4.2 GlobalPlatform key sets
A GlobalPlatform key set is a set of symmetric keys held on every GlobalPlatform card, which includes most PIV cards. Its exact usage depends on the device type, but in general the GlobalPlatform keys authenticate the secure channel (SCP) over which key management operations and card activation are carried out; without the correct key set, the content of the card cannot be managed.
Cards are delivered with a factory GlobalPlatform key. You must set up MyID with the factory GlobalPlatform key for the appropriate device type. This allows MyID to carry out operations such as card activation, changing the PIV 9B key, and working with archived certificates.
4.2.1 Risks
- The factory GlobalPlatform key may be the same on other cards of that type; therefore, it is possible that it is known to unauthorized parties.
- Some cards are manufactured with dedicated factory keys specific to the end customer that may also be diversified; in this situation, however, the card manufacturer knows the key for each card, and you have no control over their information security.
- An unauthorized party with the GlobalPlatform key can modify the content of the card.
4.2.2 Solution
Set up MyID to replace the factory GlobalPlatform key with a customer GlobalPlatform key – this is a key known only to the customer's system. Unauthorized parties will not have access to this customer GlobalPlatform key, and therefore cannot perform any unauthorized modifications of the cards issued by MyID.
For further security, you can set the following options on your customer keys:
- Key Type: Diverse – each card is issued with a different key, derived from a master key. Even in the unlikely situation that one card is compromised, no other cards would be compromised.
- Automatically Generate Key In HSM – the GlobalPlatform master key, used to derive the keys for the cards, is randomly generated on your HSM.
4.2.3 Implementation
Use the Manage GlobalPlatform Keys workflow (Manage Open Platform Keys workflow on older systems) to set up your customer GlobalPlatform keys, using the options for diversification and HSM key generation.
You must set up a customer key for each algorithm in use; for example, if SCP01 IDPrime PIV cards are issued, you must create a 2DES (two-key Triple DES) customer GP key for those cards, and if OT-SCP03 Oberthur ID-One cards are issued on the same system you must also create an AES128 customer key.
Note: The Smart Card Integration Guide contains tables detailing the appropriate combinations of secure channels, algorithms, and cryptographic key types for GlobalPlatform factory and customer keys for your particular type of smart card. In general:
Secure Channel Type (Factory tab) | Key Algorithm (Customer tab)
---|---
SCP01/SCP02 | 2DES
OTSCP03 | AES128
SCP03 | AES128/AES192/AES256, depending on the algorithm chosen on the Factory tab
For 10.2 systems and later:
- In the Security Settings workflow, on the Device Security page, set the Enable Customer GlobalPlatform Keys option to Yes. If you do not have this option set, MyID will not attempt to write customer GlobalPlatform keys to your cards.
For systems before 10.2:
- Within the Operation Settings workflow, on the Devices page, set the Java Card Keyset options to Yes. If you do not have the Java Card Keyset option set, MyID will not attempt to write customer GlobalPlatform keys to your cards.
Make sure you set the Version numbers of your factory and customer keys correctly, according to the instructions in the Managing GlobalPlatform keys section in the Administration Guide:
- The factory key version number should be available from your card manufacturer and will be a number between 0 and 127, or 255. A version of 255 should normally be used for cards delivered with an Initial Keyset.
- The customer key version number must be a different value from the version entered for any factory keyset; otherwise, the custom GlobalPlatform keyset will not be written to cards with that factory keyset. The highest allowed customer key version is 127.
- The factory key version tells MyID which key version is present on the cards when they are presented to MyID (fresh from the factory). The customer key version, by contrast, is the version that MyID writes to the card when it replaces the factory key with the customer key.
- If you have specified a factory keyset version of 255, you cannot use a customer keyset version of 1; otherwise, the custom GlobalPlatform keyset will not be written to cards with that factory keyset.
- You are recommended not to use a customer keyset version of 1, as many cards have factory key version 1 or 255.
- The customer keyset version must be different from the value entered for any other Key Algorithm; for example, you can have version 2 for 2DES and version 3 for AES128.
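The rules above are easy to get wrong on a system with several card types, and the failure mode is silent: MyID simply leaves the factory key in place. The following script is an added example, not MyID code, that encodes the version-number and algorithm rules from this section as a pre-go-live validator. The input format (one dictionary per keyset, mirroring the fields on the Factory and Customer tabs) and the keyset names in the sample data are assumptions; the rules it checks are the ones stated on this page.

```python
"""Pre-go-live checklist for a MyID GlobalPlatform key-set configuration.

Added example, not MyID code: it encodes the version-number and algorithm
rules from this section as a validator that can be run against the values
you intend to enter on the Factory and Customer tabs of the Manage
GlobalPlatform Keys workflow. The input format (a list of dicts per tab)
and the keyset names are assumptions; the rules are the ones stated above.
"""

# Secure channel chosen on the Factory tab -> customer key algorithm required.
# For SCP03 the customer algorithm must match the one chosen on the Factory tab.
CUSTOMER_ALGORITHM_FOR_CHANNEL = {
    "SCP01": "2DES",
    "SCP02": "2DES",
    "OTSCP03": "AES128",
    "SCP03": None,  # resolved from the factory keyset's own algorithm
}
SCP03_ALGORITHMS = {"AES128", "AES192", "AES256"}
MAX_CUSTOMER_VERSION = 127
INITIAL_KEYSET_VERSION = 255


def required_customer_algorithm(factory):
    """Customer key algorithm that a given factory keyset needs."""
    channel = factory["secure_channel"]
    if channel == "SCP03":
        if factory["algorithm"] not in SCP03_ALGORITHMS:
            raise ValueError(f"{factory['name']}: SCP03 requires an AES key, got {factory['algorithm']}")
        return factory["algorithm"]
    if channel not in CUSTOMER_ALGORITHM_FOR_CHANNEL:
        raise ValueError(f"{factory['name']}: unknown secure channel {channel}")
    return CUSTOMER_ALGORITHM_FOR_CHANNEL[channel]


def validate_gp_keys(factory_keysets, customer_keysets):
    """Return {'errors': [...], 'warnings': [...]} for the proposed configuration.

    Errors are conditions under which MyID will not write the customer keyset
    (or the configuration is inconsistent); warnings are the recommendations
    from this section (diversified, HSM-generated, avoid version 1).
    """
    errors, warnings = [], []
    factory_versions = {f["version"] for f in factory_keysets}

    # One customer keyset per algorithm, each with a distinct version number.
    customer_by_alg = {}
    version_owner = {}
    for c in customer_keysets:
        alg, ver = c["algorithm"], c["version"]
        if alg in customer_by_alg:
            errors.append(f"more than one customer keyset for {alg}")
        customer_by_alg[alg] = c
        if ver > MAX_CUSTOMER_VERSION:
            errors.append(f"customer {alg} version {ver} exceeds {MAX_CUSTOMER_VERSION}")
        if ver in factory_versions:
            errors.append(f"customer {alg} version {ver} equals a factory version; keyset would not be written")
        if ver in version_owner:
            errors.append(f"customer versions must differ per algorithm: {alg} and {version_owner[ver]} both use {ver}")
        version_owner[ver] = alg
        if ver == 1:
            warnings.append(f"customer {alg} uses version 1, which collides with common factory versions")
        if c.get("key_type") != "Diverse":
            warnings.append(f"customer {alg} should use Key Type: Diverse")
        if not c.get("generate_in_hsm"):
            warnings.append(f"customer {alg} should be generated in the HSM")

    # Every factory keyset must have a customer keyset it can be replaced by.
    for f in factory_keysets:
        fver = f["version"]
        if not (0 <= fver <= 127 or fver == INITIAL_KEYSET_VERSION):
            errors.append(f"{f['name']}: factory version {fver} must be 0-127 or 255")
        try:
            need = required_customer_algorithm(f)
        except ValueError as exc:
            errors.append(str(exc))
            continue
        c = customer_by_alg.get(need)
        if c is None:
            errors.append(f"{f['name']} ({f['secure_channel']}) needs a {need} customer keyset, none defined")
            continue
        if fver == INITIAL_KEYSET_VERSION and c["version"] == 1:
            errors.append(f"{f['name']}: factory version 255 cannot be paired with customer version 1")
    return {"errors": errors, "warnings": warnings}


# Constructed sample configuration mirroring the mixed estate described above.
FACTORY_KEYSETS = [
    {"name": "IDPrime PIV", "secure_channel": "SCP01", "algorithm": "2DES", "version": 255},
    {"name": "Oberthur ID-One", "secure_channel": "OTSCP03", "algorithm": "AES128", "version": 1},
]
CUSTOMER_KEYSETS = [
    {"algorithm": "2DES", "version": 2, "key_type": "Diverse", "generate_in_hsm": True},
    {"algorithm": "AES128", "version": 3, "key_type": "Diverse", "generate_in_hsm": True},
]

if __name__ == "__main__":
    result = validate_gp_keys(FACTORY_KEYSETS, CUSTOMER_KEYSETS)
    for level in ("errors", "warnings"):
        for msg in result[level]:
            print(f"{level[:-1].upper()}: {msg}")
    print("OK" if not result["errors"] else "FIX BEFORE GO-LIVE")
```

Run it against the values you plan to enter before issuing the first production card; the sample configuration passes cleanly, whereas changing the 2DES customer version to 1 produces both the "equals a factory version" error (the Oberthur factory keyset uses version 1) and the "255 cannot be paired with 1" error for the IDPrime cards. A clean run is not a substitute for the audit-log check described below, which confirms what actually happened on the card.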
See the Managing GlobalPlatform keys section in the Administration Guide for details (Manage Open Platform Keys in older versions).
To verify that the system has been configured correctly, issue a card, then examine the audit logs for the issuance. A row should appear in the Audit Reporting workflow indicating that the GlobalPlatform keyset was changed to Customer.
4.2.4 Considerations
When you issue a card with a customer GlobalPlatform key, if you intend to use the card on a different MyID installation, you must first cancel the card on the system on which it was issued – this changes the key back to the factory setting. A second installation does not hold the first system's customer key, so until the card is cancelled it cannot open a secure channel to the card and cannot manage it.
4.2.5 Recommendations
- You must configure your system for customer GlobalPlatform keys before your production system goes live.
- You must set up the GlobalPlatform key to be diversified and HSM-generated.
- Use the audit logs to confirm that the GlobalPlatform keys are being changed to customer values.