The library implements secure communication between an off-card entity (OCE) and a Security Domain (SD) according to GlobalPlatform's (GP) Secure Channel Protocols: SCP03, based on static symmetric keys, and SCP11, based on certificates. The solution uses the prebuilt OpenSCP-Java library for the core logic and Python modules to build a similar user interface.
- Smooth integration into the user's Secure Element transport solution as an extra security layer
- SCP03 and SCP11 specification support
The solution provides the feature set defined by the specifications.
Please be aware of the known issues list below, which explains which features introduced in the specifications are not supported:
- Lower security levels support - only the maximum security level is supported for now (C-DECRYPTION, R-ENCRYPTION, C-MAC, and R-MAC)
- Pseudo-random card challenge verification - verification is optional according to the specification
- BEGIN R-MAC SESSION and END R-MAC SESSION commands - implementation is optional according to the specification
- SD certificate validation
- Usage of the CA-KLCC Identifier in GET_DATA (Certificate Store) and MUTUAL AUTHENTICATE
  - For now, only "KID/KVN" is used
  - "CA-KLCC Identifier" and "KID/KVN" usage is mutually exclusive and shall be chosen by the OCE
- Usage of Host and Card ID in the key derivation process
  - For now, it is not used
  - HostID usage is chosen by the OCE during MUTUAL AUTHENTICATE / INTERNAL AUTHENTICATE
- Lower security levels support - only the maximum security level is supported for now (C-DECRYPTION, R-ENCRYPTION, C-MAC, and R-MAC)
  - Key usage is chosen by the OCE during MUTUAL AUTHENTICATE / INTERNAL AUTHENTICATE
- Some library exceptions might not be descriptive enough