8 - Commands
eDynamo | Secure Card Reader Authenticator | Programmer's Manual (COMMANDS)
Page 73 of 245 (D998200115-17)
8.3.6 Command 0x10 - Activate Authenticated Mode (MSR Only)
This command is used by the host software to activate Authenticated Mode, and is the only way to enter that mode. When the device is set to Security Level 4 (see section ), it does not gather and transmit card data after a swipe until Authenticated Mode has been established with the host, indicating both devices have established a direct two-way trust relationship. The general sequence of events for entering Authenticated Mode is as follows:
1) The cardholder or operator performs an action as a lead-in to swiping a card, such as signing in to a web page that interacts with the device.
2) The host software is aware of the cardholder action, and in response it sends the Activate Authenticated Mode command to the device. As part of this command, the host software specifies a PreAuthentication Time Limit parameter in units of seconds. The device uses this time limit in subsequent steps. The device interprets any value less than 120 seconds to mean 120 seconds.
3) The device responds to the host with the current Key Serial Number (KSN) and two challenges (Challenge 1 and Challenge 2), which it encrypts using a custom variant of the current DUKPT Key (Key XOR F0F0 F0F0 F0F0 F0F0 F0F0 F0F0 F0F0 F0F0). Challenge 1 contains 6 bytes of random numbers followed by the last two bytes of the KSN. Challenge 2 contains 8 bytes of random numbers.
4) The device waits up to the PreAuthentication Time Limit. If the device times out waiting for the host to respond, the Authentication attempt fails and the device may activate anti-hacking behavior. See below for details.
5) The host software decrypts Challenge 1 and Challenge 2 and compares the last two bytes of the KSN with the last two bytes of the clear text KSN to authenticate the device.
6) The host software completes the Activate Authentication sequence using , including the length of time the device should keep Authenticated Mode active without a swipe.
7) The device determines whether the Activation Challenge Reply is valid. If it is valid, the device activates Authenticated Mode and allows transmission of swiped card data to the host. The device may optionally indicate to the operator that the host and the device are mutually authenticated. See below for information about device behavior when the Activation Challenge Reply is not valid.
8) Authenticated Mode stays active until the timeout previously specified by the host in - Activation Challenge Response, or until the device sends valid swipe data to the host, at which point the device deactivates Authenticated Mode.
The first two Activate Authenticated Mode commands may proceed without any delay (one error is allowed with no anti-hacking consequences). If a second Activate Authenticated Mode in a row fails, the device activates anti-hacking behavior by enforcing an increasing delay between incoming Activate Authenticated Mode commands. The first delay is 10 seconds, increasing by 10 seconds up to a maximum delay of 10 minutes. The operator may deactivate anti-hacking mode at any time by swiping any encoded magnetic stripe card. When the device is in this anti-hacking mode, it requires the host to take additional steps to call

To support use of Authenticated Mode, the host software can use Command 0x14 - Get Device State at any time to determine the current state of the device.
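The device side of step 3 and the host side of step 5, as an added Go model that is not code from this manual or from the device vendor. It assumes the challenge is encrypted with 2-key TDES on a single 8-byte block (the page names only the key variant, Key XOR F0F0...F0F0, not the cipher or mode) and a 10-byte KSN; the key, KSN and random bytes are constructed values.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
)

// variantKey: the page's challenge key, the 16-byte DUKPT key XOR F0F0...F0F0.
func variantKey(dukptKey []byte) []byte {
	v := make([]byte, len(dukptKey))
	for i, b := range dukptKey {
		v[i] = b ^ 0xF0
	}
	return v
}
// challengeCipher is this example's assumption: 2-key TDES (K1||K2||K1) on one
// 8-byte block; the page gives the key variant but not the cipher or mode.
func challengeCipher(dukptKey []byte) (cipher.Block, error) {
	k := variantKey(dukptKey)
	return des.NewTripleDESCipher(append(append([]byte{}, k...), k[:8]...))
}
// deviceChallenge1 (step 3): 6 random bytes || last 2 KSN bytes, encrypted; the
// caller supplies the random bytes so the call is reproducible.
func deviceChallenge1(dukptKey, ksn, random6 []byte) ([]byte, error) {
	blk, err := challengeCipher(dukptKey)
	if err != nil {
		return nil, err
	}
	enc := make([]byte, 8)
	blk.Encrypt(enc, append(append([]byte{}, random6[:6]...), ksn[len(ksn)-2:]...))
	return enc, nil
}
// hostVerifyChallenge1 (step 5): decrypt Challenge 1 and compare its last two
// bytes with the last two bytes of the clear-text KSN sent alongside it.
func hostVerifyChallenge1(dukptKey, ksn, enc []byte) bool {
	blk, err := challengeCipher(dukptKey)
	if err != nil || len(enc) != 8 {
		return false
	}
	plain := make([]byte, 8)
	blk.Decrypt(plain, enc)
	return bytes.Equal(plain[6:], ksn[len(ksn)-2:])
}
func main() { // constructed key, KSN and random bytes; not real device values
	key, ksn := []byte("0123456789abcdef"), []byte{0xFF, 0xFF, 0x98, 0x76, 0x54, 0x32, 0x10, 0xE0, 0x00, 0x03}
	enc, _ := deviceChallenge1(key, ksn, []byte{1, 2, 3, 4, 5, 6})
	fmt.Printf("challenge1=%x verified=%v\n", enc, hostVerifyChallenge1(key, ksn, enc))
}
```

A host that skips the KSN comparison in step 5 would accept any 8-byte blob as Challenge 1, so the check is what actually authenticates the device before the reply in step 6 is sent.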
Table 8-11 - Request Data for Command 0x10 - Activate Authenticated Mode (MSR Only)

| Offset | Field Name | Description |
|---|---|---|
| 0 | PreAuthentication Time Limit (msb) | Most significant byte of the PreAuthentication Time Limit in seconds (120 seconds or greater) |