Device Response; Pre-Authentication Time Limit; Activation Challenge Reply Command - ID Tech SecureMag User Manual

Encrypted magstrip reader

The minimum timeout duration required is 120 seconds. If the specified time is less than the
minimum, 120 seconds is used as the timeout duration. The maximum time allowed is 3600
seconds (one hour). If the reader times out while waiting for the Activation Challenge Reply,
authentication fails.

11.5. Device Response

When Authentication Mode is requested, the device responds with two challenges: Challenge 1 and
Challenge 2. The challenges are encrypted using the current DUKPT Key exclusive-ORed with <F0F0
F0F0 F0F0 F0F0 F0F0 F0F0 F0F0 F0F0>.
The decrypted Challenge 1 contains 6 bytes of random number followed by the last 2 bytes of the KSN.
These 2 bytes of KSN may be compared with the last 2 bytes of the clear-text KSN sent in the message
to authenticate the reader. The user should complete the Activate Authentication sequence using
the Activation Challenge Reply command.

Command Structure
Host -> Device:
<STX><R><80h><02h><Pre-Authentication Time Limit><ETX><LRC>
Device -> Host:
<ACK><STX><Device Response Data><ETX><LRC> (success)
<NAK> (fail)

11.5.1. Pre-Authentication Time Limit

2 bytes of time in seconds.

Device Response Data: 26 bytes of data, consisting of <Current Key Serial Number><Challenge 1><Challenge 2>

Current Key Serial Number: 10 bytes of data with the Initial Key Serial Number in the leftmost 59 bits and
the Encryption Counter in the rightmost 21 bits.
1. Challenge 1: 8-byte challenge used to activate authentication. Encrypted using the key derived
from the current DUKPT Key.
2. Challenge 2: 8-byte challenge used to deactivate authentication. Encrypted using the key derived
from the current DUKPT Key.
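
The host-side handling described in sections 11.5 and 11.5.1, as an added example that is not taken from the manual: it splits the 26-byte Device Response Data, separates the KSN into its 59-bit and 21-bit parts, and compares the last 2 bytes of decrypted Challenge 1 with the clear-text KSN. Assumptions: the fields arrive in the order listed with the KSN most-significant byte first, the key is 16 bytes like the mask, and the cipher (not named in this section) is passed in as `decrypt`; `toy_cipher` and every sample value are constructed.

```python
import hmac

MIN_TIMEOUT, MAX_TIMEOUT = 120, 3600        # seconds, from the manual
KEY_MASK = bytes.fromhex("F0" * 16)         # <F0F0 ... F0F0>, 16 bytes

def effective_timeout(requested: int) -> int:
    """Time limit the reader will apply: anything under 120 s becomes 120 s."""
    if not 0 <= requested <= MAX_TIMEOUT:   # host-side choice: refuse, do not guess
        raise ValueError("time limit must be 0..3600 seconds")
    return max(requested, MIN_TIMEOUT)

def parse_device_response(data: bytes) -> dict:
    """Split Device Response Data; KSN = 59-bit initial KSN + 21-bit counter."""
    if len(data) != 26:
        raise ValueError(f"expected 26 bytes, got {len(data)}")
    ksn = data[:10]
    n = int.from_bytes(ksn, "big")          # assumption: MSB-first
    return {"ksn": ksn, "initial_ksn": n >> 21, "counter": n & 0x1FFFFF,
            "challenge1": data[10:18], "challenge2": data[18:26]}

def challenge_key(dukpt_key: bytes) -> bytes:
    """Current DUKPT key XORed with the F0 mask."""
    if len(dukpt_key) != len(KEY_MASK):
        raise ValueError("expected a 16-byte key")
    return bytes(k ^ m for k, m in zip(dukpt_key, KEY_MASK))

def verify_reader(data: bytes, dukpt_key: bytes, decrypt) -> bytes:
    """Return the 6 random bytes of Challenge 1 if its KSN tail matches."""
    resp = parse_device_response(data)
    clear = decrypt(challenge_key(dukpt_key), resp["challenge1"])
    if len(clear) != 8 or not hmac.compare_digest(clear[6:], resp["ksn"][-2:]):
        raise ValueError("decrypted Challenge 1 does not match clear-text KSN")
    return clear[:6]

def toy_cipher(key: bytes, block: bytes) -> bytes:
    """Constructed XOR stand-in so the example runs offline; NOT the reader's cipher."""
    return bytes(b ^ k for b, k in zip(block, key))

# Constructed sample values, not captured from a real reader.
SAMPLE_KEY = bytes(range(16))
SAMPLE_KSN = bytes.fromhex("62994900000000200005")
_ck = challenge_key(SAMPLE_KEY)
SAMPLE_RESPONSE = (SAMPLE_KSN
                   + toy_cipher(_ck, bytes.fromhex("A1B2C3D4E5F6") + SAMPLE_KSN[-2:])
                   + toy_cipher(_ck, bytes.fromhex("0102030405060708")))

if __name__ == "__main__":
    print(verify_reader(SAMPLE_RESPONSE, SAMPLE_KEY, toy_cipher).hex())
```

A mismatch between the decrypted tail and the clear-text KSN means the response was not produced with the expected key, so the host should stop the sequence instead of sending the Activation Challenge Reply.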

11.6. Activation Challenge Reply Command

This command serves as the second part of an Activate Authentication sequence. The host sends the
first 6-bytes of Challenge 1 from the response of Activate Authenticated Mode command, 2-bytes of
SecureMag Encrypted MagStrip Reader User Manual
Page | 50
