Advanced Guide: ARQC/ARPC Generation in EMV Transactions

[Cloned Boy]

This in-depth technical guide covers ARQC (Authorization Request Cryptogram) and ARPC (Authorization Response Cryptogram) generation, which are fundamental to EMV chip card authentication. Understanding these mechanisms is crucial for EMV research and security analysis.

Table of Contents​

1. What Are ARQC & ARPC?
2. Cryptographic Foundations
3. ARQC Generation Process
4. ARPC Generation Process
5. Real-World Testing with ART Tool
6. Bypassing ARQC/ARPC (Security Considerations)
7. Further Research & Resources

1. What Are ARQC & ARPC?​

ARQC (Authorization Request Cryptogram)​

• Generated by the EMV chip card during a transaction.
• Acts as a dynamic authentication signature.
• Proves the card is genuine (not cloned).
• Contains:
  • Transaction details (amount, terminal ID, etc.)
  • A unique unpredictable number (UN) from the terminal.
  • A session key derived from the card’s master key.

ARPC (Authorization Response Cryptogram)​

• Generated by the issuer bank in response to ARQC.
• Validates the transaction approval/decline.
• May include:
  • Authorization code (if approved).
  • Cryptogram Version Number (CVN) for security.

Why Are They Important?​

• ARQC ensures the card is not cloned (static data attacks fail).
• ARPC ensures the issuer approves the transaction.
• Dynamic nature makes EMV harder to clone than magstripe.

2. Cryptographic Foundations​

ARQC/ARPC rely on TDES (Triple DES) or AES encryption with:

• ICC Master Key (IMK) – Unique to each card.
• Session Key (SK) – Derived from IMK + ATC (Application Transaction Counter).
• Data Authentication Code (ARQC/ARPC) – Generated via ISO 9797-1 MAC.

Key Derivation Process​

1. ATC (Application Transaction Counter) increments per transaction.
2. Session Key (SK) = DeriveKey(IMK, ATC)
3. ARQC = MAC(SK, Transaction Data)

Example (TDES Key Derivation)

from Crypto.Cipher import DES3

# ICC Master Key (IMK) – Usually 16-24 bytes
imk = bytes.fromhex("0123456789ABCDEFFEDCBA9876543210")

# ATC (Application Transaction Counter) – 2 bytes
atc = bytes.fromhex("0001")

# Derive Session Key (SK)
sk = derive_emv_session_key(imk, atc)  # Uses EMV key derivation spec

3. ARQC Generation Process​

Step 1: Terminal Sends "GET PROCESSING OPTIONS" (GPO)​

• The terminal requests transaction initialization.
• APDU Command:
  

  80 A8 00 00 02 83 00 00

Step 2: Card Responds with PDOL & AFL​

• PDOL (Processing Options Data Object List) – Specifies dynamic data needed.
• AFL (Application File Locator) – Tells terminal where to read records.

Step 3: Terminal Provides Dynamic Data​

• Unpredictable Number (UN) – Random 4-8 bytes from terminal.
• Transaction Amount, Currency, etc.

Step 4: Card Computes ARQC​

• Uses:
  • Session Key (SK)
  • Transaction Data (Amount, UN, ATC, etc.)
  • ISO 9797-1 MAC Algorithm

Python ARQC Simulation

from Crypto.Cipher import DES3
from Crypto.Util.Padding import pad

def generate_arqc(sk, data):
cipher = DES3.new(sk, DES3.MODE_CBC, iv=b'\x00'*8)
padded_data = pad(data, 8)
mac = cipher.encrypt(padded_data)[-8:]  # Last 8 bytes = MAC
return mac

# Example:
sk = bytes.fromhex("00112233445566778899AABBCCDDEEFF")
txn_data = bytes.fromhex("11223344556677880001000000000000")
arqc = generate_arqc(sk, txn_data)
print("ARQC:", arqc.hex())  # e.g., "A1B2C3D4E5F6G7H8"

4. ARPC Generation Process​

Step 1: Issuer Receives ARQC​

• Bank validates ARQC using same Session Key (SK).

Step 2: Issuer Generates ARPC​

• If Approved:
  • ARPC = MAC(SK, ARQC + Auth Code + Proprietary Data)
• If Declined:
  • ARPC = MAC(SK, ARQC + Decline Reason)

Step 3: Terminal Validates ARPC​

• Ensures the response is from the real issuer.

Python ARPC Simulation

def generate_arpc(sk, arqc, auth_code="00"):
response_data = arqc + bytes.fromhex(auth_code)
cipher = DES3.new(sk, DES3.MODE_CBC, iv=b'\x00'*8)
padded_data = pad(response_data, 8)
mac = cipher.encrypt(padded_data)[-8:]
return mac

# Example:
arpc = generate_arpc(sk, arqc, "00")
print("ARPC:", arpc.hex())  # e.g., "F1E2D3C4B5A69788"

5. Real-World Testing with ART Tool​

Step 1: Load IST File into ART Tool​

• Ensures correct AID, CAP keys, and PDOL.

Step 2: Simulate Transaction​

1. Terminal sends GPO → Card responds with PDOL.
2. Terminal provides UN, Amount, etc.
3. Card generates ARQC → Sent to issuer.
4. Issuer returns ARPC → Terminal approves/declines.

Step 3: Analyze Logs​

• Check if ARQC matches expected value.
• If ARQC fails:
  • Wrong Session Key? (Check IMK derivation)
  • Incorrect PDOL? (Verify transaction data)

6. Bypassing ARQC/ARPC (Security Considerations)​

Why It’s Difficult​

• Dynamic ARQC changes per transaction (unlike static magstripe).
• Issuer checks (velocity, cryptogram history).
• DDA/CDA (offline dynamic authentication).

Possible Attack Vectors (Theoretical)​

1. ARQC Replay Attack (Only works if terminal doesn’t check ATC).
2. Weak IMK Extraction (If master key is leaked).
3. JCOP Manipulation (Forcing static ARQC).

7. Further Research & Resources​

Recommended Tools​

• PyResMan (EMV APDU analysis)
• EMVFoundry (Advanced IST manipulation)
• OpenEMV (Open-source EMV research)

Reading Material​

• EMV Book 2 (Security & Key Management)
• ISO 9797-1 (MAC Algorithms)
• NIST SP 800-57 (Key Derivation)

Final Summary​

• ARQC = Card’s dynamic auth cryptogram.
• ARPC = Issuer’s response cryptogram.
• Relies on TDES/AES + Session Keys.
• ART Tool helps simulate & test.
• Extremely hard to bypass in modern EMV.

Would you like a hands-on exercise with sample transaction logs? Let me know!