Reputation: 11
Having a quite newbie problem. But this question lingered for a very long time: We all know session keys used in SCP01/02/03 are derived from static keying materials. But I cannot figure out how those static keys are loaded on card! Maybe I read the spec too carelessly, yet I had searched the whole paper relating to those words of interest and I found nothing. Any boss could enlighten me? And could you by the way tell me something about the personalization process on its purpose? Please.
For those of you who might not have known the usage of the data "diversification data", just like me, here I quote a paragraph from "GlobalPlatform Card Specifications 2.1.1 & 2.1 17 FAQ":
Upvotes: 0
Views: 761
Reputation: 4444
With a brand-new NXP JavaCard and jcshell terminal. To change a static first key of value 1D9A55C27970FACEBABEDEC0DE4CCE55:
/terminal
/atr
/card
init-update
ext-auth enc
/set-var k 1D9A55C27970FACEBABEDEC0DE4CCE55
set-key 1/1/DES-ECB/${k} 1/2/DES-ECB/${k} 1/3/DES-ECB/${k}
put-keyset -m add -r 1 1
Remove the card and put back the card and then authenticate using new static key:
/card
/set-var k 1D9A55C27970FACEBABEDEC0DE4CCE55
set-key 1/1/DES-ECB/${k} 1/2/DES-ECB/${k} 1/3/DES-ECB/${k}
init-update 1
Here are some things that I observed. A brand-new card's default key index is FF, which means the static key is from manufacturing default. Once a new key is introduced, the default static keys are forever lost and the key index shall no longer be FF. Since we set the static key index to 1, then init-update must supply this index number. Otherwise, the card will choose this index number.
I can continue adding more static keys, but not delete. Static keys can only be changed in value or repositioned in index. I'm not messing with the 10 bytes diversification data yet, but I see them to be fixed for each card.
Upvotes: 0
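An added example, not part of the answer above or of jcshell: the key index and the 10 bytes of diversification data that the answer mentions both come back in the INITIALIZE UPDATE response, so an audit script can parse that response and flag cards still running on the factory key set. It goes beyond the SCP02 case in the answer by also handling the SCP01 layout and the SCP03 layout with 8-byte challenges; the sample bytes are constructed, and treating key version FF as "factory default" is taken from the answer's observation rather than guaranteed for every card.

```python
from dataclasses import dataclass
from typing import Optional

# Assumption taken from the answer above: an unpersonalised card reports key version FF.
FACTORY_KVN = 0xFF

@dataclass
class InitUpdateResponse:
    diversification_data: bytes          # 10 bytes, fixed per card
    key_version: int                     # static key set the card selected
    scp: int                             # 1, 2 or 3
    scp_i: Optional[int]                 # SCP03 "i" parameter only
    sequence_counter: Optional[bytes]    # SCP02 (2 bytes) or SCP03 pseudo-random mode (3 bytes)
    card_challenge: bytes
    card_cryptogram: bytes

    @property
    def uses_factory_keyset(self) -> bool:
        return self.key_version == FACTORY_KVN

def parse_init_update(resp: bytes) -> InitUpdateResponse:
    """Parse an INITIALIZE UPDATE response APDU (response data followed by SW1 SW2)."""
    if len(resp) < 2 or resp[-2:] != b"\x90\x00":
        raise ValueError("status word is not 9000: " + resp[-2:].hex())
    data = resp[:-2]
    if len(data) < 28:
        raise ValueError(f"response data too short: {len(data)} bytes")
    div, kvn, scp = data[:10], data[10], data[11]
    if scp == 0x01 and len(data) == 28:
        i, seq, chal, crypt = None, None, data[12:20], data[20:28]
    elif scp == 0x02 and len(data) == 28:
        i, seq, chal, crypt = None, data[12:14], data[14:20], data[20:28]
    elif scp == 0x03 and len(data) in (29, 32):
        i, seq, chal, crypt = data[12], data[29:32] or None, data[13:21], data[21:29]
    else:
        raise ValueError(f"unexpected SCP id {scp:#04x} with {len(data)} data bytes")
    return InitUpdateResponse(div, kvn, scp, i, seq, chal, crypt)

# Constructed sample responses (not captured from a real card).
FRESH = bytes.fromhex("00001122334455667788 FF02 0005 A1A2A3A4A5A6 C1C2C3C4C5C6C7C8 9000")
PERSONALISED = bytes.fromhex("00001122334455667788 0102 0006 A1A2A3A4A5A6 C1C2C3C4C5C6C7C8 9000")

if __name__ == "__main__":
    for name, raw in (("fresh", FRESH), ("personalised", PERSONALISED)):
        r = parse_init_update(raw)
        print(f"{name}: SCP{r.scp:02d} KVN={r.key_version:02X} "
              f"div={r.diversification_data.hex()} factory_keys={r.uses_factory_keyset}")
```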
Reputation: 2647
Your smartcard usually ships with default keys installed on the card. For most cards this is 404142..4F for all 3 DES keys in SCP02. So you might try the default key, otherwise ask your vendor/supplier/chip manufacturer for the keys. Beware that the chip locks itself after a certain amount of unsuccessful tries.
To change the keys for operational lifecycle, Global Platform offers the PUTKEY command, often also other proprietary chip-specific methods (e.g. STORE DATA or completely proprietary) may exist. If PUTKEY does not work, contact your vendor/supplier/chip manufacturer.
Upvotes: 2