This document specifies a secure channel protocol, named Secure Channel Protocol '11' (SCP11), based on Elliptic Curve Cryptography (ECC) for mutual authentication and secure channel initiation, and on AES for secure messaging. This document is a maintenance release of v1.2.
This version of Amendment F adds a new variant of Secure Channel Protocol '11', named SCP11c, which uses ephemeral keys only on the off-card side. This allows card management scripts to be created off-line. Using the same key pairs and certificates for a group of cards allows such a script to be processed by every card in the group. In addition, SCP11c adds a mechanism that allows a script to be transaction protected, with a rollback occurring upon error.
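The off-card-only ephemeral key property described above, as an added example that is not part of Amendment F or of any GlobalPlatform code: a Go model in which the off-card side draws a fresh ephemeral P-256 key per script while each card holds only a static key. The script container, the key derivation (SHA-256 over the ECDH secret) and the use of AES-GCM are assumptions of this model, not SCP11's actual key derivation or secure messaging; the point shown is that a script prepared off-line against one static public key is accepted by every card provisioned with that key and rejected by any other.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

// Script is a management script prepared off-line: the off-card ephemeral
// public key plus the AES-GCM protected command body (not the SCP11 format).
type Script struct {
	OffCardEphemeral *ecdh.PublicKey
	Body             []byte
}

// sessionAEAD is the step both sides run: ECDH with the peer's public key, then
// a placeholder KDF (SHA-256 truncated to AES-128; not SCP11's) into AES-GCM.
func sessionAEAD(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(peer)
	if err != nil { return nil, err }
	k := sha256.Sum256(shared)
	block, _ := aes.NewCipher(k[:16]) // 16-byte key: NewCipher cannot fail
	return cipher.NewGCM(block)
}

// PrepareScript runs off-card with no card present: only the group's static
// public key is needed, and a fresh ephemeral key is drawn for this script.
func PrepareScript(cardStaticPub *ecdh.PublicKey, commands []byte) (Script, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil { return Script{}, err }
	gcm, err := sessionAEAD(eph, cardStaticPub)
	if err != nil { return Script{}, err }
	// A fresh ephemeral key means a fresh AES key per script, so the fixed
	// nonce is used once per key; the ephemeral public key is bound as AAD.
	nonce := make([]byte, gcm.NonceSize())
	body := gcm.Seal(nil, nonce, commands, eph.PublicKey().Bytes())
	return Script{eph.PublicKey(), body}, nil
}

// ProcessOnCard recomputes the shared secret from the card's static key and the
// script's ephemeral key: no card-side ephemeral key is involved, so every card
// holding the same static key accepts the script, and any other card fails.
func ProcessOnCard(cardStatic *ecdh.PrivateKey, s Script) ([]byte, error) {
	gcm, err := sessionAEAD(cardStatic, s.OffCardEphemeral)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	return gcm.Open(nil, nonce, s.Body, s.OffCardEphemeral.Bytes())
}
```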
This update of Secure Channel Protocol '11' introduces the management of several CAs, as well as the concept of a subordinate Key Authority (KA) to which a CA may delegate the diversification of keys and certificates. This concept applies to both the CA-KLCC and CA-KLOC roles and is optionally supported by a Security Domain implementing the SCP11 protocol.