manualshive.com logo in svg

Magtek MagneSafe V5, Reference Manual

Share
Download
Magtek MagneSafe V5 Reference Manual Download Page 9

 

 

SECTION 1.  SECURITY 

The readers in the family are intended to be secure readers.  Security features include: 

 

Supplies 54 byte MagnePrint value 

 

Includes Device Serial Number 

 

Encrypts all track data and the MagnePrint value 

 

Provides clear text confirmation data including card holder’s name, expiration date, and a 
portion of the PAN as part of the Masked Track Data 

 

Supports Mutual Authentication Mode for use with Magensa.net 

 

Offers selectable levels of Security 

 
Most of the MagneSafe readers support three Security Levels.  The Security Level can be 
increased by command but can never be decreased. 
 

SECURITY LEVEL 2 

Security Level 2 is the least secure user mode.  In this mode, keys are loaded but not used for 
most operations (only used to load new keys or move to Security Level 3 or 4).  All other 
properties and commands are freely usable. 
 
For those products that support keyboard emulation mode or those that provide serial 
information (e.g., via RS-232 communication), the reader sends data in the 

SureSwipe

 format as 

defined in MagTek document 99875206.  The default SureSwipe mode can be changed to allow 
the reader to send data in the V5 format as described in this document but the MagnePrint data 
will not be sent. 
 
In the HID mode, the reader sends track data but does not send MagnePrint data.  By default, the 
data is sent in the format defined in this manual.  Changing the 

HID SureSwipe Flag

 property to 

0x01 will cause the reader to use the SureSwipe VID/PID and send data as defined in 99875191 
(USB HID SureSwipe & USB HID Swipe Technical Reference Manual). 
 

SECURITY LEVEL 3 

Security Level 3 enables encryption of track data, MagnePrint data, and the Session ID.  
MagnePrint data is always included and it is always encrypted.  The format for the data is 
detailed later in this document.  At Security Level 3, many commands require security—most 
notably, the 

Set Property

 command.  Transition to Security Level 4 requires security. 

 

SECURITY LEVEL 4 

When the reader is at Security Level 4, a correctly executed Authentication Sequence is required 
before the reader will emit data from a card swipe.  Correctly executing the Authentication 
Sequence also causes the Green LED to blink, alerting the user to the fact that the reader is being 
controlled by a Host with knowledge of the keys—that is, an Authentic Host. 
 
Commands that require security must be sent with a four byte Message Authentication Code 
(MAC) appended to the end.  The MAC is calculated as specified in ANSI X9.24 Part 1 – 2004, 

Summary of Contents for MagneSafe V5

Page 1: ...MMUNICATION REFERENCE MANUAL PART NUMBER 99875475 10 NOVEMBER 2012 REGISTERED TO ISO 9001 2008 1710 Apollo Court Seal Beach CA 90740 Phone 562 546 6400 FAX 562 546 6301 Technical Support 651 415 6800...

Page 2: ...omments usb org REVISIONS Rev Number Date Notes 1 01 08 Jan 10 Initial Release previously part of 99875388 2 01 03 29 2010 Corrected settings for SureSwipe mode corrected data length values in a few o...

Page 3: ...to the warranty service location and to use the original shipping container or equivalent MagTek will return the product prepaid via a three 3 day shipping service A Return Material Authorization RMA...

Page 4: ...atus does not exceed the Class B limits for radio noise from digital apparatus set out in the Radio Interference Regulations of the Canadian Department of Communications Le pr sent appareil num rique...

Page 5: ...d Encode Type 11 Encrypted Track Data 11 Track 1 Encrypted Data 12 Track 2 Encrypted Data 12 Track 3 Encrypted Data 12 Card Status 12 MagnePrint Status 13 MagnePrint Data Length 13 MagnePrint Absolute...

Page 6: ...II to Keypress Conversion Type Property KB 42 CRC Flag Property KB and Serial Models 43 Keyboard SureSwipe Flag Property KB UART RS 232 44 Decode Enable Property 44 SS JIS Type 2 Property 45 ES JIS Ty...

