Initialization & Pairing
INIT
This command is a one-time setup command that is crucial for provisioning the card and activating its secure features. It’s the first secure write to the card and must be used only once, during initial setup of the secure applet.
def init(name: str, email: str, pin: str, puk: str, pairing_secret: bytes, nfc_sign: bool)
card.init(name, email, pin, puk, pairing_secret, nfc_sign)
For example, init(“name”, “email”, “pin_code”, “puk_code”, b"Cryptnox_Basic_PairingKey_String", false)
📘 Note
- This command is only available when the applet is in the pre-initialized state.
- Upon successful execution, the applet transitions to the initialized state and securely stores:
– PIN (9 digits/bytes)
– PUK (12 digits/bytes)
– Secure Channel pairing secret (32 bytes)
– User personal information (e.g., name and email)
- The payload is AES-CBC encrypted using:
– A random IV
– A key derived via EC-DH between the card’s public key (GET CARD CERTIFICATE) and a client-generated ephemeral keypair
– ISO/IEC 9797-1 Method 2 padding
- Payload format:
[LEN | Name] + [LEN | Email] + PIN + PUK + PairingSecret
- The command provides protection against passive MITM attacks but not active MITM, which is considered unrealistic due to the local nature of the communication (NFC or contact interface).
- After successful execution:
– The INIT command becomes permanently disabled (unless reset)
– The Secure Channel is enabled and PIN/PUK become active and required
Application Protocol Data Unit (APDU) Components
The following table outlines the components of the Application Protocol Data Unit (APDU).
Field | Description | Value |
CLA | This field specifies the class of the instruction. | 0x80 |
INS | This field specifies the particular command or operation that the smart card or secure element should execute. | 0xFE |
P1 | First parameter of the instruction that specifies the details about the operation being requested. | 0x00 |
P2 | First parameter of the instruction that specifies additional details about the operation being requested. | 0x00 |
Data | Key data | EC public key (LV encoded) | IV | encrypted payload |
Response
The following table outlines the possible responses that you will receive:
Response Code | Description |
0x9000 | Success |
0x6D00 | The applet is already initialized |
0x6A80 | The data is invalid (pubkey, non-digits in PIN, decrypted data length) |
0x6984 | The decryption is invalid (wrong encryption key or bad padding) |