# ARPC calculation algorithm

**Algorithm for calculating ARPC**

ARD is padded on the right with six null bytes: X:=(ARD||’00’| |’00’| |’00’| |’00’| |’00’| |’00’);

D:=ARQC@X;

ARPC: – DES3(SK”c) [DJ;

a 10-byte Issuer Authentication Data element (Tag ’91’) is generated, representing the Issuer Authentication Data=ARPC| (ARC.

Method 2. The ARPC cryptogram is calculated by the Issuer using the 3 IS0 / IEC 9797-1 algorithm for calculating the MAC value using the session 16-byte 5kls key, the ARQC value, the 4-byte Card Status Update (CSU) data element, and the Proprietary Authentication Data element with a size from 0 to 8 bytes.** Here is an algorithm for calculating ARPC:**

the y=ARQC| |CSU| | Proprietary Authentication Data element is being built;

the y element uses the 3 IS0/IEC 9797-1 Algorithm to calculate the MAC value using the 16-byte session key SK, r and the size of the MAC value is selected as 4 bytes;

an issue Authentication Data element is generated (Tag ’91’), which is an issue Authentication Data=ARPC||CSU|jProprietary authentication Data.

Secure data transmission (Secure Messaging)

Secure data transfer of commands transmitted from the Issuer to the card is defined by ISO 7816-4 and EMV standards.

There are two mechanisms for secure data transfer commands:

mechanism for ensuring the integrity of data transmitted in the command and authentication of the data source (Secure Messaging for Integrity and Authentication);

mechanism for ensuring the confidentiality of transmitted data (Secure Messaging for Confidentiality).

Data protection mechanisms allow two formats for representing the command data field:

Format 1, when the command data field is represented in BER-TLV encoding. To identify this case, the second half-byte of the CLA byte of the command takes the value ‘ C’h;

Format 2, when the command data field is not represented in BER-TLV encoding. To identify this case, the second half-byte OF the CLA byte of the command takes the value ‘ 4’h.

The formats of the data field of the command that ensures the integrity and authentication of the data source are shown in Fig. 3.13 and 3.14.

Tag 1 Length 1 Value 1 Tag 2 Length 2 Value 2

T L size Value

L bytes ‘8E1 4-8

MAC bytes

(4-8 bytes)

Value 1 Value 2

Command data (if present) * MAC (4-8 bytes)

If the command data field contains data that requires encryption to ensure its confidentiality, then, as described in section 9.3 of Book 2 of the EMV 4.1 standard, this data is presented as

Tag Length Value

T L Encrypted data or byte for adding characters / / Encrypted data

Format of the data object for the encrypted element

data when Using the 1 format of the protected data field

teams

Value 1 Value 2

Encrypted MAC data (4-8 bytes)

Format of the protected data field of the protected command in Format 2

Note that when using Format 2, the entire command data field is encrypted for privacy, except for the MAC value.

For possible tag values for the command data field template in Format 1, as well as the data object for the encrypted data element when using Format 1, see sections 9.2 and 9.3 of Book 2 of the EMV 4.1 standard.

The MAC value is calculated using the 3 IS0/IEC 9797-1 Algorithm described in clause 3.11.3, using the SKOT session key (16 bytes) used by the card for this transaction. The MAC value is calculated for data containing the command header (CLA INS PI P2) and the command data field. When using Format 2, the full list of data for which the MAC is calculated is determined by the payment system.

Data is encrypted using the 3DES algorithm using the SKSMf card session encryption key (16 bytes), as described in clause 3.16.2.

Key management

To ensure the security of operations performed using IPC, the card stores keys of both symmetric and asymmetric encryption algorithms. Asymmetric encryption algorithms are used for dynamic authentication of the card and encryption of the PIN code transmitted from the terminal to the card. Key pairs (public and private) for asymmetric encryption algorithms are generated either directly by the IPC or by the card Issuer. These keys are linked to the card Issuer via certificates of public keys generated by the card Issuer.

