HID iCLASS SE Encoder User Guide
April 2014
PLT-01067, Version: A.3
Page 1-3
Overview
The purpose of the HID Admin identity is to manage the keys and configuration data that originate from the HID Vault, whereas the OEM Admin identity can be used to create custom keys and perform operations that do not require a high level of security.
When a customer receives an encoder, its OEM Admin SNMP keys are set to default (public) values. When the host application is started for the first time, it prompts the user to change them to keys managed by the user. The host application then stores the changed OEM Admin keys in its local database, encrypted using the password of the desktop application user.
1.1.3 Media Keys
The keys used to authenticate to a card in order to perform read/write operations are called media keys. For example, the debit and credit keys for a page in PicoPass (iCLASS) cards are media keys. In the case of MIFARE Classic, Key A and Key B of a sector are the media keys, and for DESFire the application keys as well as the PICC master key are examples of media keys.
The lengths of these keys, as well as the cryptographic algorithms (such as the authentication algorithm) that make use of them, depend on the card/media technology.
A typical encoding operation uses the default/known media key to first authenticate to the blank card, creates the application, writes the credential, and changes the value of the key to the one specified by the user. Note that the new value is a diversified key, which reduces the attack surface: every card/medium ends up with different values for its media keys. For the newer and more secure credentials (for example, Secure Objects) we make use of the NIST 108 key diversification algorithm, whereas older/legacy credentials make use of proprietary key diversification algorithms invented by HID and/or a chip vendor such as NXP.
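The per-card key diversification described above, as an added example that is not HID's code: a NIST SP 800-108 counter-mode KDF (with HMAC-SHA256 as the PRF) derives a distinct 16-byte media key for each card from a master key and the card's UID. HID's actual PRF, label and context layout are not given on the page and are assumed here, as are the sample master key and UIDs.

```python
import hashlib
import hmac
import struct


def sp800_108_counter_kdf(key_in: bytes, label: bytes, context: bytes,
                          length: int) -> bytes:
    """NIST SP 800-108 KDF in counter mode.

    K(i) = PRF(key_in, [i]_2 || Label || 0x00 || Context || [L]_2)
    PRF is HMAC-SHA256 here (an SP 800-108 approved PRF); the counter i and
    the output length L (in bits) are encoded as 32-bit big-endian integers.
    """
    prf_len = hashlib.sha256().digest_size
    blocks = -(-length // prf_len)          # ceil(length / prf_len)
    l_bits = struct.pack(">I", length * 8)
    out = b""
    for i in range(1, blocks + 1):
        fixed = struct.pack(">I", i) + label + b"\x00" + context + l_bits
        out += hmac.new(key_in, fixed, hashlib.sha256).digest()
    return out[:length]


def diversify_media_key(master_key: bytes, card_uid: bytes,
                        key_name: bytes = b"app-key-1") -> bytes:
    """Derive a 16-byte (AES-128) media key for one card.

    The master key never leaves the SAM; the encoder recomputes the card's
    key from the UID it reads. Because the PRF is one-way, a key recovered
    from one card yields neither the master key nor another card's key.
    The label/context layout is an assumption made for this example.
    """
    return sp800_108_counter_kdf(master_key, key_name, card_uid, 16)


# Constructed sample values (not real HID or customer key material).
MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
CARD_A_UID = bytes.fromhex("04a1b2c3d4e580")   # 7-byte UID, constructed
CARD_B_UID = bytes.fromhex("04a1b2c3d4e581")   # differs in the last byte only

if __name__ == "__main__":
    key_a = diversify_media_key(MASTER_KEY, CARD_A_UID)
    key_b = diversify_media_key(MASTER_KEY, CARD_B_UID)
    print("card A key:", key_a.hex())
    print("card B key:", key_b.hex())
    # Adjacent UIDs get unrelated keys; the same UID always gets the same key.
    assert key_a != key_b
    assert key_a == diversify_media_key(MASTER_KEY, CARD_A_UID)
```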
For all cards/media, the keys fall into one of these categories:
• HID Managed Standard Media Keys: These keys are managed securely in the HID Vault and are intended for the general customer base.
• HID Managed Elite Media Keys: These keys are managed securely in the HID Vault and are specific to customers who participate in the Elite program. For example, an Elite customer identified by ICE 0120 will have a different set of media keys than one identified by ICE0133.
• Customer Generated and Managed Keys: These keys are either generated by the encoder solution and/or entered by the customer. The keys reside in the encoder SAM and can be exported in encrypted form to be archived. Once created, knowledge of the plaintext key is the responsibility of the administrator. Custom keys are not archived in the HID Vault.
All HID managed keys are delivered in the form of static SNMP messages targeted to the encoder for which they were requested. Typically, the customer reads the engineId of the encoder device using the host application and requests the appropriate key set from HID (for example: standard, ICEXXX, etc.). The keys are delivered as a file containing the static messages, and the host application provides the user interface needed to load them into the encoder SAM.
Custom keys can be exported from the encoder device. The export format is again an SNMP message, protected using the OEM Admin keys.