Media Keys; Secure Object Keys - HID CP1000 User Manual
1.1.3 Media Keys

The keys used to authenticate to a credential before performing read/write operations are called
media keys. For example, the debit and credit keys of a page in iCLASS credentials are media keys. For
MIFARE Classic, Key A and Key B of a sector are the media keys, and for DESFire EV1 the application
keys as well as the PICC master key are examples of media keys. The length of these keys, and the
cryptographic algorithms that use them (for example, the authentication algorithm), depend on the
credential/media technology.
A typical encoding operation uses the default/known media key to authenticate to the blank
credential, creates the application, writes the credential data, and finally changes the key to the value
specified by the user. Note that the new value can be a diversified key, which reduces the attack
surface: every credential then carries a different value for its media keys, so a key recovered from
one card does not authenticate to any other. For the newer and more secure credentials (for example,
Secure Objects) the diversification uses the NIST SP 800-108 key derivation algorithm, whereas
older/legacy credentials use proprietary key diversification algorithms from HID Global and/or chip
vendors such as NXP.
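The following is an added example, not code from the HID manual or from HID's encoder software. It implements the NIST SP 800-108 counter-mode KDF the paragraph refers to and uses it to derive a per-card media key from a master key and the card UID, then simulates the encoding step (authenticate with the known default key, replace it with the diversified key). Everything beyond the standard's formula is an assumption: the PRF is HMAC-SHA256 from the Python standard library (encoders typically use AES-CMAC as the PRF; only prf() would change), the Label is the application name, the Context is the card UID, the derived key is 128 bits, the all-zero default key, and the sample UIDs are constructed for the example.

```python
"""NIST SP 800-108 counter-mode KDF for per-card media key diversification.

Added example, not HID code. Assumptions (not taken from the manual):
  - PRF: HMAC-SHA256 (stdlib). Real encoders commonly use AES-CMAC; swap prf().
  - Label = application name, Context = card UID, output = 16-byte AES-128 key.
  - Blank cards carry an all-zero default key (illustrative only).
"""
import hashlib
import hmac

PRF_OUT_LEN = hashlib.sha256().digest_size  # 32 bytes per PRF call


def prf(key: bytes, data: bytes) -> bytes:
    """PRF for the KDF. HMAC-SHA256 is one of the PRFs SP 800-108 permits."""
    return hmac.new(key, data, hashlib.sha256).digest()


def kdf_counter(master_key: bytes, label: bytes, context: bytes, out_len: int) -> bytes:
    """SP 800-108 KDF in counter mode.

    K(i) = PRF(K_I, [i]_2 || Label || 0x00 || Context || [L]_2), i = 1..n
    output = K(1) || ... || K(n) truncated to out_len bytes, L = out_len * 8 bits.
    """
    if out_len <= 0:
        raise ValueError("out_len must be positive")
    bit_len = out_len * 8
    if bit_len >= 1 << 16:
        raise ValueError("L must fit in the 2-byte length field")
    n = -(-out_len // PRF_OUT_LEN)  # ceil(out_len / PRF_OUT_LEN)
    fixed_input = label + b"\x00" + context + bit_len.to_bytes(2, "big")
    blocks = [prf(master_key, i.to_bytes(2, "big") + fixed_input) for i in range(1, n + 1)]
    return b"".join(blocks)[:out_len]


def diversified_media_key(master_key: bytes, app_label: bytes, card_uid: bytes,
                          key_len: int = 16) -> bytes:
    """Per-card key: same master key, different UID -> unrelated key."""
    return kdf_counter(master_key, app_label, card_uid, key_len)


# Assumed transport key on a blank card (known to anyone, so it must be replaced).
DEFAULT_MEDIA_KEY = bytes(16)


def personalize(master_key: bytes, app_label: bytes, blank_cards):
    """Simulate the encoding step for a batch of (uid, current_key) cards.

    Authentication with the default key is the precondition for changing the
    key; a card that no longer holds it is refused instead of being re-keyed.
    Returns {uid: diversified_key} for the cards that were encoded.
    """
    issued = {}
    for uid, current_key in blank_cards:
        if not hmac.compare_digest(current_key, DEFAULT_MEDIA_KEY):
            raise PermissionError(f"card {uid.hex()} does not hold the default key")
        issued[uid] = diversified_media_key(master_key, app_label, uid)
    return issued


# Constructed sample data for the example (not real keys or cards).
MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
APP_LABEL = b"EXAMPLE-ACCESS"
SAMPLE_CARDS = [
    (bytes.fromhex("04a1b2c3d4e5f6"), DEFAULT_MEDIA_KEY),
    (bytes.fromhex("04a1b2c3d4e5f7"), DEFAULT_MEDIA_KEY),
]

if __name__ == "__main__":
    for uid, key in personalize(MASTER_KEY, APP_LABEL, SAMPLE_CARDS).items():
        print(uid.hex(), "->", key.hex())
```

The two sample UIDs differ in one byte, yet receive unrelated keys; changing the Label (a different application on the same card) also yields a different key, which is what lets one master key serve several applications without key reuse.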
For all credentials/media, the keys fall into one of these categories:
HID Managed Standard Media Keys: These keys are managed securely by HID and are intended
for the general customer base.
HID Managed Elite Media Keys: These keys are managed securely by HID and are specific to
customers who participate in the Elite program. For example, an Elite customer identified by
ICE0000 has a different set of media keys than one identified by ICE0133.
Customer Generated and Managed Keys: These keys are either generated by the encoder
solution and/or entered by the customer. The keys reside in the encoder SAM and can be
exported in encrypted form for archiving. Once created, knowledge of the plaintext key is the
responsibility of the administrator; custom keys are not archived by HID.
All HID managed keys are delivered in the form of static SNMP messages targeted to the encoder
for which they were requested. Typically, the customer reads the engineId of the encoder device
using the host application and orders the appropriate key set (for example: standard, ICEXXX, etc.)
from HID Global. The keys are delivered as a file that contains the static messages, and the host
application provides the user interface needed to load them into the encoder SAM.
Custom keys can be exported from the encoder device. The export format is again an SNMP
message, protected using the OEM Admin keys.
1.1.4 Secure Object Keys

The newer and more secure credentials used by HID Global readers are based on Secure Object
(SO) technology. While it is outside the scope of this document to describe SO technology in detail,
in simple terms an SO is a structured credential based on state-of-the-art industry standards, which
ensures extensibility of the credential structure and uses industry-validated and approved security
algorithms and mechanisms. The most important aspect of an SO is that it provides an additional
layer of security for the credential, so that security does not rely solely on the mechanisms of the
chip/media silicon vendor.
Much like an SNMP message, an SO also has a notion of encryption and signature. To reduce the
size of a secure object credential, an Authenticated Encryption with Associated Data (AEAD)
algorithm called EAX' (read as EAX prime) is used. In simple terms, with EAX' one key can be used
July 2017
Overview
Page 1-3
PLT-01067, Version: A.7