EXT000C: Shared Secret Authentication
- Extension dependencies:
EXT0008 - Document status: Approved (2020-02-01)
Two-way authentication using 256-bit secret key known to application. Device must have unique UID for application to find its key.
Limitation: Application stores all secret keys in clear text. Compromised application list affects all devices; keys cannot be changed on sold devices. See EXT0011 for more secure alternative.
Commands
Section titled “Commands”0016 Device-Server Shared Secret Authentication
Section titled “0016 Device-Server Shared Secret Authentication”Client generates two random sequences, sends them with hash of first sequence + secret key. Device verifies, responds with hash of second sequence + secret key.
For each connection, client is unauthenticated with minimum rights (commands 0000, 0001, 0012, 0016, encryption setup).
Request:
<TID> 3900 0062 0016 <DTOKEN> <STOKEN> <CHALLENGE>Response:
<TID> 3900 0022 0016 <ANSWER>| Field | Length | Description |
|---|---|---|
DTOKEN | 32 bytes | Random 256-bit sequence |
STOKEN | 32 bytes | Random 256-bit sequence |
CHALLENGE | 32 bytes | First 256 bits of SHA-512(DTOKEN + SKEY) |
ANSWER | 32 bytes | First 256 bits of SHA-512(STOKEN + SKEY) |
Errors:
| Code | Description |
|---|---|
0010 | Hash mismatch (client auth error) |
0011 | Too many requests, try later |