EMV v4.4 Book 2 Security and Key Management
EMV v4.4 Book 2 Security and Key Management
EMV v4.4 Book 2 Security and Key Management
Book 2
Security and Key Management
Version 4.4
October 2022
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2
Security and Key Management
The EMV® Specifications are provided “AS IS” without warranties of any kind, and EMVCo neither
assumes nor accepts any liability for any errors or omissions contained in these Specifications.
EMVCO DISCLAIMS ALL REPRESENTATIONS AND WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING WITHOUT LIMITATION IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT, AS TO THESE
SPECIFICATIONS.
EMVCo makes no representations or warranties with respect to intellectual property rights of any third
parties in or in relation to the Specifications. EMVCo undertakes no responsibility to determine
whether any implementation of these Specifications may violate, infringe, or otherwise exercise the
patent, copyright, trademark, trade secret, know-how, or other intellectual property rights of third
parties, and thus any person who implements any part of these Specifications should consult an
intellectual property attorney before any such implementation.
Without limiting the foregoing, the Specifications may provide for the use of public key encryption and
other technology, which may be the subject matter of patents in several countries. Any party seeking
to implement these Specifications is solely responsible for determining whether its activities require a
license to any such technology, including for patents on public key encryption technology. EMVCo
shall not be liable under any theory for any party’s infringement of any intellectual property rights in
connection with these Specifications.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2
Security and Key Management
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2
Security and Key Management
Contents
Part I – General
1 Scope 12
1.1 Changes in Version 4.4 12
1.2 Structure 12
1.3 Underlying Standards 13
1.4 Audience 13
2 Normative References 14
3 Definitions 17
4 Abbreviations, Notations, Conventions, and Terminology 25
4.1 Abbreviations 25
4.2 Notations 32
4.3 Data Element Format Conventions 34
4.4 Terminology 35
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2
Security and Key Management
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2
Security and Key Management
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2
Security and Key Management
Index 189
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2
Security and Key Management
Tables
Table 1: Required ICC Data Elements for SDA 38
Table 2: Issuer Public Key Data To Be Signed by Certification Authority 40
Table 3: Static Application Data To Be Signed by Issuer 41
Table 4: Data Objects Required for SDA 42
Table 5: Minimum Data for Certificate Revocation List Entry 43
Table 6: Format of Data Recovered from Issuer Public Key Certificate 45
Table 7: Format of Data Recovered from Signed Static Application Data 47
Table 8: Required ICC Data Elements for Offline Dynamic Data Authentication 51
Table 9: Data Element Generated for Offline Dynamic Data Authentication 52
Table 10: Issuer Public Key Data To Be Signed by Certification Authority 54
Table 11: ICC Public Key Data To Be Signed by Issuer 55
Table 12: Data Objects Required for Public Key Authentication for Offline
Dynamic Data Authentication 56
Table 13: Format of Data Recovered from Issuer Public Key Certificate 58
Table 14: Format of Data Recovered from ICC Public Key Certificate 60
Table 15: Dynamic Application Data To Be Signed 62
Table 16: Additional Data Objects Required for Dynamic Signature Generation
and Verification 63
Table 17: Format of Data Recovered from Signed Dynamic Application Data 64
Table 18: Dynamic Application Data To Be Signed 68
Table 19: 32-38 Leftmost Bytes of ICC Dynamic Data 68
Table 20: Data Objects Included in Response to GENERATE AC for TC or ARQC 69
Table 21: Data Objects Included in Response to GENERATE AC for AAC 69
Table 22: Format of Data Recovered from Signed Dynamic Application Data 70
Table 23: ICC PIN Encipherment Public Key Data To Be Signed by Issuer 78
Table 24: Data Objects Required for Retrieval of ICC PIN Encipherment Public Key 79
Table 25: Data To Be Enciphered for PIN Encipherment 80
Table 26: Data To Be Enciphered for Biometric Encipherment 83
Table 27: Biometric Verification Data Template 84
Table 28: Recommended Minimum Set of Data Elements for Application
Cryptogram Generation 87
Table 29: ECC Self-Signed Certification Authority Public Key & Related Data
(Binary Encoding) 99
Table 30: Minimum Set of Certification Authority Public Key Related Data
Elements To Be Stored in Terminal (RSA) 101
Table 31: Minimum Set of Certification Authority Public Key Related Data
Elements To Be Stored in Terminal (ECC) 102
Table 32: Data Elements Used to Generate Terminal Unpredictable Number (UN) 104
Table 33: Data Element Generated for XDA 107
Table 34: ICC Data Required for Public Key Authentication for XDA and ECC ODE 109
Table 35: Issuer Public Key Certificate Tag '90' (ECC) 112
Table 36: ICC Public Key Certificate Tag '9F46' (XDA) and Tag '9F2D' (ODE) 115
Table 37: Dynamic Application Data To Be Signed (XDA) 119
Table 38: Format of XDA Signed Dynamic Application Data 120
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2
Security and Key Management
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2
Security and Key Management
Figures
Figure 1: Diagram of SDA 37
Figure 2: Diagram of Offline Dynamic Data Authentication 50
Figure 3: CDA Sample Flow Part 1 of 3 73
Figure 4: CDA Sample Flow Part 2 of 3 74
Figure 5: CDA Sample Flow Part 3 of 3 75
Figure 6: Format 1 Command Data Field for Secure Messaging for Integrity and
Authentication 91
Figure 7: Format 2 Command Data Field for Secure Messaging for Integrity and
Authentication 91
Figure 8: Format 1 – Data Object for Confidentiality 94
Figure 9: Format 2 Command Data Field for Secure Messaging for Confidentiality 94
Figure 10: ECC Self-signed Certification Authority Public Key Diagram 98
Figure 11: Diagram of Offline Dynamic Data Authentication 106
Figure 12: XDA Sample Flow Part 1 of 2 122
Figure 13: XDA Sample Flow Part 2 of 2 123
Figure 14: Decimalisation for Master Key Derivation 139
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2
Security and Key Management
Part I
General
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2
Security and Key Management
1 Scope
This document, the Integrated Circuit Card (ICC) Specifications for Payment Systems –
Book 2, Security and Key Management, describes the minimum security functionality
required of integrated circuit cards (ICCs) and terminals to ensure correct operation and
interoperability. Additional requirements and recommendations are provided with
respect to the on-line communication between ICC and issuer and the management of
cryptographic keys at terminal, issuer, and payment system level.
The Integrated Circuit Card Specifications for Payment Systems includes the following
additional documents, all available on http://www.emvco.com:
• Book 1 – Application Independent ICC to Terminal Interface Requirements
• Book 3 – Application Specification
• Book 4 – Cardholder, Attendant, and Acquirer Interface Requirements
EMVCo also publishes security guidelines (see informative references 3 and 5).
1.2 Structure
Book 2 consists of the following parts:
Part I – General
Part II – Security and Key Management Techniques
Part III – Annexes
Part IV – Common Core Definitions
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 1 Scope
Security and Key Management 1.3 Underlying Standards
Part II covers:
• Offline static data authentication (SDA)
• Offline dynamic data authentication (DDA and CDA and XDA)
• Offline PIN encipherment
• Application cryptogram generation and issuer authentication
• Secure messaging
• Public key management principles and policies
• Terminal security and key management requirements
Part III (Annexes A-D) specifies the security mechanisms and the approved
cryptographic algorithms required to implement the security functions specified,
provides a list of informative references, and discusses implementation considerations.
Part IV defines an optional extension to be used when implementing the Common Core
Definitions (CCD).
The Book also includes a revision log and an index.
1.4 Audience
This specification is intended for use by manufacturers of ICCs and terminals, system
designers in payment systems, and financial institution staff responsible for
implementing financial applications in ICCs.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2
Security and Key Management
2 Normative References
The following specifications and standards contain provisions that are referenced in
these specifications. The latest version shall apply unless a publication date is explicitly
stated.
EMV Contact Interface EMV Level 1 Specifications for Payment Systems, EMV
Specification Contact Interface Specification
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 2 Normative References
Security and Key Management
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 2 Normative References
Security and Key Management
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2
Security and Key Management
3 Definitions
The following terms are used in one or more books of these specifications.
Biometric Data Block A block of data with a specific format that contains
information captured from a biometric capture device and
that could be used as follows:
• stored in the card as part of the biometric reference
template
• sent to the ICC in the data field of the PIN
CHANGE/UNBLOCK command
• sent to the ICC in the data field of the VERIFY
command for offline biometric verification
• sent online for verification
The format of the BDB is outside the scope of this
specification.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 3 Definitions
Security and Key Management
Byte 8 bits.
Certification Authority Trusted third party that establishes a proof that links a
public key and other relevant information to its owner.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 3 Definitions
Security and Key Management
Data Integrity The property that data has not been altered or destroyed
in an unauthorised manner.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 3 Definitions
Security and Key Management
Hash Result The string of bits that is the output of a hash function.
Integrated Circuit(s) A card into which one or more integrated circuits are
Card inserted to perform processing and memory functions.
Interface Device That part of a terminal into which the ICC is inserted,
including such mechanical and electrical devices as may
be considered part of it.
Iris Verification The process of determining that the iris presented is valid.
Issuer Action Code Any of the following, which reflect the issuer-selected
action to be taken upon analysis of the TVR:
• Issuer Action Code – Default
• Issuer Action Code – Denial
• Issuer Action Code – Online
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 3 Definitions
Security and Key Management
Key Withdrawal The process of removing a key from service as part of its
revocation.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 3 Definitions
Security and Key Management
Payment System A logical construct within the ICC, the entry point to
Environment which is a Directory Definition File (DDF) named
'1PAY.SYS.DDF01'. This DDF contains a Payment
System Directory which in turn contains entries for one or
more Application Definition Files (ADFs) which are
formatted according to this specification.
Physical Compromise The compromise of a key resulting from the fact that it
has not been securely guarded, or a hardware security
module has been stolen or accessed by unauthorised
persons.
Private Key That key of an entity’s asymmetric key pair that should
only be used by that entity. In the case of a digital
signature scheme, the private key defines the signature
function.
Public Key That key of an entity’s asymmetric key pair that can be
made public. In the case of a digital signature scheme, the
public key defines the verification function.
Public Key Certificate The public key information of an entity signed by the
certification authority and thereby rendered unforgeable.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 3 Definitions
Security and Key Management
Terminal The device used in conjunction with the ICC at the point
of transaction to perform a financial transaction. The
terminal incorporates the interface device and may also
include other components and interfaces such as host
communications.
Terminal Action Code Any of the following, which reflect the acquirer-selected
action to be taken upon analysis of the TVR:
• Terminal Action Code – Default
• Terminal Action Code – Denial
• Terminal Action Code – Online
Terminate Card End the card session by deactivating the IFD contacts
Session according to EMV Contact Interface Specification and
displaying a message indicating that the ICC cannot be
used to complete the transaction.
Terminate Transaction Stop the current application and deactivate the card.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 3 Definitions
Security and Key Management
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2
Security and Key Management
4.1 Abbreviations
a Alphabetic (see section 4.3, Data Element Format Conventions)
AC Application Cryptogram
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 4 Abbreviations, Notations, Conventions, and Terminology
Security and Key Management 4.1 Abbreviations
CA Certification Authority
CV Cryptogram Version
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 4 Abbreviations, Notations, Conventions, and Terminology
Security and Key Management 4.1 Abbreviations
DF Dedicated File
DIR Directory
EF Elementary File
EN European Norm
FC Format Code
Hex Hexadecimal
I/O Input/Output
IC Integrated Circuit
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 4 Abbreviations, Notations, Conventions, and Terminology
Security and Key Management 4.1 Abbreviations
KD Key Derivation
KM Master Key
KS Session Key
L Length
M Mandatory
max. Maximum
MF Master File
NF Norme Française
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 4 Abbreviations, Notations, Conventions, and Terminology
Security and Key Management 4.1 Abbreviations
O Optional
P1 Parameter 1
P2 Parameter 2
PC Personal Computer
pos. Position
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 4 Abbreviations, Notations, Conventions, and Terminology
Security and Key Management 4.1 Abbreviations
SK Session Key
TC Transaction Certificate
UN Unpredictable Number
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 4 Abbreviations, Notations, Conventions, and Terminology
Security and Key Management 4.1 Abbreviations
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 4 Abbreviations, Notations, Conventions, and Terminology
Security and Key Management 4.2 Notations
4.2 Notations
'0' to '9' and 'A' to 'F' 16 hexadecimal characters
xx Any value
A ≡ B mod n Integers A and B are congruent modulo the integer n, that is,
there exists an integer d such that
(A – B) = dn
A mod n The reduction of the integer A modulo the integer n, that is,
the unique integer r, 0 ≤ r < n, for which there exists an
integer d such that
A = dn + r
A/n The integer division of A by n, that is, the unique integer d for
which there exists an integer r, 0 ≤ r < n, such that
A = dn + r
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 4 Abbreviations, Notations, Conventions, and Terminology
Security and Key Management 4.2 Notations
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 4 Abbreviations, Notations, Conventions, and Terminology
Security and Key Management 4.3 Data Element Format Conventions
a Alphabetic data elements contain a single character per byte. The permitted
characters are alphabetic only (a to z and A to Z, upper and lower case).
an Alphanumeric data elements contain a single character per byte. The
permitted characters are alphabetic (a to z and A to Z, upper and lower case)
and numeric (0 to 9).
There is one exception: The permitted characters for Payment Account
Reference are alphabetic upper case (A to Z) and numeric (0 to 9).
ans Alphanumeric Special data elements contain a single character per byte. The
permitted characters and their coding are shown in the Common Character
Set table in Book 4 Annex B.
There is one exception: The permitted characters for Application Preferred
Name are the non-control characters defined in the ISO/IEC 8859 part
designated in the Issuer Code Table Index associated with the Application
Preferred Name.
b These data elements consist of either unsigned binary numbers or bit
combinations that are defined elsewhere in the specification.
Binary example: The Application Transaction Counter (ATC) is defined as
“b” with a length of two bytes. An ATC value of 19 is stored as Hex '00 13'.
Bit combination example: Processing Options Data Object List (PDOL) is
defined as “b” with the format shown in Book 3 section 5.4.
cn Compressed numeric data elements consist of two numeric digits (having
values in the range Hex '0'–'9') per byte. These data elements are left
justified and padded with trailing hexadecimal 'F's.
Example: The Application Primary Account Number (PAN) is defined as “cn”
with a length of up to ten bytes. A value of 1234567890123 may be stored in
the Application PAN as Hex '12 34 56 78 90 12 3F FF' with a length of 8.
n Numeric data elements consist of two numeric digits (having values in the
range Hex '0' – '9') per byte. These digits are right justified and padded with
leading hexadecimal zeroes. Other specifications sometimes refer to this data
format as Binary Coded Decimal (“BCD”) or unsigned packed.
Example: Amount, Authorised (Numeric) is defined as “n 12” with a length of
six bytes. A value of 12345 is stored in Amount, Authorised (Numeric) as
Hex '00 00 00 01 23 45'.
var. Variable data elements are variable length and may contain any bit
combination. Additional information on the formats of specific variable data
elements is available elsewhere.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 4 Abbreviations, Notations, Conventions, and Terminology
Security and Key Management 4.4 Terminology
4.4 Terminology
business agreement An agreement reached between a payment system and its
business partner(s).
