8.1 Keys for Thales authentication devices
This section provides information you need when setting up keys for Thales authentication devices.
8.1.1 Secure Channel Protocol
The Secure Channel Protocol (SCP) is used in the Manage GlobalPlatform Keys workflow.
When configuring your GlobalPlatform keys, use the following Secure Channel Protocol:
| Smart card | SCP |
|---|---|
| IDPrime PIV Card v2.0 | SCP03 |
| IDPrime PIV Card v2.1 | SCP03 |
| IDPrime PIV Card v3.0 | SCP03 |
8.1.2 Cryptographic keys for IDPrime PIV cards
When you configure the cryptographic keys, use the following details:
| | IDPrime PIV Card v2.0 | IDPrime PIV Card v2.1 | IDPrime PIV Card v3.0 |
|---|---|---|---|
| Credential Type in MyID | Gemplus PIV V2 | Gemplus PIV V21 | Gemplus PIV V3 |
| GlobalPlatform Secure Channel | SCP03 | SCP03 | SCP03 |
| Factory GlobalPlatform Key Type | AES128 | AES128 | AES128 |
| Factory GlobalPlatform Key Diversification Algorithm | Diverse108 | Diverse108 | Diverse108 |
| Factory PIV 9B Key Encryption Type | 3DES or AES128 | AES128 | AES128 |
| PIV 9B Factory Key Diversity | Static | Static | Static |
| Recommended PIV 9B Customer Key Diversity | Diverse2 | Diverse2 | Diverse2 |
8.1.3 Cryptographic keys for Thales minidriver devices
For Thales minidriver-based cards (for example, IDPrime MD830, MD831, MD840, MD3810, MD3840, SafeNet eToken 5110 CC, SafeNet eToken 5110+ FIPS Level 2, or SafeNet eToken 5110+ FIPS Level 3), the card technology supports GlobalPlatform keys, but the actual cryptographic key details depend on the cards you order from the manufacturer. For example, the manufacturer may provide you with the necessary cryptographic key details (secure channel, GlobalPlatform keys, and so on), or the cards may be shipped with diversified keys that the manufacturer keeps private.
To issue cards whose keys are unknown, you must disable customer GlobalPlatform keys within MyID for this device type – use the settings on the Devices page of the Security Settings workflow. Disabling customer GlobalPlatform keys produces a security message within MyID; for information about disabling this warning, contact customer support to discuss your requirements, quoting reference SUP-273.
See also the Securing Devices section in the System Security Checklist document for important information about device security.