GP On-Card Key Info - Key Versions
The Global Platform Card Spec v2.1.1 says on Pg 83
"An associated Key Version Number: different key versions within an on-card entity may be used to differentiate several instances or versions of the same key. There is no restriction and no pre-defined order in assigning Key Version Numbers to keys."
My problem is that when I want to change the default keys of a JCOP card, a new key set/version is created and one can authenticate using both the old key and new key. I want to restrict this to one key. Please help !!
P.S.: But why does one need to maintain multiple versions or multiple keys to authenticate with the same on-card entity or ISD, in my case?
By VK7a at 2007-10-3 3:00:28

I believe that when you change the state of your card to secured, the default key set (255) will be automatically disabled.
Regards,
Aleksandar
Thank you for responding, Aleksandar.
Even if the card is secured, the default keys remain active - however now I have to authenticate using "enc" - ext-auth enc.
My bigger trouble is in understanding as to why multiple versions of the keys have been maintained. I am not sure if "back-up purposes" would be the right reason for it. It would be nice, if you know and you could explain to me - what is the reason behind such a design?
I have read the GP card spec again and again and I am unable to locate it. Searching on this forum and Google also didn't help :-(
Thanks,
VK
VK7a at 2007-7-14 20:50:03 >

ok this is a lil complicated one.
first it depends what kind of key you want to put. either the 3 des keys or an rsa key for dap. second thing you need to consider is if you
1. put a new key
2. replace a whole keyset (3 des keys) --> then you need to specify what the new key version number it will have
3. replace single keys (key identifiers)
the beginning is like this: there is a default key set with key version number 0xff. first time you put a key (gp: range 0x00 - 0x7f, jcop specific: range 0x00 - 0x6f) the default key set is disabled. you can never reach key version number 0xff anymore. can you still init-update / ext-auth with the default key set, even if you put a new key set? that would be a bug then. could you provide a trace?
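Added example, not part of the original thread or of any poster's code: a small decoder for PUT KEY command headers in a trace, showing how P1 distinguishes adding a key set (P1 key version 0x00, which leaves the existing version usable) from replacing one (P1 names the version already on the card). It assumes the GlobalPlatform PUT KEY layout (INS 0xD8, existing version in P1 b7-b1, new version as the first data byte) and a plaintext data field; the APDUs are constructed and truncated after the first data byte, and `versions_after` models only the spec behaviour, not any card-specific handling of the default key set.

```python
from dataclasses import dataclass

@dataclass
class PutKey:
    existing_kvn: int    # P1 b7-b1: version already on card, 0x00 = add new
    new_kvn: int         # first data byte: version the new keys will carry
    key_id: int          # P2 b7-b1: identifier of the first key in the data
    multiple_keys: bool  # P2 b8: data field carries more than one key

    @property
    def action(self) -> str:
        return "add" if self.existing_kvn == 0x00 else "replace"

def decode_put_key(apdu_hex: str) -> PutKey:
    """Decode the header and new key version of one PUT KEY command."""
    apdu = bytes.fromhex(apdu_hex.replace(" ", ""))
    if len(apdu) < 6:
        raise ValueError("need CLA INS P1 P2 Lc and at least one data byte")
    cla, ins, p1, p2 = apdu[:4]
    if cla not in (0x80, 0x84) or ins != 0xD8:
        raise ValueError("not a GlobalPlatform PUT KEY command")
    new_kvn = apdu[5]
    if new_kvn > 0x7F:  # upper bound for key versions given in the thread
        raise ValueError("new key version number above 0x7F")
    return PutKey(p1 & 0x7F, new_kvn, p2 & 0x7F, bool(p2 & 0x80))

def versions_after(on_card: set, trace: list) -> set:
    """Key versions expected on the card after the PUT KEY commands in trace."""
    versions = set(on_card)
    for line in trace:
        cmd = decode_put_key(line)
        if cmd.action == "replace":
            if cmd.existing_kvn not in versions:
                raise ValueError("replace names a version not on the card")
            versions.discard(cmd.existing_kvn)  # old version stops working
        versions.add(cmd.new_kvn)               # an add keeps the old one too
    return versions

if __name__ == "__main__":
    # Constructed sample commands; key data after the version byte is omitted.
    add_cmd = "80 D8 00 81 43 21"      # P1=00: add key set version 0x21
    replace_cmd = "80 D8 20 81 43 21"  # P1=20: replace version 0x20 with 0x21
    for cmd in (add_cmd, replace_cmd):
        d = decode_put_key(cmd)
        after = sorted(hex(v) for v in versions_after({0x20}, [cmd]))
        print(cmd, "->", d.action, "| versions on card afterwards:", after)
```

If a trace shows P1 = 0x00 on every PUT KEY, the commands only ever add key sets, which is consistent with both the old and the new keys authenticating.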