Copyright © 2010-2020, International Technologies & Systems Corporation. All rights reserved.
Page 38 of 76
User Manual, SecureHead USB and UART Interface
The security level changes from 3 to 4 when the device enters authentication mode successfully.
Once the security level is changed to level 3 or 4, it cannot go back to a lower level.
Activate Authentication Mode Command
When the reader is at security level 4, it transmits card data only while it is in
Authenticated Mode.
Authentication Mode Request
When sending the authentication request, the user also specifies a time limit for the reader
to wait for the Activation Challenge Reply command. The minimum timeout duration is 120
seconds; if the specified time is less than the minimum, 120 seconds is used as the timeout
duration. The maximum time allowed is 3600 seconds (one hour). If the reader times out while
waiting for the Activation Challenge Reply, authentication fails.
Device Response
When authentication mode is requested, the device responds with two challenges: Challenge 1 and
Challenge 2. The challenges are encrypted using the current DUKPT key exclusive-OR'd with
<F0F0 F0F0 F0F0 F0F0 F0F0 F0F0 F0F0 F0F0>.
The decrypted Challenge 1 contains a 6-byte random number followed by the last two bytes of the
KSN. These two bytes can be compared with the last two bytes of the clear-text KSN sent in the
same message to authenticate the reader. The user should then complete the Activate Authentication
sequence using the Activation Challenge Reply command.
Command Structure
Host -> Device:
<STX><R><80h><02h><Pre-Authentication Time Limit><ETX><CheckSum>
Device -> Host:
<ACK><STX><Device Response Data><ETX><CheckSum> (success)
<NAK> (fail)
Pre-Authentication Time Limit: 2 bytes, time in seconds
Device Response Data: 26 bytes, consisting of <Current Key Serial Number> <Challenge 1>
<Challenge 2>
Current Key Serial Number: 10 bytes, with the Initial Key Serial Number in the leftmost 59 bits
and the Encryption Counter in the rightmost 21 bits.
Challenge 1: 8-byte challenge used to activate authentication. Encrypted using the key derived
from the current DUKPT key.
Challenge 2: 8-byte challenge used to deactivate authentication. Encrypted using the key derived
from the current DUKPT key.