Sec.Tunnel
This command sends a specific command, called the tunnelled command, to the reader (and receives its response) in encrypted and/or MACed form.
Depending on the values of the AuthModeAndSecLevel bit mask, the tunnelled command will either be encrypted, MACed or both. The structure of the TunnelledCmd parameter and of the TunnelledResp response vary depending on the encryption/MACing behaviour:
- Encrypted only:
  - The data has to be padded to the next 16-byte boundary by appending 0x00 bytes.
  - The initial vector (IV) has to be reset to all zeros (00 00 ... 00) if the ContinuousIV flag is not set. If ContinuousIV is set, Cipher Block Chaining (CBC) will be used in the encryption process. In this case, the result from the last block encryption will be used as IV.
  - The padded data is encrypted using AES128 in CBC mode. The key for encryption is either the key assigned to the currently selected Security Level or, if the SessionKey flag is set, the session key derived from the values RndA and RndB of the Sec.AuthPhase1 command:
    SessionKey = encrypt(RndA[0..7] + RndB[8..15])
- Encrypted and MACed: Same as the encrypted-only variant, but a number of padding bytes (at least 8) are appended to the encrypted data before transmission. The receiver always has to check whether the padding bytes have the value 0x00. If not, the frame is considered invalid.
- MACed only: The encryption process is applied to the data which has to be MACed, but unlike in the encryption-only mode, the data is not modified. The first 8 bytes of the hash value resulting from the encryption process (normally used as the IV for the next data block) are simply appended to the original data block to get the MACed data block.
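The three framing variants above, as an added host-side example in Go (not code from the page or from the reader's vendor). It assumes a non-empty command, that MACing shares the CBC state used for encryption, and reads the "at least 8 padding bytes" of the encrypted-and-MACed variant as zero bytes appended to the plaintext before encryption, so that the receiver's 0x00 check is applied to decrypted data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Tunnel holds the AES-128 cipher and the running CBC IV of one Sec.Tunnel session.
type Tunnel struct {
	block cipher.Block
	iv    [16]byte
}

// NewTunnel takes the 16-byte key of the selected Security Level (or a session key).
func NewTunnel(key []byte) (*Tunnel, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return &Tunnel{block: b}, nil
}

// pad appends extra zero bytes, then zero bytes up to the next 16-byte boundary.
func pad(data []byte, extra int) []byte {
	out := append(append([]byte{}, data...), make([]byte, extra)...)
	return append(out, make([]byte, (16-len(out)%16)%16)...)
}

// cbc encrypts block-aligned data with AES-CBC. Without ContinuousIV the IV is reset to
// zeros first; the final ciphertext block is always kept as the IV for the next command.
func (t *Tunnel) cbc(in []byte, continuousIV bool) []byte {
	if !continuousIV {
		t.iv = [16]byte{}
	}
	out := make([]byte, len(in))
	cipher.NewCBCEncrypter(t.block, t.iv[:]).CryptBlocks(out, in)
	copy(t.iv[:], out[len(out)-16:])
	return out
}

// Encrypt builds the "encrypted only" TunnelledCmd from a non-empty cmd; extraPad=8 gives the
// "encrypted and MACed" variant, zero bytes added before encryption (assumed reading of the page).
func (t *Tunnel) Encrypt(cmd []byte, continuousIV bool, extraPad int) []byte {
	return t.cbc(pad(cmd, extraPad), continuousIV)
}

// MAC builds the "MACed only" TunnelledCmd: cmd followed by the first 8 bytes of the final
// CBC block, i.e. the block that would serve as the next IV.
func (t *Tunnel) MAC(cmd []byte, continuousIV bool) []byte {
	ct := t.cbc(pad(cmd, 0), continuousIV)
	return append(append([]byte{}, cmd...), ct[len(ct)-16:len(ct)-8]...)
}

func main() {
	tun, _ := NewTunnel([]byte("0123456789abcdef")) // constructed demo key
	cmd := []byte{0x11, 0x22, 0x33, 0x44, 0x55}        // constructed demo command bytes
	fmt.Printf("enc:     %x\n", tun.Encrypt(cmd, false, 0))
	fmt.Printf("enc+mac: %x\n", tun.Encrypt(cmd, false, 8))
	fmt.Printf("mac:     %x\n", tun.MAC(cmd, true)) // chained on the previous IV
}
```

A zero-padding check of this kind only reacts to tampering that reaches the final plaintext block, so it is not an integrity check over the whole frame.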
This command must not be used in BRP Repeat Mode.
Properties
- Command code: 0x0706
- Command timeout: 100 ms
- Possible status codes: General status codes, Sec.ErrCrypto, Sec.ErrTunnel
Parameters (request frame)
Name | Type/Size | Description
---|---|---
- | Bit mask (8 bits) | -
ContinuousIV | Boolean (bit 0x80) | If true, encryption/MACing will use a continuous IV for CBC mode. That means the state of the IV after the first command will be used as the IV for the second command, and so on. If this bit is not set, the IV will be reset to zeros (00 00 ... 00) before every command or response is encrypted/MACed.
Encrypted | Boolean (bit 0x40) | Requires that commands running in this security level are always encrypted.
MACed | Boolean (bit 0x20) | Requires that commands running in this security level are always MACed.
SessionKey | Boolean (bit 0x10) | If true, a session key needs to be used instead of a fixed key. A session key can be generated using the 2-phase authentication process triggered by the Sec.AuthPhase1 and Sec.AuthPhase2 commands.
RFU | Integer (bit mask area 0x0C) | Zero padding
SecLevel | Integer (bit mask area 0x03) | The Security Level (0-3) which should be entered when executing the tunnelled command.
TunnelledCmd | Raw data (until end of frame) | Encrypted and/or MACed command. This variable has the following data structure (before encryption):
Returned values (response frame)
Name | Type/Size | Description
---|---|---
TunnelledResp | Raw data (until end of frame) | Encrypted/MACed response of the command. This variable has the following data structure (before encryption):