Commission Implementing Regulation (EU) 2016/799 of 18 March 2016 implementing Regulation (EU) No 165/2014 of the European Parliament and of the Council laying down the requirements for the construction, testing, installation, operation and repair of tachographs and their components (Text with EEA relevance) (c. 799)

Please note that the date you requested in the address for this web page is not an actual date upon which a change occurred to this item of legislation. You are being shown the legislation from , which is the first date before then upon which a change was made.

ANNEX I CU.K.Requirements for construction, testing, installation, and inspection

Appendix 2

TACHOGRAPH CARDS SPECIFICATION U.K.

3.HARDWARE AND COMMUNICATIONU.K.

3.5. Command descriptions U.K.

3.5.11 MANAGE SECURITY ENVIRONMENT U.K.

This command is used to set a public key for authentication purpose.

3.5.11.1 Generation 1 Command — Response pair U.K.

This command is compliant with ISO/IEC 7816-4. The use of this command is restricted regarding the related standard.

TCS_103This command is only supported by a generation 1 tachograph application.U.K.

TCS_104The key referenced in the MSE data field remains the current public key until the next correct MSE command, a DF is selected or the card is reset.U.K.

TCS_105If the key referenced is not (already) present into the card, the security environment remains unchanged.U.K.

TCS_106 Command Message U.K.

Byte	Length	Value	Description
CLA	1	‘00h’	CLA
INS	1	‘22h’	INS
P1	1	‘C1h’	P1: referenced key valid for all cryptographic operations
P2	1	‘B6h’	P2 (referenced data concerning Digital Signature)
Lc	1	‘0Ah’	Lc: length of subsequent data field
#6	1	‘83h’	Tag for referencing a public key in asymmetric cases
#7	1	‘08h’	Length of the key reference (key identifier)
#8-#15	8	‘XX..XXh’	Key identifier as specified in Appendix 11

TCS_107 Response Message U.K.

Byte	Length	Value	Description
SW	2	‘XXXXh’	Status Words (SW1,SW2)

If the command is successful, the card returns ‘9000’.
If the referenced key is not present into the card, the processing state returned is ‘6A88’.
If some expected data objects are missing in the secure messaging format, the processing state ‘6987’ is returned. This can happen if the tag ‘83h’ is missing.
If some data objects are incorrect, the processing state returned is ‘6988’. This can happen if the length of the key identifier is not ‘08h’.
If the selected key is considered corrupted, the processing state returned is ‘6400’ or ‘6581’.

3.5.11.2 Generation 2 Command — Response pairs U.K.

For the Generation 2 authentication the tachograph card supports the following MSE: Set command versions which are compliant with ISO/IEC 7816-4. These command versions are not supported for the Generation 1 authentication.

3.5.11.2.1 MSE:SET AT for Chip Authentication U.K.

The following MSE:SET AT command is used to select the parameters for the Chip Authentication that is performed by a subsequent General Authenticate command.

TCS_108The command can be performed in the MF, DF Tachograph and DF Tachograph_G2, see also TCS_34.U.K.

TCS_109 MSE:SET AT Command Message for Chip Authentication U.K.

Byte	Length	Value	Description
CLA	1	‘00h’
INS	1	‘22h’
P1	1	‘41h’	Set for internal authentication
P2	1	‘A4h’	Authentication
Lc	1	‘NNh’	Lc: length of subsequent data field
#6-#(5+L)	L	‘80h’ + ‘0Ah’ + ‘XX..XXh’	DER-TLV encoded cryptographic mechanism reference: Object Identifier of Chip Authentication (value only, Tag ‘06h’ is omitted). See Appendix 1 for the values of object identifiers; the byte notation shall be used. See Appendix 11 for guidance on how to select one of these object identifiers.

3.5.11.2.2 MSE:SET AT for VU Authentication U.K.

The following MSE:SET AT command is used to select the parameters and keys for the VU Authentication that is performed by a subsequent External Authenticate command.

