manualshive.com logo in svg

IDTECH SecureHead SPI, Руководство пользователя, Страница: 24 / 57

Поделиться
Скачать
IDTECH SecureHead SPI Скачать руководство пользователя страница 24

 

ID TECH SecureHead SPI with TMIV User Manual 

Page | 24  

 

4.15.

 

Encrypted Output for Decoded Data 

4.15.1.

 

Encrypt Functions 

When a card is swiped through the Reader, the track data will be encrypted via TDES (Triple Data 
Encryption Algorithm, aka, Triple DES) or AES (Advanced Encryption Standard) using Fixed key 
management or DUKPT (Derived Unique Key Per Transaction) key management. DUKPT key 
management uses a base derivation key to encrypt a key serial number that produces an initial 
encryption key (IPEK), which is injected into the Reader prior to deployment. After each transaction, 
the encryption key is modified per the DUKPT algorithm so that each transaction uses a unique key. 
Thus, the data will be encrypted with a different encryption key for each transaction, as a safeguard 
against replay attacks. DUKPT is described by ANSI X9.24-1:2009; for details, refer to that spec. 
 

4.15.2.

 

Security Related Function ID 

Security Related Function IDs are listed below. Their functions are described in other sections. 

Characters 

Hex Value 

Description 

PrePANID 

49 

First N Digits in PAN which can be 
clear data 

PostPANID 

4A 

Last M Digits in PAN which can be 
clear data 

MaskCharID 

4B 

Character used to mask PAN 

EncryptionID 

4C 

Security Algorithm 

SecurityLevelID 

7E 

Security Level (Read Only) 

Device Serial Number ID 

4E 

Device Serial Number (Can be write 
once. After that, can only be read) 

DisplayExpirationDataID 

50 

Display expiration data as mask 
data or clear data 

KSN and Counter ID 

51 

Review the Key Serial Number and 
Encryption Counter 

Session ID 

54 

Set current Session ID 

Key Management Type 
ID 

58 

Select Key Management Type 

 
 

 

 

Содержание SecureHead SPI

Страница 1: ... Walker Street Cypress CA 90630 4720 Tel 714 761 6368 Fax 714 761 8880 www idtechproducts com USER MANUAL SecureHead Encrypted Magnetic Read Head With TriMagIV ASIC SPI Interface 80101502 002 Rev J 28 September 2020 ...

Страница 2: ...thorized to assume for ID TECH any other liabilities in connection with the sales of any product In no event shall ID TECH be liable for any special incidental or consequential damages to Purchaser or any third party caused by any defective item of equipment whether that defect is warranted against or not Purchaser s sole and exclusive remedy for defective equipment which does not conform to the r...

Страница 3: ...endix J on firmware updating Flow diagrams removed Add note about power management and firmware update Add expanded discussion of firmware update to Appendix J KT F 12 05 2019 Updated section 4 2 Communication Timing Corrected header and footer removed section breaks and replaced them with page breaks repaginated layout CB G 07 15 2020 Updated font style Updated pinout diagrams CB H 09 17 2020 Cor...

Страница 4: ...4 7 Decoding Method Settings 17 4 7 1 Samsung Pay Encoding Decoding 18 4 8 Review Settings 18 4 9 Review Firmware Version 18 4 10 Review Serial Number 19 4 11 Message Formatting Selections Only for Security Level 1 2 19 4 11 1 Terminator Setting 19 4 11 2 Preamble Setting 19 4 11 3 Postamble Setting 19 4 11 4 Track n Prefix Setting 20 4 11 5 Track n Suffix Setting 20 4 12 Magnetic Track Selections...

Страница 5: ... 2 3 Definitions 29 6 3 DUKPT Level 3 Data Output Enhanced Format 29 6 3 1 Data length byte 30 6 3 2 Card Encode Type 31 6 4 Track Status 31 6 5 Track Data Length 31 6 6 Clear Masked Data sent status 32 6 6 1 Encrypted Hash Data sent status 32 6 7 Track Masked Data 32 6 8 Track Encrypted Data 32 6 9 Track Hashed Data 33 6 9 1 Encryption Output Format Setting 33 6 9 2 Encryption Option Setting for ...