Page 7: ...te Command 68 Set Security Level Command 70 Get Transaction Count Command Flash Reader Only 71 Read Oldest Transaction Command Flash Reader Only 71 Erase Oldest Transaction Command Flash Reader Only 7...

Page 8: ...viii...

Page 9: ...format as described in this document but the MagnePrint data will not be sent In the HID mode the reader sends track data but does not send MagnePrint data By default the data is sent in the format de...

Page 10: ...y Y S S 0x02 Reset Device Y X X 0x03 Get Keymap Item Y Y Y 0x04 Set Keymap Item Y S S 0x05 Save Custom Keymap Y S S 0x09 Get DUKPT KSN and Counter Y Y Y 0x0A Set Session ID Y Y Y 0x10 Activate Authent...

Page 11: ...eless USB reader can also be directly connected to the host with a USB cable for updating firmware and charging the battery When the wireless reader is directly connected the PID is 0x0014 Since this...

Page 12: ...a Input 33 Encrypted MagnePrint data Data Input 38 Card encode type Data Input 39 Card status Data Input 40 Device Serial Number Data Input 42 Reader Encryption Status Data Input 46 DUKPT serial numbe...

Page 13: ...Size 8 75 08 Usage Track 1 decode status 09 20 Usage Track 2 decode status 09 21 Usage Track 3 decode status 09 22 Usage Track 1 encrypted data length 09 28 Usage Track 2 encrypted data length 09 29...

Page 14: ...ount 10 95 0A Input Data Variable Absolute Buffered Bytes 82 02 01 Usage Track 1 Masked data length 09 47 Usage Track 2 Masked data length 09 48 Usage Track 3 Masked data length 09 49 Report Count 3 9...

Page 15: ...09 57 Report Count 20 95 14 Input Data Variable Absolute Buffered Bytes 82 02 01 Usage Command Message 09 20 Report Count 60 95 3C Feature Data Variable Absolute Buffered Bytes B2 02 01 End Collectio...

Page 16: ...tructured into HID reports follow later in this section Windows applications that communicate to this reader can be easily developed These applications can communicate to the reader using standard win...

Page 17: ...ck 2 encrypted data length 5 Track 3 encrypted data length 6 Card encode type 7 118 Track 1 encrypted data 119 230 Track 2 encrypted data 231 342 Track 3 encrypted data 343 Card status 344 347 MagnePr...

Page 18: ...ecoding track 3 Bit position zero indicates if there was an error decoding track 3 if this bit is set to one If it is zero then no error occurred If a track has data on it that is not noise and it is...

Page 19: ...scription 0 ISO ABA ISO ABA encode format see Appendix E Identifying ISO ABA and AAMVA Cards for ISO ABA description 1 AAMVA AAMVA encode format see Appendix E Identifying ISO ABA and AAMVA Cards for...

Page 20: ...bytes it is padded with binary zeros to fill up the 8 bytes After this final clear text block is XORed with the prior 8 bytes of encrypted data it is encrypted and placed in the Encrypted Data buffer...

Page 21: ...age M Bits 1 15 Product revision mode usage R Bit 16 STATUS only state usage S Bit 17 Noise too high or move me away from the noise source used only in STATUS usage N Bit 18 Swipe too slow usage L Bit...

Page 22: ...was an error decoding the track Track 3 Masked Data Length This one byte value indicates how many bytes of decoded card data are in the track 3 Masked Data field This value will be zero if there was n...

Page 23: ...em will be set such that last digit of the PAN calculates an accurate Mod 10 check of the rest of the PAN as transmitted If the Mod 10 correction is not specified all of the intermediate characters of...

Page 24: ...ted If the Mod 10 correction is not specified all of the intermediate characters of the PAN are set to the specified mask character All Field Separators are sent unmasked All other characters are set...

Page 25: ...this CRC The CRC is converted to 16 characters of ASCII before being sent After the receiver decrypts the message the CRC is contained in the first 2 bytes of the message all other bytes are meaningl...

