0% found this document useful (0 votes)

574 views

Mchip Card Application Cryptographic Algorithms

Uploaded by

奇刘

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

574 views

Mchip Card Application Cryptographic Algorithms

Uploaded by

奇刘

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 180

M/Chip Card Application

Cryptographic
Algorithms
March 2010
Notices
Proprietary Rights The information contained in this document is proprietary and
confidential to MasterCard International Incorporated, one or more of its
affiliated entities (collectively "MasterCard"), or both.
This material may not be duplicated, published, or disclosed, in
whole or in part, without the prior written permission of MasterCard.
MasterCard provides the information in this document (or in any
translated document) to its customers for internal use only, “AS IS,” and
makes no representations or warranties of any kind with respect to such
information, including, but not limited to, its accuracy or reliability.

Trademarks Trademark notices and symbols used in this document reflect the
registration status of MasterCard trademarks in the United States. Please
consult with the Customer Operations Services team or the MasterCard
Law Department for registration status of particular product, program, or
service names outside the United States.
All third-party product and service names are trademarks or registered
trademarks of their respective owners.

Information MasterCard provides details about the standards used for this
Available Online document—including times expressed, language use, excerpted text,
and contact information—on the Member Publications Support page
available on MasterCard OnLine®. Go to Member Publications Support
for centralized information.

Translation A translation of any MasterCard manual, bulletin, release, or other

MasterCard document into a language other than English is intended
solely as a convenience to MasterCard customers. In no event shall
MasterCard be liable for any damages resulting from a customer's reliance
on any translated document. The English version of any MasterCard
document will take precedence over any translated version in any legal
proceeding.

Publication Code MAC

©2008–2010 MasterCard
March 2010 • M/Chip Card Application Cryptographic Algorithms
Summary of Changes
This document reflects changes associated with the M/Chip Application Cryptographic Algorithm
manual.

Description of Change Where to Look

Corrected Reference Documents. Appendix A
Updated Using this Document.
Updated EM, PayPass, and ISO under Sources.
Removed CD, modified DDA description, added SMC and SMI descriptions
to Abbreviations.
Replaced PayPass M/Chip 1.3 with PayPass M/Chip 4. All tables throughout the
document
Add R2 Payment and R2 Data Storage applications in all tables throughout All tables throughout the
the document. Added superscripts and accompanying note where indicated. document
Updated table data under CDA Details. CDA Details
Updated title and text changes for Offline Enciphered PIN Encryption. About Offline Enciphered
PIN Decryption
Updated title for Data Objects for Generating Application Cryptograms Variant 1 and Variant 2
chapters.
Added section for Data Objects for Generating Application Cryptograms Variant 3
Variant 3.
Updated table for Application Cryptograms Generation Process Variant 2 Application Cryptograms
and removed step 5 from How the AC Generation Algorithm Works list. Generation Process Variant
2
Updated title for all of ARPC Validation Process chapters. ARPC Validation Process
Updated steps for ARPC Validation Algorithm Variant 2 and 3. How the ARPC Validation
Algorithm Works
Updated titles for Secure Messaging for Integrity Validation Process. SMI Variant 1 and 2
Updated steps in How the MAC Validation works. Secure Messaging for
Integrity Validation Process
Variant 2
Updated titles for PIN Change Command Decryption Process. PIN Change Command
Variant 1 and 2
Updated step #2 under How the Command is Decrypted. PIN Change Command
Decryption Process Variant
1
Update ICC Session Key Derivation in individual application documents to About ICC Session
include only the derivation method that is applicable. Key Derivation in each
application document
Update paragraph under EMV EMV CSK Method Session
Key
Added Offline Counters Variant 1 matrix. About Encrypted Counters
Added Offline Counters Variant 2 matrix and data. About Encrypted Counters
Updated title for Encrypted Counters Process. Encrypted Counters
Encryption Variant 1

Description of Change Where to Look

Added Encrypted Counters (Variant 2) matrix and text. Encrypted Counters
(Variant 2)
Updated title Dynamic CVC3 Generation. Dynamic CVC3 Generation
Added CBC Mode section. DES and Triple DES
Updated text under RSA and removed Values of Public Key Exponents table. RSA
Updated EMV2000 Session Key Derivation text. EMV2000 Session Key
Derivation
Add paragraph about Data Samples. Notation Used
Corrections to text and data on ARPC Validation Example 1 ARPC Validation Example 1
Corrections to text and data on ARPC Validation Example 2. ARPC Validation Example 2

Corrections to text and data on ARPC Validation Example 3. ARPC Validation Example 3

Correction to text and data on ARPC Validation Example 4. ARPC Validation Example 4

Updated text and date on TC Generation Example 2. TC Generation Example 2

Updated text and date on TC Generation Example 4. TC Generation Example 4

Updated text under Script MAC Validation Example 1. Script MAC Validation
Example 1
Updated text under Script MAC Validation Example 2. Script MAC Validation
Example 2
Updated text under Script MAC Validation Example 3. Script MAC Validation
Example 3
Updated text under Script MAC Validation Example 4 Script MAC Validation
Example 4
Updated data under Generate AC Command. Generate AC Command
Updated text in Offline Encipherment PIN Decryption Details. PIN Decryption Details

©2008–2010 MasterCard
2 March 2010 • M/Chip Card Application Cryptographic Algorithms
Table of Contents
Part 1 - Dynamic Data Authentication.................................................................1

Chapter 1 Standard Dynamic Data Authentication (DDA) ........................... 1-i

Standard DDA.......................................................................................................................... 1-1

Chapter 2 Combined Dynamic Data Authentication and AC Generation

(CDA)................................................................................................................... 2-i
About CDA .............................................................................................................................. 2-1
CDA Details (Variant 1) ........................................................................................................... 2-1
CDA Details (Variant 2) ........................................................................................................... 2-3

Part 2 - Recover AC ...............................................................................................1

Chapter 3 Recover AC ..................................................................................... 3-i

Recover AC With CDA (Variant 1) ........................................................................................... 3-1
Recover AC With CDA (Variant 2) ........................................................................................... 3-2

Part 3 - Offline Enciphered PIN Decryption for Verify........................................1

Chapter 4 Offline Enciphered PIN Decryption for Verify .............................. 4-i

About Offline Enciphered PIN Decryption for Verify .............................................................. 4-1

Part 4 - Offline Enciphered PIN Decryption for Offline Change PIN..................1

Chapter 5 Offline Enciphered PIN Decryption for Offline Change PIN ........ 5-i
About Offline Enciphered PIN Decryption for Offline Change PIN ........................................ 5-1

Part 5 - Application Cryptograms Generation ....................................................1

Chapter 6 Application Cryptograms Generation .......................................... 6-i

About Application Cryptograms............................................................................................... 6-1
Data Objects for Generating Application Cryptograms (Variant 1).......................................... 6-1
Data Objects for Generating Application Cryptograms (Variant 2).......................................... 6-1
Data Objects for Generating Application Cryptograms (Variant 3) .......................................... 6-3
Application Cryptogram Generation Process (Variant 1) ......................................................... 6-6
Application Cryptogram Generation Process (Variant 2) ......................................................... 6-7
Application Cryptogram Generation Process (Variant 3) ......................................................... 6-7
Application Cryptogram Generation Process (Variant 4) ......................................................... 6-8

