Session Key Derivation

Introduction

Once the Master Key Derivation process is done, ICC Master Keys may be derived into ICC Session Keys using the Session Key Derivation process. The Session Keys are used for the Authentication process, the Secure Messaging for Integrity and the Secure Messaging for Confidentiality functionalities.

The Session Keys are derived from the following ICC Master Keys. There are four ICC Master Keys (IMK):
* MKAC = ICC Master Key for Application Cryptogram.
* MKSMI = ICC Master Key for Secure Messaging Integrity.
* MKSMC = ICC Master Key for Secure Messaging Confidentiality.
* MKIDN = ICC Master Key for ICC Dynamic Number generation.

Note : The MK are recorded in the ICC Secure Memory during the personalization phase.
Note : The SK are different for each transaction.

Session Key Derivation

Key Derivation methods

ICC Session Key Derivation for MasterCard M/Chip 2.1

Input parameters : 16-Byte Master Key (MK), 8-Byte number R (R0-R1-R2-R3-R4-R5-R6-R7)
Output parameters : 16-Byte Session Key (SK)

Note : The 8-Byte number R depends on the type of Session Key we want to compute.
* For AC session key derivation, R is equal to (2-Byte Application Transaction Counter value + '00' '00' + 4-Byte Unpredictable Number value).
* For SMI and SMC session key derivation, R is equal to (8-Byte Application Cryptogram value).

SKL = DES3 (MK) (R0-R1-'F0'-R3-R4-R5-R6-R7)
SKR = DES3 (MK) (R0-R1-'0F'-R3-R4-R5-R6-R7)
SK = SKL || SKR

ICC Session Key Derivation for EMV2000

Input parameters : 16-Byte Master Key (MK), 8-Byte number R.
Output parameters : 16-Byte Session Key (SK)

R is equal to (2-Byte Application Transaction Counter value || '00' || '00' || '00' || '00' || '00' || '00').
SK = SKD (MK) (R).
The SKD function is defined in the Functions used for "EMV 2000 AC Session Key Derivation" section.

Session Key Derivation

There are four SKAC types :
* SKARPC = Session Key used for Authorization ResPonse Cryptogram.
* SKARQC = Session Key used for Authorization ReQuest Cryptogram.
* SKTC = Session Key used for Transaction Certificate.
* SKAAC = Session Key for Application Authentication Cryptogram.

Key Derivation Methods

There are several processes used to perform Session Key Derivation :
* One is specified by EMV2000 recommendations.
* One is specified by MasterCard recommendations.
* One is specified by Visa recommendations.

Conclusion

Session Key Derivation is the last step in the Key Derivation process.

Glossary

* ARC (Authorisation Response Code): The issuer's answer to an authorisation request. The issuer's responses are typically: approve the transaction, decline the transaction, call your bank...
* ARQC (Authorisation ReQuest Cryptogram): The cryptogram generated by the card for transactions requiring online authorization and sent to the issuer in the authorization request. The issuer validates the ARQC during the online card authentication process to ensure that the card is authentic, was not created using skimmed data and that data stored in the card has not been altered since card issuance.
* ARPC (Authorisation ResPonse Cryptogram): A cryptogram generated by the issuer and sent to the card in the authorization response. This cryptogram is the result of the Authorization Request Cryptogram (ARQC) and the issuer's authorization response code (ARC) encrypted with the card secret key. The card validates it during online issuer authentication to ensure that the response came from a valid issuer.
* Authentication: A cryptographic process that validates the integrity of data and its origin.
* Card master keys: These keys are used to generate session keys unique to each transaction. The card uses these session keys to compute ARQCs and validate the issuer's ARPCs.
* Cryptogram: A numeric value that is the result of data elements put into an algorithm and then encrypted. It is commonly used to validate data integrity.
* DES (Data Encryption Standard): A symmetric cryptographic algorithm.
* IAD (Issuer Authentication Data): Data sent to the card from the issuer host for online issuer authentication.
* IMK (Issuer Master Keys): Used to generate the unique card master keys for each card during personalisation. The issuer host uses them to recover the card master keys to validate ARQCs and generate ARPCs.
* MAC (Message Authentication Code): A numeric value generated using a cryptographic algorithm, which establishes that the contents of a message have not been changed and that the message was generated by an authorized entity.
* PAN (Primary Account Number): The valid cardholder account number.
* PAN SN (PAN Sequence Number): Identifies and differentiates cards with the same PAN.
* Session Key: A temporary cryptographic key that is computed for one transaction and is no longer valid after the end of that transaction.
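As an added worked example, not code from the original page, the MasterCard M/Chip 2.1 derivation described above in Go using the standard-library crypto/des package: R for an AC session key is assembled as ATC || '00' '00' || UN, byte R2 is replaced by 'F0' for SKL and '0F' for SKR, and each half is encrypted under MK. It assumes DES3(MK) with a 16-byte MK means two-key triple DES with the key expanded to K1||K2||K1; the MK, ATC and UN values used to exercise it are constructed samples, not values from any real card.

```go
package main

import (
	"crypto/des"
	"fmt"
)

// Des3 runs one 8-byte block through two-key triple DES under a 16-byte MK
// (assumed K1||K2||K1), the DES3(MK) of the text; enc=false decrypts, for checks.
func Des3(mk, in []byte, enc bool) ([]byte, error) {
	c, err := des.NewTripleDESCipher(append(append([]byte{}, mk...), mk[:8]...))
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	if enc {
		c.Encrypt(out, in)
	} else {
		c.Decrypt(out, in)
	}
	return out, nil
}

// BuildRForAC assembles R for the AC session keys: ATC || '00' '00' || UN.
// For SMI and SMC, R is the 8-byte Application Cryptogram and needs no helper.
func BuildRForAC(atc, un []byte) ([]byte, error) {
	if len(atc) != 2 || len(un) != 4 {
		return nil, fmt.Errorf("ATC must be 2 bytes and UN 4 bytes")
	}
	return append(append(append([]byte{}, atc...), 0x00, 0x00), un...), nil
}

// DeriveSessionKeyMChip21 returns SK = SKL || SKR, where SKL and SKR are R with
// byte R2 replaced by 'F0' and '0F' respectively, each encrypted under MK.
func DeriveSessionKeyMChip21(mk, r []byte) ([]byte, error) {
	if len(mk) != 16 || len(r) != 8 {
		return nil, fmt.Errorf("need a 16-byte MK and an 8-byte R")
	}
	var sk []byte
	for _, tag := range []byte{0xF0, 0x0F} {
		d := append([]byte{}, r...) // copy so the caller's R is untouched
		d[2] = tag
		half, err := Des3(mk, d, true)
		if err != nil {
			return nil, err
		}
		sk = append(sk, half...)
	}
	return sk, nil
}
```

Decrypting either half of SK under MK must give back R with R2 equal to 'F0' or '0F', which is a quick self-check when validating an implementation against card data.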