Card Payment Protocols
Security

Version 2.1
1st April 2017

© 2017 nexo AISBL All rights reserved. This information is protected by international intellectual property laws and its use is governed by the applicable End-User license

TABLE OF CONTENTS

1 Introduction
  1.1 What’s new in the edition 2
  1.2 References
  1.3 Protection of Messages
  1.4 Recommendations
2 Cryptographic Message Syntax (CMS) Data Structure
  2.1 Introduction
  2.2 CMS Data Structure Usage
3 Key Management Mechanisms
  3.1 DUKPT Key Management
    3.1.1 Key Management
    3.1.2 Resulting CMS Structure
    3.1.3 PIN Encryption Key
    3.1.4 Data Encryption Key
    3.1.5 Message Authentication Key
    3.1.6 Examples
      3.1.6.1 Base Key and Terminal Initial Key
      3.1.6.2 CMS Key Management Data
      3.1.6.3 Generation of the Keys
  3.2 UKPT Key Management
    3.2.1 Resulting CMS Structure
    3.2.2 Triple DES UKPT Key Management
    3.2.3 AES UKPT Key Management
    3.2.4 IBM CCA UKPT Key Management
    3.2.5 Examples
      3.2.5.1 Triple DES UKPT
      3.2.5.2 AES UKPT
      3.2.5.3 IBM CCA UKPT
  3.3 RSAES-OAEP Key Encryption
    3.3.1 Key Management
    3.3.2 Resulting CMS Structure
    3.3.3 Key Encryption Process
    3.3.4 MG1 Mask Generator Function Process
    3.3.5 Key Decryption Process
    3.3.6 Examples
      3.3.6.1 RSA Encryption Key and Certificate
      3.3.6.2 RSAES-OAEP Encryption
      3.3.6.3 RSADS-OAEP Decryption
  3.4 RSAEncryption Key Encryption
    3.4.1 Key Management
    3.4.2 Resulting CMS Structure
    3.4.3 Key Encryption Process
    3.4.4 Key Decryption Process
    3.4.5 Examples
      3.4.5.1 RSA Encryption Key and Certificate
      3.4.5.2 Encryption step
      3.4.5.3 Decryption step
4 Encryption Mechanisms
  4.1 Introduction
  4.2 Resulting CMS Structure
  4.3 Encryption/Decryption
    4.3.1 CBC Encryption Process
    4.3.2 CBC Decryption Process
    4.3.3 Special Encryption/Decryption
  4.4 Examples
    4.4.1 Data to Encrypt
    4.4.2 Triple DES Encryption with a 112 bits Key
    4.4.3 AES Encryption with a 128 bits Key
    4.4.4 Special Encryption/Decryption
5 MAC Mechanisms
  5.1 Introduction
  5.2 Resulting CMS Structure
  5.3 MAC Generation and Verification Processes
    5.3.1 Retail-CBC-MAC with SHA-256
    5.3.2 CMAC with SHA256
  5.4 Examples
    5.4.1 Message Body
    5.4.2 Retail-CBC-MAC
    5.4.3 Retail-CBC-MAC with SHA-256
    5.4.4 SHA-256 CMAC with AES
6 Digital Signature Mechanisms
  6.1 Introduction
  6.2 Resulting CMS Structure
  6.3 Digital Signature Generation and Verification Processes
    6.3.1 SHA-256 with RSA
  6.4 Example
    6.4.1 Signing Key and Certificate
    6.4.2 Message Body to Sign
    6.4.3 SHA-256 with RSA
7 Digest Mechanisms
  7.1 Introduction
  7.2 Resulting CMS Structure
  7.3 Digest test vectors

Figures

Figure 1: Messages Data Protection
Figure 2: Generic ContentInformationType Overview
Figure 3: Key Management for an Encryption Key or a MAC Key
Figure 4: Key Serial Number Details
Figure 5: PIN Encryption Key Variant
Figure 6: Data Encryption Key
Figure 7: Message Authentication Key Variant for X9.4-1:2009
Figure 8: Triple DES UKPT Session Key Generation
Figure 9: AES UKPT Session Key Generation
Figure 10: IBM CCA UKPT Session Key Generation
Figure 11: RSAES-OAEP Encryption
Figure 12: MG1 Mask Generator Function
Figure 13: RSADS-OAEP Decryption
Figure 14: CBC Encryption Process
Figure 15: CBC Decryption Process
Figure 16: Special Encryption/Decryption
Figure 17: Retail-CBC-MAC with SHA-256
Figure 18: CMAC with SHA-256
Figure 19: Generation of CMAC Subkeys
Figure 20: SHA-256 with RSA Digital Signature

1 Introduction

This document contains the specifications of the security to protect the nexo protocol messages.
These specifications might be used for the following protocols:
- The nexo Acquirer protocol (ISO 20022 CAPE messages, business area caaa),
- The nexo TMS protocol (ISO 20022 CAPE messages, business area catm),
- The nexo ATM protocol (ISO 20022 CAPE messages, business area catp),
- The nexo Retailer protocol, Sale to POI protocol.

The document specifies all the security mechanisms which might be used by one of these protocols.

1.1 What’s new in the edition 2

This edition brings the following improvements:
- Inside the CMS structure (cf. 2 Cryptographic Message Syntax (CMS) Data Structure):
  o The ability to exchange keys enciphered by an encrypting key previously exchanged
  o The ability to use different encryption format
  o Support of various algorithms to encipher key
  o Addition of new algorithm for data encipherment
  o Support of new MAC algorithm
  o Addition of new Signature algorithms
- Suppression of the SHA256 CMAC with Triple DES
- Correction of X509 examples
- Examples for Digests
- Precision on padding algorithm for Retail CBC MAC.

1.2 References

- ANSI X9-24-1:2009 : Retail Financial Services Symmetric Key Management – Part 1 : Using Symmetric Techniques
- FIPS 180-2 : Secure Hash Standard, NIST Computer Security, 1st August 2002
- ISO9797-1 : Information technology – Security techniques – Message Authentication Codes (MACs) – Part 1 : Mechanisms using a block cipher. Second edition 2011-03-01
- RFC 3370 : “Cryptographic Message Syntax (CMS) Algorithms”
- RFC 3447 : “Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1”
- RFC 3560 : “Use of the RSAES-OAEP Key Transport Algorithm in the Cryptographic Message Syntax (CMS)”
- RFC 5652 : “Cryptographic Message Syntax (CMS)”

1.3 Protection of Messages

Card payment messages of the nexo protocols use four types of protection:
1) Protection of the PIN, performed by the application.
2) Protection of sensitive data (e.g. card data or biometric information in authentication value), performed by either the payment application or the nexo protocol when configured to do so. Thus, in this document, sensitive data does not include the PIN, contrary to the PCI-DSS definition.
3) Protection of the message by a MAC (Message Authentication Code).
4) Protection of the message by a digital signature.

All the protected data and the related information are formatted according to the generic format defined by the Cryptographic Message Syntax (CMS) standard, RFC 5652.

[Figure 1: Messages Data Protection. Three EPAS message layouts: unprotected message; message containing protected data (encrypted PIN, protected card data and protected authentication value, each carried in a CMS data structure); message body protected by a MAC or a signature carried in a CMS data structure in the message trailer.]

The CMS data structure is general enough to convey various attributes related to the protected data (e.g. identifications of the used keys, encrypted keys, cryptographic algorithms with their parameters, certificate and revocation lists, time stamps), and can support various architectures of key management.

In addition, the syntax of the data structure accepts multiple encapsulations, and these encapsulations can be nested.

1.4 Recommendations

The use of SHA-1, defined in FIPS 180-2, is deprecated and therefore not recommended. The support of SHA-1 in the nexo protocol might be removed in a further release.

For RSA keys, we recommend that the length of the RSA modulus be at least 2048 bits and that the public exponent be greater than or equal to 2^16+1.

In order to build smaller messages, we recommend removing all unnecessary white space inside XML messages. All examples in this document will try to follow this best practice.
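A check of the measurable recommendations in section 1.4, as an added example that is not part of the nexo specification: it reads a DER-encoded PKCS #1 RSAPublicKey and reports a modulus under 2048 bits, a public exponent under 2^16+1, or a SHA-1 digest choice. The function names, the digest labels (SHA1, SHA256) and the two sample keys are assumptions of the example; the sample moduli are constructed numbers of the right size, not real RSA keys.

```python
"""Check an RSA public key and digest choice against section 1.4 (added example)."""

MIN_MODULUS_BITS = 2048            # section 1.4: modulus of at least 2048 bits
MIN_PUBLIC_EXPONENT = 2 ** 16 + 1  # section 1.4: exponent >= 2^16+1
DEPRECATED_DIGESTS = {"SHA1"}      # section 1.4: SHA-1 is deprecated


def _read_tlv(buf, pos, expected_tag):
    """Read one DER tag-length-value at pos; return (value_bytes, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != expected_tag:
        raise ValueError("unexpected DER tag at offset %d" % pos)
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: the byte is the length
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal DER length")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return buf[pos:pos + length], pos + length


def _read_uint(buf, pos):
    """Read a positive DER INTEGER; return (int_value, next_pos)."""
    value, pos = _read_tlv(buf, pos, 0x02)
    if not value or value[0] & 0x80:      # empty or sign bit set: not a positive integer
        raise ValueError("INTEGER must be positive")
    return int.from_bytes(value, "big"), pos


def parse_rsa_public_key(der):
    """Return (modulus, public_exponent) from RSAPublicKey ::= SEQUENCE {n, e}."""
    body, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after RSAPublicKey")
    modulus, pos = _read_uint(body, 0)
    exponent, pos = _read_uint(body, pos)
    if pos != len(body):
        raise ValueError("unexpected extra fields in RSAPublicKey")
    return modulus, exponent


def check_recommendations(der, digest):
    """Return a list of findings; an empty list means the inputs follow section 1.4."""
    findings = []
    modulus, exponent = parse_rsa_public_key(der)
    if modulus.bit_length() < MIN_MODULUS_BITS:
        findings.append("modulus is %d bits, below %d"
                        % (modulus.bit_length(), MIN_MODULUS_BITS))
    if exponent < MIN_PUBLIC_EXPONENT:
        findings.append("public exponent %d is below %d"
                        % (exponent, MIN_PUBLIC_EXPONENT))
    if digest in DEPRECATED_DIGESTS:
        findings.append("digest %s is deprecated" % digest)
    return findings


# --- helpers that build the constructed sample inputs -----------------------

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_uint(value):
    # bit_length // 8 + 1 bytes always leaves the top bit clear (positive INTEGER)
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_len(len(raw)) + raw


def build_rsa_public_key(modulus, exponent):
    body = _der_uint(modulus) + _der_uint(exponent)
    return b"\x30" + _der_len(len(body)) + body


# Constructed samples: numbers of the right size only, NOT real RSA moduli.
STRONG_KEY = build_rsa_public_key((1 << 2047) | 1, 65537)
WEAK_KEY = build_rsa_public_key((1 << 1023) | 1, 3)

if __name__ == "__main__":
    print(check_recommendations(STRONG_KEY, "SHA256"))
    for finding in check_recommendations(WEAK_KEY, "SHA1"):
        print(finding)
```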

2 Cryptographic Message Syntax (CMS) Data Structure

2.1 Introduction

The generic CMS data structure is a multi-form data structure, one for each kind of protection, which contains two elements:
- The first element, ContentType, a code identifying the kind of protection:
  o EnvelopedData, for digital envelope or data encrypted by a cryptographic key identified in the message,
  o AuthenticatedData, for a MAC, generated with a cryptographic key identified in the message,
  o SignedData, for a digital signature, generated with an asymmetric cryptographic key pair,
  o DigestedData, for the digest of information,
- The second element, which is a data structure dedicated to the kind of protection identified by the first element (EnvelopedData, AuthenticatedData, SignedData and DigestedData).

[Figure 2: Generic ContentInformationType Overview. ContentType selects one of EnvelopedData (encryption), AuthenticatedData (MAC), SignedData (digital signature) or DigestedData (digest).]

The details of these sub-structures and their usage are presented in the following section.

2.2 CMS Data Structure Usage

This section presents a layout of the CMS data structure with all levels of the structure expanded.
The table contains several columns:
- The “Or” column is used to define a choice of one data structure among several. These data structures are successive. The first one contains “{Or” in this column, the following ones “Or”, except the last one which contains “Or}”. Each data structure of the choice can define any number of occurrences.
The “ContentInformationType” column contains the name of the data element with an indentation related to the nesting level. The “Mult.” column provides between square brackets, e.g. [n..m], the minimum number (n) of occurrences of the data element, and the maximum number (m) of occurrences of the data element. When the maximum number of occurrence is the character ‘*’, the maximum number is unlimited. The “Usage” column presents how to use the data structure or data element, the allowed values for enumerations or code list. A default value, defined by “default val”, for which the absence of the data element produces the same result as the presence of the data element with the default value val. Or {Or {Or {Or Lvl ContentInformationType Mult. Usage 1 ContentType [1..1] Type of data protection, allowed values: AuthenticatedData: ContentType is followed by the AuthenticatedData message item containing a Message Authentication Code (MAC) and the MAC generation key, protected by a transport key. DigestedData: ContentType is followed by the DigestedData message item containing a digest. EnvelopedData: ContentType is followed by the EnvelopedData message item containing encrypted data and the encryption key, protected by a transport key. SignedData: ContentType is followed by the SignedData message item containing digital signature(s) with the identification of the signer(s). 1 EnvelopedData [0..1] Encrypted data with a cryptographic key protected by a transport key (or key encryption key). 2 Version [0..1] default 0 Version of the data structure, current version is 0. 2 Recipient [1..*] Encryption key. If there are several Recipient, the key encryption must be the same for all the Recipient, but obviously not the transport key. 3 KeyTransport [1..1] Encryption key protected by an asymmetric key authenticated and identified by an X.509 certificate. 4 Version [0..1] [default 0] Version of the data structure, current version is 0. 
4 RecipientIdentification [1..1] Identification of the recipient’s certificate transport key. [1..1] Identification of the issuer and the serial number of the X.509 certificate. [1..1] Issuer of the X.509 certificate. [1..*] Relative distinguish name identifying the certificate issuer. 5 6 7 IssuerAndSerialNumber Issuer RelativeDistinguishedName 8 AttributeType [1..1] X.509 attribute, allowed codes: CountryName Country of the certificate issuer Locality City of the certificate issuer OrganisationName Organisation of the certificate issuer OrganisationUnitName Organisation unit of the certificate issuer CommonName Name of the certificate issuer 8 AttributeValue [1..1] Value of the X.509 attribute. 2 Cryptographic Message Syntax (CMS) Data Structure -8- 2.2 CMS Data Structure Usage Card Payment Protocols Security Or Lvl ContentInformationType SerialNumber 6 Or} KeyIdentifier 5 Mult. Usage [1..1] Serial number of the certicate containing the transport public key. [1..1] Identifier of a cryptographic asymmetric key, previously exchanged between parties. 6 KeyIdentification [1..1] Identification of the key. 6 KeyVersion [1..1] Version of the key. 6 SequenceNumber [0..1] Number of usages of the cryptographic key. 6 DerivationIdentification [0..1] Information to perform key derivation. [1..1] Specifies the encryption algorithm of the key encryption key. 4 KeyEncryptionAlgorithm 5 Algorithm [1..1] Asymmetric encryption algorithm for the protection of the encryption key. Allowed values: RSAEncryption RSA key encryption scheme (PKCS #1 version 2.1) - (ASN.1 Object Identifier: rsaEncryption). RSAES-OAEP RSA encryption scheme based on Optimal Asymmetric Encryption Padding scheme (OAEP in PKCS #1 version 2.1) - (ASN.1 Object Identifier: id-RSAES-OAEP). 5 Parameter [0..1] Parameter of the RSAES-OAEP encryption algorithm. 6 EncryptionFormat [0..1] Format of data before encryption, if the format is not plaintext or implicit. 
Allowed values: TR31 Format of a cryptographic key specified by the ANSI X9 TR-31 standard. TR34 Format of a cryptographic key specified by the ANSI X9 TR-34 standard. 6 DigestAlgorithm [0..1] Cryptographic algorithm for computing the digest of the label in the encryption algorithm. Allowed values: SHA1 Message digest algorithm SHA-1 as defined in FIPS 180-2 - (ASN.1 Object Identifier: id-sha1). SHA256 Message digest algorithm SHA-256 as defined in FIPS 180-2 - (ASN.1 Object Identifier: id-sha256). SHA384 Message digest algorithm SHA-384 as defined in FIPS 180-2 - (ASN.1 Object Identifier: id-sha384). SHA512 Message digest algorithm SHA-512 as defined in FIPS 180-2 - (ASN.1 Object Identifier: id-sha512). 6 MaskGeneratorAlgorithm [0..1] Mask generator function algorithm used by the RSAES-OAEP encryption algorithm. 7 Algorithm [1..1] Algorithm of the mask generator function, allowed value: MGF1 Mask Generator Function, used for RSA encryption and RSA digital signature (PKCS #1 version 2.1) - (ASN.1 Object Identifier: id-mgf1). 7 Parameter [0..1] Parameters associated to the mask generator function cryptographic algorithm. [0..1] Digest algorithm used in the mask generator function. Allowed values: SHA1 Message digest algorithm SHA-1 as defined in FIPS 180-2 - (ASN.1 Object Identifier: id-sha1). SHA256 Message digest algorithm SHA-256 as defined in FIPS 180-2 - (ASN.1 Object Identifier: id-sha256). SHA384 Message digest algorithm SHA-384 as defined in FIPS 180-2 - (ASN.1 Object Identifier: id-sha384). SHA512 Message digest algorithm SHA-512 as defined in FIPS 180-2 - (ASN.1 Object Identifier: id-sha512). [1..1] Encryption key encrypted by the transport public key, using the KeyEncryptionAlgorithm. [1..1] Encryption key protected by a transport key, using a symmetric cryptographic key. DigestAlgorithm 8 4 Or Version 2.1 3 EncryptedKey KEK 4 Version [0..1] default 4 Version of the data structure, current version is 4. 
4 KEKIdentification [1..1] Identification of the encryption key. 5 KeyIdentification [1..1] Identification of the key. 5 KeyVersion [1..1] Version of the key. 2 Cryptographic Message Syntax (CMS) Data Structure -9- 2.2 CMS Data Structure Usage Card Payment Protocols Security Or Lvl 5 5 4 Mult. Usage SequenceNumber [0..1] Number of usages of the cryptographic key. DerivationIdentification [0..1] Information to perform key derivation. [1..1] Specifies the encryption algorithm of the key encryption key. KeyEncryptionAlgorithm 5 Algorithm [1..1] Symmetric encryption algorithm for the protection of the encryption key. Allowed values: AES128CBC AES (Advanced Encryption Standard) CBC (Chaining Block Cypher) encryption with a 128 bits cryptographic key as defined by the Federal Information Processing Standards (FIPS 197 – November 6, 2001 - Advanced Encryption Standard). AES192CBC AES (Advanced Encryption Standard) CBC (Chaining Block Cypher) encryption with a 192 bits cryptographic key as defined by the Federal Information Processing Standards (FIPS 197 – November 6, 2001 - Advanced Encryption Standard). AES256CBC AES (Advanced Encryption Standard) CBC (Chaining Block Cypher) encryption with a 256 bits cryptographic key as defined by the Federal Information Processing Standards (FIPS 197 – November 6, 2001 - Advanced Encryption Standard). DES112CBC Triple DES (Data Encryption Standard) CBC (Chaining Block Cypher) encryption with double length key (112 Bit) as defined in FIPS PUB 46-3 DUKPT2009 DUKPT (Derived Unique Key Per Transaction) algorithm, as specified in ANSI X9.24-2009 Annex A. UKPT UKPT (Unique Key Per Transaction) key encryption, using Triple DES encryption with a double length key (112 Bit) as defined in FIPS PUB 46-3. 
UKPTwithAES128 UKPT (Unique Key Per Transaction) key encryption, using Advanced Encryption Standard with a 128 bits cryptographic key, approved by the Federal Information Processing Standards (FIPS 197 November 6, 2001 - Advanced Encryption Standard). 5 Parameter [0..1] Parameter of the CBC encryption algorithm. 6 EncryptionFormat [0..1] see KeyTransport/KeyEncryptionAlgorithm/EncryptionFormat. see KeyTransport/KeyEncryptionAlgorithm/BytePadding. 6 InitialisationVector [0..1] CBC initialisation vector. 6 BytePadding [0..1] Byte padding for a cypher block chaining mode encryption, if the padding is not implicit. Allowed values: LengthPadding: The message to encrypt is completed by a byte value containing the total number of added bytes. Null80Padding: The message to encrypt is completed by one bit of value 1, followed by null bits until the encryption block length is reached. NullLengthPadding: The message to encrypt is completed by null byte values, the last byte containing the total number of added bytes. NullPadding: The message to encrypt is completed by null bytes. RandomPadding: The message to encrypt is completed by random value, the last byte containing the total number of added bytes. [1..1] Key encryption key encrypted by the symmetric transport key, using the KeyEncryptionAlgorithm. [1..1] Identification of a cryptographic key, shared and previously exchanged between the initiator and the recipient. 4 Or} ContentInformationType Version 2.1 3 EncryptedKey KeyIdentifier 4 KeyIdentification [1..1] Identification of the key. 4 KeyVersion [1..1] Version of the key. 4 SequenceNumber [0..1] Number of usages of the cryptographic key. 4 DerivationIdentification [0..1] Information to perform key derivation. [0..1] Encrypted data. 2 EncryptedContent 2 Cryptographic Message Syntax (CMS) Data Structure - 10 - 2.2 CMS Data Structure Usage Card Payment Protocols Security Or Lvl ContentInformationType Mult. Usage 3 ContentType [1..1] Type of encrypted data. 
Allowed values: AuthenticatedData: Encrypted data content is a CMS AuthenticatedData structure. DigestedData: Encrypted data content is a CMS DigestedData structure. EnvelopedData: Encrypted data content is a CMS EnvelopedData structure. PlainData: Encrypted application data is not a CMS data structure. SignedData: Encrypted data content is a CMS SignedData structure. 3 ContentEncryptionAlgorithm [1..1] Encryption algorithm of the data. [1..1] Data encryption algorithm. Allowed values: AES128CBC AES (Advanced Encryption Standard) CBC (Chaining Block Cypher) encryption with a 128 bits cryptographic key as defined by the Federal Information Processing Standards (FIPS 197 November 6, 2001 - Advanced Encryption Standard). AES192CBC AES (Advanced Encryption Standard) CBC (Chaining Block Cypher) encryption with a 192 bits cryptographic key as defined by the Federal Information Processing Standards (FIPS 197 – November 6, 2001 - Advanced Encryption Standard). AES256CBC AES (Advanced Encryption Standard) CBC (Chaining Block Cypher) encryption with a 256 bits cryptographic key as defined by the Federal Information Processing Standards (FIPS 197 – November 6, 2001 - Advanced Encryption Standard). DES112CBC Triple DES (Data Encryption Standard) CBC (Chaining Block Cypher) encryption with double length key (112 Bit) as defined in FIPS PUB 46-3 [0..1] Parameter of the CBC encryption algorithm. Algorithm 4 4 {Or {Or EncryptionFormat [0..1] see KeyTransport/KeyEncryptionAlgorithm/EncryptionFormat. 5 InitialisationVector [0..1] CBC initialisation vector. 5 BytePadding [0..1] see KeyTransport/KeyEncryptionAlgorithm/BytePadding. [1..1] Encrypted data. [0..1] Message Authentication Code (MAC) and the MAC generation key, protected by a transport key. 1 EncryptedData AuthenticatedData 2 Version [0..1] default 0 Version of the data structure, current version is 0. 
2 Recipient [1..*] MAC generation key,
{Or 3 KeyTransport [0..1] see EnvelopedData/Recipient/KeyTransport (encryption key must be replaced by MAC generation key).
4 Version [0..1]
4 RecipientIdentification [1..1]
{Or 5 IssuerAndSerialNumber [1..1]
6 Issuer [1..1]
7 RelativeDistinguishedName [1..*]
8 AttributeType [1..1]
8 AttributeValue [1..1]
6 SerialNumber [1..1]
Or} 5 KeyIdentifier [1..1]
6 KeyIdentification [1..1]
6 KeyVersion [1..1]
6 SequenceNumber [0..1]
6 DerivationIdentification [0..1]
4 KeyEncryptionAlgorithm [1..1]
5 Algorithm [1..1]
5 Parameter [0..1]
6 EncryptionFormat [0..1]
6 DigestAlgorithm [0..1]
6 MaskGeneratorAlgorithm [0..1]
7 Algorithm [1..1]
7 Parameter [0..1]
8 DigestAlgorithm [0..1]
4 EncryptedKey [1..1]
Or 3 KEK [0..1] see EnvelopedData/Recipient/KEK (encryption key must be replaced by MAC generation key).
4 Version [0..1]
4 KEKIdentification [1..1]
5 KeyIdentification [1..1]
5 KeyVersion [1..1]
5 SequenceNumber [0..1]
5 DerivationIdentification [0..1]
4 KeyEncryptionAlgorithm [1..1]
5 Algorithm [1..1]
5 Parameter [0..1]
6 EncryptionFormat [0..1]
6 InitialisationVector [0..1]
6 BytePadding [0..1]
4 EncryptedKey [1..1]
Or} 3 KeyIdentifier [1..1] see EnvelopedData/Recipient/KeyIdentifier (encryption key must be replaced by MAC generation key).
4 KeyIdentification [1..1]
4 KeyVersion [1..1]
4 SequenceNumber [0..1]
4 DerivationIdentification [0..1]
2 MACAlgorithm [1..1] Algorithm to compute the Message Authentication Code.
3 Algorithm [1..1] Cryptographic algorithms for the MAC. Allowed values:
    RetailCBCMAC: Retail CBC (Chaining Block Cypher) MAC (Message Authentication Code) (cf. ISO 9807, ANSI X9.19) - (ASN.1 Object Identifier: id-retail-cbc-mac).
    RetailSHA1MAC: Retail-CBC-MAC with SHA-1 (Secure Hash standard) - (ASN.1 Object Identifier: id-retail-cbc-mac-sha1) with padding Method 2 from ISO9797-1.
    RetailSHA256MAC: Retail-CBC-MAC with SHA-256 (Secure Hash standard) - (ASN.1 Object Identifier: id-retail-cbcmacsha-256).
    SHA256CMACwithAES128: CMAC (Cipher based Message Authentication Code) defined by the National Institute of Standards and Technology (NIST 800-38B - May 2005), using the block cipher Advanced Encryption Standard with a 128 bits cryptographic key, approved by the Federal Information Processing Standards (FIPS 197 - November 6, 2001 - Advanced Encryption Standard).
    SHA384CMACwithAES192: CMAC (Cipher based Message Authentication Code) defined by the National Institute of Standards and Technology (NIST 800-38B - May 2005), using the block cipher Advanced Encryption Standard with a 192 bits cryptographic key, approved by the Federal Information Processing Standards (FIPS 197 - November 6, 2001 - Advanced Encryption Standard). The CMAC algorithm is computed on the SHA-384 digest of the message.
    SHA512CMACwithAES256: CMAC (Cipher based Message Authentication Code) defined by the National Institute of Standards and Technology (NIST 800-38B - May 2005), using the block cipher Advanced Encryption Standard with a 256 bits cryptographic key, approved by the Federal Information Processing Standards (FIPS 197 - November 6, 2001 - Advanced Encryption Standard). The CMAC algorithm is computed on the SHA-512 digest of the message.
3 Parameter [0..1] Parameter of the CBC encryption algorithm.
4 InitialisationVector [0..1] CBC initialisation vector.
4 BytePadding [0..1]
2 EncapsulatedContent [1..1] Data to authenticate, i.e. input of the MAC generation.
3 ContentType [1..1] Type of authenticated data. Allowed values:
    DigestedData: Authenticated data content is a CMS DigestedData structure.
    EnvelopedData: Authenticated data content is a CMS EnvelopedData structure.
    PlainData: Authenticated application data is not a CMS data structure.
    SignedData: Authenticated data content is a CMS SignedData structure.
3 Content [0..1] Data to authenticate. Absent if the MAC is detached, i.e. if the content to authenticate with this MAC is implicitly defined in another location of the message.
2 MAC [1..1] MAC value.
1 SignedData [0..1] Digital signature(s) with identification of the signers and their signing key.
2 Version [0..1] default 1 Version of the data structure, current version is 1.
2 DigestAlgorithm [1..*] Digest algorithm used by one or more signers to perform their digital signature.
3 Algorithm [1..1] Cryptographic algorithms for digests, allowed values:
    SHA1: Message digest algorithm SHA-1 as defined in FIPS 180-2 - (ASN.1 Object Identifier: id-sha1).
    SHA256: Message digest algorithm SHA-256 as defined in FIPS 180-2 - (ASN.1 Object Identifier: id-sha256).
    SHA384: Message digest algorithm SHA-384 as defined in FIPS 180-2 - (ASN.1 Object Identifier: id-sha384).
    SHA512: Message digest algorithm SHA-512 as defined in FIPS 180-2 - (ASN.1 Object Identifier: id-sha512).
2 EncapsulatedContent [1..1] Data that have been signed, i.e. input of the digital signature generation.
3 ContentType [1..1] Type of signed data. Allowed values:
    AuthenticatedData: Signed data content is a CMS AuthenticatedData structure.
    DigestedData: Signed data content is a CMS DigestedData structure.
    EnvelopedData: Signed data content is a CMS EnvelopedData structure.
    PlainData: Signed application data is not a CMS data structure.
3 Content [0..1] Data that have been signed. Absent if the digital signature is detached, i.e. the content to sign is implicitly in another location of the message.
2 Certificate [0..*] Collection of certificates.
2 Signer [1..*] Identification of the signing key and digital signature per signer.
3 Version [0..1] default 1 Version of the data structure, current version is 1.
3 SignerIdentification [0..1] Identification of the signing key.
{Or 4 IssuerAndSerialNumber [1..1] Issuer name and serial number of the certificate.
5 Issuer [1..1] Issuer Name
6 RelativeDistinguishedName [1..*] X.500 attribute.
7 AttributeType [1..1] Type of attribute, allowed values:
    CountryName: Country name of the attribute (ASN.1 Object Identifier: id-at-countryName).
    CommonName: Common name of the attribute (ASN.1 Object Identifier: id-at-commonName).
    Locality: Locality of the attribute (ASN.1 Object Identifier: id-at-localityName).
    OrganisationName: Organization name of the attribute (ASN.1 Object Identifier: id-at-organizationName).
    OrganisationUnitName: Organization unit name of the attribute (ASN.1 Object Identifier: id-at-organizationalUnitName).
7 AttributeValue [1..1] Value of the attribute.
5 SerialNumber [1..1] Serial number of the certificate.
Or} 4 KeyIdentifier [1..1] Identifier of a cryptographic asymmetric key, previously exchanged between parties.
5 KeyIdentification [1..1] Identification of the key.
5 KeyVersion [1..1] Version of the key.
5 SequenceNumber [0..1] Number of usages of the cryptographic key.
5 DerivationIdentification [0..1] Information to perform key derivation.
3 DigestAlgorithm [1..1] Digest algorithm to apply to the data (EncapsulatedContent) before private encryption.
4 Algorithm [1..1] Identification of the algorithm. Cryptographic algorithms for digests, allowed values:
    SHA1: Message digest algorithm SHA-1 as defined in FIPS 180-2 - (ASN.1 Object Identifier: id-sha1).
    SHA256: Message digest algorithm SHA-256 as defined in FIPS 180-2 - (ASN.1 Object Identifier: id-sha256).
    SHA384: Message digest algorithm SHA-384 as defined in FIPS 180-2 - (ASN.1 Object Identifier: id-sha384).
    SHA512: Message digest algorithm SHA-512 as defined in FIPS 180-2 - (ASN.1 Object Identifier: id-sha512).
3 SignatureAlgorithm [1..1] Digital signature algorithm to apply to the data (EncapsulatedContent).
4 Algorithm [1..1] Digital signature algorithm, allowed values:
    RSASSA-PSS: Signature algorithm with Appendix, Probabilistic Signature Scheme (PKCS #1 version 2.1), (ASN.1 Object Identifier: id-RSASSA-PSS).
    SHA1WithRSA: Signature algorithms with RSA (PKCS #1 version 2.1), using SHA-1 digest algorithm (ASN.1 Object Identifier: sha1WithRSAEncryption).
    SHA256WithRSA: Signature algorithms with RSA (PKCS #1 version 2.1), using SHA-256 digest algorithm (ASN.1 Object Identifier: sha256WithRSAEncryption).
4 Parameter [0..1] Parameter of the RSASSA-PSS signature algorithm.
5 DigestAlgorithm [0..1] Cryptographic algorithm for computing the digest of the label in the RSASSA-PSS encryption algorithm. Allowed values:
    SHA1: Message digest algorithm SHA-1 as defined in FIPS 180-2 - (ASN.1 Object Identifier: id-sha1).
    SHA256: Message digest algorithm SHA-256 as defined in FIPS 180-2 - (ASN.1 Object Identifier: id-sha256).
    SHA384: Message digest algorithm SHA-384 as defined in FIPS 180-2 - (ASN.1 Object Identifier: id-sha384).
    SHA512: Message digest algorithm SHA-512 as defined in FIPS 180-2 - (ASN.1 Object Identifier: id-sha512).
5 MaskGeneratorAlgorithm [1..1] Mask generator function algorithm used by the RSASSA-PSS signature algorithm.
6 Algorithm [1..1] Algorithm of the mask generator function, allowed value:
    MGF1: Mask Generator Function, used for RSA encryption and RSA digital signature (PKCS #1 version 2.1) - (ASN.1 Object Identifier: id-mgf1).
6 Parameter [0..1] Parameters associated to the mask generator function cryptographic algorithm.
7 DigestAlgorithm [0..1] Digest algorithm used in the mask generator function. Allowed values:
    SHA1: Message digest algorithm SHA-1 as defined in FIPS 180-2 - (ASN.1 Object Identifier: id-sha1).
    SHA256: Message digest algorithm SHA-256 as defined in FIPS 180-2 - (ASN.1 Object Identifier: id-sha256).
    SHA384: Message digest algorithm SHA-384 as defined in FIPS 180-2 - (ASN.1 Object Identifier: id-sha384).
    SHA512: Message digest algorithm SHA-512 as defined in FIPS 180-2 - (ASN.1 Object Identifier: id-sha512).
5 SaltLength [1..1] Length of the salt to include in the signature.
5 TrailerField [0..1] Trailer field number.
3 Signature [1..1] Digital signature value.
1 DigestedData [0..1] Digest computed on identified data.
2 Version [0..1] default 0 Version of the data structure: 0 if ContentType has the value "PlainData", otherwise 2.
2 DigestAlgorithm [1..1] Digest algorithm.
3 Algorithm [1..1] Identification of the algorithm. Cryptographic algorithms for digests, allowed values:
    SHA1: Message digest algorithm SHA-1 as defined in FIPS 180-2 - (ASN.1 Object Identifier: id-sha1).
    SHA256: Message digest algorithm SHA-256 as defined in FIPS 180-2 - (ASN.1 Object Identifier: id-sha256).
    SHA384: Message digest algorithm SHA-384 as defined in FIPS 180-2 - (ASN.1 Object Identifier: id-sha384).
    SHA512: Message digest algorithm SHA-512 as defined in FIPS 180-2 - (ASN.1 Object Identifier: id-sha512).
2 EncapsulatedContent [1..1] Data, input of the digest generation.
3 ContentType [1..1] Type of digested data. Allowed values:
    AuthenticatedData: Digested data content is a CMS AuthenticatedData structure.
    EnvelopedData: Digested data content is a CMS EnvelopedData structure.
    PlainData: Digested application data is not a CMS data structure.
    SignedData: Digested data content is a CMS SignedData structure.
3 Content [0..1] Data that have been digested. Absent if the digest is detached, i.e. if the content to hash is implicitly in another location of the message.
2 Digest [1..1] Digest value.

The layout of the CMS data structure could also be presented by this component view.

Figure 3: Component view of the CMS data structure.

3 Key Management Mechanisms

This section presents the key management mechanisms used for:
1. Data encryption, carried out by the CMS data structure EnvelopedData, and
2. Message Authentication Code (MAC), carried out by the CMS data structure AuthenticatedData.

The EnvelopedData and AuthenticatedData CMS data structures include the same data structure Recipient which contains identification or the protected encryption key or MAC generation key.

The Recipient data structure is a choice between:
- An encryption or MAC key protected by an asymmetric key carried out by the KeyTransport CMS data structure,
- An encryption or MAC key protected by a symmetric key carried out by the KEK CMS data structure,
- An identification of the key carried out by the KeyIdentifier CMS data structure.

KeyTransport and KEK data structures contain:
- The identification of the key, RecipientIdentification and KEKIdentification respectively,
- The encryption algorithm of the encryption key or MAC key,
- The encrypted encryption key or MAC key.

Figure 4: Key Management for an Encryption Key or a MAC Key

3.1 DUKPT Key Management

The DUKPT (Derived Unique Key per Transaction) key management is specified in the ANS X9.24-1:2009 standard using a different key for request/advice and response messages.

The standard defines the generation of three triple DES keys (112 bits) with the following usages:
1) The encryption of the cardholder PIN (Personal Identification Number), for an online PIN verification,
2) The encryption of sensitive data, as card data,
3) The generation of a Message Authentication Code (MAC).

3.1.1 Key Management

The DUKPT key management mechanism uses 10 bytes of information (Key Serial Number or KSN) sent by the initiator of the message request to uniquely identify the derived key at the recipient side.
This KSN contains the following information:
- Information related to the owner and the identification of the base key,
- Information to perform derivation of the base key per merchant and POI,
- Transaction Counter (last 21 bits): the counter value to detect message replay or abusive usage of the key.

With the exception of the Transaction Counter, the organisation of this information is the responsibility of the owner of the key. An example is provided by the DUKPT standard. Note that this could lead to the management of a very high number of base keys which may not be suitable for large networks of POS.

The first 5 bytes are sent in the Recipient.KEK.KEKIdentification.DerivationIdentification item of the EnvelopedData component, the last 5 bytes are sent in the Recipient.KEK.EncryptedKey of the EnvelopedData component.

The figure below shows how to map the KSN, as presented as an example in Figure D-1 of the ANSI standard X9.24-1:2009, in the corresponding CMS fields.

DerivationIdentification (5 bytes):
- Issuer Identification Number (3 bytes)
- Merchant ID (1 byte)
- Group ID (1 byte)
EncryptedKey (5 bytes):
- Device ID (19 bits)
- Transaction Counter (21 bits)

Figure 5: Key Serial Number Details

The KSN always has the same value for the two messages of the same exchange (request and response).

3.1.2 Resulting CMS Structure

The CMS data structures that are used by the keys that DUKPT provides are the following:
1. EnvelopedData to convey the encrypted cardholder PIN. One occurrence of EnvelopedData/Recipient contains the information to retrieve the DUKPT PIN key,
2. EnvelopedData to convey other encrypted data. One occurrence of EnvelopedData/Recipient contains the information to retrieve the DUKPT data encryption key,
3. AuthenticatedData to convey the MAC of a message. One occurrence of AuthenticatedData/Recipient contains the information to retrieve the DUKPT Message Authentication key.

In addition to the KSN prefix, the DUKPT Base Derivation Key (BDK) is identified by a name. Test key identification is distinguished from production key by a name including the suffix "TestKey".

The Recipient element of EnvelopedData and AuthenticatedData for DUKPT key management is presented in the table below:

DUKPT Key   Mult.   Usage
Recipient [1..1] Information related to the DUKPT key for the recipient.
  KEK [1..1] DUKPT uses the KEK choice.
    Version [0..1] default 4 Version of the data structure, current version is 4.
    KEKIdentification [1..1] Identification of the DUKPT base key.
      KeyIdentification [1..1] Name of the key. Test keys must include the suffix "TestKey".
      KeyVersion [1..1] The version of the DUKPT key. When the version represents the date of activation, it must have the format YYYYMMDDhh where:
        YYYY is a 4-digits numeral representing the year, 0000 is prohibited
        MM is a 2-digits numeral representing the month (from 01 to 12)
        DD is a 2-digits numeral representing the day of the month (from 01 to 31)
        hh is a 2-digits numeral representing the hours (from 00 to 23)
      SequenceNumber [0..1] Number of usages of the cryptographic key.
      DerivationIdentification [1..1] see Figure 5: Key Serial Number Details
    KeyEncryptionAlgorithm [1..1] Algorithm to encrypt the key encryption key.
      Algorithm [1..1] Value "DUKPT2009"
    EncryptedKey [1..1] see Figure 5: Key Serial Number Details

The same data structure is used for the two messages of the same exchange.
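The KSN layout of Figure 5 and its split across the two CMS items can be checked with the test values of section 3.1.6. The following is an added example, not part of the nexo specification: the function names are illustrative, and it assumes the namespace-free XML fragment and base64 item encoding shown in section 3.1.6.2.

```python
import base64
import xml.etree.ElementTree as ET

DEVICE_ID_BITS = 19   # Figure 5: Device ID
COUNTER_BITS = 21     # Figure 5: Transaction Counter

# Recipient fragment as printed in section 3.1.6.2 (test key, no XML namespace).
SAMPLE_RECIPIENT = (
    "<Rcpt><KEK><KEKId><KeyId>SpecV1TestKey</KeyId>"
    "<KeyVrsn>2010060715</KeyVrsn><DerivtnId>OYclpQE=</DerivtnId></KEKId>"
    "<KeyNcrptnAlgo><Algo>DKP9</Algo></KeyNcrptnAlgo>"
    "<NcrptdKey>4pAgABc=</NcrptdKey></KEK></Rcpt>"
)


def build_ksn(iin_hex, merchant_id, group_id, device_id, counter):
    """Assemble the 10-byte KSN using the example layout of Figure 5."""
    iin = bytes.fromhex(iin_hex)
    if len(iin) != 3:
        raise ValueError("Issuer Identification Number must be 3 bytes")
    for name, value, bits in (
        ("merchant_id", merchant_id, 8),
        ("group_id", group_id, 8),
        ("device_id", device_id, DEVICE_ID_BITS),
        ("counter", counter, COUNTER_BITS),
    ):
        if not 0 <= value < (1 << bits):
            raise ValueError(f"{name} does not fit in {bits} bits")
    # Device ID (19 bits) and counter (21 bits) share the last 40 bits, which
    # is why the Device ID appears shifted left by one bit in the hex KSN.
    tail = (device_id << COUNTER_BITS) | counter
    return iin + bytes([merchant_id, group_id]) + tail.to_bytes(5, "big")


def ksn_to_cms_fields(ksn):
    """Split a KSN into the two base64 values carried in Recipient/KEK."""
    if len(ksn) != 10:
        raise ValueError("KSN must be 10 bytes")
    return {
        "DerivtnId": base64.b64encode(ksn[:5]).decode("ascii"),
        "NcrptdKey": base64.b64encode(ksn[5:]).decode("ascii"),
    }


def ksn_from_recipient(xml_text):
    """Rebuild the KSN from a Recipient fragment, rejecting malformed input.

    ElementTree is enough for this constructed sample; a hardened parser is
    the safer choice for messages received from a network peer.
    """
    root = ET.fromstring(xml_text)
    if root.findtext("KEK/KeyNcrptnAlgo/Algo") != "DKP9":
        raise ValueError("Recipient does not use DUKPT2009")
    parts = []
    for path in ("KEK/KEKId/DerivtnId", "KEK/NcrptdKey"):
        text = root.findtext(path)
        if text is None:
            raise ValueError(f"missing {path}")
        raw = base64.b64decode(text.strip(), validate=True)
        if len(raw) != 5:
            raise ValueError(f"{path} must decode to 5 bytes")
        parts.append(raw)
    return parts[0] + parts[1]


def split_ksn(ksn):
    """Recover the Figure 5 fields from a 10-byte KSN."""
    if len(ksn) != 10:
        raise ValueError("KSN must be 10 bytes")
    tail = int.from_bytes(ksn[5:], "big")
    return {
        "iin": ksn[:3].hex().upper(),
        "merchant_id": ksn[3],
        "group_id": ksn[4],
        "device_id": tail >> COUNTER_BITS,
        "counter": tail & ((1 << COUNTER_BITS) - 1),
    }


def counter_bit_positions(counter):
    """Set bits of the counter, numbered 1 (most significant) to 21.

    These are the iteration numbers listed in section 3.1.6.3.
    """
    return [COUNTER_BITS - shift
            for shift in range(COUNTER_BITS - 1, -1, -1)
            if (counter >> shift) & 1]
```

A recipient can compare the counter returned by `split_ksn` with the last value seen for the same device to detect the replay mentioned in section 3.1.1.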
3.1.3 PIN Encryption Key

After derivation of the resultant key, an XOR with the hexadecimal value 00000000 000000FF 00000000 000000FF is applied to the resultant key in order to use a variant of the key for PIN encryption.

[Figure: each 8-byte half of the Derived Key is XORed with the PIN Encryption Variant 00 00 00 00 00 00 00 FF to give the PIN Encryption Key.]

Figure 6: PIN Encryption Key Variant

3.1.4 Data Encryption Key

The DUKPT Data Encryption key can be used to protect sensitive data, as card data, with the exception of the PIN.

After derivation of the resultant key, in conformance to the ANS X9.24-1:2009 standard:
- A different mask has to be used for the request/advice messages and the response messages (the hexadecimal values 00000000 00FF0000 00000000 00FF0000 and 000000FF 00000000 000000FF 00000000 respectively),
- An additional triple DES is applied as described in the figure below.

[Figure: each 8-byte half of the Derived Key is XORed with the Data Encryption Variant (request 00 00 00 00 00 FF 00 00, response 00 00 00 FF 00 00 00 00); each half of the result is then encrypted by 3DES, using this result as the key, to give the Data Encryption Key.]

Figure 7: Data Encryption Key

3.1.5 Message Authentication Key

The DUKPT Message Authentication Key is used to compute the MAC of an nexo message (in the SecurityTrailer).
After derivation of the resultant key, when using the ANS X9.24-1:2009 standard:
- A different mask has to be used for the request/advice messages and the response messages (the hexadecimal values 00000000 0000FF00 00000000 0000FF00 and 00000000 FF000000 00000000 FF000000 respectively).

[Figure: each 8-byte half of the Derived Key is XORed with the Msg Authentication Variant (request/advice 00 00 00 00 00 00 FF 00, response 00 00 00 00 FF 00 00 00) to give the Message Authentication Key.]

Figure 8: Message Authentication Key Variant for X9.24-1:2009

3.1.6 Examples

3.1.6.1 Base Key and Terminal Initial Key

The DUKPT base test key is named "SpecV1TestKey", with the version "2010060715".

The example displayed here uses the test base derivation key value:
- BDK (Base Derivation Key stored by the RecipientParty of the message): 37233E89 0B0104E9 BC943D0E 45EAE5A7

and the following KSN input values:
- Issuer Identification Number (3 bytes): 398725
- Merchant ID (1 byte): A5
- Group ID (1 byte): 01
- Device ID (19 bits): 71481

which then produces the following initial key:
- TIK (Terminal Initial Key stored by the sender of the message): EE3AE644 1C2EEE18 3F3B4179 2DBCD318

With a Transaction Counter hexadecimal value of 00017 and the information above, the KSN has the value: 39 87 25 A5 01 E2 90 20 00 17 (notice the 1-bit-left-shift of the Device ID before concatenation to the TC and integration to the KSN to obtain the value E2 90 2, as the leading bit of the TC has the value 0).
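The variant masks of sections 3.1.3 to 3.1.5 can be checked against the key values listed in section 3.1.6.3. The following is an added example, not part of the nexo specification: the function names are illustrative, the derived key is the test value from section 3.1.6.3, and the additional triple DES of Figure 7 is left to an HSM or crypto library, so only the data encryption variant (its input) is produced here.

```python
# Variant masks from sections 3.1.3, 3.1.4 and 3.1.5 (16 bytes each).
PIN_VARIANT = bytes.fromhex("00000000000000FF" * 2)
DATA_VARIANT_REQUEST = bytes.fromhex("0000000000FF0000" * 2)
DATA_VARIANT_RESPONSE = bytes.fromhex("000000FF00000000" * 2)
MAC_VARIANT_REQUEST = bytes.fromhex("000000000000FF00" * 2)
MAC_VARIANT_RESPONSE = bytes.fromhex("00000000FF000000" * 2)

# CurKey after iteration 21 in section 3.1.6.3. Published test key only.
EXAMPLE_DERIVED_KEY = bytes.fromhex("5F65F1ABF25DC5A17F629FC2B30207EA")


def apply_variant(derived_key, variant):
    """XOR a 16-byte derived key with one of the variant masks."""
    if len(derived_key) != 16 or len(variant) != 16:
        raise ValueError("derived key and variant must both be 16 bytes")
    return bytes(k ^ v for k, v in zip(derived_key, variant))


def set_odd_parity(key):
    """Force the least significant bit of each byte so the byte has odd parity."""
    out = bytearray()
    for byte in key:
        ones_in_upper_bits = bin(byte >> 1).count("1")
        parity_bit = 0 if ones_in_upper_bits % 2 else 1
        out.append((byte & 0xFE) | parity_bit)
    return bytes(out)


def has_odd_parity(key):
    """True when every byte of the key already carries odd parity."""
    return all(bin(byte).count("1") % 2 == 1 for byte in key)


def pin_encryption_key(derived_key):
    return set_odd_parity(apply_variant(derived_key, PIN_VARIANT))


def mac_key(derived_key, response=False):
    variant = MAC_VARIANT_RESPONSE if response else MAC_VARIANT_REQUEST
    return set_odd_parity(apply_variant(derived_key, variant))


def data_encryption_variant(derived_key, response=False):
    """Variant key that feeds the additional triple DES of Figure 7.

    Parity is applied only after that triple DES, so none is applied here.
    """
    variant = DATA_VARIANT_RESPONSE if response else DATA_VARIANT_REQUEST
    return apply_variant(derived_key, variant)


def working_keys(derived_key):
    """All XOR-derived keys for one transaction, checked for key separation."""
    keys = {
        "pin": pin_encryption_key(derived_key),
        "mac_request": mac_key(derived_key),
        "mac_response": mac_key(derived_key, response=True),
        "data_variant_request": data_encryption_variant(derived_key),
        "data_variant_response": data_encryption_variant(derived_key, response=True),
    }
    # Each usage and each direction must end up with a different key.
    if len(set(keys.values())) != len(keys):
        raise ValueError("two usages share the same key")
    return keys
```

Running `working_keys(EXAMPLE_DERIVED_KEY)` reproduces the PIN and MAC keys and the two data encryption variants listed in section 3.1.6.3.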
3.1.6.2 CMS Key Management Data

The Recipient data structure is presented in the table below:

Message Item   Value
Recipient
  KEK
    KEKIdentification
      KeyIdentification          SpecV1TestKey
      KeyVersion                 2010060715
      DerivationIdentification   398725A501
    KeyEncryptionAlgorithm
      Algorithm                  DUKPT2009
    EncryptedKey                 E290200017

The resulting XML encoded structure is:

<Rcpt>
  <KEK>
    <KEKId>
      <KeyId>SpecV1TestKey</KeyId>
      <KeyVrsn>2010060715</KeyVrsn>
      <DerivtnId>OYclpQE=</DerivtnId>
    </KEKId>
    <KeyNcrptnAlgo>
      <Algo>DKP9</Algo>
    </KeyNcrptnAlgo>
    <NcrptdKey>4pAgABc=</NcrptdKey>
  </KEK>
</Rcpt>

Once unnecessary spaces and carriage returns are removed, the Recipient data structure is:

<Rcpt><KEK><KEKId><KeyId>SpecV1TestKey</KeyId><KeyVrsn>2010060715</KeyVrsn><DerivtnId>OYclpQE=</DerivtnId></KEKId><KeyNcrptnAlgo><Algo>DKP9</Algo></KeyNcrptnAlgo><NcrptdKey>4pAgABc=</NcrptdKey></KEK></Rcpt>

3.1.6.3 Generation of the Keys

Intermediary results to compute the 3 DUKPT keys are presented below:

Derivation of the Initial Key
KSN, without Encryption Counter: 39 87 25 A5 01 E2 90 20
Left Half of Initial Key:        EE 3A E6 44 1C 2E EE 18
Masked Base Key:                 F7 E3 FE 49 0B 01 04 E9 7C 54 FD CE 45 EA E5 A7
Right Half of Initial Key:       3F 3B 41 79 2D BC D3 18
Terminal Initial Key:            EE 3A E6 44 1C 2E EE 18 3F 3B 41 79 2D BC D3 18

Init
CurKey: EE 3A E6 44 1C 2E EE 18 3F 3B 41 79 2D BC D3 18
R8:     25 A5 01 E2 90 20 00 00

Iteration 17
R8 bit set:              25 A5 01 E2 90 20 00 10
R8A = R8 xor CurKey-rh:  1A 9E 40 9B BD 9C D3 08
R8A = (R8A)CurKey-lh:    65 84 66 1C 74 B8 D1 0E
R8A = R8A xor CurKey-rh: 5A BF 27 65 59 04 02 16
CurKey xor Mask:         2E FA 26 84 1C 2E EE 18 FF FB 81 B9 2D BC D3 18
R8B = R8 xor CurKey-rh:  DA 5E 80 5B BD 9C D3 08
R8B = (R8B)CurKey-lh:    51 14 00 21 8A 81 3A CF
R8B = R8B xor CurKey-rh: AE EF 81 98 A7 3D E9 D7
CurKey:                  AE EF 81 98 A7 3D E9 D7 5A BF 27 65 59 04 02 16

Iteration 19
R8 bit set:              25 A5 01 E2 90 20 00 14
R8A = R8 xor CurKey-rh:  7F 1A 26 87 C9 24 02 02
R8A = (R8A)CurKey-lh:    D7 73 EF A0 25 F1 D1 AB
R8A = R8A xor CurKey-rh: 8D CC C8 C5 7C F5 D3 BD
CurKey xor Mask:         6E 2F 41 58 A7 3D E9 D7 9A 7F E7 A5 59 04 02 16
R8B = R8 xor CurKey-rh:  BF DA E6 47 C9 24 02 02
R8B = (R8B)CurKey-lh:    69 D2 07 16 0D 83 0F D5
R8B = R8B xor CurKey-rh: F3 AD E0 B3 54 87 0D C3
CurKey:                  F3 AD E0 B3 54 87 0D C3 8D CC C8 C5 7C F5 D3 BD

Iteration 20
R8 bit set:              25 A5 01 E2 90 20 00 16
R8A = R8 xor CurKey-rh:  A8 69 C9 27 EC D5 D3 AB
R8A = (R8A)CurKey-lh:    7F 30 95 40 58 26 B5 8E
R8A = R8A xor CurKey-rh: F2 FC 5D 85 24 D3 66 33
CurKey xor Mask:         33 6D 20 73 54 87 0D C3 4D 0C 08 05 7C F5 D3 BD
R8B = R8 xor CurKey-rh:  68 A9 09 E7 EC D5 D3 AB
R8B = (R8B)CurKey-lh:    2C DC A0 C2 78 1D B4 19
R8B = R8B xor CurKey-rh: 61 D0 A8 C7 04 E8 67 A4
CurKey:                  61 D0 A8 C7 04 E8 67 A4 F2 FC 5D 85 24 D3 66 33

Iteration 21
R8 bit set:              25 A5 01 E2 90 20 00 17
R8A = R8 xor CurKey-rh:  D7 59 5C 67 B4 F3 66 24
R8A = (R8A)CurKey-lh:    8D 9E C2 47 97 D1 61 D9
R8A = R8A xor CurKey-rh: 7F 62 9F C2 B3 02 07 EA
CurKey xor Mask:         A1 10 68 07 04 E8 67 A4 32 3C 9D 45 24 D3 66 33
R8B = R8 xor CurKey-rh:  17 99 9C A7 B4 F3 66 24
R8B = (R8B)CurKey-lh:    6D 59 6C EE D6 8E A3 92
R8B = R8B xor CurKey-rh: 5F 65 F1 AB F2 5D C5 A1
CurKey:                  5F 65 F1 AB F2 5D C5 A1 7F 62 9F C2 B3 02 07 EA

PIN Encryption Key:
Applying the mask defined in section 3.1.3 PIN Encryption Key, the variant of the key for PIN encryption is then:
CurKey xor PINVariant: 5F 65 F1 AB F2 5D C5 5E 7F 62 9F C2 B3 02 07 15
With the parity bits applied to the key:
PIN Encryption Key:    5E 64 F1 AB F2 5D C4 5E 7F 62 9E C2 B3 02 07 15

Data Encryption Key:
Applying the mask defined in section 3.1.4 Data Encryption Key, the variant of the key for data encryption is then:
The encryption key for the request or advice messages:
CurKey xor EncVariantReq: 5F 65 F1 AB F2 A2 C5 A1 7F 62 9F C2 B3 FD 07 EA
TDES(CurKey)CurKey:       A7 5C 21 F7 04 51 74 44 3F 28 24 9C 3B 08 A7 2B
With the parity bits applied to the key:
Data Encryption Key Req:  A7 5D 20 F7 04 51 75 45 3E 29 25 9D 3B 08 A7 2A
The encryption key for the response messages:
CurKey xor EncVariantResp: 5F 65 F1 54 F2 5D C5 A1 7F 62 9F 3D B3 02 07 EA
TDES(CurKey)CurKey:        ED 7E 8A 3D 76 05 2B EA E6 9E E6 88 61 61 3B E2
With the parity bits applied to the key:
Data Encryption Key Resp:  EC 7F 8A 3D 76 04 2A EA E6 9E E6 89 61 61 3B E3

Message Authentication Key:
The MAC key for the request or advice messages:
CurKey xor MACVariantReq: 5F 65 F1 AB F2 5D 3A A1 7F 62 9F C2 B3 02 F8 EA
With the parity bits applied to the key:
MAC Key Req:              5E 64 F1 AB F2 5D 3B A1 7F 62 9E C2 B3 02 F8 EA
The MAC key for the response messages:
CurKey xor MACVariantResp: 5F 65 F1 AB 0D 5D C5 A1 7F 62 9F C2 4C 02 07 EA
With the parity bits applied to the key:
MAC Key Resp:              5E 64 F1 AB 0D 5D C4 A1 7F 62 9E C2 4C 02 07 EA

3.2 UKPT Key Management

The UKPT (Unique Key per Transaction) key management is based on a Master Session Key MK and a session key for encryption or MAC generation exchanged for each message.

3.2.1 Resulting CMS Structure

The CMS data structures that are used to retrieve the UKPT session keys are the following:
1. EnvelopedData to convey encrypted sensitive data. One occurrence of EnvelopedData/Recipient contains the information to retrieve the encryption session key,
2. AuthenticatedData to convey the MAC of a message. One occurrence of AuthenticatedData/Recipient contains the information to retrieve the MAC session key.

The Recipient element of EnvelopedData and AuthenticatedData for UKPT key management is presented in the table below:

UKPT Key   Mult.   Usage
Recipient [1..1] Information related to the UKPT key for the recipient.
  KEK [1..1] UKPT uses the KEK choice.
    Version [0..1] default 4 Version of the data structure, current version is 4.
    KEKIdentification [1..1] Identification of the Master Session key MK.
      KeyIdentification [1..1] Name of the key. Test keys must include the suffix "TestKey".
      KeyVersion [1..1] The version of the Master Session key.
        When the value represents the date of activation, it must use the format YYYYMMDDhh where:
        YYYY is a 4-digits numeral representing the year, 0000 is prohibited
        MM is a 2-digits numeral representing the month (from 01 to 12)
        DD is a 2-digits numeral representing the day of the month (from 01 to 31)
        hh is a 2-digits numeral representing the hours (from 00 to 23)
    KeyEncryptionAlgorithm [1..1] Algorithm to encrypt the key encryption key.
      Algorithm [1..1] Symmetric encryption algorithm for the protection of the encryption key. Allowed values:
        DES112CBC: Triple DES (Data Encryption Standard) with double length key (112 Bit) as defined in FIPS PUB 46-3 (section 3.2.2: Triple DES UKPT Key Management).
        UKPT: UKPT (Unique Key Per Transaction) key encryption, using Triple DES encryption with a double length key (112 Bit) and IBM CCA control vectors (section 3.2.4: IBM CCA UKPT Key Management).
        UKPTwithAES128: UKPT (Unique Key Per Transaction) key encryption, using Advanced Encryption Standard with a 128 bits cryptographic key, approved by the Federal Information Processing Standards (FIPS 197 - November 6, 2001 - Advanced Encryption Standard) (section 3.2.3: AES UKPT Key Management).
    EncryptedKey [1..1] see following sections:
        3.2.2: Triple DES UKPT Key Management
        3.2.4: IBM CCA UKPT Key Management
        3.2.3: AES UKPT Key Management

The same value for the data structures KEKIdentification and KeyEncryptionAlgorithm must be used for the two messages of the same exchange.

However, to use different session keys, the value of EncryptedKey must be different for the two messages of the same exchange.

3.2.2 Triple DES UKPT Key Management

The Triple DES UKPT key management mechanism uses:
1. A 112 bits Triple DES Master Session Key MK, identified by the KEK/KEKIdentification,
2. A 128 bits random number, conveyed in KEK/EncryptedKey.

The result generates a 112 bits Triple DES Session Key for sensitive data encryption or MAC computation with the following algorithm:
(i) Set IV to 0
(ii) Split the random number contained in EncryptedKey in two blocks of 8 bytes
(iii) Compute a XOR with IV and the first block of the EncryptedKey
(iv) Decrypt the result of this XOR with the Master Session Key identified by KEKIdentification
(v) Compute a XOR with the given result and the second block of EncryptedKey
(vi) Decrypt the result of the XOR with the Master Session Key identified by KEKIdentification
(vii) Concatenate the results
(viii) Impose odd parity to each of the 16 bytes on the least significant bit to obtain the Session Key.

The figure below summarises the details of the generation.

Figure 9: Triple DES UKPT Session Key Generation

3.2.3 AES UKPT Key Management

The AES UKPT key management mechanism uses:
1. A 128 bits AES Master Session Key MK, identified by the KEK/KEKIdentification,
2. A 128 bits random number, conveyed in KEK/EncryptedKey.

The result generates a 128 bits AES Session Key for sensitive data encryption or MAC computation with the following simple algorithm:
(i) Decrypt the random number contained in EncryptedKey with the Master Session Key identified by KEKIdentification to obtain the Session Key.

The figure below summarises the details of the generation.
Figure 10: AES UKPT Session Key Generation

3.2.4 IBM CCA UKPT Key Management

The IBM CCA UKPT key management mechanism uses:

1. A 112 bits Triple DES Master Session Key MK, identified by the KEK/KEKIdentification,
2. A 128 bits random number, conveyed in KEK/EncryptedKey.

The result generates a 112 bits Triple DES Session Key for sensitive data encryption, PIN encryption, key encryption, or MAC computation with the following algorithm:

(i) Mask the Master Session Key MK identified by KEKIdentification with an exclusive OR by the control vectors below, depending on the key usage, to generate two 112 bits Triple DES Key Encryption Keys KEKL and KEKR:
    Left MAC control vector:             00004D00 03410000 00004D00 03410000
    Left PIN control vector:             00215F00 03410000 00215F00 03410000
    Left data control vector:            00007100 03410000 00007100 03410000
    Left key encryption control vector:  00427D00 03410000 00427D00 03410000
    Right MAC control vector:            00004D00 03210000 00004D00 03210000
    Right PIN control vector:            00215F00 03210000 00215F00 03210000
    Right data control vector:           00007100 03210000 00007100 03210000
    Right key encryption control vector: 00427D00 03210000 00427D00 03210000
(ii) Split the random number contained in EncryptedKey in two blocks of 8 bytes
(iii) Decrypt the left EncryptedKey block with the key KEKL, and the right EncryptedKey block with the key KEKR
(iv) Impose odd parity to each of the 16 bytes with the least significant bit to obtain the Session Key.

The figure below summarises the details of the generation.
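The two Triple DES derivations of sections 3.2.2 and 3.2.4, as an added Python example that is not part of the nexo specification. The 3DES block decryption is injected as decrypt_block; the hypothetical replay_decrypt stand-in only replays the block values this document publishes in section 3.2.5, so the chaining, control-vector masking and parity steps can be checked offline. All function and constant names are assumptions.

```python
"""UKPT session-key chaining (sections 3.2.2 and 3.2.4), 3DES primitive injected."""
from typing import Callable

# decrypt_block(key16, block8) -> 8 bytes: one 2-key Triple DES block decryption.
BlockDecrypt = Callable[[bytes, bytes], bytes]

# IBM CCA control vectors as listed in section 3.2.4: usage -> (left, right).
CONTROL_VECTORS = {
    "MAC": ("00004D00 03410000 00004D00 03410000",
            "00004D00 03210000 00004D00 03210000"),
    "PIN": ("00215F00 03410000 00215F00 03410000",
            "00215F00 03210000 00215F00 03210000"),
    "data": ("00007100 03410000 00007100 03410000",
             "00007100 03210000 00007100 03210000"),
    "key encryption": ("00427D00 03410000 00427D00 03410000",
                       "00427D00 03210000 00427D00 03210000"),
}


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def odd_parity(key: bytes) -> bytes:
    """Set the least significant bit of each byte so the byte has odd parity."""
    out = bytearray()
    for b in key:
        ones_in_upper_7 = bin(b >> 1).count("1")
        out.append((b & 0xFE) | (0 if ones_in_upper_7 % 2 else 1))
    return bytes(out)


def check_lengths(mk: bytes, encrypted_key: bytes) -> None:
    if len(mk) != 16 or len(encrypted_key) != 16:
        raise ValueError("MK and EncryptedKey must both be 16 bytes")


def tdes_ukpt_session_key(mk: bytes, encrypted_key: bytes,
                          decrypt_block: BlockDecrypt) -> bytes:
    """Section 3.2.2: chained decryption with a zero IV, then odd parity."""
    check_lengths(mk, encrypted_key)
    iv = bytes(8)
    block1, block2 = encrypted_key[:8], encrypted_key[8:]
    d1 = decrypt_block(mk, xor(iv, block1))
    # The XOR comes before the decryption here, unlike standard CBC decryption
    # where it follows the block operation.
    d2 = decrypt_block(mk, xor(d1, block2))
    return odd_parity(d1 + d2)


def cca_ukpt_session_key(mk: bytes, encrypted_key: bytes, usage: str,
                         decrypt_block: BlockDecrypt) -> bytes:
    """Section 3.2.4: usage-specific KEKL/KEKR, one per EncryptedKey half."""
    check_lengths(mk, encrypted_key)
    left_cv, right_cv = (bytes.fromhex(cv) for cv in CONTROL_VECTORS[usage])
    kekl, kekr = xor(mk, left_cv), xor(mk, right_cv)
    left = decrypt_block(kekl, encrypted_key[:8])
    right = decrypt_block(kekr, encrypted_key[8:])
    return odd_parity(left + right)


# Test values from section 3.2.5 of this document.
MK = bytes.fromhex("37233E89 0B0104E9 BC943D0E 45EAE5A7")
ENCRYPTED_KEY = bytes.fromhex("F5DBFB9D 229BEF77 758F0448 87D15245")

# Constructed stand-in for 3DES (an assumption of this example): it replays the
# (key, input block) -> output block values printed in sections 3.2.5.1 and
# 3.2.5.3, and fails for any pair the document does not publish.
PAGE_BLOCKS = {
    ("37233E89 0B0104E9 BC943D0E 45EAE5A7", "F5DBFB9D 229BEF77"): "877162B8 EB9557D3",
    ("37233E89 0B0104E9 BC943D0E 45EAE5A7", "F2FE66F0 6C440596"): "949088E1 C3BA954E",
    ("37237389 084004E9 BC94700E 46ABE5A7", "F5DBFB9D 229BEF77"): "053262F9 191BFD81",
    ("37237389 082004E9 BC94700E 46CBE5A7", "758F0448 87D15245"): "5C5D2414 C2D4A248",
}


def replay_decrypt(key: bytes, block: bytes) -> bytes:
    table = {(bytes.fromhex(k), bytes.fromhex(c)): bytes.fromhex(p)
             for (k, c), p in PAGE_BLOCKS.items()}
    plain = table.get((key, block))
    if plain is None:
        raise LookupError("no published value for this key/block pair")
    return plain


if __name__ == "__main__":
    print(tdes_ukpt_session_key(MK, ENCRYPTED_KEY, replay_decrypt).hex().upper())
    print(cca_ukpt_session_key(MK, ENCRYPTED_KEY, "MAC", replay_decrypt).hex().upper())
```

Because the stand-in rejects any key or block the document does not list, a wrong XOR order or a wrong control vector fails the lookup instead of silently producing a different key.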
Figure 11: IBM CCA UKPT Session Key Generation

3.2.5 Examples

3.2.5.1 Triple DES UKPT

This example uses as the DES test Master Session Key MK the same value as the test DUKPT base derivation key:

    37233E89 0B0104E9 BC943D0E 45EAE5A7

The random string sent in the KEK/EncryptedKey is:

    F5DBFB9D 229BEF77 758F0448 87D15245

(i) Split the random number contained in EncryptedKey in two blocks of 8 bytes
    Block 1 = F5DBFB9D 229BEF77
    Block 2 = 758F0448 87D15245
(ii) Decrypt the first block with the Master Session Key identified by KEKIdentification
    Decrypted Block 1 = 877162B8 EB9557D3
(iii) Compute a XOR with the given result and the second block of EncryptedKey
    Decrypted Block 1 XOR Block 2 = F2FE66F0 6C440596
(iv) Decrypt the result of the XOR with the Master Session Key identified by KEKIdentification
    Decrypted Block 2 = 949088E1 C3BA954E
(v) Concatenate the results
    Session Key = 877162B8 EB9557D3 949088E1 C3BA954E
(vi) Impose odd parity to each of the 16 bytes on the least significant bit to obtain the Session Key
    Odd-parity adjusted Session Key = 867062B9 EA9457D3 949189E0 C2BA944F

The Recipient data structure is presented in the table below:

    Message Item                      Value
    Recipient
      KEK
        KEKIdentification
          KeyIdentification           SpecV1TestKey
          KeyVersion                  2010060715
        KeyEncryptionAlgorithm
          Algorithm                   DES112CBC
        EncryptedKey                  F5DBFB9D229BEF77758F044887D15245

The resulting XML encoded structure is:

    <Rcpt>
      <KEK>
        <KEKId>
          <KeyId>SpecV1TestKey</KeyId>
          <KeyVrsn>2010060715</KeyVrsn>
        </KEKId>
        <KeyNcrptnAlgo>
          <Algo>E3DC</Algo>
        </KeyNcrptnAlgo>
        <NcrptdKey>9dv7nSKb73d1jwRIh9FSRQ==</NcrptdKey>
      </KEK>
    </Rcpt>

Once unnecessary spaces and carriage returns are removed, Recipient data structure is:

3.2.5.2 AES UKPT

This example uses as the AES test Master Session Key MK the same value as the test DUKPT base derivation key:

    37233E89 0B0104E9 BC943D0E 45EAE5A7

The random string sent in the KEK/EncryptedKey is:

    F5DBFB9D 229BEF77 758F0448 87D15245

The AES decryption of the random string by the Key MK, which is the Session Key, is:

    88D0ECFD ACAB3E8A C044BAE5 04548F9A

The Recipient data structure is presented in the table below:

    Message Item                      Value
    Recipient
      KEK
        KEKIdentification
          KeyIdentification           SpecV1TestKey
          KeyVersion                  2010060715
        KeyEncryptionAlgorithm
          Algorithm                   UKPTwithAES128
        EncryptedKey                  F5DBFB9D229BEF77758F044887D15245

The resulting XML encoded structure is:

    <Rcpt>
      <KEK>
        <KEKId>
          <KeyId>SpecV1TestKey</KeyId>
          <KeyVrsn>2010060715</KeyVrsn>
        </KEKId>
        <KeyNcrptnAlgo>
          <Algo>UKA1</Algo>
        </KeyNcrptnAlgo>
        <NcrptdKey>9dv7nSKb73d1jwRIh9FSRQ==</NcrptdKey>
      </KEK>
    </Rcpt>

Once unnecessary spaces and carriage returns are removed, Recipient data structure is:

3.2.5.3 IBM CCA UKPT

This example uses as the DES test Master Session Key MK the same value as the test DUKPT base derivation key:

    37233E89 0B0104E9 BC943D0E 45EAE5A7

We are considering the generation of a MAC session key, the random string sent in the KEK/EncryptedKey being:

    F5DBFB9D 229BEF77 758F0448 87D15245

The “exclusive or” of the Key MK by the left MAC control vector 00004D00 03410000 00004D00 03410000, to generate the KEKL key is:

    37237389 084004E9 BC94700E 46ABE5A7

The “exclusive or” of the Key MK by the right MAC control vector 00004D00 03210000 00004D00 03210000, to generate the KEKR key is:

    37237389 082004E9 BC94700E 46CBE5A7

The triple DES decryption of the random string by the KEKL and KEKR keys is:

    053262F9 191BFD81 5C5D2414 C2D4A248

Imposing bitwise odd parity, the session key is:

    043262F8 191AFD80 5D5D2515 C2D5A249

The Recipient data structure is presented in the table below:

    Message Item                      Value
    Recipient
      KEK
        KEKIdentification
          KeyIdentification           SpecV1TestKey
          KeyVersion                  2010060715
        KeyEncryptionAlgorithm
          Algorithm                   UKPT
        EncryptedKey                  F5DBFB9D229BEF77758F044887D15245

The resulting XML encoded structure is:

    <Rcpt>
      <KEK>
        <KEKId>
          <KeyId>SpecV1TestKey</KeyId>
          <KeyVrsn>2010060715</KeyVrsn>
        </KEKId>
        <KeyNcrptnAlgo>
          <Algo>UKPT</Algo>
        </KeyNcrptnAlgo>
        <NcrptdKey>9dv7nSKb73d1jwRIh9FSRQ==</NcrptdKey>
      </KEK>
    </Rcpt>

Once unnecessary spaces and carriage returns are removed, Recipient data structure is:
3.3 RSAES-OAEP Key Encryption

The RSAES-OAEP (RSA Encryption Scheme with Optimal Asymmetric Encryption Padding) is an encryption scheme specified in RFC 3447 “Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1”. Section 1.4 contains key lengths and key exponent recommendations.

3.3.1 Key Management

The RSAES-OAEP algorithm is used to encrypt a transport key with an RSA public key, as specified in RFC 3560 “Use of the RSAES-OAEP Key Transport Algorithm in the Cryptographic Message Syntax (CMS)”.

The RSA public key must be authenticated by a Certificate Authority that has signed the RSA public key along with other information in an X.509 certificate.

The keyUsage extension must be present in the X.509 certificate, and must contain the value “keyEncipherment”.

The KeyTransport choice of the CMS Recipient data structure must be used with:
- The Issuer’s distinguished names of the X.509 certificate, with the AttributeType and AttributeValue in the same order as in the X.509 certificate.
- The serial number of the X.509 certificate.

The parameters allowed by RSAES-OAEP are:
- The digest algorithms used by RSAES-OAEP are limited to SHA-256, as specified in FIPS 180-2.
- The mask generator functions used by RSAES-OAEP are limited to MGF1, as specified in RFC 3560 “Use of the RSAES-OAEP Key Transport Algorithm in the Cryptographic Message Syntax (CMS)”.
- The digest algorithms used by the mask generator function MGF1 are limited to SHA-256, as specified in FIPS 180-2.

3.3.2 Resulting CMS Structure

The CMS data structure that is used by the provided RSAES-OAEP key is the following:

1. EnvelopedData to convey an encrypted key encryption key. One occurrence of EnvelopedData/Recipient/KeyTransport contains the information to retrieve the key encryption key.

The Recipient element of EnvelopedData is presented in the table below (Message Item, Mult., Usage):

Recipient [1..1] Information related to the transport key for the recipient.
  KeyTransport [1..1] RSAES-OAEP uses the KeyTransport choice.
    Version [1..1] [default 0] Version of the data structure, current version is 0.
    RecipientIdentification [1..1] Identification of the X.509 certificate of the RSA public key.
      IssuerAndSerialNumber [1..1] Identification of the issuer and the serial number of the X.509 certificate.
        Issuer [1..1] Identification of the issuer of the X.509 certificate.
          RelativeDistinguishedName [1..*] X.509 attributes of the issuer of the X.509 certificate, in the same order as the certificate.
            AttributeType [1..1] X.509 attribute, allowed codes:
                CountryName: Country of the certificate issuer
                Locality: City of the certificate issuer
                OrganisationName: Organisation of the certificate issuer
                OrganisationUnitName: Organisation unit of the certificate issuer
                CommonName: Name of the certificate issuer
            AttributeName [1..1] Value of the X.509 attribute.
        SerialNumber [1..1] Serial number of the X.509 certificate of the RSA public key.
    KeyEncryptionAlgorithm [1..1] Algorithm to encrypt the transport key by the RSA public key.
      Algorithm [1..1] Encryption algorithm for the encryption of the transport key. Allowed value:
          RSAES-OAEP: RSA encryption scheme based on Optimal Asymmetric Encryption Padding scheme (OAEP in PKCS #1 version 2.1) - (ASN.1 Object Identifier: id-RSAES-OAEP).
      Parameter [1..1] Parameter of the RSAES-OAEP encryption algorithm.
        DigestAlgorithm [1..1] Cryptographic algorithm for computing the digest of the label in the RSAES-OAEP encryption algorithm. Allowed value:
            SHA256: Message digest algorithm SHA-256 as defined in FIPS 180-2 (ASN.1 Object Identifier: id-sha256).
        MaskGeneratorAlgorithm [1..1] Mask generator function algorithm used by the RSAES-OAEP encryption algorithm.
          Algorithm [1..1] Algorithm of the mask generator function, allowed value:
              MGF1: Mask Generator Function, used for RSA encryption and RSA digital signature (PKCS #1 version 2.1) - (ASN.1 Object Identifier: id-mgf1).
          Parameter [1..1] Parameters associated to the mask generator function cryptographic algorithm.
            DigestAlgorithm [1..1] Digest algorithm used in the mask generator function. Allowed value:
                SHA256: Message digest algorithm SHA-256 as defined in FIPS 180-2 (ASN.1 Object Identifier: id-sha256).
    EncryptedKey [1..1]

3.3.3 Key Encryption Process

The RSAES-OAEP encryption is described below with the following notations:
- K: the RSA key pair
- mLen: the length of the K modulus
- hLen: the length of the digest, 32 for the SHA-256
- KT: the plaintext transport key
- 01: an hexadecimal value
- || : the concatenation

(i) Compute the SHA-256 digest LH of the empty string.
(ii) Build the data block DB = LH || PS || 01 || KT of length mLen - (hLen + 1), where PS is the string of hexadecimal byte values 00
(iii) Generate a random seed block value SD of length hLen
(iv) Compute the data block mask DBM of length mLen - (hLen + 1), result of the mask generator function MGF1 applied to the seed block SD for the length mLen - (hLen + 1)
(v) Compute the masked data block MDB of length mLen - (hLen + 1), result of the bitwise exclusive or between the data block DB and the data block mask DBM
(vi) Compute the seed block mask SDM of length hLen, result of the mask generator function MGF1 applied to the block MDB for the length hLen
(vii) Compute the masked seed block MSD of length hLen, result of the bitwise exclusive or between the seed block SD and the seed block mask SDM
(viii) Build the block EM = 00 || MSD || MDB of length mLen
(ix) Encrypt the block EM with the RSA public key K to fill EncryptedKey.

The figure below summarises the steps (i) to (ix) of the RSAES-OAEP encryption process.

Figure 12: RSAES-OAEP Encryption

3.3.4 MGF1 Mask Generator Function Process

The RSAES-OAEP encryption and decryption use the MGF1 mask generator function.

The MGF1 function generates a data block M of length mLen from a seed block mgfSD, using a digest algorithm limited to SHA-256 in nexo protocols:

(i) Build a block T initialised as an empty string (i.e. T has length 0)
(ii) Initialise a counter C of 4 bytes to 00 00 00 00
(iii) While the block T has not reached a length of mLen bytes:
    a. T = T || SHA-256(mgfSD || C)
    b. Increment C by one
(iv) M is the first mLen bytes of T

Figure 13: MGF1 Mask Generator Function

3.3.5 Key Decryption Process

The RSADS-OAEP decryption is described below with the same notations as for the encryption:

(i) Decrypt the value of EncryptedKey with the RSA private key K to the block EM = Y || MSD || MDB where
    Y, one byte, must be equal to 00
    MSD has the length hLen
    MDB has the length mLen - (hLen + 1)
(ii) Compute the seed block mask SDM of length hLen, result of the mask generator function MGF1 applied to the block MDB for the length hLen
(iii) Compute the seed block SD of length hLen, result of the bitwise exclusive or between the masked seed block MSD and the seed block mask SDM
(iv) Compute the data block mask DBM of length mLen - (hLen + 1), result of the mask generator function MGF1 applied to the seed block SD for the length mLen - (hLen + 1)
(v) Compute the data block DB of length mLen - (hLen + 1), result of the bitwise exclusive or between the masked data block MDB and the data block mask DBM
(vi) Compute the SHA-256 digest LH of the empty string.
(vii) Split the data block DB = LH’ || PS || M || KT
    LH’ of length hLen must be equal to LH
    PS is the largest string following LH’ of hexadecimal bytes of value 00
    M, first non zero byte, must have the value 01
    KT, the remaining string, the transport key to use, must have the right length

The figure below summarises the steps (i) to (vii) of the RSADS-OAEP decryption process.
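The encoding, MGF1 and decoding steps of sections 3.3.3 to 3.3.5, as an added Python example that is not part of the nexo specification. It stops at the block EM on the encryption side and starts from EM on the decryption side, leaving out the RSA operation itself; the transport key, seed and iteration 0 value are the ones this document prints in section 3.3.6.2, and all function and constant names are assumptions.

```python
"""OAEP encoding/decoding per sections 3.3.3 to 3.3.5 (SHA-256, MGF1, empty label)."""
import hashlib
import hmac

H_LEN = hashlib.sha256().digest_size  # hLen = 32


def mgf1(mgf_sd: bytes, length: int) -> bytes:
    """Section 3.3.4: T = T || SHA-256(mgfSD || C), C a 4-byte big-endian counter."""
    t = b""
    counter = 0
    while len(t) < length:
        t += hashlib.sha256(mgf_sd + counter.to_bytes(4, "big")).digest()
        counter += 1
    return t[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(kt: bytes, m_len: int, sd: bytes) -> bytes:
    """Steps (i) to (viii) of section 3.3.3: returns EM, the block given to RSA."""
    db_len = m_len - (H_LEN + 1)
    ps_len = db_len - H_LEN - 1 - len(kt)
    if ps_len < 0:
        raise ValueError("transport key too long for this modulus")
    if len(sd) != H_LEN:
        raise ValueError("seed must be hLen bytes")
    lh = hashlib.sha256(b"").digest()            # (i)
    db = lh + bytes(ps_len) + b"\x01" + kt       # (ii)
    mdb = xor(db, mgf1(sd, db_len))              # (iv), (v)
    msd = xor(sd, mgf1(mdb, H_LEN))              # (vi), (vii)
    return b"\x00" + msd + mdb                   # (viii)


def oaep_decode(em: bytes, m_len: int, kt_len: int) -> bytes:
    """Steps (ii) to (vii) of section 3.3.5 on an already RSA-decrypted EM.

    The RSA result is an integer: convert it to exactly m_len bytes first, so
    that the leading 00 byte Y is still there to be checked.
    """
    if len(em) != m_len or m_len < 2 * H_LEN + 2:
        raise ValueError("decryption error")
    y, msd, mdb = em[0], em[1:1 + H_LEN], em[1 + H_LEN:]
    sd = xor(msd, mgf1(mdb, H_LEN))              # (ii), (iii)
    db = xor(mdb, mgf1(sd, len(mdb)))            # (iv), (v)
    lh_prime, rest = db[:H_LEN], db[H_LEN:]
    ps_len = len(rest) - len(rest.lstrip(b"\x00"))
    ok = (
        y == 0
        and hmac.compare_digest(lh_prime, hashlib.sha256(b"").digest())
        and ps_len < len(rest)
        and rest[ps_len] == 0x01
        and len(rest) - ps_len - 1 == kt_len
    )
    # Every failed check raises the same error: the caller must not be able to
    # tell which of Y, LH', the 01 marker or the key length was wrong.
    if not ok:
        raise ValueError("decryption error")
    return rest[ps_len + 1:]


# Values printed in section 3.3.6.2 of this document.
M_LEN = 384
KT = bytes.fromhex("AE EF 80 98 A7 3D E9 D6 5B BF 26 64 58 04 02 16")
SD = bytes.fromhex(
    "3F AE 5D 13 77 C7 30 7D 60 D3 9B 6C 6F 3B 93 3D"
    "01 89 95 5D 64 DF 4C 67 B6 3B F6 08 F3 F2 84 1C"
)
# Result of MGF1 iteration 0 as printed in step (iv) of the example.
PAGE_MGF1_ITERATION_0 = bytes.fromhex(
    "E2 DB 1C 9A C4 B9 69 92 EC E4 CC 9A 9E D7 82 AD"
    "59 0A CD 0B 51 58 03 56 5D 4C B3 26 89 5B B1 F1"
)

if __name__ == "__main__":
    em = oaep_encode(KT, M_LEN, SD)
    print("EM length:", len(em))
    print("round trip ok:", oaep_decode(em, M_LEN, len(KT)) == KT)
    print("MGF1 iteration 0 equals the printed value:",
          mgf1(SD, H_LEN) == PAGE_MGF1_ITERATION_0)
```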
Figure 14: RSADS-OAEP Decryption

3.3.6 Examples

3.3.6.1 RSA Encryption Key and Certificate

The RSA key to encrypt the transport key has a key length of 3072 bits with the components dumped below:

    RSA Key Component        Value
    Public Exponent          010001

This RSA key is authenticated by a certificate authority with the following information:

    Certificate Information        Value
    serialNumber                   7895 CA35 014C 3D2F 1E11 B10D
    Issuer
      Country Name                 BE
      Organisation Name            EPASOrg
      Organisation Unit Name       Technical Center of Expertise
      Common Name                  EPAS Protocols Test CA
    Validity
      notBefore                    20130418101823+0100
      notAfter                     20181001182005+0100
    Subject
      Country Name                 FR
      Organisation Name            EPASOrg
      Organisation Unit Name       Technical Center of Expertise
      Common Name                  EPAS Protocol Test Host Key Encryption
    Extensions
      keyUsage                     KeyEncipherment

The dump of the X.509 certificate is:
The RSA key of the certificate authority signing this X.509 certificate has a key length of 4096 bits with the components dumped below:
    RSA Key Component        Value
    Public Exponent          010001

3.3.6.2 RSAES-OAEP Encryption

The transport key KT to encrypt is the following 112 bits triple DES key:

    0000  AE EF 80 98 A7 3D E9 D6 5B BF 26 64 58 04 02 16

Step (i): Digest LH of the empty string Label

The block LH, SHA-256 digest of the empty string, is:

    0000  E3 B0 C4 42 98 FC 1C 14 9A FB F4 C8 99 6F B9 24
    0010  27 AE 41 E4 64 9B 93 4C A4 95 99 1B 78 52 B8 55

Step (ii): Building of the block DB

The RSA encryption key has a modulus length mLen of 384.

The SHA-256 digest has a length hLen of 32.

The block DB has a length of 384 - (32+1) = 351 bytes:

Step (iii): Generation of the Seed SD

We consider the following seed SD:

0000 3F AE 5D 13 77 C7 30 7D 60 D3 9B 6C 6F 3B 93 3D |?.].w.0}`..lo;.=|
0010 01 89 95 5D 64 DF 4C 67 B6 3B F6 08 F3 F2 84 1C |...]d.Lg.;......|

Step (iv): Generation of the mask DBM by MGF1

Intermediate computation of the MGF1 function with:
- The seed SD generated at the step (iii)
- The length of the mask to generate, mLen-(hLen+1) equal to 351
- The SHA256 digest algorithm
are presented below.

Iteration 0 (T length = 00)
Block mgfSD || C
0000 3F AE 5D 13 77 C7 30 7D 60 D3 9B 6C 6F 3B 93 3D
0010 01 89 95 5D 64 DF 4C 67 B6 3B F6 08 F3 F2 84 1C
0020 00 00 00 00
Result SHA-256(mgfSD || C)
0000 E2 DB 1C 9A C4 B9 69 92 EC E4 CC 9A 9E D7 82 AD
0010 59 0A CD 0B 51 58 03 56 5D 4C B3 26 89 5B B1 F1

Iteration 1 (T length = 20)
Block mgfSD || C
0000 3F AE 5D 13 77 C7 30 7D 60 D3 9B 6C 6F 3B 93 3D
0010 01 89 95 5D 64 DF 4C 67 B6 3B F6 08 F3 F2 84 1C
0020 00 00 00 01
Result SHA-256(mgfSD || C)
0000 27 EF 19 93 78 FD B8 67 DF 4C 66 7A 91 27 4E 62
0010 7A 81 8D D4 C7 BA 06 CB 6C 27 C8 D7 9B 96 15 B0

Iteration 2 (T length = 40)
Block mgfSD || C
0000 3F AE 5D 13 77 C7 30 7D 60 D3 9B 6C 6F 3B 93 3D
0010 01 89 95 5D 64 DF 4C 67 B6 3B F6 08 F3 F2 84 1C
0020 00 00 00 02
Result SHA-256(mgfSD || C)
0000 DA 8A 43 17 70 50 A5 CC 48 29 C8 B3 F1 A9 1A F6
0010 68 CC 0C 03 49 E4 74 32 28 86 3B 7A 35 B8 87 B0

Iteration 3 (T length = 60)
Block mgfSD || C
0000 3F AE 5D 13 77 C7 30 7D 60 D3 9B 6C 6F 3B 93 3D
0010 01 89 95 5D 64 DF 4C 67 B6 3B F6 08 F3 F2 84 1C
0020 00 00 00 03
Result SHA-256(mgfSD || C)
0000 0C EC 0B E5 8E 79 9C EB FF FD BB ED E9 ED 31 35
0010 15 F6 B4 DA 9D 87 8D E7 0F DE 06 23 5C 60 D4 59

Iteration 4 (T length = 80)
Block mgfSD || C
0000 3F AE 5D 13 77 C7 30 7D 60 D3 9B 6C 6F 3B 93 3D
0010 01 89 95 5D 64 DF 4C 67 B6 3B F6 08 F3 F2 84 1C
0020 00 00 00 04
Result SHA-256(mgfSD || C)
0000 73 38 83 3B 66 16 65 C9 A6 01 7E FD 1A D8 00 5C
0010 F8 68 DC 71 A3 80 52 0E 0A 9D 27 23 23 82 A7 E3

Iteration 5 (T length = A0)
Block mgfSD || C
0000 3F AE 5D 13 77 C7 30 7D 60 D3 9B 6C 6F 3B 93 3D
0010 01 89 95 5D 64 DF 4C 67 B6 3B F6 08 F3 F2 84 1C
0020 00 00 00 05
Result SHA-256(mgfSD || C)
0000 8C 58 25 FA 97 F0 C2 06 0B 51 1B 04 5A 88 70 84
0010 83 13 CB BE F2 5C 07 79 E0 11 1F 52 A2 AF 8A 69

Iteration 6 (T length = C0)
Block mgfSD || C
0000 3F AE 5D 13 77 C7 30 7D 60 D3 9B 6C 6F 3B 93 3D
0010 01 89 95 5D 64 DF 4C 67 B6 3B F6 08 F3 F2 84 1C
0020 00 00 00 06
Result SHA-256(mgfSD || C)
0000 36 F8 EE 95 02 AB 5F 92 E6 6D B7 CA DD C2 FD 4D
0010 A3 B8 EB F4 CB 07 39 C3 5B 2E 3D C0 D0 DD 1A E4

Iteration 7 (T length = E0)
Block mgfSD || C
0000 3F AE 5D 13 77 C7 30 7D 60 D3 9B 6C 6F 3B 93 3D
0010 01 89 95 5D 64 DF 4C 67 B6 3B F6 08 F3 F2 84 1C
0020 00 00 00 07
Result SHA-256(mgfSD || C)
0000 5D 23 59 40 39 40 6C 21 A7 90 3F 1C 92 4D B7 F3
0010 4B 3E 37 D9 41 61 C8 F7 78 71 27 A0 65 77 36 66

Iteration 8 (T length = 100)
Block mgfSD || C
0000 3F AE 5D 13 77 C7 30 7D 60 D3 9B 6C 6F 3B 93 3D
0010 01 89 95 5D 64 DF 4C 67 B6 3B F6 08 F3 F2 84 1C
0020 00 00 00 08
Result SHA-256(mgfSD || C)
0000 7A 5F DB 49 75 CD E9 DA C0 2B 34 A2 78 85 B9 8D
0010 25 EF DA 91 BC E3 51 B1 5D E2 50 48 77 F5 81 77

Iteration 9 (T length = 120)
Block mgfSD || C
0000 3F AE 5D 13 77 C7 30 7D 60 D3 9B 6C 6F 3B 93 3D
0010 01 89 95 5D 64 DF 4C 67 B6 3B F6 08 F3 F2 84 1C
0020 00 00 00 09
Result SHA-256(mgfSD || C)
0000 F7 71 4C 0E 38 EC FE 6E 8E B1 62 5C A9 1E 8C 9E
0010 E1 B1 B4 6D 71 F2 D6 46 69 D3 95 EE 53 C4 A8 E5

Iteration A (T length = 140)
Block mgfSD || C
0000 3F AE 5D 13 77 C7 30 7D 60 D3 9B 6C 6F 3B 93 3D
0010 01 89 95 5D 64 DF 4C 67 B6 3B F6 08 F3 F2 84 1C
0020 00 00 00 0A
Result SHA-256(mgfSD || C)
0000 01 70 BE 4A 14 0D 8E A7 2B 4A 00 D5 03 D8 2A 33
0010 93 03 D4 DF CA F8 74 CC 4E BD D9 C3 9C 0B 01 04

The resulting block DBM is the concatenation of the results of iterations 0 to A, truncated to 351 bytes.

Step (v): Generation of the block MDB

The masked block MDB is the result of the bitwise exclusive or between DB and DBM.

Step (vi): Generation of the mask SDM by MGF1

Intermediate computation of the MGF1 function with:
- The masked block MDB generated at the previous step
- The length of the mask to generate, hLen equal to 32
- The SHA256 digest algorithm
are presented below.

Iteration 0 (T length = 00)
Block mgfSD || C: the block MDB followed by the counter 00 00 00 00
Result SHA-256(mgfSD || C)
0000 48 C3 43 1B CF 4B A3 1A 1A 04 E2 EC 8B 10 93 DB
0010 7D 07 8F 36 4E 58 D1 4C 6F D5 AE 32 87 1A B4 40

The resulting block SDM is:

0000 48 C3 43 1B CF 4B A3 1A 1A 04 E2 EC 8B 10 93 DB
0010 7D 07 8F 36 4E 58 D1 4C 6F D5 AE 32 87 1A B4 40

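The padding computation of steps (i) to (viii), with the MGF1 function used in steps (iv) and (vi), and its inverse as applied after RSA decryption, written out as an added Python example that is not part of the specification. KT, the seed SD and the PAGE_* constants are copied from this worked example; the function names are assumptions, and the RSA operation of step (ix) is left out.

```python
"""EME-OAEP padding (RFC 8017, section 7.1) with SHA-256 and MGF1.

Added illustration, not code from the specification. KT, SD and the PAGE_*
constants are copied from the worked example; the function names are
assumptions of this sketch. The RSA operation of step (ix) is left out.
"""
import hashlib
import hmac

H_LEN = 32    # hLen: length of a SHA-256 digest, in bytes
M_LEN = 384   # mLen: length of the RSA modulus, in bytes

KT = bytes.fromhex("AEEF8098A73DE9D65BBF266458040216")
SD = bytes.fromhex("3FAE5D1377C7307D60D39B6C6F3B933D"
                   "0189955D64DF4C67B63BF608F3F2841C")
PAGE_LH = bytes.fromhex("E3B0C44298FC1C149AFBF4C8996FB924"
                        "27AE41E4649B934CA495991B7852B855")
PAGE_DBM_BLOCK0 = bytes.fromhex("E2DB1C9AC4B96992ECE4CC9A9ED782AD"
                                "590ACD0B515803565D4CB326895BB1F1")
PAGE_SDM = bytes.fromhex("48C3431BCF4BA31A1A04E2EC8B1093DB"
                         "7D078F364E58D14C6FD5AE32871AB440")
PAGE_MSD = bytes.fromhex("776D1E08B88C93677AD77980E42B00E6"
                         "7C8E1A6B2A879D2BD9EE583A74E8305C")


def mgf1(seed: bytes, length: int) -> bytes:
    """Concatenate SHA-256(seed || C) for C = 0, 1, 2, ... and truncate."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(message: bytes, seed: bytes, label: bytes = b"",
                k: int = M_LEN) -> bytes:
    """Steps (i) to (viii): build EM = 00 || MSD || MDB."""
    if len(seed) != H_LEN:
        raise ValueError("seed must be hLen bytes")
    if len(message) > k - 2 * H_LEN - 2:
        raise ValueError("message too long")
    lh = hashlib.sha256(label).digest()             # step (i)
    ps = bytes(k - len(message) - 2 * H_LEN - 2)    # zero padding
    db = lh + ps + b"\x01" + message                # step (ii)
    mdb = xor(db, mgf1(seed, k - H_LEN - 1))        # steps (iv) and (v)
    msd = xor(seed, mgf1(mdb, H_LEN))               # steps (vi) and (vii)
    return b"\x00" + msd + mdb                      # step (viii)


def oaep_decode(em: bytes, label: bytes = b"", k: int = M_LEN) -> bytes:
    """Inverse of oaep_encode. Every check feeds one flag and one error, so
    the caller cannot tell which check failed (Python is not constant-time)."""
    if len(em) != k:
        raise ValueError("decryption error")
    y, msd, mdb = em[0], em[1:1 + H_LEN], em[1 + H_LEN:]
    seed = xor(msd, mgf1(mdb, H_LEN))
    db = xor(mdb, mgf1(seed, k - H_LEN - 1))
    lh, rest = db[:H_LEN], db[H_LEN:].lstrip(b"\x00")
    ok = y == 0
    ok &= hmac.compare_digest(lh, hashlib.sha256(label).digest())
    ok &= rest.startswith(b"\x01")
    if not ok:
        raise ValueError("decryption error")
    return rest[1:]


def rejects(em: bytes, label: bytes = b"") -> bool:
    """True when decoding fails, as it must for a modified block or label."""
    try:
        oaep_decode(em, label)
    except ValueError:
        return True
    return False


def compare_with_page() -> dict:
    """Recompute the example and compare with the values printed on the page."""
    em = oaep_encode(KT, SD)
    mdb = em[1 + H_LEN:]
    return {
        "LH": hashlib.sha256(b"").digest() == PAGE_LH,
        "DBM iteration 0": mgf1(SD, M_LEN - H_LEN - 1)[:H_LEN] == PAGE_DBM_BLOCK0,
        "SDM": mgf1(mdb, H_LEN) == PAGE_SDM,
        "MSD": em[1:1 + H_LEN] == PAGE_MSD,
        "round trip": oaep_decode(em) == KT,
    }


if __name__ == "__main__":
    for name, same in compare_with_page().items():
        print(f"{name:16} {'matches' if same else 'differs'}")
```

Run as a script, the block reports for each intermediate value whether the recomputed value matches the one printed in this example.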
Step (vii): Generation of the block MSD

The masked block MSD, result of the bitwise exclusive or between SD and SDM, is then:

0000 77 6D 1E 08 B8 8C 93 67 7A D7 79 80 E4 2B 00 E6
0010 7C 8E 1A 6B 2A 87 9D 2B D9 EE 58 3A 74 E8 30 5C

Step (viii): Generation of the block EM

The block EM is the result of the concatenation 00 || MSD || MDB.

Step (ix): Encryption of the block EM

The block EM is then encrypted by the public RSA key; the result is the EncryptedKey value of the Recipient data structure.


Inside the EnvelopedData CMS data structure, the Recipient data structure is presented in the table below:

Message Item                              Value
Recipient
  KeyTransport
    Version                               0
    RecipientIdentification
      IssuerAndSerialNumber
        Issuer
          RelativeDistinguishedName
            AttributeType                 CountryName
            AttributeName                 BE
          RelativeDistinguishedName
            AttributeType                 OrganisationName
            AttributeName                 EPASOrg
          RelativeDistinguishedName
            AttributeType                 OrganisationUnitName
            AttributeName                 Technical Center of Expertise
          RelativeDistinguishedName
            AttributeType                 CommonName
            AttributeName                 EPAS Protocols Test CA
        SerialNumber                      7895CA35014C3D2F1E11B10D
    KeyEncryptionAlgorithm
      Algorithm                           RSAES-OAEP
      Parameter
        DigestAlgorithm                   SHA256
        MaskGeneratorAlgorithm
          Algorithm                       MGF1
          Parameter
            DigestAlgorithm
    EncryptedKey

The XML encoded structure of the Recipient data structure in the EnvelopedData CMS data structure is:

<Rcpt>
  <KeyTrnsprt>
    <Vrsn>0</Vrsn>
    <RcptId>
      <IssrAndSrlNb>
        <Issr>
          <RltvDstngshdNm>
            <AttrTp>CATT</AttrTp>
            <AttrVal>BE</AttrVal>
          </RltvDstngshdNm>
          <RltvDstngshdNm>
            <AttrTp>OATT</AttrTp>
            <AttrVal>EPASOrg</AttrVal>
          </RltvDstngshdNm>
          <RltvDstngshdNm>
            <AttrTp>OUAT</AttrTp>
            <AttrVal>Technical Center of Expertise</AttrVal>
          </RltvDstngshdNm>
          <RltvDstngshdNm>
            <AttrTp>CNAT</AttrTp>
            <AttrVal>EPAS Protocols Test CA</AttrVal>
          </RltvDstngshdNm>
        </Issr>
        <SrlNb>eJXKNQFMPS8eEbEN</SrlNb>
      </IssrAndSrlNb>
    </RcptId>
    <KeyNcrptnAlgo>
      <Algo>RSAO</Algo>
      <Param>
        <DgstAlgo>HS25</DgstAlgo>
        <MskGnrtrAlgo>
          <Algo>MGF1</Algo>
          <Param>
            <DgstAlgo>HS25</DgstAlgo>
          </Param>
        </MskGnrtrAlgo>
      </Param>
    </KeyNcrptnAlgo>
    <NcrptdKey>
      Do5HCfqDoyuAY1vX0Pf4ue6oFOnSt3o0lYT1JNvfYHZLFs5CcV8B10n8tO+yUXcRpJ39bW+OgYdRnI
      +nt/+SjsF4PtcH28fVebwImm6qh2zdBhbpMiwKz0MYtCtYNd1bLC/65UYmTWFfeYjg1NxT9iBL1jWx
      tyTwUfhGk57RE7GjkO5rAuEUErvSTV9zZTIFnVTkjJpnOcHOXUiwppBn6nYkz6RL2L1+/S0+vlh2OY
      nHSspbOPON0Mju/+5/7KilR14OPTKYAHrG6UQqbdMbfTwbrvWm3rM3qv+kg26NCR7vmCrswLpfsF5I
      a1HaggJkICYajwVcQLTzYI17B//CDHFpSp7cKlSLcsrC3Dgtsa/34PYf+QaGAcqQOh8sWY//2IbsI6
      kl9vNOSb6sQ4Ntdu/Is4j08svmRa0QFMMp6Akso3F8iE2oan+ljo2W2zFXhRpWmPVdugxNJiGg4Viu
      BoeGlTGvHGsf5MqZscXSHhFpI7kJQn1blJa1gsYtFbpp
    </NcrptdKey>
  </KeyTrnsprt>
</Rcpt>

Once unnecessary spaces and carriage returns are removed, the Recipient data structure is the XML structure above on a single line.


3.3.6.3 RSADS-OAEP Decryption

We use the result of the previous section, the EncryptedKey message item value.

The value of mLen is 384 (or 180 in hexadecimal)
The value of hLen is 32 (or 20 in hexadecimal)

Step (i): Decryption of the block EncryptedKey

The decryption of the EncryptedKey message item by the private RSA key provides the block EM, identical to the block built at step (viii) of the encryption.

The EM block is split in 3 blocks: Y || MSD || MDB

Y has the value 00. The masked seed block MSD has the value:

0000 77 6D 1E 08 B8 8C 93 67 7A D7 79 80 E4 2B 00 E6
0010 7C 8E 1A 6B 2A 87 9D 2B D9 EE 58 3A 74 E8 30 5C

The masked data block MDB is the remaining 351 bytes of EM.

Step (ii): Generation of the seed mask SDM by MGF1

Intermediate computation of the MGF1 function with:
- The masked block MDB isolated at the previous step
- The length of the mask to generate, hLen equal to 32
- The SHA256 digest algorithm
are presented below.

Iteration 0 (T length = 00)
Block mgfSD || C
Result SHA-256(mgfSD || C)


The resulting block SDM is:

0000 48 C3 43 1B CF 4B A3 1A 1A 04 E2 EC 8B 10 93 DB
0010 7D 07 8F 36 4E 58 D1 4C 6F D5 AE 32 87 1A B4 40

Step (iii): Retrieving the seed block SD

The seed SD, result of the bitwise exclusive or between the masked seed MSD and seed mask SDM, is then:

0000 3F AE 5D 13 77 C7 30 7D 60 D3 9B 6C 6F 3B 93 3D |?.].w.0}`..lo;.=|
0010 01 89 95 5D 64 DF 4C 67 B6 3B F6 08 F3 F2 84 1C |...]d.Lg.;......|

Step (iv): Generation of the mask DBM by MGF1

Intermediate computation of the MGF1 function with:
- The seed SD retrieved at the step (iii)
- The length of the mask to generate, mLen-(hLen+1) equal to 351 (or 15F)
- The SHA256 digest algorithm
are presented below.

Iteration 0 (T length = 00)
Block mgfSD || C
0000 3F AE 5D 13 77 C7 30 7D 60 D3 9B 6C 6F 3B 93 3D
0010 01 89 95 5D 64 DF 4C 67 B6 3B F6 08 F3 F2 84 1C
0020 00 00 00 00
Result SHA-256(mgfSD || C)
0000 E2 DB 1C 9A C4 B9 69 92 EC E4 CC 9A 9E D7 82 AD
0010 59 0A CD 0B 51 58 03 56 5D 4C B3 26 89 5B B1 F1

Iteration 1 (T length = 20)
Block mgfSD || C
0000 3F AE 5D 13 77 C7 30 7D 60 D3 9B 6C 6F 3B 93 3D
0010 01 89 95 5D 64 DF 4C 67 B6 3B F6 08 F3 F2 84 1C
0020 00 00 00 01
Result SHA-256(mgfSD || C)
0000 27 EF 19 93 78 FD B8 67 DF 4C 66 7A 91 27 4E 62
0010 7A 81 8D D4 C7 BA 06 CB 6C 27 C8 D7 9B 96 15 B0

Iteration 2 (T length = 40)
Block mgfSD || C
0000 3F AE 5D 13 77 C7 30 7D 60 D3 9B 6C 6F 3B 93 3D
0010 01 89 95 5D 64 DF 4C 67 B6 3B F6 08 F3 F2 84 1C
0020 00 00 00 02
Result SHA-256(mgfSD || C)
0000 DA 8A 43 17 70 50 A5 CC 48 29 C8 B3 F1 A9 1A F6
0010 68 CC 0C 03 49 E4 74 32 28 86 3B 7A 35 B8 87 B0

Iteration 3 (T length = 60)
Block mgfSD || C
0000 3F AE 5D 13 77 C7 30 7D 60 D3 9B 6C 6F 3B 93 3D
0010 01 89 95 5D 64 DF 4C 67 B6 3B F6 08 F3 F2 84 1C
0020 00 00 00 03
Result SHA-256(mgfSD || C)
0000 0C EC 0B E5 8E 79 9C EB FF FD BB ED E9 ED 31 35
0010 15 F6 B4 DA 9D 87 8D E7 0F DE 06 23 5C 60 D4 59

Iteration 4 (T length = 80)
Block mgfSD || C
0000 3F AE 5D 13 77 C7 30 7D 60 D3 9B 6C 6F 3B 93 3D
0010 01 89 95 5D 64 DF 4C 67 B6 3B F6 08 F3 F2 84 1C
0020 00 00 00 04
Result SHA-256(mgfSD || C)
0000 73 38 83 3B 66 16 65 C9 A6 01 7E FD 1A D8 00 5C
0010 F8 68 DC 71 A3 80 52 0E 0A 9D 27 23 23 82 A7 E3

Iteration 5 (T length = A0)
Block mgfSD || C
0000 3F AE 5D 13 77 C7 30 7D 60 D3 9B 6C 6F 3B 93 3D
0010 01 89 95 5D 64 DF 4C 67 B6 3B F6 08 F3 F2 84 1C
0020 00 00 00 05
Result SHA-256(mgfSD || C)
0000 8C 58 25 FA 97 F0 C2 06 0B 51 1B 04 5A 88 70 84
0010 83 13 CB BE F2 5C 07 79 E0 11 1F 52 A2 AF 8A 69

Iteration 6 (T length = C0)
Block mgfSD || C
0000 3F AE 5D 13 77 C7 30 7D 60 D3 9B 6C 6F 3B 93 3D
0010 01 89 95 5D 64 DF 4C 67 B6 3B F6 08 F3 F2 84 1C
0020 00 00 00 06
Result SHA-256(mgfSD || C)
0000 36 F8 EE 95 02 AB 5F 92 E6 6D B7 CA DD C2 FD 4D
0010 A3 B8 EB F4 CB 07 39 C3 5B 2E 3D C0 D0 DD 1A E4

Iteration 7 (T length = E0)
Block mgfSD || C
0000 3F AE 5D 13 77 C7 30 7D 60 D3 9B 6C 6F 3B 93 3D
0010 01 89 95 5D 64 DF 4C 67 B6 3B F6 08 F3 F2 84 1C
0020 00 00 00 07
Result SHA-256(mgfSD || C)
0000 5D 23 59 40 39 40 6C 21 A7 90 3F 1C 92 4D B7 F3
0010 4B 3E 37 D9 41 61 C8 F7 78 71 27 A0 65 77 36 66

Iteration 8 (T length = 100)
Block mgfSD || C
0000 3F AE 5D 13 77 C7 30 7D 60 D3 9B 6C 6F 3B 93 3D
0010 01 89 95 5D 64 DF 4C 67 B6 3B F6 08 F3 F2 84 1C
0020 00 00 00 08
Result SHA-256(mgfSD || C)
0000 7A 5F DB 49 75 CD E9 DA C0 2B 34 A2 78 85 B9 8D
0010 25 EF DA 91 BC E3 51 B1 5D E2 50 48 77 F5 81 77

Iteration 9 (T length = 120)
Block mgfSD || C
0000 3F AE 5D 13 77 C7 30 7D 60 D3 9B 6C 6F 3B 93 3D
0010 01 89 95 5D 64 DF 4C 67 B6 3B F6 08 F3 F2 84 1C
0020 00 00 00 09
Result SHA-256(mgfSD || C)
0000 F7 71 4C 0E 38 EC FE 6E 8E B1 62 5C A9 1E 8C 9E
0010 E1 B1 B4 6D 71 F2 D6 46 69 D3 95 EE 53 C4 A8 E5

Iteration A (T length = 140)
Block mgfSD || C
0000 3F AE 5D 13 77 C7 30 7D 60 D3 9B 6C 6F 3B 93 3D
0010 01 89 95 5D 64 DF 4C 67 B6 3B F6 08 F3 F2 84 1C
0020 00 00 00 0A
Result SHA-256(mgfSD || C)
0000 01 70 BE 4A 14 0D 8E A7 2B 4A 00 D5 03 D8 2A 33
0010 93 03 D4 DF CA F8 74 CC 4E BD D9 C3 9C 0B 01 04
] w 0}` lo; =| | ]d Lg ; | | | | p J | +J t N *3| | 1691 1692 The resulting block DBM, mask of the data block, is: 1693 1694 1695 1696 1697 1698 1699 1700 1701 1702 1703 1704 1705 1706 1707 1708 1709 1710 1711 1712 1713 1714 0000 0010 0020 0030 0040 0050 0060 0070 0080 0090 00A0 00B0 00C0 00D0 00E0 00F0 0100 0110 0120 0130 0140 0150 E2 59 27 7A DA 68 0C 15 73 F8 8C 83 36 A3 5D 4B 7A 25 F7 E1 01 93 DB 0A EF 81 8A CC EC F6 38 68 58 13 F8 B8 23 3E 5F EF 71 B1 70 03 1C CD 19 8D 43 0C 0B B4 83 DC 25 CB EE EB 59 37 DB DA 4C B4 BE D4 9A 0B 93 D4 17 03 E5 DA 3B 71 FA BE 95 F4 40 D9 49 91 0E 6D 4A DF C4 51 78 C7 70 49 8E 9D 66 A3 97 F2 02 CB 39 41 75 BC 38 71 14 CA B9 58 FD BA 50 E4 79 87 16 80 F0 5C AB 07 40 61 CD E3 EC F2 0D F8 69 03 B8 06 A5 74 9C 8D 65 52 C2 07 5F 39 6C C8 E9 51 FE D6 8E 74 92 56 67 CB CC 32 EB E7 C9 0E 06 79 92 C3 21 F7 DA B1 6E 46 A7 CC EC 5D DF 6C 48 28 FF 0F A6 0A 0B E0 E6 5B A7 78 C0 5D 8E 69 2B 4E E4 4C 4C 27 29 86 FD DE 01 9D 51 11 6D 2E 90 71 2B E2 B1 D3 4A BD CC B3 66 C8 C8 3B BB 06 7E 27 1B 1F B7 3D 3F 27 34 50 62 95 00 D9 9A 26 7A D7 B3 7A ED 23 FD 23 04 52 CA C0 1C A0 A2 48 5C EE D5 C3 9E 89 91 9B F1 35 E9 5C 1A 23 5A A2 DD D0 92 65 78 77 A9 53 03 9C D7 5B 27 96 A9 B8 ED 60 D8 82 88 AF C2 DD 4D 77 85 F5 1E C4 D8 0B 82 B1 4E 15 1A 87 31 D4 00 A7 70 8A FD 1A B7 36 B9 81 8C A8 2A 01 AD F1 62 B0 F6 B0 35 59 5C E3 84 69 4D E4 F3 66 8D 77 9E E5 33 | i | |Y QX V]L & [ | |' x g Lfz 'Nb| |z l' | | C pP H) | |h I t2( ;z5 | | y 15| | #\` Y| |s8 ;f e ~ \| | h q R '## | | X% Q Z p | | \ y R i| |6 _ m M| | 9 [.= | |]#Y@9@l! ? 
M | |K>7 Aa xq' ew6f| |z_ Iu +4 x | |% Q ] PHw w| | qL 8 n b\ | | mq Fi S | | p J +J *3| | t N | 1715 1716 3 Key Management Mechanisms - 64 - 3.3 RSAES-OAEP Key Encryption Card Payment Protocols Security Version 2.1 1717 1718 Step (v): Retrieving the data block DB 1719 1720 The data block DB, result of the bitwise exclusive or between the masked data MDB and data mask DBM is then: 1721 1722 1723 1724 1725 1726 1727 1728 1729 1730 1731 1732 1733 1734 1735 1736 1737 1738 1739 1740 1741 1742 0000 0010 0020 0030 0040 0050 0060 0070 0080 0090 00A0 00B0 00C0 00D0 00E0 00F0 0100 0110 0120 0130 0140 0150 E3 27 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 EF B0 AE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 C4 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 98 42 E4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 A7 98 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3D FC 9B 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E9 1C 93 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D6 14 4C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5B 9A A4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 BF FB 95 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 26 F4 99 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 64 C8 1B 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 99 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 6F 52 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 B9 B8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 16 24 55 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 AE |...B.........o.$| |'.A.d..L....xR.U| |................| |................| |................| |................| |................| |................| |................| |................| |................| |................| |................| |................| |................| |................| |................| |................| 
|................| |................| |................| |....=..[.&dX... | E3 B0 C4 42 98 FC 1C 14 9A FB F4 C8 99 6F B9 24 27 AE 41 E4 64 9B 93 4C A4 95 99 1B 78 52 B8 55 |...B.........o.$| |'.A.d..L....xR.U| 1743 1744 1745 Step (vi): Digest LH of the empty string Label 1746 1747 1748 1749 The block LH, SHA-256 digest of the empty string, is: 0000 0010 1750 1751 1752 1753 Step (vii): Retrieving the data (KT key) 1754 The data block DB is split in 3 blocks: LH’ || PS || M || KT 1755 LH’ and LH, of length 32 (or 20), have the same value, 1756 PS the largest string following LH’ of hexadecimal of value 00, has a length of 302 (or 12E) bytes 1757 M, the following byte, has the value 01, 1758 The data, or KT key, is: 1759 0000 AE EF 80 98 A7 3D E9 D6 5B BF 26 64 58 04 02 16 |.....=..[.&dX...| 1760 1761 1762 3 Key Management Mechanisms - 65 - 3.3 RSAES-OAEP Key Encryption Card Payment Protocols Security Version 2.1 1763 3.4 RSAEncryption Key Encryption 1764 1765 The RSAEncryption (RSAEncryption Scheme PKCS1-v1_5) is an encryption specified in the RFC 3447 “Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1”. 1766 1767 As mentioned in the RFC3447, we recommend also to use the RSAES-OAEP method, but for compatibility issue, we support also the RSAES-PKCS1-V1_5 method. 1768 1769 3.4.1 Key Management 1770 1771 The RSAEncryption algorithm is used to encrypt a transport key by a RSA public key, as specified in the RFC 3370 “Cryptographic Message Syntax (CMS) Algorithms”. 1772 1773 The RSA public key must be authenticated by a Certificate Authority that has signed the RSA public along with other information in a X.509 certificate. 1774 1775 The keyUsage extension must be present in the X.509 certificate, and must contain the value “keyEncipherment”. 
The KeyTransport choice of the CMS Recipient data structure must be used with:
- The Issuer’s distinguished names of the X.509 certificate, with the AttributeType and AttributeValue in the same order as in the X.509 certificate.
- The serial number of the X.509 certificate.

There is no parameter for RSAEncryption.

3.4.2 Resulting CMS Structure

The CMS data structure that is used by the provided RSAEncryption key is the following:

2. EnvelopedData to convey an encrypted key encryption key. One occurrence of EnvelopedData/Recipient/KeyTransport contains the information to retrieve the key encryption key.

The Recipient element of EnvelopedData is presented in the table below:

Message Item                          Mult.    Usage
Recipient                             [1..1]   Information related to the transport key for the recipient.
  KeyTransport                        [1..1]   RSAEncryption uses the KeyTransport choice.
    Version                           [1..1]   [default 0] Version of the data structure, current version is 0.
    RecipientIdentification           [1..1]   Identification of the X.509 certificate of the RSA public key.
      IssuerAndSerialNumber           [1..1]   Identification of the issuer and the serial number of the X.509 certificate.
        Issuer                        [1..1]   Identification of the issuer of the X.509 certificate.
          RelativeDistinguishedName   [1..*]   X.509 attributes of the issuer of the X.509 certificate, in the same order as the certificate.
            AttributeType             [1..1]   X.509 attribute, allowed codes:
                                                 CountryName: Country of the certificate issuer
                                                 Locality: City of the certificate issuer
                                                 OrganisationName: Organisation of the certificate issuer
                                                 OrganisationUnitName: Organisation unit of the certificate issuer
                                                 CommonName: Name of the certificate issuer
            AttributeName             [1..1]   Value of the X.509 attribute.
        SerialNumber                  [1..1]   Serial number of the X.509 certificate of the RSA public key.
    KeyEncryptionAlgorithm            [1..1]   Algorithm to encrypt the transport key by the RSA public key.
      Algorithm                       [1..1]   Encryption algorithm for the encryption of the transport key. Allowed value:
                                                 RSAEncryption: RSA key encryption scheme (PKCS #1 version 2.1) - (ASN.1 Object Identifier: rsaEncryption).
    EncryptedKey                      [1..1]

3.4.3 Key Encryption Process

The encryption following the RSAEncryption algorithm is described below with the following notations:
- K: the RSA key pair
- k: the length of the K modulus
- KT: the plaintext transport key
- mLen: the length of the key KT
- 01: a hexadecimal value
- ||: the concatenation

(i) Compute a pseudo-randomly generated non-zero octet string PS of length k-mLen-3.
(ii) Build the block EM = 00 || 02 || PS || 00 || KT of length mLen
(iii) Encrypt the block EM with the RSA public key K to fill EncryptedKey.

The figure below summarises the steps (i) to (iii) of the RSAEncryption encryption process.

Figure 15 : Encryption step of RSAEncryption (EM of length k = 00 | 02 | random PS of length k-(mLen+3) | 00 | KT of length mLen; RSA with public key K gives EncryptedKey)

3.4.4 Key Decryption Process

The RSAEncryption decryption is described below with the same notations as for the encryption:

(i) Decrypt the value of EncryptedKey with the RSA private key K to the block EM
(ii) Split the data block EM = 00 || 02 || PS || 00 || KT
     PS is a pseudo-random string
     KT is the transport key to use

The figure below summarises the steps (i) to (ii) of the RSAEncryption decryption process.
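The padding and splitting steps of 3.4.3 and 3.4.4 in runnable form, as an added example that is not part of the nexo specification. The RSA key is a constructed toy key built from two Mersenne primes (an assumption so the block runs offline, unsuitable for real use), the function names are hypothetical, and EM is taken to be k bytes long as Figure 15 shows; the minimum of 8 octets for PS comes from RFC 3447.

```python
import secrets

# Constructed toy key (NOT the key of the specification): two Mersenne primes give
# a 1128-bit modulus without any key generation code. Unsuitable for real use.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q
E = 0x010001                       # public exponent, same value as in the page's example
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent
K = (N.bit_length() + 7) // 8      # k: length of the modulus in bytes (141 here)

# Transport key KT of section 3.4.5.2 (112-bit triple DES key, mLen = 16 bytes).
KT = bytes.fromhex("AEEF8098A73DE9D65BBF266458040216")


class PaddingError(ValueError):
    """One error for every malformed EM, so callers cannot tell the checks apart."""


def build_em(kt: bytes, k: int) -> bytes:
    """Encryption steps (i) and (ii): EM = 00 || 02 || PS || 00 || KT, k bytes long."""
    ps_len = k - len(kt) - 3
    if ps_len < 8:                 # RFC 3447 requires at least 8 octets of PS
        raise ValueError("transport key too long for this modulus")
    # Every PS octet is non-zero, so the first 00 after the 02 marks the end of PS.
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + kt


def split_em(em: bytes, k: int, m_len: int) -> bytes:
    """Decryption step (ii): validate 00 || 02 || PS || 00 and return KT."""
    sep = em.find(b"\x00", 2)      # index of the 00 that follows PS, or -1
    well_formed = (
        len(em) == k
        and em[:2] == b"\x00\x02"
        and sep >= 10                    # PS holds at least 8 non-zero octets
        and len(em) - sep - 1 == m_len   # what follows the 00 is exactly one KT
    )
    if not well_formed:
        raise PaddingError("decryption error")
    return em[sep + 1:]


def encrypt_key(kt: bytes) -> bytes:
    """Encryption step (iii): the RSA public-key operation on EM gives EncryptedKey."""
    em = build_em(kt, K)
    return pow(int.from_bytes(em, "big"), E, N).to_bytes(K, "big")


def decrypt_key(encrypted_key: bytes, m_len: int) -> bytes:
    """Decryption steps (i) and (ii): RSA private-key operation, then split EM."""
    c = int.from_bytes(encrypted_key, "big")
    if len(encrypted_key) != K or c >= N:
        raise PaddingError("decryption error")
    em = pow(c, D, N).to_bytes(K, "big")
    return split_em(em, K, m_len)


if __name__ == "__main__":
    wrapped = encrypt_key(KT)
    print("EncryptedKey:", wrapped.hex().upper())
    print("Recovered KT:", decrypt_key(wrapped, len(KT)).hex().upper())
```

With the 3072-bit key of section 3.4.5, k is 384 bytes, so `build_em(KT, 384)` produces a PS of 365 bytes.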
Figure 16 : RSAEncryption Decryption (EncryptedKey; RSA with private key K gives EM = 00 | 02 | PS of length k-(mLen+3) | 00 | KT)

3.4.5 Examples

3.4.5.1 RSA Encryption Key and Certificate

The RSA key to encrypt the transport key has a key length of 3072 bits with the components dumped below:

RSA Key Component      Value
Public Exponent        010001

This RSA key is authenticated by a certificate authority with the following information:

Certificate Information        Value
serialNumber                   7895 CA35 014C 3D2F 1E11 B10D
Issuer
  Country Name                 BE
  Organisation Name            EPASOrg
  Organisation Unit Name       Technical Center of Expertise
  Common Name                  EPAS Protocols Test CA
Validity
  notBefore                    20130418101823+0100
  notAfter                     20181001182005+0100
Subject
  Country Name                 FR
  Organisation Name            EPASOrg
  Organisation Unit Name       Technical Center of Expertise
  Common Name                  EPAS Protocol Test Host Key Encryption
Extensions
  keyUsage                     KeyEncipherment

The dump of the X.509 certificate is:

The RSA key of the certificate authority signing this X.509 certificate has a key length of 4096 bits with the components dumped below:

RSA Key Component      Value
Public Exponent        010001

3.4.5.2 Encryption step

The transport key KT to encrypt is the following 112 bits triple DES key:

0000  AE EF 80 98 A7 3D E9 D6 5B BF 26 64 58 04 02 16  |.....=..[.&dX...|

Step (i): We generate PS

Step (ii): We build the EM block

The block EM, result of the concatenation of 00 || 02 || PS || 00 || KT is then:

Step (iii): Encryption of the block EM

The encryption of the block EM by the public RSA key is:

Inside the EnvelopedData CMS data structure, the Recipient data structure is presented in the table below:

Message Item                          Value
Recipient
  KeyTransport
    Version                           0
    RecipientIdentification
      IssuerAndSerialNumber
        Issuer
          RelativeDistinguishedName
            AttributeType             CountryName
            AttributeName             BE
          RelativeDistinguishedName
            AttributeType             OrganisationName
            AttributeName             EPASOrg
          RelativeDistinguishedName
            AttributeType             OrganisationUnitName
            AttributeName             Technical Center of Expertise
          RelativeDistinguishedName
            AttributeType             CommonName
            AttributeName             EPAS Protocols Test CA
        SerialNumber                  7895CA35014C3D2F1E11B10D
    KeyEncryptionAlgorithm
      Algorithm                       RSAEncryption
    EncryptedKey

The XML encoded structure of the Recipient data structure in the EnvelopedData CMS data structure is:

<Rcpt>
  <KeyTrnsprt>
    <Vrsn>0</Vrsn>
    <RcptId>
      <IssrAndSrlNb>
        <Issr>
          <RltvDstngshdNm>
            <AttrTp>CATT</AttrTp>
            <AttrVal>BE</AttrVal>
          </RltvDstngshdNm>
          <RltvDstngshdNm>
            <AttrTp>OATT</AttrTp>
            <AttrVal>EPASOrg</AttrVal>
          </RltvDstngshdNm>
          <RltvDstngshdNm>
            <AttrTp>OUAT</AttrTp>
            <AttrVal>Technical Center of Expertise</AttrVal>
          </RltvDstngshdNm>
          <RltvDstngshdNm>
            <AttrTp>CNAT</AttrTp>
            <AttrVal>EPAS Protocols Test CA</AttrVal>
          </RltvDstngshdNm>
        </Issr>
        <SrlNb>eJXKNQFMPS8eEbEN</SrlNb>
      </IssrAndSrlNb>
    </RcptId>
    <KeyNcrptnAlgo>
      <Algo>ERSA</Algo>
    </KeyNcrptnAlgo>
    <NcrptdKey>
      y+OryP/P5DOrHF1QQy/Gmkk9v/3Bkr4zE8IxkAb1HJwGRJG8JgYzTwC0hMROtXIDm5iRCBi/0QBvm5D
      hthmB2vLsmhrXqxnsYKu0ySTJdPh5z32AiLeiY6oYQjzI3d8gVMljTKKgE6MQmcOeLJQ+rIDSpb2ctsS
      v7Y/r68Wf8QNTtnADVYS3oA9B3X+hMiSyG0kkM/Qozw4bxuWyBQretXd5oEi7aAPozeaqiOhWx/NogJr
      e06yOdJ5gWxb/O9roS2upq9pYKxOx7R4LQJQedTmInBJhadJkkcP5bcLA6gjEWyEzwQx8QwM0x0PCP1g
      ZU3A7AjjSLmKj8uoeC6jaVnaO34YYIvvPcgrqG6goPtg2TtXjcm7Kn8/42BbNJFhikp+BUhtuRZDfW6N
      LAGtJLntVLtS0WZfHg4HSNQUYmYn4wPwy5lUqPpaYsbUxpzxQEfBLRCI62YREJNCPV3gMX3e4KJGjrUQ
      5y6mD+Vgko1OP840upjLcyKa/hAI9q1Sl
    </NcrptdKey>
  </KeyTrnsprt>
</Rcpt>
The dump of the XML encoded structure of the Recipient data structure without unnecessary spaces and tabs is:

3.4.5.3 Decryption step

We use the result of the previous section with the EncryptedKey message item value:

The value of mLen is 384 (or 180)

Step (i): Decryption of the block EncryptedKey

The decryption of the EncryptedKey message item by the private RSA key provides the following block EM:

The EM block is split in 5 blocks: 00 || 02 || PS || 00 || Kt

Step (ii): Retrieving the data (KT key)

4 Encryption Mechanisms

4.1 Introduction

Data encryption uses only the CBC (Cypher Block Chaining) encryption mode as defined in ISO/IEC 18033-3.

The following encryption cryptographic algorithms are supported:

1. Triple DES encryption with key of 112 bits as defined by the Federal Information Processing Standards in FIPS PUB 46-3 Data Encryption Standard (DES), using the Keying option 2,

2. AES encryption with key of 128 bits as defined by the Federal Information Processing Standards in FIPS 197 - November 6, 2001 - Advanced Encryption Standard.

Encryption uses the EnvelopedData CMS structure.

4.2 Resulting CMS Structure

Data encryption is transported inside the EnvelopedData choice of the generic CMS data structure ContentInformationType.

The EnvelopedData CMS data structure, used for encryption, is detailed in the table below.

SensitiveData                     Mult.   Usage
ContentType                       [1..1]  Value "EnvelopedData"
EnvelopedData                     [1..1]  Data protection by encryption.
  Version                         [0..1]  default 0
                                          Version of the data structure, current version is 0.
  Recipient                       [1..1]  Information related to the encryption key as defined by the key management.
    ...                                   see:
                                          section 3.1: DUKPT Key Management,
                                          section 3.2: UKPT Key Management,
                                          section 3.3: RSAES-OAEP Key Encryption.
  EncryptedContent                [1..1]  Encrypted data with the data encryption key.
    ContentType                   [1..1]  Type of encrypted data. Allowed values:
                                          EnvelopedData: Encrypted data content is a CMS EnvelopedData structure.
                                          AuthenticatedData: Encrypted data content is a CMS AuthenticatedData structure.
                                          SignedData: Encrypted data content is a CMS SignedData structure.
                                          DigestedData: Encrypted data content is a CMS DigestedData structure.
                                          PlainData: Encrypted application data is not a CMS data structure.
    ContentEncryptionAlgorithm    [1..1]  Algorithm used to encrypt the data.
      Algorithm                   [1..1]  Encryption algorithm:
                                          DES112CBC: CBC mode with Triple DES encryption using a double length cryptographic key (112 bits)
                                          AES128CBC: CBC mode with AES encryption using a 128 bits cryptographic key.
                                          AES192CBC: AES (Advanced Encryption Standard) CBC (Chaining Block Cypher) encryption with a 192 bits cryptographic key as defined by the Federal Information Processing Standards (FIPS 197 – November 6, 2001 - Advanced Encryption Standard).
                                          AES256CBC: AES (Advanced Encryption Standard) CBC (Chaining Block Cypher) encryption with a 256 bits cryptographic key as defined by the Federal Information Processing Standards (FIPS 197 – November 6, 2001 - Advanced Encryption Standard).
      Parameter                   [0..1]  Optional Initial Value of the CBC encryption.
                                          If Parameter is absent, a sequence of null bytes has to be used, with the length of block defined by the encryption algorithm (8 bytes for DES and 16 bytes for AES).
        EncryptionFormat          [0..1]  see KeyTransport/KeyEncryptionAlgorithm/EncryptionFormat.
        InitialisationVector      [1..1]  The 8-bytes-length (DES) or 16-bytes-length (AES) initial value of the CBC mode.
        BytePadding               [0..1]  see KeyTransport/KeyEncryptionAlgorithm/BytePadding.
    EncryptedData                 [1..1]  Result of the encryption.

4.3 Encryption/Decryption

4.3.1 CBC Encryption Process

(i) The encoded plaintext data, including the envelope, forms the data M to encrypt.

(ii) Padding of the data before M encryption:
  a. LB is the number of bytes of an encryption block (8 for DES and 16 for AES)
  b. The hexadecimal byte 80 is added at the end of M according to ISO/IEC 9797-1 method 2.
  c. If the new length of M is not a multiple of LB, M is extended by null bytes (hexadecimal 00), to reach a length which is a multiple of LB.

(iii) The result M of the padded data is split into blocks of LB bytes M1...Mn

(iv) With the encryption key K, and initialising C0 by the value of InitialisationVector, the encrypted data is the concatenation of C1...Cn, where
    Ci = EK (Ci-1 xor Mi)
    EK being the encryption algorithm (TDES or AES) with K

Figure 17 : CBC Encryption Process

4.3.2 CBC Decryption Process:

(i) LB is the number of bytes of an encryption block (8 for DES and 16 for AES)
    The encrypted data C is split into blocks of LB bytes C1...Cn

(ii) With the encryption key K, and initialising C0 by the value of InitialisationVector, compute the following blocks M1...Mn, where
    Mi = DK (Ci) xor Ci-1
    DK being the decryption algorithm (TDES or AES) with K

(iii) The last block Mn is right padded with the hexadecimal byte 80 according to ISO/IEC 9797-1 method 2, followed by a sequence of 0 to LB-1 null bytes, hexadecimal 00 (if this is not the case, decryption has failed, most probably because of a wrong encryption key).
    Remove the byte(s) of padding of the block Mn.
    The decrypted data is the concatenation of the blocks M1...Mn to form the data block M.

(iv) M is the encoded plaintext data, including the envelope. M must be parsed.

Figure 18 : CBC Decryption Process

4.3.3 Special Encryption/Decryption

As introduced in the beginning of the section, a deviation of the CBC mode is used for the transport of encrypted cardholder PIN.

The EnvelopedData/EncryptedContent CMS data structure is the same without the presence of Algorithm/Parameter, as presented in the table below.

SensitiveData                     Mult.   Usage
ContentType                       [1..1]  Value "EnvelopedData"
EnvelopedData                     [1..1]  Data protection by encryption.
  Version                         [0..1]  see EnvelopedData
  Recipient                       [1..1]  see EnvelopedData
    ...
  EncryptedContent                [1..1]  see EnvelopedData
    ContentType                   [1..1]  see EnvelopedData
    ContentEncryptionAlgorithm    [1..1]  Algorithm used to encrypt the data.
      Algorithm                   [1..1]  Encryption algorithm without padding:
                                          DES112CBC: Triple DES encryption using a double length cryptographic key (112 bits)
                                          AES128CBC: AES encryption using a 128 bits cryptographic key.
    EncryptedData                 [1..1]  Result of the encryption block (8 bytes for triple DES, 16 bytes for AES).

The encryption process encrypts directly the plaintext data M (8 bytes for DES and 16 bytes for AES) without padding and InitialisationVector. The encrypted data is C = EK (M), EK being the encryption algorithm (TDES or AES) with K.
The decryption process decrypts directly the encrypted data C (8 bytes for DES and 16 bytes for AES) without InitialisationVector. The decrypted data is M = DK (C), DK being the decryption algorithm (TDES or AES) with K.

Figure 19 : Special Encryption/Decryption

4.4 Examples

4.4.1 Data to Encrypt

As an example of input, we will use the PlainCardData data structure of the Acquirer protocol, using the XML/Schema encoding of the ISO 20022 ca.001.001.02 message.

The card data contains:
  - The PAN: 9913 3300 8057 4602
  - A card sequence number of 00
  - The expiration date in December 2014

The content value of the PlainCardData data structure is then presented in the table below.

Message Item                        Value
PlainCardData
  PAN                               9913330080574602
  CardSequenceNumber                00
  ExpiryDate                        2014-12
  CardSecurityCode
    CSCManagement                   CSCPresent
    CSCValue                        9915

The resulting XML encoded structure is:

<PlainCardData>
  <PAN>9913330080574602</PAN>
  <CardSeqNb>00</CardSeqNb>
  <XpryDt>2014-12</XpryDt>
  <CardSctyCd>
    <CSCMgmt>PRST</CSCMgmt>
    <CSCVal>9915</CSCVal>
  </CardSctyCd>
</PlainCardData>

Once unnecessary spaces and carriage returns are removed, PlainCardData is:

4.4.2 Triple DES Encryption with a 112 bits Key

The encryption block length of the Triple DES cryptographic algorithm is 8 bytes.

The length of the data M to encrypt is 176 bytes.

Applying the padding process, the hexadecimal byte 80 is appended according to ISO/IEC 9797-1 method 2, followed by 7 null bytes to reach a length of 184 bytes which is a multiple of the encryption block length, 8 bytes:

The test key that will be used is the data encryption DUKPT key for request:
    A75D 20F7 0451 7545 3E29 259D 3B08 A72A

Using the Initialisation Vector value A27BB46D1C306E09, the encryption of the padded card data provides the values below:

Without the content value of Recipient, the EnvelopedData CMS data structure would be:

Message Item                        Value
ProtectedCardData
  ContentType                       EnvelopedData
  EnvelopedData
    Recipient                       …
    EncryptedContent
      ContentType                   PlainData
      ContentEncryptionAlgorithm
        Algorithm                   DES112CBC
        Parameter
          InitialisationVector      A27BB46D1C306E09
      EncryptedData                 CB8548F2F3633C4DE9718E0BF185E874
                                    F95AD40BEE69BFCF4EBD240521BA285B
                                    3E94EDF9A53CF70B6F1BFBA0B2BB8E4B
                                    F1DBD3FC64BF7024AC1962801F1083DF
                                    6615849409C482C40E5F1D4B8B8530BE
                                    F2B0916EE7F88E3071679F7161C068C2
                                    67F0EAA64B4370AF93C21A1EA929D634
                                    597DCCBBD647E0CB0892212033CC384E
                                    8FB494E2F11E55D0F9129BFC4B3CBCA4
                                    0A0DB0E83FFA77F12B7A1ABF6A912568
                                    6FC43A9A09C05817D9DC1E61967BD529
                                    BB2CD3D617D378BB

4.4.3 AES Encryption with a 128 bits Key

The encryption block length of the AES cryptographic algorithm is 16 bytes.

The length of the data M to encrypt is 176 bytes.
Applying the padding process, the hexadecimal byte 80 is appended according to ISO/IEC 9797-1 method 2, followed by 15 null bytes to reach a length of 192 bytes which is a multiple of the encryption block length, 16 bytes:

The AES 128 bits test key has the same value as the DUKPT test base key:
    3723 3E89 0B01 04E9 BC94 3D0E 45EA E5A7

Using the Initialisation Vector value A27BB46D1C306E09 7E26BE8E9363DB28, the encryption of the padded card data provides the values below:

Without the content value of Recipient, the EnvelopedData CMS data structure would be:

Message Item                        Value
ProtectedCardData
  ContentType                       EnvelopedData
  EnvelopedData
    Recipient                       …
    EncryptedContent
      ContentType                   PlainData
      ContentEncryptionAlgorithm
        Algorithm                   AES128CBC
        Parameter
          InitialisationVector      A27BB46D1C306E097E26BE8E9363DB28
      EncryptedData                 7451178380EC033B362531530A965ED5
                                    3069871700A0976F8F3EDB1EC26E897A
                                    E981DF67D6CE39009795C23735291FE5
                                    D135EBE4B26FFAE0963967D3DBC8C27D
                                    F26317387BD70D90584C5A3ED09F101C
                                    F2484D7A95B460571F8D168B3873BC32
                                    E0CDC63284D35B3675983B754FDD4190
                                    B53D4CEF13DD913A865288C0B3A4F097
                                    17E4AA7685C7175FB8112C774F549397
                                    EBB7945B55ACD0F43D9CF020FA4F94C2
                                    CF81B6ACAA45413A256B3B7FB3D12355
                                    04C5316E57DA0C28D5AC2FD575DAF75B

4.4.4 Special Encryption/Decryption

Taking an example of PIN encryption with the following elements:
  - A Triple DES encryption,
  - The test PIN encryption DUKPT key: 5E64 F1AB F25D C45E 7F62 9EC2 B302 0715
  - A PIN block value of: 3408 667E EBDD BCAD

The result of the triple DES encryption is: 4560 A060 B4C6 727F

Without the content value of Recipient, the EnvelopedData CMS data structure would be:

Message Item                        Value
EncryptedPINBlock
  ContentType                       EnvelopedData
  EnvelopedData
    Recipient                       …
    EncryptedContent
      ContentType                   PlainData
      ContentEncryptionAlgorithm
        Algorithm                   DES112CBC
      EncryptedData                 4560A060B4C6727F
Encryption Mechanisms - 91 - 4.4 Examples Card Payment Protocols Security 2425 Version 2.1 5 MAC Mechanisms 2426 2427 5.1 Introduction 2428 The following MAC cryptographic algorithms are supported by nexo implementations: 2429 2430 2431 2432 1. Triple DES algorithm with double length key (112 Bit), using the retail CBC (Cipher Block Chaining) mode as defined in ISO 9807 and ANSI X9.19 with the padding method 2 from ISO9797-1, on the result of the SHA-256 digest of the message body as defined in FIPS 1802. This is used by legacy system, and will disappear after their upgrade. 2433 2434 2. Triple DES algorithm with double length key, using the retail CBC mode, applied to the SHA256 digest of the data. 2435 2436 3. The CMAC authentication mode as defined by the NIST recommendation 800-38B, using the AES encryption algorithm with 128 bits key length, applied to the SHA-256 digest of the data. 2437 2438 2439 4. The CMAC authentication mode as defined by the NIST recommendation 800-38B, using the Triple DES encryption algorithm with double length key, applied to the SHA-256 digest of the data. 2440 2441 2442 5.2 Resulting CMS Structure 2443 2444 MAC is transported inside the AuthenticatedData alternative of the generic CMS data structure ContentInformationType. 2445 The AuthenticatedData CMS data structure is detailed in the table below. SecurityTrailer Mult. Usage ContentType [1..1] Value "AuthenticatedData" AuthenticatedData [1..1] Message Authentication Code. Version [0..1] default 0 Version of the data structure, current version is 0. Recipient [1..1] Information related to the MAC generation key as defined by the key management. ... MACAlgorithm Algorithm 5 MAC Mechanisms see: section 3.1: DUKPT Key Management [1..1] Algorithm to compute message authentication code (MAC). [1..1] Cryptographic algorithms for the MAC. Allowed values: RetailCBCMAC: Retail CBC (Chaining Block Cypher) MAC (Message Authentication Code) (cf. 
ISO 9807, ANSI X9.19) - (ASN.1 Object Identifier: id-retail-cbc-mac). RetailSHA1MAC: Retail-CBC-MAC with SHA-1 (Secure Hash standard) - (ASN.1 Object Identifier: id-retail-cbc-macsha-1) with padding Method 2 from ISO9797-1. RetailSHA256MAC Retail-CBC-MAC with SHA-256 (Secure Hash standard) - (ASN.1 Object Identifier: id-retail-cbcmacsha-256). SHA256CMACwithAES128: CMAC (Cipher based Message Authentication Code) defined by the National Institute of Standards and Technology (NIST 800-38B - May 2005), using the block cipher Advanced Encryption Standard with a 128 bits cryptographic key, approved by the Federal Information Processing Standards (FIPS 197 November 6, 2001 - Advanced Encryption Standard). - 92 - 5.1 Introduction Card Payment Protocols Security SecurityTrailer Version 2.1 Mult. Usage SHA384CMACwithAES192: CMAC (Cipher based Message Authentication Code) defined by the National Institute of Standards and Technology (NIST 800-38B - May 2005), using the block cipher Advanced Encryption Standard with a 192 bits cryptographic key, approved by the Federal Information Processing Standards (FIPS 197 November 6, 2001 - Advanced Encryption Standard). The CMAC algorithm is computed on the SHA-384 digest of the message. SHA512CMACwithAES256: CMAC (Cipher based Message Authentication Code) defined by the National Institute of Standards and Technology (NIST 800-38B - May 2005), using the block cipher Advanced Encryption Standard with a 256 bits cryptographic key, approved by the Federal Information Processing Standards (FIPS 197 November 6, 2001 - Advanced Encryption Standard). The CMAC algorithm is computed on the SHA-512 digest of the message. [0..1] Optional Initial Value of the CBC encryption. If Parameter is absent, a sequence of null bytes have to be used, with the length of block defined by the encryption algorithm (8 bytes for DES and 16 bytes for AES). InitialisationVector [1..1] The 8-bytes-length (DES) or 16-bytes-length (AES) initial value of the CBC mode. 
BytePadding [0..1] Parameter EncapsulatedContent [1..1] Data to authenticate, Content item is absent as this is a detached MAC. ContentType [1..1] Type of authenticated data. Allowed values: EnvelopedData: Authenticated data content is a CMS EnvelopedData structure. SignedData: Authenticated data content is a CMS SignedData structure. DigestedData: Authenticated data content is a CMS DigestedData structure. PlainData: Authenticated application data is not a CMS data structure. [1..1] Result of the MAC generation. MAC 2446 2447 2448 2449 5 MAC Mechanisms - 93 - 5.2 Resulting CMS Structure Card Payment Protocols Security 2450 Version 2.1 5.3 MAC Generation and Verification Processes 2451 2452 2453 MAC generation and MAC verification use the same algorithms. MAC is verified by generating the MAC from the received message, and compared to the received MAC. 2454 2455 5.3.1 Retail-CBC-MAC with SHA-256 2456 2457 2458 (i) Compute the SHA-256 digest D on the encoded body of the message, including the envelope, as transmitted by the transport level: 2459 2460 2461 2462 2463 2464 2465 For the MAC verification of a received message, the digest is computed on the body as received by the transport level. For the MAC generation of a message to send, the body shall have no change after the generation of the digest. (ii) Padding of the data D: the hexadecimal byte 80 is appended to D according to ISO/IEC 97971 method 2. If the new length is not a multiple of 8, D is padded by null bytes (hexadecimal 00), to reach a length multiple of 8. 
(iii) The padded data D is split into blocks of 8 bytes D_1...D_n.

(iv) With the left part KL of the MAC key K, and initialising C_0 with 8 null bytes, compute the sequence C_1...C_{n-1}, where
  C_i = E_KL(C_{i-1} xor D_i)
  E_KL being the DES encryption with KL.

(v) The MAC is the result of:
  MAC = E_K(C_{n-1} xor D_n)
  E_K being the Triple-DES encryption with K.

Figure 20 : Retail-CBC-MAC with SHA-256

5.3.2 CMAC with SHA256

CMAC generation and CMAC verification use the same algorithms. A CMAC is verified by generating the MAC from the received message and comparing it to the received MAC.

CMAC can be used with a Triple DES or an AES encryption algorithm.

(i) Compute the SHA-256 digest D on the encoded body of the message, including the envelope, as transmitted by the transport level:
  - For the MAC verification of a received message, the digest is computed on the body as received by the transport level.
  - For the MAC generation of a message to send, the body shall not change after the generation of the digest.

(ii) Generate the subkeys K1 and K2 from the key K (see the algorithm below).

(iii) Let b be the block size of the encryption algorithm (64 bits for Triple DES, and 128 bits for AES). Split the digest D into blocks of size b: D_1...D_{n-1} D*_n. If the block D*_n has the same size as b (complete block):
  D_n = D*_n xor K1

(iv) If the size of D*_n is lower than b [1]: according to ISO/IEC 9797-1 method 2, add the byte 80 at the end of D*_n and complete it if necessary with null bytes 00 to reach the length of a block of size b, then:
  D_n = D*_n xor K2

(v) Initialising C_0 with null bytes, compute the sequence C_1...C_{n-1}, where
  C_i = E_K(C_{i-1} xor D_i)
  E_K being the encryption (Triple DES or AES) with K.

(vi) The MAC is the block C_n:
  MAC = C_n

Figure 21 : CMAC with SHA-256

[1] This case never happens for D, which has the size of a SHA-256 digest.

Generation of CMAC Subkeys K1 and K2

(i) Build the block L, the result of the encryption by K of a block containing null bytes.

(ii) If the most significant bit of L is 0, K1 = L<<1, else K1 = (L<<1) xor R
  (X<<1 is the bit string resulting from discarding the leftmost bit of X and appending a bit 0 at the right),
  where R = 00…001B for b = 8 bytes, and R = 00…0087 for b = 16 bytes.

(iii) If the most significant bit of K1 is 0, K2 = K1<<1, else K2 = (K1<<1) xor R

Figure 22 : Generation of CMAC Subkeys

5.4 Examples

5.4.1 Message Body

As the message body for the MAC examples, we will use the AcceptorDiagnosticRequest message of the Acquirer protocol, with the XML/Schema encoding of the ISO 20022 caaa.013.001.02 message.
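The subkey generation and last-block handling of section 5.3.2, written out so that they can be checked against the values of the AES example in section 5.4.4 (L, K1, K2, D2). This is an added example, not code from the nexo specification: all function names are hypothetical, and the block cipher is passed in as a function `encrypt_block` (an assumption), to be supplied from an AES or Triple DES implementation.

```python
"""CMAC over a SHA-256 digest, following steps (i)-(vi) of section 5.3.2."""
import hashlib
import hmac
from typing import Callable, List, Tuple

# Constant R of the subkey generation: 1B for b = 8 bytes, 87 for b = 16 bytes.
R_BY_BLOCK_SIZE = {8: 0x1B, 16: 0x87}

# Values quoted from section 5.4.4 of the page (AES example).
PAGE_L = bytes.fromhex("4B4FF02B0CF510FC6E0D6286D433FDB4")
PAGE_K1 = bytes.fromhex("969FE05619EA21F8DC1AC50DA867FB68")
PAGE_K2 = bytes.fromhex("2D3FC0AC33D443F1B8358A1B50CFF657")
PAGE_DIGEST = bytes.fromhex(
    "C411A94F56978EA18B9DCAF4A0DE5B4409BEA99387581ACAE5013D4A5538AFB0")
PAGE_D2 = bytes.fromhex("9F2149C59EB23B32391BF847FD5F54D8")


def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise xor of two blocks of equal length."""
    return bytes(x ^ y for x, y in zip(a, b))


def shift_left_xor_r(block: bytes) -> bytes:
    """Return X<<1, xored with R when the most significant bit of X is 1."""
    size = len(block)
    value = int.from_bytes(block, "big")
    shifted = (value << 1) & ((1 << (8 * size)) - 1)  # discard the leftmost bit
    if value >> (8 * size - 1):
        shifted ^= R_BY_BLOCK_SIZE[size]
    return shifted.to_bytes(size, "big")


def subkeys_from_l(l_block: bytes) -> Tuple[bytes, bytes]:
    """Subkey generation steps (ii) and (iii): derive K1 and K2 from L."""
    k1 = shift_left_xor_r(l_block)
    return k1, shift_left_xor_r(k1)


def prepare_blocks(data: bytes, k1: bytes, k2: bytes) -> List[bytes]:
    """Steps (iii) and (iv): split into blocks and mask the last one."""
    b = len(k1)
    blocks = [data[i:i + b] for i in range(0, len(data), b)] or [b""]
    last = blocks[-1]
    if len(last) == b:                       # complete block: xor with K1
        blocks[-1] = xor(last, k1)
    else:                                    # pad with 80 00..00, xor with K2
        padded = last + b"\x80" + b"\x00" * (b - len(last) - 1)
        blocks[-1] = xor(padded, k2)
    return blocks


def cmac_sha256(body: bytes, encrypt_block: Callable[[bytes], bytes],
                block_size: int) -> bytes:
    """Steps (i)-(vi): digest the body, then CBC-chain the masked blocks."""
    if block_size not in R_BY_BLOCK_SIZE:
        raise ValueError("block size must be 8 (Triple DES) or 16 (AES) bytes")
    digest = hashlib.sha256(body).digest()
    k1, k2 = subkeys_from_l(encrypt_block(bytes(block_size)))
    c = bytes(block_size)                    # C_0: null bytes
    for d in prepare_blocks(digest, k1, k2):
        c = encrypt_block(xor(c, d))
    return c                                 # MAC = C_n


def verify_cmac_sha256(body: bytes, received_mac: bytes,
                       encrypt_block: Callable[[bytes], bytes],
                       block_size: int) -> bool:
    """Regenerate the MAC from the received body and compare in constant time."""
    expected = cmac_sha256(body, encrypt_block, block_size)
    return hmac.compare_digest(expected, received_mac)


if __name__ == "__main__":
    k1, k2 = subkeys_from_l(PAGE_L)
    print("K1 matches page:", k1 == PAGE_K1)
    print("K2 matches page:", k2 == PAGE_K2)
    print("D2 matches page:", prepare_blocks(PAGE_DIGEST, k1, k2)[1] == PAGE_D2)
```

The comparison uses `hmac.compare_digest` so that the time taken does not depend on how many leading bytes of a wrong MAC happen to be correct.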
As input of the AcceptorDiagnosticRequest MAC, the XML encoded body DiagnosticRequest of the message is:

    <DgnstcReq>
      <Envt>
        <AcqrrParamsVrsn>2010-01-01T08:00:00</AcqrrParamsVrsn>
        <MrchntId>
          <Id>EPASMER001</Id>
          <Tp>MERC</Tp>
        </MrchntId>
        <POIId>
          <Id>66000001</Id>
          <Tp>OPOI</Tp>
          <Issr>ACQR</Issr>
        </POIId>
      </Envt>
    </DgnstcReq>

Once unnecessary spaces and carriage returns are removed, AcceptorDiagnosticRequest is:

    <DgnstcReq><Envt><AcqrrParamsVrsn>2010-01-01T08:00:00</AcqrrParamsVrsn><MrchntId><Id>EPASMER001</Id><Tp>MERC</Tp></MrchntId><POIId><Id>66000001</Id><Tp>OPOI</Tp><Issr>ACQR</Issr></POIId></Envt></DgnstcReq>

5.4.2 Retail-CBC-MAC

Applying the padding process from ISO/IEC 9797-1 method 2, the hexadecimal byte 80 is appended, followed by 2 null bytes to reach a length of 208 bytes, a multiple of 8.

The test key that will be used is the message authentication DUKPT key for request message:

    5E64 F1AB F25D 3BA1 7F62 9EC2 B302 F8EA

The Retail CBC encryption is then applied to the padded data [2]. The MAC of the message is the last 8 bytes of the result:

    E7 4F 47 FE 22 BA 78 E3

The SecurityTrailer data structure with the MAC information is presented in the table below.

| Message Item | Value |
|---|---|
| SecurityTrailer | |
|   ContentType | AuthenticatedData |
|   AuthenticatedData | |
|     Recipient | … |
|     MACAlgorithm | |
|       Algorithm | RetailCBCMAC |
|     EncapsulatedContent | |
|       ContentType | PlainData |
|     MAC | E74F47FE22BA78E3 |

[2] Since the padding Method 2 is applied, the Retail CBC-MAC follows the algorithm described in section 5.3.1 (Retail-CBC-MAC with SHA-256) without computing the SHA-256 in step (i) of the algorithm.

5.4.3 Retail-CBC-MAC with SHA-256

The SHA256 digest of the DiagnosticRequest message body is:

    0000  C4 11 A9 4F 56 97 8E A1 8B 9D CA F4 A0 DE 5B 44  |...OV.........[D|
    0010  09 BE A9 93 87 58 1A CA E5 01 3D 4A 55 38 AF B0  |.....X....=JU8..|

Applying the padding process from ISO/IEC 9797-1 method 2, the hexadecimal byte 80 is appended, followed by 7 null bytes to reach a length of 40 bytes, a multiple of 8:

    0000  C4 11 A9 4F 56 97 8E A1 8B 9D CA F4 A0 DE 5B 44  |...OV.........[D|
    0010  09 BE A9 93 87 58 1A CA E5 01 3D 4A 55 38 AF B0  |.....X....=JU8..|
    0020  80 00 00 00 00 00 00 00                          |........|

The test key that will be used is the message authentication DUKPT key for request message:

    5E64 F1AB F25D 3BA1 7F62 9EC2 B302 F8EA

The Retail CBC encryption of the padded SHA256 digest provides the value below:

    0000  0C 39 D3 CF 05 F9 F4 97 E0 1E 69 DE 5F 23 F8 72  |.9........i._#.r|
    0010  81 EC 98 C5 B4 12 CD A4 19 E8 06 D6 F2 03 9F B3  |................|
    0020  21 86 58 17 8E B7 E8 F6                          |!.X.....|

The MAC of the message is the last 8 bytes:

    21 86 58 17 8E B7 E8 F6

The SecurityTrailer data structure with the MAC information is presented in the table below.
Without the content value of Recipient, the AuthenticatedData CMS data structure would be:

| Message Item | Value |
|---|---|
| SecurityTrailer | |
|   ContentType | AuthenticatedData |
|   AuthenticatedData | |
|     Recipient | … |
|     MACAlgorithm | |
|       Algorithm | RetailSHA256MAC |
|     EncapsulatedContent | |
|       ContentType | PlainData |
|     MAC | 218658178EB7E8F6 |

5.4.4 SHA-256 CMAC with AES

This example uses, as the AES 128-bit test key, the same value as the test DUKPT base derivation key. The MAC AES key K is then:

    37233E89 0B0104E9 BC943D0E 45EAE5A7

Generation of CMAC Subkeys

The AES encryption of the null block with the key K is the block L with the following value:

    0000  4B 4F F0 2B 0C F5 10 FC 6E 0D 62 86 D4 33 FD B4  |KO.+....n.b..3..|

The most significant bit of L is 0, K1 is then the value of L<<1:

    0000  96 9F E0 56 19 EA 21 F8 DC 1A C5 0D A8 67 FB 68  |...V..!......g.h|

The value of K1 is then:

    0000  96 9F E0 56 19 EA 21 F8 DC 1A C5 0D A8 67 FB 68  |...V..!......g.h|

The most significant bit of K1 is 1, the value of K1<<1 is then:

    0000  2D 3F C0 AC 33 D4 43 F1 B8 35 8A 1B 50 CF F6 D0  |-?..3.C..5..P...|

The value of K2 = (K1<<1) xor 87 is then:

    0000  2D 3F C0 AC 33 D4 43 F1 B8 35 8A 1B 50 CF F6 57  |-?..3.C..5..P..W|

The value of K2 is then:

    0000  2D 3F C0 AC 33 D4 43 F1 B8 35 8A 1B 50 CF F6 57  |-?..3.C..5..P..W|

Generation of the MAC

The SHA256 digest of the DiagnosticRequest message body is:

    0000  C4 11 A9 4F 56 97 8E A1 8B 9D CA F4 A0 DE 5B 44  |...OV.........[D|
    0010  09 BE A9 93 87 58 1A CA E5 01 3D 4A 55 38 AF B0  |.....X....=JU8..|

The digest is split in 2 blocks, the last one being a complete block D*2:

    0010  09 BE A9 93 87 58 1A CA E5 01 3D 4A 55 38 AF B0  |.....X....=JU8..|

The block D2 = D*2 xor K1 is then:

    0000  9F 21 49 C5 9E B2 3B 32 39 1B F8 47 FD 5F 54 D8  |.!I...;29..G._T.|

The blocks D1 to D2 are then:

    0000  C4 11 A9 4F 56 97 8E A1 8B 9D CA F4 A0 DE 5B 44  |...OV.........[D|
    0010  9F 21 49 C5 9E B2 3B 32 39 1B F8 47 FD 5F 54 D8  |.!I...;29..G._T.|

The CBC encryption provides the values C1 to C2 below:

    0000  10 B0 E4 4F BE E2 92 C8 BA 31 07 81 36 AC 52 DE  |...O.....1..6.R.|
    0010  4B C1 AA 74 F2 BB 58 03 D1 41 EA 97 42 2B 4B 73  |K..t..X..A..B+Ks|

The MAC of the message is the last 16 bytes:

    4B C1 AA 74 F2 BB 58 03 D1 41 EA 97 42 2B 4B 73

The SecurityTrailer data structure with the MAC information is presented in the table below.

Without the content value of Recipient, the AuthenticatedData CMS data structure would be:

| Message Item | Value |
|---|---|
| SecurityTrailer | |
|   ContentType | AuthenticatedData |
|   AuthenticatedData | |
|     Recipient | … |
|     MACAlgorithm | |
|       Algorithm | SHA256CMACwithAES128 |
|     EncapsulatedContent | |
|       ContentType | PlainData |
|     MAC | 4BC1AA74F2BB5803D141EA97422B4B73 |

6 Digital Signature Mechanisms

6.1 Introduction

The following digital signature cryptographic algorithms are supported by nexo implementations:

1. Signature algorithm with RSA (PKCS #1 version 2.1), using the SHA-256 digest algorithm (ASN.1 Object Identifier: sha256WithRSAEncryption), in conformance with RFC 3447 (section 9.2 Encoding methods for signatures with appendix-PKCS1-v1_5).

The digital signature is used to sign nexo messages or a subset of the message, and only one signer provides a digital signature in a SignedData data structure.

The following chapters will focus on solutions where the signerIdentification is given by an IssuerAndSerialNumber element rather than a KEKIdentifier.
Nevertheless, the example in chapter 6.4.3 SHA-256 with RSA is also valid for this kind of key identification.

6.2 Resulting CMS Structure

The digital signature is transported inside the SignedData choice of the generic CMS data structure ContentInformationType. The SignedData CMS data structure is detailed in the table below.

| Or | SecurityTrailer | Mult. | Usage |
|---|---|---|---|
| | ContentType | [1..1] | Value "SignedData" |
| | SignedData | [1..1] | Message Authentication Code. |
| |   Version | [0..1] default 1 | Version of the data structure, current version is 1. |
| |   DigestAlgorithm | [1..1] | Digest algorithm used by the signer to perform its digital signature. |
| |     Algorithm | [1..1] | Cryptographic algorithms for digests, allowed values: |
| | | | SHA1: Message digest algorithm SHA-1 as defined in FIPS 180-2 (ASN.1 Object Identifier: id-sha1). |
| | | | SHA256: Message digest algorithm SHA-256 as defined in FIPS 180-2 (ASN.1 Object Identifier: id-sha256). |
| | | | SHA384: Message digest algorithm SHA-384 as defined in FIPS 180-2 (ASN.1 Object Identifier: id-sha384). |
| | | | SHA512: Message digest algorithm SHA-512 as defined in FIPS 180-2 (ASN.1 Object Identifier: id-sha512). |
| |   EncapsulatedContent | [1..1] | Data that have been signed, i.e. input of the digital signature generation. |
| |     ContentType | [1..1] | Type of signed data. Allowed values: |
| | | | EnvelopedData: Signed data content is a CMS EnvelopedData structure. |
| | | | AuthenticatedData: Signed data content is a CMS AuthenticatedData structure. |
| | | | DigestedData: Signed data content is a CMS DigestedData structure. |
| | | | PlainData: Signed application data is not a CMS data structure. |
| |   Certificate | [0..*] | Collection of certificates. |
| |   Signer | [1..1] | Identification of the signing and digital signature of the signer. |
| |     Version | [0..1] default 1 | Version of the data structure, current version is 1. |
| |     SignerIdentification | [1..1] | Identification of the signing key. |
| Or |       IssuerAndSerialNumber | [1..1] | Issuer name and serial number of the certificate. |
| |         Issuer | [1..1] | Issuer Name |
| |           RelativeDistinguishedName | [1..*] | X.500 attribute. |
| |             AttributeType | [1..1] | Type of attribute, allowed values: |
| | | | CountryName: Country name of the attribute (ASN.1 Object Identifier: id-at-countryName). |
| | | | CommonName: Common name of the attribute (ASN.1 Object Identifier: id-at-commonName). |
| | | | Locality: Locality of the attribute (ASN.1 Object Identifier: id-at-localityName). |
| | | | OrganisationName: Organization name of the attribute (ASN.1 Object Identifier: id-at-organizationName). |
| | | | OrganisationUnitName: Organization unit name of the attribute (ASN.1 Object Identifier: id-at-organizationalUnitName). |
| |             AttributeValue | [1..1] | Value of the attribute. |
| |         SerialNumber | [1..1] | Serial number of the certificate. |
| Or |       KeyIdentifier | [1..1] | Identifier of a cryptographic asymmetric key, previously exchanged between parties. |
| |         KeyIdentification | [1..1] | Identification of the key. |
| |         KeyVersion | [1..1] | Version of the key. |
| |         SequenceNumber | [0..1] | Number of usages of the cryptographic key. |
| |         DerivationIdentification | [0..1] | Information to perform key derivation. |
| |     DigestAlgorithm | [1..1] | Digest algorithm to apply to the data (EncapsulatedContent) before private encryption. |
| |       Algorithm | [1..1] | Identification of the algorithm. Cryptographic algorithms for digests, allowed values: |
| | | | SHA1: Message digest algorithm SHA-1 as defined in FIPS 180-2 (ASN.1 Object Identifier: id-sha1). |
| | | | SHA256: Message digest algorithm SHA-256 as defined in FIPS 180-2 (ASN.1 Object Identifier: id-sha256). |
| | | | SHA384: Message digest algorithm SHA-384 as defined in FIPS 180-2 (ASN.1 Object Identifier: id-sha384). |
| | | | SHA512: Message digest algorithm SHA-512 as defined in FIPS 180-2 (ASN.1 Object Identifier: id-sha512). |
| |     SignatureAlgorithm | [1..1] | Digital signature algorithm to apply to the data (EncapsulatedContent). |
| |       Algorithm | [1..1] | Digital signature algorithm, allowed values: |
| | | | RSASSA-PSS: Signature algorithm with Appendix, Probabilistic Signature Scheme (PKCS #1 version 2.1) (ASN.1 Object Identifier: id-RSASSA-PSS). |
| | | | SHA1WithRSA: Signature algorithms with RSA (PKCS #1 version 2.1), using SHA-1 digest algorithm (ASN.1 Object Identifier: sha1WithRSAEncryption). |
| | | | SHA256WithRSA: Signature algorithms with RSA (PKCS #1 version 2.1), using SHA-256 digest algorithm (ASN.1 Object Identifier: sha256WithRSAEncryption). |
| |       Parameter | [0..1] | Parameter of the RSASSA-PSS signature algorithm. |
| |         DigestAlgorithm | [0..1] | Cryptographic algorithm for computing the digest of the label in the RSASSA-PSS encryption algorithm. Allowed values: |
| | | | SHA1: Message digest algorithm SHA-1 as defined in FIPS 180-2 (ASN.1 Object Identifier: id-sha1). |
| | | | SHA256: Message digest algorithm SHA-256 as defined in FIPS 180-2 (ASN.1 Object Identifier: id-sha256). |
| | | | SHA384: Message digest algorithm SHA-384 as defined in FIPS 180-2 (ASN.1 Object Identifier: id-sha384). |
| | | | SHA512: Message digest algorithm SHA-512 as defined in FIPS 180-2 (ASN.1 Object Identifier: id-sha512). |
| |         MaskGeneratorAlgorithm | [1..1] | Mask generator function algorithm used by the RSASSA-PSS signature algorithm. |
| |           Algorithm | [1..1] | Algorithm of the mask generator function, allowed value: |
| | | | MGF1: Mask Generator Function, used for RSA encryption and RSA digital signature (PKCS #1 version 2.1) (ASN.1 Object Identifier: id-mgf1). |
| |           Parameter | [0..1] | Parameters associated to the mask generator function cryptographic algorithm. |
| |             DigestAlgorithm | [0..1] | Digest algorithm used in the mask generator function. Allowed values: |
| | | | SHA1: Message digest algorithm SHA-1 as defined in FIPS 180-2 (ASN.1 Object Identifier: id-sha1). |
| | | | SHA256: Message digest algorithm SHA-256 as defined in FIPS 180-2 (ASN.1 Object Identifier: id-sha256). |
| | | | SHA384: Message digest algorithm SHA-384 as defined in FIPS 180-2 (ASN.1 Object Identifier: id-sha384). |
| | | | SHA512: Message digest algorithm SHA-512 as defined in FIPS 180-2 (ASN.1 Object Identifier: id-sha512). |
| |         SaltLength | [1..1] | Length of the salt to include in the signature. |
| |         TrailerField | [0..1] | Trailer field number. |
| |     Signature | [1..1] | Digital signature value. |

6.3 Digital Signature Generation and Verification Processes

To provide a digital signature, the signer computes a digest of the data to sign, and encrypts the formatted digest with its private key. The digital signature may be verified by any party with the public key of the signer.

6.3.1 SHA-256 with RSA

The generation of the digital signature follows the PKCS1-v1_5 specifications:

(i) The length mLen of the RSA signing key modulus has to be larger than or equal to 496 bits, and the length of the data input cannot be greater than 2^64 bits.

(ii) Compute the SHA-256 digest D on the encoded body of the message, including the envelope, as transmitted by the transport level:
  - For the digital signature generation of a message to send, the body shall not change after the generation of the digest.

(iii) Encode the ASN.1 value of type DigestInfo, with the OID id-sha256, a null parameter, and the digest D using the DER encoding. This operation is identical to the concatenation of
  - the hexadecimal string T: 3031 300D 0609 60 86 48 01 65 03 04 02 01 0500 0420, and
  - the digest D

(iv) Generate a padding string PS of length mLen-51 bytes with the hexadecimal value FF.
(v) Encrypt with the private RSA signing key the block EM, where
  EM = 00 || 01 || PS || 00 || T || D
  || being the concatenation operator
  (the first 00 allows an integer value strictly lower than the RSA key modulus, 01 indicates an RSA encryption with a private key, the second 00 delimits the Padding String from the data to encrypt).

Figure 23 : SHA-256 with RSA Digital Signature

The verification of the digital signature:

(i) The length mLen of the RSA signing key modulus has to be larger than or equal to the length of the signature S, and the length of the data input cannot be greater than 2^64 bits.

(ii) Compute the SHA-256 digest H on the encoded body of the message, including the envelope, as transmitted by the transport level:
  - For the digital signature verification of a received message, the digest is computed on the body as received by the transport level.

(iii) Decrypt with the public RSA signing key the signature S, to obtain the data block EM.

(iv) Verify that the block EM has the format EM = 00 || 01 || PS || 00 || T || D:
  - The first byte has the value 00,
  - The second byte has the value 01,
  - PS of length mLen-51 bytes, with the hexadecimal value FF, and is followed by 00,
  - T has the hexadecimal value: 3031 300D 0609 60 86 48 01 65 03 04 02 01 0500 0420,
  - D has the same value as the digest H of the message body.
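The generation and verification steps of section 6.3.1 as an added example, not code from the nexo specification. Verification rebuilds the whole expected EM block and compares it with the decrypted one, so every field of step (iv) is checked, including the length of PS. Assumptions: function names are hypothetical, the key is a constructed demo key (not the key of section 6.4.1), and the PS length is computed as emLen - 51 - 3 following RFC 3447 section 9.2.

```python
"""RSA signature with SHA-256 and PKCS1-v1_5 encoding (section 6.3.1)."""
import hashlib
import hmac

# Hexadecimal string T of step (iii): DER DigestInfo header for id-sha256.
T_SHA256 = bytes.fromhex("3031300D060960864801650304020105000420")
MIN_MODULUS_BITS = 496  # minimum modulus length of generation step (i)

# Constructed demo key (assumption, NOT the key of section 6.4.1): two
# Mersenne primes, so that the example needs no key generator. Such primes
# must never be used for a real signing key.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q
E = 0x010001
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)


def modulus_bytes(n: int) -> int:
    """Length of the modulus in bytes."""
    return (n.bit_length() + 7) // 8


def encode_em(body: bytes, em_len: int) -> bytes:
    """Build EM = 00 || 01 || PS || 00 || T || D for the message body."""
    t_and_d = T_SHA256 + hashlib.sha256(body).digest()  # 19 + 32 = 51 bytes
    ps_len = em_len - len(t_and_d) - 3                  # RFC 3447 section 9.2
    if ps_len < 8:
        raise ValueError("modulus too short for SHA-256 with PKCS1-v1_5")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t_and_d


def rsa_private(block: bytes, n: int, d: int) -> bytes:
    """Raw RSA private-key operation on a block of modulus length."""
    value = pow(int.from_bytes(block, "big"), d, n)
    return value.to_bytes(modulus_bytes(n), "big")


def sign(body: bytes, n: int, d: int) -> bytes:
    """Generation steps (ii)-(v): digest, encode EM, apply the private key."""
    return rsa_private(encode_em(body, modulus_bytes(n)), n, d)


def verify(body: bytes, signature: bytes, n: int, e: int) -> bool:
    """Verification steps (i)-(iv); returns False on any mismatch."""
    k = modulus_bytes(n)
    if n.bit_length() < MIN_MODULUS_BITS or len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")   # step (iii): public-key operation
    expected = encode_em(body, k)          # 00 || 01 || PS || 00 || T || H
    return hmac.compare_digest(em, expected)


if __name__ == "__main__":
    # Constructed sample body, not the message of section 6.4.2.
    sample = b"<MgmtPlan><POIId><Id>66000001</Id></POIId></MgmtPlan>"
    sig = sign(sample, N, D)
    print("valid signature accepted:", verify(sample, sig, N, E))
    print("modified body rejected:  ", not verify(sample + b" ", sig, N, E))
```

Comparing the complete block, rather than skipping the FF bytes and reading the digest that follows, is what rejects a block whose PS is shorter than required or whose digest is followed by extra bytes.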
2759 6 Digital Signature Mechanisms - 106 - 6.3 Digital Signature Generation and Verification Processes Card Payment Protocols Security Version 2.1 2760 6.4 Example 2761 6.4.1 Signing Key and Certificate 2762 2763 The RSA key to generate the digital signature has a key length of 3072 bits with the components dumped below: RSA Key Component Value Modulus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ublic Exponent 010001 Private Exponent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rime 1 E67D8DC159476C2CB803BA39BBF3606B3F45434FC07AF91368406B57095D205B AC88BFAF9462B458F9B4DCC26078B27040766510A19F317021AC87B5BDD618BE 95850BC5A895787F6D134C578F9218EAD686EFED14EAA84804F749794288E24C EA2A955AA3473EF99A0D536A7AA13E0DFAD7739A42F46C98C55C8066FBA20EDB 91D587A966F061351A46141CEBCFD944E766FBCAA19F251A09BF6BD7E3B8A8FD F3AD572B7B7FEC9B160C8F8A6FDE5E029D7942A45F5572BD40B04F3CF59F4BF7 Prime 2 D1F548FB2D1A25B094040F6B26B051F99F6E7C9DB34148A458393C08BC2232EB CDB9E98BD8CB7E1E1A5D133F668E535E1A27FAF807C253057438ADF7846AA656 7E03A4879248DF06A9A8E413F8125CAC14B2093EB043AB4831F16EF7DB04FD34 855D525A6C5BE4E7D2C6B6F02C97BF975BE971C5F8515BBE2FE9BD894B39DF74 CED4BE6BEEF5D35C5D420BDD29111EDCE556D1DC38669AC9D5136FAF44951381 BE2B1F51DD150EB1A591C46242E54715550710E7AB20BAFC50B6D31469F4A623 Exponent 1 5E579BD33D40DFC53A18C47BE7338A0EBBDA14E02AEFEACD87C97E6624BE0A85 9B8C69B16B722F518FFBF8B4531A7427402B75D8A5DEEC34728415144DBCB96A 20F751473966DCE88373F7B68B5C88786F10D259DF4AE150813FDAC2187AC0EE 2C96FB851AFA098BCF038F56311598B9CE27ABF8C3591AAE3972505856BD1189 CC1A73A9E22998104D4DCBE3BE9DD7D7BD43C8E23ADF5227634007DB5929777A 62E85B9ABFB52FDA96DED34E1DD60DF2D214153404958C1E6CC0FDDDFCC79427 Exponent 2 80A494A9E9B19AA43D9CDB41A0FBE9CE53E463905093D08979D0DFBACE62F9E6 4730012C0192755CC6747EE59AD5DBB8CDB7EF6AE77E26563226C458E3166182 9F45661AF703953B44DAC99C7EA3E98A3A47F7A82461E1E1A35035D8C1A6A5E9 F748FDBB8FA72272F44F732967793717EB65F6A3010A0077606E0C06C243DC69 
7A8D197B9277A6A07237948356B539BEC8FA502D69955C840BFD13B245083E62 817D747C3944BCB3162A61347F9E71D65D39AE1EF4586299546F2097E26FD717 Coefficient D175B7C635A4E77C5140848E541B1F75EF83ADEDF347B1727A332FC292142080 8225783A23F9475692A0E14425BEDD0CD72342F243AC24D0901778B91C58A9A2 515F72538BC0F1DC7167FF598247F1CE2A475967256AA3FA63EC1008C8B7FF90 51DF38D7B9B7AC0B86CBDFA141DC22D755898FB471818202734F761D3464C9B0 5E7F0119E80F7BD4F205233B020DB1EEA7CC8DE11BB68CF8A0F82CE8CD3E33C5 2472FC11229F8C0A56F85189D0B7868958E1987D7B7819EB85C5B05FB1CD0448 6 Digital Signature Mechanisms - 107 - 6.4 Example Card Payment Protocols Security Version 2.1 2764 2765 This RSA key is authenticated by a certificate authority with the following information: Certificate Information Value serialNumber 2ABC 40F4 D482 F5EB C975 Issuer Country Name BE Organisation Name EPASOrg Organisation Unit Name Technical Center of Expertise Common Name EPAS Protocols Test CA Validity notBefore 20130418100646+0100 notAfter 20181001182005+0100 Subject Country Name FR Organisation Name EPASOrg Organisation Unit Name Technical Center of Expertise Common Name EPAS Protocol Test Host Authentication Extensions keyUsage DigitalSign 2766 2767 2768 2769 2770 2771 2772 2773 2774 2775 2776 2777 2778 2779 2780 2781 2782 2783 2784 2785 2786 2787 2788 2789 2790 2791 2792 2793 2794 2795 2796 2797 2798 2799 2800 2801 2802 2803 2804 The dump of the X.509 certificate is: 0000 0010 0020 0030 0040 0050 0060 0070 0080 0090 00A0 00B0 00C0 00D0 00E0 00F0 0100 0110 0120 0130 0140 0150 0160 0170 0180 0190 01A0 01B0 01C0 01D0 01E0 01F0 0200 0210 0220 0230 0240 30 BC 86 55 13 04 6E 65 20 43 31 30 31 0E 26 63 70 13 54 63 2A 30 6A 7B 99 10 03 4F D3 8E 55 8D 5B 18 CD 76 44 82 40 F7 04 07 0B 74 31 50 41 38 30 0B 06 30 61 65 26 65 72 86 82 18 26 B0 BC 71 91 05 A4 54 49 41 EF 6E B8 9E 05 F4 0D 06 45 13 65 1F 72 30 32 31 30 03 24 6C 72 45 73 79 48 01 F2 65 B7 AC 52 07 D4 4D 0E 9F D3 67 4A E2 76 23 D4 01 13 50 1D 72 30 6F 2A 33 31 09 55 06 20 74 50 74 70 86 
8A 19 25 97 BB 54 34 BF B6 D2 44 5F 8F DE E4 12 30 82 01 02 41 54 20 1D 74 17 2B 38 06 04 03 43 69 41 20 74 F7 02 DC C3 9D 6C 1E 12 63 BE 23 5F 3D D7 91 F8 4C 82 F5 0B 42 53 65 6F 06 6F 13 30 32 03 0A 55 65 73 53 48 69 0D 82 91 7F E1 FD B1 DE 46 51 25 F8 FD 94 84 E8 4B 6 Digital Signature Mechanisms 03 EB 05 45 4F 63 66 03 63 32 31 30 55 13 04 6E 65 20 6F 6F 01 01 93 AB 76 A4 DC 04 5B A6 23 35 5A 87 D5 02 F7 0B C9 00 31 72 68 20 55 6F 30 30 30 04 07 0B 74 31 50 73 6E 01 81 16 E7 4E CB 3D 22 F8 35 33 C3 1A 2A FE 76 FF A0 75 30 10 67 6E 45 04 6C 31 30 35 06 45 13 65 2F 72 74 30 01 00 49 D4 7C 90 D0 16 99 8C 33 EB 2D CC C2 36 2B 03 30 68 30 31 69 78 03 73 33 17 2B 13 50 1D 72 30 6F 20 82 05 D7 5F ED D1 6A B6 FA DC AA D3 D5 61 8B 38 68 A1 02 0D 31 0E 26 63 70 13 20 30 13 30 02 41 54 20 2D 74 4B 01 00 2C F6 99 6B A7 21 8F 6F 3C D6 B5 49 81 64 55 5E 01 06 0B 06 30 61 65 16 54 34 32 31 46 53 65 6F 06 6F 65 A2 03 CF 6C EA 64 5B 4E 82 07 CB D2 15 10 29 41 A8 67 02 09 30 03 24 6C 72 45 65 31 30 30 52 4F 63 66 03 63 79 30 82 63 90 04 B9 ED B3 6D 3F 85 B8 37 38 AF 29 80 4B 02 2A 09 55 06 20 74 50 73 38 31 30 31 72 68 20 55 6F 20 0D 01 FB 6F 24 BA 58 1B 24 F6 28 2E 9A FD A0 3B E0 62 - 108 - 0A 86 06 04 03 43 69 41 74 31 38 30 10 67 6E 45 04 6C 45 06 8F 2F 90 33 95 B9 E9 C7 AA E5 D7 7C D1 D0 16 EF A5 2A 48 03 0A 55 65 73 53 20 30 31 78 30 31 69 78 03 20 6E 09 00 86 4D 6D 46 A0 7A F2 33 8B A5 2B 9E 2F BB AC 63 |0..#0..........*| |.@......u0...*.H| |........0h1.0...| |U....BE1.0...U..| |..EPASOrg1&0$..U| |....Technical Ce| |nter of Expertis| |e1.0...U....EPAS| | Protocols Test | |CA0*..2013041810| |1823+0100..20181| |001182005+01000x| |1.0...U....FR1.0| |...U....EPASOrg1| |&0$..U....Techni| |cal Center of Ex| |pertise1/0-..U..| |.&EPAS Protocol | |Test Host Key En| |cryption0...0...| |*.H.............| |0.........,.c./.| |j.......I_.l.o.M| |{&e%.........$3m| |......vN|.kd...F| |....l....j.[.X..| |.qRT...=..!N...z| |O..4..."....m$..| |....cF[...o.?..3| |..M..Q.5..<..(..| 
|UT..#%#33.......| |.I.D_.5.....7.|+| |[A._=.Z.-aI.8...| |..g....*...).../| |.nJ......8dA);..| |v......v6hU.....| |D.v.LK..+.^gKb.c| 6.4 Example Card Payment Protocols Security 2805 2806 2807 2808 2809 2810 2811 2812 2813 2814 2815 2816 2817 2818 2819 2820 2821 2822 2823 2824 2825 2826 2827 2828 2829 2830 2831 2832 2833 2834 2835 2836 2837 2838 2839 2840 2841 2842 2843 2844 2845 2846 2847 2848 2849 2850 26 52 48 B4 46 FE 8F 68 71 31 80 83 D9 00 65 91 E9 11 9E 84 99 96 65 33 30 91 13 FE 3E 26 1C 79 5B 13 49 D9 E6 44 59 9A 8B 58 52 45 45 60 0A E0 25 9C 28 EB 31 86 30 30 79 AC 03 72 DD 59 D7 AF 58 5A 0E 3E E3 58 A5 4E 83 71 E2 56 C9 5B 93 9C 33 54 86 36 E5 19 72 7C 1C A1 0A 2E 5D D5 17 00 EF 98 DE 0E 1F EF 30 82 D2 C5 63 24 46 C7 16 F1 97 45 2C 54 8B 62 7F F2 61 CA 92 18 EF FD CF AF BB 6C 60 62 8C 6D C6 A3 74 84 67 DA 6B 0F CA 7D 06 06 C4 0D 02 6B 27 9B C2 F4 57 4C CE B4 6C 2B 4E 05 0E 3E 26 85 39 71 6C 53 65 27 ED B2 94 89 3E 9A 98 13 A0 BD D2 E5 2D FF 7E 8F AB 03 03 EB 06 01 F9 6D 7A 14 F6 7C DD A7 FB 40 C8 97 0E 96 B2 C9 5F 96 F9 1F 24 AB AA 1F 59 79 FB 60 01 96 CE Version 2.1 0250 0260 0270 0280 0290 02A0 02B0 02C0 02D0 02E0 02F0 0300 0310 0320 0330 0340 0350 0360 0370 0380 0390 03A0 03B0 03C0 03D0 03E0 03F0 0400 0410 0420 0430 0440 0450 0460 0470 0480 0490 04A0 04B0 04C0 04D0 04E0 04F0 0500 0510 7D 3F 28 AF 89 1F 5E A0 9A 30 05 6F 50 05 8B 5A 68 66 ED 34 49 C9 7C E6 FA AC 7A 23 2B C8 E5 78 A8 E0 11 A7 85 28 FE 5D 85 A6 A8 BF BE 13 82 B7 F9 FA 96 EF D0 9D 55 55 3C 09 00 75 C1 F0 31 83 DE 2F C3 7B 7C E7 A0 93 CF 87 7C 83 F0 36 86 21 EF B6 3D E1 31 90 94 6F 54 F0 0520 64 3E 82 79 CE E9 CF E1 6D D2 16 F7 E2 97 8C FF 1D 1D 73 2A 56 F2 DD 3E 20 C2 55 AA 4E 6B 06 02 49 42 5A E5 55 1B A1 91 D7 3D 5F 90 40 AB 79 8A 97 3A 1A C3 53 D5 22 E3 AB D1 4F 8B 3D 0F 23 78 86 E4 1D 1F 65 4C 32 83 77 17 B2 73 22 65 C6 4B 6B D9 CC A8 9E DB 11 66 AA 1C E5 B0 45 7F B6 02 86 0E 07 1F AB 49 58 FE 24 02 01 04 4C 48 8B 56 C6 FD B6 9E 34 57 F1 E4 72 2F 0C 57 50 18 9A 9F 5F 1B E5 66 A5 47 30 
A6 DE C1 86 8E E6 F0 11 C2 4B 4E 6E 38 0A 27 03 01 18 A4 86 D5 7F 3B 03 D3 3B EC 3C EF 9A 14 C4 ED 09 54 49 7A D5 D2 B1 C7 AE 5E CE 59 56 0C 82 9C 9D 5F 23 F4 83 63 2C E7 AC 38 B9 01 00 30 98 F7 EE 30 EC 9A CC 93 F7 85 8D 84 9D 03 55 4E 34 47 18 B1 66 99 58 48 C0 CE 5E B1 74 3B 12 D9 11 A7 BF D2 B5 48 C2 72 C3 1A 00 04 16 E5 0D 2A 74 C4 D6 7C 73 7F 93 88 78 C2 BC D2 A5 9E EB 25 A9 E2 E0 FE 6A CE 45 FE 57 05 D8 F7 43 5D C4 98 F5 67 6E 4E 52 89 0B 01 04 80 18 01 4F 56 23 97 A8 7C 4D 90 66 69 26 A5 D8 A6 08 BA A4 0F C2 54 DB 3B 47 99 E6 E2 33 8A 5F 40 87 00 4E 63 97 C8 43 F3 26 16 A3 03 14 4E 01 F4 E3 DF 76 C4 A2 B2 53 0A D7 40 FA F7 E6 B1 A6 95 AE 71 A8 87 28 AB CD A8 AD 5F D3 FD A8 47 7A 53 C2 E6 14 95 D4 CF F7 33 02 A0 E0 0B E0 17 89 47 24 3A 17 DA 50 9A 85 A8 A9 7B BD 47 D1 57 63 65 0E 98 4B 75 A5 F3 61 7D F5 88 E5 F0 |}&`.....S.....NS| |?R..t..m......c.| |(H.]....".Kc.g..| |..%.g.....N,Hn..| |.F...-...In..NC.| |..(.k....X8.rR..| |^....~..O..8..&.| |.h1......$'.....| |.q..}...=......3| |010...U.........| |..0...U.#..0....| |o.y...<sxL....N.| |P..0...*.H......| |.......V....*O..| |.er.k.u..V.0tV..| |Z...'m....;..#..| |h.Yc.z.>e.....vG| |f..$..1 L...|..$| |...F....2.;.s|.:| |4.X.W|.U.4...M..| |I.Z.L./.wW<...S.| |.......N.....f.P| ||e>...{k....xi..| |.3.El@|.sr...&@.| |.0X,+..."/......| |...TN..Ie..U....| |z.N....B.W.N...{| |#..b...ZKPT4....| |+>q.>...k.IG...G| |.&..&.|U..z.%...| |..Va._.........W| |xy..9...._.f..qc| |.[[.q.6......T.e| |....l......X....| |.I..S$!=.f.Hj;(.| |..3.e.._f.^..G.K| |..T.'....G..E..u| |(D....=@.0Y^....| |.Y6..Y....V.W...| |]..l.y1y...t.3_a| |...`....E..;...}| |.Xrb>`......._..| |.R|...o:....C@..| |.E.m..T..._.].G.| |.E........#...z.| |d>.y... 
| 2851 2852 6 Digital Signature Mechanisms - 109 - 6.4 Example Card Payment Protocols Security 2853 2854 Version 2.1 The RSA key of the certificate authority signing this X.509 certificate has a key length of 4096 bits with the components dumped below: RSA Key Component Value Modulus A97F45122196E7353C89C240F5D163CF7B9B6A0899440C3D3F3C431BF898BFDE 121407E57E4B6EA2A85E52742659E05087CBC69E2EF6A301B9000A9DA4216951 B793B70B3D27EA9BD6E80584929C55AA5D315CF691F789E677E52105065CC79C 20C58384DF934640A80E7F970088650663610B80B478B17E5863B910332C89DF 3F1FEE47E8A96E9A413CD69410693FECBA0388D2DDB4B6B33341CF9D523AC561 729C5854512EDE984AEB1D937E3C8F74F527FFEFE710CBD2A6819CA0A3C8C7CB C237E1B60A66D790E5DFFCE5EF1B8BA241E284FBF32345AC74D179382DA7D714 E63CE04084FD904C3AAE0CAC44CCB17A4DFB4B5917971BE12B24FBC17E1E20DD DC363E45D1659C80D5FF087C51FBED5846C43C0D3580C1C7E8BE91629FDE96F7 A5E531E0166AFE88CC3AFE4EB642F9E51F02E007CB482B4E91D588965F53C73D 8CA2A2D4F7A8663F492CB1623906417A553C9D4DFB2CF55CE6290956C5E80009 7F0E8C974E879BCB981977377FA6A3750DBF478F57C0C7338F45BA83F54670E3 5DDBAC4E30665338A75C0D61DF6918721E885054C85BC3CACD2206468C8A84BB 8B3432CE2D8B2F46B3E25124E956E401AA4194066C01ADC9E633DD2BFE794C87 10F3B94766986465135B8B395F832166A17F9E7EDD8DCB0D19125307CC32B76B 7009113A1BD91C5A2815E0A5A533B8A6ABFC47F0D11A668A2791E9F2F6088A5D Public Exponent 010001 Private Exponent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rime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rime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xponent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igital Signature Mechanisms - 110 - 6.4 Example Card Payment Protocols Security Version 2.1 Exponent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oefficient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igital Signature Mechanisms - 111 - 6.4 Example Card Payment Protocols Security 2857 Version 2.1 6.4.2 Message Body to Sign 2858 2859 2860 2861 As example of message body to compute a digital 
signature, we will use the ManagementPlanReplacement message of the TMS protocol, with the XML/Schema encoding of the ISO 20022 catm.002.001.02 message.

As input of the ManagementPlanReplacement digital signature, the XML encoded body ManagementPlan of the message is:

<MgmtPlan>
  <POIId>
    <Id>66000001</Id>
    <Tp>OPOI</Tp>
    <Issr>TMGT</Issr>
  </POIId>
  <TermnlMgrId>
    <Id>epas-acquirer-TM1</Id>
    <Tp>TMGT</Tp>
  </TermnlMgrId>
  <DataSet>
    <Id>
      <Tp>AQPR</Tp>
      <CreDtTm>2013-04-18T10:52:27.95+02:00</CreDtTm>
    </Id>
    <Cntt>
      <Actn>
        <Tp>DWNL</Tp>
        <Adr>
          <PmryAdr>TM1.Test.EPASOrg.eu</PmryAdr>
          <PmryPortNb>5001</PmryPortNb>
        </Adr>
        <DataSetId>
          <Tp>MGTP</Tp>
        </DataSetId>
        <Trggr>DATE</Trggr>
        <TmCond>
          <StartTm>2013-04-24T22:45:00</StartTm>
          <Prd>10000</Prd>
          <ReTry>
            <Dely>10</Dely>
            <MaxNb>2</MaxNb>
          </ReTry>
        </TmCond>
      </Actn>
    </Cntt>
  </DataSet>
</MgmtPlan>

Once unnecessary spaces and carriage returns are removed, ManagementPlanReplacement is:

<MgmtPlan><POIId><Id>66000001</Id><Tp>OPOI</Tp><Issr>TMGT</Issr></POIId><TermnlMgrId><Id>epas-acquirer-TM1</Id><Tp>TMGT</Tp></TermnlMgrId><DataSet><Id><Tp>AQPR</Tp><CreDtTm>2013-04-18T10:52:27.95+02:00</CreDtTm></Id><Cntt><Actn><Tp>DWNL</Tp><Adr><PmryAdr>TM1.Test.EPASOrg.eu</PmryAdr><PmryPortNb>5001</PmryPortNb></Adr><DataSetId><Tp>MGTP</Tp></DataSetId><Trggr>DATE</Trggr><TmCond><StartTm>2013-04-24T22:45:00</StartTm><Prd>10000</Prd><ReTry><Dely>10</Dely><MaxNb>2</MaxNb></ReTry></TmCond></Actn></Cntt></DataSet></MgmtPlan>

6.4.3 SHA-256 with RSA

The SHA256 digest of the
ManagementPlanReplacement message body is:

0000  C3 61 49 C6 87 19 B1 CC 56 8E 25 69 26 ED 8D 81  |.aI.....V.%i&...|
0010  CE 66 90 6B 44 BE 43 9D BA 97 3B 63 8E 6D 45 35  |.f.kD.C...;c.mE5|

Applying the padding process, the block result is dumped below:

After encryption by the RSA signing private key, we have the digital signature of the ManagementPlanReplacement message body:
Inside the SecurityTrailer, the SignedData CMS data structure is presented in the table below:

| Message Item | Value |
|---|---|
| SecurityTrailer | |
| ContentType | SignedData |
| SignedData | |
| DigestAlgorithm | |
| Algorithm | SHA256 |
| EncapsulatedContent | |
| ContentType | PlainData |
| Certificate | |
| Signer | |
| SignerIdentification | |
| IssuerAndSerialNumber | |
| Issuer | |
| RelativeDistinguishedName | |
| AttributeType | CountryName |
| AttributeValue | BE |
| RelativeDistinguishedName | |
| AttributeType | OrganisationName |
| AttributeValue | EPASOrg |
| RelativeDistinguishedName | |
| AttributeType | OrganisationUnitName |
| AttributeValue | Technical Center of Expertise |
| RelativeDistinguishedName | |
| AttributeType | CommonName |
| AttributeValue | EPAS Protocols Test CA |
| SerialNumber | 2ABC40F4D482F5EBC975 |
| DigestAlgorithm | |
| Algorithm | SHA256 |
| SignatureAlgorithm | |
| Algorithm | SHA256With |
| Signature | |
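The digest-to-block step of 6.4.3 and the matching check on the verifier side, as an added example that is not part of the nexo specification: it rebuilds the EMSA-PKCS1-v1_5 block (RFC 8017) from the SHA-256 digest printed above and verifies by re-encoding and comparing whole blocks instead of parsing the padding. The 384-byte block length, the function names and the sample body are assumptions made for the example; the RSA operation itself is not shown.

```python
import hashlib
import hmac
import re

# DER prefix of a SHA-256 DigestInfo (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

# SHA-256 digest of the ManagementPlan body, copied from 6.4.3.
PAGE_DIGEST = bytes.fromhex(
    "C36149C68719B1CC568E256926ED8D81"
    "CE66906B44BE439DBA973B638E6D4535"
)

# Assumption: 384-byte block, i.e. a 3072-bit signer modulus.
EM_LEN = 384

# Constructed sample body (a shortened ManagementPlan), used only below.
SAMPLE_BODY = """
<MgmtPlan>
  <POIId>
    <Id>66000001</Id>
    <Tp>OPOI</Tp>
  </POIId>
</MgmtPlan>
"""


def strip_layout_whitespace(xml_text: str) -> bytes:
    """Remove whitespace between tags; text inside elements is kept.

    Simplification: an element holding only whitespace loses its value.
    """
    return re.sub(r">\s+<", "><", xml_text.strip()).encode("utf-8")


def emsa_pkcs1_v15_encode(digest: bytes, em_len: int) -> bytes:
    """Return 00 01 FF..FF 00 || DigestInfo(SHA-256, digest)."""
    if len(digest) != hashlib.sha256().digest_size:
        raise ValueError("a SHA-256 digest is 32 bytes long")
    t = SHA256_DIGESTINFO_PREFIX + digest
    ps_len = em_len - len(t) - 3
    if ps_len < 8:
        raise ValueError("block too short for the DigestInfo")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def signing_block(xml_text: str, em_len: int = EM_LEN) -> bytes:
    """Block the signer feeds to the RSA private-key operation."""
    digest = hashlib.sha256(strip_layout_whitespace(xml_text)).digest()
    return emsa_pkcs1_v15_encode(digest, em_len)


def verify_recovered_block(recovered: bytes, xml_text: str,
                           em_len: int = EM_LEN) -> bool:
    """Check the block recovered from a signature with the public key.

    The expected block is rebuilt and compared byte for byte, so short
    padding, a shifted DigestInfo or trailing bytes all fail the check.
    """
    expected = signing_block(xml_text, em_len)
    return hmac.compare_digest(recovered, expected)


def misaligned_block(xml_text: str, em_len: int = EM_LEN) -> bytes:
    """Constructed bad input: minimal padding, DigestInfo not right-aligned."""
    digest = hashlib.sha256(strip_layout_whitespace(xml_text)).digest()
    t = SHA256_DIGESTINFO_PREFIX + digest
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    return head + b"\x00" * (em_len - len(head))


if __name__ == "__main__":
    block = emsa_pkcs1_v15_encode(PAGE_DIGEST, EM_LEN)
    for offset in range(0, len(block), 16):
        print(f"{offset:04X}  {block[offset:offset + 16].hex(' ').upper()}")
    good = signing_block(SAMPLE_BODY)
    print("well-formed block accepted:", verify_recovered_block(good, SAMPLE_BODY))
    bad = misaligned_block(SAMPLE_BODY)
    print("misaligned block accepted:", verify_recovered_block(bad, SAMPLE_BODY))
```
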
The XML encoded structure of the digital signature in the SecurityTrailer with the certificate of the signer is:

<SctyTrlr>
  <CnttTp>SIGN</CnttTp>
  <SgndData>
    <DgstAlgo>
      <Algo>HS25</Algo>
    </DgstAlgo>
    <NcpsltdCntt>
      <CnttTp>DATA</CnttTp>
    </NcpsltdCntt>
    <Cert>
MIIE/zCCAuegAwIBAgIKKrxA9NSC9evJdTANBgkqhkiG9w0BAQsFADBoMQswCQYDVQQGDAJCRTEQMA
4GA1UECgwHRVBBU09yZzEmMCQGA1UECwwdVGVjaG5pY2FsIENlbnRlciBvZiBFeHBlcnRpc2UxHzAd
BgNVBAMMFkVQQVMgUHJvdG9jb2xzIFRlc3QgQ0EwKhgTMjAxMzA0MTgxMDA2NDYrMDEwMBgTMjAxOD
EwMDExODIwMDUrMDEwMDB4MQswCQYDVQQGDAJGUjEQMA4GA1UECgwHRVBBU09yZzEmMCQGA1UECwwd
VGVjaG5pY2FsIENlbnRlciBvZiBFeHBlcnRpc2UxLzAtBgNVBAMMJkVQQVMgUHJvdG9jb2wgVGVzdC
BIb3N0IEF1dGhlbnRpY2F0aW9uMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAvQlYmPmB
uvQr4g4ZM5s5bFliZpC985bSDFA8pXxoivQeUFUs8bndxBFiCd0AwmtnP37e59DKbcLaqf8vjDqGC4
+DWuYNngV+3fFiX6xVoQKDf8HH74wKbBN8WXOXKrxA9NSC9evJdU+WS27s7b5m22KtDaezjgWRdWLo
md9xfSdFdpO0Hnvyy6mIVa4sl95LSP2BKlINbTVgEPboNV7JjbowR/LAzc2b5lUnfz7WmniN2ApqEr
yj1MfwhmK5nT9wqVSNeAS15KKROj7AJSW+Y57X2bmGVWxZMmdWQvzE5lnYKKlMVUSuu8VEbua5agSg
GFRwKW38L/unPUB0kwlo3YEOQ9V03XvmZImdpuSOtLO1kOLKqXx1AVxzUJOtYuP9eRq1cY8foZZz66
96vzzNcy8x05f855CGnSpoLfIyRRQYHM4c2056QDbausJidu4KOi0r4E+1LlgSj/QIbHQXzeznWxh4
PfosBdSlGJkwf9zEoAcBMA1ztF/9UuOWdYzFAgMBAAGjDzANMAsGA1UdDwQEAwIHgDANBgkqhkiG9w
0BAQsFAAOCAgEAdgStiWVUuNceBwdpcOFMP0LmY4t1jlDDBcPh3Yq8PsoCFQr1EB02gUY4FQ5Ppz5d
kuV5mDtJi9op++nOFKeT8S9fsIlhtz3ByD+zdGeyxbr/9hz2G3k2OOoh40GLyrXHHrogJSMM7PaguY
kwE/f1tOZkGaYEVcyQxf71lrdvqRTzWt/giOFSWzThw/EZK/gdWf9n8xGh9+YU6TMvnGzqDdufDA7r
VwisLbIPAX8GB5obfAMlTyW7oT4hQYWgVnqsciADUEiIq0qfWs/Qw6zU1MPDp12DC5axeSB33W/wDG
/aU8yx+mov8chW93mL+DEy9iOED7IS5xDG/lBaxkU4A4Pl66fszwjiJiLM2HSN0EzW7No1CNg6Teup
bQUj24dkOV7atZpCQheAW9jXFfQB1UQnJ7BtB8vC1gXgyk5H91J6PjAOppZ163dxRZiXGyZT3QtzQE
M2X6+kWQkxSoX/tGujT4iyKOmdU3OdPwDnjTzq3uc22q4RXOUKwQ6/sKxYcSRLugcRBxseQPocxg4S
WNbUl4j3I7FOBPSNWImCYcNzmLVRDcR/XF7219J7DIDyh28rAlcci6zikXQiG9y1ZHBCtLZ999Ex6T
JGcMtk0uGxWXfWUfykj+9ijqKxN6kjb+t8NOGdj99DfIQIpWzgYrLMQ12F7GWiXYtBtRIGfKs=
    </Cert>
    <Sgnr>
      <SgnrId>
        <IssrAndSrlNb>
          <RltvDstngshdNm>
            <AttrTp>CATT</AttrTp>
            <AttrVal>BE</AttrVal>
          </RltvDstngshdNm>
          <RltvDstngshdNm>
            <AttrTp>OATT</AttrTp>
            <AttrVal>EPASOrg</AttrVal>
          </RltvDstngshdNm>
          <RltvDstngshdNm>
            <AttrTp>OUAT</AttrTp>
            <AttrVal>Technical Center of Expertise</AttrVal>
          </RltvDstngshdNm>
          <RltvDstngshdNm>
            <AttrTp>CNAT</AttrTp>
            <AttrVal>EPAS Protocols Test CA</AttrVal>
          </RltvDstngshdNm>
          <SrlNb>KrxA9NSC9evJdQ==</SrlNb>
        </IssrAndSrlNb>
        <DgstAlgo>
          <Algo>HS25</Algo>
        </DgstAlgo>
        <SgntrAlgo>
          <Algo>ERS2</Algo>
        </SgntrAlgo>
        <Sgntr>
p4a4fyddPHXBxP92xGNwXRe9dxoaq5WVeodBbA8rkTQ9jM/nxizi4A+edbLxjX8afRZG4EQW4s
mcxTsNDDfkDdBTNkJ3ZY+Cw9qTfU9uUTan8C8b4VSxnGAZloMMp8ay6hrfX2khorWWrJDQ+9wE
7yTCyKrOuWZ4rzroqBr5DwTefQDKCiAGVRlaSHh0iom0H3SGjfHvjvkKPokmRfHU8EaR6cRlQC
iLKilM8jllIGEpJgln5EFluIEwZawYOBIBThO7vo75XTQSQ3B+83Yox4TNwPIc9cspucSJs8yY
WyXSfNtclagn/eWl2iBwTgTBcGZFATGcwsRE0PiejHz4lu7RX1vINe06n7jzc52WG/gozr/q8b
1AldD19wC3b2ga16PGRnafYRWhb0zxt3squutJuwwNoesPSMMyBfSXlfyedGxyRMQfAZ3zssB/
7xkhvqFMgWxqVaD0xh8L2oM9AY1UNgh0zxwdMnwzGDEZTU2Cg6+aK6weY+1IAwsyTRDL
        </Sgntr>
      </SgnrId>
    </Sgnr>
  </SgndData>
</SctyTrlr>
Once unnecessary spaces and carriage returns are removed, SecurityTrailer structure is:
7 Digest Mechanisms

7.1 Introduction

The following message digest algorithms are supported by nexo implementations:

1. SHA1: Message digest algorithm SHA-1 as defined in FIPS 180-2 (ASN.1 Object Identifier: id-sha1).
2. SHA256: Message digest algorithm SHA-256 as defined in FIPS 180-2 (ASN.1 Object Identifier: id-sha256).
3. SHA384: Message digest algorithm SHA-384 as defined in FIPS 180-2 (ASN.1 Object Identifier: id-sha384).
4. SHA512: Message digest algorithm SHA-512 as defined in FIPS 180-2 (ASN.1 Object Identifier: id-sha512).

7.2 Resulting CMS Structure

Digest is transported inside the DigestedData alternative of the generic CMS data structure ContentInformationType.

The DigestedData CMS data structure is detailed in the table below.

| SecurityTrailer | Mult. | Usage |
|---|---|---|
| ContentType | [1..1] | Value "DigestedData" |
| DigestedData | [1..1] | Digest computed on identified data. |
| Version | [0..1] default 0 | Version of the data structure, current version is 0. |
| DigestAlgorithm | [1..1] | Algorithm to compute digest message |
| Algorithm | [1..1] | Cryptographic algorithms for the digests. Allowed values: SHA1: Message digest algorithm SHA-1 as defined in FIPS 180-2 (ASN.1 Object Identifier: id-sha1); SHA256: Message digest algorithm SHA-256 as defined in FIPS 180-2 (ASN.1 Object Identifier: id-sha256); SHA384: Message digest algorithm SHA-384 as defined in FIPS 180-2 (ASN.1 Object Identifier: id-sha384); SHA512: Message digest algorithm SHA-512 as defined in FIPS 180-2 (ASN.1 Object Identifier: id-sha512). |
| EncapsulatedContent | [1..1] | Data to authenticate, Content item is absent as this is a detached MAC. |
| ContentType | [1..1] | Type of digested data. Allowed values: EnvelopedData: Digested data content is a CMS EnvelopedData structure; SignedData: Digested data content is a CMS SignedData structure; AuthenticatedData: Digested data content is a CMS AuthenticatedData structure; PlainData: Digested application data is not a CMS data structure. |
| Content | [0..1] | Data that have been digested. Absent if the digest is detached, i.e. if the content to hash is implicitly in another location of the message. |
| Digest | [1..1] | Digest value. |

7.3 Digest test vectors

The test vectors, given by the RFC 3447, are listed here as a reminder. Only values for message digest algorithms supported by nexo protocols are presented.

| Input | Algorithm | Output |
|---|---|---|
| Empty message "" | SHA-1 | DA39A3EE 5E6B4B0D 3255BFEF 95601890 AFD80709 |
| Empty message "" | SHA-256 | E3B0C442 98FC1C14 9AFBF4C8 996FB924 27AE41E4 649B934C A495991B 7852B855 |
| Empty message "" | SHA-384 | 38B060A7 51AC9638 4CD9327E B1B1E36A 21FDB711 14BE0743 4C0CC7BF 63F6E1DA 274EDEBF E76F65FB D51AD2F1 4898B95B |
| Empty message "" | SHA-512 | CF83E135 7EEFB8BD F1542850 D66D8007 D620E405 0B5715DC 83F4A921 D36CE9CE 47D0D13C 5D85F2B0 FF8318D2 877EEC2F 63B931BD 47417A81 A538327A F927DA3E |
| "abc" | SHA-1 | A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D |
| "abc" | SHA-256 | BA7816BF 8F01CFEA 414140DE 5DAE2223 B00361A3 96177A9C B410FF61 F20015AD |
| "abc" | SHA-384 | CB00753F 45A35E8B B5A03D69 9AC65007 272C32AB 0EDED163 1A8B605A 43FF5BED 8086072B A1E7CC23 58BAECA1 34C825A7 |
| "abc" | SHA-512 | DDAF35A1 93617ABA CC417349 AE204131 12E6FA4E 89A97EA2 0A9EEEE6 4B55D39A 2192992A 274FC1A8 36BA3C23 A3FEEBBD 454D4423 643CE80E 2A9AC94F A54CA49F |
| "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" | SHA-1 | 84983E44 1C3BD26E BAAE4AA1 F95129E5 E54670F1 |
| "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" | SHA-256 | 248D6A61 D20638B8 E5C02693 0C3E6039 A33CE459 64FF2167 F6ECEDD4 19DB06C1 |
| "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" | SHA-384 | 09330C33 F71147E8 3D192FC7 82CD1B47 53111B17 3B3B05D2 2FA08086 E3B0F712 FCC7C71A 557E2DB9 66C3E9FA 91746039 |
| "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" | SHA-512 | 8E959B75 DAE313DA 8CF4F728 14FC143F 8F7779C6 EB9F7FA1 7299AEAD B6889018 501D289E 4900F7E4 331B99DE C4B5433A C7D329EE B6DD2654 5E96E55B 874BE909 |
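A receiver-side check of a DigestedData element against the algorithms of 7.1 and the vectors of 7.3, added here as an example and not taken from the nexo specification. The dictionary layout mirroring the table in 7.2, the `allowed` parameter and the function names are assumptions.

```python
import hashlib
import hmac
from typing import Optional

# Algorithm names from 7.1 mapped to hashlib constructors.
DIGESTS = {
    "SHA1": hashlib.sha1,
    "SHA256": hashlib.sha256,
    "SHA384": hashlib.sha384,
    "SHA512": hashlib.sha512,
}

LONG_INPUT = (b"abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn"
              b"hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu")

# (algorithm, input, expected output) taken from the table in 7.3.
TEST_VECTORS = [
    ("SHA1", b"", "DA39A3EE 5E6B4B0D 3255BFEF 95601890 AFD80709"),
    ("SHA1", b"abc", "A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D"),
    ("SHA256", b"abc",
     "BA7816BF 8F01CFEA 414140DE 5DAE2223 B00361A3 96177A9C B410FF61 F20015AD"),
    ("SHA384", b"abc",
     "CB00753F 45A35E8B B5A03D69 9AC65007 272C32AB 0EDED163"
     "1A8B605A 43FF5BED 8086072B A1E7CC23 58BAECA1 34C825A7"),
    ("SHA512", b"abc",
     "DDAF35A1 93617ABA CC417349 AE204131 12E6FA4E 89A97EA2 0A9EEEE6 4B55D39A"
     "2192992A 274FC1A8 36BA3C23 A3FEEBBD 454D4423 643CE80E 2A9AC94F A54CA49F"),
    ("SHA384", LONG_INPUT,
     "09330C33 F71147E8 3D192FC7 82CD1B47 53111B17 3B3B05D2"
     "2FA08086 E3B0F712 FCC7C71A 557E2DB9 66C3E9FA 91746039"),
]


def self_test() -> bool:
    """Run the local digest implementations against the 7.3 vectors."""
    return all(
        DIGESTS[name](message).digest() == bytes.fromhex(expected)
        for name, message, expected in TEST_VECTORS
    )


def verify_digested_data(digested_data: dict,
                         detached_content: Optional[bytes] = None,
                         allowed=frozenset(DIGESTS)) -> bool:
    """Recompute the digest and compare it with the transported value.

    digested_data is a hypothetical dict using the item names of 7.2:
    DigestAlgorithm/Algorithm, EncapsulatedContent/Content, Digest.
    """
    name = digested_data["DigestAlgorithm"]["Algorithm"]
    if name not in DIGESTS or name not in allowed:
        raise ValueError(f"digest algorithm not accepted: {name}")

    content = digested_data["EncapsulatedContent"].get("Content")
    if content is None:
        # Detached digest: the caller must say which bytes were hashed.
        if detached_content is None:
            raise ValueError("detached digest without content to hash")
        content = detached_content
    elif detached_content is not None:
        raise ValueError("content given both inline and detached")

    computed = DIGESTS[name](content).digest()
    return hmac.compare_digest(computed, digested_data["Digest"])


if __name__ == "__main__":
    print("7.3 vectors reproduced:", self_test())
    # Constructed element: inline content "abc" with its SHA-256 digest.
    element = {
        "DigestAlgorithm": {"Algorithm": "SHA256"},
        "EncapsulatedContent": {"ContentType": "PlainData", "Content": b"abc"},
        "Digest": hashlib.sha256(b"abc").digest(),
    }
    print("inline digest valid:", verify_digested_data(element))
```
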