SCP03 Helper
An educational companion to the SCP03 walkthrough: derive the S-ENC, S-MAC, and S-RMAC session keys plus the host and card cryptograms from static keys and challenges, using AES-CMAC and the SP 800-108 KDF entirely in your browser.
What this tool does
SCP03 is GlobalPlatform's AES-based Secure Channel Protocol: the handshake a host (a card-management tool or backend) and a secure element run to agree on fresh session keys before exchanging confidential, integrity-protected APDUs. This helper reproduces the cryptographic core of that handshake so you can follow the maths with concrete numbers. Given the two static base keys and the two challenges, it computes the three session keys and both cryptograms exactly as GlobalPlatform Amendment D specifies.
Under the hood, every value is produced by a NIST SP 800-108 counter-mode key-derivation function whose pseudo-random function is AES-CMAC. Because the Web Crypto API ships AES but no CMAC, the tool implements RFC 4493 itself — generating the K1/K2 subkeys and the MAC on top of crypto.subtle AES-CBC with a zero IV. The CMAC implementation reproduces the published RFC 4493 AES-128 test vectors, so the building block underneath the KDF is verifiable rather than hand-waved.
When to use it
Reach for this when you are learning or debugging an SCP03 flow: checking why a card rejected your EXTERNAL AUTHENTICATE, confirming that your own KDF produces the same session keys as a reference, or teaching the difference between S-ENC, S-MAC, and S-RMAC. It pairs naturally with the step-by-step SCP03 walkthrough, which narrates the protocol exchange, while this page gives you the numbers. If you only need the MAC-length or padding rules, the CMAC length reference is lighter weight.
Inputs and outputs
The four inputs are all hexadecimal. K-ENC and K-MAC are the static base keys provisioned on the card; each is a 16-, 24-, or 32-byte AES key (AES-128/192/256) and both must be the same length. The host challenge and card challenge are each exactly 8 bytes — the host generates one, the card returns the other, and their concatenation (host || card) forms the KDF context.
Session keys
S-ENC (constant 0x04), S-MAC (0x06), and S-RMAC (0x07), each derived to the base-key length.
Cryptograms
Card cryptogram (0x00) and host cryptogram (0x01), each 8 bytes, derived under the freshly computed S-MAC.
Context
The 16-byte host || card challenge concatenation that ties every derivation to this one session.
Common mistakes
- Swapping the two cryptograms. The card returns the card cryptogram in INITIALIZE UPDATE; the host sends the host cryptogram in EXTERNAL AUTHENTICATE. They are derived with different constants (0x00 vs 0x01) and are not interchangeable.
- Reversing the challenge order. The context is host || card, not card || host. Reversing it changes every output.
- Mismatched key lengths. SCP03 uses the same AES key length for K-ENC and K-MAC; mixing a 16-byte and a 24-byte key is not a valid configuration.
- Treating this as production crypto. There is no channel state, no command counter, and no key wrapping here. It is a calculator for the derivation, not a secure channel.
- Pasting real keys. Even though everything runs locally, a webpage is the wrong place for production key material — use throwaway test values.
Related tools
SCP03 walkthrough
Step-by-step narration of the SCP03 protocol exchange and APDUs.
Key diversification
How per-card keys are derived from a master key in a SAM.