# PICCData / Meta Authentication

Ixkio supports the authentication of PICCData (Meta) codes as well as CMAC codes. The main reasons for using encrypted PICCData is either to hide the scan count or the chip UID, or both.&#x20;

Typically, this configuration is one of three methods :&#x20;

### Double Key Hybrid

This method avoids the use of key diversification. In this instance, tags are encoded with two keys as follows :&#x20;

**Key A**\
The Key A is unique per tag. This means that every tag has it's own key and this is stored alongside the tag identifier (our XUID, the chip UID or your CUID). Key A is used for Key Zero on the chip - to protect access - and to verify the CMAC.&#x20;

**Key B**\
Key B is not unique per tag. Key B is system wide and is used to decrypt the PICCData to access the tag scan count and UID. Currently, ixkio only allows one Key B per Flex API account. If you require multiple Key B, then discuss your requirements with us.&#x20;

### Triple Key Hybrid

This method avoids the use of key diversification In this instance, tags are encoded with three keys as follows :&#x20;

**Key A**\
The Key A is a global key. Key A is used for Key Zero on the chip - to protect access.&#x20;

**Key B**\
Key B is a global key. Key B is system wide and is used to decrypt the PICCData to access the tag scan count and UID. Currently, ixkio only allows one Key B per Flex API account. If you require multiple Key B, then discuss your requirements with us.&#x20;

**Key C**\
Key C is unique per tag. This means that every tag has it's own key and this is stored alongside the tag identifier (our XUID, the chip UID or your CUID). Key C is used to verify the CMAC.&#x20;

### Triple Key Diversified

This method uses key diversification (using NXP's recommended algorithm). Diversification means that a master key is used across all tags and is diversified based on the UID of the tag. This results in a unique key for the Key Zero (protection) and CMAC (typically Key Two).&#x20;

However, to know the diversified key, the system needs to know the UID. So the PICCData uses a key that is not diversified. The PICCData is then decrypted and the UID and count are then used to diversify the Key C to then authenticate the CMAC.&#x20;

**Key A**\
The Key A is a global system wide key. Key A is used for Key Zero on the chip and is diversified from the UID of the chip.&#x20;

**Key B**\
Key B is a global key. Key B is system wide and is used to decrypt the PICCData to access the tag scan count and UID. Currently, ixkio only allows one Key B per Flex API account. If you require multiple Key B, then discuss your requirements with us. Key B is *not* diversified and is used as-is to decrypt the PICCData.&#x20;

**Key C**\
Key C is a global system key. This is diversified using the tag UID to create a unique key which is then used to authenticate the CMAC code.&#x20;

## Using PICCData / Meta Authentication

The configuration and set-up of this method is straightforward and we have extensive experience at all levels. Contact us for more information and to get started.&#x20;