 

How to choose Secure Channel Protocol to use?

What does it mean that some smart cards support SCP 01 and SCP02? And how to choose between those two? Is it predefined in the security domain, or is there some command to select one or the other?

Mario Drzic asked Dec 14 '22 07:12



1 Answer

What does it mean that some smart cards support SCP 01 and SCP02?

When you want to install an applet on the card or delete some applets, and for some other sensitive operations (changing applets' life cycles, for example), you first need to prove that you are an authenticated guy (i.e. you need to prove that you are the owner of the card). Also, when you want to have encrypted communication with the card, you need to implement a secure channel. To do that you must perform some cryptographic operations. The steps and structure of these operations are mentioned in detail in the GlobalPlatform specifications. Different versions of the GlobalPlatform specifications introduce different mechanisms for authentication. SCP01, SCP02 and SCP03 are the names of these mechanisms (they stand for Secure Channel Protocol 01, 02 and 03). (Other specifications, such as ETSI, introduce other mechanisms too.)

And how to choose between those two?

Well, typically each card supports only one of these authentication mechanisms after issuance. Old cards support SCP01 and the newer ones support SCP02 or SCP03. Refer to the Mutual Authentication and Secure Channel sections of the GlobalPlatform Card Specification for details. Some card manufacturers provide an option to choose the protocol once, in the pre-personalization step, but this is not common for cards.

Ebrahim Ghasemi answered Feb 04 '23 03:02

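Because the protocol is usually fixed on the card, a host tool can read it from the card's INITIALIZE UPDATE response instead of guessing. The parser below is an added example, not part of the original answer. It assumes the response layouts of the GlobalPlatform Card Specification (SCP01, SCP02) and its Amendment D (SCP03); the names `InitUpdate` and `parse_initialize_update` and the sample bytes are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class InitUpdate:
    key_version: int                  # key version number (KVN) the card used
    scp: int                          # 1, 2 or 3
    i_param: Optional[int]            # "i" option byte, reported by SCP03 only
    sequence_counter: Optional[int]   # SCP02 always; SCP03 only when present
    card_challenge: bytes
    card_cryptogram: bytes


def parse_initialize_update(rapdu: bytes) -> InitUpdate:
    """Parse a full INITIALIZE UPDATE response APDU (data field + status word)."""
    data, sw = rapdu[:-2], rapdu[-2:]
    if sw != b"\x90\x00":
        raise ValueError(f"card returned status word {sw.hex()}")
    if len(data) < 12:
        raise ValueError("response too short for key information")
    kvn, scp = data[10], data[11]     # bytes 0-9 are key diversification data
    if scp == 1 and len(data) == 28:
        return InitUpdate(kvn, 1, None, None, data[12:20], data[20:28])
    if scp == 2 and len(data) == 28:
        seq = int.from_bytes(data[12:14], "big")
        return InitUpdate(kvn, 2, None, seq, data[14:20], data[20:28])
    if scp == 3 and len(data) in (29, 32):
        seq = int.from_bytes(data[29:32], "big") if len(data) == 32 else None
        return InitUpdate(kvn, 3, data[12], seq, data[13:21], data[21:29])
    raise ValueError(f"unexpected SCP identifier {scp:#04x} or length {len(data)}")


# Constructed sample responses (not captured from a real card).
SAMPLE_SCP02 = bytes.fromhex(
    "00001234567890abcdef" "0102" "000a" "112233445566" "a1a2a3a4a5a6a7a8" "9000")
SAMPLE_SCP03 = bytes.fromhex(
    "00001234567890abcdef" "300370" "1122334455667788" "a1a2a3a4a5a6a7a8"
    "00002a" "9000")

if __name__ == "__main__":
    for sample in (SAMPLE_SCP02, SAMPLE_SCP03):
        print(parse_initialize_update(sample))
```
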