Страница 6: ...IX G EXAMPLE OF ID TECH RAW DATA DECRYPTION 44 Original Raw Data Forward Direction 44 Original Raw Data Backward Direction 44 Example of decryption of a two track ABA card with the original encryption format For both Fix DUKPT key management 44 SecureHead Reader with default settings 44 Original Encryption Format 44 14 APPENDIX H EXAMPLE OF SPI MASTER CHIP CONTROLLING 46 15 APPENDIX I MAGNETIC HEA...

Страница 7: ...0 C to 55 C Storage Temperature 40 C to 70 C Humidity 10 to 90 non condensing Mechanical Weight 5 67 grams Cable Length 125 6 4 mm Note 1 During the analog components wake up a few capacitors are charged up and the wake up inrush current can go up to 40 mA for no more than 5 μsec Note 2 During the chip power up the internal regulator can introduce 80 mA current for 50 μsec Note 3 ID TECH recommend...

Страница 8: ...ID TECH SecureHead SPI with TMIV User Manual Page 8 2 1 Dimensions ...

Страница 9: ...s the standard mounting option and can be used on most swipe readers The protrusion of the head from the surface of the spring is 3 50 mm 2 3 Head assembly only T his option is provided for special applications The mechanical interface is an eight pin male Molex Connector 51021 0800 for option 1 and 2 ...

Страница 10: ...ring each SPI clock cycle data are transmitted in both directions at the same time full duplex transmission On the MOSI line the master sends a bit and the slave reads it On the MISO line the slave sends a bit and the master reads it The SPI bus transmits data in 8 bit data groups sending data one bit at a time from MSB to LSB An example of bit transmission for byte A and byte B of two byte quanti...

Страница 11: ...r TM4 SPI firmware with clock polarity 0 and clock phase 0 The data are read on the rising edge of the clock and changed on the falling edge On MOSI line the host sends out data of 00000010 or 02h 0x02 3 3 Master Input Slave Output MISO The MISO signal is the serial data output sent from for the device It is also the data line that is received by the host When the device is not active Chip Select ...

Страница 12: ...ead the data After all the data is transmitted the device sets the DAV signal low again The signal can be used for the host to determine if the device has data ready to transmit However the signal should be ignored right after 1 second maximum the power cycle or a reset as it would be in an indeterminate state In the case when the DAV signal is not used the host will need to poll the device period...

Страница 13: ...sent the DAV is pulled low If user polls DAV status to check whether there are data available we suggest using 100μs polling interval and throw away any data when DAV is low 3 6 Chip Select SPI interface allows connecting several SPI devices while master selects each of them with NCS Chip Select Active Low The device will only respond to SPCK and MOSI signals after an NCS is pulled low For the fir...

Страница 14: ...ck in the frame The host normally clocks out IDLE characters to clock in a frame from the device Because the device typically loads its one transmit buffer with IDLE byte when it has nothing to transmit the first byte clocked out from the device after the DAV signal is asserted could be IDLE instead of a valid byte If this is the case simply discard this byte To detect whether the device has a fra...

Страница 15: ...y so they are not affected by the cycling of power In TriMag IV ACK is 0x06 4 1 Command Structure 4 1 1 Commands sent to SecureHead a Setting Command STX S FuncID Len FuncData ETX CheckSum b Read Status Command STX R FuncID ETX CheckSum c Special Function Command STX FuncID Len FuncData ETX CheckSum 4 1 2 Response from SecureHead a Setting Command Host SecureHead Setting Command ACK if OK or NAK i...

Страница 16: ...03h CheckSum Check Sum The overall Modulo 2 Exclusive OR sum from STX to CheckSum should be zero ACK 06h NAK 15h 4 2 Communication Timing The power up time for TMIV SecureHead is 600ms The typical delay for the reader to respond to a command is 20ms the maximum delay for the reader to respond can be as much as 40ms Caution must therefore be taken to maintain an appropriate delay between two comman...

Страница 17: ... Directions If the encryption feature is enabled the key management method used is DUKPT 2 Moving stripe along head in direction of encoding If the encryption feature is enabled the key management method used is DUKPT 3 Moving stripe along head against direction of encoding If the encryption feature is enabled the key management method used is DUKPT 4 Raw Data Decoding in Both Directions send out ...

