Cryptnox Docs

cryptnox-logo

INIT Command

The INIT command is a one-time setup command that is crucial for provisioning the card and activating its secure features. It’s the first secure write to the card and must be used only once, during initial setup of the secure applet.




  def init(
      name: str,
      email: str,
      pin: str,
      puk: str,
      pairing_secret: bytes,
      nfc_sign: bool
  ):
      card.init(
          name,
          email,
          pin,
          puk,
          pairing_secret,
          nfc_sign
      )

  # For example:
  init(
      "name",
      "email",
      "pin_code",
      "puk_code",
      b"Cryptnox_Basic_PairingKey_String",
      False
  )

📘

Note

  • This command is only available when the applet is in the pre-activate state.
  • Upon successful execution, the applet transitions to the activate state and securely stores:
  • PIN (9 digits/bytes)
  • PUK (12 digits/bytes)
  • Secure Channel pairing secret (32 bytes)
  • User personal information (e.g., name and email)
  • The payload is AES-CBC encrypted using:
  • A random IV
  • A key derived via EC-DH between the card's public key (GET CARD CERTIFICATE) and a client-generated ephemeral keypair
  • ISO/IEC 9797-1 Method 2 padding
  • Payload format:
[LEN | Name] + [LEN | Email] + PIN + PUK + PairingSecret
  • The command provides protection against passive MITM attacks but not active MITM, which is considered unrealistic due to the local nature of the communication (NFC or contact interface).
  • After successful execution:
  • The command becomes permanently disabled (unless reset)
  • The Secure Channel is enabled and PIN/PUK become active and required

Application Protocol Data Unit (APDU) Components for INIT

The following table outlines the components of the Application Protocol Data Unit (APDU).

FieldDescriptionValue
CLAThis field specifies the class of the instruction.0x80
INSThis field specifies the particular command or operation that the smart card or secure element should execute.0xFE
P1First parameter of the instruction that specifies the details about the operation being requested.0x00
P2First parameter of the instruction that specifies additional details about the operation being requested.0x00
DataKey dataEC public key (LV encoded) | IV | encrypted payload

Response

The following table outlines the possible responses that you will receive:

Response Code

Description

0x9000

Success

0x6D00

The applet is already

activated

0x6A80

The data is invalid (pubkey, non-digits in PIN, decrypted data length)

0x6984

the decryption is

invalid (wrong encryption key or bad padding)

Product Documentation

Admin Commands

Signature Commands

Menu
Menu
cryptnox-logo
Menu