Page 26: ...is then converted to two bytes of ASCII data representing the Hexadecimal value of the encrypted byte many of the encrypted bytes will not have values in the ASCII character range When the reader is i...

Page 27: ...Sentinel 0x3F 0x3F 0x3F 0x3F Track 1 Track 2 and Track 3 Encrypted Data includes the Start and End Sentinel that were decoded from the card All fields with the format P are programmable configuration...

Page 28: ...changed the first character of the Format Code will automatically change to a 1 The application may change the final three characters but making such a change will automatically cause the first charac...

Page 29: ...ers and they should contain only the characters 0123456789ABCDEF The receiver will combine two successive ASCII characters from the message to form one byte see the descriptions of the commands which...

Page 30: ...umber Description 0x00 Get Property Gets a property from the reader 0x01 Set Property Sets a property in the reader 0x02 Reset Device Resets the reader 0x03 Get Keymap Item Gets a key map item KB only...

Page 31: ...data Result Code This one byte field contains the value of the result code There are two types of result codes generic result codes and command specific result codes Generic result codes always have t...

Page 32: ...s for the Get and Set Property commands can be any of the codes listed in the generic result code table If the Set Property command gets a result code of 0x07 it means the required MAC was absent or i...

Page 33: ...x17 ASCII To Keypress Conversion Type Type of conversion performed when converting ASCII data to key strokes 0x19 0x19 CRC Flag Enables disables sending CRC 0x1A 0x1A Keyboard SureSwipe Flag Enables d...

Page 34: ...length of the property The following table lists all of the property types and describes them Property Type Description Byte This is a one byte value The valid values depend on the property String Th...

Page 35: ...the USB serial number This string can be 0 15 bytes long The value of this property if any will be sent to the host when the host requests the USB string descriptor This property is stored in non vola...

Page 36: ...us bandwidth used by the reader and slowing down the card data transfer rate decreases the USB bus bandwidth used by the reader The value of this property if any will be sent to the host when the host...

Page 37: ...the unit is power cycled When this property is changed the unit must be reset see Command Number 2 or power cycled to have these changes take effect This reader must be unplugged for at least 30 seco...

Page 38: ...owed for that track will be decoded If the track cannot be decoded by the ISO method it will be considered to be in error T 00 Track Disabled 01 Track Enabled 10 Track Enabled Required Error if blank...

Page 39: ...the Mod 10 Correction should be applied to the PAN Y means Yes the Mod 10 Correction will be applied N means No the Mod 10 will not be applied This option is only effective if the masking character i...

Page 40: ...has units of bytes The maximum packet size tells the host the maximum size of the Interrupt In Endpoint packets For example if the maximum packet size is set to 8 the reader will send HID reports in m...

Page 41: ...rs are in effect An application that wishes to communicate with the reader must use the correct speed and parity There is no method of bringing a reader to a default speed and parity thus the user tha...

Page 42: ...operty Yes Default Value 120 0x78 seconds Description This property specifies in seconds the minimum amount of time a wireless reader will operate in the absence of activity Activity is defined as a S...

Page 43: ...e memory so it will persist when the unit is power cycled When this property is changed the unit must be reset see Command Number 2 or power cycled for these changes to take effect Track Data Transmis...

Page 44: ...after a good swipe In this case the reader may be powered down by pressing and holding the User Switch or it will go off after the activity timeout This property is stored in non volatile memory so i...

Page 45: ...process at the time the reader and dongle are paired together Additionally the read and dongle pair should be labeled with a unique matching identifier so that they can be visually distinguished from...

Page 46: ...ilable After this property is changed the reader should be power cycled before changing any other properties Readers other than the USB HID and KB emulation models return other Interface Type values a...

Page 47: ...d the start sentinels that were modified to indicate the card encode type need to be converted back to their original values Note that this property only applies to track data sent via the keyboard in...

Page 48: ...ransmitted in unless the ICL bit in this property is set to 1 Er 00 Don t send any card data if error NOT CURRENTLY IMPLEMENTED 01 Don t send track data if error 11 Send E for each track error This pr...

