Commission Implementing Regulation (EU) 2016/799 of 18 March 2016 implementing Regulation (EU) No 165/2014 of the European Parliament and of the Council laying down the requirements for the construction, testing, installation, operation and repair of tachographs and their components (Text with EEA relevance) (c. 799)

Please note that the date you requested in the address for this web page is not an actual date upon which a change occurred to this item of legislation. You are being shown the legislation from , which is the first date before then upon which a change was made.

ANNEX I CU.K.Requirements for construction, testing, installation, and inspection

Appendix 11

COMMON SECURITY MECHANISMS U.K.

PART BU.K. SECOND-GENERATION TACHOGRAPH SYSTEM

9.KEYS AND CERTIFICATESU.K.

9.2. Symmetric Keys U.K.

9.2.1 Keys for Securing VU — Motion Sensor Communication U.K.

9.2.1.1 General U.K.

Note: readers of this section are supposed to be familiar with the contents of [ISO 16844-3] describing the interface between a vehicle unit and a motion sensor. The pairing process between a VU and a motion sensor is described in detail in chapter 12 of this Appendix.U.K.

CSM_100A number of symmetric keys is needed for pairing vehicle units and motion sensors, for mutual authentication between vehicle units and motion sensors and for encrypting communication between vehicle units and motion sensors, as shown in Table 3. All of these keys shall be AES keys, with a key length equal to the length of the motion sensor master key, which shall be linked to the length of the (foreseen) European root key pair as described in CSM_50.U.K.

Key	Symbol	Generated by	Generation method	Stored by
Table 3
Keys for securing vehicle unit — motion sensor communication
^a Storage of K_M and K_ID is optional, as these keys can be derived from K_M-VU, K_M-WC and CV.
Motion Sensor Master Key — VU part	K_M-VU	ERCA	Random	ERCA, MSCAs involved in issuing VUs certificates, VU manufacturers, vehicle units
Motion Sensor Master Key — Workshop part	K_M-WC	ERCA	Random	ERCA, MSCAs, card manufacturers, workshop cards
Motion Sensor Master Key	K_M	Not independently generated	Calculated as K_M = K_M-VU XOR K_M-WC	ERCA, MSCAs involved in issuing motion sensors keys (optionally)^a
Identification Key	K_ID	Not independently generated	Calculated as K_{ID =} K_M XOR CV, where CV is specified in CSM_106	ERCA, MSCAs involved in issuing motion sensors keys (optionally)^a
Pairing Key	K_P	Motion sensor manufacturer	Random	One motion sensor
Session Key	K_S	VU (during pairing of VU and motion sensor)	Random	One VU and one motion sensor

CSM_101The European Root Certificate Authority shall generate K_M-VU and K_M-WC, two random and unique AES keys from which the motion sensor master key K_M can be calculated as K_M-VU XOR K_M-WC. The ERCA shall communicate K_M, K_M-VU and K_M-WC to Member State Certificate Authorities upon their request.U.K.

CSM_102The ERCA shall assign to each motion sensor master key K_M a unique version number, which shall also be applicable for the constituting keys K_M-VU and K_M-WC and for the related identification key K_ID. The ERCA shall inform the MSCAs about the version number when sending K_M-VU and K_M-WC to them.U.K.

Note: The version number is used to distinguish different generations of these keys, as explained in detail in section 9.2.1.2.U.K.

CSM_103A Member State Certificate Authority shall forward K_M-VU, together with its version number, to vehicle unit manufacturers upon their request. The VU manufacturers shall insert K_M-VU and its version number in all manufactured VUs.U.K.

CSM_104A Member State Certificate Authority shall ensure that K_M-WC, together with its version number, is inserted in every workshop card issued under its responsibility.U.K.

Notes: U.K.

—See the description of data type in Appendix 2.U.K.

—as explained in section 9.2.1.2, in fact multiple generations of K_M-WC may have to be inserted in a single workshop card.U.K.

CSM_105In addition to the AES key specified in CSM_104, a MSCA shall ensure that the TDES key Km_WC, specified in requirement CSM_037 in Part A of this Appendix, is inserted in every workshop card issued under its responsibility.U.K.

Notes: U.K.

