C API for BALTECH SDK

§ brp_Sec_Tunnel()

brp_errcode brp_Sec_Tunnel ( brp_protocol  protocol,
bool  ContinuousIV,
bool  Encrypted,
bool  MACed,
bool  SessionKey,
unsigned  SecLevel,
brp_buf  TunnelledCmd,
size_t  TunnelledCmd_len,
brp_buf TunnelledResp,
size_t *  TunnelledResp_len,
brp_mempool mempool 
)

This command enables to send a specific command, called the tunnelled command, to the reader (and to receive its response) in an encrypted and/or MACed fashion.

Depending on the values of the AuthModeAndSecLevel bit mask, the tunnelled command will either be encrypted, MACed or both. The structure of the TunnelledCmd parameter and of the TunnelledResp response vary depending on the encryption/MACing behaviour:

  • Encrypted only :
    • The data has to be padded to the next 16 Byte boundary by appending "00"-Bytes.
    • The initial vector (IV) has to be reset to all zeros (00 00 ... 00) if if the ContinuousIV flag is not set. If ContinuousIV is set, Cipher Block Chaining (CBC) will be used in the encryption process. In this case, the result from the last block encryption will be used as IV.
    • The padded data is encrypted using AES128 in CBC mode. The key for encryption is either the key assigned to the currently selected Security Level or, if the SessionKey flag is set, the session key derived from the values RndA and RndB of the Sec.AuthPhase1 command:

SessionKey = encrypt(RndA[0..7] + RndB[8..15])

  • Encrypted and MACed : Same as the encrypted only variant, but a number of padding Bytes (at least 8) are appended to the encrypted data before transmission. The receiver always has to check whether the padding Bytes have the 0x00 value. If not, the frame is considered invalid.
  • MACed only : The encryption process is applied to the data which has to be MACed, but unlike in the encryption only mode, the data is not modified. The first 8 Bytes of the hash value resulting from the encryption process (normally used as an IV for the next data block) are simply appended to the original data block to get the MACed data block.

This command must not be used in BRP Repeat Mode .

Parameters
[in]protocolused to execute the command
[in]ContinuousIVIf true , encryption/MACing will use a continuous IV for CBC mode will be used. That means the state of the IV after the first command will be used as the IV for the second command and so on. If this bit is not set, the IV will be reset to zeros (00 00 ... 00) before every command or response is encrypted/MACed.
[in]EncryptedRequires that commands running in this security level always have to be encrypted.
[in]MACedRequires that commands running in this security level always have to be MACed.
[in]SessionKeyIf true , a session key needs to be used instead of a fixed key. A session key can be generated using the 2-phase authentication process triggered by the Sec.AuthPhase1 and Sec.AuthPhase2 commands.
[in]SecLevelThe Security Level (0-3), which should be entered when executing the tunnelled command.
[in]TunnelledCmdEncrypted and/or MACed command. This variable has the following data structure (before encryption): * Byte 0 (DeviceCode): Device code of the command to tunnel. * Byte 1 (CommandCode): Command code of the command to tunnel. * Byte 2-3 (ParamLen): Length of the parameter block of the command to tunnel. Unlike standard BRP frames, this parameter is MSB encoded. * Byte 4-x (Param): Parameter block of the command to tunnel. * Byte x-n (PadByteAndMac): Depending on the Authorization Mode flags, these Bytes are either zero-padding bytes (always 0) or a MAC.
[in]TunnelledCmd_len
[out]TunnelledRespEncrypted/MACed response of command. This variable has the following data structure (before encryption): * Byte 0 (StatusCode): The status code of the command which was tunnelled. * Byte 1-2 (RespLen): The length of the response block of the command which was tunnelled Unlike standard BRP frames, this parameter is MSB encoded. * Byte 3-x (Resp): Response block of the command which was tunnelled. * Byte x-n (PadByteAndMac): Depending on the Authorization Mode flags, these Bytes are either zero-padding bytes (always 0) or a MAC.
[out]TunnelledResp_len
[in]mempoolis used to store response data. Maybe NULL to use an internal mempool, in this case the data is only available until another command uses the internal mempool