Part 6 - Issuer Authentication ..............................................................................1

Chapter 7 Issuer Authentication .................................................................... 7-i

About Issuer Authentication .................................................................................................... 7-1
ARPC Validation Process (Variant 1) ........................................................................................ 7-1
ARPC Validation Process (Variant 2) ........................................................................................ 7-1
ARPC Validation Process (Variant 3) ........................................................................................ 7-2

Part 7 - Secure Messaging ....................................................................................1

Chapter 8 Secure Messaging .......................................................................... 8-i

About Secure Messaging .......................................................................................................... 8-1
Secure Messaging for Integrity (SMI) Validation Process (Variant 1) ....................................... 8-2
Secure Messaging for Integrity (SMI) Validation Process (Variant 2) ....................................... 8-2
Secure Messaging for Integrity (SMI) Validation Process (Variant 3) ....................................... 8-3
PIN CHANGE Command Decryption Process (Variant 1) ........................................................ 8-4
PIN CHANGE Command Decryption Process (Variant 2) ........................................................ 8-5
PIN CHANGE Command Decryption Process (Variant 3) ........................................................ 8-6

Part 8 - ICC Session Key Derivation .....................................................................1

Chapter 9 ICC Session Key Derivation ........................................................... 9-i

About ICC Session Key Derivation .......................................................................................... 9-1

Chapter 10 MasterCard Proprietary SKD Method....................................... 10-i

MasterCard Proprietary SKD Method Key...............................................................................10-1
AC Session Key.......................................................................................................................10-1
Secure Messaging Session Key................................................................................................10-2

Chapter 11 EMV2000 Method Key ............................................................... 11-i

EMV2000 Method Key ............................................................................................................11-1

Chapter 12 EMV CSK Method....................................................................... 12-i

EMV CSK Method Key ............................................................................................................12-1
AC Session Key.......................................................................................................................12-2
Secure Messaging Session Key................................................................................................12-2

Part 9 - ICC Dynamic Number Generation ...........................................................1

Chapter 13 ICC Dynamic Number Generation ............................................. 13-i

ICC Dynamic Number Generation Process .............................................................................13-1

Part 10 - Encrypted Counters ...............................................................................1

Chapter 14 Encrypted Counters ................................................................... 14-i

Encrypted Counters ................................................................................................................14-1
Encrypted Counters Encryption (Variant 1) ............................................................................14-1
Encrypted Counters Encryption (Variant 2) ............................................................................14-2

Part 11 - Dynamic CVC3 ........................................................................................1

Chapter 15 Dynamic CVC3 ............................................................................ 15-i

Dynamic CVC3 Generation .....................................................................................................15-1

Part 12 - Data Storage ..........................................................................................1

Chapter 16 Data Storage .............................................................................. 16-i

Data Storage — OWHF1 Function..........................................................................................16-1
Data Storage — OWHF2 Function..........................................................................................16-2

Part 13 - Cryptographic Primitives .......................................................................1

Chapter 17 Cryptographic Primitives ........................................................... 17-i

About DES and Triple-DES .....................................................................................................17-1
MAC ........................................................................................................................................17-2
RSA .........................................................................................................................................17-2
SHA-1......................................................................................................................................17-4
EMV 2000 Session Key Derivation ..........................................................................................17-4

Part 14 - Examples.................................................................................................1

Chapter 18 Notation Used ............................................................................ 18-i

Notation Used .........................................................................................................................18-1

Chapter 19 Purchase with Online Authorization ........................................ 19-i

MasterCard Proprietary Session Key Derivation for AC ..........................................................19-1
EMV2000 Session Key Derivation for AC................................................................................19-1
Common Session Key Derivation for AC ................................................................................19-3
ARQC Generation (Example 1) ...............................................................................................19-4
ARQC Generation (Example 2) ...............................................................................................19-5
ARQC Generation (Example 3) ...............................................................................................19-7
ARQC Generation (Example 4) ...............................................................................................19-9
ARPC Validation (Example 1) ...............................................................................................19-10
ARPC Validation (Example 2) ...............................................................................................19-11
ARPC Validation (Example 3) ...............................................................................................19-13

ARPC Validation (Example 4) ...............................................................................................19-14

TC Generation (Example 1) ..................................................................................................19-15
TC Generation (Example 2) ..................................................................................................19-16
TC Generation (Example 3) ..................................................................................................19-18
TC Generation (Example 4) ..................................................................................................19-20
Dynamic CVC3 Generation ...................................................................................................19-21

Chapter 20 PIN Change ................................................................................. 20-i

MasterCard Proprietary Session Key Derivation for PIN Change Script Decryption (Example
1) ............................................................................................................................................20-1
MasterCard Proprietary Session Key Derivation for PIN Change Script Decryption (Example
2) ............................................................................................................................................20-2
EMV2000 Session Key Derivation for PIN Change Script Decryption .....................................20-3
Common Session Key Derivation for PIN Change Script Decryption .....................................20-5
PIN Change Script Decryption (Example 1) ............................................................................20-6
PIN Change Script Decryption (Example 2) ............................................................................20-7
PIN Change Script Decryption (Example 3) ............................................................................20-8
PIN Change Script Decryption (Example 4) ............................................................................20-9
MasterCard Proprietary Session Key Derivation for Script MAC (Example 1) .......................20-10
MasterCard Proprietary Session Key Derivation for Script MAC (Example 2) .......................20-11
EMV2000 Session Key Derivation for Script MAC .................................................................20-13
Common Session Key Derivation for Script MAC .................................................................20-14
Script MAC Validation (Example 1) .......................................................................................20-15
Script MAC Validation (Example 2) .......................................................................................20-17
Script MAC Validation (Example 3) .......................................................................................20-21
Script MAC Validation (Example 4) .......................................................................................20-23

Chapter 21 Dynamic Data Authentication................................................... 21-i

Generation of the ICC Dynamic Number................................................................................21-1
Generation of the Signed Dynamic Application Data .............................................................21-1

Chapter 22 Combined DDA / AC Generation .............................................. 22-i

GENERATE AC Command ......................................................................................................22-1
SDAD Computation ................................................................................................................22-1
GENERATE AC Response........................................................................................................22-7

Chapter 23 Offline Enciphered PIN Decription ............................................ 23-i

Offline Enciphered PIN Decryption Details ............................................................................23-1

Chapter 24 Data Storage .............................................................................. 24-i

Data Storage Details................................................................................................................24-1

Appendix A Reference Information ............................................................... A-i

Using this Document ............................................................................................................... A-1
Sources .................................................................................................................................... A-4
Abbreviations........................................................................................................................... A-5
Conventions............................................................................................................................. A-7
Contact Us ............................................................................................................................... A-8

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 v
Part 1 - Dynamic Data
Authentication
Chapter 1 Standard Dynamic Data Authentication (DDA)

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 1-i
Standard Dynamic Data Authentication (DDA)
Standard DDA

Standard DDA
This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 Lite 4 X Select 4 Lite 4 X Select 4 X Payment
1.0 1.0 1.0 1.0
2.2 SDA Lite 4 X Select 4 Lite 4 X Select 4 X Data Storage
1.1a 1.1a 1.1a 1.1a
X 2.2 DDA Lite 4 X Select 4 Lite 4 X Select 4
1.1b 1.1b 1.1b 1.1b

About Standard DDA

Standard Dynamic Data Authentication (DDA) is executed when processing
the INTERNAL AUTHENTICATE command. The Integrated Circuit Card (ICC)
generates a digital signature on ICC-resident/generated data and on data
received from the terminal as identified by the ICC Dynamic Data Authentication
Data Object List (DDOL).