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2
Security and Key Management
Part II
Security and Key
Management Techniques
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2
Security and Key Management
Signed Static
Application Issuer PK
Data (SSAD) Issuer PK
Certificate Certificate
IC Card IC Terminal
ICCs that support SDA shall contain the data elements listed in Table 1:
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 5 Static Data Authentication (SDA)
Security and Key Management
To support SDA, each terminal shall be able to store six Certification Authority Public
Keys per Registered Application Provider Identifier (RID) and shall associate with each
such key the key-related information to be used with the key (so that terminals can in
the future support multiple algorithms and allow an evolutionary transition from one to
another, as discussed in section 11.2.2). The terminal shall be able to locate any such
key (and the key-related information) given the RID and Certification Authority Public
Key Index as provided by the ICC.
SDA shall use a reversible algorithm as specified in section A2.1 and section B2.
Section 5.1 contains an overview of the keys and certificates involved in the SDA
process, and sections 5.2 to 5.4 specify the three main steps in the process, namely:
• Retrieval of the Certification Authority Public Key by the terminal
• Retrieval of the Issuer Public Key by the terminal
• Verification of the Signed Static Application Data by the terminal
If SDA fails then the terminal shall set the ‘SDA failed’ bit in the Terminal Verification
Results (TVR) to 1.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 5 Static Data Authentication (SDA)
Security and Key Management 5.1 Keys and Certificates
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 5 Static Data Authentication (SDA)
Security and Key Management 5.1 Keys and Certificates
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 5 Static Data Authentication (SDA)
Security and Key Management 5.1 Keys and Certificates
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 5 Static Data Authentication (SDA)
Security and Key Management 5.1 Keys and Certificates
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 5 Static Data Authentication (SDA)
Security and Key Management 5.1 Keys and Certificates
Additional data such as the date the certificate was added to the CRL may be included
in the CRL entry.
The terminal shall be able to support at least thirty entries in the CRL for each RID for
which the terminal has CA Public Keys.
The terminal shall be able to update the CRL as requested by the acquirer. The
payment systems provide these updates to the acquirer. A reliable method of
maintaining the CRL is defined by the terminal vendor and the acquirer and should
meet the security requirements of the acquirer. It is the responsibility of the payment
system to ensure that the number of revoked certificates does not exceed the maximum
number of entries that terminals are required to support and the responsibility of the
acquirer to ensure that appropriate entries are deleted in order to make way for new
entries.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 5 Static Data Authentication (SDA)
Security and Key Management 5.2 Retrieval of Certification Authority Public Key
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 5 Static Data Authentication (SDA)
Security and Key Management 5.3 Retrieval of Issuer Public Key
3. Check the Recovered Data Header. If it is not '6A', SDA has failed.
4. Check the Certificate Format. If it is not '02', SDA has failed.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 5 Static Data Authentication (SDA)
Security and Key Management 5.3 Retrieval of Issuer Public Key
5. Concatenate from left to right the second to the tenth data elements in Table 6 (that
is, Certificate Format through Issuer Public Key or Leftmost Digits of the Issuer
Public Key), followed by the Issuer Public Key Remainder (if present), and finally the
Issuer Public Key Exponent.
6. Apply the indicated hash algorithm (derived from the Hash Algorithm Indicator) to
the result of the concatenation of the previous step to produce the hash result.
7. Compare the calculated hash result from the previous step with the recovered Hash
Result. If they are not the same, SDA has failed.
8. Verify that the Issuer Identifier matches the leftmost 3-8 PAN digits (allowing for
the possible padding of the Issuer Identifier with hexadecimal 'F's). If not, SDA has
failed.
9. Verify that the last day of the month specified in the Certificate Expiration Date is
equal to or later than today’s date. If the Certificate Expiration Date is earlier than
today’s date, the certificate has expired, in which case SDA has failed.
10. Verify that the concatenation of RID, Certification Authority Public Key Index, and
Certificate Serial Number is valid. If not, SDA has failed. 7
11. If the Issuer Public Key Algorithm Indicator is not recognised, SDA has failed.
12. If all the checks above are correct, concatenate the Leftmost Digits of the Issuer
Public Key and the Issuer Public Key Remainder (if present) to obtain the Issuer
Public Key Modulus, and continue with the next steps for the verification of the
Signed Static Application Data.
7This step is optional and is to allow the revocation of the Issuer Public Key Certificate against a
Certification Revocation List that may be kept by the terminal (see section 5.1.2).
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 5 Static Data Authentication (SDA)
Security and Key Management 5.4 Verification of Signed Static Application Data
3. Check the Recovered Data Header. If it is not '6A', SDA has failed.
4. Check the Signed Data Format. If it is not '03', SDA has failed.
5. Concatenate from left to right the second to the fifth data elements in Table 7 (that
is, Signed Data Format through Pad Pattern), followed by the static data to be
authenticated as specified in Book 3 section 10.3. If the Static Data Authentication
Tag List is present and contains tags other than '82', then SDA has failed.
6. Apply the indicated hash algorithm (derived from the Hash Algorithm Indicator) to
the result of the concatenation of the previous step to produce the hash result.
7. Compare the calculated hash result from the previous step with the recovered Hash
Result. If they are not the same, SDA has failed.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 5 Static Data Authentication (SDA)
Security and Key Management 5.4 Verification of Signed Static Application Data
If all of the above steps were executed successfully, SDA was successful. The Data
Authentication Code recovered in Table 7 shall be stored in tag '9F45'.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2
Security and Key Management
10 In order to ensure that the ICC uses the correct value for the Unpredictable Number, the
Issuer needs to ensure that both CDOL1 and CDOL2 contain tag '9F37'.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 6 Offline Dynamic Data Authentication (DDA, CDA)
Security and Key Management
ICC PK
Issuer PK Issuer PK
Certificate Certificate
Certificate
IC Card IC Terminal
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 6 Offline Dynamic Data Authentication (DDA, CDA)
Security and Key Management
ICCs that support DDA or CDA shall contain the data elements listed in Table 8:
Table 8: Required ICC Data Elements for Offline Dynamic Data Authentication
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 6 Offline Dynamic Data Authentication (DDA, CDA)
Security and Key Management
ICCs that support DDA or CDA shall generate the data element listed in Table 9:
To support offline dynamic data authentication, each terminal shall be able to store six
Certification Authority Public Keys per RID and shall associate with each such key the
key-related information to be used with the key (so that terminals can in the future
support multiple algorithms and allow an evolutionary transition from one to another,
see section 11.2.2). The terminal shall be able to locate any such key (and key-related
information) given the RID and Certification Authority Public Key Index as provided by
the ICC.
DDA and CDA shall use a reversible algorithm as specified in section A2.1 and
section B2. Section 11.2 contains an overview of the keys and certificates involved in the
offline dynamic data authentication process. Sections 6.2 to 6.4 specify the initial steps
in the process, namely:
• Retrieval of the Certification Authority Public Key by the terminal.
• Retrieval of the Issuer Public Key by the terminal.
• Retrieval of the ICC Public Key by the terminal.
If DDA or CDA fails then the TVR bit indicating failure of the attempted method shall
be set as follows:
• If the attempted method is DDA then the terminal shall set the ‘DDA failed’ bit in
the TVR to 1.
• If the attempted method is CDA then the terminal shall set the ‘CDA failed’ bit in
the TVR to 1.
Sections 6.5 and 6.6 specify the dynamic signature generation and verification processes
for each method.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 6 Offline Dynamic Data Authentication (DDA, CDA)
Security and Key Management 6.1 Keys and Certificates
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 6 Offline Dynamic Data Authentication (DDA, CDA)
Security and Key Management 6.1 Keys and Certificates
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 6 Offline Dynamic Data Authentication (DDA, CDA)
Security and Key Management 6.1 Keys and Certificates
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 6 Offline Dynamic Data Authentication (DDA, CDA)
Security and Key Management 6.1 Keys and Certificates
Table 12: Data Objects Required for Public Key Authentication for Offline Dynamic
Data Authentication
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 6 Offline Dynamic Data Authentication (DDA, CDA)
Security and Key Management 6.2 Retrieval of Certification Authority Public Key
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 6 Offline Dynamic Data Authentication (DDA, CDA)
Security and Key Management 6.3 Retrieval of Issuer Public Key
Table 13: Format of Data Recovered from Issuer Public Key Certificate
3. Check the Recovered Data Header. If it is not '6A', offline dynamic data
authentication has failed.
4. Check the Certificate Format. If it is not '02', offline dynamic data authentication
has failed.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 6 Offline Dynamic Data Authentication (DDA, CDA)
Security and Key Management 6.4 Retrieval of ICC Public Key
5. Concatenate from left to right the second to the tenth data elements in Table 13
(that is, Certificate Format through Issuer Public Key or Leftmost Digits of the
Issuer Public Key), followed by the Issuer Public Key Remainder (if present), and
finally the Issuer Public Key Exponent.
6. Apply the indicated hash algorithm (derived from the Hash Algorithm Indicator) to
the result of the concatenation of the previous step to produce the hash result.
7. Compare the calculated hash result from the previous step with the recovered Hash
Result. If they are not the same, offline dynamic data authentication has failed.
8. Verify that the Issuer Identifier matches the leftmost 3-8 PAN digits (allowing for
the possible padding of the Issuer Identifier with hexadecimal 'F's). If not, offline
dynamic data authentication has failed.
9. Verify that the last day of the month specified in the Certificate Expiration Date is
equal to or later than today’s date. If the Certificate Expiration Date is earlier than
today’s date, the certificate has expired, in which case offline dynamic data
authentication has failed.
10. Verify that the concatenation of RID, Certification Public Key Index, and Certificate
Serial Number is valid. If not, offline dynamic data authentication has failed. 17
11. If the Issuer Public Key Algorithm Indicator is not recognised, offline dynamic data
authentication has failed.
12. If all the checks above are correct, concatenate the Leftmost Digits of the Issuer
Public Key and the Issuer Public Key Remainder (if present) to obtain the Issuer
Public Key Modulus, and continue with the next steps for the retrieval of the ICC
Public Key.
17 This step is optional and is to allow the revocation of the Issuer Public Key Certificate against
a Certification Revocation List that may be kept by the terminal (see section 6.1.2).
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 6 Offline Dynamic Data Authentication (DDA, CDA)
Security and Key Management 6.4 Retrieval of ICC Public Key
Table 14: Format of Data Recovered from ICC Public Key Certificate
3. Check the Recovered Data Header. If it is not '6A', offline dynamic data
authentication has failed.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 6 Offline Dynamic Data Authentication (DDA, CDA)
Security and Key Management 6.5 Dynamic Data Authentication (DDA)
4. Check the Certificate Format. If it is not '04', offline dynamic data authentication
has failed.
5. Concatenate from left to right the second to the tenth data elements in Table 14
(that is, Certificate Format through ICC Public Key or Leftmost Digits of the ICC
Public Key), followed by the ICC Public Key Remainder (if present), the ICC Public
Key Exponent, and finally the static data to be authenticated specified in Book 3
section 10.3. If the Static Data Authentication Tag List is present and contains tags
other than '82', then offline dynamic data authentication has failed.
6. Apply the indicated hash algorithm (derived from the Hash Algorithm Indicator) to
the result of the concatenation of the previous step to produce the hash result.
7. Compare the calculated hash result from the previous step with the recovered Hash
Result. If they are not the same, offline dynamic data authentication has failed.
8. Compare the recovered PAN to the Application PAN read from the ICC. If they are
not the same, offline dynamic data authentication has failed.
9. Verify that the last day of the month specified in the Certificate Expiration Date is
equal to or later than today’s date. If not, offline dynamic data authentication has
failed.
10. If the ICC Public Key Algorithm Indicator is not recognised, offline dynamic data
authentication has failed.
11. If all the checks above are correct, concatenate the Leftmost Digits of the ICC Public
Key and the ICC Public Key Remainder (if present) to obtain the ICC Public Key
Modulus, and continue with the actual offline dynamic data authentication described
in the two sections below.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 6 Offline Dynamic Data Authentication (DDA, CDA)
Security and Key Management 6.5 Dynamic Data Authentication (DDA)
The ICC does not contain a DDOL and the default DDOL in the terminal does
not include the Unpredictable Number.
2. The ICC generates a digital signature as described in section A2.1 on the data
specified in Table 15 using its ICC Private Key SIC in conjunction with the
corresponding algorithm. The result is called the Signed Dynamic Application Data.
The length LDD of the ICC Dynamic Data satisfies 0 ≤ LDD ≤ NIC − 25. The 3-9 leftmost
bytes of the ICC Dynamic Data shall consist of the 1-byte length of the ICC Dynamic
Number, followed by the 2-8 byte value of the ICC Dynamic Number (tag '9F4C',
2-8 bytes binary). The ICC Dynamic Number is a time-variant parameter generated by
the ICC (it can for example be an unpredictable number or a counter incremented each
time the ICC receives an INTERNAL AUTHENTICATE command).
In addition to those specified in Table 12, the data objects necessary for DDA are
specified in Table 16.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 6 Offline Dynamic Data Authentication (DDA, CDA)
Security and Key Management 6.5 Dynamic Data Authentication (DDA)
Table 16: Additional Data Objects Required for Dynamic Signature Generation and
Verification
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 6 Offline Dynamic Data Authentication (DDA, CDA)
Security and Key Management 6.5 Dynamic Data Authentication (DDA)
Table 17: Format of Data Recovered from Signed Dynamic Application Data
3. Check the Recovered Data Header. If it is not '6A', DDA has failed.
4. Check the Signed Data Format. If it is not '05', DDA has failed.
5. Concatenate from left to right the second to the sixth data elements in Table 17 (that
is, Signed Data Format through Pad Pattern), followed by the data elements
specified by the DDOL.
6. Apply the indicated hash algorithm (derived from the Hash Algorithm Indicator) to
the result of the concatenation of the previous step to produce the hash result.
7. Compare the calculated hash result from the previous step with the recovered Hash
Result. If they are not the same, DDA has failed.
If all the above steps were executed successfully, DDA was successful. The ICC Dynamic
Number contained in the ICC Dynamic Data recovered in Table 17 shall be stored in
tag '9F4C'.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 6 Offline Dynamic Data Authentication (DDA, CDA)
Security and Key Management 6.6 Combined DDA/Application Cryptogram Generation (CDA)
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 6 Offline Dynamic Data Authentication (DDA, CDA)
Security and Key Management 6.6 Combined DDA/Application Cryptogram Generation (CDA)
• When requesting an ARQC, the terminal may request it with or without a CDA
signature. When an ARQC is requested without a CDA signature, then the terminal
shall set the TVR bit for ‘Offline data authentication was not performed’ to 1 24 prior
to issuance of the GENERATE AC command. When an ARQC is requested without a
CDA signature, the processes described in sections 6.6.1 and 6.6.2 are not performed.
• When requesting a TC, the terminal shall request it with a CDA signature.
• When requesting an AAC, the terminal shall request it without a CDA signature.
In the case of the second GENERATE AC command:
• The terminal shall set the TVR bit for ‘Offline data authentication was not
performed’ to 0 25 prior to issuance of the GENERATE AC command. If the terminal
is processing the transaction as ‘unable to go online’ then the TVR bit setting shall
be done before the associated terminal action analysis.
• When requesting a TC:
If the terminal is processing the transaction as ‘unable to go online’ (and the
result of terminal action analysis is to request a TC), then the terminal shall
request a TC with a CDA signature.
If the terminal is not processing the transaction as ‘unable to go online’, then the
terminal may request the TC with or without a CDA signature.
