Sec.AuthPhase2

This command finishes the 2-phase authentication procedure started by the Sec.AuthPhase1 command. The host has to encrypt the parameter RndB returned by Sec.AuthPhase1 two times, using AES128 encryption, with the key of the Security Level specified by the SecLevel parameter of Sec.AuthPhase1 . The host then sends the result back to the reader as EncRndB.

If RndB was encrypted correctly, the reader returns the OK status code and enters the security level specified in Sec.AuthPhase1 as parameter SecLevel. Depending on the Authentication Mode, the reader enters this Security Level permanently (all subsequent commands are executed in this Security Level) or temporarily (only encrypted/MACed commands are executed in this Security Level). To ensure that the reader enters the Security Level temporarily, one of the Encrypted / MACed flags of the Authentication Mode has to be set. Please refer to the Sec.SetKey command for details.

Additionally, the Sec.AuthPhase2 command generates a session key by encrypting the RndA parameter of Sec.AuthPhase1 and the RndB value returned by Sec.AuthPhase1, each only once. The resulting 16 Byte session key is the result of the encryption of the concatenated RndA (first 8 Bytes) and RndB (last 8 Bytes).