Страница 18: ...ill be ignored to avoid capturing track data as an incorrect type The processor will not move data from one track to another 4 8 Review Settings Command STX R 1Fh ETX CheckSum This command does not have any FuncData It activates the review settings command SecureHead sends back an ACK and Response Response format The current setting data block is a collection of many function setting blocks FuncSE...

Страница 19: ...ata These can be special characters for identifying a specific reading station to format a message header expected by the receiving host or any other character string Up to fifteen ASCII characters can be defined Command STX S D2h Len Preamble ETX CheckSum Where Len the number of bytes of preamble string Preamble string length string NOTE String length is one byte maximum fifteen 0Fh 4 11 3 Postam...

Страница 20: ...se can be special characters to identify the specific track to the receiving host or any other character string Up to six ASCII characters can be defined Command STX S n Len Suffix ETX CheckSum Where n 37h for Track1 38h for Track2 and 39h for Track3 Len the number of bytes of suffix string Suffix string length string NOTE String length is one byte maximum six 4 12 Magnetic Track Selections Only f...

Страница 21: ...setting does not affect the output of Track1 and Track3 Command STX S 19h 01h SendOption ETX CheckSum SendOption 0 Do not send start end sentinel and send all data on Track2 1 Send start end sentinel and send all data on Track2 2 Don t send start end sentinel and send account on Track2 3 Send start end sentinel and send account number on Track2 4 13 Security Settings 4 13 1 Select Key Management T...

Страница 22: ...t succeeds before any security related featured can be changed 4 13 3 Retrieve Encrypted Challenge Command Host Device Command STX R 74h ETX CheckSum Device Host Command ACK STX 8 bytes of TDES encrypted random data ETX CheckSum success NAK fail 4 13 4 Send External Authenticate Command Host Device Command STX S 74h 08h 8 bytes of original random data ETX CheckSum Device Host ACK success NAK fail ...

Страница 23: ...r 4 Command Host Device Command STX 41h Length Data to Be Encrypted ETX CheckSum Where Length is the 2 byte length of Data to Be Encrypted in hex represented as Length_L and Length_H Device Host Command ACK STX Length Encrypted Data SessionID KSN ETX LRC success or NAK fail Where Length is the 2 byte length of Encrypted Data SessionID KSN in hex represented as Length_L and Length_H SessionID is on...

Страница 24: ...ed with a different encryption key for each transaction as a safeguard against replay attacks DUKPT is described by ANSI X9 24 1 2009 for details refer to that spec 4 15 2 Security Related Function ID Security Related Function IDs are listed below Their functions are described in other sections Characters Hex Value Description PrePANID 49 First N Digits in PAN which can be clear data PostPANID 4A ...

Страница 25: ...32 31 30 03 LRC Get Serial Number 02 52 4E 03 LRC KSN and Counter ID 00 00 00 00 00 00 00 00 00 00 This field includes the Initial Key Serial Number in the leftmost 59 bits and a value for the Encryption Counter in the right most 21 bits Get DUKPT KSN and Counter 02 52 51 03 LRC Session ID 00 00 00 00 00 00 00 00 This Session ID is an eight byte string which contains hex data This field is used by...

Страница 26: ...ctively 1 million meaning that a new key can be generated per swipe for up to a million card swipes After this limit has been reached key injection will need to occur again before any more transactions can be done 4 16 2 Level 1 By default readers from the factory are configured to have this security level There is no encryption process no key serial number transmitted with decoded data The reader...

Страница 27: ...k1 is 7 bits encoding Track2 is 5 bits encoding Track2 is 5 bits encoding Additional check Track1 second byte is B There is only one in Track2 and the position of is between 13th 20th character Total length of Track2 should above 21 characters 5 1 2 AAMVA American Association of Motor Vehicle Administration Card Encoding method Track1 is 7 bits encoding Track2 is 5 bits encoding Track3 is 7 bits e...

Страница 28: ... 6 2 Level 1 and 2 Data Output Format 6 2 1 Magnetic Track Basic Decoded Data Format Track1 SS1 T1 Data ES Track Separator Track2 SS2 T2 Data ES Track Separator Track3 SS3 T3 Data ES Terminator Where SS1 start sentinel Track1 SS2 start sentinel Track2 SS3 start sentinel Track3 for ISO for AAMVA ES end sentinel all tracks Track Separator Carriage Return Terminator Carriage Return Language US Englis...

