Secure Channel Protocols (SCP02/SCP03)

GlobalPlatform Secure Channel Protocol 02 and 03: key derivation, mutual authentication, and encrypted APDU wrapping.

GlobalPlatform Secure Channel Protocols establish a mutually authenticated, encrypted communication channel between a card management system (off-card entity, OCE) and a card's Security Domain (SD). SCP02 and SCP03 are the two production-grade variants; understanding their key structures and session establishment is essential for card personalisation and post-issuance application management.

Why a Secure Channel?

Raw APDU traffic can be observed if the card-reader link is intercepted. During personalisation, key injection, or application loading, the commands carry sensitive data (keys, PINs, executable code). SCP provides:

  • C-MAC (Command MAC): integrity of every command
  • C-ENC (Command Encryption): confidentiality of sensitive command data
  • R-MAC / R-ENC (Response MAC/ENC): integrity and optionally encryption of card responses

SCP02 Architecture

SCP02 uses 3DES (Triple DES) with 16-byte static keys. The Issuer Security Domain (ISD) holds three static base keys:

| Key | Usage |
|---|---|
| S-ENC (Static Encryption) | Derives session encryption key |
| S-MAC (Static MAC) | Derives session MAC key |
| DEK (Data Encryption Key) | Encrypts sensitive data (key material) |

Session key derivation (3DES ECB):

S-ENC_session = 3DES_ECB(S-ENC, 0x0182 || Sequence_Counter || 00..00)
S-MAC_session = 3DES_ECB(S-MAC, 0x0101 || Sequence_Counter || 00..00)
R-MAC_session = 3DES_ECB(S-MAC, 0x0102 || Sequence_Counter || 00..00)

SCP02 Session Establishment

# INITIALIZE UPDATE (INS=50)
Command: 80 50 00 00  08  [8-byte host challenge]  00
Response: [28 bytes]
    Key Diversification Data  (10 bytes)
    Key Information           (2 bytes)
    Sequence Counter          (2 bytes)
    Card Challenge            (6 bytes)
    Card Cryptogram           (8 bytes)
  SW1 SW2: 90 00

# Compute host cryptogram, verify card cryptogram
# EXTERNAL AUTHENTICATE (INS=82)
Command: 84 82 [security_level]  00  10
    [8-byte host cryptogram] [8-byte C-MAC over preceding APDUs]
  SW1 SW2: 90 00   <- secure channel established

Security levels in P1 of EXTERNAL AUTHENTICATE:

  • 00: C-MAC only
  • 01: C-MAC + C-ENC
  • 03: C-MAC + C-ENC + R-MAC
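
Parsing and validating the INITIALIZE UPDATE response shown above before any field is used for key derivation, as an added example that is not code from the original page. Field widths are the page's; reading Key Information as key version followed by protocol identifier comes from the GlobalPlatform Card Specification, and the names `parse_init_update`, `InitUpdateResponse` and `SAMPLE` are hypothetical.

```python
from dataclasses import dataclass

# Field widths as listed on this page for the SCP02 INITIALIZE UPDATE response.
LAYOUT = (("key_diversification_data", 10), ("key_information", 2),
          ("sequence_counter", 2), ("card_challenge", 6), ("card_cryptogram", 8))
BODY_LEN = sum(width for _, width in LAYOUT)  # 28 bytes


class InitUpdateError(ValueError):
    """The response must not be used for session key derivation."""


@dataclass(frozen=True)
class InitUpdateResponse:
    key_diversification_data: bytes
    key_information: bytes
    sequence_counter: bytes
    card_challenge: bytes
    card_cryptogram: bytes

    @property
    def key_version(self) -> int:  # assumption from the GP spec: first byte
        return self.key_information[0]

    @property
    def scp_id(self) -> int:  # assumption from the GP spec: second byte
        return self.key_information[1]


def parse_init_update(raw: bytes) -> InitUpdateResponse:
    """Parse body + SW1 SW2, refusing anything that is not a clean SCP02 answer."""
    body, sw = raw[:-2], raw[-2:]
    if sw != b"\x90\x00":  # also rejects empty or one-byte input
        raise InitUpdateError(f"card returned SW {sw.hex().upper()}")
    if len(body) != BODY_LEN:
        raise InitUpdateError(f"expected {BODY_LEN} body bytes, got {len(body)}")
    fields, offset = {}, 0
    for name, width in LAYOUT:
        fields[name] = body[offset:offset + width]
        offset += width
    resp = InitUpdateResponse(**fields)
    if resp.scp_id != 0x02:  # a different protocol means a different layout
        raise InitUpdateError(f"card announced SCP{resp.scp_id:02X}, not SCP02")
    return resp


# Constructed sample response (not captured from a real card).
SAMPLE = bytes.fromhex("00001122334455667788" "2002" "001B"
                       "A1A2A3A4A5A6" "C1C2C3C4C5C6C7C8" "9000")
```

Only a response that passes these checks should supply the sequence counter and card challenge for session key derivation; the card cryptogram is then compared against the locally computed value with a constant-time comparison such as `hmac.compare_digest`.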

SCP03 Architecture

SCP03 replaces 3DES with AES-128 (or AES-256) and CMAC for integrity — a significant security improvement. It is mandatory for Java Card 3.0.5+ platforms.

| Feature | SCP02 | SCP03 |
|---|---|---|
| Symmetric cipher | 3DES | AES-128/256 |
| MAC algorithm | CBC-MAC (3DES) | CMAC (AES) |
| Key derivation | ECB with constant derivation data | KDF using AES-CMAC |
| Counter management | 2-byte sequence counter | 3-byte AES-CTR IV |
| Replay protection | Sequence counter | IV-based |

SCP03 session key derivation (AES-CMAC-based KDF, per GPC_SPE_014):

derivation_data = derivation_constant(1B) || 00(1B) || usage(1B) || 00..00(11B) || L(2B) || i(1B)
S-ENC_session = AES-CMAC(S-ENC_static, derivation_data[ENC])
S-MAC_session = AES-CMAC(S-MAC_static, derivation_data[MAC])
S-RMAC_session = AES-CMAC(S-MAC_static, derivation_data[RMAC])

Key Diversification

In a deployment with millions of cards, each card must have unique session keys derived from shared master keys. Key diversification computes:

card_S-ENC = 3DES(master_S-ENC, diversification_data)

Diversification data is typically built from the CPLC (Card Production Life Cycle) data — IC Serial Number, batch identifier — retrieved via GET DATA (80 CA 9F 7F). The secure-element architecture ensures that master keys never leave the HSM.

Sending a Secured APDU

With SCP02 C-MAC active, every command gets an 8-byte MAC appended:

Original: 80 E8 00 00  10  [16 bytes load block data]
Secured:  84 E8 00 00  18  [16 bytes load block data] [8-byte C-MAC]

The recipient SD verifies the C-MAC using the session MAC key before processing the command. A MAC failure returns SW 69 88 (Incorrect MAC).

For the key injection infrastructure behind diversification, see HSM Integration. For the SCP03 usage in eSIM profile packaging, see eSIM Remote Provisioning.