Keys and Certificates

To support DDA, the ICC is personalized with its own unique ICC Public Key
pair consisting of a private signature key Sic and the corresponding public
verification key Pic. The ICC public key is present on the ICC in the form of an
ICC Public Key certificate signed by the Issuer Private Key. Similarly, the issuer
public key is present in the ICC in the form of an issuer Public Key certificate
signed by the Certification Authority Private Key.

Dynamic Application Data to Be Signed (Input to the Hash

Algorithm)
The ICC generates the Signed Dynamic Application Data as described in Part III
of EMV, Integrated Circuit Card Specification for Payment Systems, Book 2 –
Digital Signature Scheme Giving Message Recovery on the data specified in this
table using the ICC Private Key SIC:

Field Name Length Description

Signed Data Format 1 ‘05’ ‘０５’，与ＰＢＯＣ３．０第７部分相同

Hash Algorithm Indicator 1 Identifies the hash algorithm used to

produce the hash result (= ‘01’ for SHA-1)
ICC Dynamic Data Length 1 Identifies the length 9 (=LDD) of the ICC
dynamic data in bytes
ICC Dynamic Data 9 ('08' || ICC Dynamic Number)
ＩＣ卡动态数：ＩＣＣ　Ｄｙｎａｍｉｃ　Ｎｕｍｂｅｒ，无ＴＡＧ，长度１６字节
ＩＣＣ　Ｄｙｎａｍｉｃ　Ｎｕｍｂｅｒ　（Ｔｅｒｍｉｎａｌ）：ＴＡＧ＇９Ｆ４Ｃ＇　，长度８字节，
ＩＣ卡动态数据：ＩＣＣ　Ｄｙｎａｍｉｃ　Ｄａｔａ，无ＴＡＧ，长度　９，　３８，　５２，　５４　ｏｒ　６８
ＩＣ卡不可预知数：ＩＣＣ　Ｕｎｐｒｅｄｉｃｔａｂｌｅ　Ｎｕｍｂｅｒ，无ＴＡＧ
终端不可预知数，Ｕｎｐｒｅｄｉｃｔａｂｌｅ　Ｎｕｍｂｅｒ，ＴＡＧ　值９Ｆ３７，４字节
Ｕｎｐｒｅｄｉｃｔａｂｌｅ　Ｎｕｍｂｅｒ　（Ｎｕｍｅｒｉｃ）：ＴＡＧ　９Ｆ６Ａ，４字节，终端发送给ＩＣ卡，用于ＣＣＣ指令
©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 1-1
Standard Dynamic Data Authentication (DDA)
Standard DDA

Field Name Length Description

Pad Pattern NIC - 34 (NIC - 34) padding bytes of value ‘BB’
Terminal Dynamic Data 4 Unpredictable Number, as provided by
the terminal in the data of the INTERNAL
AUTHENTICATE command1

For More Information

The ICC Dynamic Number Generation Process contains a description of the
method for computing the ICC Dynamic Number. The signature of the dynamic
application data is performed according to EMV, Integrated Circuit Card
Specification for Payment Systems, Book 2 — Security and Key Management.

1. DDOL for all M/Chip implementations is specified to be equal to ‘9F3704’.

©2008–2010 MasterCard
1-2 March 2010 • M/Chip Card Application Cryptographic Algorithms
Chapter 2 Combined Dynamic Data Authentication and
AC Generation (CDA)

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 2-i
Combined Dynamic Data Authentication and AC Generation (CDA)
About CDA

About CDA

This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 Lite 4 X Select 4 Lite 4 X Select 4 X Payment
1.0 1.0 1.0 1.0
2.2 SDA Lite 4 X Select 4 Lite 4 X Select 4 X Data Storage
1.1a 1.1a 1.1a 1.1a
2.2 DDA Lite 4 X Select 4 Lite 4 X Select 4
1.1b 1.1b 1.1b 1.1b

Keys and Certificates

To support Combined Dynamic Data Authentication and Application
Cryptogram Generation (CDA), the ICC is personalized with its own unique ICC
Public Key pair consisting of a private signature key SIC and the corresponding
public verification key PIC. The ICC public key is present on the ICC in the
form of an ICC Public Key certificate signed the Issuer Private Key.

Similarly, the issuer public key is present in the ICC in the form of an issuer
Public Key certificate signed the Certification Authority Private Key.

CDA Details (Variant 1)

This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 Lite 4 1.0 X Select 4 Lite 4 1.0 X Select 4 X Payment
1.0 1.0
2.2 SDA Lite 4 X Select 4 Lite 4 X Select 4 Data
1.1a 1.1a 1.1a 1.1a Storage
2.2 DDA Lite 4 X Select 4 Lite 4 X Select 4
1.1b 1.1b 1.1b 1.1b

Dynamic Application Data to Be Signed (input to the hash

algorithm)
The ICC generates the Signed Dynamic Application Data as described in Part III
of EMV, Integrated Circuit Card Specification for Payment Systems, Book 2 –
Digital Signature Scheme Giving Message Recovery on the data specified in this
table using the ICC Private Key SIC:

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 2-1
Combined Dynamic Data Authentication and AC Generation (CDA)
CDA Details (Variant 1)

Field Name Length Description

Signed Data Format 1 ‘05’
Hash Algorithm Indicator 1 Identifies the hash algorithm used to
produce the hash result (= ‘01’ for SHA-1)
ICC Dynamic Data Length 1 Contains the length 38 (=LDD) of the ICC
dynamic data in bytes
ICC Dynamic Data 38 Dynamic data generated by and/or
stored in the ICC
Pad Pattern NIC - 63 (NIC - 63) padding bytes of value ‘BB’
Terminal Dynamic Data 4 Unpredictable Number, as provided by
the terminal in the data of the INTERNAL
AUTHENTICATE command 1

Content of the ICC Dynamic Data

The ICC Dynamic Data shall consist of the concatenation of this data:

Field Name Length Description

ICC Dynamic Number 1 ‘08’
Length
ICC Dynamic Number 8 Computed by the M/Chip Advance
application in the GET PROCESSING
OPTIONS
Cryptogram Information 1 Value of Cryptogram Information Data as
Data defined by the application
Application Cryptogram 8 TC or ARQC computed by the ICC
Transaction Data Hash 20 Hash result computed by the application
Code on the value field of PDOL Related Data
(empty if PDOL Related Data is ‘8300’),
CDOL1 Related Data, CDOL2 Related
Data (in case of a second Generate AC
command) and Generate AC Response
Data (except the Signed Dynamic
Application Data)

The content of CDOL1, CDOL2 and the value field of PDOL are defined by the
application.

