Monday 28 May 2012

PUT KEY command: way to encrypt key data value and get key check value for SCP 02


Key Encryption and Decryption (Card Specification v 2.0.1)

Key encryption is used when transmitting key data to the card and is over and beyond the security level required for the Secure Channel i.e. all DES keys transmitted to a card (PUT KEY command) should be encrypted.

The key encryption process uses the static Key Encryption Key (KEK/DEK) and the encryption method described in section 12.1.3 (ECB mode). As all DES keys are by their very nature a multiple of 8 bytes in length, no padding is required for key encryption operations.

The encryption is performed across the key data and the result of each encryption becomes part of the encrypted key data. This encrypted key data becomes part of the clear text data field in the command message.

The on-card decryption of key data is the exact opposite of the above operation.

Key verification (Card Specification v 2.0.1)

In order to verify that the card received the correct key, each DES key transmitted to the card in the PUT KEY command has an associated key check value.

The check value generation process uses the clear text key using the encryption method described in section 12.1.3. The data to be encrypted is binary zeroes and as it is defined to be 8 bytes, no padding is required. The encryption is performed across the 8 binary zeroes and only the 3 right most bytes of the result are required as a check value. As with the encrypted keys the check value becomes part of the clear text data field in the command message.

Following the decryption of the keys, on-card verification of the key is achieved by performing the exact same operation as defined above and comparing the 3 right most bytes of the encryption with the check value in the data field.


Log (host trace; the part before "SW" is what the host sent, the part after it is the card's response data followed by the status word):

//SELECT the Issuer Security Domain (AID A0000001510000); 6111 = 0x11 response bytes waiting
00A4040007A0000001510000SW6111
//GET RESPONSE: FCI with the ISD AID
00C0000011SW6F0F8407A0000001510000A5049F6501FF9000
//INITIALIZE UPDATE, P1=00 (card's default key version), host challenge BD4E6A713DD7D805
8050000008BD4E6A713DD7D805SW611C
//GET RESPONSE: diversification data (10 bytes) || key version FF || SCP 02 || sequence counter 0001 || card challenge 0C6892C3B73C || card cryptogram FE58E93B5ECF185E
00C000001CSW00000000000000000000FF0200010C6892C3B73CFE58E93B5ECF185E9000
//EXTERNAL AUTHENTICATE, P1=00 (security level: no C-MAC / C-DECRYPTION on later commands), host cryptogram || C-MAC
8482000010B88BB23C01C42F1A49D2357B41AC2E93SW9000
//PUT KEY, sent in clear because of the security level above; only the key value inside it is encrypted (steps 1-4 below)
80D8000117218010D09780F8AB1875477824E706C2E208BB0320309BSW9000
//GET RESPONSE: new key version 21 || key check value 20309B computed by the card
00C0000004SW2120309B9000

Way to encrypt key data value and get Key Check Value (SCP 02)

1. Derive the session DEK from the static KEK/DEK (the card derives the same key on its side from the sequence counter it returned in the INITIALIZE UPDATE response):

derivation data: 0181 || sequence counter 0001 || 12 zero bytes = 01810001000000000000000000000000
static KEK/DEK: 505152535455565758595A5B5C5D5E5F
//3DES CBC (two-key triple DES), zero IV, over the 16-byte derivation data:
session DEK: 8D2FA346ED9E2A4E15E100B07328E7A2

2. Encrypt the new key value under the session DEK:

data value: 404142434445464748494A4B4C4D4E4D (the new key you want to add/change; note that it ends in 4E4D, not 4E4F)
session DEK: 8D2FA346ED9E2A4E15E100B07328E7A2
//3DES ECB, no padding (a DES key is always a multiple of 8 bytes):
ENCdata: D09780F8AB1875477824E706C2E208BB

3. Compute the key check value over the clear-text new key:

data value: 0000000000000000 (8 zero bytes, so no padding)
key: 404142434445464748494A4B4C4D4E4D (the new key itself, not the DEK)
//3DES ECB gives 20309B5AEC51125E; the KCV is the first (left-most) 3 bytes, which is exactly what the card echoes back in step 4:
Key Check Value: 20309B

4. Build the PUT KEY command:

//80 D8 00 01 17 = CLA INS P1 P2 Lc: P1=00 adds a new key (a non-zero P1 names the key version being replaced), P2=01 is the key identifier, Lc=0x17 (23 data bytes)
//data = 21 (new key version) || 80 (key type: DES) || 10 (key length 16) || ENCdata || 03 (KCV length) || KeyCheckValue
80D8000117218010D09780F8AB1875477824E706C2E208BB0320309BSW9000
//the card decrypts the key with its own session DEK, recomputes the KCV and returns new key version 21 || KCV 20309B; a mismatch means the key was not installed
00C0000004SW2120309B9000
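The four steps above, and the spec text on key encryption and verification before the log, as one runnable host-side routine. This is an added example and not the post's own tooling: the function names are mine, the 3DES primitives come from the `cryptography` package (pycryptodome as a fallback), and the key, sequence counter and expected values are the ones in the post's log. It also parses the INITIALIZE UPDATE response to show where the sequence counter 0001 comes from, and checks the card's reply (21 || 20309B) the way a host should.

```python
# Added example, not code from the original post: host-side SCP02 PUT KEY
# preparation (session DEK derivation, key-data encryption, KCV, APDU) checked
# against the values logged on the page. Function names are mine; the 3DES
# primitives come from the `cryptography` package, with pycryptodome as fallback.
try:
    try:  # cryptography >= 43 moved TripleDES to the "decrepit" namespace
        from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
    except ImportError:
        from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES
    from cryptography.hazmat.primitives.ciphers import Cipher, modes

    def _tdes(key24, mode, data, decrypt=False):
        cipher = Cipher(TripleDES(key24), mode)
        op = cipher.decryptor() if decrypt else cipher.encryptor()
        return op.update(data) + op.finalize()

    def _ecb(key24, data, decrypt=False):
        return _tdes(key24, modes.ECB(), data, decrypt)

    def _cbc_zero_iv(key24, data):
        return _tdes(key24, modes.CBC(bytes(8)), data)
except ImportError:  # pycryptodome
    from Crypto.Cipher import DES3

    def _ecb(key24, data, decrypt=False):
        c = DES3.new(key24, DES3.MODE_ECB)
        return c.decrypt(data) if decrypt else c.encrypt(data)

    def _cbc_zero_iv(key24, data):
        return DES3.new(key24, DES3.MODE_CBC, iv=bytes(8)).encrypt(data)

# SCP02 key-derivation constants: S-ENC, C-MAC, DEK
DERIV_ENC, DERIV_MAC, DERIV_DEK = b"\x01\x82", b"\x01\x01", b"\x01\x81"


def _k24(key16):
    """Expand a 16-byte GP key to K1||K2||K1 (two-key triple DES)."""
    assert len(key16) == 16
    return key16 + key16[:8]


def parse_initialize_update_response(resp):
    """Split the 28-byte SCP02 INITIALIZE UPDATE response into its fields."""
    assert len(resp) == 28
    return {"diversification_data": resp[:10], "key_version": resp[10], "scp": resp[11],
            "sequence_counter": resp[12:14], "card_challenge": resp[14:20],
            "card_cryptogram": resp[20:]}


def scp02_session_key(static_key, constant, sequence_counter):
    """Session key = 3DES-CBC, zero IV, over constant || counter || 12 zero bytes."""
    derivation_data = constant + sequence_counter + bytes(12)
    return _cbc_zero_iv(_k24(static_key), derivation_data)


def kcv(key):
    """Key check value: first 3 bytes of 3DES-ECB of eight zero bytes under the key."""
    return _ecb(_k24(key), bytes(8))[:3]


def encrypt_key_data(session_dek, new_key):
    """Key data for PUT KEY: 3DES-ECB under the session DEK, no padding."""
    assert len(new_key) % 8 == 0, "DES keys are multiples of 8 bytes, nothing to pad"
    return _ecb(_k24(session_dek), new_key)


def decrypt_key_data(session_dek, enc_key):
    """What the card does on receipt: the exact inverse of encrypt_key_data."""
    return _ecb(_k24(session_dek), enc_key, decrypt=True)


def build_put_key(new_key_version, key_id, enc_key, check, replaced_version=0x00):
    """PUT KEY for one DES key. P1 = key version being replaced (00 = add a new key),
    P2 = key identifier; data = new version || 80 (DES) || len || enc key || len(KCV) || KCV."""
    data = bytes([new_key_version, 0x80, len(enc_key)]) + enc_key + bytes([len(check)]) + check
    return bytes([0x80, 0xD8, replaced_version, key_id, len(data)]) + data


def put_key_response_ok(resp, new_key_version, expected_kcv):
    """The card answers with new key version || KCV of the key it actually stored."""
    return resp == bytes([new_key_version]) + expected_kcv


# Values taken from the post's log
STATIC_DEK = bytes.fromhex("505152535455565758595A5B5C5D5E5F")
INIT_UPDATE_RESP = bytes.fromhex("00000000000000000000FF0200010C6892C3B73CFE58E93B5ECF185E")
NEW_KEY = bytes.fromhex("404142434445464748494A4B4C4D4E4D")  # ends in 4E4D, as in the post


def worked_example():
    seq = parse_initialize_update_response(INIT_UPDATE_RESP)["sequence_counter"]
    session_dek = scp02_session_key(STATIC_DEK, DERIV_DEK, seq)
    enc = encrypt_key_data(session_dek, NEW_KEY)
    check = kcv(NEW_KEY)
    apdu = build_put_key(0x21, 0x01, enc, check)
    return {"sequence_counter": seq, "session_dek": session_dek,
            "enc_key": enc, "kcv": check, "apdu": apdu}


if __name__ == "__main__":
    for name, value in worked_example().items():
        print(f"{name:17}{value.hex().upper()}")
```

Two points worth keeping in mind when reusing this: the EXTERNAL AUTHENTICATE in the log was sent with security level 00, so the PUT KEY itself carries no C-MAC and the new key's confidentiality rests entirely on the DEK encryption, with the card's echoed KCV as the only integrity check; and the KCV is computed from the clear key and travels in clear, so it is a 24-bit check on correctness, not a secret.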

PUT KEY command structure
