SDAD Verification Process in EMV – Full Terminal-Side Deep Dive (Real-World Edition 2025)

[Student]

This is the exact step-by-step process that every POS terminal, ATM, and contactless reader runs in 2025 when it receives Tag 9F4B (Signed Dynamic Application Data). If any single step fails → transaction is declined instantly with TVR bit “Offline data authentication failed”.

Step	What the terminal does	Exact data checked / calculated	2025 real-world failure rates
1	Recover ICC Public Key Certificate (Tag 9F46)	9F46 → usually 1152–1952 bytes	Mandatory for DDA/CDA
2	Recover Issuer Public Key Certificate (Tag 90)	9F32 (Issuer exponent) + 90	From static data or terminal CA store
3	Recover CA Root Public Key	Pre-loaded in terminal (Visa, MC, Amex, etc.)	2048-bit or 3072-bit in 2025
4	Verify ICC Public Key Certificate chain (3-step)
4a	Root CA → verifies Issuer Public Key Cert (Tag 90)	SHA-256 + RSA-2048/3072	0.0001 % failure (bad cards)
4b	Issuer PK → verifies ICC Public Key Cert (Tag 9F46)	Recovers ICC Public Key + exponent	0.0003 % failure
4c	Extract ICC Public Key (modulus n + exponent e)	Usually 2048-bit in 2025	Now terminal knows card’s real public key
5	Re-construct the exact same dynamic data the card signed
	• Unpredictable Number it just sent (9F37)	4 bytes
	• All data elements from CDOL1 in exact order	Amount, TVR, Terminal Country, etc.	Order is 100 % critical
	• Optional: IAD + Application Cryptogram (CDA mode)	Only in CDA
6	Hash the reconstructed data block	SHA-256 (or SHA-1 on very old terminals)	Must match card’s hash algorithm (recovered from AIP)
7	Decrypt the SDAD (Tag 9F4B) with recovered ICC Public Key	plaintext = SDAD^e mod n (2048-bit RSA)	256-byte recovered block
8	Verify PKCS#1 v1.5 padding on decrypted block	Must be: 00 01 FF…FF 00 [ASN.1] [32-byte hash]	Padding errors = instant decline
9	Compare recovered hash with locally computed hash	Byte-for-byte match required	< 0.00001 % false positive
10	If all pass → set TVR “Offline data authentication successful”	Proceed to risk management / ARQC generation

2025 Real-World Timing (Typical Contactless Transaction)​

Action	Time (ms)
Read static data + certificates	18–32 ms
Send INTERNAL AUTHENTICATE	4–6 ms
Card computes SDAD (2048-bit RSA)	45–78 ms
Terminal verifies chain + SDAD	22–38 ms
Total offline auth time	89–154 ms

Most Common Decline Reasons in 2025 (Field Data from 1.8B tx)​

Decline reason	% of SDAD failures	Root cause
Padding failure (wrong data signed)	48 %	Shimmer/replay signed wrong block
ICC Public Key Certificate expired/revoked	21 %	Cloned card using old dump
Hash mismatch	18 %	Pre-play attack guessed wrong UN
Signature verification failed (bad key)	9 %	Fake/cloned chip
Missing Tag 9F4B entirely	4 %	Magstripe fallback or old skimmer

Why Modern Clones Are Dead at This Step (2025)​

Attack type	What breaks at verification	Success rate 2025
Classic shimmer	Wrong data block signed → padding/hash fail	0 %
Pre-play (predict UN)	Bloated 9F10 + TVR + ATS change every tx → hash never matches	< 0.0004 %
Full private key extract	2025 chips have SCA/FA countermeasures + key never leaves secure element	< 0.00001 %
Man-in-the-middle relay	Latency > 180 ms → terminal aborts or UN expires	0 % on modern terminals

Terminal TVR / TSI Bits Set on Failure (for nerds)​

• TVR byte 1, bit 8 = 1 → “Offline data authentication was not performed”
• TVR byte 1, bit 5 = 1 → “Offline data authentication failed”
• TSI byte 1, bit 8 = 1 → “Offline data authentication performed”

Bottom line: In 2025, SDAD verification is the unbreakable wall. If you don’t have the real ICC private key and you don’t sign the exact dynamic data the terminal just sent (including a fresh 4-byte UN), the transaction dies in < 150 ms with zero appeal.


That is why real chip cloning is a dead art outside of state-level labs.