Previous | Table of Contents | Next |
There are two kinds of keys used in the Multiflex smart card: PIN codes and cryptographic keys. PIN codes are used for card-to-person authentication. Crypto-graphic keys are used for card-to-computer authentication.
PIN codes are used by the card to make sure that the person trying to use the card is authorized to do so. PIN codes are usually four digits long, but they can be up to eight digits long. In a typical scenario, the cardholder is asked to enter a PIN code on a keypad or keyboard attached eventually to the card reader containing the card. The entered value is then sent to the card using the Verify PIN command. If the entered PIN agrees with the value found in the current PIN file, then the access level on the card is set to CHV (which stands for cardholder verified) and the cardholder can go ahead and perform all operations authorized to the CHV access condition.
Cryptographic keys are used by the card to authenticate and be authenticated by the terminal or computer into which the card has been inserted. Authentication is performed by demonstrating knowledge of a cryptographic key. There are four ways cryptographic keys are used:
External authentication is a better way for a terminal to authenticate itself to the card than to verify the key because the key itself doesnt pass over the communication line between the terminal and the card.
Each directory on a 3K Multiflex card can contain up to three key files that control access to the files in that directory. A particular directory need not contain any of these key files. It can contain only one, just two, or all three of them. The key files are all transparent elementary files that have special reserved names. The names of the special key files and what each file contains are shown in Table 5.10.
Key File Identifier | Key File Name(s) | Key File Contents | Maximum Number of Keys |
---|---|---|---|
000016 | PIN file | PIN code. | 1 |
000116 | Internal authentication file | Internal cryptographic keys: Keys used by the card to prove its identity to entities outside itself. | 16 |
001116 | External authentication file | External cryptographic keys: Keys the card uses to authenticate entities outside itself. | 16 |
If a PIN code file 000016 is present in the directory, it contains a sequence of 23 bytes describing one PIN code. The format of this descriptor is given in Table 5.11.
Byte Number | Description | Sample Values | Interpretation of Sample Values | Comment |
---|---|---|---|---|
1 | Activation Byte | FF16 | PIN is unblocked. | A value of 0016 means the PIN is blocked. |
2 | Reserved for future use. | |||
3 | Reserved for future use. | |||
4-11 | PIN Code | 0116 0216 0316 0416 FF16 FF16 FF16 FF16 FF16 | PIN is 1234 | A value of means the byte is ignored in checking a presented PIN. |
12 | Attempts Allowed | 0316 | Three sequential incorrect presentations of the PIN will block the PIN. | When the PIN is blocked you must use the Unblocking PIN and the Unblock PIN command to unblock it. |
13 | Attempts Remaining | 0316 | Three more attempts to enter the PIN may be made before it is blocked. | A successful presentation resets this value to Attempts Allowed. |
14-21 | Unblocking PIN Code | 0816 0716 0616 0516 0416 0316 0216 0116 | 87654321 is the PIN code needed to unblock this PIN. | This key is usually known to the card issuer but not the cardholder. The cardholder must present the card to the card issuer to get it unblocked. |
22 | Unblock attempts allowed | 0316 | Three sequential incorrect presentations of the unblocking key will block the PIN forever. | There is no way to unblock a blocked unblocking key, so once it is blocked the PIN is blocked forever. |
23 | Unblock attempts remaining | 0316 | Three more attempts at entering the unblocking key may be made before it is blocked forever. | |
Previous | Table of Contents | Next |