...
PIN entry on Tap to Phone solutions, because of its very sensitive nature, is handled by the Secure Client (and the Secure Backend). The flow is relatively simple, the PIN prompt is triggered by one API call. The output of the PIN entry is provided through a callback.
The following figure describes the message flow between the different merchant’s system components involved in the online PIN verification process:
For security reasons, the PAN (card data), returned by the L2/OLA API and the partial PIN block, returned by SCSDK PIN pad are encrypted using two different key set in two independent key spaces, named security domains (identified as PIN and PAN).
It is the role of the merchant’s system to transmit and use the PIN and PAN cryptograms for computing the standard PIN block in a secure environment. The resulting PIN block is used in the actual online PIN verification.
...
PIN prompt
To launch the PIN entry screen, once must call the pinEnter()
method from the AOneAppSecurity
class as follows:
Code Block |
---|
AOneAppSecuritySecureClient.getInstance(this.contextactivity, AOneAppSecurityCbk(this.activity)) .pinEnter(activity, amount, message, min, max, timeout, feedback) |
With:
amount: the amount string, including currency (ex: $ 51.00)
message: the customer message (ex: Please enter PIN)
min: the minimum number of PIN digits (usually 4)
max: the maximum number of PIN digits
timeout: the PIN entry timeout in seconds
feedback: physical and audible feedback flags (ex:
AOneAppSecurity.PIN_ENTRY_FB_HAPTIC or AOneAppSecurity.PIN_ENTRY_FB_SOUND)
Info |
---|
Once the |
...
The format of the partial PIN block cryptogram is:
...
E(PIN block) = IDLength||ID(Kpin-pub)||ERSA-OAEP-SHA-1(Kpin-pub, Kpin-session)||Eaes-ecb(Kpin-session, pin-block)
Which translates into:
Note |
---|
The format of the PIN block cryptogram changed staring secure client v1.0.9 |
Object | Length (bytes) | Comments |
---|---|---|
RSA Key ID length | 12 | Length of the key ID (MSB) |
RSA Key ID | var | RSA key ID used for the session key encryption |
Encrypted KEK length | 2 | Length of the encrypted KEK (MSB - should be 512) |
Encrypted KEK | 256512 | Encrypted KEK block:
|
Encrypted pseudo PIN block length | 2 | Length of the encrypted PIN block (MSB - should be 16) |
Encrypted pseudo PIN block | 16 | Encrypted pseudo PIN block:
|
HMAC Key ID length | 2 | Length of the HMAC key ID (MSB) |
HMAC Key ID | var | HMAC key ID used for the checksum calculation |
HMAC length | 2 | Length of the HMAC checksum (MSB - should be 32) |
HMAC | 32 | AES-CBC-256 checksum |
The pseudo PIN block is encoded in the following way:
...
0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 |
0xB9 | 0x6F | 0x4A | 0x31 | 0x06 | 0x9E | 0x73 | 0x48 | 0x9A | 0xA7 | 0xD3 | 0x60 | 0xD1 | 0x62 | 0xE3 | 0xD4 |
Example
Below is an example of data received after a successful PIN entry:
Code Block |
---|
07544553544b45592cc79bfa8faf135681df750ad36f2bc347c48ba49f6a3d7d17df442f46edee2783b5f
f0b6e82d5f8be7eb47063a992f6e43f1303dc715eb1049b03a4465358485276304d3165e9bb877c864693
7813dbb396b97a3570564e818c5df82b073a950022badb8c39ecf50e1366fb0bcc8e9474bc1bedba5da3d
feb298a300c90fd5b5c7cfc0f3ca88b6239fdf120a96083a22e0ce319c628b309519d9f1eaa675dd433d0
e7e5e8dbed56fc293431f7e5f57e76e9bd6930c89e268f07996f2275e76363250b437137942c0e42a5d83
b60a56862ad67d11254f1557eaeecc583f51d88719bcad3b09b262459a5a12ab30b18b02101cb17980749
78f429eb06ad64439914b18234b1c80f9040f1649f1a2894e7 |
Which can be split into:
The key ID length:
Code Block |
---|
07 |
The key ID:
Code Block |
---|
544553544b45 |
The encrypted KEK:
Code Block |
---|
2cc79bfa8faf135681df750ad36f2bc347c48ba49f6a3d7d17df442f46edee2783b5ff0b6e82d5f8be7eb
47063a992f6e43f1303dc715eb1049b03a4465358485276304d3165e9bb877c8646937813dbb396b97a35
70564e818c5df82b073a950022badb8c39ecf50e1366fb0bcc8e9474bc1bedba5da3dfeb298a300c90fd5
b5c7cfc0f3ca88b6239fdf120a96083a22e0ce319c628b309519d9f1eaa675dd433d0e7e5e8dbed56fc29
3431f7e5f57e76e9bd6930c89e268f07996f2275e76363250b437137942c0e42a5d83b60a56862ad67d11
254f1557eaeecc583f51d88719bcad3b09b262459a5a12ab30b18b02101cb1798074978f429eb06ad6443
99 |
The encrypted pseudo PIN-block:
Code Block |
---|
14b18234b1c80f9040f1649f1a2894e7 |
Applying an RSA decryption (RSA/ECB/OAEPWithSHA-256AndMGF1Padding
) on the “encrypted KEK” block will lead to:
The KEK:
Code Block |
---|
7df1d2d78e33346c316c5099d4a7857b |
The IV:
Code Block |
---|
00000000000000000000000000000000 |
Applying a AES decryption (AES/CBC/NoPadding
) on the “encrypted pseudo PIN-block” will provide the following pseudo PIN block data:
Code Block |
---|
4ef90b543d09a8151fcefe0058585858 |
...