Secure Channel Key; Credential Credit Management - HID CP1000 User Manual

Asure ID iCLASS SE desktop encoder

to perform both encryption and signing of the SO credential. This key is called the SO encryption
key.
Note: It is called an encryption key but it also performs signature verification.
The SO encryption key could be managed by HID as a standard key and/or an Elite key, which is
similar to the management of Media keys described earlier. We also provide support for creating a
customer-managed SO encryption key; however, an SO credential that is protected using such a key is
not managed via HID and also has an additional signature using HID Global's license key.
Additional information about secure objects can be requested from HID Global.
1.1.5 Secure Channel Key

The messages that are exchanged between a host application and the encoder device are
transferred over a mandatory secure channel. The secure channel ensures the confidentiality and
authenticity of the messages between the host application and the encoder device.
The encoder comes with a default value for the secure channel key, and very much like the OEM
Admin keys, the host application prompts you to provide a new value for the secure channel key.
This secure channel key is stored on a per user basis.
The secure channel mechanism is based on a slightly modified GlobalPlatform SCP secure channel
protocol. You can request more information about the secure channel from HID Global.

1.1.6 Credential Credit Management

All transactions with credentials are enabled by credential credits. These are discrete tokens that are
consumed with each transaction until none remain or until additional credits are ordered and
applied to the encoder.
The term Credential Credit refers to the tokens purchased from HID that enable all credential write
transactions. The iCLASS SE Encoder is enabled until the authorized credits have been exhausted;
then you must request additional credits from HID Global.
The management of credits can be understood as a type of counter. When a customer orders "X"
credits, the counter is increased by "X" and the encoder is enabled until the counter is decremented
to 0, or until more credits are ordered.
The following attributes are the building blocks to define a transaction which is enabled by a
Credential Credit Token.

| Technology | Application | Security | Media |
|---|---|---|---|
| iCLASS | HID | Standard | Genuine HID |
| MIFARE Classic | SIO | Elite | Third Party |
| MIFARE DESFire EV1 | Custom | Custom | Third Party |
| Prox | HID | Standard | Genuine HID |
| Seos | SIO | Elite | Genuine HID |

For example: To encode iCLASS with HID Access Control application and Standard keys, this
transaction would require a different credential credit token than the same transaction using Elite
keys.

PLT-01067, Version: A.7
July 2017
