Amadis

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

Foreword

Some card data (tags) are considered sensitive from a security perspective, especially the Primary Account Number (or PAN). This Primary Account Number can be found in several places (PAN tag, Track1 equivalent, Track2 equivalent, etc…) and must be protected throughout the transaction.

The Agnos SDK in conjunction with the Secure Client SDK will take card of securing those tags (encrypted backup) and obfuscate them so that no one (e.g. no application) can access them in clear.

Exporting the card data

Once the transaction is complete, exporting the card data (encrypted) is as simple as:

Dev dev = new Dev()
...
// Transaction
...
dev.exportCardData()

This function, if successful, will return a block of data, which content is described below.

Sensitive data block format

Card data are formatted as a BER-TLV byte string. The card data byte string is encrypted using the AES-CBC algorithm and a 128 bits AES key, Kpan-session and a shared IV, IVpan-session. The key and IV are unique for each encoded card data. Kpan-session is wrapped using the RSA-2048 Kpan-pub using the PKCS#1 RSA-OAEP algorithm with SHA-1 as digest.

The format of the PAN cryptogram is:

E(card-data) = ID(Kpan-pub)|| IVpan-session ||ERSA-OAEP-SHA-1(Kpan-pub, Kpan-session)||Eaes-ecb(Kpan-session, IVpan-session, card-data)

With:

  • ID(Kpan-pub) is the public key identifier.

Which translates into:

Object

Length (bytes)

Comments

ID length

1

Length of the key ID

Key ID

var

RSA key ID used for the session key encryption

Encrypted KEK

256

Encrypted KEK block:

  • encrypted with RSA key (RSA/ECB/OAEPWithSHA-256AndMGF1Padding)

  • cleartext contains the KEK (16 bytes) and the IV (16 bytes)

Encrypted sensitive card data

var

Encrypted sensitive card data:

  • encrypted with KEK key (AES/CBC/NoPadding)

  • cleartext which can contain the following tags:

    • ‘56’ (Track1)

    • ‘57’ (Track2)

    • ‘5A’ (PAN)

    • ‘90’ (Issuer Public Key Certificate)

    • ‘9F46’ (ICC Public Key Certificate)

    • ‘9F6B’ (Track2 data - MasterCard)

The sensitive card data are organized in a simple TLV stream before being encrypted.

Example

Below is an example of data received after a successful card data export:

053cb9dd2f509ead9d7d203cf268e9df4f61b88ccf4a7cf25e62c19099088689a7098309be3ed7d3e61c3a7
26d56a45124f1ce7f1551db784d4452e8da020bf7732e9365e9092643d5ebde4fb6a8706d83fc46fab5f0
7d0729abd11604207565f6c513d81ebbae3d81a4f131b5ff1eef45b06febc2d49ffd37956f418c61322c5
df44552170af975f1a35dfda7dce7304a3637dcce962e4a466cf77d9374af8400f1cc029c037f37e3bcbf
2279adba8383145b226d4c4be4fa95381f66845ccd56a3b98fe933fac5b9e379ad55ce46b997a62ff1455
0719421f8891d49396f9b7ee203493bc140958081d1525857e1df74ff3fb6d367577cf2dd1636e4961cce
391a2943f79035e1e076d4f210a3b3c657d79cbda1c22ee1e4f28dbe71679b9fd14ea01645209825507cc
161522f505524279b3379aaa45dfd3e697c79024b28523b9ba2f267cc477413cb87b57ba5696d2983599d
ccbcd08ab9cd15d36f2507022a81e4f1f684089e9679ab5e8f06bb8efbe66e78500fb0187e142cce11499
76c5aec2b1b6b

Which can be split into:

  • The key ID: 

3cb9dd2f50

  • The encrypted KEK:

9ead9d7d203cf268e9df4f61b88ccf4a7cf25e62c19099088689a7098309be3ed7d3e61c3a726d56a4512
4f1ce7f1551db784d4452e8da020bf7732e9365e9092643d5ebde4fb6a8706d83fc46fab5f07d0729abd1
1604207565f6c513d81ebbae3d81a4f131b5ff1eef45b06febc2d49ffd37956f418c61322c5df44552170
af975f1a35dfda7dce7304a3637dcce962e4a466cf77d9374af8400f1cc029c037f37e3bcbf2279adba83
83145b226d4c4be4fa95381f66845ccd56a3b98fe933fac5b9e379ad55ce46b997a62ff14550719421f88
91d49396f9b7ee203493bc140958081d1525857e1df74ff3fb6d367577cf2dd1636e4961cce391a2943f7
90

  • The encrypted card data:

35e1e076d4f210a3b3c657d79cbda1c22ee1e4f28dbe71679b9fd14ea01645209825507cc161522f50552
4279b3379aaa45dfd3e697c79024b28523b9ba2f267cc477413cb87b57ba5696d2983599dccbcd08ab9cd
15d36f2507022a81e4f1f684089e9679ab5e8f06bb8efbe66e78500fb0187e142cce1149976c5aec2b1b6
b

Applying an RSA decryption (RSA/ECB/OAEPWithSHA-256AndMGF1Padding) on the “encrypted KEK” block will lead to:

  • The KEK:

68bd9a24627d8a40f64d7a365d6bfd07

  • The IV:

b7edc9e4625c73bd2fcbdb9b2cc77672

Applying a AES decryption (AES/CBC/NoPadding) on the “encrypted card data” block will provide the following data:

563342353431333333303035373030343036325e4355535420494d50204d43203430362f5e32353132323
03130323234303038373057115413330057004062d2512201022400870f5a0854133300570040629f6b11
5413330057004062d2512201022400870f000000000000000000000000000000000000000000000000000
0

Which can be split into:

  • Tag ‘56’ (Track1)

42353431333333303035373030343036325e4355535420494d50204d43203430362f5e32353132323
031303232343030383730

  • Tag ‘57’ (Track2)

5413330057004062d2512201022400870f

  • Tag ‘5A’ (PAN)

5413330057004062

  • Tag ‘9F6B’ (Track2 data)

5413330057004062d2512201022400870f

  • Padding

0000000000000000000000000000000000000000000000000000

  • No labels