Sec.AuthPhase1
This command initiates a 2-phase authentication. The 2-phase authentication is required for entering a security level, if its Authorization Mode enforces a session key.
In the first phase of the 2-phase authentication, the host sends a random number ( RndA ) to the reader. The reader encrypts this number two times, using AES128 encryption, with the key of the Security Level specified in SecLevel, and sends the result back to the host as EncRndA. The host then has to check if the reader encrypted the number correctly. If this is the case, the reader returns the OK status code and the Sec.AuthPhase2 command can be called to initiate the second phase of the 2-phase authentication procedure.
If EncRndA is invalid, the reader is configured with an invalid key, different from the one expected by the host. In this case, an error status code is returned.
Properties
- Command code: 0x0704
- Command timeout: 100 ms
- Possible status codes: General status codes, Sec.ErrTunnel
Parameters (request frame)
| Name | Type/Size | Description |
|---|---|---|
| SecLevel | Integer (8 bits) | The Security Level which needs to be authenticated. |
| RndA | Raw data (length 16 Bytes) | Random number to be encrypted by reader. |
Returned values (response frame)
| Name | Type/Size | Description | |
|---|---|---|---|
| EncRndA | Raw data (length 16 Bytes) | A version of RndA twice encrypted by the reader using the key of the Security Level specified by SecLevel. | |
| RndB | Raw data (length 16 Bytes) | A second random number (generated by reader). | |
| ReqAuthModes | Bit mask (8 bits) | This bitmask specifies the minimum required settings that have to be provided in the Tunnel command. | |
| ContinuousIV | Boolean (bit 0x80) | Requires a contionous IV to avoid replay attacks. | |
| Encrypted | Boolean (bit 0x40) |
Requires that commands running in this security level always have to be encrypted. This flag cannot be set at the same time as the MACed flag. |
|
| MACed | Boolean (bit 0x20) |
Requires that commands running in this security level always have to be MACed. This flag cannot be set at the same time as the Encrypted flag. |
|
| SessionKey | Boolean (bit 0x10) | Requires a two-phase authentication to be able to enter a security level. This two-phase authentication process needs to be performed using the Sec.AuthPhase1 and Sec.AuthPhase2 commands. | |
| RFU | Integer (bit mask area 0x0F) |
Zero padding |
|