Papa Carder
Overview of Key Derivation in EMV
Key derivation in EMV (Europay, Mastercard, and Visa) systems is the cryptographic process that generates a unique session key for each transaction, so that every transaction uses fresh key material and replayed cryptograms are rejected. It is primarily handled through the Common Session Key (CSK) method defined in the EMV specifications (e.g., EMV 4.3 Book 2: Security and Key Management, Annex A1.4). Session keys are derived from a master key (e.g., the ICC Application Cryptogram Master Key, MK_AC) and dynamic data such as the Application Transaction Counter (ATC), a 2-byte value incremented once per transaction. The resulting keys are used to generate cryptograms (e.g., ARQC, TC) and for secure messaging in both contact and contactless modes. The process typically uses Triple DES (3DES) with a 16-byte master key (2-key TDES), though some implementations support AES. The derivation produces a 16-byte session key made up of a left and a right 8-byte half.
CSK Session Key Derivation Algorithm
The CSK method derives the session key SK_AC as follows.
Inputs:
- MK_AC: 16-byte master key (issuer-derived, card-specific, often from encrypting the PAN with an issuer master key).
- ATC: 2-byte Application Transaction Counter (e.g., 0x0001).
- Diversification constants: 'F0' (0xF0) and '0F' (0x0F) for left/right parts.
Steps:
- Prepare diversification data:
  - Left diversification data (DIV_LEFT): ATC concatenated with 0xF0 and 0x00 (i.e., ATC || F0 || 00), zero-padded to a full 8-byte block.
  - Right diversification data (DIV_RIGHT): ATC concatenated with 0x0F and 0x00 (i.e., ATC || 0F || 00), zero-padded to 8 bytes in the same way.
- Encrypt to derive the two halves:
  - SK_LEFT = 3DES_encrypt(MK_AC, DIV_LEFT); the 8-byte ciphertext block is the left half.
  - SK_RIGHT = 3DES_encrypt(MK_AC, DIV_RIGHT); the 8-byte ciphertext block is the right half.
- Combine to form the session key:
  - SK_AC = SK_LEFT || SK_RIGHT (16 bytes total).
- Optional parity adjustment:
  - Set the least significant (parity) bit of each byte so that every byte has odd parity, as DES keys conventionally require.
- Key Check Value (KCV):
  - Compute the KCV as the first 3 bytes of 3DES_encrypt(SK_AC, 0x0000000000000000); it lets two parties confirm they hold the same key without exposing it.
Formula Representation:
DIV_LEFT  = ATC || F0 || 00 || 00 || 00 || 00 || 00   (8 bytes)
DIV_RIGHT = ATC || 0F || 00 || 00 || 00 || 00 || 00   (8 bytes)
SK_LEFT   = 3DES_MK_AC(DIV_LEFT)
SK_RIGHT  = 3DES_MK_AC(DIV_RIGHT)
SK_AC     = SK_LEFT || SK_RIGHT
Example:
- MK_AC = 0123456789ABCDEF0123456789ABCDEF
- ATC = 0001
- DIV_LEFT = 0001F000 (padded to 8 bytes: 0001F00000000000)
- DIV_RIGHT = 00010F00 (padded: 00010F0000000000)
- SK_AC ≈ 022551C4FDF76E45988089BA31DC077C (approximate; actual depends on exact padding and encryption).
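The steps above, carried through in code as an added example (it is not from the post and not from any EMVCo reference implementation). It uses Go's standard `crypto/des` package and assumes 2-key TDES in ECB mode with the 16-byte key expanded as K1 || K2 || K1, the zero-padded 8-byte diversification blocks given above, the parity adjustment and the KCV as described. The function names (`DeriveCSK`, `KCV`, `divData`, `tdes2KeyEncrypt`) are my own. The MK_AC and ATC are the sample values from the example; since the post marks its SK_AC as approximate, running the block is the way to obtain the exact value for these inputs. Note that this sample master key has two identical halves, so 2-key TDES collapses to single DES for it; that is a property of the sample, not of the method.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// tdes2KeyEncrypt encrypts a single 8-byte block under a 16-byte (2-key) TDES
// key in ECB mode. 2-key TDES uses K1 || K2 || K1, so the 16-byte key is
// extended to the 24 bytes that crypto/des expects.
func tdes2KeyEncrypt(mk, block []byte) ([]byte, error) {
	if len(mk) != 16 {
		return nil, fmt.Errorf("master key must be 16 bytes, got %d", len(mk))
	}
	if len(block) != 8 {
		return nil, fmt.Errorf("block must be 8 bytes, got %d", len(block))
	}
	k := make([]byte, 0, 24)
	k = append(k, mk...)     // K1 || K2
	k = append(k, mk[:8]...) // || K1
	c, err := des.NewTripleDESCipher(k)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out, nil
}

// divData builds the 8-byte diversification block ATC || marker || 00 00 00 00 00,
// where marker is 0xF0 for the left half and 0x0F for the right half.
func divData(atc []byte, marker byte) []byte {
	d := make([]byte, 8)
	copy(d, atc)
	d[2] = marker
	return d
}

// adjustParity sets the least significant bit of every byte so that each
// byte has an odd number of 1 bits, as DES key parity requires.
func adjustParity(k []byte) []byte {
	out := make([]byte, len(k))
	for i, b := range k {
		if bits.OnesCount8(b)%2 == 0 {
			b ^= 0x01
		}
		out[i] = b
	}
	return out
}

// DeriveCSK derives SK_AC = SK_LEFT || SK_RIGHT from MK_AC and the 2-byte ATC,
// then applies the optional parity adjustment.
func DeriveCSK(mk, atc []byte) ([]byte, error) {
	if len(atc) != 2 {
		return nil, fmt.Errorf("ATC must be 2 bytes, got %d", len(atc))
	}
	left, err := tdes2KeyEncrypt(mk, divData(atc, 0xF0))
	if err != nil {
		return nil, err
	}
	right, err := tdes2KeyEncrypt(mk, divData(atc, 0x0F))
	if err != nil {
		return nil, err
	}
	return adjustParity(append(left, right...)), nil
}

// KCV returns the key check value: the first 3 bytes of the all-zero block
// encrypted under the key. Two parties can compare KCVs to confirm they hold
// the same key without revealing it.
func KCV(key []byte) ([]byte, error) {
	out, err := tdes2KeyEncrypt(key, make([]byte, 8))
	if err != nil {
		return nil, err
	}
	return out[:3], nil
}

func main() {
	// Sample inputs from the worked example above (constructed values, not
	// production keys). This MK_AC has identical halves (K1 == K2), so 2-key
	// TDES collapses to single DES for it; a real master key must not.
	mk, _ := hex.DecodeString("0123456789ABCDEF0123456789ABCDEF")
	atc, _ := hex.DecodeString("0001")
	sk, err := DeriveCSK(mk, atc)
	if err != nil {
		panic(err)
	}
	kcv, err := KCV(sk)
	if err != nil {
		panic(err)
	}
	fmt.Printf("DIV_LEFT  = %X\n", divData(atc, 0xF0))
	fmt.Printf("DIV_RIGHT = %X\n", divData(atc, 0x0F))
	fmt.Printf("SK_AC     = %X\n", sk)
	fmt.Printf("KCV       = %X\n", kcv)
}
```

The parity step is kept separate from the encryption so that a reader can compare the raw ciphertext halves with the adjusted key; only the low bit of each byte may change. Because the diversification blocks for the two halves differ in byte 3, and a block cipher is a permutation, the two raw halves can never be equal, and changing the ATC always changes both halves.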
Variants and Network-Specific Details
- Mastercard (CVN14/15): Uses CSK with transaction data variations; may include Unpredictable Number (UN) from the terminal.
- Visa (CVN10/18): Similar CSK, but with different key derivation methods for session keys.
- EMV 4.1 vs. 4.2/4.3: Earlier versions may use tree-based derivation with branch factor (e.g., 4) and height (e.g., 8) for more complex keys; later simplify to basic CSK without IV.
- Secure Messaging Keys: In GlobalPlatform (used with EMV), session keys (ENC, MAC) are derived from static keys and challenges (host/card nonces) via 3DES or AES.
- ICC Master Key Derivation: Issuer derives ICC keys from issuer master keys using PAN (e.g., 3DES_encrypt(Issuer_MK, PAN)).
Applications
- Transaction Cryptograms: SK_AC encrypts data for ARQC/TC generation.
- Offline/Online Modes: Used in both, with offline relying on pre-derived keys.
- Contactless: Same CSK, integrated with ISO 14443 for NFC.
For full normative details, refer to EMVCo specifications (e.g., Book 2). Implementations may vary by network (Visa, Mastercard), and tools like cryptographic calculators can simulate this.