Страница 29: ...is required or when the tracks must be encrypted separately or when cards other than type 0 ABA bank cards must be encrypted or when Track3 must be encrypted This format is the standard encryption format but not yet the default encryption format Card data is sent out in the following format STX LenL LenH Card Data CheckLRC CheckSum ETX Value Description 0 STX 1 Data Length low byte 2 Data Length h...

Страница 30: ...ed 20 bytes each if encrypted and hash Track3 allowed KSN 10 bytes CheckLRC CheckSum ETX Where STX 02h ETX 03h Description see also Appendix F for a real world example 6 3 1 Data length byte LenL Overall length of data low bits LenH Overall length of data high bits ...

Страница 31: ...anced mode similar to ABA Track2 6 4 Track Status MSR sampling and decode status MB LB B7 B6 B5 B4 B3 B2 B1 B0 B0 1 Track1 decode success 0 Track1 decode fail B1 1 Track2 decode success 0 Track2 decode fail B2 1 Track3 decode success 0 Track3 decode fail B3 1 Track1 sampling data exists 0 Track1 sampling data does not exist B4 1 Track2 sampling data exists 0 Track2 sampling data does not exist B5 ...

Страница 32: ...it 7 1 KSN present 6 7 Track Masked Data Track data masked with the MaskCharID default is The first PrePANID up to 6 for BIN default is 4 and last PostPANID up to 4 default is 4 characters can be in the clear unencrypted 6 8 Track Encrypted Data This field is the encrypted Track data using either TDES CBC or AES CBC with initial vector of 0 If the original data is not a multiple of 8 bytes for TDE...

Страница 33: ...upported 1 Enhanced Encryption Format 6 9 2 Encryption Option Setting for enhanced encryption format only Command 53 84 01 Encryption Option Encryption Option default 08h bit 0 1 Track1 force encrypt bit 1 1 Track2 force encrypt bit 2 1 Track3 force encrypt bit 3 1 Track3 force encrypt when card type is 0 Note 1 When force encrypt is set this track will always be encrypted regardless of card type ...

Страница 34: ...pe Card Type will be 8x for enhanced encryption format and 0x for original encryption format Value Encode Type Description 00h 80h ISO ABA format 01h 81h AAMVA format 03h 83h Other 04h 84h Raw un decoded format For Type 04 or 84 Raw data format all tracks are encrypted and no mask data is sent No track indicator 01 02 or 03 in front of each track Track indicator 01 02 and 03 will still exist for n...

Страница 35: ...rent from 2 or 6 1 Use IC where feasible 1st digit in Service Code is 2 or 6 Bit 6 1 Pin Encryption Key 0 Data Encryption Key Refer ANSI X9 24 2009 Page 56 for details Bit 7 1 Serial present 0 not present 6 14 Note 4 Encrypted Hash data sent status Field 9 Encrypted data sent status Bit 0 1 Track1 encrypted data present Bit 1 1 Track2 encrypted data present Bit 2 1 Track3 encrypted data present Bi...

Страница 36: ...ed Decoding Method Both Swiping Direction Decode mode Track Separator Settings CR Terminator Settings CR Preamble Settings None Postamble Settings None Track Selected Settings Any Track Sentinel and T2 Account No Send Sentinels and all T2 data Data Edit Setting Disabled Track Prefix None Track Suffix None ...

Страница 37: ...tion date 4 h Optional Discretionary data Variable i End Sentinel 1 j Linear Redundancy Check LRC Character 1 8 1 2 Track2 Field ID Character Contents Length a Start Sentinel 1 b Account Number 12 or 19 c Separator 1 d Expiration date YYMM 4 e Optional discretionary data Variable f End Sentinel 1 g Linear Redundancy Check LRC Character 1 8 2 AAMVA Driver s License Format 8 2 1 Track1 Field ID Char...