• When requesting an AAC, the terminal shall request it without a CDA signature.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 6 Offline Dynamic Data Authentication (DDA, CDA)
Security and Key Management 6.6 Combined DDA/Application Cryptogram Generation (CDA)
The values of the data elements specified by, and in the order they appear
in the PDOL, and sent by the terminal in the GET PROCESSING
OPTIONS command. 26
The values of the data elements specified by, and in the order they appear
in the CDOL1, and sent by the terminal in the first GENERATE AC
command.26
The tags, lengths, and values of the data elements returned by the ICC in
the response to the GENERATE AC command in the order they are
returned, with the exception of the Signed Dynamic Application Data.
In the case of the second GENERATE AC command:
The values of the data elements specified by, and in the order they appear
in the PDOL, and sent by the terminal in the GET PROCESSING
OPTIONS command.26
The values of the data elements specified by, and in the order they appear
in the CDOL1, and sent by the terminal in the first GENERATE AC
command.26
The values of the data elements specified by, and in the order they appear
in the CDOL2, and sent by the terminal in the second GENERATE AC
command.
The tags, lengths, and values of the data elements returned by the ICC in
the response to the GENERATE AC command in the order they are
returned, with the exception of the Signed Dynamic Application Data.
The 20-byte result is called the Transaction Data Hash Code.
c) The ICC applies the digital signature scheme as specified in section A2.1 on the
data specified in Table 18 using its ICC Private Key SIC in conjunction with the
corresponding algorithm. The result is called the Signed Dynamic Application
Data.
26 At the time of issuance of the command, the terminal is required to store the values of these
data elements to later perform the signature verification process as specified in section 6.6.2.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 6 Offline Dynamic Data Authentication (DDA, CDA)
Security and Key Management 6.6 Combined DDA/Application Cryptogram Generation (CDA)
The length LDD of the ICC Dynamic Data satisfies 0 ≤ LDD ≤ NIC − 25. The 32-38
leftmost bytes of the ICC Dynamic Data shall consist of the concatenation of the
data specified in Table 19.
The ICC Dynamic Number is a time-variant parameter generated by the ICC (it
can for example be an unpredictable number or a counter incremented each time
the ICC receives the first GENERATE AC command during a transaction).
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 6 Offline Dynamic Data Authentication (DDA, CDA)
Security and Key Management 6.6 Combined DDA/Application Cryptogram Generation (CDA)
The ICC response to the first GENERATE AC command shall be coded according
to format 2 as specified in Book 3 section 6.5.5.4 (constructed data object with
tag '77') and shall contain at least the mandatory data objects (TLV coded in the
response) specified in Table 20, and optionally the Issuer Application Data.
3. If the ICC responds with an AAC, the ICC response shall be coded according to
either format 1 or format 2 as specified in Book 3 section 6.5.5.4 and shall contain at
least the mandatory data elements specified in Table 21, and optionally the Issuer
Application Data.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 6 Offline Dynamic Data Authentication (DDA, CDA)
Security and Key Management 6.6 Combined DDA/Application Cryptogram Generation (CDA)
2. To obtain the recovered data specified in Table 22, apply the recovery function as
specified in section A2.1 on the Signed Dynamic Application Data using the ICC
Public Key in conjunction with the corresponding algorithm. If the Recovered Data
Trailer is not equal to 'BC', CDA has failed.
Table 22: Format of Data Recovered from Signed Dynamic Application Data
3. Check the Recovered Data Header. If it is not '6A', CDA has failed.
4. Check the Signed Data Format. If it is not '05', CDA has failed.
5. Retrieve from the ICC Dynamic Data the data specified in Table 19.
6. Check that the Cryptogram Information Data retrieved from the ICC Dynamic Data
is equal to the Cryptogram Information Data obtained from the response to the
GENERATE AC command. If this is not the case, CDA has failed.
7. Concatenate from left to right the second to the sixth data elements in Table 22 (that
is, Signed Data Format through Pad Pattern), followed by the Unpredictable
Number.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 6 Offline Dynamic Data Authentication (DDA, CDA)
Security and Key Management 6.6 Combined DDA/Application Cryptogram Generation (CDA)
8. Apply the indicated hash algorithm (derived from the Hash Algorithm Indicator) to
the result of the concatenation of the previous step to produce the hash result.
9. Compare the calculated hash result from the previous step with the recovered Hash
Result. If they are not the same, CDA has failed.
10. Concatenate from left to right the values of the following data elements:
In the case of the first GENERATE AC command:
The values of the data elements specified by, and in the order they appear in
the PDOL, and sent by the terminal in the GET PROCESSING OPTIONS
command.
The values of the data elements specified by, and in the order they appear in
the CDOL1, and sent by the terminal in the first GENERATE AC command.
The tags, lengths, and values of the data elements returned by the ICC in the
response to the GENERATE AC command in the order they are returned,
with the exception of the Signed Dynamic Application Data.
In the case of the second GENERATE AC command:
The values of the data elements specified by, and in the order they appear in
the PDOL, and sent by the terminal in the GET PROCESSING OPTIONS
command.
The values of the data elements specified by, and in the order they appear in
the CDOL1, and sent by the terminal in the first GENERATE AC command.
The values of the data elements specified by, and in the order they appear in
the CDOL2, and sent by the terminal in the second GENERATE AC
command.
The tags, lengths, and values of the data elements returned by the ICC in the
response to the GENERATE AC command in the order they are returned,
with the exception of the Signed Dynamic Application Data.
11. Apply the indicated hash algorithm (derived from the Hash Algorithm Indicator) to
the result of the concatenation of the previous step to produce the Transaction Data
Hash Code.
12. Compare the calculated Transaction Data Hash Code from the previous step with
the Transaction Data Hash Code retrieved from the ICC Dynamic Data in step 5. If
they are not the same, CDA has failed.
If all the above steps were executed successfully, CDA was successful. The ICC Dynamic
Number and the ARQC or TC contained in the ICC Dynamic Data recovered in Table 19
shall be stored in tag '9F4C' and in tag '9F26', respectively.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 6 Offline Dynamic Data Authentication (DDA, CDA)
Security and Key Management 6.6 Combined DDA/Application Cryptogram Generation (CDA)
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 6 Offline Dynamic Data Authentication (DDA, CDA)
Security and Key Management 6.6 Combined DDA/Application Cryptogram Generation (CDA)
Check other
Offline Data Terminal
Offline Data
Authentication & card support NO
Authentication
Processing CDA?
methods
NO
YES
TC or
ICC response... AAC
ARQC
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 6 Offline Dynamic Data Authentication (DDA, CDA)
Security and Key Management 6.6 Combined DDA/Application Cryptogram Generation (CDA)
A
1st GENERATE AC
Response Processing
ARQC/TC
Perform approval
processing.
Do not issue 2nd
GEN AC. ARQC
Any CDA errors
O NO
detected?
Perform online
authorisation YES
Online Decline
Online processing or Unable TC/
GEN AC response...
result ... to Go Online AAC
- Decline
Unable to
Go Online
- Approval Online Perform decline
Approval processing.
ARQC Do not issue 2nd
GEN AC.
Terminal
requests CDA for
YES
online
approvals?
Issue 2nd GEN AC for
an AAC without
requesting CDA.
NO
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 6 Offline Dynamic Data Authentication (DDA, CDA)
Security and Key Management 6.6 Combined DDA/Application Cryptogram Generation (CDA)
B 2nd GENERATE AC
Response Processing
GEN AC
response... AAC
TC
Recover Signed
Dynamic Applic. Data
YES
Complete transaction
processing
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2
Security and Key Management
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 7 PIN and Biometric Data Encipherment Using RSA
Security and Key Management 7.1 Keys and Certificates
31 In the case that the ICC owns a specific ICC PIN Encipherment Public Key, the format of the
data recovered from the certificate is exactly the same as for dynamic data authentication (see
Table 14 in section 6.4) however the data that is input to the hash algorithm when computing the
certificate (see Table 23) does not include the Static Data to be Authenticated. Hence all the
verification steps specified in section 6.4 are performed except in step 5 the static data to be
authenticated is not included in the concatenation of data elements to be hashed in step 6.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 7 PIN and Biometric Data Encipherment Using RSA
Security and Key Management 7.1 Keys and Certificates
Table 23: ICC PIN Encipherment Public Key Data To Be Signed by Issuer
(i.e. input to the hash algorithm)
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 7 PIN and Biometric Data Encipherment Using RSA
Security and Key Management 7.1 Keys and Certificates
2. The ICC does not own a specific ICC PIN encipherment public key pair, but owns an
ICC public key pair for offline dynamic data authentication as specified in
section 6.1. This key pair can then be used for PIN encipherment and biometric data
encipherment. The ICC Public Key is stored on the ICC in a public key certificate as
specified in section 6.1.
The first step of PIN encipherment or biometric data encipherment shall be the retrieval
of the public key to be used by the terminal for the encipherment of the PIN or biometric
data. This process takes place as follows.
1. If the terminal has obtained all the data objects specified in Table 24 from the ICC,
then the terminal retrieves the ICC PIN Encipherment Public Key in exactly the
same way as it retrieves the ICC Public Key for offline dynamic data authentication
(see section 6).
2. If the terminal has not obtained all the data objects specified in Table 24, but has
obtained all the data objects specified in Table 12, then the terminal retrieves the
ICC Public Key as described in section 6.
3. If the conditions under points 1 and 2 above are not satisfied or if as described in
section 6.1.2 for dynamic data authentication, the Issuer Public Key Certificate has
been revoked, then PIN encipherment has failed and the Offline Enciphered PIN
CVM has failed, or biometric data encipherment has failed and the Offline Biometric
CVM has failed.
Table 24: Data Objects Required for Retrieval of ICC PIN Encipherment Public Key
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 7 PIN and Biometric Data Encipherment Using RSA
Security and Key Management 7.2 PIN Encipherment and Verification
5. The terminal issues a VERIFY command including the Enciphered PIN Data
obtained in the previous step.
6. With the ICC Private Key, the ICC applies the RSA Signing Function as specified in
section B2.1.2 to the Enciphered PIN Data in order to recover the plaintext data
specified in Table 25.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 7 PIN and Biometric Data Encipherment Using RSA
Security and Key Management 7.2 PIN Encipherment and Verification
7. The ICC verifies whether the ICC Unpredictable Number recovered is equal to the
ICC Unpredictable Number generated by the ICC with the GET CHALLENGE
command. If this is not the case, Offline Enciphered PIN has failed. 34
8. The ICC verifies whether the Data Header recovered is equal to '7F'. If this is not the
case, Offline Enciphered PIN has failed.34
9. The ICC verifies whether the PIN included in the recovered PIN Block corresponds
with the PIN stored in the ICC. If this is not the case, PIN verification has failed.34
If all the above steps were executed successfully, then enciphered PIN verification was
successful. The ordering of steps 1 to 3 in section 7.2 is representative, not mandatory.
Key retrieval (as described in section 7.1) and steps 1 to 3 in section 7.2 can be
conducted in any order, provided they are all complete before the terminal applies the
RSA Recovery Function (as described in step 4 of section 7.2).
34 When recovery of the PIN Block has failed, the ICC should return SW1 SW2 = '6983' or '6984'
as described in Book 3 section 10.5.1 to indicate that Offline Enciphered PIN processing has
failed.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 7 PIN and Biometric Data Encipherment Using RSA
Security and Key Management 7.3 Biometric Data Encipherment and Recovery
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 7 PIN and Biometric Data Encipherment Using RSA
Security and Key Management 7.3 Biometric Data Encipherment and Recovery
The MAC algorithm used in the DEM1 mechanism shall be HMAC, as defined in
ISO/IEC 9797-2 using SHA-256 as the hash function. Note that the label L
defined in DEM1 shall be null, and thus according to DEM1 the HMAC is
computed over the Enciphered Biometric Data appended with 8 zero bytes.
Note: The length bytes in Table 26 are simple binary bytes, and are not coded as BER-
TLV length fields.
4. The terminal shall construct the Biometric Verification Data Template, and order
the data elements as indicated in Table 27.
a) The value of Biometric Type is set as the plaintext value used in step 3f) when
referencing Table 26.
b) The value of Biometric Solution ID is set as the plaintext value used in step 3f)
when referencing Table 26.
c) The value of Enciphered Biometric Key Seed is set as the value generated in
step 3e).
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 7 PIN and Biometric Data Encipherment Using RSA
Security and Key Management 7.3 Biometric Data Encipherment and Recovery
d) The value of Enciphered Biometric Data is set as the value generated in step 3f).
e) The value of MAC of Enciphered Biometric Data is set as the value generated in
step 3g).
Note: The data objects in Table 27 are BER-TLV coded. The length of all TLV coded data
objects are coded on the minimum number of bytes (that is, on 1 byte if < 128, on 2 bytes
if in the range 128 to 255, and so on). See Book 3 section B2 for BER-TLV coding rules.
There shall be no '00' padding bytes before, between, or after the BER-TLV coded data
objects.
5. The terminal shall construct and issue VERIFY command(s) as following:
a) If the length of the value field of the Biometric Verification Data Template is no
more than 255 bytes, the terminal shall set the value field of the Biometric
Verification Data Template as the data field of the single VERIFY command.
b) If the length of the value field of the Biometric Verification Data Template is
more than 255 bytes, the terminal shall divide the value field of the Biometric
Verification Data Template into 255 byte data blocks. The last data block may be
1 to 255 bytes in length. Then the terminal shall set these data blocks as the data
fields of the commands and chain the commands using command chaining
defined in Book 3 section 6.5.13.
c) The terminal shall issue the VERIFY command(s).
6. With the ICC Private key, the ICC decrypts the Enciphered Biometric Data in the
following way:
a) The private key owned by the ICC has exponent d and modulus n.
b) The ICC decrypts the Enciphered Biometric Key Seed using the RSA Transform
algorithm as defined in ISO/IEC 18033-2: R = RSATransform (C, d, n), where C is
Enciphered Biometric Key Seed (tag 'DF50').
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 7 PIN and Biometric Data Encipherment Using RSA
Security and Key Management 7.3 Biometric Data Encipherment and Recovery
c) The ICC generates two keys using the key derivation function KDF1 as defined
in ISO/IEC 18033-2 with SHA-256 as the hash function: K = KDF1 (R, 48). The
16 most significant bytes of K is the Biometric Encryption Key BEK and the 32
least significant bytes of K is the Biometric MAC Key BMK.
d) The ICC uses the BMK generated in step c) to generate an 8-byte MAC on the
Enciphered Biometric Data according to the DEM1 mechanism as defined in
ISO/IEC 18033-2.
The MAC algorithm used in the DEM1 mechanism shall be HMAC, as defined in
ISO/IEC 9797-2 using SHA-256 as the hash function. Note that the label L
defined in DEM1 shall be null, and thus according to DEM1 the HMAC is
computed over the Enciphered Biometric Data appended with 8 zero bytes.
If the generated MAC is not equal to the MAC of Enciphered Biometric Data
(tag 'DF52') included in the Biometric Verification Data Template, Offline
Biometric CVM has failed.
e) The ICC decrypts the Enciphered Biometric Data using the DEM1 mechanism as
defined in ISO/IEC 18033-2, with the Biometric Encryption Key BEK generated
in step c).
The symmetric cipher (SC) used in the DEM1 mechanism shall be the SC1
defined in ISO/IEC 18033-2 with the block cipher being the AES-128 defined in
ISO/IEC 18033-3.
7. The ICC verifies whether the ICC Unpredictable Number recovered in step 6e) is
equal to the ICC Unpredictable Number generated by the ICC with the GET
CHALLENGE command. If they are not the same, Offline Biometric CVM has failed.
8. The ICC verifies whether the Biometric Solution ID recovered in step 6e) is equal to
the Biometric Solution ID (tag '90') included in the Biometric Verification Data
Template. If they are not the same, Offline Biometric CVM has failed.
