This update of GlobalPlatform Card Specification Amendment F: Secure Channel Protocol '11' adds support for the X.509 certificate format; extends support of authorization rules (tag 'BF20') to SCP11a; introduces new options for the SCP11 'i' parameter; clarifies the SecureChannel.processSecurity(..) method; adds functionality to the STORE DATA and GET DATA commands; broadens the applicability of the Card Content Transaction mechanism and the SD Self-Deletion mechanism; and extends Cumulative Delete to allow cumulatively deleting an SD (and its sub-hierarchy) at any level, not only at root level.
Previous Version(s)
This update of GlobalPlatform Card Specification Amendment F: Secure Channel Protocol '11' aligns with the recently published SCP03 on longer checksums, changes the API between an application on the SE and its Security Domain so that the application can retrieve data objects related to the secure channel (especially certificates) from the SD, and adds a few other clarifications.
This document specifies a secure channel protocol, named Secure Channel Protocol '11' (SCP11), based on Elliptic Curve Cryptography (ECC) for mutual authentication and secure channel initiation and on AES for secure messaging. This document is a maintenance release of v1.2.
This version of Amendment F adds a new variant of Secure Channel Protocol '11', named SCP11c, which uses ephemeral keys only on the off-card side. This allows card management scripts to be created off-line; using the same key pairs and certificates for a group of cards enables such scripts to be processed by the whole group. In addition, SCP11c adds a mechanism that allows a script to be transaction protected, with a rollback occurring upon error.
This update of Secure Channel Protocol '11' introduces the management of several CAs, as well as the concept of a subordinate Key Authority (KA) to which a CA may delegate the diversification of keys and certificates. This concept applies to both the CA-KLCC and CA-KLOC roles and is optionally supported by a Security Domain implementing the SCP11 protocol.