3.13. Auth Objects : ECKey

ECKey is a secure channel protocol tailored for authenticated and secured communication between a Host and a connected SE.

Please contact NXP CAS/FAE for the specification of ECKey.

The Secure Channel Protocol consists of two logical phases:
  1. Authentication phase

  2. Secure messaging phase

3.13.1. ECKey - Keys Used

The table below gives an overview of the required keys and their presence at the SE and the Host, as required for the ECKey setup and authentication phase.

Auth Keys

  Key              SE   Host   Purpose
  SK.SE.ECKA                   Static SE key pair for Key Agreement, private key
  PK.SE.ECKA                   Static SE key pair for Key Agreement, public key
  SK.Host.ECDSA                Host signing key pair, private key
  PK.Host.ECDSA                Host signing key pair, public key
  eSK.Host.ECKA                Ephemeral private key of the Host used for key agreement
  ePK.Host.ECKA                Ephemeral public key of the Host used for key agreement

3.13.2. ECKey - Use for connection / authentication

Authentication Phase:
  1. In the Secure Channel authentication phase, a Host-generated ephemeral key pair, the static SE key pair and SE-generated random data are used to compute a shared master secret.

  2. The Host generates an ephemeral ECC key pair and exchanges the public key component ePK.Host.ECKA with the SE. The ePK.Host.ECKA is signed to prove its authenticity.

  3. Both the Host and the SE compute the shared secret ShS, from (eSK.Host.ECKA, PK.SE.ECKA) and (SK.SE.ECKA, ePK.Host.ECKA) respectively.

  4. The SE generates random bytes DR.SE and exchanges this with the Host.

  5. Both the Host and the SE compute the shared master secret MK from the shared secret ShS and random bytes DR.SE.

  6. Optionally:
    1. Both Host and SE compute the Key-DEK.

    2. Both Host and SE compute the S-RMAC session key (used for the receipt).

    3. Both Host and SE compute the receipt.

    4. The Host verifies the receipt.

Secure Messaging phase:
  1. In the Secure Channel secure messaging phase, first a setup is performed, where the shared master secret is used to compute the AES session keys (S-ENC, S-MAC and S-RMAC) and to initialize the encryption counter.

  2. Both the Host and the SE compute the AES session keys from MK.

  3. Both the Host and the SE apply an OWF to MK. Note that this is performed after the validation of the command's C-MAC (to exclude DoS attacks on the SE).

  4. Both the Host and the SE initialize the encryption counter to 1 for the first command/response with C-DECRYPTION or R-ENCRYPTION.

  5. After the secure messaging setup has been performed, the AES session keys are employed to realize SCP03 secure messaging between Host and SE.

  6. Command APDUs are MACed.

  7. Response APDUs are optionally MACed.

  8. Command and response APDUs are optionally encrypted. For each command/response with C-DECRYPTION or R-ENCRYPTION, the encryption counter is incremented.

The phases, including the optional Key-DEK and receipt, are shown in the figure below.

[Figure auth-object-fastscp-use.png: ECKey authentication and secure messaging phases, including the optional Key-DEK and receipt]