9. The ICC verifies whether the Biometric Type recovered in step 6e) is equal to the
Biometric Type (tag '81') included in the Biometric Verification Data Template. If
they are not the same, Offline Biometric CVM has failed.
The ordering of steps 1 and 2 is representative, not mandatory. Key retrieval as
described in section 7.1 and steps 1 and 2 can be conducted in any order, provided they
are all completed before the terminal applies the RSA-KEM algorithm (as described in
step 3).
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2
Security and Key Management
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 8 Application Cryptogram and Issuer Authentication
Security and Key Management 8.1 Application Cryptogram Generation
Value Source
Amount, Authorised (Numeric) Terminal
Amount, Other (Numeric) Terminal
Terminal Country Code Terminal
Terminal Verification Results Terminal
Transaction Currency Code Terminal
Transaction Date Terminal
Transaction Type Terminal
Unpredictable Number Terminal
Application Interchange Profile ICC
Application Transaction Counter ICC
Table 28: Recommended Minimum Set of Data Elements for Application Cryptogram
Generation
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 8 Application Cryptogram and Issuer Authentication
Security and Key Management 8.2 Issuer Authentication
ARPC Method 1 for the generation of an 8-byte ARPC using AES is identical to the
ARPC Method 1 using Triple DES (above) except that in step 3 the 8-byte ARPC is
computed using AES as specified in section B1.2 and is defined to be the leftmost 8
bytes of:
AES(SKAC)[ Y || Y0 ]
where
Y0 := ('00' || '00' || '00' || '00' || '00' || '00' || '00' || '00').
However if an issuer still intends to return an ARPC when ARQC verification has failed, then the
ARPC should not be calculated from the ARQC received from the network.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 8 Application Cryptogram and Issuer Authentication
Security and Key Management 8.3 Key Management
However if an issuer still intends to return an ARPC when ARQC verification has failed, then the
ARPC should not be calculated from the ARQC received from the network.
37 See Book 3 Annex A for a definition of this data item.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2
Security and Key Management
9 Secure Messaging
The objectives of secure messaging are to ensure data confidentiality, data integrity, and
authentication of the sender. Data integrity and issuer authentication are achieved
using a MAC. Data confidentiality is achieved using encipherment of the data field.
38 EMV anticipates one data object preceding the MAC data object. Depending on the command
data of the unsecured command there could be more than one such data object. For these
constructions please refer to ISO/IEC 7816-4.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 9 Secure Messaging
Security and Key Management 9.2 Secure Messaging for Integrity and Authentication
• If the unsecured command data is not BER-TLV encoded, then the data shall be
encapsulated under tag '81'.
• If the unsecured command data is BER-TLV encoded and if the tag of any data
element lies in the context specific class (range '80' to 'BF') reserved for SM-related
data objects, then the command data shall be encapsulated in a constructed data
object under tag 'B3'.
• If the unsecured command data is BER-TLV encoded and no tag lies in the context
specific class (range '80' to 'BF') reserved for SM-related data objects, then ISO/IEC
7816-4 permits that the command data may be included without encapsulation.
However, if encapsulated then the command data shall be encapsulated in a
constructed data object under tag 'B3'.
Note: If it is not always apparent that the data is BER-TLV encoded then the data may be
encapsulated under tag '81'.
If the command data is carried as a cryptogram then it shall be encapsulated in a data
object for confidentiality as described in section 9.3.1.1.
The second data object is the MAC. Its tag is '8E', and its length shall be in the range of
four to eight bytes. Note that if the command to be secured has no command data (e.g.
Application Block) then this MAC is the first and only data object of the secured
command.
Figure 6: Format 1 Command Data Field for Secure Messaging for Integrity and
Authentication
9.2.1.2 Format 2
The data elements (including the MAC) contained in the data field and the
corresponding lengths shall be known by the sender of a command using secure
messaging and known by the currently selected application. The MAC is not BER-TLV
coded and shall always be the last data element in the data field and its length shall be
in the range of 4 to 8 bytes (see Figure 7).
Value 1 Value 2
Command data (if present) MAC (4-8 bytes)
Figure 7: Format 2 Command Data Field for Secure Messaging for Integrity and
Authentication
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 9 Secure Messaging
Security and Key Management 9.2 Secure Messaging for Integrity and Authentication
39 In the terms of ISO/IEC 7816-4 and in the case that Algorithm 3 of ISO/IEC 9797-1 is used
with Single DES this is equivalent to using an auxiliary block in the initial stage where this
auxiliary block is the single DES encryption of the Application Cryptogram or MAC of the
preceding command.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 9 Secure Messaging
Security and Key Management 9.2 Secure Messaging for Integrity and Authentication
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 9 Secure Messaging
Security and Key Management 9.3 Secure Messaging for Confidentiality
ISO/IEC 7816-4 specifies the tags which may be allocated to the cryptogram resulting
from the encipherment of the data field of the unsecured command. An odd-numbered
tag shall be used if the object is to be integrated in the computation of a MAC; an
even-numbered tag shall be used otherwise.
If tag '86' or '87' is allocated to the data object for confidentiality, the value field of the
data object for confidentiality contains the padding indicator byte followed by the
cryptogram. The padding indicator byte shall be encoded according to ISO/IEC 7816-4. If
another tag is used, the value field of the data object for confidentiality contains the
cryptogram only.
An example is provided in section D2.
9.3.1.2 Format 2
Data encipherment is applied to the full plaintext command data field with the
exception of a MAC (see Figure 9).
Value1 Value2
Cryptogram (enciphered data) MAC (if present)
Figure 9: Format 2 Command Data Field for Secure Messaging for Confidentiality
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 9 Secure Messaging
Security and Key Management 9.4 Key Management
9.3.3 Encipherment/Decipherment
Encipherment/decipherment of the plain/enciphered command data field takes place
according to the mechanism described in section A1.1 with the Encipherment Session
Key derived as described in section 9.3.2.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2
Security and Key Management
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2
Security and Key Management
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 11 Terminal Security and Key Management Requirements
Security and Key Management 11.2 Key Management Requirements
One process for the introduction of Certification Authority Public Keys into terminals is
to install the keys during terminal manufacture and deployment. The keys may be made
available by the payment systems to terminal vendors, or acquirers may specify the keys
necessary for their particular market segments.
On being informed of a new key being available, Acquirers are expected to install it in
their terminal base within six months.
During installation into the terminal the integrity of the Certification Authority Public
Key and its related data is confirmed, see Book 4 section 10.2.
For RSA, the integrity of the Certification Authority Public Key may be protected using
a Check Sum calculated in the same manner as is used to protect the integrity in
storage as described in section 11.2.2.
For ECC, the Certification Authority Public Key will be self-signed for distribution
according to Table 29. A diagram showing the construction of a self-signed Certification
Authority Public Key Certificate is shown in Figure 10.
Successful verification of the self-signed Certification Authority Public Key Certificate
also ensures that the terminal supports the algorithm suite associated with the
Certification Authority Public Key and that will be used for verifying Issuer Public Key
Certificates.
Self Signed
Certification
Certification
Authority
Authority
Key Index
Public Key SIGN
Certificate Certification
Authority Public Key
Algorithm
Suite Indicator
Certification
Authority
Public Key
Signature
Block
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 11 Terminal Security and Key Management Requirements
Security and Key Management 11.2 Key Management Requirements
As shown in Figure 10, the self-signed Certification Authority Public Key Certificate
consists of a plain text prefix followed by a signature block. The certificate is specified in
the following table where for this version of the specifications the encoding of the
certificate is binary (i.e. value, value, value... with no additional identifier or length
fields).
Name Description Length
(bytes)
1 Certificate Format Always Hex value '20' for this version of 1
the specifications.
2 Certificate Encoding Always Hex value '00' for this version of 1
the specifications.
3 RID Identifies the Payment System with 5
which the Certification Authority public
key is associated. The RID is identified
in the AID (first 5 bytes).
4 Certification Authority When combined with the RID, uniquely 1
Public Key Index identifies the Certification Authority
Public Key.
5 Certification Authority Indicates the algorithms to be used with 1
Public Key Algorithm the Certification Authority Public Key.
Suite Indicator
6 Certification Authority Representation of Certification NFIELD
Public Key Authority Public Key (x-coordinate of
Certification Authority public key point)
on the curve identified by the
Certification Authority Public Key
Algorithm Suite Indicator.
7 Certification Authority Output of digital signature ECC NSIG
Public Key Certificate algorithm on concatenated first six data
Signature objects using the Certification Authority
private key on the elliptic curve
identified by the Certification Authority
Public Key Algorithm Suite Indicator.
Table 29: ECC Self-Signed Certification Authority Public Key & Related Data (Binary
Encoding)
At the end of the installation, after verifying the integrity of the public key and its
related data, the terminal shall apply storage integrity protection of the public key and
its related data to allow the subsequent re-verification of their integrity. This may be
achieved using the Certification Authority Public Key Check Sum in Table 30 and
Table 31 or a proprietary mechanism.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 11 Terminal Security and Key Management Requirements
Security and Key Management 11.2 Key Management Requirements
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 11 Terminal Security and Key Management Requirements
Security and Key Management 11.2 Key Management Requirements
Table 30: Minimum Set of Certification Authority Public Key Related Data Elements
To Be Stored in Terminal (RSA)
40 Only necessary if used to verify the integrity of the Certification Authority Public Key.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 11 Terminal Security and Key Management Requirements
Security and Key Management 11.2 Key Management Requirements
Table 31: Minimum Set of Certification Authority Public Key Related Data Elements
To Be Stored in Terminal (ECC)
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 11 Terminal Security and Key Management Requirements
Security and Key Management 11.2 Key Management Requirements
• The acquirer shall be able to confirm that a specific Certification Authority Public
Key was indeed withdrawn correctly from its terminals.
Other than in the extreme case of a Certification Authority Public Key compromise, keys
are expected to be withdrawn on the previously publicised expiration dates.
To assist with this, EMVCo will conduct annual review sessions for Certification
Authority Public Key pair strength evaluation, using state of the art information and
analysis from the fields of computer science, cryptography, and data security.
All Certification Authority Public Keys will have December 31st as planned expiration
date.
Public Key expiration dates will be set well in advance to allow card portfolio lifetimes to
meet business needs and Issuers should ensure that IC Cards expire no later than the
expiration date of the Issuer Public Key Certificates.
Acquirers need to remove the Certification Authority Public Keys from service in their
terminals within a specific grace period after expiration. This is expected to be six
months starting from the planned expiration date (until June 30th of the following
calendar year) but may be deferred at payment system discretion.
It may be noted that much of this material relates to the introduction of longer RSA
keys, necessary as the shorter keys lose security strength. This sequence will end when
the 1984 bit keys reach an expiration date. Whilst ECC keys are expected to be stable in
the long term, the ability to install and withdraw keys is still necessary to allow for
infrastructure changes, such as the emergence of a new domestic payment system.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 11 Terminal Security and Key Management Requirements
Security and Key Management 11.3 Unpredictable Number Generation
Table 32: Data Elements Used to Generate Terminal Unpredictable Number (UN)
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 11 Terminal Security and Key Management Requirements
Security and Key Management 11.3 Unpredictable Number Generation
Note that Q is held in non-volatile memory and so persists when the terminal is powered
down.
UN generation is as follows
1. Power-up
Each time the terminal is powered-up it updates Q and generates a value P as
follows:
Set Q = SHA[ Q || TVP || IFDSN || TID || RAND (if available) ]
Set P = Q
2. Per transaction
• Before a transaction, the terminal generates a UN as follows:
Set UN = LS4B( SHA[ P || RAND (if available) ] )
• After a transaction (even if it fails) refresh P as follows:
Set P = SHA[ P || TVP || RAND (if available) || AC (if available) ]
3. Power-down
Set Q = P
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2
Security and Key Management
ICC PK
Issuer PK Issuer PK
Certificate Certificate
Certificate
IC Card IC Terminal
ICCs that support XDA contain an ICC Private Key that the ICC uses for generating the
Signed Dynamic Application Data.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 12 Offline Dynamic Data Authentication Using ECC (XDA)
Security and Key Management
ICCs that support XDA shall generate the data element listed in Table 33:
XDA uses the signature scheme specified in section A2.2 and section B2.2. Section 12.1
contains an overview of the keys and certificates involved in the XDA process.
Sections 12.2, 12.3, and 12.4 specify the initial steps in the process, namely:
• Retrieval of the Certification Authority Public Key by the terminal
• Authentication and Recovery of the Issuer Public Key by the terminal
• Authentication and Recovery of the ICC Public Key by the terminal
If the first of these steps fails then the CA ECC key is considered to be missing and
therefore XDA is considered to have failed. If either of the last two of these steps fail
then ECC key recovery is considered to have failed and therefore XDA is considered to
have failed. Terminal actions in case of ECC key recovery failures are addressed in
Book 4 section 6.3. Note that ECC key recovery failure is not reflected in the Terminal
Verification Results before the GENERATE AC command is sent and so cannot
influence Terminal Action Analysis until after the GENERATE AC command is sent.
The final step of the XDA process consists of generation by the ICC and verification by
the terminal of the Signed Dynamic Application Data. Section 12.5 specifies the dynamic
signature generation and verification processes for XDA.
If dynamic signature verification fails then XDA is considered to have failed. XDA shall
only be considered successful if CA key retrieval is successful and ECC key recovery is
successful and XDA signature verification is successful.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 12 Offline Dynamic Data Authentication Using ECC (XDA)
Security and Key Management 12.1 Keys and Certificates
41 This is unlike RSA certificates, where if a public key is used for both ODA and ODE, then only
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 12 Offline Dynamic Data Authentication Using ECC (XDA)
Security and Key Management 12.1 Keys and Certificates
Table 34: ICC Data Required for Public Key Authentication for XDA and ECC ODE
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 12 Offline Dynamic Data Authentication Using ECC (XDA)
Security and Key Management 12.2 Retrieval of Certification Authority Public Key
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 12 Offline Dynamic Data Authentication Using ECC (XDA)
Security and Key Management 12.3 Authentication and Recovery of Issuer Public Key
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 12 Offline Dynamic Data Authentication Using ECC (XDA)
Security and Key Management 12.3 Authentication and Recovery of Issuer Public Key
When using EC-SDSA, the length NSIG of a digital signature is equal to the length NHASH
of the hash plus the length of a field element. Thus, if the signature algorithm suite uses
P-256 and a 256-bit hash algorithm (such as SHA-256), then NHASH = NFIELD = 32 and
NSIG = NHASH + NFIELD = 64. Furthermore, for item 10 in Table 35 the lengths NSIG,
NHASH, and NFIELD are determined by the Certification Authority Public Key Algorithm
Suite Indicator whereas for item 9 in Table 35 the length NFIELD is determined by the
Issuer Public Key Algorithm Suite Indicator.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 12 Offline Dynamic Data Authentication Using ECC (XDA)
Security and Key Management 12.3 Authentication and Recovery of Issuer Public Key
To authenticate the Issuer Public Key the terminal shall perform the following steps:
1. Check that the length in bytes of the Issuer Public Key Certificate as defined in
Table 35 is at least 21 bytes. If this fails, ECC key recovery has failed.
2. Check the Issuer Certificate Format. If it is not '12', ECC key recovery has failed.
3. Check the Issuer Certificate Encoding. If it is not '00', ECC key recovery has failed.
4. Verify that the Issuer Identifier matches the leftmost 3 – 10 digits of the PAN
(tag '5A') (allowing for the possible padding of the Issuer Identifier with hexadecimal
'F's). If not, ECC key recovery has failed.
