Guidance to provision custom keys to open a secure channel on SE050C1

Rutwik0409 · ‎10-09-2025

Hi,

I’m working with an ESP32 host and SE050C1. Environment details:

Plug & Trust: v3.0.6 (Mini)

SE050 applet version: 03 01 01 6F FF 01 0B

I can open a secure channel using the default keys, generate an EC keypair on the SE, and create a CSR successfully.

Now I’d like to provision my own SCP03 keyset (ENC/MAC/DEK, AES-256) once, store it on the SE050 under a new key version, and thereafter always open the SCP03 session using that version.

can any one provide a API / Example for PUT KEY in v3.0.6 (Mini)

In my Mini drop I see INS_GP_PUT_KEY defined, but I don’t find a higher-level helper like Se05x_API_PutKeys(), nxScp03_ChangeKeys(), or an ex_scp03_change_keys example.

Best regards,
Reddy

Kan_Li · ‎10-09-2025

Hi @Rutwik0409 ,

The nano package provide a demo for that purpose, please kindly refer to https://github.com/NXPPlugNTrust/nano-package/tree/master/examples/se05x_rotate_scp03_keys for details.

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

Rutwik0409 · ‎10-14-2025

Hi @Kan_Li ,

opening Platform SCP03 using the factory keys (KVN=0x01) (Initialize Update + External Authenticate return 9000). I’m trying to rotate the Platform SCP03 keys to KVN=0x11: ENC/MAC/DEK are AES-128, wrapped with the old DEK via AES Key Wrap (RFC3394, 24-byte ciphertext), and I include a 3-byte KCV (AES-ECB(key, 0x00…00)[0..2]). The new key KCVs are ENC=9D67A9, MAC=9213C0, DEK=741560 (actual keys redacted).

I attempt two PUT KEY formats under SCP03 protection (C-ENC + C-MAC):

(1) KVN in P1, IDs 81/82/83, header 84 D8 11 81, data begins keyType, 0x03, 81 <len> <24B wENC> <KCV>, 82 …, 83 …;

and (2) KVN in DATA, IDs 01/02/03, header 84 D8 80 81 (ADD, multiple), data begins keyType, 0x11, 0x03, 01 <len> <24B wENC> <KCV>, 02 …, 03 …. In both cases I’ve tried keyType=0x88 and 0x0A, and per-component length as 0x18 (wrapped-only) and 0x1B (wrapped+KCV), ensuring the KCV is appended as raw 3 bytes (no extra length).

Both attempts consistently return 6A80 (“wrong data field”).

Questions: which AES key type coding does SE050C1 require in PUT KEY (0x88 vs 0x0A)? Should the component length include the KCV (i.e., 0x1B), with no extra 0x03 tag? Are multi-key updates (P2=0x81) supported for Platform SCP03 here, or must I send three single-key updates (P2=0x00) in order ENC→MAC→DEK? Are IDs 81/82/83 accepted for platform keys on this part, or must I always use 01/02/03?

Any constraints on placing KVN in P1 vs in the data for Platform SCP03 on this applet? I can provide minimal code (payload builder and caller) plus full APDU logs; real keys are redacted but KCVs and lengths are intact.

Thanks

rutwik

Kan_Li · ‎10-14-2025

Hi @Rutwik0409 ,

There is no special requirement for the AES key type. The SCP03 keys (AES keys) can be generated just with using random numbers as source.

Please make sure to use only KVN11 as default keyset for changing Platform SCP keys with a different keyset on SE050C1.

Hope that helps,

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

Guidance to provision custom keys to open a secure channel on SE050C1

Guidance to provision custom keys to open a secure channel on SE050C1

A71CH

SE050