Standards & Protocols

GlobalPlatform Card Management

<\/script>\n
'; }, get iframeSnippet() { const domain = '{ SITE_DOMAIN }'; const type = '{ embed_type }'; const slug = '{ embed_slug }'; return ''; }, get activeSnippet() { return this.method === 'script' ? this.scriptSnippet : this.iframeSnippet; }, copySnippet() { navigator.clipboard.writeText(this.activeSnippet).then(() => { this.copied = true; setTimeout(() => { this.copied = false; }, 2000); }); } }" @keydown.escape.window="open = false" @click.outside="open = false">

Embed This Widget

Theme


      
    


    
    

      Widget powered by
      .
      Free, no account required.
    

  




  
  
Managing applets and security domains on smart cards.

  
  

    
    
    |
    4 min read
    
  








  
  

    
    
      
      
  1. 
        GlobalPlatform Card Management
      
    2. 
      
      
  2. 
        Card Manager and Issuer Security Domain
      
    3. 
      
      
  3. 
        Security Channels: SCP03 and Predecessors
      
    4. 
      
      
  4. 
        Applet Lifecycle
      
    5. 
      
      
  5. 
        AID Namespace and Applet Selection
      
    6. 
      
      
  6. 
        Secure Element and TEE Interaction
      
    7. 
      
    

  









  
  

  
  

    
    

      
GlobalPlatform Card Management


GlobalPlatform is the industry consortium whose
specifications define how applets are loaded, installed, managed, and deleted on
multi-application smart cards throughout their lifecycle. Where ISO 7816
defines the chip-level protocol, GlobalPlatform defines the application management
layer on top.


Use the APDU Builder to construct GlobalPlatform STORE DATA,
INSTALL, LOAD, and DELETE commands for testing.


Card Manager and Issuer Security Domain


Every GlobalPlatform card contains a Card Manager — the privileged runtime
responsible for enforcing the card's security policy. The Card Manager is accessed
through the Issuer Security Domain (ISD), the pre-loaded root security domain
that holds the card issuer's keys and authorises all subsequent management operations.






Entity
Role






Card Manager
GP runtime, lifecycle state machine




Issuer Security Domain (ISD)
Root SD; holds issuer keys; authenticates all management sessions




Supplementary Security Domain (SSD)
Delegated SD; holds third-party keys for their applets




Authorised Management Domain
SSD with restricted install/load rights




Controlling Authority SD
SD that issues tokens allowing SSD delegation






The ISD is the only entity that can create or delete other security domains.
Applets loaded outside the issuer's own SSD must be sponsored by a delegated SSD
whose keys are controlled by the applet provider.


Security Channels: SCP03 and Predecessors


All GlobalPlatform management APDUs travel over a Secure Channel Protocol (SCP)
session. SCP01 and SCP02 use 3DES; SCP03 — the current
mandatory baseline for new deployments — uses AES-128 or AES-256.






Protocol
Algorithm
Session keys
MAC coverage






SCP01
3DES-ECB
2 × 3DES
Data + MAC




SCP02
3DES-CBC
3 × 3DES
Data + MAC + DEK




SCP03
AES-CBC / CMAC
3 × AES
Full APDU; counter replay protection






An SCP03 session begins with INITIALIZE UPDATE (card returns a challenge and
card-unique key diversification data), followed by EXTERNAL AUTHENTICATE (host
proves possession of the static AES base key by computing the host cryptogram).
All subsequent APDUs are C-MAC protected; optionally C-ENC and R-MAC as well.


The base keys are derived from a Global Key stored in the
HSM at the card management backend, diversified per card using
the card's serial number or APDU-derived data.


Applet Lifecycle


GlobalPlatform models each managed object as a state machine:


[Not present] → LOADED → INSTALLED → SELECTABLE → PERSONALIZED
                                                         ↓
                                                     BLOCKED → TERMINATED







State
Meaning






Loaded
CAP file contents written to card EEPROM/flash




Installed
Applet object instantiated, AID registered




Selectable
Applet can be SELECT-ed by the host




Personalized
Applet has received its personalisation data (keys, cardholder data)




Blocked
Applet temporarily disabled (e.g., PIN lockout)




Terminated
Applet permanently disabled; cannot be re-enabled






The card-level lifecycle also moves through INITIALIZED → SECURED → CARD_LOCKED →
TERMINATED states, driven by Card Manager commands from the ISD.


AID Namespace and Applet Selection


Each applet is registered under a unique AID derived from the
loading security domain's RID. The SELECT AID APDU
command (INS = A4, P1 = 04) activates the matching applet; the card OS routes
subsequent APDUs to the selected applet's process() method until a new SELECT
or card reset occurs.


Conflicts are prevented by GlobalPlatform's requirement that an SSD can only install
applets under AIDs that share its own RID prefix, unless the Controlling Authority
grants an exception via a signed token.


Secure Element and TEE Interaction


On devices with a TEE (Trusted Execution Environment), GlobalPlatform
also specifies the TEE Management Framework (TMF) — a parallel structure for
managing trusted applications inside the TEE. The same security domain hierarchy
and lifecycle concepts apply, though the transport is TEE-internal rather than APDU.
Combined SE+TEE deployments (common in payment-capable smartphones) must maintain
distinct ISD keys to prevent cross-boundary privilege escalation.


For the cryptographic key management operations that underpin SCP03 sessions,
see Key Management for Smart Cards.

    

    

    
    
    
    

    
    

      




  
자주 묻는 질문


  

    
    

      
      

        
Our guides cover a range of experience levels. Getting Started guides introduce smart card fundamentals. Security guides address Common Criteria certification and key management. Programming guides target developers working with APDU commands, JavaCard applets, and GlobalPlatform card management.