eDynamo | Secure Card Reader Authenticator | Programmer’s Manual (COMMANDS)
Page 33 of 245 (D998200115-17)
4 Security Levels
Devices can be configured to operate at different Security Levels, which affect Magnetic Stripe Card
Data Sent from Device to Host (MSR Only | Keypad Entry Only), the host software’s ability to
modify Properties, and the host software’s ability to execute certain Commands. The Security Level
can be increased by sending commands to the device, but can never be decreased. The sections below
provide details about how each security level affects device behavior.
4.1 About Message Authentication Codes (MAC)
Commands in this manual that are tagged “MAC” are privileged commands. If the device is set to a
Security Level higher than Security Level 2, the host software must calculate and append a four-byte
Message Authentication Code (“MAC”) to the Data field of the message, extending the length of the field
by 4 bytes, to prove the sender is authorized to execute that command. The host software should calculate
the MAC per ISO 9797-1, MAC Algorithm 3, Padding Method 1. Data supplied to the MAC algorithm
should be provided in raw binary form, not converted to ASCII-hexadecimal. The host should use the
current DUKPT Key Serial Number (which can be retrieved using Command 0x09 - Get Current TDES
DUKPT KSN) to get a reference to the key, then calculate the “Message Authentication, request or both
ways” variant as specified in ANS X9.24-1:2009, Annex A.
Upon successfully completing any MACed command, the device advances the DUKPT Key.
If a MAC is required but not present or incorrect, the device returns 0x07.
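The following Go sketch is an added example, not code from the manual or from the device vendor: it computes the four-byte MAC described in section 4.1 and appends it to a Data field. It assumes the current 16-byte DUKPT key has already been derived from the KSN, takes the variant mask from ANS X9.24-1:2009 Annex A, and assumes for illustration that the MAC covers the Data field alone; the function names, key and data are constructed.

```go
package main

import (
	"crypto/des"
	"fmt"
)

// MACVariant applies the ANS X9.24-1:2009 Annex A "Message Authentication,
// request or both ways" mask (0xFF at bytes 6 and 14) to a derived DUKPT key.
func MACVariant(k [16]byte) [16]byte {
	k[6], k[14] = k[6]^0xFF, k[14]^0xFF // arrays are passed by value
	return k
}

// RetailMAC4 runs ISO 9797-1 MAC Algorithm 3 with Padding Method 1 over raw
// binary input and returns the leftmost four bytes of the result.
func RetailMAC4(key [16]byte, input []byte) []byte {
	kl, _ := des.NewCipher(key[:8]) // NewCipher fails only on a bad key length
	kr, _ := des.NewCipher(key[8:])
	n := (len(input) + 7) / 8 * 8 // Padding Method 1: zero-fill to 8-byte blocks
	if n == 0 {
		n = 8 // empty input still yields one all-zero block
	}
	padded := make([]byte, n)
	copy(padded, input)
	var h [8]byte                     // zero IV
	for off := 0; off < n; off += 8 { // single-DES CBC-MAC under the left half
		for i := range h {
			h[i] ^= padded[off+i]
		}
		kl.Encrypt(h[:], h[:])
	}
	kr.Decrypt(h[:], h[:]) // output transformation: decrypt with the right half,
	kl.Encrypt(h[:], h[:]) // then encrypt with the left half
	return append([]byte(nil), h[:4]...)
}

// AppendMAC extends the Data field by the four MAC bytes without aliasing it.
func AppendMAC(data, mac []byte) []byte {
	return append(append([]byte(nil), data...), mac...)
}

func main() {
	key := [16]byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
		0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10} // constructed key
	data := []byte{0x03} // constructed Data field; MAC coverage is an assumption
	fmt.Printf("%X\n", AppendMAC(data, RetailMAC4(MACVariant(key), data)))
}
```

Because Padding Method 1 only zero-fills, inputs that differ solely in trailing zero bytes within the last block produce the same MAC, so the message length has to be fixed by the framing around it.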
4.2 Security Level 2
Security Level 2 is the least secure mode. In this mode, keys are loaded but the device does not require
the host software to use them for most operations: keys are needed to load new keys and to move to
Security Level 3 or 4, but all other properties and commands are freely usable. The host can use
Command 0x15 - Get / Set Security Level (MAC) to determine the device’s current security level.
(MSR Only, HID Only)
In Security Level 2, if the device is using HID format [see section 3.1 How to Use HID Format (HID
Only)], the device sends data in the MagneSafe V5 format described in this manual or in USB HID
SureSwipe format using the SureSwipe VID/PID, based on the setting in Property 0x38 - HID
SureSwipe Flag (SureSwipe Only, HID Only, MSR Only). For information about USB HID
SureSwipe format, see D99875191 Technical Reference Manual, USB HID SureSwipe & Swipe
Reader.
4.3 Security Level 3
At Security Level 3, many commands require security, most notably Command 0x01 - Set Property
(MAC). See section 4.1 About Message Authentication Codes (MAC) for details. The host can use
Command 0x15 - Get / Set Security Level (MAC) to determine the device’s current security level.
Security Level 3 also enables encryption of data and inclusion of encrypted data where it may have been
left out at a lower security level. For a list of specific data the device encrypts at this security level and
how the host can decrypt it, see section 5 Encryption, Decryption, and Key Management.
4.4 Security Level 4 (MSR Only)
When the device is at Security Level 4, the device requires the host to successfully complete an
Authentication Sequence before it will transmit data from a card swipe (see section 8.3.6 Command 0x10
- Activate Authenticated Mode). Correctly executing the Authentication Sequence also causes the green
LED to blink, alerting the operator that the device is being controlled by a host with knowledge of the