CardMan 5x21 CL Reader Developers Guide Card Man V1 13
User Manual:
Open the PDF directly: View PDF .
Page Count: 67
Download | |
Open PDF In Browser | View PDF |
CardMan 5x21-CL Reader Developer’s Guide Document Version: 1.13 Abstract: Guide for developers who want to integrate contactless storage or CPU cards using OMNIKEY CardMan 5x21 smart card readers. Last modified: 27.08.2007 Disclaimer: Copyright 2004-2007 by OMNIKEY GmbH All Rights Reserved. The information in this document may not be changed without the express written permission from OMNIKEY GmbH. Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 1 of 67 Version: Printed: 1.13 18.09.07 08:17 Table Of Contents 1 Getting Started – Quick Guide to Access Contactless Cards 5 1.1 Driver Installation 5 1.1.1 Reader Name for Contact/Contactless Slot 7 1.2 Diagnostic Tool 7 1.2.1 Driver Version Detection 8 1.2.2 OMNIKEY Proprietary API Detection 8 1.2.3 Card and Reader Detection 8 1.2.4 Card Type Detection and RFID Settings 9 1.2.5 Air Interface Baud Rate Configuration 11 2 PC/SC 2.0 12 2.1 How to Access Contactless Cards via PC/SC 12 2.2 ATR Generation 14 2.2.1 CPU Cards 14 2.2.2 Storage Cards 14 3 Accessing Asynchronous Cards 15 3.1 DESFire Card 16 3.1.1 Example: Write Card Data via ISO 7816-4 Framed APDU 16 3.1.2 Example: Read Card Data via ISO 7816-4 Framed APDU 16 4 Accessing Synchronous Cards (Storage Cards) 17 4.1 Mifare Card 17 4.1.1 Mifare Increment (Card Command) 18 4.1.2 Mifare Decrement (Card Command) 19 4.1.3 Mifare Emulation Mode 20 4.1.4 Mifare Application Directory (MAD) 20 4.2 iCLASS Card 21 4.2.1 Card Access via SCardCLICCTransmit 21 4.3 ST LRI64 Support (PC/SC 2.0 add-on) 23 4.3.1 Update Binary 23 4.3.2 Read Binary 23 5 CardMan 5x21-CL Keys 25 5.1 Key Numbering Scheme 25 5.2 Key Container and Key Slots 27 5.3 Key Update Rules 28 6 Standard Communication with iCLASS Card 30 6.1 APDU Structure for Standard Communication 30 6.2 Commands Available in Standard Communication Mode 30 Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 2 of 67 Version: Printed: 1.13 18.09.07 08:17 6.2.1 Select Page (Card Command) 31 6.2.2 Load Key 33 6.2.3 GetKeySlotInfo (Reader Command) 35 6.2.4 Authenticate (Card Command) 36 6.2.5 Read (Card Command) 37 6.2.6 Update (Card Command) 38 6.3 Communication in Standard Mode 39 7 Secured Communication with the iCLASS Card 40 7.1 Multi-Step Approach to a Secure Card Reader System 40 7.1.1 Authenticity Between Host and Reader 40 7.1.2 Confidentiality of USB Data Exchange 40 7.1.3 Integrity of Transmitted Data 40 7.1.4 Authenticity Between Reader and Card 40 7.1.5 Integrity of the Radio Frequency (RF) Transmission 41 7.1.6 Confidentiality of the RF Transmission 41 7.1.7 Authentication of the Host for Read/Write Session 41 7.1.8 Protection Against Known Attacks 41 7.2 APDU Structure for Secured Communication 42 7.2.1 Data Header (DH) 43 7.2.2 Signature Generation 43 7.2.3 Session Key Generation 43 7.2.4 Example: Proprietary Datagram Exchange between Host and Reader 44 7.3 Instructions (INS) for Secured Communication 45 7.3.1 Manage Session (Reader Command) 46 7.3.2 Select Page (Card Command) 46 7.3.3 Load Key (Reader Command) 46 7.3.4 Authenticate (Card Command) 46 7.3.5 Read (Card Command) 47 7.3.6 Update (Card Command) 47 7.3.7 GetKeySlotInfo (Reader Command) 47 7.3.8 Update Card Key 47 7.4 Communication at Secured Mode 49 7.5 Example APDUs for a Session at Secured Mode 50 Appendix A Application Programming 53 A1 Sample Project 53 A1.1 Overview 53 A1.2 Reader Related Functions 54 A1.3 Mifare Card Related Functions Using Synchronous API 54 A1.4 PC/SC 2.01 54 A1.5 ISO 7816 - APDU 54 Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 3 of 67 Version: Printed: 1.13 18.09.07 08:17 A1.6 iCLASS Standard Mode 55 A2 Code Snippets 56 A2.1 Getting the Card UID (PC/SC 2.01) 56 A2.2 Loading a Mifare Key (PC/SC 2.01) 56 A2.3 Mifare 1K/4K Authenticate (PC/SC 2.01) 57 A2.4 Mifare 1K/4K Write (PC/SC 2.01) 57 A2.5 Mifare 1K/4K Read (PC/SC 2.01) 57 A2.6 Mifare 1K/4K Increment (OMNIKEY Proprietary API) 58 A2.7 Mifare 1K/4K Decrement (OMNIKEY Proprietary API) 58 A2.8 Mifare Emulation Mode (OMNIKEY Proprietary API) 59 A2.9 iCLASS Select Page (OMNIKEY Proprietary API) 60 Appendix B Accessing iCLASS Memory 61 B1.1 Memory Layout 61 B1.2 Assigning Space to iCLASS Application 2 62 B1.3 Read/Write Memory of iCLASS 2KS, 16KS or page 0 of iCLASS 8x2KS card 62 B1.4 Read/Write Memory of iCLASS 8x2KS Card on Pages 1 to 7 62 Appendix C 64 C1.1 Terms and Abbreviations 64 Appendix D Version History 65 D1.1 Document Changes 65 D1.2 Firmware History 66 Appendix E References 67 Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 4 of 67 Version: Printed: 1.13 18.09.07 08:17 1 Getting Started – Quick Guide to Access Contactless Cards This document is intended as a guide for software developers who want to integrate contactless memory or CPU cards using OMNIKEY CardMan 5x21 smart card readers. This chapter describes how to install the drivers necessary to operate the CardMan 5x21 in a Windows based environment. Please note that other operating systems such as Linux are also supported by the CardMan 5x21. 1.1 Driver Installation The OMNIKEY CardMan 5x21 driver is mandatory for all systems that require support for contactless smart cards. CardMan 5x21 is a CCID compliant device. This means that the contact interface can be operated without an OMNIKEY proprietary driver installed. However, for contactless cards, the OMNIKEY proprietary CardMan 5x21 driver is necessary. The following steps describe how to install the CardMan 5x21 driver: 1. First, go to www.omnikey.com. Then, select the support/download section and download the latest CardMan 5x21 driver installation package for Windows. 2. Run the installation package and follow the instructions on the screen. The installation package will extract all the necessary driver files to your hard drive. Please note the location to which the files were copied. Please note that at this time you have only extracted, not installed the driver files. 3. Connect the reader to a USB Port of your computer. 4. The “Found New Hardware Wizard” will appear. To continue driver installation, click “Next”. Note: On Windows XP systems, the Microsoft Windows CCID Class driver may be activated without showing the “Found New Hardware Wizard”. If this is the case, the Microsoft PC/SC driver` must be replaced manually with the OMNIKEY proprietary PC/SC driver. This can be done using the Device Manager. 5. In the next dialogue, choose “Search for a suitable driver for my device (recommended)” and click “Next”. Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 5 of 67 Version: Printed: 1.13 18.09.07 08:17 6. Now, choose “Specify a Location” and click “Next”. 7. Press “Browse” and go to the location where you previously installed the driver package. To continue press “OK”. 8. If the driver was found in this location press “Next” to continue. 9. If the driver is a test driver (a BETA driver that is not digitally signed), the following dialogue will appear. It can be accepted by clicking “Yes”. Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 6 of 67 Version: Printed: 1.13 18.09.07 08:17 10. The following message should appear and the green LED on the CardMan 5x21 reader should light up. If the installation was successful, the green LED on the reader will light up and the reader will be listed in the diagnostic tool as “CardMan 5x21”. Now your reader is ready for use and you can do a quick smart card system check using the OMNIKEY Diagnostic Tool described in the chapter entitled “Diagnostic Tool”. 1.1.1 Reader Name for Contact/Contactless Slot OMNIKEY CardMan 5x21 is a “dual slot” reader. This means that from the application and smart card resource manager point of view there are two readers available, each represented by its respective reader name. “OMNIKEY CardMan 5x21 n” identifies the contact slot and “CardMan 5x21-CL n” stands for the contactless slot. The “n” represents a slot number 0, 1…, etc. This allows card tracking though contact and air interface, respectively. 1.2 Diagnostic Tool The OMNIKEY Diagnostic tool is a great tool for a quick test of the smart card system. It lists all available OMNIKEY readers, driver files with version information, firmware version information, and also allows the configuration of the RFID/air interface. ‘Diagnostic Tool’ can be started from the Control Panel. Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 7 of 67 Version: Printed: 1.13 18.09.07 08:17 1.2.1 Driver Version Detection The General Tab shows if the ‘Resource Manager’ is running. Select this tab to find out more about version and manufacturer data of smart card system services, DLLs, and drivers. Diagnostic Tool, General Tab 1.2.2 OMNIKEY Proprietary API Detection The API tab shows the APIs that have been installed on your system, including the OMNIKEY Synchronous API. Diagnostic Tool, API Tab 1.2.3 Card and Reader Detection The OMNIKEY Diagnostic tool creates a separate tab for each available OMNIKEY reader interface. The tabs indicate their respective reader names - the same names you will be using within the PC/SC framework. Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 8 of 67 Version: Printed: 1.13 18.09.07 08:17 For a quick connectivity test of your contactless card, select the “OMNIKEY CardMan 5x21-CL 0” tab and place a contactless card on the reader. As soon as the card is detected, the Status field will switch from “no smart card inserted” to “smart card inserted” and the ATR field will display the card’s ATR. Please refer to the chapter about ATR for further information on how the Answer to Reset (ATR) is generated for contactless smart cards. The Diagnostic Tool has an internal flat database that allows a quick lookup of the ATR. If it is a known card, a description will be displayed in the Smart Card Name field. For contactless cards the card’s unique ID (UID) will be displayed in the Smart Card Name field and in the Protocol field T=CL will be displayed. Diagnostic Tool, Reader Tab 1.2.4 Diagnostic Tool, Reader Tab (card inserted) Card Type Detection and RFID Settings CardMan 5x21-CL supports multiple 13.56MHz contactless standards and protocols, including but not limited to, ISO14443A, ISO14443B, ISO15694, iCLASS, I-CODE. As there is no physical card switch, the only way to get information about a card in the field is by trial and error in a predefined search order. The built-in anti-collision mechanisms ensure that, once a card is detected, it is the only card the reader interface is connected with. The OMNIKEY Diagnostic tool has an RFID Settings tab that allows configuration of the card types the reader should look for and their respective search order. However, the RFID Settings tab must first be enabled by right-clicking on the title bar of the Diagnostic Tool window and then choosing View->RFID settings from the drop-down menu. Diagnostic Tool, activate RFID settings Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 9 of 67 Version: Printed: 1.13 18.09.07 08:17 Diagnostic Tool, RFID settings Tab The left window pane contains a list of all active card types. The right window pane contains a list of all available card types that are supported by the reader but are not included in the card search. Card types from the left window pane can be moved to the right window pane, and vice versa, using the and buttons. With the and buttons the search order in the active list can be changed. The setting has to be activated using the Apply button. The Reset button discards any unsaved changes. Note: The search order is forward-looking to improve system performance. This means that the last successfully detected card type automatically moves to the top of the search order, regardless of its position within the order set on the RFID settings tab. Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 10 of 67 Version: Printed: 1.13 18.09.07 08:17 1.2.5 Air Interface Baud Rate Configuration For ISO 14443 type cards the air interface transmission speed can be 106 kbps, 212 kbps, 424 kbps, or 848 kbps. By default, the contactless interface is set to 424 kbps. It can be changed to a different value through the RFID settings tab of the Diagnostic Tool. Diagnostic Tool, Baud Rate Change To change the baud rate, select the card type (ISO14443A or ISO14443B) and change the ‘Maximum Baud Rate’ field. Finalize your setting by pressing the ‘Apply’ button. Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 11 of 67 Version: Printed: 1.13 18.09.07 08:17 2 PC/SC 2.0 With the OMNIKEY CardMan 5x21 PC/SC driver, ISO14443A/B or ISO15693 compliant contactless cards can be accessed through the same framework as ISO7816 compliant contact cards. This makes card integration a snap for any developer who is already familiar with PC/SC. Even valuable PC/SC resource manager functions, such as card tracking, are available for contactless card integration. The Microsoft Developer Network (MSDN) Library contains valuable information and a complete documentation of the SCard API within the MSDN Platform SDK: “Security” section. Contactless CPU cards can be accessed directly via PC/SC. For storage cards other than Mifare cards, an additional library – the OMNIKEY synchronous API – is necessary. Whether using direct PC/SC access or the OMNIKEY synchronous API, only a small set of functions is required to write your first “hello card” program. Card can be integrated via PC/SC 2.0 compliant APDU’s OMNIKEY Synchronous API Mifare YES YES ICLASS NO YES LRI64 YES NO 2.1 How to Access Contactless Cards via PC/SC The following steps provide a guideline to create your first contactless smart card application using industry standard, PC/SC compliant API function calls. The function definitions provided below are taken verbatim from the MSDN Library [MSDNLIB]. For additional descriptions of these and other PC/SC functions provided by the Microsoft Windows PC/SC smart card components, please refer directly to the MSDNLIB. The following functions are defined in the Microsoft Platform SDK (Security section). 1. Establish Context This step will initialize the PC/SC API and allocate all resources necessary for a smart card session. The SCardEstablishContext function establishes the resource manager context (the scope) within which database operations are performed. LONG SCardEstablishContext( IN DWORD dwScope, IN LPCVOID pvReserved1, IN LPCVOID pvReserved2, OUT LPSCARDCONTEXT phContext); 2. Get Status Change Next, check the status of the reader for card insertion, removal, or availability of the reader. SCardGetStatusChange. This function blocks execution until the current availability of the cards in a specific set of readers changes. The caller supplies a list of readers to be monitored and the maximum amount of time (in milliseconds) that it is willing to wait for an action to occur on one of the listed readers. LONG SCardGetStatusChange( IN IN IN IN SCARDCONTEXT hContext, DWORD dwTimeout, OUT LPSCARD_READERSTATE rgReaderStates, DWORD cReaders); Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 12 of 67 Version: Printed: 1.13 18.09.07 08:17 3. List Readers Then, get a list of all PC/SC readers using the SCardListReaders function. Look for “OMNIKEY CardMan 5x21-CL 0” in the returned list. If multiple CardMan 5x21 readers are connected to your system, they will be enumerated. Examples: “OMNIKEY CardMan 5x21-CL 1”, “OMNIKEY CardMan 5x21-CL 2”. Always make sure to analyze the complete string. CardMan 5x21 also has a contact interface. Look for the “-CL” in the reader mane to make sure that you are really referring to the contactless interface in the following calls. LONG SCardListReaders( IN SCARDCONTEXT hContext, IN LPCTSTR mszGroups, OUT LPTSTR mszReaders, IN OUT LPDWORD pcchReaders); 4. Connect Now, you can connect to the card. The SCardConnect function establishes a connection (using a specific resource manager context) between the calling application and a smart card contained by a specific reader. If no card exists in the specified reader, an error is returned. LONG SCardConnect( IN SCARDCONTEXT hContext, IN LPCTSTR szReader, IN DWORD dwShareMode, IN DWORD dwPreferredProtocols, OUT LPSCARDHANDLE phCard, OUT LPDWORD pdwActiveProtocol); Note: For iCLASS cards use T=0 protocol (mandatory). 5. Exchange Data and Commands with the Card Next, exchange command and data via APDUs. The SCardTransmit function sends a service request to the smart card, and expects to receive data back from the card. LONG SCardTransmit( IN SCARDHANDLE hCard, IN LPCSCARD_I0_REQUEST pioSendPci, IN LPCBYTE pbSendBuffer, IN DWORD cbSendLength, IN OUT LPSCARD_IO_REQUEST pioRecvPci, OUT LPBYTE pbRecvBuffer, IN OUT LPDWORD pcbRecvLength); Note: For storage cards that are not supported by PC/SC 2.0, you need to call an OMNIKEY proprietary API function such as SCardCLICCTransmit instead. This function exposes additional functionality of the CardMan 5x21-CL reader that is not yet defined in PC/SC standards. Other than that, you are still using the standard PC/SC framework to track cards, list readers, etc. Even the smart card handle is the same. 6. Disconnect It is not absolutely necessary to disconnect the card after the completion of all transactions, but it is recommended. The SCardDisconnect function terminates a connection previously opened between the calling application and a smart card in the target reader. LONG SCardDisconnect( IN SCARDHANDLE hCard, IN DWORD dwDisposition); 7. Release This step ensures that all system resources are being released. The SCardReleaseContext function closes an established resource manager context, freeing any resources allocated under that context. LONG SCardReleaseContext( IN SCARDCONTEXT hContext); Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 13 of 67 Version: Printed: 1.13 18.09.07 08:17 2.2 ATR Generation Unlike contact cards, contactless cards don’t generate an ATR. They generate an Answer to Select (ATS) instead. To make contactless cards available within the PC/SC framework, CardMan 5x21 generates a PC/SC compliant ATR according to PC/SC v2.01 “Interoperability Specification for ICCs and Personal Computer Systems” [PCSC 2.01]. The documents can be downloaded from the PC/SC Workgroup at the following web address: http://www.pcscworkgroup.com/specifications/specdownload.php 2.2.1 CPU Cards Contactless smart cards (cards with a CPU) expose their ATS or information bytes via ATR mapping according to PCSC 2.01, Part 3: Requirements for PC-Connected Interface Devices, 3.1.3.2.3.1, Table 3.5. 2.2.2 Storage Cards The ATR of storage cards (i.e. cards without a CPU) is composed as described in PCSC 2.01, Part 3: Requirements for PC-Connected Interface Devices, 3.1.3.2.3.1, Table 3.6. In order to allow the host application to identify a storage and card type properly, its standard and card name is mapped according to the Part 3 Supplemental Document of PCSC 2.01. Note: The Registered Application Provider Identifier (RID) returned by the CardMan 5x21 for storage cards (cards without a CPU) is A0 00 00 06 0A, indicating a PC/SC compliant ATR generation. Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 14 of 67 Version: Printed: 1.13 18.09.07 08:17 3 Accessing Asynchronous Cards Asynchronous cards are cards with CPU or memory cards that are accessible via standard PC/SC using Microsoft’s library “winscard.dll”. This type of cards supports at least one of the asynchronous protocols T=0 or T=1. The Microsoft Platform SDK contains PC/SC sample code for Visual C/C++ and Visual Basic. No additional libraries or third-party software components are necessary to integrate contactless CPU cards. Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 15 of 67 Version: Printed: 1.13 18.09.07 08:17 3.1 DESFire Card According to [DESFIRE], DESFire cards can be accessed via ISO7816-4 compliant framed APDU commands (ISO7816-4 framing). 3.1.1 Example: Write Card Data via ISO 7816-4 Framed APDU Command Syntax CLA INS P1 P2 Lc File No. Offset Length Data Le ‘90’ ‘3D’ ‘00’ ‘00’ ‘xx’ ‘xx’ ‘xxxxxx’ ‘xxxxxx’ ‘xx’ … ‘xx’ ‘00’ Lc = 7+ DataLength; Le=0 (no other values accepted) Response Syntax Response Data SW1 SW2 empty ‘xx’ ‘xx’ Status Codes 3.1.2 SW1 SW2 Description '90' '00' success '91’ 'xx error (refer to DESFire data sheet) Example: Read Card Data via ISO 7816-4 Framed APDU Command Syntax CLA INS P1 P2 Lc File No. Offset Length Data Le ‘90’ ‘3D’ ‘00’ ‘00’ ‘07’ ‘xx’ ‘xxxxxx’ ‘LLLLLL’ empty ‘00’ Le=0 (no other values accepted) Response Syntax Response Data SW1 SW2 ‘xx’ ... ‘xx’ (‘LLLLLL’ bytes) ‘xx’ ‘xx’ Status Codes SW1 SW2 Description '90' '00' success '91’ 'xx error (refer to DESFire data sheet) Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 16 of 67 Version: Printed: 1.13 18.09.07 08:17 4 Accessing Synchronous Cards (Storage Cards) OMNIKEY provides two ways to integrate contactless storage cards. They can either be accessed through OMNIKEY’s proprietary synchronous API library, or, for cards such as Mifare cards, directly via PC/SC 2.0 compliant function calls. Storage cards that are not supported directly through PC/SC 2.0 compliant APDU exchanges, can only be accessed via OMNIKEY proprietary synchronous API. The synchronous API for Windows systems resides in a DLL named “scardsyn.dll”. It can be downloaded from OMNIKEY’s website. The download also contains sample code for Mifare and iCLASS cards. For further information about this API, refer to the help file “cmsync.hlp” available in the c:\omnikey\hlp folder after installation of the synchronous API with default settings. The OMNIKEY Synchronous API is typically used whenever a card has not yet found its way into the PC/SC 2.0 standard. Currently, only Mifare cards can be integrated via PC/SC 2.0 compliant APDU. Card can be integrated via PC/SC 2.0 compliant APDUs OMNIKEY Synchronous API Mifare Yes Yes iCLASS No Yes No special drivers are required for a PC/SC 2.0 compliant card integration on Windows or Linux. OMNIKEY’s latest drivers provide seamless cross-platform support allowing industry standardcompliant contactless card integration. 4.1 Mifare Card CardMan 5x21 supports Mifare 1K, Mifare 4K and Mifare Ultra Light cards. The following functions are supported via PC/SC: GetUID LoadKey Authenticate Implemented according to [PCSC 2.01] Verify Update Binary Read Binary Increment OMNIKEY proprietary extension of PC/SC Decrement OMNIKEY proprietary extension of PC/SC Mifare Emulation Mode OMNIKEY proprietary extension of PC/SC CM_IOCTL_SET_RFID_CONTROL_FLAGS Please refer to the [PCSC 2.01] and [MIFARE] for documentation of PC/SC 2.0 compliant Mifare card access. The following section only describes usage of functions that are not already documented in [PCSC 2.01]. They are part of an OMNIKEY proprietary extension of PC/SC. Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 17 of 67 Version: Printed: 1.13 18.09.07 08:17 4.1.1 Mifare Increment (Card Command) This command will increment the value of a block, if the card and block support this functionality: Command Syntax CLA ‘FF’ INS ‘D4’ P1 MSB of block address P2 LSB of block address LC 1 Data Field One byte value indicating block increment Le empty Response Syntax Data Field Empty SW1 SW2 status word as described below ‘90’ ‘00’ Success '65' ‘81’ memory failure (unsuccessful increment) ‘69’ ‘81’ incompatible command ‘69’ ‘82’ security status not satisfied ‘69’ ‘86’ command not allowed ‘6A’ ‘81’ function not supported ‘6A’ ‘82’ invalid block address Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 18 of 67 Version: Printed: 1.13 18.09.07 08:17 4.1.2 Mifare Decrement (Card Command) This command will decrement the value of a block, if the card and block support this functionality: Command Syntax CLA ‘FF’ INS ‘D8’ P1 MSB of block address P2 LSB of block address LC 1 Data Field one byte value indicating block decrement Le Empty Response Syntax Data Field Empty SW1 SW2 status word as described below ‘90’ ‘00’ Success '65' ‘81’ memory failure (unsuccessful decrement) ‘69’ ‘81’ incompatible command ‘69’ ‘82’ security status not satisfied ‘69’ ‘86’ command not allowed ‘6A’ ‘81’ function not supported ‘6A’ ‘82’ invalid block address Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 19 of 67 Version: Printed: 1.13 18.09.07 08:17 4.1.3 Mifare Emulation Mode By default, the CardMan 5x21 driver exposes standard Mifare storage cards through a PC/SC 2.01 compliant interface. This driver-level Mifare emulation mode makes standard Mifare cards available via standard APDUs even though the card itself does not support any asynchronous protocols supported directly by native PC/SC components. For dual-interface cards things work a little different. Their CPU supports communication via ISO14443A part 4 (T=CL) allowing on-card Mifare emulation rather than host-side Mifare emulation. This means that CardMan 5x21’s default mode (i.e. host-side Mifare emulation) must be disabled to support the on-card Mifare emulation of such dial-interface card. There are two ways to switch between host-side and card-side Mifare emulation: via registry keys or via IO controls using the PC/SC function ScardControl() as described in Appendix A2.8 Mifare Emulation Mode (OMNIKEY Proprietary API). The following registry keys let you switch between OMNIKEY Mifare emulation mode (default) and oncard Mifare emulation. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CardMan\RFID ControlFlags=0x00000004 OMNIKEY’s host-side Mifare emulation ON default ControlFlags=0x00000000 OMNIKEY’s host-side Mifare emulation OFF T=CL, for on-card Mifare emulation Notes: - The CardMan 5x21 driver needs to be (re)started after changing the registry keys (disconnect and reconnect the reader). 4.1.4 Mifare Application Directory (MAD) To access the Mifare Application Directory (MAD), two commands are necessary – Authenticate and Read. The following steps describe how a MAD can be retrieved from a Mifare card: 1. 2. 3. 4. Authenticate block 3 with the Public key ‘A0A1A2A3A4A5’ and authentication mode A. Read Block 3. Read Block 2. Read Block 1. Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 20 of 67 Version: Printed: 1.13 18.09.07 08:17 4.2 iCLASS Card HID iCLASS cards can only be accessed through OMNIKEY’s proprietary “scardsyn” API. This synchronous API contains a function that is dedicated to accessing contactless cards using the standard PC/SC card handle. OMNIKEY CardMan 5x21-CL exposes all iClass functions necessary to access any of the application areas on an iClass card. Two modes of communication between the card and the application are supported: • Standard mode communication • Secured mode communication (OMNIKEY proprietary mode) Note: OMNIKEY CardMan 5x21 does not allow WRITE access to the HID application (1st application on page 0). For READ access to the HID application, secured communication (available for firmware version 5.00 and greater) is mandatory. 4.2.1 Card Access via SCardCLICCTransmit SCardCLICCTransmit is the OMNIKEY proprietary function to access HID iCLASS cards via the OMNIKEY synchronous API. It supports both, standard and secure communication modes and is defined as follows: OKERR ENTRY SCardCLICCTransmit ( IN IN IN IN IN SCARDHANDLE PUCHAR ULONG OUT PUCHAR OUT PULONG ulHandleCard, pucSendData, ulSendDataBufLen, pucReceivedData, pulReceivedDataBufLen ); Parameter Description ulHandleCard handle to the card, provided from the PC/SC "smart card resource manager" after connecting to the card with SCardConnect pucSendData buffer for data sent to the reader/card, typically a command APDU ulSendDataBufLen length of the data to be sent pucReceivedData buffer for data received from reader/card, typically data and status pulReceivedDataBufLen before the call: length (in bytes) of the receive buffer after the call: number of bytes actually received Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 21 of 67 Version: Printed: 1.13 18.09.07 08:17 Command Syntax CLA INS P1 P2 Lc Input Data or Datagram*** Le ‘8x’ ‘xx’ ‘xx’ ‘xx’ ‘xx’ ‘xx’ ... ‘xx’ (Lc bytes) ‘xx’ Response Syntax Response Data or Datagram*** SW1 SW2 ‘xx’ .. ‘xx’ (Le or max bytes) ‘xx’ ‘xx’ Status Codes SW1 SW2 Description '90' '00' success '64' '00' card execution error '67' '00' wrong length '68' '00' invalid class (CLA) byte '69' '82' security status not satisfied. This can include wrong data structure, wrong keys, incorrect padding. '6A' '81' invalid instruction (INS) byte '6B' '00' wrong parameter P1 or P2 The error codes defined in the table above are valid for all the commands. Command specific error codes are documented with their respective command documentation. Note: Error code ‘6982’ “security status not satisfied”, received during any secured communication, blocks any further commands and requires that the card be removed and re-inserted to reactivate communication with the card. Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 22 of 67 Version: Printed: 1.13 18.09.07 08:17 4.3 ST LRI64 Support (PC/SC 2.0 add-on) ST Microelectronics’ LRI64 is a memory tag IC with 64-bit Unique ID (UID) and WORM user area. The following table lists PC/SC 2.01 compliant functions that are available for LRI64 based storage cards. Get UID Update Binary implemented according to [PCSC 2.01] Read Binary This ISO15693 compliant IC is not accessible with standard standard driver settings. It requires the following registry key setting: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CardMan\RFID] "ControlFlags"=dword:00000010 Please refer to the [PCSC 2.01] and [LRI64] for documentation of PC/SC 2.0 compliant LRI64 card access. The following section only describes usage of functions that are not already documented in [PCSC 2.01]. 4.3.1 Update Binary UpdateBinary requires block numbers within the WORM memory area (Write-Once Read-Many). Examples: Write ‘121314’ to block ‘0D’ (decimal 12): Command APDU: ‘FFD6000D03121314’ Response APDU : ‘9000’ Attempt to write ‘101112 to block ‘0A’ (10 decimal): Command APDU: ‘FFD6000A03101112’ Response APDU : ‘6282’ For blocks 10 and 11 this works out fine, however, because we previously wrote to block 12, the card responds with ‘6282’ “End of file reached before writing Lc bytes”. After the first write access to block 12 only read operations are supported. The following APDU attempts to write to block 7: Command APDU: ‘FFD6000701FF’ Response APDU : ‘6581’ The card responds with ‘6581’ “Memory failure (unsuccessful writing)” because this is a UID byte - write access to the UID area is always locked. 4.3.2 Read Binary The ReadBinary command is available for all blocks of the LRI64 chip. Examples: Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 23 of 67 Version: Printed: 1.13 18.09.07 08:17 Reading all 15 blocks from 0 to 14 Command APDU: ‘FFB0000000’ Response APDE : ‘xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx9000’ Attempt to read 16 blocks Command APDU: ‘FFB0000010’ Response APDE : ‘xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx6282’ The response is ‘6282’ or “End of file reached before reading expected number of bytes”. Even though the warning ‘6282’ is returned, all bytes from block 0 up to block 14 are read correctly. Read blocks 10 and 11 (2 bytes) Command APDU: ‘FFB0000A02’ Response APDE : ‘xxxx9000’ Attempt to read an invalid block number: Command APDU: ‘FFB0000F01’ Response APDE : ‘6A82’ The response is the error code ‘6A82’ because block number 15 does not exists. Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 24 of 67 Version: Printed: 1.13 18.09.07 08:17 5 CardMan 5x21-CL Keys OMNIKEY CardMan 5x21-CL has a set of built-in cryptographic keys, some of which are implemented in volatile memory others in non-volatile memory. 5.1 Key Numbering Scheme Cryptographic keys are referenced by a unique key number between 0x00 and 0xFE. Each key number refers to a key of pre-defined length for a specific card type. For cards such as Mifare and iCLASS, multiple key numbers are reserved. The OMNIKEY key number is used to determine key usage, key length, and to map the reader key to the third party card key. Examples: CardMan Key number ‘0A’ refers to the 6 byte Mifare key 10, KMIF10 CardMan Key number ‘24’ refers to the 8 byte iCLASS Default key for application 1 on page 1 Refer to [MIFARE] and [ICLASS] for detailed documentation of these third-party keys and contact your card manufacturer in case you need information about any key values. Keys Numbers and Key Names Key Number Key Name Key Length Key Type Memory Type 6-byte (Mifare) keys ‘00’ to ‘1F’ KMIF0 (Mifare Key 0) to KMIF31 (Mifare Key 31) 6 bytes Card Key Nonvolatile memory 8-byte (iClass) keys ‘20’ KIAMC (Any Inside Application Master key) 8 bytes Card Key Nonvolatile memory ‘21’ KMDC HID Master Key (KMD0, Kd for application 1 of page 0 on Book 0 of iCLASS card) 8 bytes Card Key Nonvolatile memory ‘22’ RFU (previously used for HID Master Key KMDO) 8 bytes Card Key Nonvolatile memory ‘23’ KMC0 (Default Master Key for application 2 of page 0 of iCLASS card) 8 bytes Card Key Nonvolatile memory ‘24’ KMD1 (Default Master Key for application 1 of page 1 of iCLASS card) 8 bytes Card Key Nonvolatile memory ‘25’ KMC1 (Default Master Key for application 2 of page 1 of iCLASS card) 8 bytes Card Key Nonvolatile memory ‘26’ KMD2 (Default Master Key for application 1 of page 2 of iCLASS card) 8 bytes Card Key Nonvolatile memory Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 25 of 67 Version: Printed: 1.13 18.09.07 08:17 ‘27’ KMC2 (Default Master Key for application 2 of page 2 of iCLASS card) 8 bytes Card Key Nonvolatile memory ‘28’ KMD3 (Default Master Key for application 1 of page 3 of iCLASS card) 8 bytes Card Key Nonvolatile memory ‘29’ KMC3 (Default Master Key for application 2 of page 3 of iCLASS card) 8 bytes