For More Information

The ICC Dynamic Number Generation Process contains a description of
the method for computing the ICC Dynamic Number. The signature of the
ICC dynamic application data is performed according to EMV, Integrated
Circuit Card Specification for Payment Systems, Book 2 — Security and Key
Management.

1. DDOL for all M/Chip implementations is specified to be equal to ‘9F3704’.

©2008–2010 MasterCard
2-2 March 2010 • M/Chip Card Application Cryptographic Algorithms
Combined Dynamic Data Authentication and AC Generation (CDA)
CDA Details (Variant 2)

CDA Details (Variant 2)

This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 Lite 4 Select 4 Lite 4 Select 4 Payment
1.0 1.0 1.0 1.0
2.2 SDA Lite 4 Select 4 Lite 4 Select 4 X Data
1.1a 1.1a 1.1a 1.1a Storage
2.2 DDA Lite 4 Select 4 Lite 4 Select 4
1.1b 1.1b 1.1b 1.1b

Dynamic Application Data to Be Signed (input to the hash

Field Name Length Description

Signed Data Format 1 ‘05’
Hash Algorithm Indicator 1 Identifies the hash algorithm used to
produce the hash result (= ‘01’ for SHA-1)
ICC Dynamic Data Length 1 Contains the length 38 or 54 (=LDD) of
the ICC dynamic data in bytes
ICC Dynamic Data 38 or 54 Dynamic data generated by and/or
stored in the ICC
Pad Pattern (NIC - 63) or (NIC - 63) or (NIC - 79) padding bytes of
(NIC - 79) value ‘BB’
Terminal Dynamic Data 4 Unpredictable Number, as provided by
the terminal in the data of the INTERNAL
AUTHENTICATE command 2

Content of the ICC Dynamic Data

In case DS Status [8..7] = ‘00b’ (no data storage), the ICC Dynamic Data shall
consist of the concatenation of the following fields:

2. DDOL for all M/Chip implementations is specified to be equal to ‘9F3704’.

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 2-3
Combined Dynamic Data Authentication and AC Generation (CDA)
CDA Details (Variant 2)

Field Name Length Description

ICC Dynamic Number 1 ‘08’
Length
ICC Dynamic Number 8 Computed by the M/Chip Advance
application in the GET PROCESSING
OPTIONS
Cryptogram Information 1 Value of Cryptogram Information Data as
Data defined by the application
Application Cryptogram 8 AAC, TC or ARQC computed by the ICC
Transaction Data Hash 20 Hash result computed by the application
Code on the value field of PDOL Related Data
(empty if PDOL Related Data is ‘8300’),
CDOL1 Related Data, CDOL2 Related
Data (in case of a second Generate AC
command) and Generate AC Response
Data (except the Signed Dynamic
Application Data)

In all other cases, the ICC Dynamic Data shall consist of the concatenation
of the following fields:

Field Name Length Description

ICC Dynamic Number 1 ‘08’
Length
ICC Dynamic Number 8 Computed by the M/Chip Advance
application in the GET PROCESSING
OPTIONS
Cryptogram Information 1 Value of Cryptogram Information Data as
Data defined by the application
Application Cryptogram 8 AAC, TC or ARQC computed by the ICC
Transaction Data Hash 20 Hash result computed by the application
Code on the value field of PDOL Related Data
(empty if PDOL Related Data is ‘8300’),
CDOL1 Related Data, CDOL2 Related
Data (in case of a second Generate AC
command) and Generate AC Response
Data (except the Signed Dynamic
Application Data)
DS Summary 2 8 Summary retrieved from the slot data
DS Summary 3 8 New summary generated when updating
the ODS

The content of CDOL1, CDOL2 and the value field of PDOL are defined by the
application.
Note that when the DS Data is present in the Generate AC command,
CDOL1/CDOL2 Related Data is only part of the First Generate AC/Second
Generate AC command data.

©2008–2010 MasterCard
2-4 March 2010 • M/Chip Card Application Cryptographic Algorithms
Combined Dynamic Data Authentication and AC Generation (CDA)
CDA Details (Variant 2)

For More Information

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 2-5
Part 2 - Recover AC
Chapter 3 Recover AC

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 3-i
Recover AC
Recover AC With CDA (Variant 1)

Recover AC With CDA (Variant 1)

This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 Lite 4 Select 4 Lite 4 Select 4 X Payment
1.0 1.0 1.0 1.0
2.2 SDA Lite 4 Select 4 Lite 4 Select 4 Data
1.1a 1.1a 1.1a 1.1a Storage
2.2 Lite 4 Select 4 Lite 4 Select 4
DDA 1.1b 1.1b 1.1b 1.1b

What is Recover AC?

Recover AC is a recovery mechanism used when the ICC has been torn from
the terminal before the transaction has been completed.

Dynamic Application Data to be Signed (Input to the Hash

Algorithm)
The ICC generates the Signed Dynamic Application Data as described in Part III
of EMV, Integrated Circuit Card Specification for Payment Systems, Book 2 —
Digital Signature Scheme Giving Message Recovery on the data specified in this
table using the ICC Private Key Sic:

Field Name Length Description

Signed Data Format 1 ‘05’
Hash Algorithm Indicator 1 Identifies the hash
algorithm used to produce
the has result (= ‘01’ for
SHA-1)
ICC Dynamic Data Length 1 Contains the length 38
(=Ldd) of the ICC dynamic
data in bytes
ICC Dynamic Data 38 Dynamic data computed
by the ICC
Pad Pattern (Nic – 63) (Nic – 63) padding bytes of
value ‘BB’
Unpredictable Number 4 Unpredictable Number
(Recovery) retrieved from the ICC

Content of the ICC Dynamic Data

The ICC Dynamic Data shall consist of the concatenation of the following fields:

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 3-1
Recover AC
Recover AC With CDA (Variant 2)

Field Name Length Description

ICC Dynamic Number 1 ‘08’
Length
ICC Dynamic Number 8 ICC Dynamic Number
computed by the ICC
Cryptogram Information 1 Cryptogram Information
Data (Recovery) Data retrieved from the
ICC
Application Cryptogram 8 Application Cryptogram
(Recovery) retrieved from the ICC
Hash Result (Recovery) 20 Hash result retrieved from
the ICC

Signature
The signature of the dynamic application data for Recover AC with CDA is
performed using the same method and input as defined in EMV, Integrated
Circuit Card Specification for Payment Systems, Book 2 — Security and Key
Management to sign for Dynamic Application Data for CDA.

For More Information

The ICC Dynamic Number Generation Process contains a description of the
method for computing the ICC Dynamic Number.

Recover AC With CDA (Variant 2)

This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 Lite 4 Select 4 Lite 4 Select 4 Payment
1.0 1.0 1.0 1.0
2.2 SDA Lite 4 Select 4 Lite 4 Select 4 X Data
1.1a 1.1a 1.1a 1.1a Storage
2.2 Lite 4 Select 4 Lite 4 Select 4
DDA 1.1b 1.1b 1.1b 1.1b

What is Recover AC?

Recover AC is a recovery mechanism used when the ICC has been torn from
the terminal before the transaction has been completed.