Страница 38: ...Jurisdiction i ID DL 5 h End Sentinel 1 i Linear Redundancy Check LRC Character 1 8 2 3 Track3 Field ID Character Contents Length a Start Sentinel 1 b Template Version 1 c Security Version 1 d Postal Code 11 e Class 2 f Restrictions 10 g Endorsements 4 h Sex 1 i Height 3 j Weight 3 k Hair Color 3 l Eye Color 3 m ID 10 n Reserved Space 16 o Error Correction 6 p Security 5 q End Sentinel 1 r Linear ...

Страница 39: ...rst data block before it is encrypted Then the data is encrypted with the device key using TDES algorithm The result is again XOR ed with the next 8 byte data block before it is encrypted The process repeats until all the data blocks have been encrypted The host can decrypt the cipher text from the beginning of the block when the data is received However it must keep track of both the encrypted an...

Страница 40: ...ID TECH SecureHead SPI with TMIV User Manual Page 40 11 APPENDIX E Key Management Flow Chart ...

Страница 41: ...B10A3FBC230FBFB941FAC9E82649981AE79F263215 6E775A06AEDAFAF6F0A184318C5209E55AD44A9CCF6A78AC240F791B63284E15B40191 02BA6C505814B585816CA3C2D2F42A99B1B9773EF1B116E005B7CD8681860D174E6AD3 16A0ECDBC687115FC89360AEE7E430140A7B791589CCAADB6D6872B78433C3A25DA9DD AE83F12FEFAB530CE405B701131D2FBAAD970248A456000933418AC88F65E1DB7ED4D10 973F99DFC8463FF6DF113B6226C4898A9D355057ECAF11A5598F02CA31688861C157C1C ...

Страница 42: ...6C50FC39C7E6AF22F06ED1F033BE0FB23D6BD33DC5A1F8 08512F7AE18D47A60CC3F4559B1B093563BE7E07459072ABF8FAAB5338C6CC88 15FF87797AE3A7BE Track2 encrypted length 0x32 rounded up to 8 bytes 0x38 56 decimal AB3B10A3FBC230FBFB941FAC9E82649981AE79F2632156E775A06AEDAFAF6F0A 184318C5209E55AD Track3 encrypted length 0x6B rounded up to 8 bytes 0x70 64 decimal 44A9CCF6A78AC240F791B63284E15B4019102BA6C505814B585816C...

Страница 43: ...3337676760707 2 Track1 decrypted data in hex including padding zeros but there are no pad bytes here 2542343236363834313038383838393939395E42555348204A522F47454F5247452057 2E4D525E30383039313031313030303031313030303030303030303436303030303030 3F21 Track2 decrypted data in hex including padding zeros 3B343236363834313038383838393939393D3038303931303131303030303034363F30 0000000000 Track3 decrypted ...

Страница 44: ...er with default settings Key for all examples is 0123456789ABCDEFFEDCBA9876543210 Original Encryption Format Original encryption format this can be recognized because the high bit of the fourth byte underlined 00 is 0 028700041B331A0027D2E435CEE303F007E977B598B7E3C57C76F4445E309F6916C032 1A0F915B6E490813498839049FE5204762327C3C758C5BF82542DEEDD8D6AF88019149 A702FF2D43BD4AD60031FA450720B00D7808E15F...

Страница 45: ...sum and ETX 87 1D 03 Key Value 8A 60 A3 EB 80 87 63 52 B8 F5 05 CD A8 3C 33 70 KSN 62 99 49 01 1A 00 00 00 00 01 Decrypted Raw Data 01D67C81020408102D4481020408102042890A350854A2FB3EE4BA3D4065B67A9C391F 582A42B99A858A90AF60852B14AA628A028FC210842C18421084030092040B51581F24 B5607440481116 ...

Страница 46: ...00 FCLK PERIPH 2 define SPI_RATIO_4 0x01 FCLK PERIPH 4 define SPI_RATIO_8 0x02 FCLK PERIPH 8 define SPI_RATIO_16 0x03 FCLK PERIPH 16 define SPI_RATIO_32 0x80 FCLK PERIPH 32 define SPI_RATIO_64 0x81 FCLK PERIPH 64 define SPI_RATIO_128 0x82 FCLK PERIPH 128 define SPI_RATIO_INVALID 0x83 No BRG M A C R O S SPIF Serial Peripheral data transfer flag Cleared by hardware to indicate data transfer is in pr...