Card Key Nonvolatile memory ‘2A’ KMD4 (Default Master Key for application 1 of page 4 of iCLASS card) 8 bytes Card Key Nonvolatile memory ‘2B’ KMC4 (Default Master Key for application 2) of page 4 of iCLASS card 8 bytes Card Key Nonvolatile memory ‘2C’ KMD5 (Default Master Key for application 1 of page 5 of iCLASS card) 8 bytes Card Key Nonvolatile memory ‘2D’ KMC5 (Default Master Key for application 2 of page 5 of iCLASS card) 8 bytes Card Key Nonvolatile memory ‘2E’ KMD6 (Default Master Key for application 1 of page 6 of iCLASS card) 8 bytes Card Key Nonvolatile memory ‘2F’ KMC6 (Default Master Key for application 2 of page 6 of iCLASS card) 8 bytes Card Key Nonvolatile memory ‘30’ KMD7 (Default Master Key for application 1 of page 7 of iCLASS card) 8 bytes Card Key Nonvolatile memory ‘31’ KMC7 (Default Master Key for application 2 of page 7 of iCLASS card) 8 bytes Card Key Nonvolatile memory ‘32’ KMTD (Master Transport Key for application 1 of iCLASS card, key stored at chip production) 8 bytes Card Key Non volatile memory ‘33’ KMTC (Master Transport Key for application 1 of iCLASS card, key stored at chip production)) 8 bytes Card Key Nonvolatile memory ‘34’ KMD0B1 (Default Master Key for application 1 of page 0 on Book 1 of iCLASS card) 8 bytes Card Key Nonvolatile memory ‘35’..’7f’ RFU 16-byte keys ‘80’ KCUR (Custom read key) 16 bytes Reader Key Nonvolatile memory ‘81’ KCUW (Custom write Key) 16 bytes Reader Key Nonvolatile memory Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 26 of 67 Version: Printed: 1.13 18.09.07 08:17 KENC (Card data encryption key) ‘82’ 16 bytes Card Key Nonvolatile memory Card Key Volatile memory 24- byte keys ‘B0’..’CF’ RFU 32-byte keys ‘D0’..’DF’ RFU 0xF0 to 0xFF are volatile keys 0xF0 KVAK (volatile application key) ‘F1’...‘FF’ RFU 8 bytes Note: CardMan 5x21 firmware version 5.00 is the first to support all keys listed above. Readers with firmware version 1.03 and 1.04 only support key numbers 0x20 and 0xF0. Key number 0x21 to Key number 0x31 (except 0x22) are the default keys for iCLASS cards. Key number 0x32 and 0x33 are the default transport keys for Inside cards. Keys 0x21 and 0x22 are stored in the reader. The remaining non-volatile keys 0x23 to 0x33 are stored in the registry. Key 0x21 can’t be updated. Updates of key 0x22 are RFU and currently not supported. 5.2 Key Container and Key Slots The CardMan 5x21-CL key container is organized in fixed-length key slots. These key slots allow easy usage of cryptographic keys. It is thus not necessary that the host application knows anything about the physical storage location. Keys can be loaded into a key container just by referring to a key slot and a key number. Key access and usage are managed by the reader firmware. For security purposes, keys can only be used and updated, but they can never be read. As an additional security measure, keys are diversified with two 16-byte secret keys before being committed to a key container. Key slot properties are available for advanced users. This feature is designed to ensure proper use of a single key in case there are more keys than key slots. Key Container of CardMan 5x21-CL Reader Key Slot (KS) Number KS Length Default Stored Key Name Default Stored Key Number ‘00’ 12 KMIF0 ’00’ …. 12 ------- ---- ‘1F’ 12 KMIF31 ’1F’ ‘20’ 16 KCUR ’80’ ’21’ 16 KCUW ’81’ ’22’ 16 KENC ’82’ ’23’ 08 KIAMC ’20’ '24’ 08 KMDO ’22’ Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 27 of 67 Remarks No key slot information is available for these key slots. Retrieving information will return SW1SW2 “6300”. Key slot information is available. Version: Printed: 1.13 18.09.07 08:17 5.3 ’25’ 08 KMDC ’21’ ’26’ 08 KVAK ’F0’ ’27’ 08 KMC0 ’23’ ’28’ 08 KMD1 ’24’ ’29’ 08 KMC1 ’25’ ’2A’ 08 KMD2 ’26’ ’2B’ 08 KMC2 ’27’ ’2C’ 08 KMD3 ’28’ ’2D’ 08 KMC3 ’29’ ’2E’ 08 KMD4 ’2A’ ’2F’ 08 KMC4 ’2B’ ’30’ 08 KMD5 ’2C’ ’31’ 08 KMC5 ’2D’ ’32’ 08 KMD6 ’2E’ ’33’ 08 KMC6 ’2F’ ’34’ 08 KMD7 ’30’ ’35’ 08 KMC7 ’31’ ’36’ 08 KMTD ’32 ’37’ 08 KMTC ’33’ ’38’ 08 KMD0B1 ’34’ No key slot information is available for these key slots. Retrieving information will return SW1SW2 “6300”. Key slot information is available. Key Update Rules The following table lists update rules for keys being used by the reader system. Key updates relate to keys residing in the OMNIKEY reader. Those keys are used for authentication of the reader to the card or to encrypt data written to the card. Key Name KMIF0 Key Number Key Update Rule ’00’ to ‘1F’ Always 6-byte Mifare keys can be loaded/updated by using the SCardCLWriteMifareKeyToReader function of synchronous API. A key sent to reader may be plain or 3DES encrypted with the KCUR or KCUW ‘20’ Standard Mode: - Always 8-byte iCLASS key to authenticate any iCLASS application. The default value for this key is the Inside contactless card transport key Kd0 (authenticates to application 1 on page 0). to KMIF31 KIAMC Description Secured Mode: - Read session - Write session Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 28 of 67 Version: Printed: 1.13 18.09.07 08:17 KMDC ’21’ Never Authenticates the reader to the HID application of an iCLASS card for read access. This authentication requires secure mode operation. Write access to the HID application is not allowed. KMDO ’22’ Never RFU KCUR ’80’ Secured mode: - read session - write session Authenticates the reader to establish a secured session. Grants the application read access. This key can also be used to encrypt the Mifare key in SCardCLWriteMifareKeyToReader function. KCUW ’81’ Secured mode: - read session Authenticates the reader to establish a secured session. Grants the application read-only access. This key can also be used to encrypt the Mifare key in SCardCLWriteMifareKeyToReader function. KENC ’82’ Secured mode: - read session - write session Encrypts data written to the card or decrypts data read from the card. Requires read/update INS bits to be set accordingly. If INS bits are set for DES, the first 8 bytes of KENC are used. For 3-DES operations, all 16 bytes are used. KVAK ’F0’ Standard Mode: - Always Authenticates any application on the iCLASS card. The sequence is as follows: Secured Mode: - Read session - Write session KMC0 to Load KVAK with the 8-byte value, Authenticate with KVAK ……………………………………………………………… Load KVAK with new 8-byte value, Authenticate with KVAK. ’23‘ to ’31’ and ‘34’ Never iCLASS default keys for free memory zones. May be used to authenticate to any non-HID application on an iCLASS card. This allows quick evaluation of iCLASS cards without knowledge of the default keys. ’32’ Never iCLASS transport keys set by the card manufacturer. KMC7 KMD1 to KMD7, and KMD0B1 KMTD KMTC, ’33’ Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 29 of 67 Version: Printed: 1.13 18.09.07 08:17 6 Standard Communication with iCLASS Card Standard communication means that there is no authentication of the host application (i.e. Windows program) to the CardMan 5x21-CL. Unless the card itself has a built-in mechanisms for confidential communication, the channel between host and reader is unprotected, exposing the connecting USB cable to eavesdropping. 6.1 APDU Structure for Standard Communication iCLASS cards are supported via ISO7816 compliant APDU exchange. Command and response APDUs are exchanged through the OMNIKEY proprietary API function SCardCLICCTransmit residing in the OMNIKEY synchronous API. Command APDU (via pucSendData) CLA INS P1 P2 Lc Data in Le ‘80’ ‘xx’ ‘xx’ ‘xx’ ‘xx’ ‘xx’ … ‘xx’ ‘xx’ Response APDU (via pucReceivedData) 6.2 Data out SW2 SW1 ‘xx’ … ‘xx’ ‘xx’ ‘xx’ Commands Available in Standard Communication Mode Card commands are referred to by their respective instruction (INS) byte as part of a command APDU sent by SCardCLICCTransmit. The following table lists all INS values supported by the OMNIKEY CardMan 5x21-CL reader in standard communication mode. Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 30 of 67 Version: Printed: 1.13 18.09.07 08:17 List of Supported INS bytes (APDU Commend Set) Instruction (INS) 6.2.1 Description Command Type ‘82’ Load Key reader command ‘C4’ GetKeySlotInfo reader command ‘A6’ Select Page card command ‘88’ Authenticate card command ‘B0’ Read card command ‘D6’ Update card command Select Page (Card Command) iCLASS comes with various card configurations. Every iCLASS card has at least one page (page 0). Cards such as the iCLASS 2x8KS, provide additional pages 1 to 7. In addition to pages, iCLASS cards also have books. To select a certain memory block on an iCLASS card, you need to know its book number, page number, and block number. It is necessary to select the appropriate page and book before any authentication to an iCLASS card application for read/write access can be performed. In the context of iCLASS cards, an application area and memory area are synonymous. Currently, only cards with more than 16 kbit of total memory capacity have an additional book. The following section describes parameters of the Select Page command. Command Syntax CLA ‘80’ INS ‘A6’ P1 ‘00’: Select the only page of iCLASS 2KS or single page of 16KS ’01’: Select page of multi-page iCLASS 16KS (8x2KS) or 32KS P2 Specifies whether data is requested from the card ’00’: no data requested ’04’: request for 8-byte card serial number ’08’: request for 8-byte configuration block data ’0C’: request for 8-byte application issuer data LC for P1=’00’: standard mode: empty; secured mode: ‘00’ for P1=’01’: ‘01’ Data Field for P1=’00’: empty for P1=’01’: book number and page number according to format below Le for P2=’00’: empty for P2>’00’: ’00’ or ‘08’ Data Field Format for Page Number & Book Selection b7 b6 b5 0 0 0 b4 b3 Book number 0: for 1st book 1: for 2nd book on iCLASS 32KS 0 b2 b1 b0 Page number 0-7 Examples for Page Selection: Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 31 of 67 Version: Printed: 1.13 18.09.07 08:17 Data Field Description ‘03’ select page 3 of an iCLASS 8x2KS card ‘03’ select page 3 of book 0 of an iCLASS 32KS (book 0: 8x2KS) card ‘13’ select page 3 of book 1 of an iCLASS 32KS (book 1: 8x2KS) card ‘10’ select book 1 (16KS) of an iCLASS 32KS ‘00’ select book 0 (16KS) of an iCLASS 32KS Response Syntax Data Field empty or 8 byte card response, in case of a previous request for such data SW1 SW2 status word as described below ‘90’ ‘00’ Success ‘62’ ‘83’ requested page number does not exist ‘6C’ ‘xx’ wrong length Le. xx returns the number of data available Please refer to 4.2.1-Card Access via SCardCLICCTransmit for additional status words common to all iCLASS access functions. Note: If the application resides on page 0 of an 8x2KS iCLASS card or on the single page of an iCLASS 16KS or iCLASS 2KS card, the Select Page command is not necessary. It can still be helpful to call Select Page anyway, in case you need to retrieve the card serial number, configuration block, or application issuer data. Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 32 of 67 Version: Printed: 1.13 18.09.07 08:17 6.2.2 Load Key Load Key command loads an iCLASS card key and stores it in reader memory, thus preparing the reader for subsequent card authentication commands. CardMan 5x21 can only store one such key at a time. Command Syntax CLA ‘80’: standard mode operation ’84’: secured mode operation INS ‘82’ P1 ‘xx’ specifies key location according to byte format below P2 ‘xx’ key number (see Key Numbering Scheme) LC ‘08’ Data Field 8 byte key Le Empty P1 - Format for Key Location b7 b6 b5 b4 b3 b2 b1 b0 x Description 0: card key 1: reader key x 0: plain transmission 1: secured transmission (not available) x 0: key loaded in volatile memory 1: key loaded in non-volatile memory. x 0: RFU (non-zero value returns error) 0 0 0 0 b0..b3 must be set to 0 Note: A key in volatile memory only needs to be loaded once during any given card session. Unless you need to authenticate to any additional application with a different key, you can use the stored key throughout the session for more than just one authentication. Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 33 of 67 Version: Printed: 1.13 18.09.07 08:17 Response Syntax Data Field empty SW1 SW2 status word as described below ‘90’ ‘00’ success ‘63’ ‘00’ no further information given (warning) ‘63’ ‘81’ loading/updating is not allowed ‘63’ ‘82’ card key not supported ‘63’ ‘83’ reader key not supported ‘63’ ‘84’ plaintext transmission not supported ‘63’ ‘85’ secured transmission not supported ‘63’ ‘86’ volatile memory is not available ‘63’ ‘87’ non-volatile memory is not available ‘63’ ‘88’ key number not valid ‘63’ ‘89’ key length is not correct Please refer to 4.2.1-Card Access via SCardCLICCTransmit for additional status words common to all iCLASS access functions. Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 34 of 67 Version: Printed: 1.13 18.09.07 08:17 6.2.3 GetKeySlotInfo (Reader Command) The GetKeySlotInfo reader command provides access to key slot status information. OMNIKEY CardMan 5x21-CL provides a set of predefined key slots in the key container. Key slots can easily be loaded with keys by referring to the key number (i.e. key reference) rather than loading the actual 8 byte key by value. The slot for key storage is automatically determined by the reader system. Command Syntax CLA ‘80’: standard mode operation ’84’: secured mode operation INS ‘C4’ P1 ‘00’ P2 ‘xx’ key slot number (see chapter 5.2 Key Container and Key Slots) LC standard mode: empty; secured mode: ‘00’ Data Field 8 byte key Le ‘00’ or ‘02’ Response Syntax Data Field 2 byte key information see “Key Information” and “Key Access Option” below SW1 SW2 status word as described below ‘90’ ‘00’ success ‘63’ ‘00’ no further information given (warning) ‘63’ ‘01’ key slot does not contain valid key or empty key slot ‘62’ ‘83’ requested key slot does not exist ‘6C’ ‘xx’ more data available than requested; xx returns available data size Please refer to 4.2.1-Card Access via SCardCLICCTransmit for additional status words common to all iCLASS access functions. Key Information (contained in Data Field) b15 b14 B13 b12 RFU b11 b10 b9 b8 b7 Key Access Option b6 b5 b4 b3 b2 b1 b0 key number according to 5.1-Key Numbering Scheme ’FF’ means “empty key slot” Key Access Option (contained in b9,b8 of Data Field) b9 B8 Key Access Option 0 0 key can be loaded for any plaintext and secured transmission. 0 1 key can only be loaded in OMNIKEY proprietary secured mode 1 0 key can never be loaded 1 1 RFU Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 35 of 67 Version: Printed: 1.13 18.09.07 08:17 6.2.4 Authenticate (Card Command) The Authenticate command authenticates the reader system to the card application of the selected page. For iCLASS authentication, this command requires previous page selection. Command Syntax CLA ‘80’: standard mode operation ’84’: secured mode operation INS ‘88’ P1 ‘xx’ key type: ’00’: Inside Contactless or iCLASS debit key Kd (i.e. application 1) ’01’: Inside Contactless or iCLASS credit key Kc (i.e. application 2) ’60’: Mifare Key A ’61’: Mifare Key B ’FF’: key type unknown or not necessary all other values: RFU P2 ‘xx’ key number (see chapter 5.1-Key Numbering Scheme ) LC length of address iCLASS: standard mode: empty; secured mode: ‘00’ other cards: ‘01’ or ‘02’ (max 2 address bytes supported) Data Field iCLASS: empty other cards: one or two byte address Le empty Response Syntax Data Field empty SW1 SW2 status word as described below ‘90’ ‘00’ success ‘63’ ‘00’ no further information given (warning) ‘69’ ‘83’ authentication cannot be done ‘69’ ‘84’ reference key not useable ‘69’ ‘88’ key number not valid Please refer to 4.2.1-Card Access via SCardCLICCTransmit for additional status words common to all iCLASS access functions. Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 36 of 67 Version: Printed: 1.13 18.09.07 08:17 6.2.5 Read (Card Command) The Read command reads a data block from the given block address. For the iCLASS card, only eight bytes can be read at a time. For further information about available blocks refer to [HID_ICLASS]. This command requires previous page selection and, depending on the iCLASS card configuration, authentication to the iCLASS application. Command Syntax CLA ‘80’: standard mode operation ’84’: secured mode operation INS ‘B0’ P1 MSB of block number P2 LSB of block number LC standard mode: empty; secured mode: ‘00’ Data Field empty Le ‘00’ or ‘08’ ’20’: if supported by card, up to 32 bytes can be returned Response Syntax Data Field 8 byte block returned from the card (iCLASS) 32 bytes returned if card supports it SW1 SW2 status word as described below ‘90’ ‘00’ success ‘62’ ‘81’ part of returned data may be corrupted ‘62’ ‘82’ end of file reached before reading all requested bytes ‘69’ ‘81’ command incompatible ‘69’ ‘86’ command not allowed ‘6A’ ‘81’ function not supported ‘6A’ ‘82’ file not found or addressed block or byte does not exist ‘6C’ ‘xx’ more data available than requested; xx returns available data size, typically ‘08’ Please refer to 4.2.1-Card Access via SCardCLICCTransmit for additional status words common to all iCLASS access functions. Note: Reading blocks without valid authentication or trying to read data without read permission, will set all returned data to ‘FF’. Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 37 of 67 Version: Printed: 1.13 18.09.07 08:17 6.2.6 Update (Card Command) The Update command writes a data block to a given block address. For the iCLASS card, only eight bytes can be written at a time. For further information about available blocks refer to [HID_ICLASS]. This command requires previous page selection and, depending on the iCLASS card configuration, authentication to the iCLASS application. Command Syntax CLA ‘80’: standard mode operation ’84’: secured mode operation INS ‘D6’ P1 MSB of block number P2 LSB of block number LC ‘08’ (iCLASS only allows 8 bytes per call) Data Field 8 bytes to be written to card Le empty Response Syntax Data Field empty SW1 SW2 status word as described below ‘90’ ‘00’ success ‘62’ ‘82’ end of file reached before writing all Lc bytes ‘65’ ‘81’ memory failure (unsuccessful writing). ‘69’ ‘81’ command incompatible ‘69’ ‘86’ command not allowed ‘6A’ ‘81’ function not supported ‘6A’ ‘82’ file not found or addressed block or byte does not exist Please refer to 4.2.1-Card Access via SCardCLICCTransmit for additional status words common to all iCLASS access functions. Note: Trying to update without authenticating to the corresponding application will return ‘6400‘ “Card Execution Error”. Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 38 of 67 Version: Printed: 1.13 18.09.07 08:17 6.3 1 Communication in Standard Mode Establish Context 2 3 Connect Card 4 Select Page 5 Load Key 6 Authenticate Application 7 Read/Update No Same Yes Page Yes Further Read/Update Yes Same Application No No 8 Disconnect Card 9 Release Context Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 39 of 67 Version: Printed: 1.13 18.09.07 08:17 7 Secured Communication with the iCLASS Card For a desktop smart card reader, such as the OMNIKEY CardMan 5x21-CL, security mainly evolves from the following scenarios: • Authenticity between the host application and the reader • Confidentiality of data transmitted via USB cable • Integrity of transmitted data • Authenticity between the reader and the card • Confidentiality and integrity of the RF transmission • Confidentiality of data stored in cards OMNIKEY CardMan 5x21-CL reader provides an end-to-end security scheme to fulfill the security requirements listed above. Note: Secured mode communication requires reader firmware version 5.00 or greater. 7.1 Multi-Step Approach to a Secure Card Reader System 7.1.1 Authenticity Between Host and Reader Authenticity between host and reader is enforced with a mutual authentication scheme that requires a 16-byte transport key (Kcur or Kcuw) and a proprietary algorithm. Sessions can only be initiated upon successful completion of this one-step mutual authentication process. Note: This feature prevents unauthorized reader usage. Additional information about this process is available to under an NDA. 7.1.2 Confidentiality of USB Data Exchange CardMan 5x21-CL has a built-in mechanism that protects against eavesdropping and replay attacks on USB traffic. The data transmitted through a USB cable is triple DES encrypted with the Session Key (Ks). This key is generated during the mutual authentication process. It is unique for every session. Therefore, traffic recorded in one session cannot be replayed in another session. 7.1.3 Integrity of Transmitted Data Data transmitted between host and reader is digitally signed with an eight-byte Message Authentication Code (MAC) which is appended to the data. This is done to detect any inconsistencies that may occur due to erroneous or modified data. 7.1.4 Authenticity Between Reader and Card iCLASS cards allow authentication of the reader system to the card. This is done by proving knowledge of a shared secret, the iCLASS card application key KIAMC or KMDC . Applications that are protected Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 40 of 67 Version: Printed: 1.13 18.09.07 08:17 with such a key require successful reader authentication before read/write access to card data can be granted. 7.1.5 Integrity of the Radio Frequency (RF) Transmission Data integrity of an RF transmission with an iCLASS card is enforced with a two-byte checksum (based on CRC algorithm). 7.1.6 Confidentiality of the RF Transmission The CardMan 5x21-CL supports an important feature to guarantee confidentiality: it encrypts data before writing data to the card and decrypts data read from the card. Confidentiality in this context means that data can be securely transmitted between the card and the reader without an eavesdropper being able to read the data in plaintext. 7.1.7 Authentication of the Host for Read/Write Session CardMan 5x21-CL contains two keys KCUR and KCUW that are used to control access to read and write functions respectively. Initiating a reader session with KCUR makes it a read-only session thus blocking functions that write to the card. Starting a session with KCUW enables the reader for both read and write access. Note: This is part of a host-to-reader authentication mechanism, not to be confused with reader-to-card authentication enforced by the card itself. 