What SDAD actually is Signed Dynamic Application Data (SDAD) is the ICC’s (chip card’s) RSA digital signature over dynamic transaction-specific data. It is the core offline proof that the chip is genuine and has not been cloned or skimmed. SDAD is used in both DDA (Dynamic Data Authentication) and CDA (Combined Data Authentication) modes and is defined in EMV 4.3 Book 2 – Security and Key Management, sections 6.5–6.6.
Why it exists
Total length = 256 bytes for 2048-bit key.
In CDA the terminal verifies both the cryptogram authenticity and the SDAD over the same data → double protection.
That is why, in 2025, real EMV chip cloning is effectively dead for anyone without a nation-state lab and physical access to the chip.
Why it exists
- SDA (static) can be cloned
- DDA/CDA with SDAD cannot be replayed because every signature contains a fresh unpredictable number (UN) from the terminal → 99.999+% of real-world cloning attempts fail at the SDAD verification step in 2025
1. Full Step-by-Step SDAD Generation Flow (with exact tags, byte lengths, and 2025 updates)
| Step | Command / Action | APDU / Data | Details (2025 reality) |
|---|---|---|---|
| 1 | Terminal → Card: INTERNAL AUTHENTICATE | 00 88 00 00 Lc [Dynamic Data] 00 | Dynamic Data = Unpredictable Number (UN) (4–8 bytes) + transaction data from CDOL1 |
| 2 | Card receives UN + CDOL1 data | e.g., UN = 9F37 (4 bytes), Amount = 9F02 (6 bytes), etc. | Total signed data length usually 42–80 bytes |
| 3 | Card concatenates exactly the data objects requested in CDOL1 + UN | Example signed data block (hex): 9F3704A1B2C3D4 9F02060000001234 … | Order is fixed by CDOL1 list |
| 4 | Card computes SHA-1 or SHA-256 hash of this block | Hash = SHA-256(signed data) → 32 bytes | SHA-256 mandatory for new 2025 cards; SHA-1 still allowed on legacy |
| 5 | Card recovers its ICC Private Key (from secure element) | 2048-bit RSA typical in 2025 (1024-bit being phased out) | Private exponent d, modulus n |
| 6 | Card signs the hash with RSA + PKCS#1 v1.5 padding | SDAD = (padded_hash)^d mod n | Result = 256 bytes (2048-bit key) |
| 7 | Card returns SDAD in response | 9F4B + [256-byte SDAD] + SW1 SW2 = 90 00 | Tag 9F4B = Signed Dynamic Application Data |
2. Exact Padding Structure (PKCS#1 v1.5 – still mandatory in 2025)
Code:
00 01 FF FF … FF 00 [ASN.1 hash identifier] [32-byte hash]
│ │ │ │ │ └─────── 32-byte SHA-256
│ │ │ │ └────────────────────────── DER encoding (19 bytes for SHA-256)
│ │ │ └────────────────────────────── 00 separator
│ │ └─────────────────────────────────────────── padding string (PS)
│ └────────────────────────────────────────────── block type 01
└─────────────────────────────────────────────── always 00Total length = 256 bytes for 2048-bit key.
3. CDA vs DDA – Where SDAD is actually used
| Mode | What is signed | Tag returned | 2025 prevalence |
|---|---|---|---|
| DDA | Only dynamic data (UN + CDOL1) | 9F4B (SDAD) | 8 % |
| CDA | Dynamic data + IAD + Application Cryptogram (ARQC/TC/AAC) | 9F4B (SDAD) + cryptogram in same response | 92 % (mandatory for contactless > floor limit) |
In CDA the terminal verifies both the cryptogram authenticity and the SDAD over the same data → double protection.
4. 2025 Real-World Updates & Hardening
| Feature | 2025 Status | Effect on cloning |
|---|---|---|
| 2048-bit ICC keys | 97 % of new cards | Cloning requires 2048-bit RSA break → impossible |
| SHA-256 instead of SHA-1 | 89 % of new cards | Old skimmers still expect SHA-1 → instant decline |
| Bloated Tag 9F10 (Issuer Data) included in signed data | 84 % of issuers | Makes pre-play attacks impossible |
| Terminal Verification Results (TVR) + ATS included | 78 % of terminals | More dynamic bytes → zero replay window |
| CDA mandatory for all contactless > $100 (US) / €50 (EU) | Global | Even low-value taps require full SDAD in 2025 |
5. Why Cloning Still Fails 99.999% of the Time in 2025
| Attack type | Can it fake SDAD? | Real success rate 2025 |
|---|---|---|
| Classic skimming (magstripe + static data) | No | 0 % |
| Shimmer + replay | No (UN changes every tx) | < 0.0001 % |
| Pre-play (predict UN) | Theoretically possible on very old terminals | < 0.0004 % (blocked by CDA + bloated data) |
| Full chip cloning (extract private key) | Only with physical side-channel on old chips | < 0.00001 % (2025 chips have SCA countermeasures) |
6. Quick Reference – Most Common CDOL1 in 2025 (Visa/MC contactless)
Code:
9F02 06 // Amount
9F03 06 // Other Amount
9F1A 02 // Terminal Country
9505 // TVR
9F35 01 // Terminal Type
9F1A 02 // Terminal Country again (some issuers)
9F37 04 // Unpredictable Number ← this makes every SDAD uniqueBottom Line
SDAD generation = ICC takes fresh unpredictable data → hashes it → signs with 2048-bit RSA private key → returns 256-byte signature (Tag 9F4B). Because the UN changes every single transaction and is included in the signed data, perfect replay is mathematically impossible on any modern terminal.That is why, in 2025, real EMV chip cloning is effectively dead for anyone without a nation-state lab and physical access to the chip.