Overview
Page 1-4
PLT-01067, Version: A.3
April 2014
1.1.4 Secure Object Keys [4]
The newer and more secure credentials used by HID readers are based on Secure Object (SO)
technology. Describing SO technology in detail is outside the scope of this document; in simple
words, an SO is a structured credential built on state-of-the-art industry standards so that the
credential structure remains extensible and only industry-validated and approved security
algorithms and mechanisms are used. The most important aspect of an SO is that it provides an
additional layer of security for the credential, so that security does not rely solely on the
mechanisms of the chip/media silicon vendor.
Very much like an SNMP message, an SO has a notion of both encryption and signature. To reduce
the size of a secure object credential, we use an Authenticated Encryption with Associated Data
(AEAD) algorithm called EAX' (read as EAX prime). In simple words, with EAX' a single key is used
to both encrypt and sign the SO credential. This key is called the SO encryption key. Please note
that although it is called an encryption key, it also performs signature verification.
The SO encryption key can be managed by HID as a standard key and/or an Elite key, similar to
the management of Media keys described earlier. We also support creating a customer-managed SO
encryption key; however, an SO credential protected with such a key is not managed via the HID
vault and also carries an additional signature made with HID's license key.
More information about secure objects can be requested from HID.
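The property described above, one key that both encrypts the credential payload and authenticates the whole object, is what any AEAD mode gives. The following is an added illustration, not HID's code: since EAX' is not in Go's standard library, AES-GCM stands in for it, and the key, nonce, header and payload values are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
)

// Constructed demo key and nonce (deterministic run). Real SO encryption keys
// are HID-managed (standard/Elite) or customer-managed; never reuse a nonce.
var (
	demoKey   = []byte("0123456789abcdef") // 16-byte AES-128 key, constructed
	demoNonce = []byte("nonce-12byte")     // 12-byte GCM nonce, constructed
)

// newAEAD builds the one-key AEAD. AES-GCM stands in for EAX' here: not the
// guide's algorithm, but the same encrypt-and-authenticate interface.
func newAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // a bad key length is a programming error, not input
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// sealObject encrypts the payload and authenticates both payload and the
// cleartext header (the structured part of the credential) under one key.
func sealObject(key, nonce, header, payload []byte) []byte {
	return newAEAD(key).Seal(nil, nonce, payload, header)
}

// openObject verifies the tag over header and ciphertext before releasing
// plaintext; a modified header or ciphertext yields an error, not data.
func openObject(key, nonce, header, sealed []byte) ([]byte, error) {
	return newAEAD(key).Open(nil, nonce, sealed, header)
}

// tamperedRejected flips one byte of the ciphertext and, separately, one byte
// of the cleartext header, and reports whether both are refused on open.
func tamperedRejected(key, nonce, header, sealed []byte) bool {
	badCT := append([]byte(nil), sealed...)
	badCT[0] ^= 0x01
	badHdr := append([]byte(nil), header...)
	badHdr[0] ^= 0x01
	_, errCT := openObject(key, nonce, header, badCT)
	_, errHdr := openObject(key, nonce, badHdr, sealed)
	return errCT != nil && errHdr != nil
}
```

The header plays the role of the associated data: it stays readable on the card, yet a reader that verifies the object will refuse it if either the header or the encrypted part has been altered.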
1.1.5 Secure Channel Key
The messages exchanged between a host application and the encoder device are transferred over a
mandatory secure channel [5]. The secure channel ensures the confidentiality and authenticity of the
messages between the host application and the encoder device.
The encoder ships with a default value of the secure channel key, and, very much like the OEM
Admin keys, the host application prompts the user to provide a new value for it. This secure channel
key is stored in the local database managed by the host application and is encrypted using the
user's password.
The secure channel mechanism is based on a slightly modified GlobalPlatform SCP03 secure channel
protocol. You can request more information about the secure channel from HID.
References:
[1] ISO/IEC 7816: http://en.wikipedia.org/wiki/ISO/IEC_7816
[2] SAM: http://en.wikipedia.org/wiki/Secure_access_module
[3] SNMP: http://tools.ietf.org/html/rfc3411
[4] SIO: Secure Identity Objects; request information from HID
[5] HID Secure Channel version 0.87