Page 49: ...map The key map can be modified to another countries key map by using commands Get Key Map Set Key Map and Save Custom Key Map See the command section of this manual for a complete description of thes...

Page 50: ...is set to 1 ALT ASCII code instead of using the key map a international keyboard key press combination consisting of the decimal value of the ASCII character combined with the ALT key modifier is used...

Page 51: ...ows 0 0 0 0 0 0 E S E 0 The Encrypted CRC will NOT be sent 1 The Encrypted CRC will be sent S 0 The Clear Text CRC will NOT be sent 1 The Clear Text CRC will be sent This property is used to designate...

Page 52: ...e of 0x01 enables SureSwipe emulation a value of 0x00 disables it A user might disable SureSwipe emulation to allow the reader to emit keyboard data in the full V5 format without encryption This could...

Page 53: ...ex Cmd Num Data Len Prp ID 00 01 1B Example Get property Response Hex Result Code Data Len Prp Value 00 01 01 SS JIS Type 2 Property Property ID 0x1C Property Type Byte Length 1 byte Get Property Yes...

Page 54: ...gth 0 7 bytes Get Property Yes Set Property Yes Default Value No string with a length of zero Description The value is an ASCII string that represents the reader s pre card string This string can be 0...

Page 55: ...ample Set Post Card String property Response Hex Result Code Data Len Data 00 00 Example Get Post Card String property Request Hex Cmd Num Data Len Prp ID 00 01 1F Example Get Post Card String propert...

Page 56: ...t after the data for each track The string can be 0 7 bytes long If the value is 0 no character is sent This property is stored in non volatile memory so it will persist when the unit is power cycled...

Page 57: ...rint info reader info DUKPT info etc If the value is 0 no character is sent If the value is in the range 1 127 then the equivalent ASCII character will be sent This property is stored in non volatile...

Page 58: ...ack 3 start sentinel for cards that have track 3 encoded in ISO ABA format If the value is 0 no character is sent If the value is in the range 1 127 then the equivalent ASCII character will be sent Th...

Page 59: ...0x29 Property Type Byte Length 1 byte Get Property Yes Set Property Yes Default Value 0x26 Description This character is sent as the track 3 start sentinel for cards that have track 3 encoded in 7 bi...

Page 60: ...ans the Format Code is user defined This property is stored in non volatile memory so it will persist when the unit is power cycled When this property is changed the unit must be reset see Command Num...

Page 61: ...Description This character is sent as the end sentinel for track 3 with any format If the value is 0 no character is sent If the value is in the range 1 127 then the equivalent ASCII character will be...

Page 62: ...encoded data read If a card is encoded according to ISO ABA rules track 1 in 7 bit format tracks 2 3 in 5 bit format and track 1 does not begin with the character B the track 1 masked data field will...

Page 63: ...te Get Property Yes Set Property No Default Value None Description This value is used to determine if a card is fully inserted into the device If a card is fully inserted into the device this property...

Page 64: ...lear AAMVA card data Example Set Send Clear AAMVA Card Data property Request Hex Cmd Num Data Len Prp ID Data 01 06 34 01 xx xx xx xx where xx xx xx xx is the MAC Example Set Send Clear AAMVA Card Dat...

Page 65: ...be reset see Command Number 2 or power cycled to have these changes take effect Example Set HID SureSwipe Flag property Request Hex Cmd Num Data Len Prp ID Data 01 02 38 01 Example Set HID SureSwipe F...

Page 66: ...ers will get dropped from the card data The larger this delay is made the longer it will take the card data to get transferred to the host A delay of 12ms 0x0C was observed to work reliably with a Win...

Page 67: ...ends this command to the reader it should close the USB port wait a few seconds for the operating system to handle the reader detach followed by the attach and then re open the USB port before trying...

Page 68: ...ier byte modifies the meaning of the key usage ID The modifier byte indicates if any combination of the right or left Ctrl Shift Alt or GUI keys are pressed at the same time as the key usage ID For a...

Page 69: ...strokes are sent to the host to represent the ASCII character The key map maps a single ASCII character to a single USB key usage ID and USB key modifier byte The key usage ID and the key modifier byt...

