Orange PackID is an application framework designed to create a smartphone-based, hand-free tag for identification, access control or e-wallet applications, created and promoted by mobile network operator Orange.
SpringCore devices featuring a BLE interface are able to read Orange PackID tokens.
Data, keys, and transaction flow
Service provider data
A service provider subscribes to the Orange PackID to develop his identification service (loyalty app, access control, or virtually any other identication scheme).
Orange assigns to the service provider a Company ID, a Service ID and an associated (secret) service master key Kmaster.
A user downloads the Orange PackID BLE application on his mobile phone, subscribes to the service, and gets (from the service provider):
- The Company ID and Service ID,
- A Wallet ID and its accompanying (secret) key Kwallet = E ( Kmaster , Wallet ID ),
- A User ID which identifies the user within the service.
Reader-side data and key
The reader gets (from the service provider):
- The Company ID and Service ID that identify the service provider it belongs to, and the associated Kmaster,
- A Access ID, which identifies the reader within the service.
The Access ID is not directly involved in the transaction, but could be used by the application/service to implement location-based behaviour, and for logging/traceability purposes.
- The reader broadcasts the PackID service, its Company ID, Service ID and Access ID through BLE advertisement frames,
- The application "sees" the reader thanks to its advertisement frames, connects onto the reader, generates a nonce RndB and writes it into the reader, together with its Wallet ID,
- The reader computes Kwallet = E ( Kmaster , Wallet ID ), generates a nonce RndA and computes the reader cryptogram E ( Kwallet , RndA || RndB ),
- The application reads the cryptogram from the reader, deciphers it, checks that the reader is genuine (if RndB is OK after decryption) and retrieves RndA,
- The application computes Ksession = E ( Kwallet , RndB || RndA ), extracts RndA' = RndA[0..5], computes the application cryptogram E ( Ksession , RndA' || UserID ), and writes this cryptogram into the reader,
- The reader deciphers the cryptogram, checks that the application is genuine (if RndA' is OK after decryption) and extracts UserID.
The reader eventually transmits this UserID to its host through one of the protocols supported in Smart Reader mode.
Data transmitted to the host
The reader processes sends to the host:
- User ID in field TagData,
- Wallet ID in field TagDetails.
Reading Orange PackID identifiers involves providing the Service ID, Kmaster and Access ID to the SpringCore device.
This is done in template #0 (addresses
Register 0: BLE token selection
0300 (1 byte) controls which BLE template is enabled to read BLE tokens.
Set it to
C2 to select the Orange PackID BLE template.
Register 1: output format
The Orange PackID template uses the same output formatting procedure as other Templates. Refer to Template engine : Output Format. Address is always
0301 for BLE tokens.
Register 2: output prefix
The Orange PackID template uses the same output prefix procedure as other Templates. Refer to Template engine : Output Prefix. Address is always
0302 for BLE tokens.
Register 3: Service ID, Company ID and Access ID
0303 (12 bytes) stores both the Service ID (2 bytes), Company ID (4 bytes) and Access ID (6 bytes).
Register 5: secret key
The service's secret key Kmaster could be stored either directly in the non-volatile memory (at address
0305) or in the SpringCore device's Secure Element. The second method has to be preferred.
Secret key stored in the template
0305 (16 bytes) stores Kmaster.
Secret key stored in the Secure Element
0305 (2 bytes) to
C010 and load Kmaster at address
10 in the Secure Element (key type = AES128, offline crypto key).