—This allows a second-generation workshop card to be used for coupling a first-generation VU.U.K.

—A second-generation workshop card will contain two different applications, one complying with Part B of this Appendix and one complying with Part A. The latter will contain the TDES key Km_WC.U.K.

CSM_106An MSCA involved in issuing motion sensors shall derive the identification key from the motion sensor master key by XORing it with a constant vector CV. The value of CV shall be as follows:U.K.

[F1For 128-bit motion sensor master keys: CV = ‘ B6 44 2C 45 0E F8 D3 62 0B 7A 8A 97 91 E4 5D 83 ’]
For 192-bit motion sensor master keys: CV = ‘72 AD EA FA 00 BB F4 EE F4 99 15 70 5B 7E EE BB 1C 54 ED 46 8B 0E F8 25’
For 256-bit motion sensor master keys: CV = ‘1D 74 DB F0 34 C7 37 2F 65 55 DE D5 DC D1 9A C3 23 D6 A6 25 64 CD BE 2D 42 0D 85 D2 32 63 AD 60’

Textual Amendments

F1 Substituted by Commission Implementing Regulation (EU) 2018/502 of 28 February 2018 amending Implementing Regulation (EU) 2016/799 laying down the requirements for the construction, testing, installation, operation and repair of tachographs and their components (Text with EEA relevance).

Note: the constant vectors have been generated as follows:U.K.

Pi_10 = first 10 bytes of the decimal portion of the mathematical constant π = ‘24 3F 6A 88 85 A3 08 D3 13 19’
CV_128-bits = first 16 bytes of SHA-256(Pi_10)
CV_192-bits = first 24 bytes of SHA-384(Pi_10)
CV_256-bits = first 32 bytes of SHA-512(Pi_10)

CSM_107 [F1Each Motion sensor manufacturer shall generate a random and unique pairing key K _P for every motion sensor, and shall send each pairing key to its Member State Certificate Authority. The MSCA shall encrypt each pairing key separately with the motion sensor master key K _M and shall return the encrypted key to the motion sensor manufacturer. For each encrypted key, the MSCA shall notify the motion sensor manufacturer of the version number of the associated K _M .] U.K.

Note: as explained in section 9.2.1.2, in fact a motion sensor manufacturer may have to generate multiple unique pairing keys for a single motion sensor.U.K.

[F1CSM_108 Each motion sensor manufacturer shall generate a unique serial number for every motion sensor, and shall send all serial numbers to its Member State Certificate Authority. The MSCA shall encrypt each serial number separately with the identification key K _ID and shall return the encrypted serial number to the motion sensor manufacturer. For each encrypted serial number, the MSCA shall notify the motion sensor manufacturer of the version number of the associated K _ID .] U.K.

CSM_109For requirements CSM_107 and CSM_108, the MSCA shall use the AES algorithm in the Cipher Block Chaining mode of operation, as defined in [ISO 10116], with an interleave parameter m = 1 and an initialization vector SV = ‘00’ {16}, i.e. sixteen bytes with binary value 0. When necessary, the MSCA shall use padding method 2 defined in [ISO 9797-1].U.K.

CSM_110The motion sensor manufacturer shall store the encrypted pairing key and the encrypted serial number in the intended motion sensor, together with the corresponding plain text values and the version number of K_M and K_ID used for encrypting.U.K.

Note: as explained in section 9.2.1.2, in fact a motion sensor manufacturer may have to insert multiple encrypted pairing keys and multiple encrypted serial numbers in a single motion sensor.U.K.

CSM_111In addition to the AES-based cryptographic material specified in CSM_110, a motion sensor manufacturer may also store in each motion sensor the TDES-based cryptographic material specified in requirement CSM_037 in Part A of this Appendix.U.K.

Note: doing so will allow a second-generation motion sensor to be coupled to a first-generation VU.U.K.

CSM_112The length of the session key K_S generated by a VU during the pairing to a motion sensor shall be linked to the length of its K_M-VU, as described in CSM_50.U.K.