5. Verify that the date specified in the Issuer Certificate Expiration Date is equal to or
later than today’s date. If the Issuer Certificate Expiration Date is earlier than
today’s date, the certificate has expired, in which case ECC key recovery has failed.
6. Verify that the RID and the Certification Authority Public Key Index in the
certificate matches the RID and the Certification Authority Public Key Index used to
retrieve the Certification Authority Public Key. If not, ECC key recovery has failed.
7. Verify that the concatenation of RID, Certification Authority Public Key Index, and
Issuer Certificate Serial Number is valid. If not, ECC key recovery has failed. 42
8. Verify that the Issuer Public Key Algorithm Suite Indicator is in accordance with
section B2.4.1. If not, then ECC key recovery has failed.
9. Check that the length in bytes of the Issuer Public Key Certificate as defined in
Table 35 is equal to NFIELD + NSIG + 21. If this fails, ECC key recovery has failed.
10. Concatenate the first 9 data elements of the Issuer Public Key Certificate
11. Using the Certification Authority Public Key and the algorithms indicated by the
associated Certification Authority Public Key Algorithm Suite Indicator, verify as
specified in section A2.2.3 the Issuer Public Key Certificate Signature contained in
the Issuer Public Key Certificate (tag '90') with the concatenated data from step 10
being the MSG as specified in section A2.2.3. If signature verification fails then ECC
key recovery has failed.
12. Recover the y-coordinate of the Issuer Public Key point using the Point4x() function
applied to the x-coordinate obtained from the Issuer Public Key field of the certificate
(item 9 in Table 35) as described in section B2.2.1(e).
If the above steps were all successful, then authentication and recovery of the Issuer
Public Key is successful and the terminal shall continue with the steps in the following
section. If any of the above steps were not successful (i.e. ECC key recovery has failed),
then XDA (and/or ODE) processing is considered to have failed.
42This step is optional and is to allow the revocation of the Issuer Public Key Certificate against
a list that may be kept by the terminal.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 12 Offline Dynamic Data Authentication Using ECC (XDA)
Security and Key Management 12.4 Authentication and Recovery of ICC Public Key
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 12 Offline Dynamic Data Authentication Using ECC (XDA)
Security and Key Management 12.4 Authentication and Recovery of ICC Public Key
Table 36: ICC Public Key Certificate Tag '9F46' (XDA) and Tag '9F2D' (ODE)
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 12 Offline Dynamic Data Authentication Using ECC (XDA)
Security and Key Management 12.4 Authentication and Recovery of ICC Public Key
When using EC-SDSA the length NSIG of a digital signature is equal to the length of the
hash plus the length of a field element. Thus, if the signature algorithm suite uses P-256
and a 256-bit hash algorithm (such as SHA-256) then NHASH = NFIELD = 32 and NSIG =
NHASH + NFIELD = 64. Furthermore, for item 11 in Table 36 the lengths NSIG, NHASH, and
NFIELD are determined by the Issuer Public Key Algorithm Suite Indicator whereas for
item 10 in Table 36 the length NFIELD is determined by the ICC Public Key Algorithm
Suite Indicator and for item 9 in Table 36 the length NHASH is determined by the ICCD
Hash Algorithm Indicator.
Note: If the issuer signature algorithm suite uses P-521/SHA-512 (signature algorithm suite
'11') and the ICC Public Key is P-521 (signature algorithm suite '11' or encryption algorithm suite
'01') then the ICCD Hash is limited to using SHA-256 (hash algorithm '02') in order to prevent
exceeding length restrictions.
ICCD Hash
As part of ICC Public Key authentication, the terminal shall check that the hash of the
Issuer Certified Card Data (ICCD) is equal to the ICCD Hash included in the ICC Public
Key Certificate (see Table 36).
The ICCD is the Static Data to be Authenticated which is equal to the concatenation of
records identified by the AFL as participating in Offline Data Authentication, the tag,
length, and value of Application Interchange Profile, the tag, length, and value of
Application Identifier (AID) – terminal, and the tag, length, and value of PDOL (if
received from the card) as specified in Book 3 section 10.3.
It is expected that authenticated records will include Application Primary Account
Number (PAN), Application Primary Account Number (PAN) Sequence Number, and
Application Expiration Date.
Note: For this version of the specifications, the encoding method used for the ICCD is restricted
to TLV encoding and so the ICCD Hash will be computed over the data objects formatted in TLV
representation as described in Book 3 section 10.3.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 12 Offline Dynamic Data Authentication Using ECC (XDA)
Security and Key Management 12.4 Authentication and Recovery of ICC Public Key
5. Verify that the ICC Public Key Algorithm Suite Indicator is in accordance with
section B2.4 (B2.4.1 for XDA if tag '9F46' or B2.4.2 for ODE if tag '9F2D'). If not,
then ECC key recovery has failed.
6. Verify that the ICCD Hash Algorithm Indicator is an identifier in accordance with
section B2.3. If not, then ECC key recovery has failed.
7. Check that the length in bytes of the ICC Public Key Certificate as defined in
Table 36 is equal to 17 + NHASH + NFIELD + NSIG. If this fails, ECC key recovery has
failed.
8. Check that the hash of the Issuer Certified Card Data (ICCD) using the hash
algorithm identified by ICCD Hash Algorithm Indicator is equal to the ICCD Hash
included in the ICC Public Key Certificate (see Table 36). If this check fails then
ECC key recovery has failed.
9. Concatenate the first 10 data elements of the ICC Public Key Certificate.
10. Using the Issuer Public Key and the algorithms indicated by the associated Issuer
Public Key Algorithm Suite Indicator, verify as specified in section A2.2.3 the Digital
Signature contained in the ICC Public Key Certificate with the concatenated data
from step 9 being the MSG as specified in section A2.2.3. If signature verification
fails, ECC key recovery has failed.
11. Recover the y-coordinate of the ICC Public Key point using the Point4x() function
applied to the x-coordinate obtained from the ICC Public Key field of the certificate
(item 10 in Table 36) as described in section B2.2.1(e).
If the above steps were all successful, then authentication and recovery of the ICC
Public Key is successful and the terminal shall continue with the steps in the following
section (in case of tag '9F46') or section 13.2 (in case of tag '9F2D'). If any of the above
steps were not successful (i.e. ECC key recovery has failed), then XDA processing is
considered to have failed (in case of tag '9F46') or ODE processing is considered to have
failed (in case of tag '9F2D').
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 12 Offline Dynamic Data Authentication Using ECC (XDA)
Security and Key Management 12.5 XDA Signature Generation and Verification
43 The reason for always requesting an XDA signature, even if an AAC is requested, is to avoid
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 12 Offline Dynamic Data Authentication Using ECC (XDA)
Security and Key Management 12.5 XDA Signature Generation and Verification
The Response Data in Table 37 shall be exactly (including their order) as returned in the
response to the GENERATE AC command, but not including the Signed Dynamic
Application Data.
The Signed Dynamic Application Data consists of the concatenation of the Signed Data
Format and the Digital Signature. This is illustrated in Table 38.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 12 Offline Dynamic Data Authentication Using ECC (XDA)
Security and Key Management 12.5 XDA Signature Generation and Verification
The ICC response to GENERATE AC commands with XDA signature is coded according
to format 2 as specified in Book 3 section 6.5.5.4 (constructed data object with tag '77')
and contains at least the mandatory data objects (TLV coded in the response) specified
in Table 39, and optionally the Issuer Application Data and other data objects.
Table 39: Data Objects Included in Response to GENERATE AC with XDA Signature
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 12 Offline Dynamic Data Authentication Using ECC (XDA)
Security and Key Management 12.5 XDA Signature Generation and Verification
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 12 Offline Dynamic Data Authentication Using ECC (XDA)
Security and Key Management 12.5 XDA Signature Generation and Verification
Yes
Set XDA
selecte d in TVR
Terminal retrieves CA
Pub lic Key and sets
CA ECC key missing
in TVR if key i s not
presen t
Note: K ey recovery may be
don e a t any time before 1st
GEN AC re sp onse p rocessing. If ke y
Terminal Actio n recovery fails the n the TVR is u pdated
Decline
Offl ine
Ana lysis afte r send ing the 1 st GEN AC command.
preced ing 1st
(AA C)
GEN AC
Terminal recovers
App rove O ffline (TC) or Go Onl ine Issuer and ICC Publ ic
(ARQC) Keys from cer tificate s.
ARQC No
TAA Processi ng
1XDA OK No
TAC/IAC-Denial
Yes
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 12 Offline Dynamic Data Authentication Using ECC (XDA)
Security and Key Management 12.5 XDA Signature Generation and Verification
XDA and Offline-only Processing Offline Only Online Processing XDA and Online Processing
- 1ARQC 1XDA OK - 1ARQC 1XDA OK
- 1ARQC 1XDA NOK - 1ARQC 1XDA NOK
- 1TC 1XDA NOK - 1TC 1XDA NOK
Unable To Go
Yes No
Online
Issuer
Yes 1XDA OK
Response
No
ARQC
ARQC
Request TC Request AAC
2nd GEN AC for TC
with XDA signature
2nd GEN AC for TC 2nd GEN AC for AAC
with XDA signature with XDA signature
2nd GEN AC
Response
2nd GEN AC TC
TC
Response
1XDA OK
TC
TC No
AAC
Yes
No
Yes
Note: Note:
‘1XDA OK’ means that CA key retrieval, Issuer key If the issuer has authorised the transaction and XDA
recovery, ICC key recovery, and verification of 1 st had failed on 1st GEN AC it is known that issuer has
GEN AC XDA signature were all successful. ‘1XDA authorised despite the XDA failure so XDA is not
NOK’ means that one of them failed. verified on 2nd GEN AC
‘2XDA OK’ means that 2nd GEN AC XDA signature
verification was successful, ‘2XDA NOK’ means that
it failed.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2
Security and Key Management
44 ICC Public Key Certificates enforce key usage by including the appropriate Algorithm Suite
Indicator.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 13 Offline Data Encipherment Using ECC
Security and Key Management 13.2 PIN Encipherment
45 The derivation function generates four AES keys, but this specification only uses K1 and K2.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 13 Offline Data Encipherment Using ECC
Security and Key Management 13.2 PIN Encipherment
6. The terminal issues a VERIFY command including the Enciphered Data obtained in
the previous step.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 13 Offline Data Encipherment Using ECC
Security and Key Management 13.3 PIN Decipherment and Verification
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 13 Offline Data Encipherment Using ECC
Security and Key Management 13.4 Biometric Data Encipherment
46 The derivation function generates four AES keys, but this specification only uses K1 and K2.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 13 Offline Data Encipherment Using ECC
Security and Key Management 13.4 Biometric Data Encipherment
Note: The length bytes in Table 41 are simple binary bytes, and are not coded as BER-TLV
length fields.
6. The terminal shall construct the Biometric Verification Data Template, and order
the data elements as indicated in Table 42.
a) The value of Biometric Type is set as the plaintext value used in step 4 when
referencing Table 41.
b) The value of Biometric Solution ID is set as the plaintext value used in step 4
when referencing Table 41.
c) The value of Enciphered Biometric Data is set as the value of the Enciphered
Data generated in step 5.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 13 Offline Data Encipherment Using ECC
Security and Key Management 13.4 Biometric Data Encipherment
Note: The data objects in Table 42 are BER-TLV coded. The length of all TLV coded data objects
are coded on the minimum number of bytes (that is, on 1 byte if < 128, on 2 bytes if in the range
128 to 255, and so on). See Book 3 section B.2 for BER-TLV coding rules. There shall be no '00'
padding bytes before, between, or after the BER-TLV coded data objects.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 13 Offline Data Encipherment Using ECC
Security and Key Management 13.5 Biometric Data Decipherment and Recovery
If all the above steps were executed successfully, then enciphered biometric recovery
was successful.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2
Security and Key Management
Part III
Annexes
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2
Security and Key Management
A1 Symmetric Mechanisms
A1.1 Encipherment
Encipherment of data uses an n-byte block cipher ALG either in Electronic Codebook
(ECB) Mode or in Cipher Block Chaining (CBC) mode according to ISO/IEC 10116.
Encipherment of a message MSG of arbitrary length with Encipherment Session Key KS
takes place in the following steps.
1. Padding and Blocking
• If the message MSG has a length that is not a multiple of n bytes, add one '80'
byte to the right of MSG, and then add the smallest number of '00' bytes to
the right such that the length of resulting message
MSG := (MSG || '80' || '00' || '00' || . . . || '00') is a multiple of n bytes.
• If the message MSG has a length that is a multiple of n bytes, the following
two cases can occur depending on pre-defined rules.
No padding takes place: MSG := MSG.
MSG is padded to the right with the n-byte block
('80' || '00' || '00' || … || '00' || '00' || '00' || '00')
to obtain MSG.
MSG is then divided into n-byte blocks X1, X2, . . . , XB.
2. Cryptogram Computation
ECB Mode
Encipher the blocks X1, X2, . . . , XB into the n-byte blocks Y1, Y2, . . . , YB with the
block cipher algorithm in ECB mode using the Encipherment Session Key KS.
Hence compute for i = 1, 2, . . . , B:
Yi := ALG(KS)[Xi]
CBC Mode
Encipher the blocks X1, X2, . . . , XB into the n-byte blocks Y1, Y2, . . . , YB with the
block cipher algorithm in CBC mode using the Encipherment Session Key KS.
Hence compute for i = 1, 2, . . . , B:
Yi := ALG(KS)[Xi ⊕ Yi-1]
with n-byte initial value
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex A Security Mechanisms
Security and Key Management A1 Symmetric Mechanisms
Decipherment is as follows.
1. Cryptogram Decipherment
ECB Mode
Compute for i = 1, 2, . . . , B:
Xi := ALG-1(KS)[Yi ]
CBC Mode
Compute for i = 1, 2, . . . , B:
Xi := ALG-1(KS)[Yi ] ⊕ Yi-1
with n-byte initial value
Y0 := ('00' || '00' || '00' || … || '00' || '00' || '00' || '00').
2. To obtain the original message MSG, concatenate the blocks X1, X2, . . . , XB and if
padding has been used (see above) remove the trailing
('80' || '00' || '00' || . . . || '00') byte-string from the last block XB.
Notation:
MSG = DEC(KS)[Y]
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex A Security Mechanisms
Security and Key Management A1 Symmetric Mechanisms
47Note that pre-pending the MSG with the previous MAC (8 bytes) as a chaining block (see
section 9.2.3) is equivalent to using an initial value equal to the previous MAC processed by
Triple DES (Algorithm 1) or Single DES (Algorithm 3).
48 Note that this will always be the case with Format 1 Secure Messaging as the message is
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex A Security Mechanisms
Security and Key Management A1 Symmetric Mechanisms
Process the 16-byte blocks X1, X2, . . . , XB with the block cipher in CBC mode
using the MAC Session Key KS:
Hi := ALG(KS)[Xi ⊕ Hi-1], for i = 1, 2, . . . , B
with 16-byte initial value
H0 := ('00' || '00' || ... || '00' || '00' || '00' || '00' || '00'). 49
The MAC S is then equal to the s most significant bytes of HB.
49 Note that pre-pending the MSG with the previous MAC (16 bytes) as a chaining block (see
section 9.2.3) is equivalent to using an initial value equal to the previous MAC
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex A Security Mechanisms
Security and Key Management A1 Symmetric Mechanisms
For the session key used to generate and verify the Application Cryptogram and the
ARPC, the diversification value is the ATC followed by n-2 bytes of '00':
R := ATC || '00' || '00' || … || '00' || '00' || '00'.