Page 70: ...et the key map item for ASCII character card data end sentinel use the ASCII value of which is 63 0x3F 1 Key Usage ID The value of the USB key usage ID that is to be mapped to the given ASCII value Fo...

Page 71: ...rect MAC Command not authorized Example Save Custom Keymap Request Hex Cmd Num Data Len Data 05 00 Example Save Custom Keymap Response Hex Result Code Data Len Data 00 00 DUKPT Operation Since key loa...

Page 72: ...uely identify the present transaction Its primary purpose is to prevent replays After a card is read the Session ID will be encrypted along with the card data a supplied as part of the transaction mes...

Page 73: ...ly command followed by the last two bytes of the KSN These last two bytes of the KSN may be compared with the last two bytes of the clear text KSN sent in the message to authenticate the reader The ap...

Page 74: ...003 9845 A48B 7ED3 C294 7987 5FD4 03FA 8543 Activation Challenge Reply Command Command number 0x11 Description This command is used as the second part of an Activate Authentication sequence In this co...

Page 75: ...Len Data 11 08 8579827521573495 Example Activation Challenge Reply Response Hex Result Code Data Len Data 00 00 Deactivate Authenticated Mode Command Command number 0x12 Description This command is us...

Page 76: ...Key Response Data None Result codes 0x00 Success 0x02 Bad Parameters the Request Data is not a correct length 0x03 Bad Data the encrypted reply data could not be verified 0x07 Sequence not expecting...

Page 77: ...d since it was powered up 0x01 GoodAuth Authentication Activation Successful The reader processed a valid Activation Challenge Reply command 0x02 GoodSwipe Good Swipe The user swiped a valid card corr...

Page 78: ...nt the MAC field should NOT be sent 1 MAC Four byte MAC to secure the command Response Data Offset Field Name Description 0 Security Level Only present if there was no request data This field gives th...

Page 79: ...nsactions stored Hex Result Code Data Len Data 00 01 09 Read Oldest Transaction Command Flash Reader Only Command number 0x17 Description This command is used to stimulate the reader to send the oldes...

Page 80: ...ore erasure Example Request Erase Oldest Transaction Hex Cmd Num Data Len Data 18 00 Example Response Erase Oldest Transaction Hex Result Code Data Len Data 00 00 Get Encryption Counter Command Comman...

Page 81: ...Counter Response Hex Encryption Counter is 2033 Result Code Data Len Data 00 13 54455354205345545550203030303100 0007F1 Power Down Command Wireless USB Reader Only Command number 0x28 Description Thi...

Page 82: ...ypt Bulk Data Command Command number 0x30 Description This command will encrypt up to a maximum of 120 bytes The Data Response variant of the DUKPT key will be used to encrypt data It will also comput...

Page 83: ...less than 15 bytes it will be left justified The 16th byte will always be set to NULL Cryptogram Encrypted data the length of which is always a multiple of 8 this field can be maximum of 120 characte...

Page 84: ...MagneSafe V5 76...

Page 85: ...rd data HID mode only The part numbers for the demo program can be found in this document in Section 1 under Accessories INSTALLATION To install the demo program run the setup exe file and follow the...

Page 86: ...ult The command request and the command result will be displayed in the Communications Dialog edit box The Clear Dialog button clears the Communication Dialog edit box To read cards and view the card...

Page 87: ...should be used so that a keyboard may be modified for a different language by simply printing different keycaps One example is the Y key on a North American keyboard In Germany this is typically Z Rat...

Page 88: ...01 104 28 1C Keyboard y and Y 4 22 4 101 104 29 1D Keyboard z and Z 4 46 4 101 104 30 1E Keyboard 1 and 4 2 4 101 104 31 1F Keyboard 2 and 4 3 4 101 104 32 20 Keyboard 3 and 4 4 4 101 104 33 21 Keyboa...

