Commission Implementing Regulation (EU) 2016/799 of 18 March 2016 implementing Regulation (EU) No 165/2014 of the European Parliament and of the Council laying down the requirements for the construction, testing, installation, operation and repair of tachographs and their components (Text with EEA relevance) (c. 799)

ANNEX I CU.K.Requirements for construction, testing, installation, and inspection

Modifications etc. (not altering text)

C1Annex 1C modified (21.8.2023) by The Drivers’ Hours and Tachographs (Amendment) Regulations 2023 (S.I. 2023/739), regs. 1(1), 3, Sch.

Appendix 2

TACHOGRAPH CARDS SPECIFICATIONU.K.

3.HARDWARE AND COMMUNICATIONU.K.

3.5.Command descriptionsU.K.

3.5.11MANAGE SECURITY ENVIRONMENTU.K.

3.5.11.2Generation 2 Command — Response pairsU.K.

For the Generation 2 authentication the tachograph card supports the following MSE: Set command versions which are compliant with ISO/IEC 7816-4. These command versions are not supported for the Generation 1 authentication.

3.5.11.2.1MSE:SET AT for Chip AuthenticationU.K.

The following MSE:SET AT command is used to select the parameters for the Chip Authentication that is performed by a subsequent General Authenticate command.

TCS_108The command can be performed in the MF, DF Tachograph and DF Tachograph_G2, see also TCS_34.U.K.

TCS_109MSE:SET AT Command Message for Chip AuthenticationU.K.

Byte	Length	Value	Description
CLA	1	‘00h’
INS	1	‘22h’
P1	1	‘41h’	Set for internal authentication
P2	1	‘A4h’	Authentication
Lc	1	‘NNh’	Lc: length of subsequent data field
#6-#(5+L)	L	‘80h’ + ‘0Ah’ + ‘XX..XXh’	DER-TLV encoded cryptographic mechanism reference: Object Identifier of Chip Authentication (value only, Tag ‘06h’ is omitted). See Appendix 1 for the values of object identifiers; the byte notation shall be used. See Appendix 11 for guidance on how to select one of these object identifiers.

3.5.11.2.2MSE:SET AT for VU AuthenticationU.K.

The following MSE:SET AT command is used to select the parameters and keys for the VU Authentication that is performed by a subsequent External Authenticate command.

TCS_110The command can be performed in the MF, DF Tachograph and DF Tachograph_G2, see also TCS_34.U.K.

TCS_111MSE:SET AT Command Message for VU AuthenticationU.K.

Byte	Length	Value	Description
CLA	1	‘00h’
INS	1	‘22h’
P1	1	‘81h’	Set for external authentication
P2	1	‘A4h’	Authentication
Lc	1	‘NNh’	Lc: length of subsequent data field
#6-#(5+L)	L	‘80h’ + ‘0Ah’ + ‘XX..XXh’	DER-TLV encoded cryptographic mechanism reference: Object Identifier of VU Authentication (value only, Tag ‘06h’ is omitted). See Appendix 1 for the values of object identifiers; the byte notation shall be used. See Appendix 11 for guidance on how to select one of these object identifiers.
		‘83h’ + ‘08h’ + ‘XX..XXh’	DER-TLV encoded reference of the VU public key by the Certificate Holder Reference mentioned in its certificate.
		‘91h’ + L₉₁ + ‘XX..XXh’	DER-TLV encoded compressed representation of the ephemeral public key of the VU that will be used during Chip Authentication (see Appendix 11)

3.5.11.2.3MSE:SET DSTU.K.

The following MSE:SET DST command is used to set a public key either

for the verification of a signature that is provided in a subsequent PSO: Verify Digital Signature command or
for the signature verification of a certificate that is provided in a subsequent PSO: Verify Certificate command

TCS_112The command can be performed in the MF, DF Tachograph and DF Tachograph_G2, see also TCS_33.U.K.

TCS_113MSE:SET DST Command MessageU.K.

Byte	Length	Value	Description
CLA	1	‘00h’
INS	1	‘22h’
P1	1	‘81h’	Set for verification
P2	1	‘B6h’	Digital Signature
Lc	1	‘NNh’	Lc: length of subsequent data field
#6-#(5+L)	L	‘83h’ + ‘08h’ + ‘XX...XXh’	DER-TLV encoded reference of a public key, i.e. the Certificate Holder Reference in the certificate of the public key (see Appendix 11)

For all command versions the response message structure and status words are given by:

TCS_114Response MessageU.K.

Byte	Length	Value	Description
SW	2	‘XXXXh’	Status Words (SW1,SW2)

If the command is successful, the card returns ‘9000’. The protocol has been selected and initialised.
‘6A80’ indicates incorrect parameters in the command data field.
‘6A88’ indicates that referenced data (i.e. a referenced key) is not available.
[F1If the currentAuthenticatedTime of the card is later than the Expiration Date of the selected public key, the processing state returned is ‘ 6A88 ’ .

Textual Amendments

F1Inserted by Commission Implementing Regulation (EU) 2018/502 of 28 February 2018 amending Implementing Regulation (EU) 2016/799 laying down the requirements for the construction, testing, installation, operation and repair of tachographs and their components (Text with EEA relevance).

Note: In the case of a MSE: SET AT for VU Authentication command, the referenced key is a VU_MA public key. The card shall set the VU_MA public key for use, if available in its memory, which matches the Certificate Holder Reference (CHR) given in the command data field (the card can identify VU_MA public keys by means of the certificate's CHA field). A card shall return ‘6A 88’ to this command in case only the VU_Sign public key or no public key of the Vehicle Unit is available. See the definition of the CHA field in Appendix 11 and of data type equipmentType in Appendix 1.U.K.

Similarly, in case an MSE: SET DST command referencing an EQT (i.e. a VU or a card) is sent to a control card, according to CSM_234 the referenced key is always an EQT_Sign key that has to be used for the verification of a digital signature. According to Figure 13 in Appendix 11, the control card will always have stored the relevant EQT_Sign public key. In some cases, the control card may have stored the corresponding EQT_MA public key. The control card shall always set the EQT_Sign public key for use when it receives an MSE: SET DST command.]