This is not the case with symmetric encryption algorithms. These algorithms assume that there is a common secret between the parties using them, and therefore they are used in EMV only for interaction between the card and its Issuer.

A hierarchical key management structure is used to improve the security of operations in terms of using symmetric encryption algorithms. Symmetric keys in the EMV standard can be used for various purposes — keys for generating cryptograms, ensuring confidentiality and integrity of information exchange between the card and the Issuer. The Issuer creates a master key for a specific purpose, which is intended for generating keys for the same purpose. The Issuer’s master key is used for a certain set of Issuer’s cards, usually identified by an identifier issued to the Bank by the payment system (Bank identification number, or BIN for short). With the help of a certain diversification mode defined by the Issuer, it generates for each card from the mentioned set a personal card key of the same purpose as the Issuer’s key. In turn, the card generates a session key of the same purpose for each transaction using the card key and the Issuer-defined diversification mode.

This hierarchical system of generating symmetric keys increases the cost of fraudsters to implement fraud, which means that it allows you to increase the security of operations performed using IPC. Indeed, a fraudster who has access only to the details of the card transaction (the most accessible, and therefore the cheapest option for a fraudster) can hope to compromise the card’s session keys. Even by compromising these keys, the fraudster will achieve almost nothing, because the next operation will use new session keys, and to find out, you need to compromise the card keys.

After spending a lot of effort and compromising the card keys, the fraudster will get access to the operations of only one card. To access the operations of other cards, you must know the Issuer’s key.

Thus, ensuring the confidentiality of the Issuer’s keys becomes the holiest of holies in the schemes for ensuring the security of IPC operations. However, it’s time to remind you that the IPC stores a whole set of keys for symmetric and asymmetric encryption. So compromising the Issuer’s key for a specific purpose, in addition to being difficult to implement, gives the fraudster virtually no chance of success. Unfortunately, there are other ways to cheat the IPC

Let’s consider algorithms for generating card keys and session keys.

Procedure for withdrawing card keys from the Issuer’s keys

An EMV card application can use the following 16-byte keys of symmetric encryption algorithms to perform a transaction (see Chapter 5 for keys for card personalization) :

MK, C-ICC Master Key for AC generation (key for output of a session key intended for generating applied cryptograms of the card);

ICS-ICC Master Key for Secure Messaging for Integrity and Authentication (key for output of the session key used to ensure the integrity of data transmitted in the command and authentication of the data source of the command);

Shj-CS Master Key for Secure Messaging for Confidentiality (key for output of the session key used to ensure the confidentiality of data transmitted in the command);

MK/sh-KS Master Key for KS Dynamic Number Generation (the key used to generate the value of KS Dynamic Number).

All the listed keys in turn are obtained from the corresponding keys of the card Issuer

It is the Issuer’s prerogative to select the algorithm for extracting the card key from the Issuer’s key. Meanwhile, the EMV standard offers its own version of key output. Note that the recommendation of the EMV standard becomes law for many card manufacturers. Except

in addition, payment systems on behalf of the card Issuer perform the function of backup authorization on behalf of the Issuer (Stand-In mode) in case of unavailability of the latter (failure of the processing center of the Issuer or communication problems). To be able to do this, the payment system must be able to output the card key and session key from the Issuer’s key.

The EMV V. 4. 1 standard offers the following algorithm for extracting the MK card key from the IMK Issuer’s key.

Case 1. The size of the PAN card number is equal to or less than 16 digits. Get an 8-byte y number by concatenating the PAN and PAN Sequence Number data elements (if the last data element is missing on the card, it is replaced with the ’00’h byte). Note that if the concatenation of the PAN and PAN Sequence Number elements results in a number less than 8 bytes, it is supplemented on the right with half-bytes of the form ‘O’h until a number of 8 bytes is obtained. If the size of the resulting number is more than 8 bytes, then the rightmost 8 bytes of this number are taken as Y.

