Pki.Tunnel2

Runs a command in the Security Level that was authenticated by the command sequence Pki.PfsGenKey, Pki.PfsAuthHostCert, Pki.PfsAuthRdrCert. The tunnelled command is encrypted and MACed with the session key calculated by Pki.PfsAuthRdrCert.

After decrypting the received tunnelled command, the reader checks whether the command is blocked by the Access Condition Mask assigned to the Security Level or by any of the Access Condition Masks of the certificates in the host certificate chain. A command blocked by any of these masks may not be executed in the given Security Level, and the ErrAccessDenied status code is returned.

Properties

Parameters (request frame)

Name | Type/Size | Description
SequenceCounter | Integer (32 bits) | A continuous counter that has to be incremented every time Pki.Tunnel2 is executed (whether or not the execution succeeds) and that is reset to 0 after a successful execution of Pki.PfsAuthRdrCert. Both IVs below are derived from it, so a frame re-sent under a different counter value fails the CmdHMAC check.
CmdHMAC | Raw data (16 Bytes) | An AES-128 CBC-MAC (a CBC-MAC, not an HMAC, despite the name) over EncryptedCmd using the session key calculated by Pki.PfsAuthRdrCert and an IV constructed from SequenceCounter. To build the IV, pad SequenceCounter with leading 0x00 bytes to the 16-byte block size and set the first byte of the IV to 0x20.
Length of EncryptedCmd | Integer (16 bits) | Length of EncryptedCmd in bytes.
EncryptedCmd | Raw data | Encrypted command to execute in the authenticated Security Level (layout below).

EncryptedCmd is encrypted with AES-128 CBC using the session key generated by Pki.PfsAuthRdrCert and an IV constructed from SequenceCounter. To build the IV for encryption, pad SequenceCounter with leading 0x00 bytes to the 16-byte block size and set the first byte of the IV to 0x10; the encryption IV and the CbC-MAC IV therefore differ only in their first byte.

Before encryption, EncryptedCmd consists of the following fields:

  • DevCode (1 Byte): Device code of the command to execute in the authenticated Security Level.
  • CmdCode (1 Byte): Command code of the command to execute in the authenticated Security Level.
  • PayloadLen (2 Bytes): Length of Payload in Bytes.
  • Payload (n Bytes): Parameter buffer of the command to execute in the authenticated Security Level.

Returned values (response frame)

Name | Type/Size | Description
RspHMAC | Raw data (16 Bytes) | An AES-128 CBC-MAC over EncryptedRsp using the session key calculated by Pki.PfsAuthRdrCert and an IV constructed from SequenceCounter. To build the IV, pad SequenceCounter with leading 0x00 bytes to the 16-byte block size and set the first byte of the IV to 0x80.
Length of EncryptedRsp | Integer (16 bits) | Length of EncryptedRsp in bytes.
EncryptedRsp | Raw data | Encrypted response of the command that was executed in the authenticated Security Level (layout below).

EncryptedRsp is encrypted with AES-128 CBC using the session key generated by Pki.PfsAuthRdrCert and an IV constructed from SequenceCounter. To build the IV for encryption, pad SequenceCounter with leading 0x00 bytes to the 16-byte block size and set the first byte of the IV to 0x40. The response uses the same SequenceCounter value as the request it answers, but its own tag bytes (0x40, 0x80), so request and response keystreams and MACs never coincide.

Before encryption, EncryptedRsp consists of the following fields:

  • StatusCode (1 Byte): 0x00 on successful execution of the encrypted command; any other value indicates an error.
  • RespLen (2 Bytes): Length of Resp in Bytes.
  • Resp (n Bytes): Response buffer of the command that was executed in the authenticated Security Level.
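The request and response framing described above, as an added example written for this page (it is not the reader vendor's code): AES-128 CBC encryption under the 0x10/0x40 IVs, CBC-MAC over the ciphertext under the 0x20/0x80 IVs, and a receiver that checks the MAC in constant time before decrypting. Points the page does not specify and that are therefore assumptions here: SequenceCounter is placed big-endian in the last four IV bytes, the inner plaintext is zero-padded to a block boundary (the inner length field lets the receiver discard the filler), and the key, counter, DevCode and CmdCode values are constructed placeholders.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// IV tag bytes from the Pki.Tunnel2 parameter and response descriptions.
const (
	ivTagCmdEnc byte = 0x10 // IV for encrypting EncryptedCmd
	ivTagCmdMAC byte = 0x20 // IV for CmdHMAC
	ivTagRspEnc byte = 0x40 // IV for encrypting EncryptedRsp
	ivTagRspMAC byte = 0x80 // IV for RspHMAC
)

// tunnelIV pads SequenceCounter with leading 0x00 to 16 bytes and sets byte 0 to tag
// (big-endian counter placement is an assumption; the page does not state it).
func tunnelIV(tag byte, seq uint32) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint32(iv[aes.BlockSize-4:], seq)
	iv[0] = tag
	return iv
}

// cbc runs AES-128 CBC in either direction over a block-aligned buffer.
func cbc(key, iv, in []byte, decrypt bool) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(in) == 0 || len(in)%aes.BlockSize != 0 {
		return nil, errors.New("data is not a positive multiple of 16 bytes")
	}
	mode := cipher.NewCBCEncrypter(blk, iv)
	if decrypt {
		mode = cipher.NewCBCDecrypter(blk, iv)
	}
	out := make([]byte, len(in))
	mode.CryptBlocks(out, in)
	return out, nil
}

// Seal zero-pads plain (padding scheme assumed), encrypts it under the encTag IV
// and CBC-MACs the ciphertext under the macTag IV (encrypt-then-MAC).
func Seal(key []byte, seq uint32, encTag, macTag byte, plain []byte) (mac, enc []byte, err error) {
	padded := make([]byte, (len(plain)+aes.BlockSize-1)/aes.BlockSize*aes.BlockSize)
	copy(padded, plain)
	if enc, err = cbc(key, tunnelIV(encTag, seq), padded, false); err != nil {
		return nil, nil, err
	}
	ct, err := cbc(key, tunnelIV(macTag, seq), enc, false)
	if err != nil {
		return nil, nil, err
	}
	return ct[len(ct)-aes.BlockSize:], enc, nil // CBC-MAC is the last ciphertext block
}

// Open recomputes the MAC and compares it in constant time before decrypting;
// a wrong key, a wrong SequenceCounter or a modified frame all fail here.
func Open(key []byte, seq uint32, encTag, macTag byte, mac, enc []byte) ([]byte, error) {
	ct, err := cbc(key, tunnelIV(macTag, seq), enc, false)
	if err != nil {
		return nil, err
	}
	if subtle.ConstantTimeCompare(mac, ct[len(ct)-aes.BlockSize:]) != 1 {
		return nil, errors.New("MAC mismatch")
	}
	return cbc(key, tunnelIV(encTag, seq), enc, true)
}

// SealCmd builds CmdHMAC and EncryptedCmd from DevCode, CmdCode and Payload (host side).
func SealCmd(key []byte, seq uint32, devCode, cmdCode byte, payload []byte) (mac, enc []byte, err error) {
	if len(payload) > 0xFFFF {
		return nil, nil, errors.New("Payload exceeds 16-bit PayloadLen")
	}
	hdr := []byte{devCode, cmdCode, byte(len(payload) >> 8), byte(len(payload))}
	return Seal(key, seq, ivTagCmdEnc, ivTagCmdMAC, append(hdr, payload...))
}

// OpenCmd verifies and parses the request (reader side), honouring PayloadLen.
func OpenCmd(key []byte, seq uint32, mac, enc []byte) (devCode, cmdCode byte, payload []byte, err error) {
	plain, err := Open(key, seq, ivTagCmdEnc, ivTagCmdMAC, mac, enc)
	if err != nil {
		return 0, 0, nil, err
	}
	if n := int(binary.BigEndian.Uint16(plain[2:4])); 4+n <= len(plain) {
		return plain[0], plain[1], plain[4 : 4+n], nil
	}
	return 0, 0, nil, errors.New("PayloadLen exceeds decrypted data")
}

func main() {
	key, seq := []byte("0123456789abcdef"), uint32(7) // constructed key and counter, not real session values
	mac, enc, _ := SealCmd(key, seq, 0xAA, 0xBB, []byte{1, 2, 3}) // placeholder DevCode/CmdCode, not real codes
	dev, cmd, pl, err := OpenCmd(key, seq, mac, enc)
	fmt.Printf("reader: DevCode=%#x CmdCode=%#x Payload=%x err=%v\n", dev, cmd, pl, err)
	_, _, _, err = OpenCmd(key, seq+1, mac, enc) // same frame, other counter: IVs differ, MAC fails
	fmt.Println("replay under another counter:", err)
}
```

The response direction uses the same Seal/Open pair with ivTagRspEnc/ivTagRspMAC and a StatusCode, RespLen, Resp header in place of DevCode, CmdCode, PayloadLen. Because the MAC IV is derived from SequenceCounter, the receiver does not need a separate replay table: a captured frame presented under any other counter value fails the MAC check before decryption is attempted, and the MAC input (EncryptedCmd) is already block aligned, so the MAC needs no padding of its own.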