Tomcat
(Secure Messaging)
The security of the command data transmitted from the issuer to the card is defined by the ISO 7816-4 and EMV standards.
There are two mechanisms for secure transmission of the issuer's command data:
- 1) a mechanism that ensures the integrity of the data transmitted in the command and authenticates the source of the command (Secure Messaging for Integrity and Authentication);
- 2) a mechanism that ensures the confidentiality of the transmitted data (Secure Messaging for Confidentiality).
The command data field is carried in one of two formats:
- format 1, when the command data field is BER-TLV encoded. To identify this case, the second nibble of the CLA byte is set to 'C'h;
- format 2, when the command data field is not BER-TLV encoded. In this case the card application knows the size of the command data in advance. To identify this case, the second nibble of the CLA byte is set to '4'h.
The command data field formats that ensure integrity and authentication of the data source are shown in Fig. 3.13 and 3.14.

| Tag 1 | Length 1 | Value 1 | Tag 2 | Length 2 | Value 2 |
|---|---|---|---|---|---|
| T | L | Command data, L bytes | '8E' | 4-8 bytes | MAC |

Fig. 3.13. Command data field in format 1

| Value 1 | Value 2 |
|---|---|
| Command data (if present) | MAC (4-8 bytes) |

Fig. 3.14. Command data field in format 2
If the command data field contains data that must be encrypted to ensure its confidentiality, then, as described in section 9.3 of Book 2 of the EMV 4.2 standard, this data is presented in the form shown in Fig. 3.15 and 3.16.

| Tag | Length | Value |
|---|---|---|
| T | L | Encrypted data, or padding indicator byte followed by the encrypted data |

Fig. 3.15. Format of the data object carrying an encrypted data item when format 1 of the secure command data field is used

| Value 1 | Value 2 |
|---|---|
| Encrypted data | MAC (4-8 bytes) |

Fig. 3.16. Secure command data field in format 2
Note that when format 2 is used, the entire command data field except the MAC value is encrypted to ensure confidentiality.
The possible tag values for the command data field template in format 1, and for the data object carrying the encrypted data item when format 1 is used, are given in Sections 9.2 and 9.3 of Book 2 of the EMV 4.2 standard.
The MAC value is calculated with algorithm 3 of ISO/IEC 9797-1, described in clause 3.11.3, using the 3DES algorithm and the 16-byte session key SK_SMI that the card uses for the current transaction. The MAC is calculated over the command header (CLA INS P1 P2) followed by the command data field. When format 2 is used, the complete list of data over which the MAC is calculated is determined by the payment system.
Data encryption uses the 3DES algorithm with the 16-byte card session encryption key SK_SMC, as described in clause 3.16.2.
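The following Go program is an added worked example of the integrity mechanism described above (the MAC of Fig. 3.13 and 3.14 and its computation); it is not code from the post or from the EMV specification. It implements ISO/IEC 9797-1 MAC algorithm 3 with the Go standard library's DES, builds a format 1 data field (command data object followed by the '8E' MAC object) and a format 2 data field (data followed by the MAC), and shows the card-side verification that rejects a command whose data or header was altered. Assumptions made here: padding method 2 of ISO/IEC 9797-1 (a single '80' byte, then zeros) is applied before the MAC; for format 2, whose MAC input the page leaves to the payment system, the MAC covers the header followed by the data; only single-byte tags and short-form lengths are handled; the session key, the command header bytes and the data tag 0x80 are constructed placeholders, not real values.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"errors"
	"fmt"
)

// pad2 applies ISO/IEC 9797-1 padding method 2 (assumed here, as EMV does for this MAC):
// a single '80' byte, then zeros up to a multiple of the 8-byte DES block.
func pad2(data []byte) []byte {
	out := append(append([]byte{}, data...), 0x80)
	return append(out, make([]byte, (8-len(out)%8)%8)...)
}

// retailMAC is ISO/IEC 9797-1 MAC algorithm 3 with DES: CBC-MAC under K1 (left 8 key bytes, zero
// ICV) over every padded block, then one DES decryption under K2 (right 8 key bytes) and one DES
// encryption under K1. key is the 16-byte session key; macLen (4..8) keeps the leftmost bytes.
func retailMAC(key, data []byte, macLen int) ([]byte, error) {
	if len(key) != 16 || macLen < 4 || macLen > 8 {
		return nil, errors.New("need a 16-byte session key and a MAC length of 4..8 bytes")
	}
	k1, _ := des.NewCipher(key[:8]) // NewCipher only fails on a wrong key size, checked above
	k2, _ := des.NewCipher(key[8:])
	h, tmp, padded := make([]byte, 8), make([]byte, 8), pad2(data)
	for off := 0; off < len(padded); off += 8 {
		for i := range tmp {
			tmp[i] = h[i] ^ padded[off+i]
		}
		k1.Encrypt(h, tmp)
	}
	k2.Decrypt(tmp, h)
	k1.Encrypt(h, tmp)
	return h[:macLen], nil
}

// tlv encodes one BER-TLV object with a single-byte tag and a short-form length (value < 128 bytes).
func tlv(tag byte, value []byte) []byte {
	return append([]byte{tag, byte(len(value))}, value...)
}

// buildFormat1 assembles the Fig. 3.13 data field: T L data || '8E' L MAC. The MAC covers the
// command header CLA INS P1 P2 followed by the TLV-encoded command data object.
func buildFormat1(skSMI []byte, hdr [4]byte, tag byte, data []byte, macLen int) ([]byte, error) {
	if hdr[0]&0x0F != 0x0C || len(data) > 127 {
		return nil, errors.New("format 1 needs CLA second nibble 'C'; this example only handles short-form lengths")
	}
	obj := tlv(tag, data)
	mac, err := retailMAC(skSMI, append(hdr[:], obj...), macLen)
	if err != nil {
		return nil, err
	}
	return append(obj, tlv(0x8E, mac)...), nil // '8E' is the MAC object tag of Fig. 3.13
}

// buildFormat2 assembles the Fig. 3.14 data field: data || MAC, with CLA's second nibble '4'. The page
// leaves the exact MAC input for format 2 to the payment system; this example assumes header || data.
func buildFormat2(skSMI []byte, hdr [4]byte, data []byte, macLen int) ([]byte, error) {
	if hdr[0]&0x0F != 0x04 {
		return nil, errors.New("format 2 needs CLA second nibble '4'")
	}
	mac, err := retailMAC(skSMI, append(hdr[:], data...), macLen)
	if err != nil {
		return nil, err
	}
	return append(append([]byte{}, data...), mac...), nil
}

// verifyFormat1 is the card-side check of a format 1 field: split off the trailing '8E' MAC object,
// recompute the MAC over header || command data object, compare in constant time, and release the
// command data only if the MAC verifies.
func verifyFormat1(skSMI []byte, hdr [4]byte, field []byte) ([]byte, bool) {
	if len(field) < 2 {
		return nil, false
	}
	objLen := 2 + int(field[1])
	if len(field) < objLen+2 || field[objLen] != 0x8E || len(field) != objLen+2+int(field[objLen+1]) {
		return nil, false
	}
	obj := field[:objLen]
	want, err := retailMAC(skSMI, append(hdr[:], obj...), len(field)-objLen-2)
	if err != nil || subtle.ConstantTimeCompare(want, field[objLen+2:]) != 1 {
		return nil, false
	}
	return obj[2:], true
}

func main() {
	skSMI := []byte("0123456789ABCDEF")    // constructed session key, not a real SK_SMI
	hdr := [4]byte{0x8C, 0x1E, 0x00, 0x00} // constructed header; CLA second nibble 'C' selects format 1
	field, _ := buildFormat1(skSMI, hdr, 0x80, []byte{0x01, 0x02, 0x03}, 8) // tag 0x80 is a placeholder
	_, ok := verifyFormat1(skSMI, hdr, field)
	fmt.Printf("format 1 data field: %X, card accepts: %v\n", field, ok)
	field[2] ^= 0xFF // command data altered in transit: the MAC no longer verifies
	_, ok = verifyFormat1(skSMI, hdr, field)
	fmt.Println("card accepts after tampering:", ok)
}
```

Two details matter for a card-side implementation: the MAC input starts with CLA INS P1 P2, so a command whose header was changed fails verification even if the data field is intact, and the comparison uses a constant-time routine so that a byte-by-byte mismatch cannot be distinguished by timing. The example also refuses to compute a MAC shorter than 4 bytes, matching the 4-8 byte range of the figures.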