9.2.1.2 Motion Sensor Master Key Replacement in Second-Generation Equipment U.K.

CSM_113Each motion sensor master key and all related keys (see Table 3) is associated to a particular generation of the ERCA root key pair. These keys shall therefore be replaced every 17 years. The validity period of each motion sensor master key generation shall begin one year before the associated ERCA root key pair becomes valid and shall end when the associated ERCA root key pair expires. This is depicted in Figure 2.U.K.

Figure 2

Issuance and usage of different generations of the motion sensor master key in vehicle units, motions sensors and workshop cards

CSM_114At least one year before generating a new European root key pair, as described in CSM_56, the ERCA shall generate a new motion sensor master key K_M by generating a new K_M-VU and K_M-WC. The length of the motion sensor master key shall be linked to the foreseen strength of the new European root key pair, according to CSM_50. The ERCA shall communicate the new K_M, K_M-VU and K_M-WC to the MSCAs upon their request, together with their version number.U.K.

CSM_115An MSCA shall ensure that all valid generations of K_M-WC are stored in every workshop card issued under its authority, together with their version numbers, as shown in Figure 2.U.K.

Note: this implies that in the last year of the validity period of an ERCA certificate, workshop cards will be issued with three different generations of K_M-WC, as shown in Figure 2.U.K.

CSM_116In relation to the process described in CSM_107 and CSM_108 above: An MSCA shall encrypt each pairing key K_P it receives from a motion sensor manufacturer separately with each valid generation of the motion sensor master key K_M. An MSCA shall also encrypt each serial number it receives from a motion sensor manufacturer separately with each valid generation of the identification key K_ID. A motion sensor manufacturer shall store all encryptions of the pairing key and all encryptions of the serial number in the intended motion sensor, together with the corresponding plain text values and the version number(s) of K_M and K_ID used for encrypting.U.K.

Note: This implies that in the last year of the validity period of an ERCA certificate, motion sensors will be issued with encrypted data based on three different generations of K_M, as shown in Figure 2.U.K.

CSM_117In relation to the process described in CSM_107 above: Since the length of the pairing key K_P shall be linked to the length of K_M (see CSM_100), a motion sensor manufacturer may have to generate up to three different pairing keys (of different lengths) for one motion sensor, in case subsequent generations of K_M have different lengths. In such a case, the manufacturer shall send each pairing key to the MSCA. The MSCA shall ensure that each pairing key is encrypted with the correct generation of the motion sensor master key, i.e. the one having the same length.U.K.

Note: In case the motion sensor manufacturer chooses to generate a TDES-based pairing key for a second-generation motion sensor (see CSM_111), the manufacturer shall indicate to the MSCA that the TDES-based motion sensor master key must be used for encrypting this pairing key. This is because the length of a TDES key may be equal to that of an AES key, so the MSCA cannot judge from the key length alone.U.K.

CSM_118Vehicle unit manufacturers shall insert only one generation of K_M-VU in each vehicle unit, together with its version number. This K_M-VU generation shall be linked to the ERCA certificate upon which the VU's certificates are based.U.K.

Notes: U.K.

—A vehicle unit based on the generation X ERCA certificate shall only contain the generation X K_M-VU, even if it is issued after the start of the validity period of the generation X+1 ERCA certificate. This is shown in Figure 2.U.K.

—A VU of generation X cannot be paired to a motion sensor of generation X-1.U.K.

—Since workshop cards have a validity period of one year, the result of CSM_113 — CSM_118 is that all workshop cards will contain the new K_M-WC at the moment the first VU containing the new K_M-VU is issued. Therefore, such a VU will always be able to calculate the new K_M. Moreover, by that time most new motion sensors will contain encrypted data based on the new K_M as well.U.K.

ANNEX I CU.K.Requirements for construction, testing, installation, and inspection

Appendix 11

COMMON SECURITY MECHANISMS U.K.

PART BU.K. SECOND-GENERATION TACHOGRAPH SYSTEM

9.KEYS AND CERTIFICATESU.K.

9.2. Symmetric Keys U.K.

9.2.1 Keys for Securing VU — Motion Sensor Communication U.K.

9.2.1.1 General U.K.

CSM_103A Member State Certificate Authority shall forward KM-VU, together with its version number, to vehicle unit manufacturers upon their request. The VU manufacturers shall insert KM-VU and its version number in all manufactured VUs.U.K.