For the session keys used for secure messaging, the diversification value R is the
Application Cryptogram returned in the response to the first GENERATE AC command
followed by n-8 bytes of '00':
R := Application Cryptogram … || '00' || '00' || '00'.
For an n-byte block cipher ALG using a k-bit key where k = 8n (AES with k=128) the
derivation function F is computed as follows:
SK := ALG (MK) [ R ].
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex A Security Mechanisms
Security and Key Management A1 Symmetric Mechanisms
For an n-byte block cipher ALG using a k-bit key where 16n ≥ k > 8n (Triple DES with
k=128 or AES with k=192 or 256) R is used to create two n-byte blocks as follows:
F1 = R0 || R1 || 'F0' || … || Rn-1.
F2 = R0 || R1 || '0F' || … || Rn-1.
and
SK := Leftmost k-bits of {ALG (MK) [F1] || ALG (MK) [F2] }.
The same session key is used for all commands in a single transaction.
A1.4.1 Option A
Option A is only applicable when the block cipher is Triple DES.
1. Concatenate from left to right the decimal digits of the Application PAN with the
PAN Sequence Number (if the PAN Sequence Number is not present, then it is
replaced by a '00' byte). If the result X is less than 16 digits long, pad it to the left
with hexadecimal zeros in order to obtain an 8-byte number Y in numeric format. If
X is at least 16 digits long, then Y consists of the 16 rightmost digits of X in numeric
format.
2. Compute the two 8-byte numbers
ZL := DES3(IMK)[Y]
and
ZR := DES3(IMK)[Y ⊕ ('FF'||'FF'||'FF'||'FF'||'FF'||'FF'||'FF'||'FF')]
and define
Z := (ZL || ZR)
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex A Security Mechanisms
Security and Key Management A1 Symmetric Mechanisms
The 128-bit ICC Master Key MK is then equal to Z, with the exception of the least
significant bit of each byte of Z which is set to a value that ensures that each of the 16
bytes of MK has an odd number of nonzero bits (this to conform with the odd parity
requirements for DES keys).
A1.4.2 Option B
Option B is only applicable when the block cipher is Triple DES.
If the Application PAN is equal to or less than 16 decimal digits, use Option A. If the
Application PAN is greater than 16 decimal digits, do the following:
1. Concatenate from left to right the decimal digits of the Application PAN and the
PAN Sequence Number (if the PAN Sequence Number is not present, it is replaced
by a '00' byte). If the Application PAN has an odd number of decimal digits then
concatenate a '0' padding digit to the left thereby ensuring that the result is an even
number of digits.
2. Hash the result of the concatenation using the SHA-1 hashing algorithm to obtain
the 20-byte hash result X.
3. Select the first 16 decimal digits (0 to 9) starting from the left side of the 20-byte
(40-nibble) hash result X and use as the value Y. If this does not provide for 16
decimal digits in Y, convert the non-decimal nibbles in X to decimal digits by means
of the following decimalisation table:
Input nibble of X A B C D E F
Decimalised nibble 0 1 2 3 4 5
Add the converted digits starting from the left side of X to the end of Y until Y
contains 16 digits.
Example 1: Hash result X contains 16 or more decimal digits
X = '12 30 AB CD 56 78 42 D4 B1 79 F2 CA 34 5D 67 89 A1 7B 64 BB'
Y = first 16 decimal digits of X = '12 30 56 78 42 41 79 23'
Example 2: Hash result X contains less than 16 decimal digits
X = '1B 3C AB CD D6 E8 FA D4 B1 CD F2 CA D4 FD C7 8F A1 7B 6E BB'
Y = decimal digits from X = '13 68 41 24 78 17 6' plus the required number of
converted digits '1 20' (from 'B', 'C', and 'A'), giving:
Y = '13 68 41 24 78 17 61 20'
4. Continue with the processing specified for Option A starting at step 2.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex A Security Mechanisms
Security and Key Management A1 Symmetric Mechanisms
A1.4.3 Option C
Option C is only applicable when the n-byte block cipher is AES.
Concatenate from left to right the decimal digits of the Application PAN with the PAN
Sequence Number (if the PAN Sequence Number is not present, then it is replaced by a
'00' byte). Pad it to the left with hexadecimal zeros in order to obtain a 16-byte number
Y in numeric format.
The k-bit ICC Master Key MK is then equal to
• In the case k = 8n:
MK := AES(IMK)[Y]
• In the case 16n ≥ k > 8n:
MK := Leftmost k–bits of {AES(IMK)[Y] || AES(IMK)[Y*]}
where Y* = Y ⊕ ('FF'||'FF'||'FF'||'FF'||'FF'||'FF'||'FF'||'FF'
||'FF'||'FF'||'FF'||'FF'||'FF'||'FF'||'FF'||'FF')
In other words Y* is a bit-wise inversion of Y.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex A Security Mechanisms
Security and Key Management A2 Asymmetric Mechanisms
A2 Asymmetric Mechanisms
A2.1.1 Algorithms
The digital signature scheme uses the following two types of algorithms.
• A reversible asymmetric algorithm consisting of a signing function Sign(SK)[ ]
depending on a Private Key SK, and a recovery function Recover(PK)[ ] depending
on a Public Key PK. Both functions map N-byte numbers onto N-byte numbers
and have the property that
Recover(PK)[Sign(SK)[X]] = X
for any N-byte number X.
• A hashing algorithm Hash[ ] that maps a message of arbitrary length onto an
20-byte hash code.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex A Security Mechanisms
Security and Key Management A2 Asymmetric Mechanisms
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex A Security Mechanisms
Security and Key Management A2 Asymmetric Mechanisms
A2.2.1 Introduction
The signature generation and verification functions specified in A2.2 are for Signature
Algorithm Suites '10' and '11' (see B2.4.1).
The Elliptic Curve Schnorr Digital Signature Algorithm (EC-SDSA) consists of a
signature generation function and a signature verification function as described below.
These functions make use of:
• The selected ECC curves specified in section B2.2.2.
• A hash algorithm Hash[ ] that maps a message of arbitrary length onto an
NHASH-byte hash code, where NHASH is a fixed value for the given hash algorithm.
For selected hash algorithms, see section B2.3.
• The combinations of ECC curves and hash algorithms are specified in
section B2.4 and are determined by the Public Key Algorithm Suite Indicator
associated with the key pair that generates the signature.
Input:
• Algorithm Suite Indicator identifying the curve E, group order n, and hash
function Hash[ ] (output length NHASH).
• d, the private signing key of the ICC.
• MSG (length L ≥ 0), the message to be signed.
Output:
• S := (r, s), the signature (a byte-string of length NHASH + NFIELD) on the message
MSG.
Process:
a) Select a statistically unique and unpredictable integer k where 0 < k < n. (This
may be a random or a strong pseudo-random generation process and may use the
string-to-integer techniques used in section B2.6.)
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex A Security Mechanisms
Security and Key Management A2 Asymmetric Mechanisms
Input:
• Algorithm Suite Indicator identifying the curve E, n, and Hash[ ] (output length
NHASH).
• S, a byte-string that is the (asserted) signature on the message MSG.
• P (or x-coordinate thereof), public key point of signer.
• MSG (length L ≥ 0).
Output:
• Success or failure.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex A Security Mechanisms
Security and Key Management A2 Asymmetric Mechanisms
Process:
Preliminary processing: If only the x-coordinate of the signer’s public key is available
then the public key point P is first calculated using the Point4x() function as described
in section B2.2.1(e).
Verification steps:
a) If the length in bytes of S is not NHASH + NFIELD, signature verification fails.
b) Parse S into the NHASH byte string r and the NFIELD byte string s. Thus S = (r, s).
c) Convert s to an integer s' according to the integer conversion function OS2I() in
section B2.6.
d) Convert r to a non-negative integer r' less than n by using OS2I() followed by
reduction modulo n.
e) Check that 0 < s' < n and 0 < r'. If either is not true then signature verification
fails.
f) Compute (x2, y2) = s'G – r'P.
g) Convert the x-coordinate x2 to a byte string B2 of NFIELD bytes according to the
integer conversion function I2OS() in section B2.6.
h) Compute v = Hash[ B2 || MSG ].
i) If v = r, then signature verification is successful; otherwise signature verification
fails.
NHASH is the output length of the hash algorithm in bytes and NFIELD is the length of p
(the field size) in bytes.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex A Security Mechanisms
Security and Key Management A2 Asymmetric Mechanisms
Input:
• UNKD, an 8-byte unpredictable number used for key derivation.
• Algorithm Suite Indicator identifying the curve, key agreement, and derivation
method.
• d, a private ECC key.
• Q, a public key point on the curve.
Global variable:
• N, a 2-byte counter.
Output:
• K1, a symmetric key used for encrypting/decrypting data sent from terminal to
ICC.
• K2, a symmetric key used for authenticating data sent from terminal to ICC.
• K3, a symmetric key used for encrypting/decrypting data sent from ICC to
terminal.
• K4, a symmetric key used for authenticating data sent from ICC to terminal.
Process:
a) Set NumSKs : = 4.
b) Using the function PointMultiply() defined in B2.2.1(d), compute Z as the x-
coordinate of the point dQ.
c) Convert Z from an integer to a bit string according to the integer conversion
function I2BS() in section B2.6.
o For P-256, Z is converted to a 256-bit string.
o For P-521, Z is converted to a 640-bit string; the rightmost 521 bits of Z are a
bit string representation of the x-coordinate of the point dQ and so the
leftmost 119 bits of Z are zero ‘padding bits’.
d) For P-256, write Z as Z0 || Z1 where Zi is a 128-bit string for i = 0,1. This can be
denoted as Z0 || Zt-1 with t = 2.
e) For P-521, write Z as Z0 || Z1 || Z2 || Z3 || Z4 where Zi is a 128-bit string for i =
0,1,2,3,4. This can be denoted as Z0 || Z1 || Z2 || Z3 || Zt-1 with t = 5.
f) Apply CMAC (see section A1.2.2) to Z to produce an AES key derivation KDK key
as follows, using the 128-bit zero string (0128) as the CMAC key:
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex A Security Mechanisms
Security and Key Management A2 Asymmetric Mechanisms
C0 := AES(0128)[Z0]
Zt-1 := Zt-1 ⊕ 'CDD297A9DF1458771099F4B39468565C'
where the constant is according to CMAC and calculated as
AES(0128)[0128] << 1
for i from 1 to t-1, let Ci := AES(0128)[Ci-1 ⊕ Zi]
KDK := Ct-1
g) Derive Ki for i = 1 to NumSKs:
Ki := AES(KDK)['0i' || DerData]
where for this specification DerData is the 15 bytes SKD_VERSION || '00' || T
|| '02' || '00' where
o SKD_VERSION is the 1-byte '01'
o T is the 11 byte UNKD || 'A5A5A5'
o The final 2 bytes represent the length of the output (512 bits in the
case of 128-bit session keys with NumSKs equal to 4)
h) Set the 2-byte variable N to the value '0000'. This is a global variable a copy of
which is maintained by terminal and ICC. The terminal increments N after each
successful encryption (see section A2.3.3) and the ICC increments N after each
successful decryption (see section A2.3.4).
Input:
• Algorithm Suite Indicator identifying the Authenticated Encryption method and
Block Cipher.
• KX, a symmetric key used for encrypting data.
• KY, a symmetric key used for authenticating data.
• MSG, a plaintext message.
• A, Additional Authentication Data.
Global variable:
• N, a 2-byte counter.
Output:
• C, the ciphertext (encrypted message) or an indication of failure.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex A Security Mechanisms
Security and Key Management A2 Asymmetric Mechanisms
Process:
The encryption process uses two derived keys because the encryption process is actually
‘authenticated encryption’ using a method called Encrypt-then-MAC (Mechanism 5 in
ISO/IEC 19772).
The authenticated encryption mechanism described in this specification supports
Additional Authenticated Data (AAD, data that is authenticated but not encrypted).
Encryption of a plaintext MSG, denoted P, takes place in the following steps:
a) If N = 65535 then encryption has failed, so abort and report failure.
b) Generate the Starting Variable SV as the 16-byte all-zero string whose leftmost
2 bytes are set to the value of N.
c) If the message payload P is null then set C* to be null and skip to step i).
d) If the bit-length of the message payload P is not a multiple of 8, then Encryption
has failed, so abort and report failure.
e) If P is not a multiple of 16 bytes, then pad 50 by appending r (0 < r <16) zero-bytes
to P.
f) Partition P into B 16-byte blocks:
P := P1 || P2 || . . . || PB
g) Encipher the message payload
Ci = Pi ⊕ AES(KX)[ SV + ((i-1) mod 2112) ] for 1 <= i <= B
h) If padding had been applied then truncate the final rightmost r bytes from CB
thereby creating CB', otherwise set CB' = CB. Set:
C* := C1 || C2 || . . . || CB'
i) If the bit-length of A is not a multiple of 8, then encryption has failed, so abort
and report failure.
j) Set:
D := I2BS(len(A)/8 , 64) || A
k) Generate an 8-byte MAC using KY in accordance with section A1.2.2 over
D || SV || C* and append this to C* to create the ciphertext C
C := C* || MAC(D || SV || C*).
l) Increment N.
m) Return the ciphertext C.
50 This padding is only specified to simplify the specification in the case that the plaintext is not a
multiple of 16 bytes and is not functionally necessary as any padding bytes added to the plaintext
are truncated from the ciphertext before calculation of the MAC.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex A Security Mechanisms
Security and Key Management A2 Asymmetric Mechanisms
Input:
• Algorithm Suite Indicator identifying the Authenticated Encryption method and
Block Cipher.
• KX, a symmetric key used for decrypting data.
• KY, a symmetric key used for authenticating data.
• C, ciphertext of a message.
• A, Additional Authentication Data.
Global variable:
• N, a 2-byte counter.
Output:
• MSG, a plaintext message or an indication of failure.
Process:
The authenticated decryption mechanism described in this specification supports
Additional Authenticated Data (data that is authenticated but not encrypted).
Decryption of the ciphertext C, takes place in the following steps:
a) If N = 65535 then decryption has failed, so abort and report failure.
b) If the length of the ciphertext C is less than the size of a MAC (8 bytes) then
decryption has failed, so abort and report failure.
c) If the bit-length of A is not a multiple of 8, then decryption has failed, so abort
and report failure.
d) Set:
D := I2BS(len(A)/8 , 64) || A
e) Partition the ciphertext C into C* and an 8-byte candidate MAC value S'.
C := C* || S'
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex A Security Mechanisms
Security and Key Management A2 Asymmetric Mechanisms
f) The bit-length of C* should be a multiple of 8 and will be zero in the case that C*
is null (corresponding to a null plaintext). If the bit-length of C* is not a multiple
of 8, then decryption has failed, so abort and report failure.
g) Generate the Starting Variable SV as the 16-byte all-zero string whose leftmost
2 bytes are set to the value of N.
h) Calculate the 8-byte MAC S using KY in accordance with section A1.2.2 over
D || SV || C*.
i) If S ≠ S' then decryption has failed, so abort and report failure.
j) If C* is null then the plaintext MSG is null so skip to step p).
k) If C* is not a multiple of 16 bytes, then pad 51 by appending r (0 < r <16)
zero-bytes to C*.
l) Partition C* into B 16-byte blocks:
C* := C1 || C2 || . . . || CB
m) Decrypt the ciphertext as
Pi = Ci ⊕ AES(KX)[ SV + ((i-1) mod 2112) ] for 1 <= i <= B
n) If padding had been applied then truncate the final rightmost r bytes from PB
o) The plaintext MSG is the byte-string
P := P1 || P2 || . . . || PB
p) Increment N.
q) Return the plaintext message MSG.
