In cryptography, a Secure Channel Protocol (SCP) is a way of transferring data that is resistant to overhearing and tampering. A confidential channel is a way of transferring data that is resistant to overhearing (i.e., reading the content), but not necessarily resistant to tampering. An authentic channel is a way of transferring data that is resistant to tampering but not necessarily resistant to overhearing.
An SCP is used in smart cards to protect bidirectional communication between Java Card and Host. It is used as Mutual authentication and provide cryptographic protection for card and host subsequent communication.
SCP provides the following three levels of security:
Mutual authentication is achieved through the process of initiating a Secure Channel and provides assurance to both; card and host, that they are communicating with an authenticated entity. This process include the creation of new challenges and secure channel session keys. If any step in the mutual authentication process fails, the process shall be restarted, i.e. new challenges and Secure Channel Session keys shall be generated again.
Data or message integrity is checked by comparing C-MAC received from off-card entity (Host) with the card internally generated C-MAC. Note that this comparison is done using same Secure Channel session key, generated in Mutual authentication step.
The date received from host to card or card to host is not viewable by an unauthorized entity rather it is encrypted with Secure Channel session key generated during the mutual authentication process.
Secure Channel Protocol ’02’
SCP02 uses Triple DES encryption algorithm in CBC mode with Initialization vector (IV) of binary zeros. As SCP02 uses 3DES in CBC mode with fixed IV of binary zeros therefore its encryption scheme is deterministic and not highly secure and thus vulnerable to a classical plaintext-recovery attacks.
SCP02 relies on the «Encrypt-and-MAC» method, which means that it compute the MAC on the plain-text, encrypt the plain-text, and then append the MAC at the end of the ciphertext as shown in below diagram:
SCP02 has been deprecated by GlobalPlatform. GlobalPlatform recommends that Card Content Management operations and applications relying on SCP02 confidentiality protection of static data shall adopt one of the possible mitigations:
Encrypt all sensitive data transmitted in SCP02 using the Data Encryption Key (DEK) or any applet key.
In early April 2018, GlobalPlatform announced in a Security Informative Note that the latest version of the Card Specification (v2.3.1) will set SCP02 as a deprecated feature. Eurosmart is committed in developing, promoting and maintaining the appropriate security level for its products,
New York, NY, August 04, 2017 -- Versasec, the leader in smart card management systems, today introduced version 4.9 of its vSEC:CMS S-Series identity and access management solution. This updated version of the company's flagship product includes a variety