| Category | Command | Description | Secure Channel Required | PIN / User Key Required | PUK Required |
| --- | --- | --- | --- | --- | --- |
| Application & Info | SELECT | Selects the Cryptnox applet. | | | |
| Application & Info | Get Card Public Key | Retrieves the card factory EC public key. | | | |
| Application & Info | Get Manufacturer Certificate | Reads Cryptnox X509 manufacturer certificate (paged). | | | |
| Application & Info | Get Card Certificate | Retrieves ephemeral session certificate (for secure channel setup). | | | |
| Initialization | INIT | Initializes card with PIN, PUK, and pairing key. | (one-shot encryption) | | (to set initial PUK) |
| Initialization | Open Secure Channel | Establishes Secure Channel with pairing key. | | | (unless using PUK-derived key index = FF) |
| Initialization | Mutually Authenticate | Confirms Secure Channel integrity with challenge/response. | | | |
| Initialization | Change Pairing Key | Updates Secure Channel pairing key. | | | |
| User Auth | Verify PIN | Verifies user PIN, unlocks card for session. | | (PIN) | |
| User Auth | Change PIN / PUK | Changes PIN or PUK. | | (PIN or PUK) | (to change PIN if PIN not validated, or to change PUK itself) |
| User Auth | Unblock PIN | Unblocks PIN with PUK + new PIN. | | | |
| User Auth | Add User Key | Stores external user public key (ECDSA, RSA, FIDO). | | PIN/User Key (or PUK if PIN disabled) | (if PIN disabled) |
| User Auth | Check User Key | Performs challenge-response authentication using user key. | | (User Key signature) | |
| User Auth | Delete User Key | Deletes a registered user key slot. | | | |
| User Auth | Set Pin Auth | Enables/disables PIN auth (forces User Key only). | | | |
| Key Management | Load Key | Loads seed, keypair, or performs dual seed generation. | | PIN/User Key | |
| Key Management | Generate Key | Generates new seed internally. | | PIN/User Key | |
| Key Management | Set Pinless Path | Configures special EIP-1581 pinless derivation path. | | | |
| Key Management | Set Pub Export | Enables xpub or clear pubkey output. | | | |
| Key Management | Get Public Key (Pubkey) | Reads current or derived public key, xpub. | (except pinless/clear export) | PIN/User Key (unless pinless/clear allowed) | |
| Key Management | Derive Key | Derives new key pair from seed (BIP32/SLIP10). | | PIN/User Key | |
| Key Management | Generate TRNG Random | Outputs random data (16–64 bytes). | | | |
| Operations | Sign | Signs 32-byte hash (ECDSA/Schnorr). | (except pinless path) | PIN/User Key (unless pinless mode) | |
| Operations | Decrypt | ECIES-like decryption / symmetric key output. | | PIN/User Key | |
| Data & History | Get Card Info / Read Data | Reads owner info, key source, counters, user slot info. | | PIN/User Key (for protected slots) | |
| Data & History | Get History | Reads signing history slots. | | PIN/User Key | |
| Data & History | Write Data | Writes user data slot or custom bytes. | | PIN/User Key | |
| Administration | Reset | Full reset of the card. | | | |