3.11. Auth Objects : UserID

As user ID is kind of Symmetric Identifier that is used to authenticate a session.

3.11.1. User ID - Provisioning / Injection

To provision / inject the key, the process is like this:

../../_images/auth-object-pin-create.png
Steps to provision

Step

Operation

10

We establish physical connection to SE

11

We create a UserId object, Attestation Type is Auth

3.11.2. User ID - Use for connection / authentication

To use the key, the process is like this:

../../_images/auth-object-pin-use.png
Steps

Step

Operation

20

Host establishes physical connection to SE

21

Host calls Se05x_API_CreateSession() and use the 32bit id of UserId that we are going to use.

22

As a part of Se05x_API_CreateSession() API, Applet returns an 8 byte Session ID. We use this in future communication with the SE.

23

Host calls Se05x_API_VerifySessionUserID().

At this point, we pass the Value that we are going to use. (Host must already know the value of the PIN that is used/chosen in step 21.)

24

Finally, Host calls Se05x_API_ExchangeSessionData() API

3.11.3. User ID - Applet Spec Notes

From SE050 APDU Spec:

3.2.1.9 UserID

A UserID object is a byte array that holds a value that is linked to a
user.

UserID objects can only be created as Authentication object. By default,
the maximum number of allowed authentication attempts is set to 255.

Length = 1 up to 16 bytes

From SE051 APDU Spec:

3.3.1.9 UserID

A User ID object is a value which is used to logically group secure objects. UserID
objects can only be created as Authentication objects (see Section 3.3.3). They cannot
be updated once created (i.e. the value of an existing UserID can not be changed).
A session that is opened by a UserID Authentication Object is not applying secure
messaging (so no encrypted or MACed communication).

By default, the maximum number of allowed authentication attempts is set to infinite. Its
length is 4 up to 16 bytes. It is intended for use cases where a trusted operating system
on a host MCU/MPU is isolating applications based e.g. on application ID.