©2008–2010 MasterCard
3-2 March 2010 • M/Chip Card Application Cryptographic Algorithms
Recover AC
Recover AC With CDA (Variant 2)

Dynamic Application Data to be Signed (Input to the Hash

Field Name Length Description

Signed Data Format 1 ‘05’
Hash Algorithm Indicator 1 Identifies the hash
algorithm used to produce
the has result (= ‘01’ for
SHA-1)
ICC Dynamic Data Length 1 Contains the length 38
or 54 (=Ldd) of the ICC
dynamic data in bytes
ICC Dynamic Data 38 or 54 Dynamic data computed
by the ICC
Pad Pattern (Nic – 63) or (Nic – 79) (Nic – 63) or (Nic – 79)
padding bytes of value
‘BB’
Unpredictable Number 4 Unpredictable Number
(Recovery) retrieved from the ICC

Content of the ICC Dynamic Data

In case DS Status [8..7] = ‘00b’ (No data storage) the ICC Dynamic Data shall
consist of the concatenation of the following fields:

Field Name Length Description

In all other cases, the ICC Dynamic Data shall consist of the concatenation
of the following fields:

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 3-3
Recover AC
Recover AC With CDA (Variant 2)

Field Name Length Description

For More Information

The ICC Dynamic Number Generation Process contains a description of the
method for computing the ICC Dynamic Number.

©2008–2010 MasterCard
3-4 March 2010 • M/Chip Card Application Cryptographic Algorithms
Part 3 - Offline Enciphered
PIN Decryption for Verify
Chapter 4 Offline Enciphered PIN Decryption for Verify

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 4-i
Offline Enciphered PIN Decryption for Verify
About Offline Enciphered PIN Decryption for Verify

About Offline Enciphered PIN Decryption for Verify

This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 Lite 4 1.0 X Select 4 1.0 Lite 4 1.0 X Select 4 X Payment
1.0
2.2 SDA Lite 4 X Select 4 Lite 4 X Select 4 X Data
1.1a 1.1a 1.1a 1.1a Storage
2.2 Lite 4 X Select 4 Lite 4 X Select 4
DDA 1.1b 1.1b 1.1b 1.1b

What is offline Enciphered PIN Decryption?

The terminal may submit the PIN enciphered rather than in clear text. In that
case the PIN is enciphered using public key cryptography, under a public key
whose private counterpart is stored in the ICC. The ICC deciphers the PIN, using
the relevant private key, prior to comparison with the ICC-stored reference PIN.

DDA key versus a Dedicated key

The M/Chip application can use either the ICC Private Key, or a dedicated
key for offline PIN decipherment. The choice of the key to use is fixed at
personalization as follows:
If the Application Control[1][5] is set The M/Chip application uses ...
to ...
‘1b’ a dedicated key for offline PIN decipherment,
the ICC PIN Encipherment Private Key
‘0b’ the ICC Private Key

For More Information

The offline PIN decipherment is performed according to EMV, Integrated
Circuit Card Specification for Payment Systems, Book 2 — Security and Key
Management.

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 4-1
Part 4 - Offline Enciphered
PIN Decryption for Offline
Change PIN
Chapter 5 Offline Enciphered PIN Decryption for Offline
Change PIN

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 5-i
Offline Enciphered PIN Decryption for Offline Change PIN
About Offline Enciphered PIN Decryption for Offline Change PIN

About Offline Enciphered PIN Decryption for Offline

Change PIN
This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 Lite 4 1.0 Select 4 1.0 Lite 4 1.0 Select 4 X Payment
1.0
2.2 SDA Lite 4 Select 4 Lite 4 Select 4 X Data
1.1a 1.1a 1.1a 1.1a Storage
2.2 Lite 4 Select 4 Lite 4 Select 4
DDA 1.1b 1.1b 1.1b 1.1b

What is offline Enciphered PIN Decryption?

The terminal may submit the new PIN enciphered rather than in clear text. In
that case the new PIN is enciphered using public key cryptography, under a
public key whose private counterpart is stored in the ICC. The ICC deciphers
the new PIN, using the relevant private key, prior to storing it as the new
reference PIN.

DDA key versus a Dedicated key

For More Information

The offline PIN decipherment is performed similarly to the method detailed
in EMV, Integrated Circuit Card Specification for Payment Systems, Book 2
— Security and Key Management for the Offline PIN Decipherment for the
VERIFY command.

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 5-1
Part 5 - Application
Cryptograms Generation
Chapter 6 Application Cryptograms Generation

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 6-i
Application Cryptograms Generation
About Application Cryptograms

About Application Cryptograms

Application Cryptograms (AC) are generated by the ICC in response to the
GENERATE AC command.

Data Objects for Generating Application Cryptograms

(Variant 1)

This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
X Lite 2.1 Lite 4 1.0 Select 4 1.0 Lite 4 1.0 Select 4 Payment
1.0
X 2.2 SDA Lite 4 Select 4 Lite 4 Select 4 Data
1.1a 1.1a 1.1a 1.1a Storage
X 2.2 DDA Lite 4 Select 4 Lite 4 Select 4
1.1b 1.1b 1.1b 1.1b

TC, AAC and ARQC Data Elements

The data objects used to generate the cryptogram are the following:

Field Name Length

Amount, Authorized (numeric) 6 ９Ｆ０２

Amount, Other (numeric) 6 ９Ｆ０３

Terminal Country Code 2 ９Ｆ１Ａ

Terminal Verification Results 5 ９５

Transaction Currency Code 2 ５Ｆ２Ａ

Transaction Date 3 ９Ａ

Transaction Type 1 ９Ｃ

Unpredictable Number 4 终端数据元９Ｆ３７

Application Interchange Profile 2 ８２

ATC 2 ９Ｆ３６

Card Verification Results 4 ９Ｆ５２

Data Objects for Generating Application Cryptograms

(Variant 2)

This topic applies to the following M/Chip Card Applications:

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 6-1
Application Cryptograms Generation
Data Objects for Generating Application Cryptograms (Variant 2)

Ｖａｒｉａｎｔ　１　什么时候使用　Ｖａｒｉａｎｔ　１　？
M/Chip
Ｖａｒｉａｎｔ　２
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
　　　ｏｐｔｉｏｎ　１
　　　ｏｐｔｉｏｎ　２ Lite 2.1 X Lite 4 1.0 X Select 4 1.0 X Lite 4 1.0 X Select 4 Payment
Ｖａｒｉａｎｔ　３（不适用于Ｍ／Ｃｈｉｐ　Ａｄｖａｎｃｅ） 1.0
　　　ｏｐｔｉｏｎ　１
2.2 SDA X Lite 4 X Select 4 X Lite 4 X Select 4 Data
　　　ｏｐｔｉｏｎ　２
1.1a 1.1a 1.1a 1.1a Storage
　　　ｏｐｔｉｏｎ　３ａ　
　　　ｏｐｔｉｏｎ　３ｂ 2.2 DDA X Lite 4 X Select 4 X Lite 4 X Select 4
　　　ｏｐｔｉｏｎ　３ｃ 1.1b 1.1b 1.1b 1.1b

