...
Once the transaction is complete, exporting the card data (encrypted) is as simple as:
```
var agnos = new Agnos(this, this, this)
...
// Transaction
...
agnos.exportCardData()
```
This function, if successful, will return a block of data whose content is described below.
...
Card data are formatted as a BER-TLV byte string. The card data byte string is encrypted using the AES-CBC algorithm with a 128-bit AES key, Kpan-session, and a shared IV, IVpan-session. The key and IV are unique to each encoded card data block. Kpan-session is wrapped with the RSA-~~2048~~ 4096 public key Kpan-pub using the PKCS#1 RSA-OAEP algorithm with SHA-1 as digest.
The format of the PAN cryptogram is:
...
`E(card-data) = ID(Kpan-pub) || IVpan-session || E_RSA-OAEP-SHA-1(Kpan-pub, Kpan-session) || E_aes-ecb(Kpan-session, IVpan-session, card-data)`
With:
ID(Kpan-pub) is the public key identifier.
Which translates into:
Note: Cryptogram format changed starting with secure client v1.0.9.

Object | Length (bytes) | Comments |
---|---|---|
RSA Key ID length | ~~1~~ 2 | Length of the RSA key ID (MSB) |
RSA Key ID | var | RSA key ID used for the session key encryption |
Encrypted KEK ~~256~~ length | 2 | Length of the encrypted KEK block (MSB - should be 512) |
Encrypted KEK | 512 | Encrypted KEK block: |
Encrypted card data length | 2 | Length of the encrypted card data block (MSB) |
Encrypted sensitive card data | var | Encrypted sensitive card data: |

The sensitive card data are organized in a simple TLV stream before being encrypted.
Example
Below is an example of data received after a successful card data export:
```
053cb9dd2f509ead9d7d203cf268e9df4f61b88ccf4a7cf25e62c19099088689a7098309be3ed7d3e61c3a7
26d56a45124f1ce7f1551db784d4452e8da020bf7732e9365e9092643d5ebde4fb6a8706d83fc46fab5f0
7d0729abd11604207565f6c513d81ebbae3d81a4f131b5ff1eef45b06febc2d49ffd37956f418c61322c5
df44552170af975f1a35dfda7dce7304a3637dcce962e4a466cf77d9374af8400f1cc029c037f37e3bcbf
2279adba8383145b226d4c4be4fa95381f66845ccd56a3b98fe933fac5b9e379ad55ce46b997a62ff1455
0719421f8891d49396f9b7ee203493bc140958081d1525857e1df74ff3fb6d367577cf2dd1636e4961cce
391a2943f79035e1e076d4f210a3b3c657d79cbda1c22ee1e4f28dbe71679b9fd14ea01645209825507cc
161522f505524279b3379aaa45dfd3e697c79024b28523b9ba2f267cc477413cb87b57ba5696d2983599d
ccbcd08ab9cd15d36f2507022a81e4f1f684089e9679ab5e8f06bb8efbe66e78500fb0187e142cce11499
76c5aec2b1b6b
```
Which can be split into:
The key ID:
```
3cb9dd2f50
```
The encrypted KEK:
```
9ead9d7d203cf268e9df4f61b88ccf4a7cf25e62c19099088689a7098309be3ed7d3e61c3a726d56a4512
4f1ce7f1551db784d4452e8da020bf7732e9365e9092643d5ebde4fb6a8706d83fc46fab5f07d0729abd1
1604207565f6c513d81ebbae3d81a4f131b5ff1eef45b06febc2d49ffd37956f418c61322c5df44552170
af975f1a35dfda7dce7304a3637dcce962e4a466cf77d9374af8400f1cc029c037f37e3bcbf2279adba83
83145b226d4c4be4fa95381f66845ccd56a3b98fe933fac5b9e379ad55ce46b997a62ff14550719421f88
91d49396f9b7ee203493bc140958081d1525857e1df74ff3fb6d367577cf2dd1636e4961cce391a2943f7
90
```
The encrypted card data:
```
35e1e076d4f210a3b3c657d79cbda1c22ee1e4f28dbe71679b9fd14ea01645209825507cc161522f50552
4279b3379aaa45dfd3e697c79024b28523b9ba2f267cc477413cb87b57ba5696d2983599dccbcd08ab9cd
15d36f2507022a81e4f1f684089e9679ab5e8f06bb8efbe66e78500fb0187e142cce1149976c5aec2b1b6
b
```
Applying an RSA decryption (`RSA/ECB/OAEPWithSHA-256AndMGF1Padding`) to the “encrypted KEK” block yields:
The KEK:
```
68bd9a24627d8a40f64d7a365d6bfd07
```
The IV:
```
b7edc9e4625c73bd2fcbdb9b2cc77672
```
Applying an AES decryption (`AES/CBC/NoPadding`) to the “encrypted card data” block yields the following data:
```
563342353431333333303035373030343036325e4355535420494d50204d43203430362f5e32353132323
03130323234303038373057115413330057004062d2512201022400870f5a0854133300570040629f6b11
5413330057004062d2512201022400870f000000000000000000000000000000000000000000000000000
0
```
Which can be split into:
Tag ‘56’ (Track1)
```
42353431333333303035373030343036325e4355535420494d50204d43203430362f5e32353132323
031303232343030383730
```
Tag ‘57’ (Track2)
```
5413330057004062d2512201022400870f
```
Tag ‘5A’ (PAN)
```
5413330057004062
```
Tag ‘9F6B’ (Track2 data)
```
5413330057004062d2512201022400870f
```
Padding
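
The split above can be reproduced mechanically on the receiving side. The Python below is an added example, not part of the SDK or of the original page: it walks the decrypted block as BER-TLV, treats `00` bytes as padding (left in place by `AES/CBC/NoPadding`), and masks the PAN before display. The names `parse_tlv` and `mask_pan` are hypothetical.

```python
# Decrypted block from the example above (tags 56, 57, 5A, 9F6B), followed by
# the 26 zero bytes of padding that bring it to 128 bytes (8 AES blocks).
SAMPLE_HEX = (
    "5633" "4235343133333330303537303034303632"
    "5e4355535420494d50204d43203430362f"
    "5e32353132323031303232343030383730"
    "5711" "5413330057004062d2512201022400870f"
    "5a08" "5413330057004062"
    "9f6b11" "5413330057004062d2512201022400870f"
    + "00" * 26
)

def parse_tlv(data: bytes) -> dict:
    """Parse a flat BER-TLV stream into {TAG_HEX: value}; 00 bytes are padding."""
    out, i, end = {}, 0, len(data)
    while i < end:
        if data[i] == 0x00:                 # padding byte, not a tag
            i += 1
            continue
        start, i = i, i + 1
        if data[start] & 0x1F == 0x1F:      # multi-byte tag such as 9F6B
            while i < end and data[i] & 0x80:
                i += 1
            i += 1                          # last tag byte (bit 8 clear)
        if i >= end:
            raise ValueError("truncated tag or missing length")
        tag = data[start:i].hex().upper()
        length, i = data[i], i + 1
        if length & 0x80:                   # long form: next n bytes hold the length
            n = length & 0x7F
            if n == 0 or i + n > end:
                raise ValueError(f"bad length for tag {tag}")
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        if i + length > end:                # never read past the decrypted block
            raise ValueError(f"tag {tag} overruns the block")
        out[tag] = data[i:i + length]
        i += length
    return out

def mask_pan(pan: bytes) -> str:
    """Render a BCD PAN (tag 5A) as first 6 / last 4 digits for logs."""
    digits = pan.hex().rstrip("f")          # odd-length PANs are 'F'-padded
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

if __name__ == "__main__":
    fields = parse_tlv(bytes.fromhex(SAMPLE_HEX))
    for tag, value in fields.items():
        shown = mask_pan(value) if tag == "5A" else f"<{len(value)} bytes>"
        print(tag, shown)
```

A length that runs past the end of the block raises `ValueError` rather than returning a short value, which is the behaviour wanted when the wrong KEK or IV produced garbage plaintext.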
...
HMAC Key ID length | 2 | Length of the HMAC key ID (MSB) |
HMAC Key ID | var | HMAC key ID used for the checksum calculation |
HMAC length | 2 | Length of the HMAC checksum (MSB - should be 32) |
HMAC | 32 | AES-CBC-256 checksum |