Issuer Security Domain Keys - PUT KEY
Hi,
Right now, to access the JCOP card I am using the default keys, which are actually set when I run any application in JCOP Shell. It sets the keys with:
cm> set-key 255/1/DES-ECB/404142434445464748494a4b4c4d4e4f 255/2/DES-ECB/404142434445464748494a4b4c4d4e4f 255/3/DES-ECB/404142434445464748494a4b4c4d4e4f
From my understanding I can read the above command as (CORRECT ME IF I AM WRONG IN ANY ASSUMPTION/UNDERSTANDING):
255 is the version number
1 is the key for S-ENC (secure channel authentication and encryption (DES))
2 is the key for S-MAC (secure channel MAC verification (DES))
3 is the key for DEK (sensitive data encryption)
DES-ECB is the key type.
The first two keys are used for initiating the secure channel, so to install/remove any application I must have the first two keys. These keys are given by the card issuer/card manufacturer. How can I change these two keys?
What is this key type and what is the significance of this key type? I think I can't change the key type when changing existing keys.
IF I CHANGE THE KEYS, DOES IT MEAN THAT ANYONE WHO WANTS TO INSTALL/REMOVE AN APPLICATION NEEDS THE NEW KEYS?
[1138 byte] By [mirala] at [2007-10-3 3:09:46]

The 3 keys you mentioned are called card manager keys and are used for the so-called secure channel protocol. JCOP supports SCP01 and SCP02 (see the GP spec). The card manager keys are issued to you by the issuer/card manufacturer. You can change the keys after INIT-UPDATE/EXT-AUTHENTICATE with the given keys (the SCP) to new card manager keys (overwrite the key set, with the same or a different version number). Once there is a key set (3 keys) present, you can change single keys (JCOP: distinguished by key identifiers 1, 2 and 3 only; no other key identifiers are allowed). If you put a new key set, you have to put 3 keys, except for the RSA key for DAP.
Anyone who wants to install/delete applications needs to know one key set. According to GP it would also be possible to use delegated management: you install an additional security domain --> it has its own key set --> give this key set to someone who is allowed to install/delete their own applets --> not possible to install/delete applets through the issuer security domain --> separated from applets managed by different SDs. I don't think JCOP supports this.
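To make the reply's key-set rules concrete, here is an added example (not code from the original post, and not NXP/JCOP or GlobalPlatform code) that assembles the GlobalPlatform PUT KEY command used to overwrite a Card Manager key set: one new key version number, then exactly the three keys with identifiers 1 (S-ENC), 2 (S-MAC) and 3 (DEK), each as a DES key type byte, the key wrapped in DES-ECB under the channel's DEK, and a key check value (KCV) the card echoes back so you can confirm which key landed without ever reading a key out. It assumes the key version numbers, the constructed replacement keys and the use of the static default key as the wrapping DEK for illustration; SCP02 actually derives a session DEK from it, and that derivation and the C-MAC secure-messaging wrap of the APDU are not shown.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"errors"
	"fmt"
)

// DefaultKey is the GlobalPlatform test key from the set-key line in the question.
var DefaultKey = []byte{
	0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
	0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f,
}

// GPKey is one key of a Card Manager key set. Identifier 1 = S-ENC,
// 2 = S-MAC, 3 = DEK, the only identifiers the reply says JCOP accepts.
type GPKey struct {
	ID    byte
	Value []byte // 16-byte two-key triple-DES key
}

// ExampleNewSet returns a constructed replacement key set (test values only,
// not real issuer keys): each key is an ascending 16-byte pattern.
func ExampleNewSet() []GPKey {
	mk := func(start byte) []byte {
		k := make([]byte, 16)
		for i := range k {
			k[i] = start + byte(i)
		}
		return k
	}
	return []GPKey{{1, mk(0x50)}, {2, mk(0x60)}, {3, mk(0x70)}}
}

// tdes builds a two-key 3DES cipher (K1||K2||K1) from a 16-byte key.
func tdes(key16 []byte) (cipher.Block, error) {
	if len(key16) != 16 {
		return nil, errors.New("key must be a 16-byte two-key 3DES key")
	}
	k := append(append([]byte{}, key16...), key16[:8]...)
	return des.NewTripleDESCipher(k)
}

// ecb runs a block cipher over a whole number of blocks in ECB mode.
func ecb(b cipher.Block, in []byte, encrypt bool) ([]byte, error) {
	if len(in)%b.BlockSize() != 0 {
		return nil, errors.New("input is not a multiple of the block size")
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += b.BlockSize() {
		if encrypt {
			b.Encrypt(out[i:], in[i:])
		} else {
			b.Decrypt(out[i:], in[i:])
		}
	}
	return out, nil
}

// KeyCheckValue is the GP KCV: the first 3 bytes of 3DES-ECB over 8 zero bytes.
func KeyCheckValue(key []byte) ([]byte, error) {
	b, err := tdes(key)
	if err != nil {
		return nil, err
	}
	out, err := ecb(b, make([]byte, 8), true)
	if err != nil {
		return nil, err
	}
	return out[:3], nil
}

// WrapKey encrypts a new key in DES-ECB under dek, the DEK in effect for the
// channel (assumed: the static key stands in for the SCP02 session DEK here).
func WrapKey(dek, key []byte) ([]byte, error) {
	b, err := tdes(dek)
	if err != nil {
		return nil, err
	}
	return ecb(b, key, true)
}

// UnwrapKey is the inverse of WrapKey, used only to check the wrapping.
func UnwrapKey(dek, wrapped []byte) ([]byte, error) {
	b, err := tdes(dek)
	if err != nil {
		return nil, err
	}
	return ecb(b, wrapped, false)
}

// BuildPutKey returns the plain PUT KEY APDU (CLA 80 INS D8) before secure
// messaging. replaceVersion is the version of the set being overwritten
// (0x00 adds a new set); newVersion is the version the new set will carry.
// Per the reply, a whole set must carry exactly identifiers 1, 2 and 3.
func BuildPutKey(replaceVersion, newVersion byte, dek []byte, keys []GPKey) ([]byte, error) {
	if len(keys) != 3 {
		return nil, errors.New("a key set needs exactly three keys (S-ENC, S-MAC, DEK)")
	}
	data := []byte{newVersion}
	for i, k := range keys {
		if k.ID != byte(i+1) {
			return nil, fmt.Errorf("key %d must have identifier %d, got %d", i, i+1, k.ID)
		}
		wrapped, err := WrapKey(dek, k.Value)
		if err != nil {
			return nil, err
		}
		kcv, err := KeyCheckValue(k.Value)
		if err != nil {
			return nil, err
		}
		// Key type 0x80 = DES, then length-prefixed wrapped key and KCV.
		data = append(data, 0x80, byte(len(wrapped)))
		data = append(data, wrapped...)
		data = append(data, byte(len(kcv)))
		data = append(data, kcv...)
	}
	// P2: bit 8 set means several keys follow; low bits = first key identifier.
	p2 := 0x80 | keys[0].ID
	apdu := []byte{0x80, 0xD8, replaceVersion, p2, byte(len(data))}
	return append(apdu, data...), nil
}

func main() {
	// Overwrite key version 255 (the default set) with a new set as version 1.
	apdu, err := BuildPutKey(0xFF, 0x01, DefaultKey, ExampleNewSet())
	if err != nil {
		panic(err)
	}
	fmt.Printf("PUT KEY: %X\n", apdu)
}
```

After a successful PUT KEY the old version-255 keys no longer work, so anyone who needs to install or delete applets must be given the new set (and its version number) for INIT-UPDATE/EXT-AUTHENTICATE.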