Host Protocols Direct Protocol PROTOCOL class AUTHENTICATE
April 13, 2023 at 2:39 AMAUTHENTICATE instruction
The AUTHENTICATE instruction is used to establish a secure communication channel over the current communication link.
INS value
INS = 0A
Cookbook
In the following paragraphs,
- EECB (K, x) is the AES128-ECB Encrypt (one-block encipher) function, using key K over plain block x,
- E-1ECB (K, y) is the AES128-ECB Decrypt (one-block decipher) function, using key K over ciphered block y,
- ECBC (K, x, iv) is the AES128-CBC Encrypt (cipher block chaining mode, encipher) function, using key K and initialization vector iv over plain message x,
- E-1CBC (K, y, iv) is the AES128-CBC Decrypt (cipher block chaining mode, decipher) function, using key K and initialization vector iv over ciphered message y.
Host –> Device AUTHENTICATE command
| Field | Value | Explanations |
|---|---|---|
| CLA | 00 |
Class = PROTOCOL |
| INS | 0A |
Instruction = AUTHENTICATE |
| Data byte 0 | 01 |
Authentication version & mode: AES128 |
| Data byte 1 | 0001 |
User access (KAUTH = HostCommUserKey) Admin access (KAUTH = HostCommAdminKey) |
Device –> Host - Authentication Step 1
The device
- Generates a 16-byte nonce RndB,
- Sends E ( K, RndB ) where KAUTH is the authentication key selected by the host, as it is known by the device (HostCommUserKey or HostCommAdminKey).
| Field | Value | Explanations |
|---|---|---|
| CLA | 00 |
Class = PROTOCOL |
| STA | FF |
Status = FOLLOWING |
| Data | EECB ( KAUTH , RndB ) | First device cryptogram (16 bytes) |
Host –> Device - Authentication Step 2
The host
- Generates a 16-byte nonce RndA,
- Retrieves RndB by deciphering the response,
- Computes RndB’ = RndB << 8 (rotate one byte to the left, with carry),
- Sends EECB ( KAUTH , RndA ) || EECB ( KAUTH , RndB’ ) where KAUTH is the authentication key as it is known by the host.
| Field | Value | Explanations |
|---|---|---|
| CLA | 00 |
Class = PROTOCOL |
| INS | FF |
Instruction = FOLLOWING |
| Data | EECB ( KAUTH , RndA ) || EECB ( KAUTH , RndB’ ) | Host cryptogram (32 bytes) |
The device deciphers the host cryptogram. If the decrypted RndB’ matches with RndB, the device knows that it can trust the host.
Device –> Host - Authentication Step 3
The device
- Retrieves RndA from the command,
- Computes RndA’ = RndA << 8 (rotate one byte to the left, with carry),
- Sends EECB ( KAUTH , RndA’ ).
| Field | Value | Explanations |
|---|---|---|
| CLA | 00 |
Class = PROTOCOL |
| STA | 00 |
Status = SUCCESS |
| Data | EECB ( KAUTH , RndA’ ) | Second device cryptogram (16 bytes) |
The host deciphers the device cryptogram. If the decrypted RndA’ matches with RndA, the host knows that it can trust the device.
From now on, secure communication shall be used.
Session keys and first init vector
Both the host and the device generate the same session keys as follow:
- Assemble SV1 = RndA[0..3] || RndB[0..3] || RndA[8..11] || RndB[8..11]
- Assemble SV2 = RndA[4..7] || RndB[4..7] || RndA[12..15] || RndB[12..15]
- Compute the session encryption key KENC = EECB ( KAUTH , SV1 ),
- Compute the session authentication key KMAC = EECB ( KAUTH , SV2 ).
- Assemble SVMAC = RndA XOR RndB
- Compute the first initialization vector IV0 = EECB ( KMAC , SVMAC )
Following init vectors, ciphering and CMACing
See the Secure Communication paragraph.