TCS_110The command can be performed in the MF, DF Tachograph and DF Tachograph_G2, see also TCS_34.U.K.

TCS_111 MSE:SET AT Command Message for VU Authentication U.K.

Byte	Length	Value	Description
CLA	1	‘00h’
INS	1	‘22h’
P1	1	‘81h’	Set for external authentication
P2	1	‘A4h’	Authentication
Lc	1	‘NNh’	Lc: length of subsequent data field
#6-#(5+L)	L	‘80h’ + ‘0Ah’ + ‘XX..XXh’	DER-TLV encoded cryptographic mechanism reference: Object Identifier of VU Authentication (value only, Tag ‘06h’ is omitted). See Appendix 1 for the values of object identifiers; the byte notation shall be used. See Appendix 11 for guidance on how to select one of these object identifiers.
		‘83h’ + ‘08h’ + ‘XX..XXh’	DER-TLV encoded reference of the VU public key by the Certificate Holder Reference mentioned in its certificate.
		‘91h’ + L₉₁ + ‘XX..XXh’	DER-TLV encoded compressed representation of the ephemeral public key of the VU that will be used during Chip Authentication (see Appendix 11)

3.5.11.2.3 MSE:SET DST U.K.

The following MSE:SET DST command is used to set a public key either

for the verification of a signature that is provided in a subsequent PSO: Verify Digital Signature command or
for the signature verification of a certificate that is provided in a subsequent PSO: Verify Certificate command

TCS_112The command can be performed in the MF, DF Tachograph and DF Tachograph_G2, see also TCS_33.U.K.

TCS_113 MSE:SET DST Command Message U.K.

Byte	Length	Value	Description
CLA	1	‘00h’
INS	1	‘22h’
P1	1	‘81h’	Set for verification
P2	1	‘B6h’	Digital Signature
Lc	1	‘NNh’	Lc: length of subsequent data field
#6-#(5+L)	L	‘83h’ + ‘08h’ + ‘XX...XXh’	DER-TLV encoded reference of a public key, i.e. the Certificate Holder Reference in the certificate of the public key (see Appendix 11)

For all command versions the response message structure and status words are given by:

TCS_114 Response Message U.K.

Byte	Length	Value	Description
SW	2	‘XXXXh’	Status Words (SW1,SW2)

If the command is successful, the card returns ‘9000’. The protocol has been selected and initialised.
‘6A80’ indicates incorrect parameters in the command data field.
‘6A88’ indicates that referenced data (i.e. a referenced key) is not available.
[F1If the currentAuthenticatedTime of the card is later than the Expiration Date of the selected public key, the processing state returned is ‘ 6A88 ’ .

Textual Amendments

F1 Inserted by Commission Implementing Regulation (EU) 2018/502 of 28 February 2018 amending Implementing Regulation (EU) 2016/799 laying down the requirements for the construction, testing, installation, operation and repair of tachographs and their components (Text with EEA relevance).

Note: In the case of a MSE: SET AT for VU Authentication command, the referenced key is a VU_MA public key. The card shall set the VU_MA public key for use, if available in its memory, which matches the Certificate Holder Reference (CHR) given in the command data field (the card can identify VU_MA public keys by means of the certificate's CHA field). A card shall return ‘ 6A 88 ’ to this command in case only the VU_Sign public key or no public key of the Vehicle Unit is available. See the definition of the CHA field in Appendix 11 and of data type equipmentType in Appendix 1. U.K.

Similarly, in case an MSE: SET DST command referencing an EQT (i.e. a VU or a card) is sent to a control card, according to CSM_234 the referenced key is always an EQT_Sign key that has to be used for the verification of a digital signature. According to Figure 13 in Appendix 11, the control card will always have stored the relevant EQT_Sign public key. In some cases, the control card may have stored the corresponding EQT_MA public key. The control card shall always set the EQT_Sign public key for use when it receives an MSE: SET DST command.]