Menu

Manage ODE decryption keys

Your UCM storage plugin can be used on a device that is secured with Samsung's On-Device Encryption (ODE). In such a case, the decryption key for ODE can be stored in your space, which means you must ensure that the decryption key is available to the Samsung boot loader early enough in the boot process to decrypt the device. To do so, implement the following.

Command-response APDU sequence

When the Samsung boot loader issues the following command APDU, your plugin must respond with the correct response APDU. The format of these APDUs closely follows the ISO/IEC 7816-4 specification but are not an exact implementation.

Command APDU Fields and Meaning

Field Name Description
CLA The type of command, instruction class
INS The specific command, instruction code
P1-P2 Instruction parameters for the command
Lc The number of bytes of command data
Data The command data
Le The maximum number of response bytes expected
Response data Response data
SW1-SW2 Command processing status

Command APDU: Get status of plugin

The following APDUs enable the boot loader to determine the lock state of the plugin as well as how many remaining attempts are available to unlock it.

Field Name Acceptable Values
CLA

0x80 - data on plugin is not encrypted

0x84 - data on plugin is encrypted

INS 0xCA
P1 0x00
P2 0xE2
Lc 0
Data None
Le Absent for encoding, Ne = 0 (will be ignored if present)

Response APDU

Note: The state of the plugin and the remaining number of attempts to get the plugin state must always be returned in the response APDU. Miscellaneous information is optional.

Response Bytes Description

Data Field

(BER-TLV)

TAG = 0x8A indicates the plugin state
Len = 1
DATA = 0x83: unlocked, 0x84: locked, 0x85: blocked

TAG = 0xC2 remaining number of attempts to get the plugin's state
Len = 1
DATA = count

TAG = 0xC3 miscellaneous information
Len = n indicates the number of characters, with a maximum of 10
DATA = string length of n

SW1-SW2

0x9000: Success

0x6B00: Invalid P1

0x6A82: Invalid P2

Command APDU: Verify PIN

The following APDUs enable the boot loader to verify the input PIN number and return the current state and remaining retry count. This requires two consecutive APDU commands. The first is a VERIFY APDU command, followed by the GET DATA APDU command (defined in getStatus) to get the applet state and miscellaneous information.

Field Name Acceptable Values
CLA

0x80 - data on plugin is not encrypted

0x84 - data on plugin is encrypted

INS 0x20
P1 0x00
P2 0x00
Lc Lenght of PIN
Data User PIN
Le Absent for encoding, Ne = 0 (will be ignored if present)

Response APDU

Response Bytes Description

Data Field

(BER-TLV)

None
SW1-SW2

0x9000: Success - PIN is valid

0x63CX: Error - PIN is not valid, X encondes the number of remaining retires

0x6B00: Invalid P1, P2

0x6A80: The command data-field is empty or contains incorrect data.

0x6982: The plugin's current state does not allow this to be processed.

Command APDU: Generate device encryption key (DEK)

The following APDUs enable the boot loader to generate the DEK, which is stored in the plugin.

Field Name Acceptable Values
CLA

0x80 - data on plugin is not encrypted

0x84 - data on plugin is encrypted

INS 0xCA
P1 0x00
P2 0xCE
Lc 0
Data None
Le Absent for encoding, Ne = 0 (will be ignored if present)

Response APDU

Response Bytes Description

Data Field

(BER-TLV)

None
SW1-SW2

0x9000: Success

0x6B00: invalid P1

0x6A82: Invalid P2

0x6982: The plugin's current state does not allow this to be processed.

Command APDU: Generate DEK and return wrapped DEK

The following APDUs enable the boot loader to generate the DEK and return the wrapped DEK. ODE stores the DEK on the device's non-volatile memory.

Field Name Acceptable Values
CLA

0x80 - data on plugin is not encrypted

0x84 - data on plugin is encrypted

INS 0xCA
P1 0x00
P2 0xCF
Lc 0
Data None
Le Absent for encoding, Ne = 0 (will be ignored if present)

Response APDU

Response Bytes Description

Data Field

(BER-TLV)

TAG = 0xCF to indicate wrapped DEK
LEN = length of wrapped DEK
Data = wrapped DEK

SW1-SW2

0x9000: Success

0x6B00: invalid P1

0x6A82: Invalid P2

0x6982: The plugin's current state does not allow this to be processed.

Share it: