Ctrlk
For the complete documentation index, see llms.txt. This page is also available as Markdown.
Page cover
ChatGPT

Appendix G How to Pair With a Cryptera Encrypting PIN Pad

Some of the commands and notifications described in this application group are designed to support an external Cryptera Encrypting PIN Pad (EPP). To use these functions, the host software must first serve as a broker to pair oDynamo with the Encrypting PIN Pad.

  • Be aware that dismounting the EPP erases all pairing information.

  • Pairing can happen in the field, usually after installation or replacement of the EPP or SCR. Pairing always starts at Step 1.

  • To use the Cryptera EPP, oDynamo must have the Device Signing Keys and certificate installed by the manufacturer. Older devices do not support use of the EPP, even when upgraded in the field with the latest firmware. The host can also check this using Command 0x01::0x04 - Get Device Status and checking the response for tag DF52. If byte 1, bit 6 =1, the device can be used with an EPP.

For additional detail, see the EPP documentation provided by Cryptera.

To pair oDynamo with a Cryptera Encrypting PIN Pad, follow these steps:

  • The operator puts the EPP into the Pre-Activated or Activated state.

  • The host starts the pairing process by sending the EPP Command START_EXCHANGE (no parameters), Response = P1 P2 P3. If P1=OK, use the entire response (P1P2P3) in the next step.

  • The host sends oDynamo Command = Command 0x02::0x0A - EPP Pairing Certificate Exchange (C4 = P1P2P3). Make sure C3 value=0 in the response to confirm success. Use the data in C4 (excluding the tag and length) in the next step.

  • The host sends the EPP Command GENERATE_KEK using the data from the previous step as the parameters. Response = P1 P2 P3. If P1=OK, use the entire response (P1P2P3) for the next step.

  • The host sends oDynamo Command 0x02::0x0C - EPP Pairing Load KEK (C4 = data from the previous step). Check the oDynamo response to make sure C3 value is 0x00 = OK before proceeding.

  • The host sends the EPP Command FETCH_KEY (P1 = “LINK_KGK”) and receives a response P1 P2. If P1 = OK, use the data in P2 for the next step.

  • The host sends oDynamo Command 0x02::0x0D - EPP Pairing Load Derivation Key (C4 = the data from the previous step). Check the oDynamo response to verify C3 value is zero. C4 data is a 3 byte Key Check Value. Save this for the final step.

  • The host sends the EPP Command GET_KCV (“LINK_KGK”). The EPP responds with parameters = Status, KCVZERO, KCVSELF.

  • The host compares the 3 byte Key Check Value from oDynamo with the 3-byte KCVZERO value from the previous step. If they match, pairing is complete.

  • The host can re-check the pairing status at any time by comparing key check values (KCV). The host retrieves the KCV from oDynamo by sending Command 0x02::0x0E - Get Key / Certificate Information with info ID=7, and retrieves a corresponding KCV from the EPP using GET_KCV (“LINK_KGK”) like the steps above. If the values match, pairing is confirmed. If they don’t match, repeat the full pairing process described above.

Last updated