Copyright © 2010-2014, International Technologies & Systems Corp. All rights reserved.
Page 56 of 74
When sending the authentication request, the user also needs to specify a time limit
for the reader to wait for the Activation Challenge Reply command. The minimum
timeout duration is 120 seconds; if the specified time is less than the minimum,
120 seconds is used as the timeout duration. The maximum time allowed is 3600
seconds (one hour). If the reader times out while waiting for the Activation
Challenge Reply, the authentication fails.
Device Response
When authentication mode is requested, the device responds with two challenges:
Challenge 1 and Challenge 2. The challenges are encrypted using the current DUKPT
key exclusive-or'ed with <F0F0 F0F0 F0F0 F0F0 F0F0 F0F0 F0F0 F0F0>.
The decrypted Challenge 1 contains 6 random bytes followed by the last two bytes of
the KSN. These two KSN bytes may be compared with the last two bytes of the clear
text KSN sent in the same message to authenticate the reader. The user should then
complete the Activate Authentication sequence using the Activation Challenge Reply
command.
Command Structure
Host -> Device:
<STX><R><80h><02h><Pre-Authentication Time Limit><ETX><LRC>
Device -> Host:
<ACK><STX><Device Response Data><ETX><LRC> (success)
<NAK> (fail)
Pre-Authentication Time Limit: 2 bytes, time in seconds
Device Response Data: 26 bytes of data, consisting of <Current Key Serial Number>
<Challenge 1> <Challenge 2>
Current Key Serial Number: 10 bytes of data, with the Initial Key Serial Number in
the leftmost 59 bits and the Encryption Counter in the rightmost 21 bits.
Challenge 1: 8-byte challenge used to activate authentication. Encrypted using the
key derived from the current DUKPT key.
Challenge 2: 8-byte challenge used to deactivate authentication. Encrypted using the
key derived from the current DUKPT key.
Activation Challenge Reply Command
This command serves as the second part of an Activate Authentication sequence. The
host sends the first 6 bytes of Challenge 1 from the response to the Activate
Authenticated Mode command, two bytes of authenticated-mode timeout duration,
and an eight-byte Session ID, encrypted with the result of the current DUKPT key
exclusive-or'ed with <3C3C 3C3C 3C3C 3C3C 3C3C 3C3C 3C3C 3C3C>.
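Added example (not ID TECH's code) of the host side of the two steps above: decrypting Challenge 1 and checking its KSN tail against the clear-text KSN, then encrypting the activation reply body under the 3C variant. It assumes the DUKPT key is a 16-byte two-key TDES key used in ECB mode and that the timeout is big-endian; the page states neither.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"errors"
)

// VariantCipher XORs the 16-byte DUKPT key with a repeated one-byte mask (0xF0 for the
// challenges, 0x3C for the reply) and returns a two-key TDES cipher (K1 K2 K1); assumed.
func VariantCipher(dukptKey []byte, mask byte) (cipher.Block, error) {
	if len(dukptKey) != 16 {
		return nil, errors.New("DUKPT key must be 16 bytes")
	}
	k := make([]byte, 24)
	for i, b := range dukptKey {
		k[i] = b ^ mask
	}
	copy(k[16:], k[:8]) // two-key TDES: K3 = K1
	return des.NewTripleDESCipher(k)
}

// VerifyChallenge1 decrypts the 8-byte Challenge 1 and compares its last two bytes with the
// last two bytes of the 10-byte clear-text KSN; on success it returns the 6 random bytes.
func VerifyChallenge1(dukptKey, ksn, challenge1 []byte) ([]byte, error) {
	blk, err := VariantCipher(dukptKey, 0xF0)
	if err != nil || len(ksn) != 10 || len(challenge1) != 8 {
		return nil, errors.New("bad key, KSN or challenge length")
	}
	plain := make([]byte, 8)
	blk.Decrypt(plain, challenge1)
	if plain[6] != ksn[8] || plain[7] != ksn[9] {
		return nil, errors.New("KSN tail mismatch: reader not authenticated")
	}
	return plain[:6], nil
}

// BuildActivationReply encrypts <6 challenge bytes><2-byte timeout><8-byte session ID> under
// the 0x3C variant as two ECB blocks (big-endian timeout and whole-body encryption assumed).
func BuildActivationReply(dukptKey, rnd6 []byte, timeoutSec uint16, sessionID []byte) ([]byte, error) {
	blk, err := VariantCipher(dukptKey, 0x3C)
	if err != nil || len(rnd6) != 6 || len(sessionID) != 8 {
		return nil, errors.New("bad key, challenge or session ID length")
	}
	body := append(append(append([]byte{}, rnd6...), byte(timeoutSec>>8), byte(timeoutSec)), sessionID...)
	out := make([]byte, 16)
	blk.Encrypt(out[:8], body[:8])
	blk.Encrypt(out[8:], body[8:])
	return out, nil
}
```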