Page 89: ...104 68 44 Keyboard F11 122 101 104 69 45 Keyboard F12 123 101 104 70 46 Keyboard PrintScreen 1 124 101 104 71 47 Keyboard Scroll Lock 11 125 4 101 104 72 48 Keyboard Pause 1 126 101 104 73 49 Keyboard...

Page 90: ...ation 10 129 104 102 66 Keyboard Power 9 103 67 Keypad 104 68 Keyboard F13 62 105 69 Keyboard F14 63 106 6A Keyboard F15 64 107 6B Keyboard F16 65 107 6C Keyboard F17 109 6D Keyboard F18 110 6E Keyboa...

Page 91: ...ational9 22 144 90 Keyboard Lang1 25 145 91 Keyboard Lang2 26 146 92 Keyboard Lang3 30 147 93 Keyboard Lang4 31 148 94 Keyboard Lang5 32 149 95 Keyboard Lang6 8 150 96 Keyboard Lang7 8 151 97 Keyboard...

Page 92: ...ypad 196 C4 Keypad 197 C5 Keypad 198 C6 Keypad 199 C7 Keypad 200 C8 Keypad 201 C9 Keypad 202 CA Keypad 203 CB Keypad 204 CC Keypad 205 CD Keypad Space 206 CE Keypad 207 CF Keypad 208 D0 Keypad Memory...

Page 93: ...a non locking key sent as member of an array 12 Implemented as a locking key sent as a toggle button Available for legacy support however most systems should use the non locking version of this key 13...

Page 94: ...es the Zenkaku Hankaku key for Japanese USB word processing keyboards 33 The symbol displayed will depend on the current locale settings of the operating system For example the US thousands separator...

Page 95: ...ce Class Definition for Human Interface Devices HID Version 1 11 and specifically for this manual Section 8 3 Report Format for Array Items The modifier byte is defined as follows Table B 1 Modifier B...

Page 96: ...MagneSafe V5 88...

Page 97: ...he derived key is used These sequences are based on the following data Derivation Key 0123 4567 89AB CDEF FEDC BA98 7654 3210 Initially Loaded Key Serial Number KSN FFFF 9876 5432 10E0 0000 Initially...

Page 98: ...MagneSafe V5 90...

Page 99: ...N 02 DATA 10 00 Response RC 00 LEN 00 DATA 02 00 Reset so changes take effect Request CMND 02 LEN 00 DATA Response RC 00 LEN 00 DATA Delay waited 5 seconds 00 01 10 Get current interface should return...

Page 100: ...t interface should be 00 Request CMND 00 LEN 01 DATA 10 Response RC 00 LEN 01 DATA 00 00 01 01 Get current USB SN should be 1234 Request CMND 00 LEN 01 DATA 01 Response RC 00 LEN 04 DATA 31 32 33 34 0...

Page 101: ...00 00 00 Example 2 Configuring a reader before encryption is enabled Secureity Level 2 In this example the reader is set up for Keyboard Emulation This script demonstrates configuration commands for...

Page 102: ...t ISO Track Mask 0404 N uses as mask char Request CMND 01 LEN 07 DATA 07 30 34 30 34 2A 4E Response RC 00 LEN 00 DATA 00 01 19 Get current CRC Flags Request CMND 00 LEN 01 DATA 19 Response RC 00 LEN 0...

Page 103: ...FF FF FF FF 01 05 2C 31323334 Set to 1234 Request CMND 01 LEN 05 DATA 2C 31 32 33 34 Response RC 00 LEN 00 DATA 02 00 Reset so changes take effect Request CMND 02 LEN 00 DATA Response RC 00 LEN 00 DA...

Page 104: ...06 DATA 54 52 4B 45 4E 44 00 01 22 Get current Termination String should return TXEND ENTER Request CMND 00 LEN 01 DATA 22 Response RC 00 LEN 06 DATA 54 58 45 4E 44 0D 00 01 2C Get current Format Code...

Page 105: ...00 00 00 00 00 340 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 360 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 380 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00...

Page 106: ...ack 3 Masked data 844 851 Encrypted Session ID 852 Track 1 Absolute data length 853 Track 2 Absolute data length 854 Track 3 Absolute data length 855 MagnePrint Absolute data length Using this informa...

