The Host Key is an AES key. It finds its place in the Host Authentication process and/or in the SAM card lock / unlock functions.
SAM Card Keys modification requires Host authentication.
Once the Key mode is set to AV2 mode, the Host authenticates with Master Key A (Key No = 0, Key version = Master Key A version).
To modify the KST, you need to authenticate. To do this, go to the AES key panel and enter the Key number equal to the current Key No CEK (Key Reference Number of Change Entry Key) (0 – 127).
In the case of the Master Key, the Key number is 0. The Key version has to be equal to the current Key version CEK (Key Version of Change Entry Key).
On the panel Key number and options, enter the KST Key number (Key Reference Number) to be modified, the Key No CEK and Key version CEK new values, the Host authentication capability option, and the SAM lock/unlock the capability option.
If the Master Key Host authentication is enabled (Key index number = 0), you need to unlock the SAM Card after every reset or power-up. To authenticate the unlocking action, provide the relevant Host Key or Master Key.
If the master key SAM lock/unlock option is enabled, SAM will be locked after power-up or reset, and only minimal command set will be active.
The SAM unlocking requires authentication by providing the SAM Lock/unlock capable Key or the Host authentication Key. More details on SAM Card is available in NXP documentation.
After the SAM Card activation, the µFR reader checks the Master Key SAM Lock/unlock option status. If this status is enabled, the reader attempts to unlock the SAM Card with the AES Key stored into the reader. This feature prevents the SAM Card misuse and ensures its functionality with the readers containing the right Unlock Key only.