| User command | Description |
| Select | Selects a specific applet or file on the device, allowing subsequent operations to target the selected context. |
| Get Card Public Key | Retrieves the device’s public key used for signature or encryption verification. |
| Get Manufacturer Certificate | Retrieves the device manufacturer’s certificate for authenticity validation. |
| Get Card Certificate | Obtains the card or device certificate for identity verification. |
| Get Card Info / Read Data | Accesses basic information or metadata about the card/device, such as firmware version, ID, or capabilities. |
| Get Public Key (Pubkey) | Retrieves a specific public key associated with a known key index or derivation path. |
| Generate TRNG Random | Returns random data generated by the device’s True Random Number Generator, typically for nonce or key generation use. |
| Decrypt | Performs decryption of ciphertext using a user-authorized key, assuming permission or authentication is satisfied. |
| INIT | Initializes the device or resets it to a predefined state. Often used during personalization or factory setup. |
| Open Secure Channel | Establishes a secure communication channel using cryptographic protocols such as GlobalPlatform SCP or proprietary equivalents. |
| Mutually Authenticate | Performs a mutual authentication handshake between the host and device to ensure trust on both sides. |
| Seed Administration | Manage cryptographic seeds that are essential for key generation and security operations. |
| Change Pairing Key | Change the pairing key to maintain secure communication between devices. |
| Change PIN | Allows modification of the PIN used for user authentication. May be restricted based on policy. |
| Unblock PIN | Unblocks a locked PIN counter using an administrative key or PUK, restoring access to the device. |
| Derive Key | Derive keys from existing seeds for various cryptographic purposes. |
| Get Public Key (Pubkey) | Retrieve the public key associated with a specific private key stored on the device. |
| Get History | Access the history of operations or transactions performed by the device. |
| Write Data | Writes protected data to the card’s non-volatile memory. Access is restricted to authenticated sessions. |
| Set Pin Authentication (Pin Auth) | Configure PIN-based authentication mechanisms to enhance device security. |
| Set Pinless Path | Define operations or paths that can be executed without PIN authentication. |
| Set Public Key Export | Configures whether certain public keys can be exported or used externally. |
| User Key Management (Add, Check, and Delete) | Introduce a new user key into the device’s key management system, verify an existing key, and remove a user key from the device. |
| Challenge Response | Implement challenge-response authentication protocols to verify identities securely. |
| Generate Key | Generates new cryptographic key pairs inside the secure device. May support key derivation paths or templates. |
| Reset | Resets the device, session, or secure channel. May be used to clear session states or reinitialize contexts. |
| EC Signature | The commands are operations that enable you to generate digital signatures using the private keys stored securely on your Cryptnox hardware devices. |