Page 107: ...0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 477 492 Device serial number not set not filled 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 493 494 Reader Encryptio...

Page 108: ...al Reference Manual and USB KB SureSwipe USB KB Swipe Reader Technical Reference Manual 99875206 the KB Data SureSwipe format is broken down like this Tk1 SS Tk1 Data ES Tk2 SS Tk2 Data ES Tk3 SS Tk3...

Page 109: ...ession ID P35 DUKPT serial number counter P35 Clear Text CRC P35 Encrypted CRC P35 Format Code P34 Each of the Pxx elements has the default value in this configuration thus we can reinterpret the form...

Page 110: ...se RC 00 LEN 0A DATA FF FF 98 76 54 32 10 E0 00 01 For KSN 1 MAC Key 042666B4918430A3 68DE9628D03984C9 The command to change Security Level looks like 15 05 03 nnnnnnnn where nnnnnnnn is the MAC The d...

Page 111: ...MAC The data to be MACd is 15 05 04 Data to be MACd must be in blocks of eight bytes so we left justify and zero fill the block to get 15 05 04 00 00 00 00 00 This is the block to MAC For convenience...

Page 112: ...For convenience show it as the compacted form 1505040000000000 The MAC algorithm run with this data uses the following cryptographic operations Single DES Encrypt the data to be MACd with the left hal...

Page 113: ...Polling Interval to 1 ms Request CMND 01 LEN 06 DATA 02 01 87 20 CE 23 Response RC 00 LEN 00 DATA 00 01 1E Get current Pre Card String Request CMND 00 LEN 01 DATA 1E Response RC 00 LEN 00 DATA Form M...

Page 114: ...32F gets 1FA9A44C703099E1 MAC is first four bytes 1FA9A44C 01 05 21 1FA9A44C Set to Request CMND 01 LEN 05 DATA 21 1F A9 A4 4C Response RC 00 LEN 00 DATA 00 01 22 Get current Termination String Reques...

Page 115: ...A 21 Response RC 00 LEN 00 DATA 00 01 22 Get current Termination String should return ENTER Request CMND 00 LEN 01 DATA 22 Response RC 00 LEN 01 DATA 0D 00 01 2C Get current Format Code Request CMND 0...

Page 116: ...using Current Encryption Key variant as above A72D2DB236BF29D2 TDES Dec with FD0329B2DA3AA6EA B7979DF75D9B5DF5 34DB9230698281B4 Build an Activation Challenge Reply command cmd len cryptogram 11 08 XXX...

Page 117: ...D0 F0 72 A6 CB 34 40 36 56 0B 30 71 FC 1F D1 1D 9F 7E 74 88 67 42 D9 BE E0 CF D1 60 EA 10 64 C2 13 BB 55 27 8B 2F 12 00 00 00 00 00 00 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0...

Page 118: ...00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 820 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 840 00 00 00 00 21 68 5F 15 8B 5C 6B E0 3C 25 1F 36 According to the USB MagneS...

Page 119: ...00 00 00 231 342 Track 3 encrypted data 76 BB 01 3C 0D FD 81 95 F1 6F 2F BC 50 A3 51 71 AA 37 01 31 F8 74 42 31 3E E3 64 57 B8 7C 87 F9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0...

Page 120: ...00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 844 851 Encrypted Session ID user didn t load all zeroes 21 68 5F 15 8B 5C 6B E0 852...

Page 121: ...7F gets 0704673B0041CC2F XOR 3436560B3071FC1F gets 3332313030303030 decrypted block 6 Continue on in reverse block order 3436560B3071FC1F TDES Dec with 27F66D5244FF621E AA6F6120EDEB427F gets 718DF68EC...

Page 122: ...0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 As Track 2 Encrypted Data Length cites 40 bytes only we c...

Page 123: ...curate decryption of the track Track 3 encrypted data 76 BB 01 3C 0D FD 81 95 F1 6F 2F BC 50 A3 51 71 AA 37 01 31 F8 74 42 31 3E E3 64 57 B8 7C 87 F9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00...