After the number Y is received, the left and right components of the card key ZL and ZR are calculated:

Zl=DES3(IMK) [Y];

ZR = DES3(IMK) [Y © (FF\ \ ‘FF’\ \ ‘FF’\ \ ‘FF’\ \ ‘FF’\ / W\ \ ‘FF’\ / 7-F)]

Case 2. The size of the PAN card number is greater than 16 digits. In this case, the algorithm for displaying the card key is as follows:

The PAN and PAN Sequence Number data elements are concatenated (if the last data element is missing on the card, it is replaced with the ’00’h byte). If the card number contains an odd number of digits, a half-byte ‘O’h is added to the previously received sequence on the left.

The Sha-1 hashing algorithm is applied to the sequence obtained in the previous step. The result is an X sequence consisting of 40 half-bytes. Moving along the x sequence from left to right, we sequentially select the half-bytes that correspond to the decimal digits (0, 1,…, 9). As a result of this procedure, the sequence y is obtained.If its size is not less than 16 digits, then the first 16 digits on the left are selected from it. Otherwise, moving along X from left to right, the half-bytes of X corresponding to non-decimal digits are converted to half-bytes corresponding to decimal digits using the decimalization table:

The “decimalized” half-bytes are added to the right of the G until a sequence consisting of 16 decimal digits is obtained.

After getting Y, the card key MK = (ZL\ZR) is calculated the same way as in the case of 1.

The procedure for deriving the session key

Selecting the procedure for output of the session key SK =(SKL\SKR), where SKL and SKR are 8 — byte numbers, from the master key of the card is the prerogative of the card Issuer. In EMV specifications prior to version 4.0, there was a single informal restriction on converting the output of the session key SK=F(MK) [X], which was that the number of possible values of the function F was sufficiently large and evenly distributed. Later, version 4.0 of the EMV standard also required that the probability of repeating the diversification data X be low, and a key tree output algorithm (AVDC) was proposed to output the session key from the card key value and the PBX transaction counter.

Payment systems recommended that issuers use the SKD(M)[X] function to output session keys with the key M from the 8-byte diversification sequence L ‘= (L ‘0||X1||x2||X3| / X4| / X’5||X’ 6| / L ‘ 7), defined by the equalities:

SKD(M)[X] = (SXJ |SX„);

SKL = ocsm [X0| |XJ I W| |X3| |X4| |X5| |X,| |X7); SK, = DESmiXA m I ‘or| |X3| |X4| |X5| / X,| |X,).

When displaying the skac session key required for calculating the applied cryptogram, it was suggested to use the 8-byte sequence X = (PBX\ j’O’j I’O’i \UN) as a diversification mode, where PBX is a 2 — byte transaction counter, UN is a 4-6 — byte random number (Unpredictable Number) generated by the terminal. This structure of the diversification mode explains the type of transformation SKD(M) [X]. In fact, the conversion value does not depend on the XG byte, which always consists of zero bits for the selected diversification mode structure, since the element has a size of 2 bytes.

When displaying session keys for the algorithm for ensuring the integrity of data transmitted in the command and authentication of the data source SKSMI, as well as for the algorithm for ensuring the confidentiality of data transmitted in the command SK5MC, it was proposed to use the 8-byte cryptogram ARQC as a diversification mode X.

In version 4.0 of the EMV standard, an additional optional key tree output algorithm was proposed for calculating session keys, described below. This algorithm is also provided in version 4.1 of the EMV standard.

We consider a tree with height H and the size of the branch of each vertex B. It is obvious that at level 0 216-1 is fulfilled.

Consider converting f (X, Y, j) of two 16-byte numbers X, Y, and an integer j to a 16-byte number. The transformation of f(X, Y,j) has the form:

Z = f(X, Y, j) = (DES3{X) [YL ® j (modb)]\DES3(X) [YR ® j(modb)]),

where Yl and Yr are 8-byte numbers such that Y = (^11^)-

It is obvious that the inverse transformation exists and is dened by equality:

K = f-1 (/, Z, j) = [DESr1{X) [ZL]@j(modb)\DES3-\X) [ZR]@y(modb))

where ZL and ZR are 8-byte numbers such that Z = (ZL\ZR).

