This APDU command allows both parties to verify that the keys generated in the OPEN SECURE CHANNEL step match, which guarantees that each side is talking to the intended counterpart. The data sent by each party is a 256-bit random number, encrypted with the keys generated in the OPEN SECURE CHANNEL step.
Each party must verify the MAC of the received APDU. If the MAC and padding can be verified, it means that both parties are using the same keys. Only after this step has been executed can the secure channel be considered open and other commands sent.
If authentication fails, the card must respond with 0x6982. In this case, the OPEN SECURE CHANNEL command must be repeated to generate new keys.
```python
def mutual_auth(card):
    """Run MUTUALLY AUTHENTICATE on an already-opened secure channel.

    `card` is a connected card object whose `mutual_auth()` method sends the
    APDU and verifies the card's reply; it must be called right after
    OPEN SECURE CHANNEL, before any other secure-channel command.
    """
    card.mutual_auth()


# For example, with `card` already connected and the secure channel opened:
# mutual_auth(card)
```
The following table outlines the components of the Application Protocol Data Unit (APDU) used to mutually authenticate in secure communications.
| Field | Description | Value |
|-------|-------------|-------|
| CLA | This field specifies the class of the instruction. | 0x80 |
| INS | This field specifies the particular command or operation that the smart card or secure element should execute. | 0x11 |
| P1 | First parameter of the instruction, specifying details about the operation being requested. | 0x00 |
| P2 | Second parameter of the instruction, specifying additional details about the operation being requested. | 0x00 |
| Data | Key data | 256-bit random number (encrypted with the secure channel keys) |
📘
Note
Once the secure channel is opened, for commands requiring a secure channel, the status error codes are sent back as encrypted data through the tunnel. The last 2 bytes of the decrypted data are the command status word, while the outer (plaintext) status word is always 0x9000. The real status word is therefore the one carried, encrypted, in the inner data payload of the command response.
The following table outlines the possible responses that you will receive:
| Response Code | Description |
|---------------|-------------|
| 0x9000 | Success |
| 0x6985 | The previous successfully executed APDU was not OPEN SECURE CHANNEL |
| 0x6982 | Mutually Authenticate failed or the data is not 256-bit long |
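The following is an added simulation of both sides of the MUTUALLY AUTHENTICATE exchange and of the inner-status-word unwrapping described in the note above; it is example code written for this page, not the card's or any SDK's implementation. It assumes that OPEN SECURE CHANNEL has already produced a separate encryption key and MAC key for each party, uses ISO/IEC 9797-1 method 2 padding (0x80 then zeros) and a stand-in counter-mode cipher built from HMAC-SHA256 so that it runs with the Python standard library only; the real card's cipher, MAC and IV handling differ, and the `SecureChannel` class and its method names are hypothetical. The point it makes is the one in the text: a wrong key surfaces as a MAC or padding failure, the card answers 0x6982, and for later commands the real status word is the last two bytes of the decrypted payload.

```python
import hashlib
import hmac
import os
import secrets

BLOCK = 16
SW_OK, SW_AUTH_FAILED = 0x9000, 0x6982


def pad_iso9797_m2(data: bytes) -> bytes:
    """ISO/IEC 9797-1 method 2 padding: append 0x80, then zeros up to the block size."""
    n = BLOCK - (len(data) % BLOCK)
    return data + b"\x80" + b"\x00" * (n - 1)


def unpad_iso9797_m2(data: bytes) -> bytes:
    """Strip method-2 padding; a malformed tail is a typical symptom of a wrong key."""
    i = data.rfind(b"\x80")
    if i < 0 or any(data[i + 1:]):
        raise ValueError("bad padding")
    return data[:i]


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in cipher (assumption, not the card's): counter-mode keystream from HMAC-SHA256."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class SecureChannel:
    """One party's view of the channel: the encryption and MAC keys from OPEN SECURE CHANNEL."""

    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key = enc_key, mac_key

    def wrap(self, plaintext: bytes) -> bytes:
        """Pad, encrypt, then MAC over IV and ciphertext: iv || ct || tag."""
        iv = os.urandom(BLOCK)
        padded = pad_iso9797_m2(plaintext)
        ct = bytes(a ^ b for a, b in zip(padded, keystream(self.enc_key, iv, len(padded))))
        tag = hmac.new(self.mac_key, iv + ct, hashlib.sha256).digest()[:BLOCK]
        return iv + ct + tag

    def unwrap(self, blob: bytes) -> bytes:
        """Verify the MAC first (constant time), then decrypt and check the padding."""
        if len(blob) < 3 * BLOCK or (len(blob) - 2 * BLOCK) % BLOCK:
            raise ValueError("bad length")
        iv, ct, tag = blob[:BLOCK], blob[BLOCK:-BLOCK], blob[-BLOCK:]
        expected = hmac.new(self.mac_key, iv + ct, hashlib.sha256).digest()[:BLOCK]
        if not hmac.compare_digest(tag, expected):
            raise ValueError("MAC mismatch")
        padded = bytes(a ^ b for a, b in zip(ct, keystream(self.enc_key, iv, len(ct))))
        return unpad_iso9797_m2(padded)


def card_mutually_authenticate(card: SecureChannel, data: bytes):
    """Card side: MAC/padding must verify and the nonce must be 256 bits, else 0x6982."""
    try:
        host_nonce = card.unwrap(data)
    except ValueError:
        return SW_AUTH_FAILED, b""
    if len(host_nonce) != 32:
        return SW_AUTH_FAILED, b""
    return SW_OK, card.wrap(secrets.token_bytes(32))


def host_mutually_authenticate(host: SecureChannel, card: SecureChannel) -> bool:
    """Host side: send a wrapped 256-bit nonce, then verify the card's reply the same way."""
    sw, resp = card_mutually_authenticate(card, host.wrap(secrets.token_bytes(32)))
    if sw != SW_OK:
        return False
    try:
        return len(host.unwrap(resp)) == 32
    except ValueError:
        return False


def inner_status(host: SecureChannel, response: bytes):
    """For later secure-channel commands: outer SW is 0x9000, real SW is the last 2 decrypted bytes."""
    body, outer_sw = response[:-2], int.from_bytes(response[-2:], "big")
    if outer_sw != SW_OK:
        raise ValueError(f"transport-level error {outer_sw:#06x}")
    inner = host.unwrap(body)
    return inner[:-2], int.from_bytes(inner[-2:], "big")


if __name__ == "__main__":
    enc, mac = os.urandom(32), os.urandom(32)        # constructed keys, same on both sides
    host, card = SecureChannel(enc, mac), SecureChannel(enc, mac)
    print("matching keys:", host_mutually_authenticate(host, card))
    stranger = SecureChannel(os.urandom(32), os.urandom(32))
    print("mismatched keys:", host_mutually_authenticate(host, stranger))
```

Running the script prints `True` for the matching-key pair and `False` for the mismatched one; in the second case the card-side function returns 0x6982 and the host has to repeat OPEN SECURE CHANNEL, as the text requires. `inner_status` shows why checking only the outer status word is not enough once the channel is open: a response whose decrypted tail reads 0x6A82 still arrives with a plaintext 0x9000.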