BALTECH SDK wrapper functions reference

§ brp_Sec_AuthPhase1()

brp_errcode brp_Sec_AuthPhase1 ( brp_Sec_AuthPhase1_t  params)

This command initiates a 2-phase authentication.

The 2-phase authentication is required for entering a security level, if its Authorization Mode enforces a session key.

In the first phase of the 2-phase authentication, the host sends a random number (RndA) to the reader. The reader encrypts this number two times, using AES128 encryption, with the key of the Security Level specified in SecLevel , and sends the result back to the host as EncRndA. The host then has to check if the reader encrypted the number correctly. If this is the case, the reader returns the OK status code and the brp_Sec_AuthPhase2() command can be called to initiate the second phase of the 2-phase authentication procedure.

If EncRndA is invalid, the reader is configured with an invalid key, different from the one expected by the host. In this case, an error status code is returned.

Parameters
[in]paramsStruct with the following fields:
  • protocol used to execute the command
  • SecLevel (in) The Security Level which needs to be authenticated.
  • RndA (in) Random number to be encrypted by reader.
  • EncRndA (out) A version of RndA twice encrypted by the reader using the key of the Security Level specified by SecLevel.
  • RndB (out) A second random number (generated by reader).
  • ContinuousIV (out) Requires a contionous IV to avoid replay attacks.
  • Encrypted (out) Requires that commands running in this security level always have to be encrypted. This flag cannot be set at the same time as the MACed flag.
  • MACed (out) Requires that commands running in this security level always have to be MACed. This flag cannot be set at the same time as the Encrypted flag.
  • SessionKey (out) Requires a two-phase authentication to be able to enter a security level. This two-phase authentication process needs to be performed using the Sec.AuthPhase1 and brp_Sec_AuthPhase2() commands.
  • mempool (in) is used to store response data. Maybe NULL to use an internal mempool, in this case the data is only available until another command uses the internal mempool