For each vertex of the tree, we recursively define 16-byte numbers IK.. as follows:

where MK — the master key of the card; IV — the initial sequence of 16 bytes in size; the ” / ” sign indicates division completely (only an integer part of the number obtained as a result of division remains).

Then for the specified PBX we define the value of the session key

cha SK{ATC) = IKHMC ® IKH_2MC/b

Note that the above definition has one important property. To calculate SK (ATC), you only need to know the values of IKjATC/bH_i for 1 <i<H. Note that all points of the form (i,ATC/bH~’), where 1</<W, lie on a single branch of the tree coming from its root (0,0). Therefore, for any l<i<H, the value is IK.depends on the IK values.. for two adjacent vertexes of this tree branch located directly above the vertex (i, PBX / Bn~’).

Then the recurrent definition of SK(ATC) can be represented using the following algorithm:

GP: = MK;

P: = f(MK, IV, A0); Forl<i<H-ldo T: = P;

P: = f(P, GP, af);

GP: = T end;

SK(ATC): = <b{P, GP, aH.l)@GP

The VISA payment system has implemented the AVDC algorithm described in ITS vis 1.4.0 and higher specifications to output session keys. Received as a result of using AVDC when the original cryptogram was named after the application version number “Cryptogram version 14”. Due to some legal problems related to the patent purity of the AVDC algorithm, the payment system sent a letter to the participating banks in early September 2005 to terminate the use of Cryptogram 14 in VISA cards.

Restrictions on the size of asymmetric encryption keys

Recall that for the lengths (expressed in bytes) of the asymmetric encryption public key modules of the certification authority of the Nca payment system, the NR Issuer, and the NIC card, the following relation is true

At the same time, there are additional restrictions on the size of modules for the specified keys. In particular, the length of the Value field of the AEF Data Template object does not exceed 251 bytes (see clause 3.6). This means that the size of the ICC Public Key Certificate (Tag ‘9F46’) and ICC PIN Encryption Public Key Certificate (Tag ‘9F2D’) data objects is less than or equal to 251 bytes. Since the length of the key module exceeds 127 bytes, the length of the Length field of these objects will be equal to 2 bytes, it follows that the size of the Value field does not exceed 247 bytes. Since the length of the certificate is equal to the length of the module of the Issuer’s open key, it follows that the NIC<Nj< 247 inequality always holds.

The CDA method also imposes a limit on the size of the NIC card key module. The Response Template (77′) structure for the GENERATE AC/CDA command looks like this (all data lengths in bytes)

As you can see from the table, the size of the Response Template changes in the range from NK+16 to NIC+ 51 bytes. On the other hand, according to EMV V. 4.1, the data field of the command response is no more than 256 bytes.

It follows that when using the CDA method, the size of the card key module can change in the range from 205 to 240 bytes. Payment systems have already started distributing their public keys with a module size of 248 bytes. So the specified restriction is critical.

The DDA card authentication method may impose a limit on the size of the NK card key module. The response to the INTERNAL AUTHENTICATE command may contain, along with the mandatory Signed Dynamic Application Data element, some special data elements that are not specified in the EMV standard and are represented in BER-TLV encoding. In this case, the Format 2 of the command response data field is used (the Tag 77 ‘ template is used for composite data objects represented in BER – TLV encoding). This means that 7 bytes will be spent on the Tag and Length fields of the template and the Signed Dynamic Application Data object (Tag ‘9F4B’). Thus, the limit on the size of the card public key module, expressed in bytes, in this case looks like this: A/;f< 249-Z, where Z is the total size of all special data objects returned to the terminal in response to the INTERNAL AUTHENTICATE command.