4 - Security Levels
eDynamo | Secure Card Reader Authenticator | Programmer’s Manual (COMMANDS)
Page 33 of 245 (D998200115-17)

4 Security Levels
Devices can be configured to operate at different Security Levels, which affects Data Sent from Device to Host (MSR Only | Keypad Entry Only), the host software’s ability to , and the host software’s ability to execute certain . The Security Level can be increased by sending commands to the device, but can never be decreased. The sections below provide details about how each security level affects device behavior.
4.1 About Message Authentication Codes (MAC)
Commands in this manual that are tagged “MAC” are privileged commands. If the device is set to a Security Level higher than , the host software must calculate and append a four-byte Message Authentication Code (“MAC”) to the Data field of the message, extending the length of the field by 4 bytes, to prove the sender is authorized to execute that command. The host software should calculate the MAC per ISO 9797-1, MAC Algorithm 3, Padding Method 1. Data supplied to the MAC algorithm should be provided in raw binary form, not converted to ASCII-hexadecimal. The host should use the current DUKPT Key Serial Number (which can be retrieved using Command 0x09 - Get Current TDES to get a reference to the key), then calculate the Message Authentication (request or both ways) variant as specified in ANS X9.24-1:2009, Annex A.
Upon successfully completing any MACed command, the device advances the DUKPT Key.
If a MAC is required but not present or incorrect, the device returns 0x07.
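The MAC procedure described above, as an added worked example in Go that is not part of this manual or of MagTek’s software: it derives the current DUKPT key for a KSN from a BDK per ANS X9.24-1 (IPEK derivation followed by the non-reversible key generation process, one step per set counter bit), applies the Annex A “MAC, request or both ways” variant, and computes the ISO 9797-1 MAC Algorithm 3 / Padding Method 1 MAC truncated to four bytes. The BDK and KSN are the X9.24-1 sample values; the three-byte Data field is constructed and follows no real command layout; the function names, and the VerifyMAC routine that models the device-side check which otherwise yields 0x07, are assumptions. A production host does not hold the BDK in application code; the derivation would live in an HSM or key-management component, which this example only stands in for.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// desBlock runs single DES on one 8-byte block (every key used here is 8 bytes).
func desBlock(key8, block []byte, encrypt bool) []byte {
	c, _ := des.NewCipher(key8)
	out := make([]byte, 8)
	if encrypt {
		c.Encrypt(out, block)
	} else {
		c.Decrypt(out, block)
	}
	return out
}

var (
	// X9.24-1 key-register mask applied during IPEK and key derivation.
	keyMask = []byte{0xC0, 0xC0, 0xC0, 0xC0, 0, 0, 0, 0, 0xC0, 0xC0, 0xC0, 0xC0, 0, 0, 0, 0}
	// X9.24-1 Annex A "MAC, request or both ways" key variant.
	macRequestVariant = []byte{0, 0, 0, 0xFF, 0, 0, 0, 0, 0, 0, 0, 0xFF, 0, 0, 0, 0}
)

// DeriveIPEK derives the initial key from a 16-byte BDK and a 10-byte KSN.
func DeriveIPEK(bdk, ksn []byte) []byte {
	tdes := func(k, b []byte) []byte { // two-key TDES: E(K1, D(K2, E(K1, b)))
		return desBlock(k[:8], desBlock(k[8:], desBlock(k[:8], b, true), false), true)
	}
	base := append([]byte{}, ksn[:8]...)
	base[7] &= 0xE0 // clear the counter bits that fall inside the first 8 bytes
	return append(tdes(bdk, base), tdes(xorBytes(bdk, keyMask), base)...)
}

// nrkgp is the X9.24-1 non-reversible key generation process for one counter bit.
func nrkgp(key, reg []byte) []byte {
	half := func(k []byte) []byte {
		return xorBytes(desBlock(k[:8], xorBytes(reg, k[8:]), true), k[8:])
	}
	return append(half(xorBytes(key, keyMask)), half(key)...)
}

// DeriveCurrentKey applies nrkgp once per set bit of the 21-bit KSN counter, MSB first.
func DeriveCurrentKey(key, ksn []byte) []byte {
	reg := append([]byte{}, ksn[2:10]...) // rightmost 8 bytes of the KSN
	counter := uint32(reg[5]&0x1F)<<16 | uint32(reg[6])<<8 | uint32(reg[7])
	reg[5], reg[6], reg[7] = reg[5]&0xE0, 0, 0 // start from the counter-free register
	for bit := 20; bit >= 0; bit-- {
		if counter&(1<<uint(bit)) != 0 {
			reg[7-bit/8] |= 1 << uint(bit%8) // add this counter bit to the register
			key = nrkgp(key, reg)
		}
	}
	return key
}

// RetailMAC is ISO 9797-1 MAC Algorithm 3 with Padding Method 1, truncated to 4 bytes.
func RetailMAC(key16, data []byte) []byte {
	msg := append([]byte{}, data...)
	for len(msg) == 0 || len(msg)%8 != 0 { // zero-pad; an empty message becomes one zero block
		msg = append(msg, 0)
	}
	h := make([]byte, 8)
	for i := 0; i < len(msg); i += 8 {
		h = desBlock(key16[:8], xorBytes(h, msg[i:i+8]), true) // single-DES CBC-MAC under K1
	}
	return desBlock(key16[:8], desBlock(key16[8:], h, false), true)[:4] // D(K2), E(K1), keep 4 bytes
}

// MACRequest returns the 4-byte MAC the host appends to a privileged command's Data field.
func MACRequest(bdk, ksn, data []byte) []byte {
	return RetailMAC(xorBytes(DeriveCurrentKey(DeriveIPEK(bdk, ksn), ksn), macRequestVariant), data)
}

// VerifyMAC models the device-side check on a Data field carrying the MAC in its last 4 bytes.
func VerifyMAC(bdk, ksn, dataWithMAC []byte) bool {
	n := len(dataWithMAC) - 4
	return n >= 0 && subtle.ConstantTimeCompare(MACRequest(bdk, ksn, dataWithMAC[:n]), dataWithMAC[n:]) == 1
}

func main() {
	bdk, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210") // ANS X9.24-1 sample BDK
	ksn, _ := hex.DecodeString("FFFF9876543210E00001")             // sample KSN, counter = 1
	data := []byte{0x01, 0x02, 0x03} // constructed placeholder Data field, not a real command layout
	withMAC := append(data, MACRequest(bdk, ksn, data)...)
	fmt.Printf("IPEK %X\nData+MAC %X  accepted=%v\n", DeriveIPEK(bdk, ksn), withMAC, VerifyMAC(bdk, ksn, withMAC))
}
```

Two properties of the scheme are worth keeping in mind when integrating it: a KSN whose counter is zero yields the IPEK itself, and Padding Method 1 is not injective (an empty Data field and eight zero bytes produce the same MAC), so the message length field, not the MAC, is what distinguishes those two cases.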
4.2 Security Level 2
Security Level 2 is the least secure mode. In this mode, keys are loaded but the device does not require the host software to use them for most operations: keys are needed to load new keys and to move to Security Level 3 or 4, but all other properties and commands are freely usable. The host can use Command 0x15 - Get / Set Security Level (MAC) to determine the device’s current security level.
(MSR Only, HID Only) In Security Level 2, if the device is using HID format [see section 3.1 How to Use HID Format (HID ], the device sends data in the MagneSafe V5 format described in this manual or in USB HID SureSwipe format using the SureSwipe VID/PID, based on the setting in SureSwipe Flag (SureSwipe Only, HID Only, MSR Only). For information about USB HID SureSwipe format, see D99875191 Technical Reference Manual, USB HID SureSwipe & Swipe Reader.
4.3 Security Level 3
At Security Level 3, many commands require security (see section 4.1 About Message Authentication Codes (MAC)); most notably, Command 0x15 - Get / Set Security Level (MAC), which the host uses to determine the device’s current security level.
Security Level 3 also enables encryption of data and inclusion of encrypted data where it may have been left out at a lower security level. For a list of specific data the device encrypts at this security level and how the host can decrypt it, see section 5 Encryption, Decryption, and Key Management.
4.4 Security Level 4 (MSR Only)
When the device is at Security Level 4, the device requires the host to successfully complete an Authentication Sequence before it will transmit data from a card swipe (see section ). Correctly executing the Authentication Sequence also causes the green LED to blink, alerting the operator that the device is being controlled by a host with knowledge of the