TC, AAC and ARQC Data Elements

Data input to AC computation depends on the Application Control. The data
objects used are listed below and are used in the specified order.
ｔｈｅ　ｅｉｇｈｔ－ｂｙｔｅ　ｐｌａｉｎｔｅｘｔ　ｏｆｆｌｉｎｅ　ｃｏｕｎｔｅｒｓ
Ｐｌａｉｎｔｅｘｔ／Ｅｎｃｒｙｐｔｅｄ　Ｃｏｕｎｔｅｒｓ，８、１６字节，
无ＴＡＧ　
Option 1: Do Not Include Offline Counters
第２字节第１位，表示“Ｉｎｃｌｕｄｅ　Ｃｏｕｎｔｅｒｓ　Ｉｎ　ＡＣ”
If the Application Control [2][1] = '0b', the plaintext offline counters are not
included in the data used for the AC computation. The set of data input (TC,
AAC and ARQC Data Elements) to the AC computation is defined as follows:

Field Name Length

Amount, Authorized (numeric) 6
Amount, Other (numeric) 6
Terminal Country Code 2
Terminal Verification Results 5
Transaction Currency Code 2
Transaction Date 3
Transaction Type 1
Unpredictable Number 4
Application Interchange Profile 2
ATC 2
Card Verification Results 6 只有ＣＶＲ长度与前面不同

Option 2: Include Offline Counters

If the Application Control [2][1] = '1b' (include Counters in AC), the set of data
input to the AC computation is the same as with Application Control [2][1] =
'0b', but with the following data appended:
如果Ｅｎｃｒｙｐｔ　Ｏｆｆｌｉｎｅ　Ｃｏｕｎｔｅｒｓ位置０
• If the Application Control [1][1] = '0b', the eight-byte plaintext offline
counters as defined here:

Field Name Length

Cumulative Offline Transaction Amount 6
６＋１＋１　＝　８　ｂｙｔｅ

©2008–2010 MasterCard
6-2 March 2010 • M/Chip Card Application Cryptographic Algorithms
Application Cryptograms Generation
Data Objects for Generating Application Cryptograms (Variant 3)

Field Name Length

Consecutive Offline Transactions Number 1
One byte set to ‘FF’ 1
如果Ｅｎｃｒｙｐｔ　Ｏｆｆｌｉｎｅ　Ｃｏｕｎｔｅｒｓ位置１
• If the Application Control [1][1] = '1b', the result of the algorithm as
described in Encrypted Counters Encryption Variant 1.

Data Objects for Generating Application Cryptograms (Variant

This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 Lite 4 Select 4 1.0 Lite 4 1.0 Select 4 X Payment
1.0 1.0
2.2 SDA Lite 4 Select 4 Lite 4 Select 4 X Data
1.1a 1.1a 1.1a 1.1a Storage
2.2 DDA Lite 4 Select 4 Lite 4 Select 4
1.1b 1.1b 1.1b 1.1b

Option 1: The application supports V.2.05, V.2.1 and V.2.2

Host Backward Compatibility
(Application Control [5][4..2] = '001b', or Application Control [5][4..2] = '010b')

TC, AAC and ARQC Data Elements

Data input to AC computation depends on the Application Control. The data
objects used are listed below and are used in the specified order.

Field Name Length

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 6-3
Application Cryptograms Generation
Data Objects for Generating Application Cryptograms (Variant 3)

*The mapping of the 6–byte internal CVR to the four bytes used for the
cryptogram generation is detailed in the card application specifications.

Option 2: The application supports V.1.1 and V.1.3 Host

Backward Compatibility or MAS4C
(Application Control [5][4..2] = '011b' or Application Control [6][3] = '1b')

TC, AAC and ARQC Data Elements

Data input to AC computation depends on the Application Control. The data
objects used are listed below and are used in the specified order.

Option 2a: Do Not Include Offline Counters

If the Application Control [2][1] = '0b' (do not include Offline Counters in AC)
the set of data input (TC, AAC and ARQC Data Elements) to the AC computation
is defined as follows:

Field Name Length

Option 2b: Include Offline Counters

If the Application Control [2][1] = '1b' (Include Counters in AC) the set of data
input to the AC computation is the same as with Application Control [2][1] =
'0b', but with the following data appended:

• If the Application Control [1][1] = '0b' (Don’t Encrypt Offline Counters),

the 8 or 16 bytes Plaintext Counters as defined in the card application
specifications.
• If the Application Control [1][1] = '1b' (Encrypt Offline Counters), the 8 or 16
bytes Encrypted Counters as defined here:
The Encrypted Counters are the result of the algorithm as described in
Encrypted Counters Encryption Variant 2 applied on the Plaintext Counters
defined above.

©2008–2010 MasterCard
6-4 March 2010 • M/Chip Card Application Cryptographic Algorithms
Application Cryptograms Generation
Data Objects for Generating Application Cryptograms (Variant 3)

Option 3: The application supports No Host Backward

Compatibility
(Application Control [5][4..2] = '000b')

TC, AAC and ARQC Data Elements

Data input to AC computation depends on the Application Control. The data
objects used are listed below and are used in the specified order.

Option 3a: Do not include Offline Counters

If the Application Control [2][1] = '0b' (don’t include Counters in AC) the set
of data input (TC, AAC and ARQC Data Elements) to the AC computation is
defined as follows:

Field Name Length

Option 3b: Include Offline Counters but not last Online

ATC
If the Application Control [2][1] = '1b' (include Counters in AC) and Application
Control [5][5] = ‘0b’ (Don’t Include Last Online ATC in IAD) the set of data input
to the AC computation is the same as with Application Control [2][1] = ‘0b’,
but with the following data appended:

• If the Application Control [1][1] = '0b' (Don’t Encrypt Offline Counters),

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 6-5
Application Cryptograms Generation
Application Cryptogram Generation Process (Variant 1)

Option 3c: Include Offline Counters and Last Online ATC

If the Application Control [2][1] = '1b' (Include Counters in AC) and the
Application Control [5][5] = ‘1b’ (Include Last Online ATC in IAD), the set of
data input to the AC computation is the same as with Application Control [2][1]
= '1b' and Application Control [5][5] = ‘0b’ (Option 3b), but with the following
data appended:

Field Name Length

Last Online ATC 2

Application Cryptogram Generation Process (Variant 1)

This topic applies to the following M/Chip Card Applications:
生成　ＡＣ　的过程，
ＡＤＶＡＮＣＥ　只适用于　Ｖａｒｉａｎｔ　１、２、３ M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
X Lite 2.1 Lite 4 Select 4 1.0 Lite 4 1.0 Select 4 Payment
1.0 1.0
X 2.2 SDA X Lite 4 X Select 4 X Lite 4 X Select 4 Data
1.1a 1.1a 1.1a 1.1a Storage
X 2.2 DDA Lite 4 Select 4 Lite 4 Select 4
1.1b 1.1b 1.1b 1.1b

How the AC Generation Algorithm Works

The AC generation for a first and second GENERATE AC contains the following
steps:

1. The ICC concatenates the previously listed Data Elements in the order
specified, to create a block of data.
2. The ICC pads this block of data according to method 2 of ISO/IEC
9797-1 Standard, Information technology – Security techniques – Message
Authentication Codes - Part 1: Mechanisms using a block cipher.
It first adds a mandatory byte with hexadecimal ‘80’ to the right,
and then adds the smallest number of hexadecimal ‘00’ bytes
to the right, so that the length of the resulting message M :=
(M||‘80’||‘00’||‘00’||...||‘00’) is a multiple of eight bytes.
3. The ICC formats the padded data into 8-byte data blocks, labeled D1, D2,
… , Dn.
4. The ICC derives the 16-byte MasterCard proprietary session key SKAC as
specified in Encrypted Counters Encryption Variant 1.
见　Ｃｈａｐｔｅｒ　１４　Ｅｎｃｒｙｐｔｅｄ　Ｃｏｕｎｔｅｒｓ
5. The ICC computes the MAC on the message M as detailed in Cryptographic
Primitives to generate the AC using the session key SKAC. The AC is the
eight-byte final result.

