Reputation: 1058
I have a sample Java Card supporting a supplementary security domain (SSD), since it has an executable load file (i.e. package) with the AID A0 00 00 01 51 53 50, as described in GlobalPlatform: Card Secure Element Configuration. So I can install an instance of this package with two privileges (Security Domain and Delegated Management) and the AID A0 00 00 01 51 53 50 41.
My question arises after installing the SSD. I think that first of all I have to set a key set to make this SSD independent of the ISD. So I select the SSD and use the GlobalPlatform PUT KEY command to set a key set with 3 keys and key type 80. What should the old and new KVN values be? The ISD key set has KVN 20, key indexes 01, 02, 03, key type 80 and key length 80, as I get from the key information template using pyResMan.
Now, what should the key information for PUT KEY be for the SSD? How is the SSD forced to use this new key set? What other customizations are needed?
Upvotes: 2
Views: 685
Reputation: 42
Once you have your SSD installed, to be able to set the new default key set you should do the following steps:
Your PUT KEY may look like this: 84D80081 + lc + kvn + 8010des-enckey + 8010des-mackey + 8010des-dekkey
You can do the same using GlobalPlatformPro as follows:
gp --sdaid yourSDAID -lock key (if you use the same key; or --lock-mac XXX, --lock-dek XXX, --lock-enc XXX).
Related references from the GPC Card Specification v2.3.1: 11.8, 11.8.2.1
Upvotes: 1
Reputation: 42
An alternative way to customize your newly created SSD is to use the STORE DATA command described in GPC-Spec_2.2_Amendment_A_1.0.1. You may refer to the mapping guideline 2.1.1_Mapping_guidelines_v1.0.1, table 10: Secure Channel Key Information, to build your key information data. Following are the steps you should follow.
Example traces may look like the following, after SELECT:
install[for personalization] >>>>>> 84e62000 16 00 00 08 a000000151535043 00 00 00 8ca7d31e9c734007
store data >>>>>> 84e20000 4a 8f01 30 8c5aa9a6d1d8de8e111da245c11f262d 8c5aa9a6d1d8de8e111da245c11f262d 8c5aa9a6d1d8de8e111da245c11f262d 7f01 0c 0021808baf478baf478baf47 2610d7c2ab682d0c
Notice that I'm using STORE DATA in DGI format. Here DGIs 8F01 and 7F01 are used as described in table 10 of the aforementioned guideline. Also, the keys are encrypted using the session DEK key and a C-MAC is added (since I'm using "i" = 15 with SCP02).
After this step your SD will switch to the PERSONALIZED state.
This can be checked with a GET STATUS (80F24002 0A 4F08 A000000151535043) or the corresponding GlobalPlatformPro command; tag 9F70 shall be 0F00 (PERSONALIZED).
Upvotes: 2
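The two answers describe the same key material framed two ways: the PUT KEY data field (key type, length, DEK-encrypted value, key check value per key) and the DGI-coded STORE DATA body (DGIs 8F01 and 7F01). The following is an added example, not code from the question or either answer, that makes both framings checkable offline: it parses the STORE DATA trace posted in the second answer (copied in as a constant, with the trailing 8-byte C-MAC dropped), pulls the three 16-byte encrypted key blocks out of 8F01, and re-frames them as an unwrapped PUT KEY. All cryptography is left to the caller: the 3DES encryption of the keys under the DEK, the C-MAC, and the key check values (first 3 bytes of 3DES-ECB over 8 zero bytes for a DES key) are inputs, not computed here. The KVN 21, the 8-byte MAC length and the hypothetical `kcvs` parameter are choices made for the example; the meaning of the bytes inside DGI 7F01 is not interpreted.

```python
"""Framing helpers for the two GlobalPlatform key-loading paths discussed above:
PUT KEY (GPC 2.x, section 11.8) and STORE DATA with DGI-coded key data
(Amendment A). Added example, not code from the question or the answers.
Crypto is left to the caller: the builders take key values that are already
3DES-encrypted under the DEK, plus optional key check values."""

from typing import List, Optional, Tuple

Dgi = Tuple[int, bytes]


def encode_dgi(tag: int, value: bytes) -> bytes:
    """DGI-TLV: 2-byte tag, then a 1-byte length, or FF + 2-byte length for >= 255."""
    if not 0 <= tag <= 0xFFFF:
        raise ValueError("DGI tag must fit in two bytes")
    if len(value) < 0xFF:
        length = bytes([len(value)])
    else:
        length = b"\xff" + len(value).to_bytes(2, "big")
    return tag.to_bytes(2, "big") + length + value


def parse_dgis(data: bytes) -> List[Dgi]:
    """Split a DGI-coded data field into (tag, value) pairs; reject truncated input."""
    out: List[Dgi] = []
    i = 0
    while i < len(data):
        if i + 3 > len(data):
            raise ValueError(f"truncated DGI header at offset {i}")
        tag = int.from_bytes(data[i:i + 2], "big")
        length = data[i + 2]
        i += 3
        if length == 0xFF:  # extended length follows
            if i + 2 > len(data):
                raise ValueError(f"truncated extended length at offset {i}")
            length = int.from_bytes(data[i:i + 2], "big")
            i += 2
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError(f"DGI {tag:04X} claims {length} bytes, {len(value)} present")
        out.append((tag, value))
        i += length
    return out


def decode_store_data_trace(apdu: bytes, mac_len: int = 8) -> List[Dgi]:
    """Check Lc against the data field of a STORE DATA APDU, drop the trailing
    C-MAC (8 bytes under SCP02) and return the DGIs it carried."""
    if len(apdu) < 5 or apdu[1] != 0xE2:
        raise ValueError("not a STORE DATA APDU")
    lc, data = apdu[4], apdu[5:]
    if lc != len(data):
        raise ValueError(f"Lc {lc:02X} does not match {len(data)} data bytes")
    if mac_len and len(data) <= mac_len:
        raise ValueError("data field too short to hold a MAC")
    return parse_dgis(data[:len(data) - mac_len] if mac_len else data)


def keys_from_8f01(dgis: List[Dgi], key_len: int = 16) -> List[bytes]:
    """DGI 8F01 carries the encrypted SCP02 keys (ENC, MAC, DEK) back to back."""
    value = dict(dgis)[0x8F01]
    if not value or len(value) % key_len:
        raise ValueError(f"8F01 length {len(value)} is not a multiple of {key_len}")
    return [value[i:i + key_len] for i in range(0, len(value), key_len)]


def build_put_key(old_kvn: int, new_kvn: int, enc_keys: List[bytes],
                  kcvs: Optional[List[Optional[bytes]]] = None,
                  key_type: int = 0x80, first_key_id: int = 1) -> bytes:
    """Unwrapped PUT KEY (CLA 80 INS D8); CLA 84 and the C-MAC are added later
    by the secure-channel layer. P1 = key version being replaced (00 = add a new
    key set); P2 = identifier of the first key, bit 8 set when several keys
    follow. Per key: type (80 = DES), length, encrypted value, KCV length, KCV.
    A KCV of None is coded as length 00 (hypothetical `kcvs` parameter; the
    check value itself comes from the caller's crypto library)."""
    if not 1 <= first_key_id <= 0x7F:
        raise ValueError("key identifier must be 01..7F")
    if not (0 <= old_kvn <= 0xFF and 1 <= new_kvn <= 0xFF):
        raise ValueError("KVN out of range")
    if kcvs is None:
        kcvs = [None] * len(enc_keys)
    if len(kcvs) != len(enc_keys):
        raise ValueError("one KCV entry per key expected")
    body = bytes([new_kvn])
    for enc, kcv in zip(enc_keys, kcvs):
        body += bytes([key_type, len(enc)]) + enc
        body += b"\x00" if kcv is None else bytes([len(kcv)]) + kcv
    if len(body) > 0xFF:
        raise ValueError("key data exceeds a short-Lc APDU")
    p2 = first_key_id | (0x80 if len(enc_keys) > 1 else 0x00)
    return bytes([0x80, 0xD8, old_kvn, p2, len(body)]) + body


# STORE DATA APDU copied from the trace in the second answer (constructed input for
# this example): Lc 4A, DGI 8F01 with three 16-byte blocks, DGI 7F01, 8-byte C-MAC.
STORE_DATA_TRACE = bytes.fromhex(
    "84e200004a"
    "8f0130" + "8c5aa9a6d1d8de8e111da245c11f262d" * 3
    + "7f010c" + "0021808baf478baf478baf47"
    + "2610d7c2ab682d0c"
)

if __name__ == "__main__":
    dgis = decode_store_data_trace(STORE_DATA_TRACE)
    for tag, value in dgis:
        print(f"DGI {tag:04X} ({len(value):2d} bytes): {value.hex()}")
    enc_keys = keys_from_8f01(dgis)
    # Re-frame the same encrypted keys as a PUT KEY adding key version 21
    # (KVN chosen for the example; the question's ISD uses 20).
    print(build_put_key(old_kvn=0x00, new_kvn=0x21, enc_keys=enc_keys).hex())
```

The Lc check and the DGI length checks are the part worth keeping around: a STORE DATA whose DGI lengths do not add up to Lc minus the MAC, or a PUT KEY whose per-key length bytes disagree with the 16-byte blocks, is rejected by the card with a status word that says nothing about which field was wrong, so validating the framing on the host first saves a lot of trace reading.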