No result other than an indication of failure shall be returned in case of failure.
51 This padding is only specified to simplify the specification in the case that the ciphertext is not
a multiple of 16 bytes and is not functionally necessary as any padding bytes added to the
ciphertext are truncated from the plaintext before output.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2
Security and Key Management
B1 Symmetric Algorithms
These specifications use block cipher algorithms with key size k and block size n. For
various reasons the key size is expressed in bits and the block size in bytes. Note that
the mechanisms specified in Annex A only support block cipher algorithms satisfying
16n ≥ k ≥ 8n.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex B Approved Cryptographic Algorithms
Security and Key Management B2 Asymmetric Algorithms
B2 Asymmetric Algorithms
The maximum length for issuer and ICC keys is reduced because a 2-byte tag is used for
the ICC certificates and ICC keys cannot be longer than issuer keys. For SDA cards the
maximum length for issuer keys is 248 bytes because a 1-byte tag is used for the Signed
Static Application Data.
Additional restrictions on the lengths of moduli are described in section D1.
In the choice of the lengths of the public key moduli, one should take into account the
lifetime of the keys compared to the expected progress in factoring during that lifetime.
The ranges (upper and lower bounds) for the key lengths mandated by each of the
payment systems are specified in their corresponding proprietary specifications. Further
guidance is also provided in the EMV Issuer and Application Security Guidelines.
The value of the Issuer Public Key Exponent and the ICC Public Key Exponent is
determined by the issuer. The Certification Authority, Issuer, and ICC Public Key
Exponents shall be equal to 3 or 216 + 1.
The Public Key Algorithm Indicator for this digital signature algorithm shall be coded as
hexadecimal '01'.
The keys and signing and recovery functions for the RSA algorithm with odd-numbered
public key exponent are specified below.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex B Approved Cryptographic Algorithms
Security and Key Management B2 Asymmetric Algorithms
B2.1.1 Keys
The private key SK of the RSA digital signature scheme with an odd-numbered public
key exponent e consists of two prime numbers p and q such that p – 1 and q – 1 are co-
prime to e and a private exponent d such that:
ed ≡ 1 mod (p – 1)(q – 1)
The corresponding public key PK consists of the public key modulus n = pq and the
public key exponent e.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex B Approved Cryptographic Algorithms
Security and Key Management B2 Asymmetric Algorithms
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex B Approved Cryptographic Algorithms
Security and Key Management B2 Asymmetric Algorithms
Note that the algorithms defined in this specification do not use division or inverse.
Output:
• Point (x3, y3) on the curve equal to the sum (x1, y1) + (x2, y2).
The points on an elliptic curve together with one special extra point 0, called the point at
infinity, form a group, where the group operation is traditionally called addition, or
point addition. That is, two points on an elliptic curve P and Q can be “added”, and the
result, denoted as P + Q, is a point on the same curve.
Point addition for selected curves in this specification is defined as follows.
• For any point P on the curve (including P = 0):
P+0=0+P=P
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex B Approved Cryptographic Algorithms
Security and Key Management B2 Asymmetric Algorithms
Output:
• Point kP on the curve.
Point multiplication (also called scalar multiplication) is repeated addition of an elliptic
curve point to itself: for a positive integer k, kP = P + P + ··· + P (with k copies of P). For
k = 0, the result is the point at infinity: 0P = 0.
As a result of the group structure of the set of points on the curve, there is an integer n
such that nP = 0 for all P on the curve. The number n is called the order of the curve
group. As a consequence, for all points P and all integers k, kP = (k mod n)P.
52 By the curve equation, this implies that (x, –y) is also on the curve.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex B Approved Cryptographic Algorithms
Security and Key Management B2 Asymmetric Algorithms
Output:
• Point (x,y) on the curve with least value y.
In order to find a point P on the curve that has a given x-coordinate x, it is necessary to
find an integer y such that y2 = x3 + ax + b mod p. Note that if there is a non-zero
solution y to this equation, and thus a point (x, y) on the curve, then there will be exactly
two non-zero solutions y and –y, and thus two points P and –P on the curve with this
x-coordinate x. The routine Point4x() assumes that p = 3 mod 4 (which is the case for all
the curves defined in this specification) and returns a point (x, y) where y can be
computed as follows:
y' = modsqrt(x3 + ax + b, p) = (x3 + ax + b)((p+1)/4) mod p
y = min(y', p-y')
Under some attack conditions this function may return a point that is not on the curve.
Therefore, card implementations need to take appropriate steps to ensure that the point
returned is valid. Such attacks are less relevant to the Diffie-Hellman and the certificate
verification functions in the Kernel.
Note: When the recovered point is to be used for Diffie-Hellman key agreement rather than
signature verification either of the two possible y values may be used and therefore the y =
min(y', p-y') step may be omitted and y' can be used directly.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex B Approved Cryptographic Algorithms
Security and Key Management B2 Asymmetric Algorithms
An elliptic curve Public Key is a point on the curve and in this specification a Public Key
is represented by the x-coordinate of the point.
In the choice of curves one should take into account the lifetime of the keys compared to
the expected progress in ECC cryptanalysis. The minimum and maximum strengths of
curves mandated by each of the payment systems are specified in their corresponding
proprietary specifications.
Below, each of the supported curves is specified in detail.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex B Approved Cryptographic Algorithms
Security and Key Management B2 Asymmetric Algorithms
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex B Approved Cryptographic Algorithms
Security and Key Management B2 Asymmetric Algorithms
Output:
• An integer d and a point P = dG on the curve.
This section describes the generation of ECC key pairs with special attention to long
term Payment System, Issuer and ICC key pairs. The method of elliptic curve key pair
generation follows ISO/IEC 15946-1.
The private key d for a given elliptic curve E with base point G of order n consists of a
positive integer d, satisfying 1 < d < n-1.
The corresponding public key point is P = dG on the curve E.
Given an elliptic curve, all parameters including the base point are fixed. Therefore, key
generation consists solely of random or pseudorandom generation of d and subsequent
computation of the public key point P = dG and thereby its x-coordinate representation.
This specification represents public keys using only their x-coordinate. For any non-zero
point (x,y) on the curve, (x,-y) will also be on the curve. The function in this specification
that is sensitive to the value of the y-coordinate is signature verification and specifically
Issuer Public Key Certificate verification using the Certification Authority Public Key,
ICC Public Key Certificate verification using the Issuer Public Key, and ICC XDA
signature verification using the ICC Public Key. For this reason the Payment System
key, the Issuer key and the ICC key must be generated to ensure that the verifier can
determine the correct value of the y-coordinate of the Public Key from knowledge of only
the x-coordinate.
For this reason this specification requires that Payment System, Issuer and ICC keys
are generated to ensure that the y-coordinate as an integer modulo p is less than
(p+1)/2. The function Point4x() defined in B2.2.1(e) will then generate the correct
y-coordinate given the correct x-coordinate.
Two examples of how to generate such Payment System, Issuer and ICC keys are
provided below. The first approach (1) will take longer, but the second approach (2) may
require special HSM functionality.
(1) Repeatedly generate a random non-negative integer d satisfying 1 < d < n-1 – for
example, d := 2+RandomInteger(n-3) – until the y-coordinate of dG is less than
(p+1)/2.
(2) Generate a random non-negative integer d' satisfying 1 < d' < n-1 for example
d' := 2+RandomInteger(n-3), and if the y-coordinate of d'G is less than (p+1)/2
then d := d' else set d := n - d'.
The public key is then calculated to be the point P = dG and its representation is the
x-coordinate of P. Note that this construction of the Payment System key, Issuer key
and ICC key reduces the key space of the private key by one bit.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex B Approved Cryptographic Algorithms
Security and Key Management B2 Asymmetric Algorithms
ECC encryption requires that the terminal generate an ephemeral key pair. As this key
is used for Diffie-Hellman key agreement rather than signature, the y-coordinate does
not require the checks stipulated above. Thus, the terminal ephemeral private key d can
be generated without the range checks on y:
Generate a random non-negative integer d satisfying 1 < d < n-1 for example
d := 2+RandomInteger(n-3).
For security reasons, a strong pseudo-random or random number generator is required
(see section B2.5).
The output length NHASH of the hash algorithm refers to the number of bytes in the
untruncated output of the hash algorithm.
All these hash algorithms are standardised in ISO/IEC 10118-3 and can hash an
arbitrarily large input 53 and implementations shall be designed to support this.
53 Actually SHA-256 and SM3 have a limit of 264 bits and SHA-512 has a limit of 2128 bits.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex B Approved Cryptographic Algorithms
Security and Key Management B2 Asymmetric Algorithms
A string of bytes that is input to a hash algorithm is processed in blocks and the size of
these blocks, referred to as Block Size in Table 47, is a characteristic of the hash
algorithm. Table 47 only includes this information because it can be relevant to
implementations that need to process large input strings.
SHA-512 is included for contingency purposes only. Due to length restrictions in the ICC
Public Key Certificate and ICC Public Key Certificate for ODE, SHA-512 cannot be used
for ICCD Hash if the Issuer Public Key Certificate Algorithm Suite is '11' and the ICC
Public Key Algorithm Suite is '11' for signature or '01' for encryption.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex B Approved Cryptographic Algorithms
Security and Key Management B2 Asymmetric Algorithms
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex B Approved Cryptographic Algorithms
Security and Key Management B2 Asymmetric Algorithms
Table 49: Cryptographic Algorithm Suite Indicators for Offline Data Encipherment
(e.g. for PIN or Biometrics)
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex B Approved Cryptographic Algorithms
Security and Key Management B2 Asymmetric Algorithms
Output:
• A non-negative integer value v.
The function BS2I(x) maps a bit string x of length l to a non-negative integer value v, as
follows. If x = <xl-1, …, x0> where x0,…, xl-1 are bits, then the value v is defined as
𝑙𝑙−1
𝑣𝑣 = � 𝑥𝑥𝑘𝑘 2𝑘𝑘
𝑘𝑘=0
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex B Approved Cryptographic Algorithms
Security and Key Management B2 Asymmetric Algorithms
The function BS2I() is invoked from the function RandomInteger() (section B2.5) used by
Key Generation (section B2.2.4).
Output:
• A bit string x of length l.
The function I2BS(v,l) which takes as input two non-negative integers v and l, and
outputs the unique bit string x of length l such that BS2I(x) = v, if such an x exists. If no
such x exists then the function outputs an error message.
• Example 1: I2BS(10945, 19) = 000 0010 1010 1100 0001
• Example 2: I2BS(10945, 14) = 10 1010 1100 0001
The function I2BS() is invoked from Key Derivation (section A2.3.2), Encryption and
Authentication (section A2.3.3), and Authentication and Decryption (section A2.3.4).
Output:
• A bit string y.
The function OS2BS(x) takes as input an octet string x, interprets it as a bit string y
and outputs the bit string y.
• Example: OS2BS('00' '2A' 'C1') = 0000 0000 0010 1010 1100 0001
Output:
• An octet string x.
The function BS2OS(y) takes as input a bit string y, whose length is a multiple of 8, and
outputs the unique octet string x such that y = OS2BS(x).
• Example: BS2OS(0000 0010 1010 1100 0001)
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex B Approved Cryptographic Algorithms
Security and Key Management B2 Asymmetric Algorithms
Output:
• An integer v.
The function OS2I(x) takes as input an octet string x and outputs the integer
v = BS2I(OS2BS(x)).
• Example: OS2I(<0010 1010> <1100 0001>) = OS2I('2A' 'C1') = 10945
The function OS2I() is invoked from PIN Encipherment (section 13.2), Biometric Data
Encipherment (section 13.4), Signature Generation (section A2.2.2), and Signature
Verification (section A2.2.3).
Output:
• An octet string x of length l in octets.
The function I2OS(v,l) takes as input two non-negative integers v and l, and outputs the
unique octet string x of length l in octets such that OS2I(x) = v, if such an x exists.
Otherwise, the function outputs an error message.
• Example 1: I2OS(10945, 3) = <0000 0000> <0010 1010> <1100 0001>
= '00' '2A' 'C1'
• Example 2: I2OS(10945, 2) = <0010 1010> <1100 0001>
= '2A' 'C1'
The function I2OS() is invoked from Signature Generation (section A2.2.2), Signature
Verification (section A2.2.3), and Encryption and Authentication (section A2.3.3).
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex B Approved Cryptographic Algorithms
Security and Key Management B3 Hashing Algorithms (for RSA)
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2
Security and Key Management
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2
Security and Key Management
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex D Implementation Considerations
Security and Key Management D1 Issuer and ICC RSA Public Key Length Considerations
Length in Bytes
Total
Tag Length Value
Length
Response 1 ('77') 2 — 3
Template
Cryptogram Information 2 ('9F27') 1 1 4
Data
Application Transaction 2 ('9F36') 1 2 5
Counter
Signed Dynamic 2 ('9F4B') 2 NIC NIC + 4
Application Data
Issuer Application Data 2 ('9F10') 1 0 to 32 0 to 35
(optional)
Other optional data var.
The tag and length of the response template, together with the tags, lengths, and values
of the Cryptogram Information Data and Application Transaction Counter, and the tag
and length of the Signed Dynamic Application Data are fixed in size and occupy
16 bytes. Thus, without Issuer Application Data, the maximum size of the Signed
Dynamic Application Data and consequently the ICC Public Key is 240 bytes (1920 bits).
If Issuer Application Data is included, then the maximum size of the Signed Dynamic
Application Data needs to be reduced accordingly. Including Issuer Application Data of
tag, length, and 32 bytes of value (the maximum) results in a maximum size of 205 bytes
(1640 bits) for the Signed Dynamic Application Data and consequently the ICC Public
Key.
Note: If other optional data is appended in the response, then the length of this data and its
associated tag and length field further restricts the length of the ICC Public Key.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex D Implementation Considerations
Security and Key Management D1 Issuer and ICC RSA Public Key Length Considerations
D1.2.2 DDA
The following restriction applies for card applications supporting INTERNAL
AUTHENTICATE Format 2:
To ensure that the INTERNAL AUTHENTICATE response data length is within the
256 byte limit, the length of the Signed Dynamic Application Data plus the length of the
TLV encoded optional data (if present) shall not exceed 249 bytes. The length of the ICC
Public Key is the same as the Signed Dynamic Application Data. The additional 7 bytes
in the response are used for the tags and lengths of the response template and the
Signed Dynamic Application Data.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex D Implementation Considerations
Security and Key Management D2 Format 1 Secure Messaging Illustration
or, if there is no data (e.g. Application Block command), the following structure:
'X0' INS P1 P2
The following sections describe the construction of the secured command data field and
the value of New Lc. Firstly for the case where integrity 54 (only) is required and secondly
for the case where both confidentiality and integrity are required.
54 For the purposes of this Annex the term ‘integrity’ represents the combination of integrity and
authentication.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex D Implementation Considerations
Security and Key Management D2 Format 1 Secure Messaging Illustration
and the value of New Lc will range from 6 to 10 depending on the length of the MAC.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex D Implementation Considerations
Security and Key Management D2 Format 1 Secure Messaging Illustration
In this case:
• The first byte in the value field of the cryptogram data object for confidentiality with
tag '87' is the padding indicator byte. The value '01' indicates that the plaintext data
is padded according to ISO/IEC 7816-4 before encipherment.
