Pki.PfsGenKey

This command prepares a perfect forward secrecy (PFS) session by exchanging the public parts of the temporary elliptic curve cryptography (ECC) keys generated by the host and by the reader. These keys are needed by the Pki.PfsAuthHostCert and Pki.PfsAuthRdrCert commands.

The next step in negotiating a session key can be performed by running the Pki.PfsAuthHostCert command.

If a session key was negotiated before running this command, it is invalidated. For this reason, encrypted commands cannot be exchanged until the session setup sequence has been completed.

The temporary keys generated by the host (TmpHostPubKey parameter) and by the reader (TmpRdrPubKey response variable) follow the Abstract Syntax Notation One (ASN.1) Distinguished Encoding Rules (DER) format. An example of such a key is:

30 59 30 13 06 07 2A 86 48 CE 3D 02 01 06 08 2A 86 48 CE 3D 03 01 07 03 42 00 04 0C C2 D2 24 16 47 4B DC A1 39 52 08 73 B7 6E A1 32 40 34 7B 8D 70 2F E1 FC CC 93 81 ED EF 65 8E 0C 49 A8 63 0F 23 65 07 5F C1 19 3A 3B 90 4F CA 35 E7 18 52 F7 95 AA CF FB FE 96 66 3D 44 0A BA

Please note that the initial part of the key (30 59 30 13 06 07 2A 86 48 CE 3D 02 01 06 08 2A 86 48 CE 3D 03 01 07) is the ASN.1 DER-specific header and must always be byte-for-byte identical: it is the SubjectPublicKeyInfo header naming the ecPublicKey algorithm (OID 1.2.840.10045.2.1) and the prime256v1 (NIST P-256) curve (OID 1.2.840.10045.3.1.7). The 64 bytes following 03 42 00 04 are the uncompressed X and Y coordinates of the public point.
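As an added illustration (not part of the original manual), the following Python helper builds and checks a TmpHostPubKey/TmpRdrPubKey value: it requires the fixed header bytes quoted above and additionally verifies that the embedded point lies on P-256, so a malformed or off-curve key is rejected before it enters the session setup. The function names are my own, and the sample input is the public P-256 base point rather than a key from the manual.

```python
"""Build and validate a TmpHostPubKey / TmpRdrPubKey value: an ASN.1 DER
SubjectPublicKeyInfo carrying an uncompressed NIST P-256 (prime256v1) point."""

# The fixed 23-byte header quoted in the manual: SEQUENCE { SEQUENCE { OID ecPublicKey,
# OID prime256v1 } ... } followed by the BIT STRING that holds the point.
SPKI_P256_HEADER = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d030107")
# BIT STRING, 66 content bytes, 0 unused bits, then 0x04 = uncompressed point marker.
POINT_HEADER = bytes.fromhex("03420004")
KEY_LEN = len(SPKI_P256_HEADER) + len(POINT_HEADER) + 64  # 91 bytes (0x59 + 2)

# NIST P-256 domain parameters: y^2 = x^3 - 3x + B (mod P); (GX, GY) is the base point.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5


def encode_tmp_pub_key(x: int, y: int) -> bytes:
    """Wrap an affine P-256 point in the DER layout the command expects."""
    return SPKI_P256_HEADER + POINT_HEADER + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def split_tmp_pub_key(der: bytes) -> tuple[bytes, bytes]:
    """Check the fixed header and return the raw (x, y) coordinate bytes."""
    if len(der) != KEY_LEN:
        raise ValueError(f"key is {len(der)} bytes, expected {KEY_LEN}")
    if der[:23] != SPKI_P256_HEADER:
        raise ValueError("header is not the ecPublicKey/prime256v1 prefix the command requires")
    if der[23:27] != POINT_HEADER:
        raise ValueError("public key is not an uncompressed point in a 66-byte BIT STRING")
    return der[27:59], der[59:91]


def decode_tmp_pub_key(der: bytes) -> tuple[int, int]:
    """Return (x, y) as integers, rejecting coordinates outside the field or off the curve.
    The on-curve check is what keeps an invalid-curve point out of the key agreement."""
    xb, yb = split_tmp_pub_key(der)
    x, y = int.from_bytes(xb, "big"), int.from_bytes(yb, "big")
    if x >= P or y >= P:
        raise ValueError("coordinate is not reduced modulo p")
    if (y * y - (x * x * x - 3 * x + B)) % P != 0:
        raise ValueError("point is not on P-256")
    return x, y


def is_valid_tmp_pub_key(der: bytes) -> bool:
    """Accept/reject form of decode_tmp_pub_key for callers that only need a verdict."""
    try:
        decode_tmp_pub_key(der)
        return True
    except ValueError:
        return False
```

Running `is_valid_tmp_pub_key` on every TmpRdrPubKey before continuing with Pki.PfsAuthHostCert costs a few microseconds and removes a whole class of malformed-key failures from the session setup.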

This command must be issued with a long timeout, since the ECC operations may take up to 15 seconds.

Properties

Parameters (request frame)

Name                      Type/Size           Description
Length of TmpHostPubKey   Integer (16 bits)   Length of TmpHostPubKey in bytes
TmpHostPubKey             Raw data            The host's temporary public ECC key in ASN.1 DER format.

Returned values (response frame)

Name                      Type/Size           Description
Length of TmpRdrPubKey    Integer (16 bits)   Length of TmpRdrPubKey in bytes
TmpRdrPubKey              Raw data            The reader's temporary public ECC key in ASN.1 DER format.