7.1.8 Protection Against Known Attacks Replay Attacks: The data header contains a datagram that is different with every APDU exchange. The reader ensures that no frame is repeated. Plain Text Attack: For some critical commands, there is a built-in delay to prevent a plain text attack. If there is any error in the data header or signature, the session is immediately terminated. One can commence communication only again after starting a new session. OMNIKEY welcomes comments and suggestions regarding any additional features that might be implemented to prevent specific attacks to the card system. Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 41 of 67 Version: Printed: 1.13 18.09.07 08:17 7.2 APDU Structure for Secured Communication CardMan 5x21-CL provides a unique mechanism to secure the communication channel using OMNIKEY’s proprietary cryptographic envelope which protects the transmitted data from eavesdroppers. Secured communication requires additional steps to prepare data before sending it to the reader system and after receiving data from the reader. The underlying triple DES algorithm requires a block size that is a multiple of 8. Therefore, the datagram has a built-in padding scheme. Authenticity of the plaintext is enforced with an 8 byte signature. Command Syntax CLA INS P1 P2 Lc Input Datagram (sent to the reader) Le ‘84’ ‘xx’ ‘xx’ ‘xx’ ‘xx’ ‘xx ... xx” ‘xx’ Input Datagram (sent to the reader) 3-DES{KS, ( Data Header (DH) Size of INS related data LcINS INS related data (INSData) Padding Bytes (PB) ‘xxxxxxxx’ ‘xx’ ‘xx ... xx’ ’80 ... 00’ 4 bytes 1 byte LcINS bytes P bytes Signature ‘xx ... xx’ )} 8 bytes P = number of padding bytes to satisfy (4+1+ LcINS+P) is multiple of 8. Response Syntax Output Datagram (received from the reader) SW2 SW1 ‘xx ... xx’ ‘xx’ ‘xx’ Output Datagram (received from the reader) Data Header (DH) 3-DES{KS, ( Size of Card Response LcR Card Response Padding Bytes ‘xxxxxxxx’ ‘xx’ ‘xx ... xx’ ’80 ... 00’ 4 bytes 1 byte n bytes P bytes Signature (PB) ‘xx ... xx’ )} 8 bytes P = number of padding bytes to satisfy (4+1+ LcINS+P) is multiple of 8. Note: If no valid session key Ks is available due to a previous error during the ‘Start Session’ command, all datagram bytes are set to ‘00’. Therefore the host would receive ’00 ... 00’ || SW1 || SW2 as response from the reader. Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 42 of 67 Version: Printed: 1.13 18.09.07 08:17 7.2.1 Data Header (DH) Data Header Byte 0 Byte 1 Host data header (HDH) Byte 2 Byte 3 Reader data header (RDH) When the host system sends a Host Data Header (HDH) to the reader, the reader must acknowledge the HDH in its response by returning the 1’s complement of the original HDH. This allows the host to check whether it receives data originating from the correct data header. When the reader sends a Reader Data Header (RDH) to the host, the host must acknowledge the RDH in its next request by sending the 1’s complement of the preceding RDH. This allows the reader to check whether the data sent by the host follows a previous reader response. 7.2.2 Signature Generation The CardMan 5x21-CL signature generation is based on an 8-byte Message Authentication Code (MAC). The MAC value is calculated by taking the last 8 bytes of a DES CBC encypted data block consisting of DH, LcINSData, INSData, and padding bytes. Kcur or Kcuw are used as signing keys. The following steps describe how padding is applied to create a data block that can be signed using a DES CBC operation: • Append '80' to the right of the data block. • If the resulting data block length is a multiple of eight, no further padding is required. • Do zero (‘00’) padding until the data block size reaches a multiple of eight. 7.2.3 Session Key Generation The session key Ks is derived from an 8-byte random number and the MAC transmitted to the reader during Start Session. For the Start Session command, LcINSData equals 8 (length of the random number) and INSData contains the 8-byte random number. All secured communication calls following a successful session key negotiation are 3DES encrypted with Ks. Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 43 of 67 Version: Printed: 1.13 18.09.07 08:17 7.2.4 Example: Proprietary Datagram Exchange between Host and Reader Host Reader Note: This is a read-only session because KCUR was used in the start session command. If KCUW were used to start the session, both read and write operations would be allowed. The HID application is always read-only. Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 44 of 67 Version: Printed: 1.13 18.09.07 08:17 7.3 Instructions (INS) for Secured Communication Card commands are referred to by their respective instruction (INS) byte as part of a command APDU sent by SCardCLICCTransmit. CardMan 5x21-CL with firmware version 5.00 or greater supports the following secured mode instructions: List of INS bytes for Secured Communication Instruction (INS) Description Command Type ‘C4’ GetKeySlotInfo reader command ‘72’ Manage Session reader command ‘82’ Load Key reader command ‘A6’ Select Page card command ‘88’ Authenticate card command ‘B0’ Read card command ‘D6’ Update card command ‘24’ Update Card Key card command In the following sections the command structure is described. LcINS and INSData are part of the OMNIKEY proprietary structure. Notes 1- Secured mode’ and ‘Standard Mode’ use different formatting of P1, bit 7 and bit 6 of the Read/Update commands (INS 0xB0 and 0xD6 respectively). The two LSBits of P1 are used to control the encryption of data read or updated. 2- Lc must always be transmitted in secured mode. Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 45 of 67 Version: Printed: 1.13 18.09.07 08:17 7.3.1 Manage Session (Reader Command) The Manage Session command is used to either start a session or end a session. Command Syntax CLA ‘84’ INS ‘72’ P1 ‘00’: start session ’01’: end session other values: RFU P1 = ‘00’ (start session) P2 P1 = ’01’ (end session) ‘00’: start read only session ’01’: start read/write session ‘00’ Lc ‘08’: challenge size ‘00’ Data Field 8-byte random number (challenge) Le empty empty Response Syntax Data Field empty SW1 SW2 status word as described below ‘90’ ‘00’ success Please refer to 4.2.1-Card Access via SCardCLICCTransmit for additional status words common to all iCLASS access functions. Note: A session will be automatically ended if the card is removed. 7.3.2 Select Page (Card Command) Except for the CLA byte ‘84’, the syntax for Select Page in secured mode is identical to the command described in 6.2.1-Select Page (Card Command). 7.3.3 Load Key (Reader Command) Except for the CLA byte ‘84’, the syntax for Load Key in secured mode is identical to the Load Command described in 6.2.2-Load Key. 7.3.4 Authenticate (Card Command) Except for the CLA byte ‘84’, the syntax for Authenticate in secured mode is identical to the command described in 6.2.4-Authenticate (Card Command). Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 46 of 67 Version: Printed: 1.13 18.09.07 08:17 7.3.5 Read (Card Command) Except for the CLA byte ‘84’, and the additional formatting rules for P1 described below, the syntax for the Read command in secured mode is identical to the command described in 6.2.5-Read (Card Command). P1 Formatting for Secured Mode b7 b6 0 0 0 1 1 0 1 1 b5 – b0 Description Plain Block Nr. MSB DES Encryption Triple DES Encryption RFU Data needs to be decrypted with the KENC to get the plaintext data. 7.3.6 Update (Card Command) Except for the CLA byte ‘84’, and additional formatting of P1 described below, the syntax for the Update command in secured mode is identical with the command described in 6.2.6-Update (Card Command). P1 Formatting for Secured Mode b7 b6 0 0 0 1 1 0 1 1 b5 – b0 Description Plain Block Nr. MSB DES Encryption Triple DES Encryption RFU Data is encrypted with KENC before storing it on the card. 7.3.7 GetKeySlotInfo (Reader Command) Except for the CLA byte ‘84’, the syntax for 7.3.7 GetKeySlotInfo in secured mode is identical to the command described in 6.2.3-GetKeySlotInfo (Reader Command). 7.3.8 Update Card Key The Update Card Key command is used to change KC or KD. Command Syntax CLA ‘84’ INS ‘24’ P1 ‘00’: New key for KD (application 1) ’01’: New key for KC (application 2) other values: RFU P2 Key number where new key is stored. Lc ‘00’: empty Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 47 of 67 Version: Printed: 1.13 18.09.07 08:17 Data Field empty Le empty Response Syntax Data Field empty SW1 SW2 status word as described below ‘90’ ‘00’ Success '65' '81' Memory failure (unsuccessful writing) '69' '81' ‘86’ Command incompatible Command not allowed '6A' '81' Function not supported Please refer to 4.2.1-Card Access via SCardCLICCTransmit for additional status words common to all iCLASS access functions. The sequences for using UpdateCardKey command are as follows: 1. If the desired change of the key is not in page 0, the page has to be selected by a ‘Select Page’ command 2. Load transport/old key by ‘Load Key’ command 3. Authenticate the card with the old key (key number as used for ‘Load Key’in step 2) 4. Load new key by ‘Load Key’ command 5. Now send Update CardKey command with specific P2 (New Key number as loaded in step 4) Note: You can only update KD (application 1) after authentication with KD, and you can only update KC (application 2) after authentication with KC. Note: Do not write directly to address 3,4 where KC and KD are stored, this will destroy the keys. Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 48 of 67 Version: Printed: 1.13 18.09.07 08:17 7.4 1 Communication at Secured Mode Establish Context 2 3 Connect Card 4 Start Session 5 Select Page 6 Load Key 7 Authenticate Application 8 Read/Update No Yes Same Page Yes Further Read/Update Yes Same Application No No 9 End Session 10 Disconnect Card 11 Release Context Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 49 of 67 Version: Printed: 1.13 18.09.07 08:17 7.5 Example APDUs for a Session at Secured Mode KCUR = ‘A0A1A2A3A4A5A6A7A8A9AAABACADAEAF’, Read-only session Host Reader 1. Start Session CLA INS P1 P2 Lc ‘84’ ‘72’ ‘00’ ‘00’ ‘18’ OMNIKEY Proprietary Input Datagram (sent to reader) CLEAR ‘1422’ ‘9D2B’ HDH (Rnd) RDH (Rnd) ‘08’ ‘4A895F20C2D30B5E ’ ‘800000’ ‘9E5052819C5A8D3C’ Rnd8 (INSData) Padding Signature LcINS DH MAC ‘FD274CE840FA9AD139E4FC2923653A88743CB5986DB4F7A0’ OMNIKEY Proprietary Input datagram (sent to reader) ENCIPHERED Signature = DESEn {(A0A1A2A3A4A5A6A7),(14229D2B084A895F20C2D30B5E800000)} = 8A8D430D608714FE9E5052819C5A8D3C 9E5052819C5A8D3C (last eight bytes of DES encryption) Enciphered datagram = 3-DESEn{ (A0A1A2A3A4A5A6A7A8A9AAABACADAEAF), (14229D2B084A895F20C2D30B5E8000009E5052819C5A8D3C) } = FD274CE840FA9AD139E4FC2923653A88743CB5986DB4F7A0 (24 byte input datagram) SessionKey (KS) = Rnd8 + MAC = 4A895F20C2D30B5E9E5052819C5A8D3C OMNIKEY Proprietary Output Datagram (received from reader) SW1SW2 A04B84A4DE515FD8A9D40DFFE703FBF1 9000 ‘EBDD’ E00C ~HDH RDH(Rnd) 00 LcR 800000 E367401E2DA8FACB Padding DH Signature MAC 3-DESDec{(4A895F20C2D30B5E9E5052819C5A8D3C),(A04B84A4DE515FD8A9D40DFFE703FBF1) } = EBDDE00C00800000E367401E2DA8FACB Signature = DESEn{(4A895F20C2D30B5E),( EBDDE00C00800000) } = E367401E2DA8FACB Note: An open source library to accomplish all security protocols introduced in the secured communication mode is available from OMNIKEY upon request. Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 50 of 67 Version: Printed: 1.13 18.09.07 08:17 2. Authenticate HID Application CLA INS P1 P2 Lc 84 88 00 21 10 OMNIKEY Proprietary Send Datagram B3F1 1FF3 HDH (Rnd) ~RDH 00 800000 LcINS Padding B50318C9E871191A Signature DH MAC B5FD83E756CA03DE54FBEA5546E8867D Proprietary Data Signature = DESEn{(4A895F20C2D30B5E),(B3F11FF300800000)} = B50318C9E871191A Proprietary Data = 3-DESEn{(4A895F20C2D30B5E9E5052819C5A8D3C),( B3F11FF300800000B50318C9E871191A) } = B5FD83E756CA03DE54FBEA5546E8867D 4C0E OMNIKEY Proprietary Response Datagram SW1SW2 78A10C4FCC7EBC2C516354A56C4C7818 9000 7D55 ~HDH RDH(Rnd) 00 LcR 800000 D2D0B0B4E34EBDBE Padding DH Signature MAC 3-DESDec{(4A895F20C2D30B5E9E5052819C5A8D3C), (78A10C4FCC7EBC2C516354A56C4C7818) } = 4C0E7D5500800000D2D0B0B4E34EBDBE Signature = DESEn{(4A895F20C2D30B5E),( 4C0E7D5500800000) } = D2D0B0B4E34EBDBE Note: An open source library to accomplish all security protocols introduced in the secured communication mode is available from OMNIKEY upon request. Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 51 of 67 Version: Printed: 1.13 18.09.07 08:17 3. Read Block 6 CLA INS P1 P2 Lc 84 B0 00 06 10 OMNIKEY Proprietary Send Datagram 6762 HDH (Rnd) 82AA ~RDH 00 800000 LcINS Padding Le F63AB82BED09B039 08 Signature DH MAC 2FABB8F0533E742383F4FE9045142859 Proprietary Data Signature = DESEn{(4A895F20C2D30B5E),( 676282AA00800000)} = F63AB82BED09B039 Proprietary Data = 3-DESEn{(4A895F20C2D30B5E9E5052819C5A8D3C),( 676282AA00800000F63AB82BED09B039) } = 2FABB8F0533E742383F4FE9045142859 OMNIKEY Proprietary Response Datagram SW1S W2 AA401E3D849B881044FF4D847977D9070C589338C097F163 9000 989D 2A94 08 000000000000E414 ~HDH RDH(Rnd) LcR Response Data 800000 3101DDB971C922FF Padding Signature DH MAC 3-DESDec {(4A895F20C2D30B5E9E5052819C5A8D3C), (AA401E3D849B881044FF4D847977D9070C589338C097F163)} = 989D2A9408000000000000E4148000003101DDB971C922FF Signature = DESEn{(4A895F20C2D30B5E),( 989D2A9408000000000000E414800000) } = 1CDF21DCA31BABDB3101DDB971C922FF = 3101DDB971C922FF (last 8-byte block) Note: An open source library to accomplish all security protocols introduced in the secured communication mode is available from OMNIKEY upon request. Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 52 of 67 Version: Printed: 1.13 18.09.07 08:17 Appendix A A1 Application Programming Sample Project The following C++ sample project is part of the synchronous API which can be downloaded from our website at www.omnikey.com If you choose the default installation settings, sample code can be found in: c:\omnikey\samples\contactlessdemovc. Sample code for Visual Basic is also available and can be found in c:\omnikey\samples\contactlessdemovb. The sample uses the OMNIKEY synchronous API and demonstrates how to select a reader, connect to a card, and access either a Mifare or an iCLASS card. Note: Mifare cards can also be integrated via non-proprietary, PC/SC 2.0 compliant function calls. A1.1 Overview Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 53 of 67 Version: Printed: 1.13 18.09.07 08:17 Figure 1: Screenshot of Sample Program In the list box in the top-left corner of the window you can select the reader from a drop down list that contains all readers available to the smart card resource manager. When a card is inserted, the ATR, UID and Card Name is displayed. The functions in the Reader Related functions group box can be used with or without a card in the RF field. Functions available in the Mifare Functions using Sync API group can only be used when a Mifare card is in the field. The ISO 7816/iCLASS/PCSC 2.01 group allows APDU exchange with a CPU card (asynchronous card) in the field. Each processed command produces output in the output log on the bottom of the window. This log can be cleared with the Refresh Output Screen button. The return status of the last function executed is shown in the group box Last Operation Status. The Exit button closes the application. A1.2 Reader Related Functions Reader related functions don’t require a card in the field. To store a MIFare key, do the following: • Define a key number to determine the location where the key will be stored. • Select either plain or secured as the mode of transmission of the key. For secured transmissions, use transmission key number 0x80 or 0x81. • Enter the key in hex string format to the text field Mifare Key. For plain transmissions enter a 6 byte, 12 hex digit value (no spaces). For secured transmission enter an 8 byte value. • Click on the Write Mifare Key to Reader button to load the key to reader memory. A1.3 Mifare Card Related Functions Using Synchronous API Before using any of the Mifare Card Related functions authentication to the card is required. (Mifare UltraLight does not need authentication). To authenticate to a block of the card do the following: • In the field Block Nr, enter the block number of the block you want to authenticate to. • In the Access Option box choose whether a key number or a plain key will be supplied. • In the Authentication Mode box choose Mode A or Mode B. • Press the Authenticate button. Upon successful authentication, you can read and write data blocks and use the increment and decrement functions. A1.4 PC/SC 2.01 Enter an APDU according to PC/SC 2.01 to access storage cards such as Mifare cards directly without using the OMNIKEY proprietary synchronous API. A1.5 ISO 7816 - APDU Enter an APDU for your CPU (asynchronous) card and send the APDU the same way you would an ISO7816 contact card. Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 54 of 67 Version: Printed: 1.13 18.09.07 08:17 A1.6 iCLASS Standard Mode Present an iCLASS card to the reader RF field, and send APDUs directly to the card according to the chapter 6-Standard Communication with iCLASS Card. This will give you an easy-to-use way of experimenting with the available functions. Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 55 of 67 Version: Printed: 1.13 18.09.07 08:17 A2 Code Snippets This section lists some coding samples for a PC/SC 2.01 compliant implementation. A2.1 Getting the Card UID (PC/SC 2.01) The following function retrieves the Unique card ID (UID) of the card currently connected via air interface. You can use the UID as the card serial number. It is available for every ISO 14443 A/B or ISO 15693 compliant card and does not matter whether it is a CPU or storage card. This makes GetUID the ideal candidate for Hello Card type applications. If you don’t have access to application keys, the UID may serve as a valuable identifier that allows card lookup on a backend database. BOOLEAN GetUID(UCHAR *UID, int &sizeofUID) { ucByteSend[0] = 0xFF;//CLA ucByteSend[1] = 0xCA;//INS ucByteSend[2] = 0x00;//P1 ucByteSend[3] = 0x00;//P2 ucByteSend[4] = 0x00;//Le ulnByteSend = 5; printf("\nRetrieving the UID.........."); SCard_Status = SCardTransmit(hCard,SCARD_PCI_T1,ucByteSend,ulnByteSend,NULL, ucByteReceive, &dwRecvLength); if (SCard_Status != SCARD_S_SUCCESS) { printf("\nProblem in SCardTransmit, Erro rcode = 0x%04X",SCard_Status); return FALSE; } if(ucByteReceive[dwRecvLength-2] != 0x90 || ucByteReceive[dwRecvLength-1] != 0x00) { printf("\nWrong return code: %02X%02X", ucByteReceive[dwRecvLength-2],ucByteReceive[dwRecvLength-1]); return FALSE; } sizeofUID = dwRecvLength-2; memcpy(UID,ucByteReceive,sizeofUID); return TRUE; } A2.2 Loading a Mifare Key (PC/SC 2.01) The following code-snippet loads a Mifare key to the reader. The key is stored in non-volatile memory. Once loaded, it remains available throughout the reader session. BOOLEAN LoadKey(UCHAR ucKeyNr, UCHAR *ucKey, UCHAR ucKeyLength) { ucByteSend[0] = 0xFF; //CLA ucByteSend[1] = 0x82; //INS ucByteSend[2] = 0x20; //P1 card key, plain transmission, non-volatile memory ucByteSend[3] = ucKeyNr; //P2 key number for mifare could be 0x00 to 0x31) ucByteSend[4] = ucKeyLength;//Lc memcpy(ucByteSend+5,ucKey, ucKeyLength ); ulnByteSend = 5+ucKeyLength; printf("\nLoading Key to the reader.........."); SCard_Status = SCardTransmit(hCard,SCARD_PCI_T1,ucByteSend,ulnByteSend,NULL, ucByteReceive, &dwRecvLength); if (SCard_Status != SCARD_S_SUCCESS) { printf("\nProblem in SCardTransmit, Erro rcode = 0x%04X",SCard_Status); return FALSE; } if(ucByteReceive[dwRecvLength-2] != 0x90 || ucByteReceive[dwRecvLength-1] != 0x00) { printf("\nWrong return code: %02X%02X", ucByteReceive[dwRecvLength -2],ucByteReceive[dwRecvLength-1]); return FALSE; Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 56 of 67 Version: Printed: 1.13 18.09.07 08:17 } return TRUE; } A2.3 Mifare 1K/4K Authenticate (PC/SC 2.01) The following code snippet demonstrates how to authenticate to a Mifare card: BOOLEAN Authenticate(UCHAR BlockNr, UCHAR ucKeyNr, UCHAR ucKeyType) { ucByteSend[0] = 0xFF; // CLA ucByteSend[1] = 0x88; // INS ucByteSend[2] = 0x00; // P1, Mifare Block Number MSB, for mifare it is always 0x00 ucByteSend[3] = BlockNr; // Mifare Block Number LSB ucByteSend[4] = ucKeyType; // P3 ucByteSend[5] = ucKeyNr; ulnByteSend = 6; printf("\nAuthenticating .........."); SCard_Status = SCardTransmit(hCard,SCARD_PCI_T1,ucByteSend,ulnByteSend,NULL, ucByteReceive, &dwRecvLength); if (SCard_Status != SCARD_S_SUCCESS) { printf("\nProblem in SCardTransmit, Erro rcode = 0x%04X",SCard_Status); return FALSE; } if(ucByteReceive[dwRecvLength-2] != 0x90 || ucByteReceive[dwRecvLength-1] != 0x00) { printf("\nWrong return code: %02X%02X", ucByteReceive[dwRecvLength-2],ucByteReceive[dwRecvLength-1]); return FALSE; } return TRUE; } A2.4 Mifare 1K/4K Write (PC/SC 2.01) BOOLEAN UpdateBinary(UCHAR BlockNr, UCHAR *ucDataToWrite, UCHAR ucDataLenght) { ucByteSend[0] = 0xFF;//CLA ucByteSend[1] = 0xD6;//INS ucByteSend[2] = 0x00;//P1, Mifare Block Number MSB, for mifare it is always 0x00 ucByteSend[3] = BlockNr;//Mifare Block Number LSB ucByteSend[4] = ucDataLenght; memcpy(ucByteSend+5,ucDataToWrite, ucDataLenght); ulnByteSend = 5+ucDataLenght; printf("\nUpdating Block .........."); SCard_Status = SCardTransmit(hCard,SCARD_PCI_T1,ucByteSend,ulnByteSend,NULL, ucByteReceive, &dwRecvLength); if (SCard_Status != SCARD_S_SUCCESS) { printf("\nProblem in SCardTransmit, Erro rcode = 0x%04X",SCard_Status); return FALSE; } if(ucByteReceive[dwRecvLength-2] != 0x90 || ucByteReceive[dwRecvLength-1] != 0x00) { printf("\nWrong return code: %02X%02X", ucByteReceive[dwRecvLength-2],ucByteReceive[dwRecvLength-1]); return FALSE; } return TRUE; } A2.5 Mifare 1K/4K Read (PC/SC 2.01) BOOLEAN ReadBinary(UCHAR BlockNr, UCHAR *ucDataRead, UCHAR &ucDataLenght) { ucByteSend[0] = 0xFF;//CLA ucByteSend[1] = 0xB0;//INS ucByteSend[2] = 0x00;//P1, Mifare Block Number MSB, for mifare it is always 0x00 ucByteSend[3] = BlockNr;//Mifare Block Number LSB ucByteSend[4] = 0x10;//Le ulnByteSend = 5; Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 57 of 67 Version: Printed: 1.13 18.09.07 08:17 dwRecvLength = 255; printf("\nReading Block .........."); SCard_Status = SCardTransmit(hCard,SCARD_PCI_T1,ucByteSend,ulnByteSend,NULL, ucByteReceive, &dwRecvLength); if (SCard_Status != SCARD_S_SUCCESS) { printf("\nProblem in SCardTransmit, Erro rcode = 0x%04X",SCard_Status); return FALSE; } if(ucByteReceive[dwRecvLength-2] != 0x90 || ucByteReceive[dwRecvLength-1] != 0x00) { printf("\nWrong return code: %02X%02X", ucByteReceive[dwRecvLength-2],ucByteReceive[dwRecvLength-1]); return FALSE; } ucDataLenght = (unsigned char)dwRecvLength -2; memcpy(ucDataRead,ucByteReceive,ucDataLenght); return TRUE; } A2.6 Mifare 1K/4K Increment (OMNIKEY Proprietary API) BOOLEAN Increment(UCHAR BlockNr, UCHAR *ucDataTobeIncremented, UCHAR ucDataLenght) { ucByteSend[0] = 0xFF;//CLA ucByteSend[1] = 0xD4;//INS ucByteSend[2] = 0x00;//P1, Mifare Block Number MSB, for mifare it is always 0x00 ucByteSend[3] = BlockNr;//Mifare Block Number LSB ucByteSend[4] = ucDataLenght; memcpy(ucByteSend+5,ucDataTobeIncremented, ucDataLenght); ulnByteSend = 5+ucDataLenght; printf("\nIncrementing Block .........."); SCard_Status = SCardTransmit(hCard,SCARD_PCI_T1,ucByteSend,ulnByteSend,NULL, ucByteReceive, &dwRecvLength); if (SCard_Status != SCARD_S_SUCCESS) { printf("\nProblem in SCardTransmit, Erro rcode = 0x%04X",SCard_Status); return FALSE; } if(ucByteReceive[dwRecvLength-2] != 0x90 || ucByteReceive[dwRecvLength-1] != 0x00) { printf("\nWrong return code: %02X%02X", ucByteReceive[dwRecvLength-2],ucByteReceive[dwRecvLength-1]); return FALSE; } return TRUE; } A2.7 Mifare 1K/4K Decrement (OMNIKEY Proprietary API) BOOLEAN Decrement(UCHAR BlockNr, UCHAR *ucDataTobeDecremented, UCHAR ucDataLenght) { ucByteSend[0] = 0xFF;//CLA ucByteSend[1] = 0xD8;//INS ucByteSend[2] = 0x00;//P1, Mifare Block Number MSB, for mifare it is always 0x00 ucByteSend[3] = BlockNr;//Mifare Block Number LSB ucByteSend[4] = ucDataLenght; memcpy(ucByteSend+5,ucDataTobeDecremented, ucDataLenght); ulnByteSend = 5+ucDataLenght; printf("\nDecrementing Block .........."); SCard_Status = SCardTransmit(hCard,SCARD_PCI_T1,ucByteSend,ulnByteSend,NULL, ucByteReceive, &dwRecvLength); if (SCard_Status != SCARD_S_SUCCESS) { printf("\nProblem in SCardTransmit, Erro rcode = 0x%04X",SCard_Status); return FALSE; } if(ucByteReceive[dwRecvLength-2] != 0x90 || ucByteReceive[dwRecvLength-1] != 0x00) { printf("\nWrong return code: %02X%02X", ucByteReceive[dwRecvLength2],ucByteReceive[dwRecvLength-1]); return FALSE; } return TRUE; } Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 58 of 67 Version: Printed: 1.13 18.09.07 08:17 A2.8 Mifare Emulation Mode (OMNIKEY Proprietary API) With the following code-snippet the Mifare Emulation Mode can switched on and off. DWORD DWORD dwActiveProtocol; dwControlFlag; BYTE BYTE DWORD DWORD DWORD DWORD DWORD DWORD InBuffer[16]; OutBuffer[16]; dwInBufferSize ; dwOutBufferSize; dwBytesReturned; *Mask = (DWORD *)InBuffer; *Value = (DWORD *)InBuffer+1; dwControlCode = CM_IOCTL_SET_RFID_CONTROL_FLAGS; memset(InBuffer, 0x00, sizeof(InBuffer)); memset(OutBuffer, 0x00, sizeof(OutBuffer)); *Mask *Value dwInBufferSize dwOutBufferSize dwBytesReturned = = = = = 0x00000004; dwControlFlag & *Mask; 8; 0; 0; SCard_Status = SCardControl(hCard, dwControlCode, (LPCVOID)InBuffer, dwInBufferSize, (LPVOID)OutBuffer, dwOutBufferSize, &dwBytesReturned); if (SCard_Status == SCARD_S_SUCCESS) { if(dwControlFlag) sprintf(szText,"Mifare\t"); else sprintf(szText,"T=CL\t"); } else { sprintf(szText,"IO Cntrol error\r"); } // The card is disconnected after changing the Mifare emulation mode do { sReaderState.szReader = szReaderName; sReaderState.dwCurrentState = SCARD_STATE_EMPTY; sReaderState.dwEventState = SCARD_STATE_EMPTY; SCardGetStatusChange(hContext,50,&sReaderState,1); } while((sReaderState.dwEventState & SCARD_STATE_PRESENT) == 0); Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 59 of 67 Version: Printed: 1.13 18.09.07 08:17 A2.9 iCLASS Select Page (OMNIKEY Proprietary API) The following code-snippet selects page 0x01 of a 8x2KS iCLASS card and returns the card serial number: //Select page 0x02 of a 8x2KS iCLASS card UCHAR ucDataSend[7] = {0}; ULONG ulNoOfDataSend = 7; UCHAR ucReceivedData[64] = {0}; ULONG ulNoOfDataReceived = 64; ucDataSend ucDataSend ucDataSend ucDataSend ucDataSend ucDataSend ucDataSend [0] [1] [2] [3] [4] [5] [6] = = = = = = = 0x80 0xA6 0x01 0x04 0x01 0x01 0x08 //CLA, standard mode //INS //P1 //P2, return card serial number //Lc //Page number //Le SCard_Status = SCardCLICCTransmit(hCard,ucDataSend,ulNoOfDataSend, ucReceivedData,&ulNoOfDataReceived); if(SCard_Status!= SCARD_S_SUCCESS) { printf("Error in SCardCLICCTransmit, with error code %8X", SCard_Status); exit(-1); } Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 60 of 67 Version: Printed: 1.13 18.09.07 08:17 Appendix B Accessing iCLASS Memory In the following diagrams the free zones of two typical iCLASS memory layouts is shown: B1.1 Memory Layout a) Memory layout of an iCLASS 2KS, iCLASS 16KS or page 0 of an iCLASS 8x2KS card: Block Number Block Description (block size eight bytes) ‘00’ card serial number ‘01’ configuration block ’02’ e-Purse ‘03’ Kd (so-called debit key, key for application 1) ’04’ Kc (so-called credit key, key for Application 2) ’05’ application issuer area ‘06’ HID application …. ’12’ ’13’ …. Free zones in iCLASS 2KS, iCLASS 16KS or page 0 of iCLASS 8x2KS ‘1F’(2KS) ‘FF’(16KS) b) Memory layout of an iCLASS 8x2KS on pages 1 to 7: Block Size: 8 bytes ’00’ card serial number ’01’ configuration block ’02’ e-Purse ’03’ Kd (so-called debit key, key for application 1) ’04’ Kc (so-called credit key, key for Application 2) ’05’ application issuer area ’06’ …. application 1 (free zones in iCLASS 8x2KS other than page 0) ‘xx’ ‘xx’+1 …. application 2 (free zones in iCLASS 8x2KS other than page 0) ‘1F’ Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 61 of 67 Version: Printed: ‘00’ 18.09.07 08:17 B1.2 Assigning Space to iCLASS Application 2 By default, iCLASS cards have the application limit set to the last byte of its respective memory area. This means that the complete memory area is reserved for application 1 and the size of application 2 is set to zero. The application limit can be set to a different block number to support an additional application. To do this, the page’s configuration block must be overwritten as follows: 1. Select the page you want to configure. 2. Authenticate with Kd of the selected page. 3. Read 8 bytes from block 0x01 – the configuration block. 4. Replace the first byte with the block number ‘xx’ of the new application limit. 5. Leave the remaining bytes of the configuration block unchanged and write all 8 bytes back to the configuration block 0x01. 6. Remove the card. B1.3 Read/Write Memory of iCLASS 2KS, 16KS or page 0 of iCLASS 8x2KS card 1. Insert card. 2. Connect to card. 3. For secured mode: Start Session. 4. Authenticate with KMC0 , (P1 = 0x01, P2 = 0x23). If the key is not an iCLASS default key, the new key has to be loaded as KIAMC or KVAK , and in the authenticate command the key number of KIAMC or KVAK must be used. 5. Read/write any block (block number 0x13 to 0x1F for 2KS and 0xFF for 16KS). 6. For secured mode: End Session. 7. Disconnect from card. 8. Remove card. B1.4 Read/Write Memory of iCLASS 8x2KS Card on Pages 1 to 7 1. Insert card. 2. Connect to card. 3. For secured mode: Start Session. 4. Select page N (N = 1 to 7). 5. Authenticate with KMDN / KMCN (P1 = 0x00 for KMDN ,or 0x01 for KMCN , P2 = KMDN ,/ KMCN (refer to chapter 5.1Key Numbering Scheme). 6. If the key is other than iCLASS default key, the new key has to be loaded as KIAMC or KVAK , and in the authenticate command the key number of KIAMC or KVAK must be used. Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 62 of 67 Version: Printed: ’00’ 18.09.07 08:17 7. Read/write any block (block number 0x13 to 0x1F for 2KS and 0xFF for 16KS). 8. For secured mode: End Session. 9. Disconnect card. 10. Remove card. Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 63 of 67 Version: Printed: ’00’ 18.09.07 08:17 Appendix C C1.1 Terms and Abbreviations The following table lists abbreviations used throughout this document. CSNR Card Serial Number HDH Host Data Header INSData Instruction Specific Data KCUR Customer Read Key KCUW Customer Write Key KDOKM Omnikey Diversified Master Key KENC Card Data Encryption Key KIAMC Any Application Master Key KMCN Page N Application 2’s Master Key of iCLASS card KMDC HID Master Key Current KMDN Page N Application 1’s Master Key of iCLASS card KMDNB1 Page N Application 1’s on Book 1 Master Key of iCLASS card KMDO HID Master Key Old KMTD ICLASS Master Transport key for application 1 KMTC ICLASS Master Transport key for application 2 KOKM OMNIKEY Master Key KS Session Key KVAK Any Volatile Application Master Key LcINS Instruction specific data (INSData) length. LcR Card Response data length RDH Reader Data Header RSNR Reader Serial Number Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 64 of 67 Version: Printed: ’00’ 18.09.07 08:17 Appendix D Version History D1.1 Document Changes Version Author(s) Date Description 1.00 Abu Ismail Feb 08, 2005 Initial Version 1.01 Abu Ismail June 30, 2006 Reorganization, adding PC/SC 2.01 support 1.10 Marc Jacquinot Aug 18, 2006 FW 5.00, secured communication, finalized document for release 1.11 Marc Jacquinot Nov 22, 2006 Added notes: mandatory Lc in secured mode 1.12 Werner Waitz Aug 20, 2007 Add KMD0B1 (Default Master Key for application 1 of page 0 on Book 1), Mifare Emulation Mode and PC/SC 2.01 support for LRI64 1.13 Marc Jacquinot Aug 28, 2007 Minor edits, Reviewed recent changes. Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 65 of 67 Version: Printed: ’00’ 18.09.07 08:17 D1.2 Firmware History FW Version Special Feature(s) Remarks 1.00 MIF Mifare support 1.01, 1.02 MIF, MKS 1.03, 1.04 MIF, MKS, IST iCLASS memory access 5.00 MIF, MKS, IST, ISE iClass secured mode, HID application read 5.10 MIF, MKS, IST, ISE iClass secured mode, HID application read Special Feature of Synchronous Cards: MIF = MIFARE Functionalities MKS = MIFARE Key Storage MSK = MIFARE Secured Key Loading IST = iCLASS Standard Mode Communication ISE = iCLASS Secured Mode Communication Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 66 of 67 Version: Printed: ’00’ 18.09.07 08:17 Appendix E References [MIFARE] MIFARE Data Sheets http://www.semiconductors.philips.com/markets/identification/datasheets/index.html mifare [MSDNLIB] Microsoft Developer Network Library; http://msdn.microsoft.com/library/ [DESFIRE] DESFire Data Sheets http://www.semiconductors.philips.com/acrobat_download/other/identification/M075031.pdf [PCSC_2.01] PC/SC Workgroup Specifications 2.01 http://www.pcscworkgroup.com/ [PICO16KS] PICOTAG and PICOCRYPT secured 16KS data sheet from the Inside Contactless [PICO2KS] PICOTAG and PICOCRYPT secured 2KS data sheet from the Inside Contactless [ICLASSD] iCLASS card specifications from HID. [ISO7816-4] Information Technology Identification Cards Integrated Circuit(s) Cards with Contacts, Part 4: Inter-industry Commands for Interchange [LRI64] ST Microelectronics datasheet for “LRI64” Title: CardMan 5x21-CL Reader Developer’s Guide Created/Modified: 28.08.07 20:01 Page: 67 of 67 Version: Printed: ’00’ 18.09.07 08:17
Source Exif Data:
File Type : PDF File Type Extension : pdf MIME Type : application/pdf PDF Version : 1.4 Linearized : No Page Count : 67 Producer : AFPL Ghostscript 8.54 Create Date : 2007:09:18 08:17:15+02:00 Modify Date : 2007:09:18 08:17:15+02:00 Title : CardMan 5x21-CL Reader Developers Guide Creator : PDFCreator Version 0.9.2 Author : tbruendlEXIF Metadata provided by EXIF.tools