Can we limit 'Security Level' in Secure Channel Protocol (SCP) 02 communication?

Question

I have a situation where I want to load and install an applet on card. SCP_02 will be used to perform authentication with ISD or CM. But I want SCP_02 authentication to be performed only with maximum security, i.e. C-MAC and encryption. No other security level should be allowed by ISD (or by any additional SSD, where required).

Is it possible to achieve this?

---

Expected result with external-authenticate (Ex-Auth) command:

Plain Ex-Auth: 8482000010f7d23150e635fd93d4e5ef76368f3d68
Expected Response : 6986

C-MAC Ex-Auth: 8482010010f7d23150e635fd93d4e5ef76368f3d68
Expected Response : 6986

Enc + C-MAC Ex-Auth: 8482030010f7d23150e635fd93d4e5ef76368f3d68
Expected Response : 9000 (authentication successful)

Answer 1

There is no mechanism in the Global Platform specification that matches your needs. Your two possiblities that I see are:

• use card proprietary settings and conventions
• as I see your other questions which is related to Personalization of applets, you could do the following in your applet:
  1. Select your applet to be personalized
  2. perform init-update and ext-auth against the applet directly and use SecureChannel.processSecurity() to redirect the authentication process to the secury domain
  3. check the security Level with SecureChannel.getSecurityLevel()