Educational

SCP03 Session Walkthrough

An annotated, educational walkthrough of GlobalPlatform SCP03 (AES-128) — INITIALIZE UPDATE, EXTERNAL AUTHENTICATE, the host/card challenges and cryptograms, and the per-session keys derived for C-MAC, R-MAC, and ENC. No production crypto runs in your browser.

Walkthrough

Step 1Host generates a challenge

8 random bytes (host_challenge), sent as part of INITIALIZE UPDATE. CLA=0x80 INS=0x50.

Step 2Card responds

Returns key diversification data, key info (SCP03 / AES-128), card_challenge (8 bytes), card_cryptogram (8 bytes), and a sequence counter.

Step 3Derive session keys

From the static keys (S-ENC, S-MAC, S-DEK) and the two challenges, both sides derive session keys (C-MAC, R-MAC, S-ENC) via the GP key-derivation function.

Step 4Verify card cryptogram

Host recomputes CMAC(S-MAC, "card cryptogram context") and verifies the card-supplied 8-byte cryptogram. Mismatch → abort.

Step 5Send EXTERNAL AUTHENTICATE

Host computes its own cryptogram (over context including both challenges) and sends it in EXTERNAL AUTHENTICATE. CLA=0x84 INS=0x82. Card verifies — mutual authentication complete.

Step 6Secure messaging in effect

From now on, every command APDU is wrapped: encrypted body (AES-CBC), C-MAC over header+body. Sequence counter increments; replay rejected.

Educational only. Real SCP03 keys live in HSMs and on the secure element. They are never exposed to host software. This page is annotation, not a runnable simulator.

All decoding runs locally.

About SCP03

SCP03 is the AES-based secure-channel protocol from GlobalPlatform 2.3.1 Amendment D. It supplants SCP02 (3DES) for new deployments. Three security levels: C-MAC, C-MAC + C-DECRYPTION, and the same with R-MAC. Choose the level that matches your threat model — passive eavesdropper (C-MAC) vs active man-in-the-middle (C-MAC + C-DECRYPTION).

Spec

GlobalPlatform 2.3.1 Amendment D — Secure Channel Protocol '03'.

Companion

CLA decoder · APDU parser

Reading

JavaCard reference