Страница 47: ...A 0 SSDIS 1 bitrate Fper 32 Enable_spi_interrupt Turn on SPI interrupt in system _SPI_SS 0 Disable SPI slave during power on to prevent indeterminate state do keep polling Other subroutine to handle other tasks if _DAV_IN If DAV pin is high level SPI slave has data ready _SPI_SS 1 To Generate a falling edge Not useful for clock phase 0 but clock phase 1 needs this falling edge delay10us Wait for h...

Страница 48: ...dle other tasks if SPIMasterCommandReady If SPI master wants to send a command to SPI slave _SPI_SS 1 To Generate a falling edge Not useful for clock phase 0 but clock phase 1 needs this falling edge delay10us Wait for high level get steady _SPI_SS 0 Pull chip select pin low ready to start SPI communication for j 0 j Command_Length j Send out whole command string spi_Sendout Command_OUTbuf j chip ...

Страница 49: ...flags are used to communicate with higher level functions user application Here the global variables to communicate with spi interrupt routine F NAME spi_isp PARAMS none return none PURPOSE spi interruption program for serial transmission Master and Slave mode NOTE Interrupt void spi_isp void IRQ_SPI if Spif_set Quit if data transfer has not been completed transmit_completed 1 Set software complet...

Страница 50: ...ripheral Master Set to configure the SPI as a Master _SPI_SS 1 Initialize chip select pin to idle high level spi_set_speed speed Set SPI master speed to Fper 32 if cpol SPCON MSK_SPCON_CPOL Cleared to have the SCK set to 0 in idle state if cpha SPCON MSK_SPCON_CPHA Cleared to have the data sampled when the SCK leaves the idle state if ssdis SPCON MSK_SPCON_SSDIS Set to disable chip select in both ...

Страница 51: ...e magnetic head needs to have the freedom to gimbal rotate about Track2 s centerline and move in out to remain in contact with the surface of the card after head is assembled to the rail Below figure shows the rotational and linear movements that the head mounting must allow 3 The head has to be mounted in relation to the reference surface on which the card slides so that the magnetic tracks of th...

Страница 52: ...lows for proper contact of the head to stripe especially at high speeds 5 Standard card thickness is 0 76mm 10 if only standard cards are to be used the rule should be the Apex crown of head of the head should be a maximum of 0 25mm from opposing card slot wall If a thinner or thicker than standard card is used the distance the head is positioned from the opposing wall needs to be adjusted this wi...

Страница 53: ...to ensure adequate rail life 10 The back side pin side of magnetic head shall have enough reserved space to prevent interference with other parts during swiping of maximum thickness cards The design must provide for a minimum of 1 25 1 52mm space behind the head to allow for proper gimbal and head movement during card swiping The head opening in the rail must allow room for maximum gimbal action 1...

Страница 54: ...d through the slot c The height of the slot should be as big as the dimensional constraints allow but shall not extend over the embossing area of the card unless there is a provision recess in the rail wall design to allow for such embossing 14 The window in the rail wall through which the head protrudes into the slot should be big enough to allow free movement of the head 15 The clearance between...

Страница 55: ...anual Page 55 ID TECH can provide samples of a rail and magnetic head for design reference Order these through your local sales representative using the following part numbers 90mm rail 80006248 001 and Standard wing spring head 80027236 001 ...

Страница 56: ...th ACK 0x06 16 2 Basic steps 1 Read firmware version 52 22 88 command This is to confirm current reader is working 2 Erase firmware 53 7E 0D 31 01 02 03 04 05 06 07 08 04 03 02 01 The firmware will be erased in about 2 seconds then rise DAV line to request the send of 0x5A Host needs to read this response Note The DAV line will be high for 500 mS If software does not read a response the SecureHead...

Страница 57: ...1c 5a Z 2 2sc Note It takes about 2 seconds for SecureHead to finish erasing firmware The host should wait for DAV line rise and read the response 5A The host might wait another 3 seconds to perform following loading step Step 2 Download firmware 1 Send one byte for getting into download mode BD 2 Send encrypted bin file new firmware file 3 Wait for DAV line rise get one byte response ignore it 4 ...

Отзывы:

Нет отзывов