OPEN SECURE CHANNEL Command
This APDU command is the first step to open secure channel and establish a Secure Channel session. For more information on secure channels and APDU, you can visit the GlobalPlatform official website. A session is aborted when the application is deselected, either directly or because of a card power off or tear away.
def open_secure_channel(PairingKey):
card.open_secure_channel(PairingKey)
# For example:
open_secure_channel(b"Cryptnox_Basic_PairingKey_String")
Open Secure Channel and Application Protocol Data Unit (APDU) Components
The following table outlines the components of the Application Protocol Data Unit (APDU) used in the Open Secure Channel process.
Field | Description | Value |
CLA | This field specifies the class of the instruction. | 0x80 |
INS | This field specifies the particular command or operation that the smart card or secure element should execute. | 0x10 |
P1 | First parameter of the instruction that specifies the details about the operation being requested. | The pairing key index |
P2 | First parameter of the instruction that specifies additional details about the operation being requested. | 0x00 |
Data | Key data | An EC-256 public key on the SECP256r1 curve encoded as an uncompressed point. |
Note
The card generates a random 256-bit salt which is sent to the client. Both the client and the card do the following for key derivation :
- Use their private key and the counterpart public key to generate a secret using the EC-DH algorithm.
- The generated secret, the pairing key and the salt are concatenated and the SHA-512 of the concatenated value is calculated.
- The output of the SHA-512 algorithm is split in two parts of 256 bits. The first part is used as the encryption key and the second part is used as the MAC key for communication auth and integrity.
When P1=0xFF, the pairing key used is SHA256^32 (PUKcode). That way, the PUK can be used as a pairing key, and a user losing her pairing key can still use the PUK to access the card. For the mutual auth, any IV can be used. Then the IV to use is the latest MAC field received.
Response
The following table outlines the possible responses that you will receive:
Response Code | Description |
0x9000 | Success |
0x6A86 | P1 is invalid |
0x6A80 | The data is not a public key |
Product Documentation
Admin Commands
Signature Commands