Master Key Derivation

Introduction
Each bank owns its Issuer Master Keys. From these keys, unique keys are derived for each card and, in turn, for each transaction.
The key derivation is performed with the Triple DES algorithm.
A bank owns four types of Issuer Master Key (IMK):
Application Cryptogram (AC)
Secure Messaging Integrity (SMI)
Secure Messaging Confidentiality (SMC)
ICC Dynamic Number (IDN)

A Master Key (MK) is dedicated to each card. The Master Key is associated with the card during the personalisation
phase.
The Master Keys are derived from the Issuer Master Keys, one MK per IMK type (AC, SMI, SMC, IDN).
Master Key Derivation

Master Key derivation process


The Master Key Derivation method takes as input the PAN and PAN Sequence Number, plus a 16-byte Issuer Master
Key IMK, and produces the 16-byte ICC Master Key.

Input Data : PAN (Primary Account Number), PAN_SN (PAN Sequence Number), IMK (Issuer Master Key)
Output Data : MK (Master Key)

1. Y = PAN || PAN_SN ; ( || concatenation operation )
2. ZL = DES3 (IMK) (Y) ;
3. ZR = DES3 (IMK) (Y xor ('FF' || 'FF' || 'FF' || 'FF' || 'FF' || 'FF' || 'FF' || 'FF')) ;
4. Z = ZL || ZR ;

The 16-byte ICC Master Key MK is then equal to Z, with the exception of the least significant bit of each byte of Z
which is set to a value that ensures that each of the 16 bytes of MK has an odd number of non-zero bits (this is to
conform with the odd parity requirements for DES keys).
Explanation for each step :
1. First, we concatenate the decimal digits of the PAN with the PAN Sequence Number and reduce the result to exactly 8 bytes (16 digits), since Y is encrypted as a single DES block: if the digit string is longer than 16 digits, keep the rightmost 16; if it is shorter, pad it on the left with zeros (this is the rule of EMV Book 2, Option A). The 'F' filler nibbles used when the PAN is stored on the card are not part of the input. ( Example : the PAN 1234567890123 is stored on the card as "12 34 56 78 90 12 3F FF" ; PAN_SN = "01" ; the digit string 123456789012301 has 15 digits, so Y = "01 23 45 67 89 01 23 01" )
2. We apply the Triple DES algorithm, keyed with IMK, to Y. The result is stored in ZL. ZL is 8 bytes long.
3. We apply the Triple DES algorithm, keyed with IMK, to Y after performing an XOR operation between Y and eight bytes set to 'FF'. The result is stored in ZR. ZR is 8 bytes long.
4. The concatenation of ZL and ZR is stored in Z. Z is 16 bytes long.
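The four steps above, followed by the parity adjustment, carried through in Go as an added example; this is not code from the original page, and the IMK value and PAN in it are constructed test data (a real IMK never leaves the issuer's HSM). The page's DES3(IMK)(Y) is taken to mean 2-key Triple DES in EDE mode on a single 8-byte block, so the 16-byte IMK is expanded to K1 || K2 || K1 for the standard library's 24-byte key API. Function names (BuildY, FixParity, DeriveMK) are this example's own.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
)

// tdesEncryptBlock encrypts one 8-byte block under a 16-byte (2-key) Triple DES
// key in EDE mode, which is what the page's DES3(IMK)(Y) denotes. crypto/des
// wants 24 key bytes, so the double-length key is expanded to K1 || K2 || K1.
func tdesEncryptBlock(key16, block []byte) ([]byte, error) {
	if len(key16) != 16 || len(block) != 8 {
		return nil, fmt.Errorf("need a 16-byte key and an 8-byte block")
	}
	key24 := append(append([]byte{}, key16...), key16[:8]...)
	c, err := des.NewTripleDESCipher(key24)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out, nil
}

// BuildY forms the 8-byte derivation input Y (step 1) from the decimal digits of
// the PAN and the PAN Sequence Number: keep the rightmost 16 digits and left-pad
// with zeros (EMV Book 2, Option A). The 'F' filler nibbles used when the PAN is
// stored on the card are not part of the input and are rejected here.
func BuildY(pan, panSN string) ([]byte, error) {
	digits := pan + panSN
	for _, c := range digits {
		if c < '0' || c > '9' {
			return nil, fmt.Errorf("PAN and PAN_SN must be decimal digits, got %q", digits)
		}
	}
	if len(digits) > 16 {
		digits = digits[len(digits)-16:]
	}
	digits = strings.Repeat("0", 16-len(digits)) + digits
	return hex.DecodeString(digits) // 16 decimal digits -> 8 BCD bytes
}

// FixParity forces odd parity on every byte by adjusting only its least
// significant bit, as required for DES keys; the other seven bits are kept.
func FixParity(k []byte) []byte {
	out := make([]byte, len(k))
	for i, b := range k {
		if bits.OnesCount8(b)%2 == 0 {
			b ^= 0x01
		}
		out[i] = b
	}
	return out
}

// DeriveMK runs the page's four steps (Y, ZL, ZR, Z) and the parity fix.
func DeriveMK(imk []byte, pan, panSN string) ([]byte, error) {
	y, err := BuildY(pan, panSN)
	if err != nil {
		return nil, err
	}
	zl, err := tdesEncryptBlock(imk, y) // step 2: ZL = DES3(IMK)(Y)
	if err != nil {
		return nil, err
	}
	yInv := make([]byte, 8)
	for i := range y {
		yInv[i] = y[i] ^ 0xFF // step 3 input: Y xor FF..FF
	}
	zr, err := tdesEncryptBlock(imk, yInv) // step 3: ZR
	if err != nil {
		return nil, err
	}
	z := append(zl, zr...) // step 4: Z = ZL || ZR
	return FixParity(z), nil
}

func main() {
	// Constructed IMK for illustration only; a real IMK lives inside the issuer's HSM.
	imk, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")
	for _, psn := range []string{"00", "01"} {
		mk, err := DeriveMK(imk, "1234567890123", psn)
		if err != nil {
			panic(err)
		}
		fmt.Printf("PAN_SN %s -> MK %X\n", psn, mk)
	}
}
```

Running it for two PAN Sequence Numbers shows why PAN_SN is part of Y: a replacement card with the same PAN gets a different MK. The parity step only ever touches the low bit of each byte, so the 56 effective key bits of each DES half are exactly what Triple DES produced.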

Conclusion
Master Key Derivation is the middle step in the Key Derivation Process: the Issuer Master Key yields the card's Master Key, and the Master Key in turn yields the session keys used for each transaction.

Glossary

ARC : Authorisation Response Code. The issuer's answer to an authorisation request. The issuer's responses are typically: approve the transaction, decline the transaction, call your bank...
ARQC : Authorisation ReQuest Cryptogram. The cryptogram generated by the card for transactions requiring online authorisation and sent to the issuer in the authorisation request. The issuer validates the ARQC during online card authentication to ensure that the card is authentic, was not created using skimmed data and that the data stored in the card has not been altered since card issuance.
ARPC : Authorisation ResPonse Cryptogram. A cryptogram generated by the issuer and sent to the card in the authorisation response. It is computed from the Authorisation Request Cryptogram (ARQC) and the issuer's Authorisation Response Code (ARC), encrypted with the card's secret key. The card validates it during online issuer authentication to ensure that the response came from a valid issuer.
Authentication : A cryptographic process that validates the integrity of data and its origin.
Card master keys : These keys are used to generate session keys unique to each transaction. The card uses these session keys to compute ARQCs and to validate the issuer's ARPCs.
Cryptogram : A numeric value that is the result of data elements put into an algorithm and then encrypted. It is commonly used to validate data integrity.
DES : Data Encryption Standard, a symmetric cryptographic algorithm.
IAD : Issuer Authentication Data. Data sent to the card from the issuer host for online issuer authentication.
IMK : Issuer Master Keys are used to generate the unique card master keys for each card during personalisation. The issuer host uses them to recover the card master keys in order to validate ARQCs and generate ARPCs.
MAC : Message Authentication Code. A numeric value generated using a cryptographic algorithm, which establishes that the contents of a message have not been changed and that the message was generated by an authorised entity.
PAN : Primary Account Number, the cardholder's account number.
PAN SN : PAN Sequence Number, which identifies and differentiates cards with the same PAN.
Session Key : A temporary cryptographic key, computed for one transaction and no longer valid after the end of that transaction.