©2008–2010 MasterCard
6-6 March 2010 • M/Chip Card Application Cryptographic Algorithms
Application Cryptograms Generation
Application Cryptogram Generation Process (Variant 2)

Application Cryptogram Generation Process (Variant 2)

This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 X Lite 4 X Select 4 1.0 X Lite 4 1.0 X Select 4 Payment
1.0 1.0
2.2 SDA Lite 4 Select 4 Lite 4 Select 4 Data
1.1a 1.1a 1.1a 1.1a Storage
2.2 DDA Lite 4 Select 4 Lite 4 Select 4
1.1b 1.1b 1.1b 1.1b

How the AC Generation Algorithm Works

The AC generation for a first and second GENERATE AC contains the following
steps:

1. The ICC concatenates the previously listed Data Elements in the order
specified, to create a block of data.
2. The ICC pads this block of data according to method 2 of ISO/IEC
9797-1 Standard, Information technology – Security techniques – Message
Authentication Codes - Part 1: Mechanisms using a block cipher.
It first adds a mandatory byte with hexadecimal ‘80’ to the right,
and then adds the smallest number of hexadecimal ‘00’ bytes
to the right, so that the length of the resulting message M :=
(M||‘80’||‘00’||‘00’||...||‘00’) is a multiple of eight bytes.
3. The ICC formats the padded data into 8-byte data blocks, labeled D1, D2,
… , Dn.
4. The ICC derives the 16-byte session key SKAC as specified in ICC Session
Key Derivation.

• If Application Control[1][2] = ‘0b’, the MasterCard Proprietary SDK

method is used.
• If Application Control[1][2] = ‘1b’, the EMV2000 SDK method is used.
5. The ICC computes the MAC on the message M as detailed in Cryptographic
Primitives to generate the AC using the session key SKAC. The AC is the
eight-byte final result.

Application Cryptogram Generation Process (Variant 3)

This topic applies to the following M/Chip Card Applications:

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 6-7
Application Cryptograms Generation
Application Cryptogram Generation Process (Variant 4)

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 Lite 4 Select 4 1.0 Lite 4 1.0 Select 4 Payment
1.0 1.0
2.2 SDA Lite 4 Select 4 Lite 4 Select 4 Data
1.1a 1.1a 1.1a 1.1a Storage
2.2 DDA X Lite 4 Select 4 X Lite 4 Select 4
1.1b 1.1b 1.1b 1.1b

How the AC Generation Algorithm Works

The AC generation for a first and second GENERATE AC contains the following
steps:

• For first GENERATE AC, the ICC derives the 16-byte session key SKAC as
specified in ICC Session Key Derivation

a. If Application Control[1][2] = ‘0b’, the MasterCard Proprietary SDK

method is used.
b. If Application Control[1][2] = ‘1b’, the EMV CSK method is used.
• For second GENERATE AC, the ICC uses the session key SKAC generated
by the first GENERATE AC
5. The ICC computes the MAC on the message M as detailed in Cryptographic
Primitives to generate the AC using the session key SKAC. The AC is the
eight-byte final result.

Application Cryptogram Generation Process (Variant 4)

This topic applies to the following M/Chip Card Applications:

©2008–2010 MasterCard
6-8 March 2010 • M/Chip Card Application Cryptographic Algorithms
Application Cryptograms Generation
Application Cryptogram Generation Process (Variant 4)

How the AC Generation Algorithm Works

The AC generation for a first and second GENERATE AC contains the following
steps:

• For first GENERATE AC, the ICC derives the 16-byte session key SKAC as
specified in About ICC Session Key Derivation.

a. If Application Control[1][2] = ‘0b’, the MasterCard Proprietary SDK

method is used.
b. If Application Control[1][2] = ‘1b’, the EMV CSK method is used.
• For second GENERATE AC with EMV CSK method (If Application
Control [1][2] = ‘1b’), the ICC uses the session key SKAC generated by the
first GENERATE AC, otherwise the ICC derives the 16–byte session key
SKAC as specified in About ICC Session Key Derivation.

a. If Application Control[1][2] = ‘0b’, the MasterCard Proprietary SDK

method is used.
b. If Application Control[1][2] = ‘1b’, the EMV CSK method is used.
5. The ICC computes the MAC on the message M as detailed in MAC to
generate the AC using the session key SKAC. The AC is the eight-byte final
result.

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 6-9
Part 6 - Issuer Authentication
Chapter 7 Issuer Authentication

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 7-i
Issuer Authentication
About Issuer Authentication

ＡＲＰＣ　Ｒｅｓｐｏｎｓｅ　Ｃｏｄｅ　　　Ｔａｇ：–　　　Ｌｅｎｇｔｈ：２　【ＡＲＣ】
About Issuer Authentication Ａｕｔｈｏｒｉｓａｔｉｏｎ　Ｒｅｓｐｏｎｓｅ　Ｃｏｄｅ（ＡＲＣ）　Ｔａｇ：　＇８Ａ＇　

In response to an authorization request, the following process takes place:

发卡行先生成ＡＲＣ， 1. The issuer generates a two-byte ARPC Response Code.
然后根据ＡＲＱＣ和ＡＲＣ生成ＡＲＰＣ
2. The issuer generates an eight-byte ARPC by computing a MAC on the ARQC
and the ARPC Response Code.
3. The ARPC and the ARPC Response Code are transmitted to the ICC as the
Issuer Authentication Data.
4. The ICC validates the issuer response by re-computing the ARPC, and
comparing it to the ARPC received from the issuer.

ARPC Validation Process (Variant 1)

This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
X Lite 2.1 Lite 4 Select 4 1.0 Lite 4 1.0 Select 4 Payment
1.0 1.0
X 2.2 SDA X Lite 4 X Select 4 X Lite 4 X Select 4 Data
1.1a 1.1a 1.1a 1.1a Storage
X 2.2 DDA Lite 4 Select 4 Lite 4 Select 4
1.1b 1.1b 1.1b 1.1b

How the ARPC Validation Algorithm Works

The ARPC Response Code used in this operation is received by the ICC in
the Issuer Authentication Data.