Page 124: ...D5244FF621E AA6F6120EDEB427F gets AF4EABEE4973E402 XOR D0E31706106903E6 gets 7FADBCE8591AE7E4 decrypted block 5 Continue on in reverse block order D0E31706106903E6 TDES Dec with 27F66D5244FF621E AA6F6...

Page 125: ...ata received Raw KB Data Byte Content 0 B5452000000007189 HOGAN PAUL 08040000000000 50 000000000 5452000000007189 080400000000000000 51 100 63000050000445 000000000000 0600 C25C1D1197D31CAA 150 87285D...

Page 126: ...to the structure B5452000000007189 HOGAN PAUL 08040000000000000000000 5452000000007189 080400000000000000 5163000050000445 000000000000 0600 C25C1D1197D31CAA87285D59A892047426D9182EC11353C051ADD6D0F07...

Page 127: ...74886742 7 D9BEE0CFD1EA1064 8 C213BB55278B2F12 Appendix C tells us to decrypt the last block C213BB55278B2F12 TDES Dec with 27F66D5244FF621E AA6F6120EDEB427F gets E98ED0F0D1EA1064 XOR D9BEE0CFD1EA1064...

Page 128: ...000 000 We can ignore the last four bytes because they are all hex 00 and fall after the End Sentinel ASCII string B5452300551227189 HOGAN PAUL 08043210000000725000000 This is an accurate decryption o...

Page 129: ...91059A0FB 2 FE627954EE21868A 3 EE3979540B67FCC4 4 0F61CECA54152D1E Appendix C tells us to decrypt the last block 0F61CECA54152D1E TDES Dec with 27F66D5244FF621E AA6F6120EDEB427F gets DE0949643B57C3C4...

Page 130: ...ntinue on in reverse block order C07B12648DCAC4FD TDES Dec with 27F66D5244FF621E AA6F6120EDEB427F gets AAC8D06ACCF27E6D XOR BE6EE7466B81196E gets 14A6372CA7736703 decrypted block 5 Continue on in reve...

Page 131: ...0FE2C5A3556E9CE5A9B2E6DB8914A6372C A77367036EFAADC02F02C4FB76C6CFD8A59C0000 This is an accurate decryption of the MagnePrint data Encrypted Session ID user didn t load all zeroes 21685F158B5C6BE0 As t...

Page 132: ...MagneSafe V5 124...

Page 133: ...cy will be sent in the clear c If the Format Code PAN Name or Expiration Date contain the character End Sentinel the field is not correctly structured d A correctly structured Format Code is the first...

Page 134: ...e the card is considered to be an AAMVA card 3 AAMVA card masking when enabled works as follows a Tracks 1 3 are sent entirely masked i e zeros are supplied in all character positions b Track 2 The go...

Page 135: ...re 0x01 USB Serial Num No string with a length of zero 0x02 Polling Interval 1 ms 0x03 Device Serial Num No string with a length of zero 0x04 MagneSafe Version Number V05 0x05 Track ID Enable 0x95 0x0...

Page 136: ...perty JIS 0x00 0x1C SS JIS TYPE 2 0x7F DEL 0x1D ES JIS TYPE 2 0x7F DEL 0x1E Pre Card String 0x00 0x1F Post Card String 0x00 0x20 Pre Track String 0x00 0x21 Post Track String 0x00 0x22 Termination Stri...

Page 137: ...Enable MagneSafe 2 0 format 0x00 Disabled 0x37 MagneSafe 2 0 Decode Status 0x00 no decodes performed yet 0x38 HID SureSwipe Flag 0x00 0x39 MagneSafe 2 0 Track Handling 0x00 always create MS 2 0 forma...

Page 138: ...0x46 Transaction Threshold Exhausted Message 0x47 Bad Read Message 0x48 Good Read Message 0x49 Authenticated Message 0x4A Waiting Authentication Message 0x4B Transaction Validation Rejected text 0x50...

Reviews:

No comments

Brands by name

Popular brands

Load more brands