Session Key Derivation
Introduction
Once the Master Key Derivation process is done, ICC Master Keys may be derivated in ICC Session Keys using
Session Key Derivation process.
The Session keys are used for the Authentication process, the Secure Messaging for Integrity and Secure Messaging
for Confidentiality functionalities.
The Session Keys are derived from the following ICC Master keys.
There are four ICC Master Keys (IMK).
MKAC
= ICC Master Key for Application Cryptogram.
MKSMI
= ICC Master Key for Secure Messaging Integrity.
MKSMC = ICC Master Key for Secure Messaging Confidentiality.
MKIDN
= ICC Master Key for ICC Dynamic Number generation.
Note : The MK are recorded in the ICC Secure Memory during personalization phase.
Note : The SK are different for each transaction.
Session Key Derivation
Key Derivation methods
ICC Session Key Derivation for MasterCard M/Chip 2.1


Input parameters : 16-Byte Master Key (MK), 8-Byte number R (R0-R1-R2-R3-R4-R5-R6-R7)
Output parameters :16-Byte Session Key (SK)
Note : The 8-Byte number R is dependant on the type of Session Key we want to compute.
o
o
For AC session key derivation, R is equal to (2-Byte Application Transaction Counter value + '00'
'00' + 4-Byte Unpredictable Number value).
For SMI and SMC session key derivation, R is equal to (8-Byte Application Cryptogram value).
SKL = DES3 (MK) (R0-R1-'F0'-R3-R4-R5-R6-R7)
SKR = DES3 (MK) (R0-R1-'0F'-R3-R4-R5-R6-R7)
SK = SKL || SKR
ICC Session Key Derivation for EMV2000


Input parameters : 16-Byte Master Key (MK), 8-Byte number R.
Output parameters : 16-Byte Session Key (SK)
R is equal to (2-Byte Application Transaction Counter value || '00' || '00' || '00' || '00' || '00' || '00').
SK = SKD (MK) (R).
SKD function is defined in Functions used for "EMV 2000 AC Session Key Derivation" section.
Session Key Derivation
There are four SKAC types :
* SKARPC
* SKARQC
* SKTC
* SKAAC
=
=
=
=
Session Key used for Authorization ResPonse Cryptogram.
Session Key used for Authorization ReQuest Cryptogram.
Session Key used for Transaction Certificate.
Session Key for Application Authentication Cryptogram.
Key Derivation Methods
There are several processes used to perform Session Key Derivation :
* One is specified by EMV2000 recommendations.
* One is specified by MasterCard recommendations.
* One is specified by Visa recommendations.
Conclusion
Session Key Derivation is the last step in Key Derivation process.
Glossary
ARC
Authorisation Response Code: The issuer's answer to an authorisation request. The issuer's
responses are typically: approve the transaction, decline the transaction, call your bank...
ARQC
Authorisation ReQuest Cryptogram: The cryptogram generated by the card for transactions requiring
online authorization and sent to the issuer in the authorization request. The issuer validates the ARQC
during the online card authentication process to ensure that the card is authentic, was not created
using skimmed data and that data stored in the card has not been altered since card issuance.
ARPC
Authorisation ResPonse Cryptogram: A cryptogram generated by the issuer and sent to the card in
the authorization response. This cryptogram is the result of the Authorization Request Cryptogram
(ARQC) and the issuer’s authorization response code (ARC) encrypted with the card secret key. The
cards validates it during online issuer authentication to ensure that the response came from a valid
issuer.
Authentification
A cryptographic process that validates the integrity of data and its origin.
Card master keys
These keys are used to generate session keys unique for each transaction. The card uses these
session keys to compute ARQCs and validate issuer's ARPCs.
Cryptogram
A numeric value that is the result of data elements put into an algorithm and then encrypted. It is
commonly used to validate data integrity.
DES
Data Encryption Standard is a symmetic cryptographic algorithm.
IAD
Issuer Authentication Data: Data sent to the card from the issuer host for online issuer authentication.
IMK
Issuer Master Keys are used to generate the unique card master keys for each card during
personalisation. The issuer hosts uses them to recover the card master keys to validate ARQCs and
generate ARPCs.
MAC
Message Authentication Code: A numeric value generated using a cryptographic algorithm, which
establishes that the contents of a message have not been changed and that the message was
generated by an authorized entity.
PAN
Primary Account Number is the valid cardholder account number.
PAN SN
PAN Sequence Number identifies and differentiates cards with the same PAN.
Session Key
A temporary cryptographic key computed and no longer valid after the end of the transaction.