• Since the plaintext data is padded to be a multiple of 8 bytes (see D2.2), the resulting
enciphered data field will range from 1+Lc to 8+Lc. Consequently L will range from
2+Lc to 9+Lc.
Notes
1. The plaintext data is transported in the value field of a plaintext data object with
tag '81'.
The enciphered data is transported in the value field of a cryptogram data object for
confidentiality with tag '87'.
2. The fact that the tag of the data object (whether plaintext or cryptogram) is odd-
numbered indicates that the data object is included in the MAC computation.
3. The padding indicator byte is the mandatory first byte in the value field of a
cryptogram data object for confidentiality with tag '87' (see ISO/IEC 7816-4.)
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex D Implementation Considerations
Security and Key Management D2 Format 1 Secure Messaging Illustration
D2.2 Encipherment
If secure messaging for confidentiality is applied to the command, the unsecured
command data field is enciphered in the following way:
• Padding and blocking of the data field is performed according to step 1 of
section A1.1. A value of '01' of the padding indicator indicates that padding according
to ISO/IEC 7816-4 always takes place even if the data field is a multiple of 8 bytes.
Thus, the unsecured command data field is always padded to a multiple of 8 bytes
prior to encipherment with a minimum of one byte of padding always present; if the
length of the unsecured command data field is a multiple of 8 bytes, it is padded with
8 bytes ('80 00 00 00 00 00 00 00') prior to encipherment.
• The padded data is enciphered according to step 2 of section A1.1 using the
Encipherment Session Key derived according to section 9.3.2.
'XC' INS P1 P2
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex D Implementation Considerations
Security and Key Management D2 Format 1 Secure Messaging Illustration
• The MAC (the full 8 bytes prior to any optional truncation) of the preceding script
command for all following script commands.
If MAC chaining is not implemented then the 8-byte Application Cryptogram generated
by the card is inserted to the left of the padded input data.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex D Implementation Considerations
Security and Key Management D3 Application Transaction Counter Considerations
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex D Implementation Considerations
Security and Key Management D4 CDA Modes
D4 CDA Modes
EMV permits flexible terminal CDA behaviour that can potentially improve transaction
performance. These include the selective use of CDA for online authorisations and public
key retrieval relative to Terminal Action Analysis (TAA).
In the years since publication of SU44, terminals have become faster, therefore the
performance impact of always doing CDA, irrespective of online authorisation, is no
longer significant. For this reason Mode 1 is now recommended instead of the other
modes.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex D Implementation Considerations
Security and Key Management D4 CDA Modes
SU44 also clarifies that keys can be retrieved before or after TAA which can lead to
performance improvements for terminals operating predominantly online. This is
because if the TAA results in an online authorisation and if the terminal requests an
ARQC without CDA (i.e. it is operating in Mode 3 or 4), then the retrieval of the issuer
and ICC public keys need not be completed, saving the RSA processing. 55
Note that section 6 now mandates for CDA that all terminals verify before TAA that
they contain the Certification Authority Public Key identified by the card. Such
verification does not involve time-consuming cryptographic processing. If the correct key
is not present, then the Terminal Action Codes can result in Terminal Action Analysis
sending the transaction online without requesting CDA in the GENERATE AC.
Recommendations
The following recommendations apply to terminals supporting CDA.
For online capable terminals that are able to perform certificate verification quickly, it is
recommended that the terminal retrieve the issuer and ICC public keys before TAA.
This is to ensure that in the unlikely event that key retrieval fails then the terminal can
request an ARQC without CDA rather than decline the transaction.
Terminal vendors are recommended to implement Mode 1 only.
As Mode 4 does not provide significant benefit, terminal vendors are recommended not
to implement Mode 4. If CDA is needed on all 2nd GENERATE AC commands requesting
a TC, then Mode 1 can be used.
55If Offline Enciphered PIN is performed then this will force the retrieval of the issuer and ICC
public keys to happen before PIN verification is performed.
56 Issuers may also note that for terminals approved to the old test plan version 4.1d of CDA
Mode 3, the TVR bit for ‘Offline data authentication was not performed’ would remain set to 1
after the online authorisation.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Annex D Implementation Considerations
Security and Key Management D4 CDA Modes
Furthermore from a card perspective, during a transaction where both card and
terminal support CDA, the card may legitimately receive a 2nd GENERATE AC TVR
where the bit for ‘Offline data authentication was not performed’ is set to zero even
though the card did not generate a CDA signature on the 1st GENERATE AC (i.e. the
terminal implements CDA Mode 3 or 4).
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2
Security and Key Management
Part IV
Common Core Definitions
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2
Security and Key Management
Changed Sections
Each section heading below refers to the section in this Book to which the additional
requirements apply. The text defines requirements for a common core implementation,
in addition to the requirements already specified in the referenced section of EMV.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Common Core Definitions
Security and Key Management
3. If the ICC responds with an AAC, the ICC response shall be coded according to
format 2 as specified in Book 3 section 6.5.5.4 and shall contain only the data
elements specified in Table CCD 2 (which, for CCD, supplants Table 21).
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Common Core Definitions
Security and Key Management
Value Source
Amount, Authorised (Numeric) Terminal
Amount Other (Numeric) Terminal
Terminal Country Code Terminal
Terminal Verification Results Terminal
Transaction Currency Code Terminal
Transaction Date Terminal
Transaction Type Terminal
Unpredictable Number Terminal
Application Interchange Profile ICC
Application Transaction Counter ICC
Issuer Application Data ICC
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Common Core Definitions
Security and Key Management
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Common Core Definitions
Security and Key Management
9 Secure Messaging
9.2.1.1 Format 1
All command data shall be included in the computation of the MAC.
Data enciphered for confidentiality shall be encapsulated with tag '87'. Data not
enciphered for confidentiality shall be encapsulated with tag '81'.
The CCD-compliant application shall accept 4-byte MACs, and the issuer can only rely
on support of 4-byte MACs.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Common Core Definitions
Security and Key Management
9.3.1.1 Format 1
Data enciphered for confidentiality shall be encapsulated with tag '87'.
Data that is enciphered in the Issuer Script Command data field shall always be padded
before encipherment. The Padding Indicator byte shown in Figure 8 shall be included
and shall be set to the value '01' to indicate padding is present.
9.3.3 Encipherment/Decipherment
Encipherment/decipherment of the command data field shall use the Cipher Block
Chaining (CBC) Mode described in section A1.1. For Cryptogram Version '5' the Triple
DES algorithm specified in section B1.1 is used. For Cryptogram Version '6' the AES
algorithm specified in section B1.1 is used. For both versions the Padding Indicator byte
is set to the value '01' to indicate that padding is present.
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2
Security and Key Management
Index
Certificate Serial Number ............................... 46, 59, 113
Certificates and Keys
A DDA and CDA ......................................................... 53
PIN Encipherment ............................................ 77, 124
SDA ......................................................................... 39
AAC.............................................................................. 86
XDA ....................................................................... 108
Abbreviations................................................................ 25
Certification Authority .................................................. 37
AC ....................................... See Application Cryptogram
Certification Authority Private Key ................ 39, 53, 108
AFL ........................................................................ 42, 56
Certification Authority Public Key ..... 38, 52, 57, 97, 110
AID ............................................................................... 53
Key Management Requirements .............................. 97
AIP.................................................................... 42, 49, 56
Retrieval for DDA and CDA............................ 57, 110
Algorithm
Retrieval for SDA .................................................... 44
Application Cryptogram Generation ........................ 87
Certification Authority Public Key Algorithm Indicator
DES ........................................................................ 141
............................................................................... 100
RSA ....................................................................... 152
Certification Authority Public Key Exponent . 39, 53, 152
SHA-1 .................................................................... 168
Certification Authority Public Key Index 44, 52, 100, 110
Application Authentication Cryptogram ............ See AAC
Certification Authority Public Key Modulus .......... 39, 53
Application Cryptogram ......................................... 66, 86
CID ....................................................................... 69, 120
and Issuer Authentication......................................... 86
Commands
Generation
GENERATE AC .............................................. 66, 118
Algorithm ............................................................ 87
GET CHALLENGE ......................................... 80, 125
Data Selection ..................................................... 86
GET PROCESSING OPTIONS ............................... 67
Key Management ..................................................... 89
INTERNAL AUTHENTICATE ...................... 61, 172
MAC Chaining ......................................................... 92
READ RECORD ..................................................... 53
Application Cryptogram Master Key ............................ 87
VERIFY ........................................................... 80, 126
Application PAN ............................................ 61, 95, 138
Common Core Definitions .......................................... 183
Application PAN Sequence Number .................... 95, 138
Application Cryptogram Generation ...................... 185
Application Transaction Counter ........................ See ATC
CDA ....................................................................... 184
ARPC ............................................................................ 86
DDA ....................................................................... 183
ARPC Methods for Issuer Authentication
Dynamic Signature Generation ...................... 183, 184
Method 1 .................................................................. 88
Encipherment/Decipherment.................................. 188
Method 2 .................................................................. 89
Issuer Authentication ............................................. 186
ARQC ............................................................... 86, 88, 89
Key Management ........................................... 186, 188
ATC .......................................... 69, 87, 94, 120, 137, 178
MAC Computation................................................. 187
Authorisation Request Cryptogram .................See ARQC
Secure Messaging for Confidentiality .................... 188
Authorisation Response Code ....................................... 88
Secure Messaging for Integrity and Authentication187
Authorisation Response Cryptogram ............... See ARPC
Secure Messaging Format ...................................... 187
Cryptogram Information Data ........................ 70, See CID
Cryptographic Algorithms
C Asymmetric
RSA Algorithm ................................................. 152
CA Private Key ............................................................. 37 Hashing
CA Public Key .............................................................. 37 Secure Hash Algorithm (SHA-1) ...................... 168
Card Public Key Algorithm Suite Indicator ................ 117 Symmetric
Card Status Update ............................................. See CSU Data Encryption Standard (DES) ...................... 151
CCD ................................. See Common Core Definitions CSU .............................................................................. 89
CDA........................................................................ 49, 65
Dynamic Signature Generation ................................ 65
Dynamic Signature Verification .............................. 69 D
Keys and Certificates ............................................... 53
Retrieval of Certification Authority Public Key ..... 57,
Data Authentication Code ............................................. 48
110
Data Element Format Conventions ............................... 34
Retrieval of ICC Public Key .................................... 59
Data Encryption Standard ................................... See DES
Retrieval of Issuer Public Key ................................. 57
Data Selection
Sample Flow ............................................................ 72
Application Cryptogram Generation ........................ 86
CDOL1 ........................................................... 66, 71, 118
DDA ............................................................................. 49
CDOL2 ........................................................... 66, 71, 118
Dynamic Signature Generation ................................ 61
Certificate Expiration Date ....................... 46, 59, 61, 116
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Index
Security and Key Management
Dynamic Signature Verification .............................. 63 ICC Master Key .................................................. 137, 138
Keys and Certificates ............................................... 53 ICC Private Key .............................................. 62, 67, 118
Retrieval of Certification Authority Public Key ..... 57, ICC Public Key ................................... 53, 61, 63, 79, 124
110 Restriction on Length ............................................. 171
Retrieval of ICC Public Key .................................... 59 Retrieval for DDA and CDA.................................... 59
Retrieval of Issuer Public Key ................................. 57 Retrieval for XDA .................................................. 114
DDOL ........................................................................... 61 ICC Public Key Algorithm Indicator ............................ 61
Decipherment ICC Public Key Certificate ........................... 53, 108, 116
Symmetric Security Mechanisms ........................... 134 ICC Public Key Exponent ..................................... 53, 152
Default DDOL .............................................................. 61 ICC Public Key Remainder..................................... 53, 61
Definitions .................................................................... 17 ICC Session Key ......................................................... 137
Derivation ICC Unpredictable Number .................................. 81, 127
Master Key............................................................. 138 ICCD Hash Algorithm Indicator ................................. 117
Session Key ........................................................... 137 Implementation Considerations
DES ............................................................................ 151 Application Transaction Counter ........................... 178
Dynamic Signature Format 1 Secure Messaging Illustration ................. 173
Generation ICC Public Key Restriction .................................... 171
CDA .................................................................... 65 Issuer Public Key Restriction ................................. 170
DDA .................................................................... 61 Informative References ............................................... 169
Verification INTERNAL AUTHENTICATE Command.......... 61, 172
CDA .................................................................... 69 Issuer Application Data......................................... 69, 120
DDA .................................................................... 63 Issuer Authentication .................................................... 88
XDA .................................................................. 121 ARPC Method 1 ....................................................... 88
ARPC Method 2 ....................................................... 89
Key Management ..................................................... 89
E Issuer Authentication Data ............................................ 89
Issuer Certificate Expiration Date ............................... 113
Issuer Certificate Format............................................. 113
Encipherment
Issuer Identifier ............................................... 46, 59, 113
Symmetric Security Mechanisms ........................... 133
Issuer Master Key ....................................................... 138
Encipherment Master Key ...................................... 94, 95
Issuer Private Key ..................................... 37, 39, 53, 108
Encipherment Session Key ................................... 94, 176
Issuer Public Key .............................................. 37, 46, 59
Restriction on Length ............................................. 170
Retrieval for DDA and CDA.................................... 57
F Retrieval for SDA .................................................... 44
Issuer Public Key Algorithm Indicator ......................... 46
Format 1 Secure Messaging Illustration ..................... 173 Issuer Public Key Algorithm Suite Indicator .............. 113
Issuer Public Key Certificate ..... 37, 39, 44, 53, 108, 111,
113
G Issuer Public Key Exponent ............................ 39, 53, 152
Issuer Public Key Modulus ..................................... 39, 53
Issuer Public Key Remainder ...................... 39, 46, 53, 59
GENERATE AC
IV . .............................................................................. 173
Response .......................................................... 69, 120
GENERATE AC Command ................................. 66, 118
GET CHALLENGE Command ............................ 80, 125
GET PROCESSING OPTIONS Command .................. 67 K
Key Derivation
H Master Key ............................................................. 138
Session Key............................................................ 137
Key Management .......................................................... 89
Hash Algorithm Indicator ................... 46, 61, 64, 71, 168
Application Cryptogram........................................... 89
Hashing Algorithms .................................................... 168
Issuer Authentication ............................................... 89
Secure Messaging .................................................... 95
Key Management Requirements
I Certification Authority Public Key Introduction ...... 97
Certification Authority Public Key Storage ........... 100
ICC Application Cryptogram Master Keys................... 89 Certification Authority Public Key Withdrawal ..... 102
ICC Dynamic Data ................................................. 62, 68 Key Restriction
ICC Dynamic Number ...................................... 62, 64, 68 Implementation Considerations...................... 170, 171
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Index
Security and Key Management
R
T
READ RECORD Command ......................................... 53
References TC ................................................................................. 86
Informative ............................................................ 169 Terminal Security Requirements................................... 97
Normative ................................................................ 14 Terminal Verification Results ............................ See TVR
Revision Log................................................................... 3 Terminology ................................................................. 35
RID ............................................. 38, 44, 52, 53, 100, 110 Transaction Certificate .......................................... See TC
RSA Algorithm ........................................................... 152 Transaction Data Hash Code................................... 67, 71
TVR ........................................................................ 38, 52
S
Scope ............................................................................ 12
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.
EMV 4.4 Book 2 Index
Security and Key Management
© 1994-2022 EMVCo, LLC (“EMVCo”). All rights reserved. Reproduction, distribution and other use of
this document is permitted only pursuant to the applicable agreement between the user and EMVCo
found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United
States and other countries.