User manual

Copyright © 2011, Unitech America Inc. All rights reserved.
MS246 User Manual
<STX><R><80h><02h><Pre-Authentication Time Limit><ETX><LRC>
Device -> Host:
<ACK><STX><Device Response Data><ETX><LRC> (success)
<NAK> (fail)
Pre-Authentication Time Limit: 2 bytes of time in seconds.
Device Response Data: 26 bytes of data, consisting of <Current Key Serial Number>
<Challenge 1> <Challenge 2>.
Current Key Serial Number: 10 bytes of data with the Initial Key Serial Number in
the leftmost 59 bits and Encryption Counter in the rightmost 21 bits.
Challenge 1: 8-byte challenge used to activate authentication. Encrypted using the
key derived from the current DUKPT key.
Challenge 2: 8-byte challenge used to deactivate authentication. Encrypted using the
key derived from the current DUKPT key.
Activation Challenge Reply Command
This command serves as the second part of an Activate Authentication sequence. The
host sends the first 6 bytes of Challenge 1 from the response to the Activate
Authenticated Mode command, two bytes of Authenticated Mode timeout duration,
and an eight-byte Session ID encrypted with the result of the current DUKPT key
exclusive-or'ed with <3C3C 3C3C 3C3C 3C3C 3C3C 3C3C 3C3C 3C3C>.
The Authenticated mode timeout duration specifies the maximum time in seconds
that the reader will remain in Authenticated Mode. A value of zero forces the reader
to stay in Authenticated Mode until a card swipe or power down occurs. The
minimum timeout duration required is 120 seconds. If the specified time is less than
the minimum, 120 seconds will be used for timeout duration. The maximum time
allowed is 3600 seconds (one hour).
If Session ID information is included and the command is successful, the Session ID
will be changed.
Activate Authenticated Mode succeeds if the device decrypts the Challenge Reply
command correctly. If the device cannot decrypt the Challenge Reply command,
Activate Authenticated Mode fails and the DUKPT KSN advances.
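The following Python is an added example, not code from the manual or from Unitech: it parses the 26-byte Device Response Data and prepares the host-side inputs for the Activation Challenge Reply (key variant, timeout rule, field layout). Assumptions: big-endian byte order for the KSN and timeout, a 16-byte DUKPT key matching the mask length, and host-side rejection of timeouts above 3600; encryption is left out because this page does not name the cipher, and the sample bytes are constructed.

```python
from dataclasses import dataclass

KEY_MASK = bytes.fromhex("3C" * 16)    # XOR mask quoted in the manual
MIN_TIMEOUT, MAX_TIMEOUT = 120, 3600   # seconds, from the manual

@dataclass(frozen=True)
class ActivateResponse:
    ksn: bytes          # 10-byte Current Key Serial Number
    initial_ksn: int    # leftmost 59 bits
    counter: int        # rightmost 21 bits (Encryption Counter)
    challenge1: bytes   # 8 bytes, used to activate authentication
    challenge2: bytes   # 8 bytes, used to deactivate authentication

def parse_response(data: bytes) -> ActivateResponse:
    """Split the 26-byte Device Response Data into its three fields."""
    if len(data) != 26:
        raise ValueError(f"expected 26 bytes, got {len(data)}")
    ksn = data[:10]
    value = int.from_bytes(ksn, "big")  # assumption: KSN is big-endian
    return ActivateResponse(ksn, value >> 21, value & 0x1FFFFF,
                            data[10:18], data[18:26])

def variant_key(dukpt_key: bytes) -> bytes:
    """XOR the current DUKPT key with the 3C mask (assumes a 16-byte key)."""
    if len(dukpt_key) != len(KEY_MASK):
        raise ValueError("DUKPT key must be 16 bytes to match the mask")
    return bytes(k ^ m for k, m in zip(dukpt_key, KEY_MASK))

def effective_timeout(requested: int) -> int:
    """Timeout the reader applies; 0 means until card swipe or power down."""
    if not 0 <= requested <= MAX_TIMEOUT:
        # The manual gives no behaviour outside this range, so refuse host-side.
        raise ValueError("timeout must be between 0 and 3600 seconds")
    return 0 if requested == 0 else max(requested, MIN_TIMEOUT)

def reply_fields(challenge1: bytes, timeout: int, session_id: bytes) -> bytes:
    """Unencrypted reply fields: 6 + 2 + 8 bytes (big-endian timeout assumed)."""
    if len(challenge1) != 8 or len(session_id) != 8:
        raise ValueError("Challenge 1 and Session ID are 8 bytes each")
    timeout_bytes = effective_timeout(timeout).to_bytes(2, "big")
    return challenge1[:6] + timeout_bytes + session_id

# Constructed sample response: KSN, then Challenge 1, then Challenge 2.
SAMPLE = bytes.fromhex("FFFF9876543210E00001" "1122334455667788" "99AABBCCDDEEFF00")
```

Logging the parsed `counter` on each activation attempt gives the host a record of KSN advances, which the manual says also occur when the device cannot decrypt a Challenge Reply.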
Command Structure
Host -> Device:
<STX><S><82h><08h><Activation Data><ETX><LRC>
Device -> Host:
<ACK> (success)