iProtect™ Charon

Technical Manual | TM-20210309-TP-26

iProtect Access / Security | Installation |

This manual represents the knowledge at the above-mentioned time. TKH Security works continuously to improve its products. For the most recent technical information please contact your consultant or dealer.


1 Introduction

This document describes the Charon module in iProtect. It explains its purpose and how it should be configured.

The Charon is a module that can be added to Pluto. The Charon can contain up to 4 SAM (Secure Access Module) cards.

Integrating a SAM into the system makes the system more secure. The SAM handles all key management and cryptography in a secure way.

The Charon is connected to a USB port on the Pluto with the USB cable that is supplied with the Charon. It therefore does not occupy an Orion position, so 4 Orions can still be used.

The Charon is placed immediately to the right of the Pluto.


2 Installing the Charon

2.1 License and versions

There is no license involved for the use of the Charon.

Charon support:

  • iProtect version: 10.00 or higher

  • Reader manager: 5.03.13 or higher

Reader type and reader firmware:

  • TKH Security I30, I80 and I80p with firmware version 1.6.24.1.1

  • TKH Security IX30 with firmware version 2.0.5.a.1 or higher

2.2 SAM cards

Inside the Charon there are 4 card slots where the SAM card (NXP Mifare SAM AV2) can be placed. It is recommended that you select, place and configure the SAM cards with your project manager.

2.3 Mounting the Charon

The Charon is connected to a USB port on the Pluto with the USB cable that is supplied with the Charon. It therefore does not occupy an Orion position, so 4 Orions can still be used.

The Charon is placed immediately to the right of the Pluto.


3 Programming

3.1 SAM cards in iProtect

In the iProtect application there is nothing to set up: the Charon with its SAMs is detected automatically and reported to the iProtect database.
SAM cards are visible under the reader manager, and the detail screen shows basic information about each SAM:

Device: The device name (at the Linux level of the Pluto) of this SAM card

Node: The node name this SAM/Charon is connected to.

moduleId: The ID of this SAM card on the node. This ID must be used by the reader to select this SAM card for the decoding of the card.

Serial number: The unique serial number of this SAM card

Batch number: Production batch number of this SAM card

Production date: The production date of this SAM card

Last update time: The time stamp of the last change on this SAM card (keys stored / changed etc.)

Connected: Shows whether the SAM card is online.

For Reader Manager versions earlier than 06.00.07 it is important to fully configure all SAM cards that are placed in the Charon, even those that are not being used.

3.2 SAM applications

The applications that are present on the SAM cards are listed in:

Menu: Installation | Hardware | Security access module

3.3 SAM events

The following events are shown in the event overview when a Charon is connected to the Pluto and the SAM cards are detected when the node manager starts.

• sam event => sam action: sam connected, Node: 001.00, Reader manager, 127.0.0.1, Serial Number: 04333312E85180, Serial port name: /dev/ttyUSB0, Production date: 05/01/2017

• sam event => sam action: sam found key entry, Node: 001.00, Reader manager, 127.0.0.1, Serial Number: 04333312E85180, Sam key type: PICC(active), df aid: 92f7, Ver A: 0, Ver B: 0, Ver C: 0, df key number: 1, KeyNoCEK: 5, KeyVCEK: 0, RefNoKUC: ff, SET: 824, extSET: 1

For every SAM card that is detected by the node manager a SAM Connected event is generated, giving the SAM serial number, port name and production date. The port name indicates in which slot of the Charon the SAM card is found.
For every valid Mifare DESFire key entry that is found on the SAM card, the key type and AID of the file are given, along with a number of other key properties. This can be used to verify whether it is a Rijkspas SAM or not.

When a Charon is disconnected from the Pluto, a SAM disconnected event is generated:

• sam event => sam action: sam disconnected, Node: 003.00, Reader manager, 127.0.0.1, Serial Number: 042D300AAB3680
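The event lines shown above can be turned into a simple inventory check for the Charon. The following is an added example, not part of this manual or of TKH's software: it parses the three event shapes printed above (the sample lines are constructed from them), records per SAM serial whether it is connected, in which slot (serial port name) it was found and which AIDs were reported, and reports how many of the Charon's 4 slots have no connected SAM. Field names are taken from the events as printed; grouping the bare "Reader manager" and IP fields under "source" is an assumption of this example.

```python
from collections import defaultdict

# Constructed sample lines, copied in shape from the three events in this manual.
SAMPLE_EVENTS = [
    "sam event => sam action: sam connected, Node: 001.00, Reader manager, 127.0.0.1, "
    "Serial Number: 04333312E85180, Serial port name: /dev/ttyUSB0, Production date: 05/01/2017",
    "sam event => sam action: sam found key entry, Node: 001.00, Reader manager, 127.0.0.1, "
    "Serial Number: 04333312E85180, Sam key type: PICC(active), df aid: 92f7, Ver A: 0, Ver B: 0, "
    "Ver C: 0, df key number: 1, KeyNoCEK: 5, KeyVCEK: 0, RefNoKUC: ff, SET: 824, extSET: 1",
    "sam event => sam action: sam disconnected, Node: 003.00, Reader manager, 127.0.0.1, "
    "Serial Number: 042D300AAB3680",
]

PREFIX = "sam event => "


def parse_sam_event(line):
    """Split one 'sam event' line into a dict of its 'key: value' fields.
    Fields without a 'key: value' shape (e.g. 'Reader manager', '127.0.0.1')
    are collected under 'source' (an assumption of this example)."""
    if not line.startswith(PREFIX):
        return None
    fields = {"source": []}
    for part in line[len(PREFIX):].split(", "):
        key, sep, value = part.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
        else:
            fields["source"].append(part.strip())
    return fields


def sam_inventory(lines):
    """Build per-serial SAM state from the event stream: connection status,
    Charon slot (serial port name), node and the df AIDs whose key entries
    were reported."""
    sams = defaultdict(lambda: {"connected": False, "port": None, "node": None, "aids": []})
    for line in lines:
        ev = parse_sam_event(line)
        if ev is None or "Serial Number" not in ev:
            continue  # not a SAM event, or no serial to key on
        sam = sams[ev["Serial Number"]]
        sam["node"] = ev.get("Node", sam["node"])
        action = ev.get("sam action")
        if action == "sam connected":
            sam["connected"] = True
            sam["port"] = ev.get("Serial port name")  # slot the SAM was found in
        elif action == "sam disconnected":
            sam["connected"] = False
        elif action == "sam found key entry":
            sam["aids"].append(ev.get("df aid"))
    return dict(sams)


def check_expected_sams(inventory, expected=4):
    """Report serials that are offline and how many of the Charon's slots
    (4 by default) currently have no connected SAM."""
    offline = sorted(s for s, st in inventory.items() if not st["connected"])
    online = len(inventory) - len(offline)
    return {"offline": offline, "missing": max(0, expected - online)}
```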


4 Reader configuration

To instruct the Readermanager that it should use the keys that are stored in the SAM card, a special reader script must be provisioned to the reader.

4.1 Reader script

The script below tells the Readermanager that this reader should use the SAM card with moduleId 0.

In the above script the command LoadKeystoreKey tells the Readermanager to authenticate itself to the SAM with the key "MK" from the keystore (which has been provisioned to the Readermanager beforehand).

The following part, selectAppl aid="F79200", checks whether the card that is offered to the reader is a configuration card. If that is not the case, the samRijkspasScript will be executed using the SAM with id=0.

If there are 4 SAM cards present in a Charon, there will be 4 different reader scripts with samId=0, 1, 2 and 3. By provisioning these scripts to the readers on the line you determine which reader uses which SAM, and in this way spread the load. These scripts are called use_SamX.xml with X=0, 1, 2, 3.

For Reader Manager version 5.03.41 or later, a new command setLed is available and its use in the reader script is recommended. See the note in the next section below.

For Reader Manager versions earlier than 06.00.07 it is important to fully configure all SAM cards that are placed in the Charon, even those that are not being used.

4.2 Reader keys

Loading the correct keystore in the SAM and instructing the SAM which generation keys to use is a process that requires a number of steps.

  1. Initially the SAM will contain only one application (with AID 92f7 and TKH Security specific keys).

  2. By provisioning a keystore file that contains the TKH specific keys (RM-SAM.ktl) to the Readermanager node, the Readermanager obtains the correct keys to communicate with the SAM. Once this has been provisioned successfully to the Readermanager, this provisioning element can be removed from the node.

  3. Now the SAM will accept project specific configuration cards. With these cards the keysets can be configured that are used to read the access cards.

  4. First of all a configuration card must be presented that changes the TKH Security specific keys to Customer/Rijkspas specific keys.

  5. Now the first customer configuration card (G0->G0) can be offered to the reader. The customer specific applications are loaded in the SAM. If you have 4 SAMs in the Charon module connected to a Pluto, you will have to present the G0->G0 card to 4 readers to configure all SAMs.

  6. If in the future it is necessary to start using the next generation keyset on the SAM card, you can offer the G0->G1 configuration card to the corresponding reader.


5 Reader configuration preparation step-by-step

5.1 Set-up Media elements (duality)

Add the needed “elements” to the iProtect database as “media element”.

Required:

  • Reader manager: ≥ 05.03.13

  • Reader keystore: project specific keystore (example: project-x.ktl)

  • Reader script per SAM (4x) (example: combi-sam0_v3.xml, combi-sam1_v3.xml, …)

  • Combi script for duality

  • Rijkspas only script to disable duality

  • Reader manager keystore SAM (example: reader-manager_SAM.ktl)

Go to:

  • General | Settings | Media element

  • Add “Media element”

  • Type “Provisioner”

  • Add specific name (copy name details of the element)


Example:

5.2 Set-up Provisioning elements (duality)

Add the needed “Media elements” to the iProtect database as “Provisioning element”.

Required:

  • Reader manager: ≥ 05.03.13

  • Reader keystore: project specific keystore (example: project-x.ktl)

  • Reader script per SAM (4x) (example: combi-sam0_v3.xml, combi-sam1_v3.xml,…)

  • Reader manager keystore SAM (example: reader-manager_SAM.ktl)

Go to:

  • Installation | Settings | Provisioner | Provisioner element

  • Add “Provisioner element”

Reader manager

  • Type “Reader manager”

  • Active: Yes

  • Add specific name (copy name details of the Media element)

Reader keystore

  • Type “Reader keystore”

  • Active: Yes

  • Add specific name (copy name details of the Media element)

Reader script (per SAM, so 4x)

  • Type “Sirius all”

  • Active: Yes

  • Add specific name (copy name details of the Media element)

Reader manager keystore SAM

  • Type “_SAM update”

  • Active: Yes

  • Add specific name (copy name details of the Media element)

5.3 Set-up reader provisioner group (duality)

To create duality (KeyStore reader manager & SAM) a reader provisioner group has to be created.

Add the needed “Provisioning elements” to an iProtect “Provisioner group”.

  • Provisioner group type: reader config

  • Provisioner group name: for example “project-x_and_Rijkspas_Orion_x-1”

Needed elements:

  • Reader KeyStore: provisioner file “Reader KeyStore: project-x.ktl”

  • Sirius all: Reader script duality (example: combi-sam0_v3.xml)

  • Provisioner group type: reader config

  • Provisioner group name: for example “project-x_and_Rijkspas_Orion_x-2”

Needed elements:

  • Reader KeyStore: provisioner file “Reader KeyStore: project-x.ktl”

  • Sirius all: Reader script duality (example: combi-sam1_v3.xml)

  • Provisioner group type: reader config

  • Provisioner group name: for example “project-x_and_Rijkspas_Orion_x-3”

Needed elements:

  • Reader KeyStore: provisioner file “Reader KeyStore: project-x.ktl”

  • Sirius all: Reader script duality (example: combi-sam2_v3.xml)

  • Provisioner group type: reader config

  • Provisioner group name: for example “project-x_and_Rijkspas_Orion_x-4”

Needed elements:

  • Reader KeyStore: provisioner file “Reader KeyStore: project-x.ktl”

  • Sirius all: Reader script duality (example: combi-sam3_v3.xml)

5.4 Set-up reader provisioner group (Rijkspas only)

To eliminate duality later on and create “Rijkspas only” (via SAM), a reader provisioner group has to be created.

Add the needed “Provisioning elements” to an iProtect “Provisioner group”.

  • Provisioner group type: reader config

  • Provisioner group name: for example “Rijkspas-only_Orion_x-1”

Needed element:

  • Sirius all: Reader script duality (example: static-rijkspas-sam0.xml)

  • Provisioner group type: reader config

  • Provisioner group name: for example “Rijkspas-only_Orion_x-2”

Needed element:

  • Sirius all: Reader script duality (example: static-rijkspas-sam1.xml)

  • Provisioner group type: reader config

  • Provisioner group name: for example “Rijkspas-only_Orion_x-3”

Needed element:

  • Sirius all: Reader script duality (example: static-rijkspas-sam2.xml)

  • Provisioner group type: reader config

  • Provisioner group name: for example “Rijkspas-only_Orion_x-4”

Needed element:

  • Sirius all: Reader script duality (example: static-rijkspas-sam3.xml)

5.5 Set-up node provisioner group (RM-SAM) KeyStore

By provisioning a keystore file that contains the TKH specific keys (RM-SAM.ktl) to the Readermanager node, the Readermanager obtains the correct keys to communicate with the SAM. Once this has been provisioned successfully to the Readermanager, this provisioning element can be removed from the node.

Add the needed “Provisioning element” to an iProtect “Provisioner group”.

  • Provisioner group type: node

  • Provisioner group name: for example “SAM_KS.ktl”

Needed element:

  • _SAM update: (example: reader-manager_SAM.ktl)


6 Commissioning

6.1 Commissioning duality

  • First make sure that the Pluto, Orion and readers are operating correctly with iProtect.

  • Make sure that the Mifare DESFire access card of the project is read correctly.

  • Attach the reader config provisioner group “project-x_and_Rijkspas_Orion_x-1” to one or both readers connected to Orion x-1.

  • Do the same for the reader(s) on Orion x-2 with provisioner group “project-x_and_Rijkspas_Orion_x-2”.

  • Do the same for the reader(s) on Orion x-3 with provisioner group “project-x_and_Rijkspas_Orion_x-3”.

  • Do the same for the reader(s) on Orion x-4 with provisioner group “project-x_and_Rijkspas_Orion_x-4”.

  • Make sure that all the readers can still read the project Mifare DESFire access cards.

  • Connect the Charon to the Pluto using the USB cable and the USB ports on both devices.

  • Make sure that all the SAMs are recognized and are visible in iProtect.
    o SAMs are visible under the reader manager node of the Pluto line.

  • Provision the reader manager node with the “RM-SAM.ktl” via the provisioner group.

  • The reader manager will restart after provisioning (see overview “Last events”).

  • After the reader manager has been provisioned successfully with the “SAM-KS.ktl”, this provisioner group should be set to “blanco” at the reader manager node.

  • Then reset the Pluto line.

  • The Charon SAMs are now ready to be configured with the Rijkspas keys.


Note: it is possible to analyse the configuration process via PuTTY (SSH). SSH has to be enabled on the Pluto server box and on the network.

6.2 Commissioning “Rijkspas only”

When duality is no longer needed and should be removed irreversibly, follow the steps below.

  • Provision the reader(s) with the “Rijkspas-only” reader config files.

  • This removes the reader project KeyStore and the duality script from the reader.

  • Now the reader configuration can only access the SAM, with which the Rijkspas can be read.

  • After all the readers have been set to “Rijkspas-only” and tested for correct operation, the project specific KeyStore (project-x.ktl) should be removed as provisioner element and media element on the iProtect server.