EXTERNAL AUTHENTICATION XAUTH key 1

Command Description

The EXTERNAL AUTHENTICATION Access Condition is granted upon successful execution of the GET CHALLENGE command and the EXTERNAL AUTHENTICATE command with the XAUTH key 1.

The length of the Get Challenge response indicates the key type of XAUTH key 1:

  • 8 bytes for a TDES Administration key
  • 16 bytes for an AES-128 Administration key

Instance: ACA

Access Condition: Always

Get Challenge Command Message

The following table lists the coding for the GET CHALLENGE command message.

| Field | Value |
|---|---|
| CLA | 00h |
| INS | 84h |
| P1 | 00h |
| P2 | 00h |
| Lc | Empty |
| Data Field | Empty |
| Le | 00h |

Get Challenge Response Message

Data Field Returned in the Response Message

This command returns the card challenge value coded on:

  • 8 bytes if the XAUTH key is a TDES key
  • 16 bytes if the XAUTH key is a 128-bit AES key

Processing State Returned in the Response Message

The following table lists the processing state returned in the response message.

| Status | Meaning |
|---|---|
| 9000h | Successful Execution |

External Authenticate Command Message

The following table lists the coding for the EXTERNAL AUTHENTICATE command message.

| Field | Value |
|---|---|
| CLA | 00h |
| INS | 82h |
| P1 | 00h |
| P2 | Key index: 01h for XAUTH 1 |
| Lc | 08h for TDES algorithm; 10h for AES algorithm |
| Data Field | Host Cryptogram = TDES-ECB[XAuth 1 key](8-byte Card Challenge), or Host Cryptogram = AES128-ECB[XAuth 1 key](16-byte Card Challenge) |
| Le | Empty |

External Authenticate Response Message

Data Field Returned in the Response Message

The response message is always empty.

Processing State Returned in the Response Message

The following table lists the processing state returned in the response message.

| Status | Meaning |
|---|---|
| 6A88h | XAUTH 1 key has not been initialized, see PUT XAUTH KEY for the key initialization |
| 6985h | The Get Challenge command has not been sent before the command |
| 6300h | Invalid cryptogram, authentication with XAUTH 1 failed |
| 9000h | Successful Execution |

External Authentication Sequences

To perform an external authentication, use the following process:

  1. Select the ACA instance.
  2. Get the Challenge.
  3. Send the External Authenticate.

Sequence Parameters

AES-128 Key

This section details the sequence for performing an external authentication where XAUTH key 1 is the AES-128 key 00000000000000000000000000000000.

| Step | Field | Value |
|---|---|---|
| Select ACA instance | Cmd | 00A4040007A0000000791000 |
| Select ACA instance | Resp | 6F128407A0000000791000A507010510030003019000 |
| Get Challenge | Cmd | 0084000100 |
| Get Challenge | Resp | 2F9594D17F88B8F7A1F047BEC304DDCF9000 |
| External Authentication | Host Cryptogram | AES128-ECB[XAuth 1 key](2F9594D17F88B8F7A1F047BEC304DDCF) = ACF047FE969C019C0F58BA4BE136549, where XAUTH key 1 = 00000000000000000000000000000000 |
| External Authentication | Cmd | 0084000100ACF047FE969C019C0F58BA4BE136549 |
| External Authentication | Resp | 9000 |

TDES Key

This section details the sequence for performing an external authentication where XAUTH key 1 is the TDES key 000000000000000000000000000000000000000000000000.

| Step | Field | Value |
|---|---|---|
| Select ACA instance | Cmd | 00A4040007A0000000791000 |
| Select ACA instance | Resp | 6F128407A0000000791000A507010510030003019000 |
| Get Challenge | Cmd | 0084000100 |
| Get Challenge | Resp | D839A7C621ECFB519000 |
| External Authentication | Host Cryptogram | TDES-ECB[XAuth 1 key](D839A7C621ECFB51) = E79075FBE7CBE92B, where XAUTH key 1 = 000000000000000000000000000000000000000000000000 |
| External Authentication | Cmd | 0084000008E79075FBE7CBE92B |
| External Authentication | Resp | 9000 |
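
The following Python helpers are an added example, not code from the original page or from the applet vendor. They classify the GET CHALLENGE response by its length, build the EXTERNAL AUTHENTICATE APDU from the command-coding tables above, and decode the listed status words. All function names are assumptions, and the block cipher is passed in as `encrypt_ecb`, a hypothetical caller-supplied function that encrypts one block under XAUTH key 1.

```python
from typing import Callable, Tuple

# APDU codings taken from the command tables on this page.
GET_CHALLENGE = bytes.fromhex("0084000000")   # CLA INS P1 P2 Le
EXT_AUTH_HEADER = bytes.fromhex("00820001")   # P2 = 01h selects XAUTH 1

SW_MEANING = {
    0x9000: "Successful execution",
    0x6A88: "XAUTH 1 key has not been initialized",
    0x6985: "GET CHALLENGE was not sent before EXTERNAL AUTHENTICATE",
    0x6300: "Invalid cryptogram, authentication with XAUTH 1 failed",
}

def split_response(resp: bytes) -> Tuple[bytes, int]:
    """Split a response APDU into (data field, status word)."""
    if len(resp) < 2:
        raise ValueError("response shorter than a status word")
    return resp[:-2], int.from_bytes(resp[-2:], "big")

def parse_challenge(resp: bytes) -> Tuple[str, bytes]:
    """Return (key type, challenge); the challenge length identifies the key type."""
    data, sw = split_response(resp)
    if sw != 0x9000:
        raise ValueError(f"GET CHALLENGE failed with {sw:04X}h")
    key_types = {8: "TDES", 16: "AES-128"}
    if len(data) not in key_types:
        raise ValueError(f"unexpected challenge length {len(data)}")
    return key_types[len(data)], data

def build_external_authenticate(challenge: bytes,
                                encrypt_ecb: Callable[[bytes], bytes]) -> bytes:
    """Build the command; Lc is 08h (TDES) or 10h (AES), data is the host cryptogram."""
    cryptogram = encrypt_ecb(challenge)
    if len(cryptogram) != len(challenge):
        raise ValueError("cryptogram must be one block, same length as the challenge")
    return EXT_AUTH_HEADER + bytes([len(cryptogram)]) + cryptogram

def explain_status(resp: bytes) -> str:
    """Decode an EXTERNAL AUTHENTICATE response, whose data field is always empty."""
    data, sw = split_response(resp)
    if data:
        raise ValueError("EXTERNAL AUTHENTICATE response data field must be empty")
    return SW_MEANING.get(sw, f"unlisted status {sw:04X}h")
```

In practice `encrypt_ecb` would wrap a TDES or AES-128 single-block ECB encryption from a cryptographic library or an HSM, chosen according to the key type returned by `parse_challenge`.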