FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

SE050 Mandate platformSCP where current communication is encrypted

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED
Jump to solution

SE050 Mandate platformSCP where current communication is encrypted

Jump to solution
‎08-31-2023 09:45 AM
1,671 Views
Liad
Contributor II

Hi,

I'm trying to mandate SE to use platformSCP.

I use your se05x_MandatePlatformSCP.c example and it doesn't work for me.

I suspect that the initial session config you use in this example is 

kSSS_AuthType_ID / kSSS_ConnectionType_Password
 

While my session config is

kSSS_AuthType_SCP03 kSSS_ConnectionType_Encrypted
 
Does it matter?
Can I start with my session config to set the authentication user-id object while I'm in a secure channel session (platform SCP no AuthID) and then switch to a new session Auth ID base in order to send the SE Se05x_API_SetPlatformSCPRequest: kSE05x_PlatformSCPRequest_REQUIRED?
 
Please help me.
Labels (1)
Labels
0 Kudos
Reply
1 Solution

Jump to solution
‎09-04-2023 03:35 AM
1,482 Views
Liad
Contributor II

Hi Kan,

First of all, I want to thank you again, each of your responses is truly pointing me in the right direction toward my goals. Now I understand the difference between platformSCP and AuthID/AES thanks to you.

In the original post, I already managed to rotate the keys according to the demo, because it doesn't involve authentication with the applet only with the device. So that was the big difference for me with the Mandate request.

Finally, I successfully managed to mandate SCP. The major mistake in my code was that the SSSFTR_SE05X_AuthSession was false instead of true.

So, the case can be closed.

Regards,

Liad

View solution in original post

0 Kudos
Reply
8 Replies

Jump to solution
‎09-02-2023 07:39 AM
1,621 Views
Liad
Contributor II

Hi Kan,

I appreciate your quick response. I'm afraid that the key adjustment isn't the issue, because I can successfully rotate the binding keys using the initial OEM keys. However, for the sake of good order, it is SE050C1.

I followed the mandate example step by step, and I received an error SM_NOT_OK for the  Se05x_API_SetPlatformSCPRequest. If I open the session with SCP/encrypted instead of ID/password configuration I receive undefined error code 0x6d00.

I came to a realization that although I've been working on this component for about a month now, I've never sent a request that involved writing UserID. I did an experiment to do a true factory reset so I used a Se05x_API_WriteUserID with SE05x_AppletResID_FACTORY_RESET which succeeded but failed on Se05x_API_DeleteAll.
 
So to sum up my questions are:
  1. I used to prepare a host with platform SCP without authKey (ex_sss_se05x_prepare_host_platformscp), should I, for this purpose, prepare a host with AuthID (ex_sss_se05x_prepare_host_userid) / AuthAES (ex_sss_se05x_prepare_host_AppletScp03Keys) instead, or does it come together: first a host with platform SCP then prepare it again with AuthID / AuthAES?
  2. Does it must be AuthAES or can I use AuthID?
  3. After mandating, Is it possible to do any kind of factory reset to reset the SCP03 binding keys without any authentication?

As you can see, I'm a little bit confused sorry for that.

Thank you

0 Kudos
Reply

Jump to solution
‎09-03-2023 06:50 PM
1,496 Views
Kan_Li
NXP TechSupport
NXP TechSupport

Hi @Liad ,

 

Please kindly have my comments as below:

  1. I used to prepare a host with platform SCP without authKey (ex_sss_se05x_prepare_host_platformscp), should I, for this purpose, prepare a host with AuthID (ex_sss_se05x_prepare_host_userid) / AuthAES (ex_sss_se05x_prepare_host_AppletScp03Keys) instead, or does it come together: first a host with platform SCP then prepare it again with AuthID / AuthAES?- Actually you may understand platform SCP is an authentication to the SE, and AuthID / AuthAES is an authentication to the applet inside the SE, so they can work both or either of them, but the security would be the best when you use both of them. 
  2. Does it must be AuthAES or can I use AuthID? - No, you can use either of them, but AES is recommended.
  3. After mandating, Is it possible to do any kind of factory reset to reset the SCP03 binding keys without any authentication? - No, it is not possible , you must use the current key to authenticate with the device and then replace them with any others.

BTW, Did you successfully rotate the platform SCP keys with the demo? I am confused with "received an error SM_NOT_OK for the  Se05x_API_SetPlatformSCPRequest." and " successfully rotate the binding keys using the initial OEM keys", would you please clarify?

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

0 Kudos
Reply

Jump to solution
‎09-04-2023 03:35 AM
1,483 Views
Liad
Contributor II

Hi Kan,

First of all, I want to thank you again, each of your responses is truly pointing me in the right direction toward my goals. Now I understand the difference between platformSCP and AuthID/AES thanks to you.

In the original post, I already managed to rotate the keys according to the demo, because it doesn't involve authentication with the applet only with the device. So that was the big difference for me with the Mandate request.

Finally, I successfully managed to mandate SCP. The major mistake in my code was that the SSSFTR_SE05X_AuthSession was false instead of true.

So, the case can be closed.

Regards,

Liad

0 Kudos
Reply

Jump to solution
‎09-04-2023 07:51 AM
1,471 Views
Liad
Contributor II

I was glad too early.

Is there a reason why after successfully mandating, I received a NOT_SATISFIED error for the Se05x_API_WriteUserID request? Of course, it was within a SCP session.

I'm trying to send the Se05x_API_DeleteAll request.

0 Kudos
Reply

Jump to solution
‎09-04-2023 06:37 PM
1,462 Views
Kan_Li
NXP TechSupport
NXP TechSupport

Hi @Liad ,

 

Just wondering the scenario from your side, did you enable platform SCP together with some AuthID? and the UserID you wanted to update is just the AuthID? Please kindly clarify.

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

0 Kudos
Reply

Jump to solution
‎09-05-2023 02:03 AM
1,453 Views
Liad
Contributor II

I enabled platformSCP with AuthID and tried to open a session with the application id of kSE05x_AppletResID_FACTORY_RESET, for doing the factory reset.

I received a status fail from sss_session_open, specifically, it failed in Se05x_API_CheckObjectExists where I received NOT_SATISFIED.
 
What I did is similar to the se05x_AllowWithoutPlatformSCP example, just replace the application id with kSE05x_AppletResID_FACTORY_RESET, and of course, I executed the Se05x_API_WriteUserID prior to it, so it exists.
0 Kudos
Reply

Jump to solution
‎09-06-2023 10:08 PM
1,420 Views
Kan_Li
NXP TechSupport
NXP TechSupport

Hi @Liad ,

 

Actually there is no need to executed the Se05x_API_WriteUserID prior to the demo, in which a secure object is initialized already to contain the UserID, but the id itself is a random line number, you may specify it with any value you like.

Kan_Li_0-1694063233736.png

I think that might be the root cause for your issue.

 

Hope that helps,

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

0 Kudos
Reply

Jump to solution
‎08-31-2023 07:30 PM
1,646 Views
Kan_Li
NXP TechSupport
NXP TechSupport

Hi @Liad ,

 

The default platformSCP keys are different across SE05x variants, so maybe you have to adjust the platformSCP key settings before running this demo, would you please specify which SE05x is used in your test? Thanks for your patience!

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

0 Kudos
Reply