Communication Protocols
The Cryptnox Basic Wallet Card communicates using ISO7816 APDUs over the T=1 protocol,Â
with full support for extended APDUs to handle larger payloads. All sensitive operations areÂ
performed through an authenticated Secure Channel, established via ECDH and protected byÂ
AES-256 encryption.
- APDU Model
The card follows a standard command/response exchange structure (CLA | INS | P1 | P2 | Lc | Data | Le). Extended APDUs (>255 bytes) are supported for operations that require large data exchanges.
- T=1 Protocol
A block-oriented communication model with built-in error detection and message chaining, ensuring reliable data transfer even during extended or chained APDUs.
- Secure Channel
The Secure Channel is derived through an ECDH exchange combined with the pairing key, producing session keys via SHA-512 derivation. These keys protect the session using AES-256 CBC (encryption) and AES-256 CMAC (integrity), with replay protection managed by nonces and counters.
- Authentication
Access control relies on a multi-tiered authentication framework:
- PIN (4–9 digits): Required before executing sensitive operations such as signing. Three failed attempts trigger a lockout, recoverable via the PUK.
- PUK (12 characters): Used for PIN recovery and card reset, with unlimited attempts but enforced delay mechanisms.
- Pairing Key (32 bytes): Required to open a Secure Channel; recoverable from PUK if lost.
- User Keys: External authentication keys (ECDSA, RSA, or FIDO2) uploaded to authorize transactions.
- FIDO2 Authentication: Challenge–response mechanism using an external authenticator such as a YubiKey, TPM, or Secure Enclave.
- Query/Response Model
Communication is strictly one command per response, ensuring predictable and deterministic
interactions without concurrency.