<HTML>
<HEAD>
<TITLE>Smart Card Developer's Kit: The Schlumberger Multiflex Smart Card</TITLE>
</HEAD>
<BODY>
<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="092-094.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="096-098.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>
<P><BR></P>
<H4 ALIGN="LEFT"><A NAME="Heading6"></A><FONT COLOR="#000077">Keys and Key Files</FONT></H4>
<P>There are two kinds of keys used in the Multiflex smart card: PIN codes and cryptographic keys. PIN codes are used for card-to-person authentication. Cryptographic keys are used for card-to-computer authentication.
</P>
<P>PIN codes are used by the card to make sure that the person trying to use the card is authorized to do so. PIN codes are usually four digits long, but they can be up to eight digits long. In a typical scenario, the cardholder is asked to enter a PIN code on a keypad or keyboard that is ultimately connected to the card reader containing the card. The entered value is then sent to the card using the <TT>Verify PIN</TT> command. If the entered PIN agrees with the value found in the current PIN file, then the access level on the card is set to <TT>CHV</TT> (which stands for <I>cardholder verified</I>) and the cardholder can perform all operations authorized to the <TT>CHV</TT> access condition.</P>
<P>Cryptographic keys are used by the card to authenticate and be authenticated by the terminal or computer into which the card has been inserted. Authentication is performed by demonstrating knowledge of a cryptographic key. There are four ways cryptographic keys are used:</P>
<DL>
<DD><B>•</B> Verify key—The terminal can demonstrate knowledge of a cryptographic key by simply sending the cryptographic key to the card.
<DD><B>•</B> External authentication—The terminal can demonstrate knowledge of a cryptographic key by using the key to encrypt a challenge provided to it by the card.
<DD><B>•</B> Internal authentication—The card can demonstrate knowledge of a cryptographic key by using the key to encrypt a challenge provided to it by the terminal.
<DD><B>•</B> Protected-mode commands—The terminal can use a command protected by a cryptographic key by sending a challenge encrypted with the key along with the command. (See the section “Protected-Mode Commands” later in this chapter for a full explanation of this use.)
</DL>
<P>External authentication is a better way for a terminal to authenticate itself to the card than the verify key method, because with external authentication the key itself doesn’t pass over the communication line between the terminal and the card.
</P>
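<P>The first three uses above, modeled as an added example that is not from the original text or from the card's own software. It records what crosses the line between terminal and card in each case. The class, function and method names are hypothetical, and because this section names no cipher, a truncated HMAC-SHA256 stands in for "encrypt the challenge with the key".</P>

```python
import hashlib, hmac, secrets

def respond(key: bytes, challenge: bytes) -> bytes:
    # Stand-in for "encrypt the challenge with the key": this section names no
    # cipher, so truncated HMAC-SHA256 is used here (an assumption).
    return hmac.new(key, challenge, hashlib.sha256).digest()[:8]

class Card:
    """Toy card holding one external and one internal key (hypothetical model)."""
    def __init__(self, external_key: bytes, internal_key: bytes):
        self._ext, self._int, self._challenge = external_key, internal_key, None

    def verify_key(self, presented: bytes) -> bool:
        return hmac.compare_digest(presented, self._ext)

    def get_challenge(self) -> bytes:
        self._challenge = secrets.token_bytes(8)
        return self._challenge

    def external_authenticate(self, response: bytes) -> bool:
        challenge, self._challenge = self._challenge, None  # one use per challenge
        return challenge is not None and hmac.compare_digest(
            response, respond(self._ext, challenge))

    def internal_authenticate(self, challenge: bytes) -> bytes:
        return respond(self._int, challenge)

def terminal_verify_key(card: Card, key: bytes):
    wire = [key]                      # the key itself is transmitted
    return card.verify_key(key), wire

def terminal_external_auth(card: Card, key: bytes):
    challenge = card.get_challenge()  # card -> terminal
    response = respond(key, challenge)  # terminal -> card
    return card.external_authenticate(response), [challenge, response]

def terminal_internal_auth(card: Card, key: bytes):
    challenge = secrets.token_bytes(8)  # terminal -> card
    response = card.internal_authenticate(challenge)  # card -> terminal
    ok = hmac.compare_digest(response, respond(key, challenge))
    return ok, [challenge, response]
```

<P>In this model a recorded external authentication response is rejected when replayed, because the card discards each challenge after one use; that single-use behavior is an assumption of the model.</P>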
<P>Each directory on a 3K Multiflex card can contain up to three key files that control access to the files in that directory. A particular directory need not contain any of these key files. It can contain only one, just two, or all three of them. The key files are all transparent elementary files that have special reserved names. The names of the special key files and what each file contains are shown in Table 5.10.</P>
<TABLE WIDTH="100%"><CAPTION ALIGN=LEFT><B>Table 5.10.</B> Standard key files on the 3K Multiflex card.</CAPTION>
<TR>
<TH WIDTH="15%" ALIGN="LEFT">Key File Identifier
<TH WIDTH="20%" ALIGN="LEFT">Key File<BR>Name(s)
<TH WIDTH="40%" ALIGN="LEFT" VALIGN="BOTTOM">Key File Contents
<TH WIDTH="25%" ALIGN="LEFT">Maximum<BR>Number of Keys
<TR>
<TH COLSPAN="4"><HR>
<TR>
<TD>0000<SUB>16</SUB>
<TD>PIN file
<TD>PIN code.
<TD>1
<TR>
<TD VALIGN="TOP">0001<SUB>16</SUB>
<TD VALIGN="TOP">Internal authentication file
<TD>Internal cryptographic keys: Keys used by the card to prove its identity to entities outside itself.
<TD VALIGN="TOP">16
<TR>
<TD VALIGN="TOP">0011<SUB>16</SUB>
<TD VALIGN="TOP">External authentication file
<TD>External cryptographic keys: Keys the card uses to authenticate entities outside itself.
<TD VALIGN="TOP">16
<TR>
<TD COLSPAN="4"><HR>
</TABLE>
<P>If a PIN code file 0000<SUB>16</SUB> is present in the directory, it contains a sequence of 23 bytes describing one PIN code. The format of this descriptor is given in Table 5.11.</P>
<TABLE WIDTH="100%"><CAPTION ALIGN=LEFT><B>Table 5.11.</B> Format of a PIN file.</CAPTION>
<TR>
<TH WIDTH="15%" ALIGN="LEFT">Byte Number
<TH WIDTH="20%" ALIGN="LEFT" VALIGN="BOTTOM">Description
<TH WIDTH="15%" ALIGN="LEFT">Sample Values
<TH WIDTH="25%" ALIGN="LEFT">Interpretation of Sample Values
<TH WIDTH="25%" ALIGN="LEFT" VALIGN="BOTTOM">Comment
<TR>
<TD COLSPAN="5"><HR>
<TR>
<TD VALIGN="TOP">1
<TD VALIGN="TOP">Activation Byte
<TD VALIGN="TOP">FF<SUB>16</SUB>
<TD VALIGN="TOP">PIN is unblocked.
<TD>A value of 00<SUB>16</SUB> means the PIN is blocked.
<TR>
<TD>2
<TD>
<TD>
<TD>
<TD>Reserved for future use.
<TR>
<TD>3
<TD>
<TD>
<TD>
<TD>Reserved for future use.
<TR>
<TD VALIGN="TOP">4-11
<TD VALIGN="TOP">PIN Code
<TD>01<SUB>16</SUB> 02<SUB>16</SUB> 03<SUB>16</SUB> 04<SUB>16</SUB> FF<SUB>16</SUB> FF<SUB>16</SUB> FF<SUB>16</SUB> FF<SUB>16</SUB> FF<SUB>16</SUB>
<TD VALIGN="TOP">PIN is 1234
<TD VALIGN="TOP">A value of means the byte is ignored in checking a presented PIN.
<TR>
<TD VALIGN="TOP">12
<TD VALIGN="TOP">Attempts Allowed
<TD VALIGN="TOP">03<SUB>16</SUB>
<TD VALIGN="TOP">Three sequential incorrect presentations of the PIN will block the PIN.
<TD>When the PIN is blocked you must use the Unblocking PIN and the <TT>Unblock PIN</TT> command to unblock it.
<TR>
<TD VALIGN="TOP">13
<TD VALIGN="TOP">Attempts Remaining
<TD VALIGN="TOP">03<SUB>16</SUB>
<TD VALIGN="TOP">Three more attempts to enter the PIN may be made before it is blocked.
<TD>A successful presentation resets this value to <TT>Attempts Allowed.</TT>
<TR>
<TD VALIGN="TOP">14-21
<TD VALIGN="TOP">Unblocking PIN Code
<TD VALIGN="TOP">08<SUB>16</SUB> 07<SUB>16</SUB> 06<SUB>16</SUB> 05<SUB>16</SUB> 04<SUB>16</SUB> 03<SUB>16</SUB> 02<SUB>16</SUB> 01<SUB>16</SUB>
<TD VALIGN="TOP">87654321 is the PIN code needed to unblock this PIN.
<TD>This key is usually known to the card issuer but not the cardholder. The cardholder must present the card to the card issuer to get it unblocked.
<TR>
<TD VALIGN="TOP">22
<TD VALIGN="TOP">Unblock attempts allowed
<TD VALIGN="TOP">03<SUB>16</SUB>
<TD VALIGN="TOP">Three sequential incorrect presentations of the unblocking key will block the PIN forever.
<TD>There is no way to unblock a blocked unblocking key, so once it is blocked the PIN is blocked forever.
<TR>
<TD VALIGN="TOP">23
<TD VALIGN="TOP">Unblock attempts remaining
<TD VALIGN="TOP">03<SUB>16</SUB>
<TD>Three more attempts at entering the unblocking key may be made before it is blocked forever.
<TD>
<TR>
<TD COLSPAN="5"><HR>
</TABLE>
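<P>A parser for the 23-byte descriptor of Table 5.11 with a model of the two attempt counters, given as an added example that is not from the original text or from the card's own software. All names are hypothetical. It assumes that PIN digits are stored one per byte as in the sample row, that FF<SUB>16</SUB> is the filler value the card ignores (inferred from that row), and that a successful unblock resets both counters.</P>

```python
import struct
from dataclasses import dataclass

FMT = "=B2x8sBB8sBB"   # Table 5.11 layout: 1+2+8+1+1+8+1+1 = 23 bytes
IGNORED = 0xFF         # assumption: filler value, inferred from the sample row
# Constructed from Table 5.11's sample values (reserved = 00, PIN field = 8 bytes).
SAMPLE = bytes.fromhex("ff0000" "01020304ffffffff" "0303" "0807060504030201" "0303")

def _match(stored: bytes, digits: str) -> bool:
    if not (digits.isascii() and digits.isdigit() and len(digits) <= 8):
        return False
    presented = bytes(int(d) for d in digits).ljust(8, b"\xff")
    # Filler positions in the stored code are not checked.
    mismatch = [s ^ p for s, p in zip(stored, presented) if s != IGNORED]
    return not any(mismatch)

@dataclass
class PinFile:
    activation: int                   # FF = unblocked, 00 = blocked
    pin: bytes
    allowed: int
    remaining: int
    unblock_code: bytes
    unblock_allowed: int
    unblock_remaining: int

    @classmethod
    def parse(cls, raw: bytes) -> "PinFile":
        if len(raw) != struct.calcsize(FMT):
            raise ValueError("a PIN file descriptor is exactly 23 bytes")
        return cls(*struct.unpack(FMT, raw))

    def verify(self, digits: str) -> bool:
        if self.activation == 0x00 or self.remaining <= 0:
            return False              # blocked: refuse without comparing
        ok = _match(self.pin, digits)
        self.remaining = self.allowed if ok else self.remaining - 1
        if self.remaining == 0:
            self.activation = 0x00    # last allowed attempt used: block the PIN
        return ok

    def unblock(self, digits: str) -> bool:
        if self.unblock_remaining <= 0:
            return False              # unblocking key is blocked forever
        ok = _match(self.unblock_code, digits)
        if ok:                        # assumption: success resets both counters
            self.activation, self.remaining = 0xFF, self.allowed
        self.unblock_remaining = self.unblock_allowed if ok else self.unblock_remaining - 1
        return ok
```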
</BODY></HTML>