# Application Group 0x02 - Authentication Messages

**Command 0x02::0x0A - EPP Pairing Certificate Exchange**

This command starts the EPP pairing process on oDynamo using the results from the START\_EXCHANGE command on the Encrypting PIN Pad (EPP). The host should use the oDynamo response as the parameters for the next EPP command GENERATE\_KEK. For details about the pairing flow, see Appendix G How to Pair With a Cryptera Encrypting PIN Pad.

## Table - Message Structure for Command 0x02::0x0A - EPP Pairing Certificate Exchange

<table data-header-hidden><thead><tr><th width="74.27273559570312" valign="top"></th><th width="117.63638305664062" valign="top"></th><th valign="top"></th><th></th></tr></thead><tbody><tr><td valign="top">Tag</td><td valign="top">Len</td><td valign="top">Value(s) / Description</td><td></td></tr><tr><td valign="top">C0</td><td valign="top">01</td><td valign="top">01</td><td>Message Type Data Object (Tag C0) = 0x01 Command</td></tr><tr><td valign="top">C1</td><td valign="top">01</td><td valign="top">02</td><td>Application ID Data Object (Tag C1) = 0x02 Authentication Messages</td></tr><tr><td valign="top">C2</td><td valign="top">01</td><td valign="top">0A</td><td>Command ID Data Object (Tag C2) = 0x0A EPP Certificate Exchange</td></tr><tr><td valign="top">C4</td><td valign="top">Calculated</td><td valign="top"><p>Data Field Data Object (Tag C4 or E0) =</p><p>The complete response to the EPP START_EXCHANGE command. Forward it only when the EPP response code indicates OK (first 4 bytes should be 00020000).</p></td><td></td></tr></tbody></table>

If an error occurs, the device will terminate the command and report the error using an ACK Response containing the result code. For a full list of error codes, see 2.4.4 Result Code Data Object (Tag C3). If no error occurs, the device responds as follows:

## Table - Response to Command 0x02::0x0A - EPP Pairing Certificate Exchange

<table data-header-hidden><thead><tr><th width="82.45455932617188" valign="top"></th><th width="109.18182373046875" valign="top"></th><th valign="top"></th><th></th></tr></thead><tbody><tr><td valign="top">Tag</td><td valign="top">Len</td><td valign="top">Value(s) / Description</td><td></td></tr><tr><td valign="top">C0</td><td valign="top">01</td><td valign="top">02</td><td>Message Type Data Object (Tag C0) = 0x02 Response</td></tr><tr><td valign="top">C1</td><td valign="top">01</td><td valign="top">02</td><td>Application ID Data Object (Tag C1) = 0x02 Authentication Messages</td></tr><tr><td valign="top">C2</td><td valign="top">01</td><td valign="top">0A</td><td>Command ID Data Object (Tag C2) = 0x0A EPP Certificate Exchange</td></tr><tr><td valign="top">C3</td><td valign="top">01</td><td valign="top">00</td><td>Result Code Data Object (Tag C3) = 0x00 OK / Done</td></tr><tr><td valign="top">C4</td><td valign="top">Calculated</td><td valign="top"><p>Data Field Data Object (Tag C4 or E0) =</p><p>Provide this data as the parameter portion of the EPP GENERATE_KEK command.</p></td><td></td></tr></tbody></table>

**Command 0x02::0x0B - Get Challenge**

This command directs the device to send challenge data to the host, which the host can then use to perform a specific sensitive operation / modify a specific type of device setting. Information about how the host should pass the required challenge data to the device is included in the documentation for all commands that use this security mechanism.

Upon providing the challenge to the host, the device sets an internal 5-minute countdown timer. When the time limit expires, the device will no longer accept the challenge. This binding of the command to a specific time period allows the device to detect and reject commands that have been captured/intercepted at one point in time and replayed later.

## Table - Message Structure for Command 0x02::0x0B - Get Challenge

<table data-header-hidden><thead><tr><th width="75.18182373046875" valign="top"></th><th width="73.09088134765625" valign="top"></th><th valign="top"></th><th></th></tr></thead><tbody><tr><td valign="top">Tag</td><td valign="top">Len</td><td valign="top">Value(s) / Description</td><td></td></tr><tr><td valign="top">C0</td><td valign="top">01</td><td valign="top">01</td><td>Message Type Data Object (Tag C0) = 0x01 Command</td></tr><tr><td valign="top">C1</td><td valign="top">01</td><td valign="top">02</td><td>Application ID Data Object (Tag C1) = 0x02 Authentication Messages</td></tr><tr><td valign="top">C2</td><td valign="top">01</td><td valign="top">0B</td><td>Command ID Data Object (Tag C2) = 0x0B Get Challenge</td></tr><tr><td valign="top">C4</td><td valign="top">02</td><td valign="top"><p>Data Field Data Object (Tag C4 or E0) = Sub Operation (2 bytes):</p><p>0xDF71 = MSR Initial Key for DUKPT</p><p>0xDF73 = MSR Key Loader Certificate</p><p>0xDF75 = Device Authentication Request signed by MSR Key Loader Certificate</p><p>0xDF7B = Configuration signed by MSR Key Loader Certificate</p><p>0xDF7C = Manufacturer Command</p></td><td></td></tr></tbody></table>

If an error occurs, the device will terminate the command and report the error using an ACK Response containing the result code. For a full list of error codes, see 2.4.4 Result Code Data Object (Tag C3). If no error occurs, the device responds as follows:

## Table - Response to Command 0x02::0x0B - Get Challenge

<table data-header-hidden><thead><tr><th width="71.54547119140625" valign="top"></th><th width="111.3636474609375" valign="top"></th><th valign="top"></th><th></th></tr></thead><tbody><tr><td valign="top">Tag</td><td valign="top">Len</td><td valign="top">Value(s) / Description</td><td></td></tr><tr><td valign="top">C0</td><td valign="top">01</td><td valign="top">02</td><td>Message Type Data Object (Tag C0) = 0x02 Response</td></tr><tr><td valign="top">C1</td><td valign="top">01</td><td valign="top">02</td><td>Application ID Data Object (Tag C1) = 0x02 Authentication Messages</td></tr><tr><td valign="top">C2</td><td valign="top">01</td><td valign="top">0B</td><td>Command ID Data Object (Tag C2) = 0x0B Get Challenge</td></tr><tr><td valign="top">C3</td><td valign="top">01</td><td valign="top">00</td><td>Result Code Data Object (Tag C3) = 0x00 OK / Done</td></tr><tr><td valign="top">E0</td><td valign="top">Calculated</td><td valign="top"><p>Data Field Data Object (Tag C4 or E0) =</p><p>Bytes 0..1 Sub Operation:</p><p>0xDF71 = MSR Initial Key for DUKPT</p><p>0xDF73 = MSR Key Loader Certificate</p><p>0xDF75 = Device Authentication Request signed by MSR Key Loader Certificate</p><p>0xDF7B = Configuration signed by MSR Key Loader Certificate</p><p>0xDF7C = Manufacturer Command</p><p>Bytes 2..13 Data Block:</p><p>Bytes 2..9 = 8 bytes device serial number</p><p>Bytes 10..13 = 4 bytes random token</p></td><td></td></tr></tbody></table>
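The host side of the Get Challenge exchange, as an added example that is not code from the oDynamo manual or from MagTek: it builds the command for a sub operation, parses the response into sub operation, serial number and random token, and mirrors the device's 5-minute window so a stale challenge is refetched rather than sent. The single-byte tag/length framing of the data objects, the helper names (`tlv`, `parse_tlv`) and the sample response bytes are assumptions.

```python
import time
from dataclasses import dataclass

# Sub operation codes from the Get Challenge tables (sent as 2 big-endian bytes).
SUB_OPS = {
    0xDF71: "MSR Initial Key for DUKPT",
    0xDF73: "MSR Key Loader Certificate",
    0xDF75: "Device Authentication Request signed by MSR Key Loader Certificate",
    0xDF7B: "Configuration signed by MSR Key Loader Certificate",
    0xDF7C: "Manufacturer Command",
}
CHALLENGE_TTL = 5 * 60  # the device stops accepting the challenge after 5 minutes

def tlv(tag: int, value: bytes) -> bytes:
    # Assumption: 1-byte tag and 1-byte length; every Get Challenge value is short.
    if len(value) >= 0x80:
        raise ValueError("value too long for a single-byte length")
    return bytes([tag, len(value)]) + value

def parse_tlv(buf: bytes) -> dict:
    # Inverse of tlv(): {tag: value} for a concatenation of data objects.
    objs, i = {}, 0
    while i + 2 <= len(buf):
        tag, n = buf[i], buf[i + 1]
        objs[tag] = buf[i + 2:i + 2 + n]
        i += 2 + n
    return objs

def build_get_challenge(sub_op: int) -> bytes:
    """Command 0x02::0x0B: C0=01 (Command), C1=02, C2=0B, C4=<2-byte sub operation>."""
    if sub_op not in SUB_OPS:
        raise ValueError(f"unknown sub operation {sub_op:#06x}")
    return (tlv(0xC0, b"\x01") + tlv(0xC1, b"\x02") + tlv(0xC2, b"\x0B")
            + tlv(0xC4, sub_op.to_bytes(2, "big")))

@dataclass(frozen=True)
class Challenge:
    sub_op: int
    serial: bytes     # bytes 2..9 of the data block: 8-byte device serial number
    token: bytes      # bytes 10..13: 4-byte random token
    issued_at: float  # host clock reading when the challenge arrived

def parse_get_challenge_response(msg: bytes, now=time.time) -> Challenge:
    objs = parse_tlv(msg)
    if (objs.get(0xC0), objs.get(0xC1), objs.get(0xC2)) != (b"\x02", b"\x02", b"\x0B"):
        raise ValueError("not a Get Challenge response")
    if objs.get(0xC3) != b"\x00":
        raise ValueError(f"device reported result code {objs.get(0xC3)!r}")
    data = objs.get(0xE0, objs.get(0xC4, b""))  # the data field may use tag C4 or E0
    if len(data) != 14:
        raise ValueError(f"expected 14 data bytes, got {len(data)}")
    sub_op = int.from_bytes(data[0:2], "big")
    if sub_op not in SUB_OPS:
        raise ValueError(f"unexpected sub operation {sub_op:#06x}")
    return Challenge(sub_op, data[2:10], data[10:14], now())

def challenge_usable(ch: Challenge, sub_op: int, now=time.time) -> bool:
    # Mirror the device's 5-minute window so a stale or mismatched challenge is
    # refetched rather than sent (the device would reject it as a replay anyway).
    return ch.sub_op == sub_op and now() - ch.issued_at < CHALLENGE_TTL

# Constructed sample response (not captured from a device): OK result, E0 data =
# sub operation DF73, serial "12345678", token A1B2C3D4.
SAMPLE_RESPONSE = bytes.fromhex("C00102C10102C2010BC30100E00EDF733132333435363738A1B2C3D4")
```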

**Command 0x02::0x0C - EPP Pairing Load KEK**

This command is the second step in the EPP pairing process after Command 0x02::0x0A - EPP Pairing Certificate Exchange has completed successfully. This step loads a temporary key from the EPP that will be used during the third step of pairing (Command 0x02::0x0D - EPP Pairing Load Derivation Key). For details about the pairing flow, see Appendix G How to Pair With a Cryptera Encrypting PIN Pad.

## Table - Message Structure for Command 0x02::0x0C - EPP Pairing Load KEK

<table data-header-hidden><thead><tr><th width="82.45455932617188" valign="top"></th><th width="106.45452880859375" valign="top"></th><th valign="top"></th><th></th></tr></thead><tbody><tr><td valign="top">Tag</td><td valign="top">Len</td><td valign="top">Value(s) / Description</td><td></td></tr><tr><td valign="top">C0</td><td valign="top">01</td><td valign="top">01</td><td>Message Type Data Object (Tag C0) = 0x01 Command</td></tr><tr><td valign="top">C1</td><td valign="top">01</td><td valign="top">02</td><td>Application ID Data Object (Tag C1) = 0x02 Authentication Messages</td></tr><tr><td valign="top">C2</td><td valign="top">01</td><td valign="top">0C</td><td>Command ID Data Object (Tag C2) = 0x0C Load KEK</td></tr><tr><td valign="top">C4</td><td valign="top">Calculated</td><td valign="top"><p>Data Field Data Object (Tag C4 or E0) =</p><p>The complete response from the EPP GENERATE_KEK command. Forward it only when the EPP response code is OK (first 4 bytes should be 00020000).</p></td><td></td></tr></tbody></table>

If an error occurs, the device will terminate the command and report the error using an ACK Response containing the result code. For a full list of error codes, see 2.4.4 Result Code Data Object (Tag C3). If no error occurs, the device responds as follows:

## Table - Response to Command 0x02::0x0C - EPP Pairing Load KEK

<table data-header-hidden><thead><tr><th width="80.63638305664062" valign="top"></th><th width="65.63638305664062" valign="top"></th><th width="200.9090576171875" valign="top"></th><th></th></tr></thead><tbody><tr><td valign="top">Tag</td><td valign="top">Len</td><td valign="top">Value(s) / Description</td><td></td></tr><tr><td valign="top">C0</td><td valign="top">01</td><td valign="top">02</td><td>Message Type Data Object (Tag C0) = 0x02 Response</td></tr><tr><td valign="top">C1</td><td valign="top">01</td><td valign="top">02</td><td>Application ID Data Object (Tag C1) = 0x02 Authentication Messages</td></tr><tr><td valign="top">C2</td><td valign="top">01</td><td valign="top">0C</td><td>Command ID Data Object (Tag C2) = 0x0C Load KEK</td></tr><tr><td valign="top">C3</td><td valign="top">01</td><td valign="top">00</td><td>Result Code Data Object (Tag C3) = 0x00 OK / Done</td></tr></tbody></table>

**Command 0x02::0x0D - EPP Pairing Load Derivation Key**

This command is used for the third and final step of the EPP pairing process. It securely loads a key shared with the paired EPP. This key is used to derive the keys that protect the PIN and PAN sent to/from the EPP. For details about the pairing flow, see Appendix G How to Pair With a Cryptera Encrypting PIN Pad.

## Table - Message Structure for Command 0x02::0x0D - EPP Pairing Load Derivation Key

<table data-header-hidden><thead><tr><th width="70.63638305664062" valign="top"></th><th width="108.6363525390625" valign="top"></th><th valign="top"></th><th></th></tr></thead><tbody><tr><td valign="top">Tag</td><td valign="top">Len</td><td valign="top">Value(s) / Description</td><td></td></tr><tr><td valign="top">C0</td><td valign="top">01</td><td valign="top">01</td><td>Message Type Data Object (Tag C0) = 0x01 Command</td></tr><tr><td valign="top">C1</td><td valign="top">01</td><td valign="top">02</td><td>Application ID Data Object (Tag C1) = 0x02 Authentication Messages</td></tr><tr><td valign="top">C2</td><td valign="top">01</td><td valign="top">0D</td><td>Command ID Data Object (Tag C2) = 0x0D Load Derivation Key</td></tr><tr><td valign="top">C4</td><td valign="top">Calculated</td><td valign="top"><p>Data Field Data Object (Tag C4 or E0) =</p><p>The complete EPP response to the FETCH_KEY(LINK_KGK) command. Forward it only when the response code was OK (response starts with "B0080B0TX").</p></td><td></td></tr></tbody></table>

If an error occurs, the device will terminate the command and report the error using an ACK Response containing the result code. For a full list of error codes, see 2.4.4 Result Code Data Object (Tag C3). If no error occurs, the device responds as follows:

## Table - Response to Command 0x02::0x0D - EPP Pairing Load Derivation Key

<table data-header-hidden><thead><tr><th width="75.18182373046875" valign="top"></th><th width="72.18182373046875" valign="top"></th><th valign="top"></th><th></th></tr></thead><tbody><tr><td valign="top">Tag</td><td valign="top">Len</td><td valign="top">Value(s) / Description</td><td></td></tr><tr><td valign="top">C0</td><td valign="top">01</td><td valign="top">02</td><td>Message Type Data Object (Tag C0) = 0x02 Response</td></tr><tr><td valign="top">C1</td><td valign="top">01</td><td valign="top">02</td><td>Application ID Data Object (Tag C1) = 0x02 Authentication Messages</td></tr><tr><td valign="top">C2</td><td valign="top">01</td><td valign="top">0D</td><td>Command ID Data Object (Tag C2) = 0x0D Load Derivation Key</td></tr><tr><td valign="top">C3</td><td valign="top">01</td><td valign="top">00</td><td>Result Code Data Object (Tag C3) = 0x00 OK / Done</td></tr><tr><td valign="top">C4</td><td valign="top">03</td><td valign="top">3-byte EPP Key KCV. Compare this with the KCV read from the EPP to confirm that the pairing process is complete and correct.</td><td></td></tr></tbody></table>
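Host-side sequencing of the three pairing commands (0x0A, 0x0C, 0x0D), as an added example that is not MagTek's code: each EPP response is checked for the OK marker the tables give before it is forwarded, a step cannot be built until the device acknowledged the previous one with result code 0x00, and the final KCV comparison is done in constant time. The BER-style length encoding of the data objects and the class and method names are assumptions.

```python
import hmac

EPP_OK_PREFIX = bytes.fromhex("00020000")  # OK marker for START_EXCHANGE / GENERATE_KEK
FETCH_KEY_OK_PREFIX = b"B0080B0TX"         # OK marker the page gives for FETCH_KEY(LINK_KGK)
CERT_EXCHANGE, LOAD_KEK, LOAD_DERIVATION_KEY = 0x0A, 0x0C, 0x0D

def tlv(tag: int, value: bytes) -> bytes:
    # Assumption: 1-byte tag, BER-style definite length (EPP blobs can exceed 127 bytes).
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + value

def build_command(cmd_id: int, data: bytes) -> bytes:
    """Application group 0x02 command: C0=01, C1=02, C2=<command id>, C4=<data field>."""
    return (tlv(0xC0, b"\x01") + tlv(0xC1, b"\x02")
            + tlv(0xC2, bytes([cmd_id])) + tlv(0xC4, data))

class EppPairing:
    """Orders the three oDynamo pairing commands; each one is built only after the
    EPP reported OK for its input and the device acknowledged the previous step."""

    def __init__(self) -> None:
        self.step = 0        # steps the device has acknowledged with C3 = 0x00
        self.pending = None  # command id still waiting for the device's response

    def _gate(self, expected_step: int, epp_resp: bytes, ok_prefix: bytes, epp_cmd: str) -> None:
        if self.step != expected_step or self.pending is not None:
            raise RuntimeError(f"pairing step out of order ({self.step} steps completed)")
        if not epp_resp.startswith(ok_prefix):
            raise ValueError(f"EPP {epp_cmd} did not report OK; do not forward it")

    def certificate_exchange(self, start_exchange_resp: bytes) -> bytes:
        self._gate(0, start_exchange_resp, EPP_OK_PREFIX, "START_EXCHANGE")
        self.pending = CERT_EXCHANGE
        return build_command(CERT_EXCHANGE, start_exchange_resp)

    def load_kek(self, generate_kek_resp: bytes) -> bytes:
        self._gate(1, generate_kek_resp, EPP_OK_PREFIX, "GENERATE_KEK")
        self.pending = LOAD_KEK
        return build_command(LOAD_KEK, generate_kek_resp)

    def load_derivation_key(self, fetch_key_resp: bytes) -> bytes:
        self._gate(2, fetch_key_resp, FETCH_KEY_OK_PREFIX, "FETCH_KEY(LINK_KGK)")
        self.pending = LOAD_DERIVATION_KEY
        return build_command(LOAD_DERIVATION_KEY, fetch_key_resp)

    def acknowledge(self, result_code: int) -> None:
        """Feed in the C3 result code of the device's response to the pending command."""
        if self.pending is None:
            raise RuntimeError("no command pending")
        failed, self.pending = self.pending, None
        if result_code != 0x00:
            self.step = 0  # the device terminated the command; pairing restarts from step 1
            raise ValueError(f"device rejected command {failed:#04x} with result {result_code:#04x}")
        self.step += 1

    def confirm(self, odynamo_kcv: bytes, epp_kcv: bytes) -> bool:
        """Step 3 returns a 3-byte KCV; pairing is complete only if it matches the EPP's KCV."""
        if self.step != 3:
            raise RuntimeError("all three steps must be acknowledged before confirming")
        return len(odynamo_kcv) == 3 and hmac.compare_digest(odynamo_kcv, epp_kcv)
```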

**Command 0x02::0x0E - Get Key / Certificate Information**

The host uses this command to get key or certificate information from the device.

## Table - Message Structure for Command 0x02::0x0E - Get Key / Certificate Information

<table data-header-hidden><thead><tr><th width="67.90908813476562" valign="top"></th><th width="110.54544067382812" valign="top"></th><th valign="top"></th><th></th></tr></thead><tbody><tr><td valign="top">Tag</td><td valign="top">Len</td><td valign="top">Value(s) / Description</td><td></td></tr><tr><td valign="top">C0</td><td valign="top">01</td><td valign="top">01</td><td>Message Type Data Object (Tag C0) = 0x01 Command</td></tr><tr><td valign="top">C1</td><td valign="top">01</td><td valign="top">02</td><td>Application ID Data Object (Tag C1) = 0x02 Authentication Messages</td></tr><tr><td valign="top">C2</td><td valign="top">01</td><td valign="top">0E</td><td>Command ID Data Object (Tag C2) = 0x0E Get Key / Certificate Information</td></tr><tr><td valign="top">C4</td><td valign="top">Calculated</td><td valign="top">Data Field Data Object (Tag C4 or E0) = Byte 0 Info ID from Table 4-49</td><td></td></tr></tbody></table>

If an error occurs, the device terminates the command and reports the error using an ACK Response containing the result code. For a full list of error codes, see 2.4.4 Result Code Data Object (Tag C3).

If no error occurs, the device responds by immediately sending two or more instances of Notification 0x01::0x10 - Big Block Device Data, which the host should concatenate, then interpret as follows:

## Table - Response to Command 0x02::0x0E - Get Key / Certificate Information

<table data-header-hidden><thead><tr><th width="77" valign="top"></th><th width="107.54547119140625" valign="top"></th><th valign="top"></th><th></th></tr></thead><tbody><tr><td valign="top">Tag</td><td valign="top">Len</td><td valign="top">Value(s) / Description</td><td></td></tr><tr><td valign="top">C0</td><td valign="top">01</td><td valign="top">02</td><td>Message Type Data Object (Tag C0) = 0x02 Response</td></tr><tr><td valign="top">C1</td><td valign="top">01</td><td valign="top">02</td><td>Application ID Data Object (Tag C1) = 0x02 Authentication Messages</td></tr><tr><td valign="top">C2</td><td valign="top">01</td><td valign="top">0E</td><td>Command ID Data Object (Tag C2) = 0x0E Get Key / Certificate Information</td></tr><tr><td valign="top">C3</td><td valign="top">01</td><td valign="top">00</td><td>Result Code Data Object (Tag C3) = 0x00 OK / Done</td></tr><tr><td valign="top">C4</td><td valign="top">Calculated</td><td valign="top"><p>Data Field Data Object (Tag C4 or E0) =</p><p>Byte 0 Info ID from Table 4-49</p><p>Byte 1 Key Status. If Info ID &#x3C; 0x80: 0x00 = Empty (default), 0x01 = OK, 0x02 = Exhausted. If Info ID = 0x80: 0x00 to 0x05 = KCV type from Table 4-49</p><p>Byte 2 Data Length corresponding to the selected Info ID, as shown in Table 4-49</p><p>Bytes 3.. Data corresponding to the selected Info ID, as shown in Table 4-49</p></td><td></td></tr></tbody></table>

## Table - Table of Info IDs and Data

<table data-header-hidden><thead><tr><th valign="top"></th><th valign="top"></th><th valign="top"></th><th valign="top"></th><th valign="top"></th></tr></thead><tbody><tr><td valign="top">Info ID</td><td valign="top">Key Status</td><td valign="top">Data Length</td><td valign="top">Data</td><td valign="top">Description</td></tr><tr><td valign="top">0x00</td><td valign="top">1</td><td valign="top">Label length</td><td valign="top">AMK (Acquirer Master Key) label</td><td valign="top">If AMK (Acquirer Master Key) exists</td></tr><tr><td valign="top">0x01,0x02</td><td valign="top">2</td><td valign="top">20</td><td valign="top">KSN</td><td valign="top">If no more keys</td></tr><tr><td valign="top">0x02</td><td valign="top">1</td><td valign="top">20</td><td valign="top">KSN</td><td valign="top">MSR key</td></tr><tr><td valign="top">0x04</td><td valign="top">1</td><td valign="top">Calculated (&#x3C;=59)</td><td valign="top">SN &#x26; subject's DN**</td><td valign="top">If MSR cert exists</td></tr><tr><td valign="top">0x07</td><td valign="top">1</td><td valign="top">Calculated (&#x3C;=20)</td><td valign="top">KCV &#x26; EPP SN length &#x26; EPP SN</td><td valign="top">Data and KCV for EPP Paired Key</td></tr><tr><td valign="top">0x80</td><td valign="top">kcv_type=1</td><td valign="top">4</td><td valign="top">KCV value</td><td valign="top">KCV for MSR key</td></tr><tr><td valign="top">0x80</td><td valign="top">kcv_type=2</td><td valign="top">4</td><td valign="top">KCV value</td><td valign="top">KCV for AMK (signed by MSR cert)</td></tr><tr><td valign="top">0x80</td><td valign="top">kcv_type=5</td><td valign="top">4</td><td valign="top">Hash value</td><td valign="top">Device Authentication Token signed by MSR Key Loader Certificate</td></tr></tbody></table>

{% hint style="info" %}
\*: lbllen = auth key's label length

\*\*: SN = serial number of cert; DN = distinguished name of the subject or issuer of the cert. Data length varies with the SN and DN length; the maximum length is 59.

\*\*\*: its corresponding CA cert

\*\*\*\*: KCV = Key Check Value, where the lowest 6 digits are valid
{% endhint %}
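An added example (not from the manual or from MagTek) that reassembles the Big Block Device Data notifications and decodes the Get Key / Certificate Information data field by the response table above, rejecting a data length that contradicts the length byte or exceeds the limit the Info ID table gives. The function and field names and the sample blocks are assumptions; the contents of the per-Info-ID data (label, KSN, SN/DN) are returned raw rather than interpreted.

```python
from dataclasses import dataclass

KEY_STATUS = {0x00: "Empty", 0x01: "OK", 0x02: "Exhausted"}  # byte 1 when Info ID < 0x80
KCV_TYPES = {1: "KCV for MSR key", 2: "KCV for AMK", 5: "Device Authentication Token hash"}
# Maximum data length per Info ID from the Info ID table; 0x00 is bounded only by the
# AMK label length, so it is not listed here.
MAX_DATA_LEN = {0x01: 20, 0x02: 20, 0x04: 59, 0x07: 20, 0x80: 4}

@dataclass(frozen=True)
class KeyInfo:
    info_id: int
    status: str   # key status, or the KCV type name when info_id == 0x80
    data: bytes   # bytes 3.. of the data field, exactly `length` bytes long

def reassemble_big_blocks(blocks: list) -> bytes:
    # The device answers with two or more Big Block Device Data notifications;
    # the host concatenates their payloads in arrival order.
    if len(blocks) < 2:
        raise ValueError("expected two or more Big Block notifications")
    return b"".join(blocks)

def parse_key_info(data: bytes) -> KeyInfo:
    """Decode byte 0 Info ID, byte 1 status / KCV type, byte 2 length, bytes 3.. data."""
    if len(data) < 3:
        raise ValueError("data field shorter than the 3-byte header")
    info_id, status_byte, length = data[0], data[1], data[2]
    payload = data[3:]
    if len(payload) != length:
        raise ValueError(f"length byte says {length} but {len(payload)} data bytes follow")
    if info_id == 0x80:
        if status_byte > 0x05:
            raise ValueError(f"KCV type {status_byte:#04x} outside 0x00..0x05")
        status = KCV_TYPES.get(status_byte, f"KCV type {status_byte}")
    elif info_id < 0x80:
        if status_byte not in KEY_STATUS:
            raise ValueError(f"unknown key status {status_byte:#04x}")
        status = KEY_STATUS[status_byte]
    else:
        raise ValueError(f"Info ID {info_id:#04x} is not listed in the Info ID table")
    limit = MAX_DATA_LEN.get(info_id)
    if limit is not None and length > limit:
        raise ValueError(f"Info ID {info_id:#04x} data exceeds {limit} bytes")
    return KeyInfo(info_id, status, payload)

# Constructed sample (not device output): Info ID 0x02 (MSR key), status OK,
# 20-byte KSN split across two Big Block notifications.
SAMPLE_BLOCKS = [bytes.fromhex("020114") + b"FFFF987654", b"3210E00001"]
```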

**Command 0x02::0x58 - Request Device Certificates**

The host uses this command to request the Device Certificate, which the host would generally pass to Magensa web services that generate signed byte sequences for remote configuration commands.

## Table - Message Structure for Command 0x02::0x58 - Request Device Certificates

<table data-header-hidden><thead><tr><th width="73.3636474609375" valign="top"></th><th width="73.09091186523438" valign="top"></th><th valign="top"></th><th></th></tr></thead><tbody><tr><td valign="top">Tag</td><td valign="top">Len</td><td valign="top">Value(s) / Description</td><td></td></tr><tr><td valign="top">C0</td><td valign="top">01</td><td valign="top">01</td><td>Message Type Data Object (Tag C0) = 0x01 Command</td></tr><tr><td valign="top">C1</td><td valign="top">01</td><td valign="top">02</td><td>Application ID Data Object (Tag C1) = 0x02 Authentication Messages</td></tr><tr><td valign="top">C2</td><td valign="top">01</td><td valign="top">58</td><td>Command ID Data Object (Tag C2) = 0x58 Key Handling or Manufacturer Command</td></tr><tr><td valign="top">E0</td><td valign="top">02</td><td valign="top"><p>Data Field Data Object (Tag C4 or E0) =</p><p>0xDF6E = Request Device Certificate, or</p><p>0xDF72 = Request Device Signing Certificate</p></td><td></td></tr></tbody></table>

If an error occurs, the device will terminate the command and report the error using an ACK Response containing the result code. For a full list of error codes, see 2.4.4 Result Code Data Object (Tag C3). If no error occurs, the device responds as follows:

## Table - Response to Command 0x02::0x58 - Request Device Certificates

<table data-header-hidden><thead><tr><th width="76.09091186523438" valign="top"></th><th width="116.63638305664062" valign="top"></th><th valign="top"></th><th></th></tr></thead><tbody><tr><td valign="top">Tag</td><td valign="top">Len</td><td valign="top">Value(s) / Description</td><td></td></tr><tr><td valign="top">C0</td><td valign="top">01</td><td valign="top">02</td><td>Message Type Data Object (Tag C0) = 0x02 Response</td></tr><tr><td valign="top">C1</td><td valign="top">01</td><td valign="top">02</td><td>Application ID Data Object (Tag C1) = 0x02 Authentication Messages</td></tr><tr><td valign="top">C2</td><td valign="top">01</td><td valign="top">58</td><td>Command ID Data Object (Tag C2) = 0x58 Key Handling or Manufacturer Command</td></tr><tr><td valign="top">C3</td><td valign="top">01</td><td valign="top">00</td><td>Result Code Data Object (Tag C3) = 0x00 OK / Done</td></tr><tr><td valign="top">C4</td><td valign="top">Calculated</td><td valign="top"><p>Data Field Data Object (Tag C4 or E0) =</p><p>X.509 Device certificate in DER format</p></td><td></td></tr></tbody></table>

The host should then wait (up to 90 seconds in some cases) for the device to respond synchronously with the requested data.