CSM_104A Member State Certificate Authority shall ensure that KM-WC, together with its version number, is inserted in every workshop card issued under its responsibility.U.K.

Notes: U.K.

—See the description of data type in Appendix 2.U.K.

—as explained in section 9.2.1.2, in fact multiple generations of KM-WC may have to be inserted in a single workshop card.U.K.

CSM_105In addition to the AES key specified in CSM_104, a MSCA shall ensure that the TDES key KmWC, specified in requirement CSM_037 in Part A of this Appendix, is inserted in every workshop card issued under its responsibility.U.K.

Notes: U.K.

—This allows a second-generation workshop card to be used for coupling a first-generation VU.U.K.

—A second-generation workshop card will contain two different applications, one complying with Part B of this Appendix and one complying with Part A. The latter will contain the TDES key KmWC.U.K.

CSM_106An MSCA involved in issuing motion sensors shall derive the identification key from the motion sensor master key by XORing it with a constant vector CV. The value of CV shall be as follows:U.K.

CSM_110The motion sensor manufacturer shall store the encrypted pairing key and the encrypted serial number in the intended motion sensor, together with the corresponding plain text values and the version number of KM and KID used for encrypting.U.K.

CSM_111In addition to the AES-based cryptographic material specified in CSM_110, a motion sensor manufacturer may also store in each motion sensor the TDES-based cryptographic material specified in requirement CSM_037 in Part A of this Appendix.U.K.

CSM_112The length of the session key KS generated by a VU during the pairing to a motion sensor shall be linked to the length of its KM-VU, as described in CSM_50.U.K.

9.2.1.2 Motion Sensor Master Key Replacement in Second-Generation Equipment U.K.

CSM_115An MSCA shall ensure that all valid generations of KM-WC are stored in every workshop card issued under its authority, together with their version numbers, as shown in Figure 2.U.K.

CSM_118Vehicle unit manufacturers shall insert only one generation of KM-VU in each vehicle unit, together with its version number. This KM-VU generation shall be linked to the ERCA certificate upon which the VU's certificates are based.U.K.

Notes: U.K.

—A vehicle unit based on the generation X ERCA certificate shall only contain the generation X KM-VU, even if it is issued after the start of the validity period of the generation X+1 ERCA certificate. This is shown in Figure 2.U.K.

—A VU of generation X cannot be paired to a motion sensor of generation X-1.U.K.

CSM_103A Member State Certificate Authority shall forward K_M-VU, together with its version number, to vehicle unit manufacturers upon their request. The VU manufacturers shall insert K_M-VU and its version number in all manufactured VUs.U.K.

CSM_104A Member State Certificate Authority shall ensure that K_M-WC, together with its version number, is inserted in every workshop card issued under its responsibility.U.K.

—as explained in section 9.2.1.2, in fact multiple generations of K_M-WC may have to be inserted in a single workshop card.U.K.

CSM_105In addition to the AES key specified in CSM_104, a MSCA shall ensure that the TDES key Km_WC, specified in requirement CSM_037 in Part A of this Appendix, is inserted in every workshop card issued under its responsibility.U.K.

—A second-generation workshop card will contain two different applications, one complying with Part B of this Appendix and one complying with Part A. The latter will contain the TDES key Km_WC.U.K.

CSM_110The motion sensor manufacturer shall store the encrypted pairing key and the encrypted serial number in the intended motion sensor, together with the corresponding plain text values and the version number of K_M and K_ID used for encrypting.U.K.

CSM_112The length of the session key K_S generated by a VU during the pairing to a motion sensor shall be linked to the length of its K_M-VU, as described in CSM_50.U.K.

CSM_115An MSCA shall ensure that all valid generations of K_M-WC are stored in every workshop card issued under its authority, together with their version numbers, as shown in Figure 2.U.K.

CSM_118Vehicle unit manufacturers shall insert only one generation of K_M-VU in each vehicle unit, together with its version number. This K_M-VU generation shall be linked to the ERCA certificate upon which the VU's certificates are based.U.K.

—A vehicle unit based on the generation X ERCA certificate shall only contain the generation X K_M-VU, even if it is issued after the start of the validity period of the generation X+1 ERCA certificate. This is shown in Figure 2.U.K.