For the Generation 2 authentication the tachograph card supports the following MSE: Set command versions which are compliant with ISO/IEC 7816-4. These command versions are not supported for the Generation 1 authentication.
The following MSE:SET AT command is used to select the parameters for the Chip Authentication that is performed by a subsequent General Authenticate command.
Byte | Length | Value | Description |
---|---|---|---|
CLA | 1 | ‘00h’ | |
INS | 1 | ‘22h’ | |
P1 | 1 | ‘41h’ | Set for internal authentication |
P2 | 1 | ‘A4h’ | Authentication |
Lc | 1 | ‘NNh’ | Lc: length of subsequent data field |
#6-#(5+L) | L | ‘80h’ + ‘0Ah’ + ‘XX..XXh’ | DER-TLV encoded cryptographic mechanism reference: Object Identifier of Chip Authentication (value only, Tag ‘06h’ is omitted). See Appendix 1 for the values of object identifiers; the byte notation shall be used. See Appendix 11 for guidance on how to select one of these object identifiers. |
The following MSE:SET AT command is used to select the parameters and keys for the VU Authentication that is performed by a subsequent External Authenticate command.
Byte | Length | Value | Description |
---|---|---|---|
CLA | 1 | ‘00h’ | |
INS | 1 | ‘22h’ | |
P1 | 1 | ‘81h’ | Set for external authentication |
P2 | 1 | ‘A4h’ | Authentication |
Lc | 1 | ‘NNh’ | Lc: length of subsequent data field |
#6-#(5+L) | L | ‘80h’ + ‘0Ah’ + ‘XX..XXh’ | DER-TLV encoded cryptographic mechanism reference: Object Identifier of VU Authentication (value only, Tag ‘06h’ is omitted). See Appendix 1 for the values of object identifiers; the byte notation shall be used. See Appendix 11 for guidance on how to select one of these object identifiers. |
| | ‘83h’ + ‘08h’ + ‘XX..XXh’ | DER-TLV encoded reference of the VU public key by the Certificate Holder Reference mentioned in its certificate. |
| | ‘91h’ + L91 + ‘XX..XXh’ | DER-TLV encoded compressed representation of the ephemeral public key of the VU that will be used during Chip Authentication (see Appendix 11). |
The following MSE:SET DST command is used to set a public key either
- for the verification of a signature that is provided in a subsequent PSO: Verify Digital Signature command, or
- for the signature verification of a certificate that is provided in a subsequent PSO: Verify Certificate command.
Byte | Length | Value | Description |
---|---|---|---|
CLA | 1 | ‘00h’ | |
INS | 1 | ‘22h’ | |
P1 | 1 | ‘81h’ | Set for verification |
P2 | 1 | ‘B6h’ | Digital Signature |
Lc | 1 | ‘NNh’ | Lc: length of subsequent data field |
#6-#(5+L) | L | ‘83h’ + ‘08h’ + ‘XX...XXh’ | DER-TLV encoded reference of a public key, i.e. the Certificate Holder Reference in the certificate of the public key (see Appendix 11) |
For all command versions the response message structure and status words are given by:
Byte | Length | Value | Description |
---|---|---|---|
SW | 2 | ‘XXXXh’ | Status Words (SW1,SW2) |
If the command is successful, the card returns ‘9000’. The protocol has been selected and initialised.
‘6A80’ indicates incorrect parameters in the command data field.
‘6A88’ indicates that referenced data (i.e. a referenced key) is not available.
If the currentAuthenticatedTime of the card is later than the Expiration Date of the selected public key, the processing state returned is ‘6A88’.
Similarly, in case an MSE: SET DST command referencing an EQT (i.e. a VU or a card) is sent to a control card, according to CSM_234 the referenced key is always an EQT_Sign key that has to be used for the verification of a digital signature. According to Figure 13 in Appendix 11, the control card will always have stored the relevant EQT_Sign public key. In some cases, the control card may have stored the corresponding EQT_MA public key. The control card shall always set the EQT_Sign public key for use when it receives an MSE: SET DST command.
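As an added illustration (example code, not taken from the regulation or from any card or VU implementation), the following builds the three MSE:SET command APDUs described above and models the card's status-word decision for MSE:SET DST, including the expiry rule. The OID value, Certificate Holder References and compressed ephemeral key bytes used in it are constructed placeholders, not the values from Appendix 1 or Appendix 11.

```python
from datetime import date

def tlv(tag: int, value: bytes) -> bytes:
    """DER-TLV with a one-byte tag and short-form length (value < 128 bytes),
    which covers every data object in the MSE:SET commands above."""
    if not (0 <= tag <= 0xFF and len(value) < 0x80):
        raise ValueError("tag or length outside short-form DER-TLV")
    return bytes([tag, len(value)]) + value

def mse_set_at_chip_auth(oid_value: bytes) -> bytes:
    """MSE:SET AT, P1=41h P2=A4h: DO 80h carries the Chip Authentication OID
    value only (Tag 06h omitted, as the table states)."""
    data = tlv(0x80, oid_value)
    return bytes([0x00, 0x22, 0x41, 0xA4, len(data)]) + data

def mse_set_at_vu_auth(oid_value: bytes, vu_chr: bytes, vu_ephemeral_key: bytes) -> bytes:
    """MSE:SET AT, P1=81h P2=A4h: DO 80h (VU Authentication OID value),
    DO 83h (8-byte Certificate Holder Reference), DO 91h (compressed
    ephemeral public key of the VU, placeholder bytes in the example)."""
    if len(vu_chr) != 8:
        raise ValueError("Certificate Holder Reference must be 8 bytes")
    data = tlv(0x80, oid_value) + tlv(0x83, vu_chr) + tlv(0x91, vu_ephemeral_key)
    return bytes([0x00, 0x22, 0x81, 0xA4, len(data)]) + data

def mse_set_dst(chr_ref: bytes) -> bytes:
    """MSE:SET DST, P1=81h P2=B6h: DO 83h references the public key by its CHR."""
    if len(chr_ref) != 8:
        raise ValueError("Certificate Holder Reference must be 8 bytes")
    data = tlv(0x83, chr_ref)
    return bytes([0x00, 0x22, 0x81, 0xB6, len(data)]) + data

def card_mse_set_dst_status(apdu: bytes, key_store: dict, current_authenticated_time: date) -> int:
    """Card-side model of the MSE:SET DST status words: 6A80h for a malformed
    data field, 6A88h if the referenced key is unknown or currentAuthenticatedTime
    is later than its Expiration Date, 9000h otherwise.
    key_store maps CHR bytes -> expiry date (a simplified stand-in for the card's
    stored public keys)."""
    header, lc, data = apdu[:4], apdu[4:5], apdu[5:]
    if header != bytes([0x00, 0x22, 0x81, 0xB6]) or not lc or lc[0] != len(data):
        return 0x6A80
    # The data field must be exactly one DO 83h with an 8-byte value.
    if len(data) != 10 or data[0] != 0x83 or data[1] != 0x08:
        return 0x6A80
    expiry = key_store.get(data[2:])
    if expiry is None or current_authenticated_time > expiry:
        return 0x6A88
    return 0x9000
```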