Copyright © 2010-2020, International Technologies & Systems Corporation. All rights reserved.
Page 37 of 76
User Manual, SecureHead USB and UART Interface
This one-byte value indicates the number of bytes in the Track 3 data field.
Track 1 and Track 2 Masked
Track data is masked with the MaskCharID (default is ‘*’). The first PrePANID (up to 6 for BIN,
default is 4) and the last PostPANID (up to 4, default is 4) characters can be left in the clear
(unencrypted).
Track 1, Track 2 and Track 3 Encrypted
This field is the encrypted Track data, using either TDES-CBC or AES-CBC with an initial vector
of 0. If the original data is not a multiple of 8 bytes for TDES or a multiple of 16 bytes for AES,
the reader right-pads the data with 0.
The key management scheme is DUKPT or Fixed Key. For DUKPT, the key used for
encrypting data is called the Data Key. The Data Key is generated by first XORing the DUKPT
Derived Key with 0000000000FF0000 0000000000FF0000 to get the resulting
intermediate variant key. The left 8 bytes of the intermediate variant key are then TDES encrypted
with the entire 16-byte variant as the key. After the same steps are performed for the right 8 bytes
of the key, the two encrypted halves are combined to form the Data Key.
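The Data Key derivation just described, worked through in Go as an added example (this is not code from the manual or from ID TECH). The derived key is a constructed sample value, and two-key TDES is expressed in Go's 24-byte key form by repeating the first 8 bytes as the third key.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// Mask the manual XORs into the DUKPT derived key: 0000000000FF0000 0000000000FF0000.
var dataKeyVariantMask = [16]byte{0, 0, 0, 0, 0, 0xFF, 0, 0, 0, 0, 0, 0, 0, 0xFF, 0, 0}

// variantKey returns the intermediate variant key (derived key XOR mask).
func variantKey(derived [16]byte) [16]byte {
	var v [16]byte
	for i := range derived {
		v[i] = derived[i] ^ dataKeyVariantMask[i]
	}
	return v
}

// DUKPTDataKey derives the Data Key: each 8-byte half of the variant key is
// TDES-encrypted under the whole 16-byte variant key, then the halves are joined.
func DUKPTDataKey(derived [16]byte) ([16]byte, error) {
	var dk [16]byte
	v := variantKey(derived)
	// Two-key TDES (EDE with K1, K2, K1); Go's TripleDES takes a 24-byte key,
	// so K1 is appended again as the third key.
	c, err := des.NewTripleDESCipher(append(append([]byte{}, v[:]...), v[:8]...))
	if err != nil {
		return dk, err
	}
	c.Encrypt(dk[:8], v[:8]) // left half
	c.Encrypt(dk[8:], v[8:]) // right half
	return dk, nil
}

func main() {
	// Constructed sample derived key (not a real DUKPT key), for demonstration only.
	var derived [16]byte
	if _, err := hex.Decode(derived[:], []byte("0123456789abcdeffedcba9876543210")); err != nil {
		panic(err)
	}
	dk, err := DUKPTDataKey(derived)
	if err != nil {
		panic(err)
	}
	fmt.Printf("Data Key: %X\n", dk)
}
```

Decrypting the Track 1/Track 2 block on the host then means running TDES-CBC with this Data Key and a zero IV, stripping the trailing zero padding, and splitting on the unencrypted length fields.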
Encrypted Data Length
Track 1 and Track 2 data are encrypted as a single block. To determine the number of bytes
in the encrypted data field, first obtain the Track 1 and Track 2 unencrypted lengths. The field
length is always a multiple of 8 bytes for TDES or a multiple of 16 bytes for AES. This value
is zero if neither track contained data or if both tracks failed to decode.
Once the encrypted data is decrypted, all padding zeros must be removed. The number of bytes
of decoded Track 1 data is given by the Track 1 unencrypted length field. The remaining bytes
are Track 2 data, the length of which is given by the Track 2 unencrypted length field.
Track 1 and Track 2 Hashed
The SecureHead reader uses SHA-1 to generate hashed data for both the Track 1 and Track 2
unencrypted data. The hash is 20 bytes long for each track. It is provided with two purposes in mind:
one is for the host to ensure data integrity by comparing this field with a SHA-1 hash of the
decrypted Track data, guarding against unexpected noise in data transmission. The other purpose is to
enable the host to store a token of the card data for future use without keeping the sensitive
cardholder data. This token may be compared with the stored hash data to determine whether
two reads are from the same card.
4.8. Level 4 Activate Authentication Sequence