The validation of the ARPC is as follows:

1. The ICC performs an exclusive-OR operation:

ARQC Å (ARPC Response Code||‘00’||‘00’||‘00’||‘00’||‘00’||‘00’)

2. The ICC applies the DES3 algorithm (as specified in Cryptographic
不使用　Ｓｅｓｓｉｏｎ　ｋｅｙ Primitives) using the AC Master Key MKAC to the result of the exclusive-OR
operation in step 1. The ARPC is the eight-byte result.
3. The ICC validates the issuer response by checking that the ARPC the ICC
computed in Step 2 is equal to the ARPC received in the authorization
response.

ARPC Validation Process (Variant 2)

This topic applies to the following M/Chip Card Applications:

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 7-1
Issuer Authentication
ARPC Validation Process (Variant 3)

How the ARPC Validation Algorithm Works

The ARPC Response Code used in this operation is received by the ICC in
the Issuer Authentication Data.

The validation of the ARPC is as follows:

1. The ICC performs an exclusive-OR operation:

ARQC Å (ARPC Response Code||‘00’||‘00’||‘00’||‘00’||‘00’||‘00’)

2. The ARPC session key is as follows:

• If the MasterCard Proprietary SKD1 method is used (If Application

Control[1][2] = ‘0b’), the ICC uses the AC Master Key MKAC (as specified
in Appendix A, “Cryptographic Algorithms”) to the result of the
exclusive-OR operation in step 1.
• If the EMV 2000 method is used (If Application Control[1][2] = ‘1b’), the
ICC uses the 16-byte session key SKAC, as previously derived for the first
AC generation (as specified in Appendix A, “Cryptographic Algorithms”)
to the result of the exclusive-OR operation in step 1.
3. The ARPC is the eight-byte result of the DES3 algorithm.
4. The ICC authenticates the issuer response by checking that the ARPC the
ICC computed in Step 2 is equal to the ARPC received in the authorization
response.

ARPC Validation Process (Variant 3)

This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 Lite 4 Select 4 1.0 Lite 4 1.0 Select 4 X Payment
1.0 1.0
2.2 SDA Lite 4 Select 4 Lite 4 Select 4 X Data
1.1a 1.1a 1.1a 1.1a Storage
2.2 DDA X Lite 4 X Select 4 X Lite 4 X Select 4
1.1b 1.1b 1.1b 1.1b

1. The MasterCard Proprietary SKD method was referred to in previous versions of this manual as "M/Chip 2.1
Session Key Derivation".

©2008–2010 MasterCard
7-2 March 2010 • M/Chip Card Application Cryptographic Algorithms
Issuer Authentication
ARPC Validation Process (Variant 3)

How the ARPC Validation Algorithm Works

The ARPC Response Code used in this operation is received by the ICC in
the Issuer Authentication Data.

The validation of the ARPC is as follows:

1. The ICC performs an exclusive-OR operation:

ARQC Å (ARPC Response Code||‘00’||‘00’||‘00’||‘00’||‘00’||‘00’)

2. Depending on the Key Derivation Method:

• If the MasterCard Proprietary SKD2method is used (If Application

Control[1][2] = ‘0b’), the ICC uses the AC Master Key MKAC (as specified
in About DES and Triple-DES) to the result of the exclusive-OR
operation in step 1.
• If the EMV CSK method is used (If Application Control[1][2] = ‘1b’), the
ICC uses the 16-byte session key SKAC, as previously derived for the AC
generation (as specified in About DES and Triple-DES) to the result of
the exclusive-OR operation in step 1.
3. The ARPC is the eight-byte result of the DES3 algorithm.
4. The ICC authenticates the issuer response by checking that the ARPC the
ICC computed in Step 2 is equal to the ARPC received in the authorization
response.

2. The MasterCard Proprietary SKD method was referred to in previous versions of this manual as "M/Chip 2.1
Session Key Derivation".

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 7-3
Part 7 - Secure Messaging
Chapter 8 Secure Messaging

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 8-i
Secure Messaging
About Secure Messaging

About Secure Messaging

What is Secure Messaging?
Secure Messaging is used for Issuer Script Commands that enable the issuer to
send post-issuance script messages securely to the ICC.

If the script command has been authenticated, the command is executed by

the ICC.

Objectives
The objectives of secure messaging are to ensure the following:

Objectives Description
Message integrity Message integrity is achieved using a Message
Authentication Code (MAC).
Data confidentiality Data confidentiality is achieved by enciphering the plain
text command data.
Issuer authentication Issuer authentication is achieved using a Message
Authentication Code (MAC).

Input: RAND
对于第１个发卡行脚本命令， Secure Messaging for Integrity (SMI) uses an eight-byte data value RAND as
ＲＡＮＤ是ＧＡＣ１响应的密文。 input to the SMI MAC computation. In the case of MasterCard proprietary
　对于第２个命令，ＲＡＮＤ＋１ SKD the RAND is also used for the session key derivation. For the first script
　 command processed in the transaction, RAND is the AC provided by the card
ＭＣ　ＳＫＤ和　ＥＭＶ　ＣＳＫ　方式都使用 in response to the first GENERATE AC command. For subsequent commands,
ＲＡＮＤ计算ＭＡＣ， RAND is obtained by incrementing the RAND used for the previous command
　 by 1.
但是ＭＣ　ＳＫＤ　还使用ＲＡＮＤ计算
过程密钥（ＲＡＮＤ每次＋１）。 Specifically, RAND, as a multi-byte counter, is incremented in the same way
ＥＭＶ　ＣＳＫ　使用　ＧＡＣ１　ＡＣ密文计算 as the two-byte ATC. Therefore, incrementing RAND when its least significant
过程密钥（ＡＣ每次不变）。 byte is 0xFF results in the next least significant byte being incremented and the
　 least significant byte being set to 0x00. In the unlikely event that all the bytes of
RAND equal 0xFF, the RAND is incremented by setting all its bytes to 0x00 (that
is, the RAND counter wraps around).
ＲＡＮＤ超上限，则清零。
In the case of MasterCard proprietary SKD, the RAND value used in a script
command for the session key derivation is identical to the one used for the
Secure Messaging for Integrity MAC computation.

ISO/IEC 7816-4 Standard

The Secure Messaging format defined in this specification is based on the
ISO/IEC 7816-4 Standard, Information technology - Identification cards –
Integrated circuit(s) cards with contacts – Part 4: Inter-industry commands for
interchange. Proprietary Secure Messaging for integrity is indicated for any EMV
command by the second nibble of the CLA byte set to a hexadecimal ‘4’.

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 8-1
Secure Messaging
Secure Messaging for Integrity (SMI) Validation Process (Variant 1)

Secure Messaging for Integrity (SMI) Validation Process

(Variant 1)

This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
X Lite 2.1 Lite 4 1.0 Select 4 1.0 Lite 4 1.0 Select 4 Payment
1.0
X 2.2 SDA X Lite 4 X Select 4 X Lite 4 X Select 4 Data
1.1a 1.1a 1.1a 1.1a Storage
X 2.2 DDA Lite 4 Select 4 Lite 4 Select 4
1.1b 1.1b 1.1b 1.1b

How the MAC Validation Works

When the command received by the ICC has been transmitted using Secure
Messaging for Integrity, the command data field consists of the command data,
concatenated to the right with the MAC.

The MAC is validated as detailed below:

1. The following data is concatenated, in the order specified:

• CLA, INS, P1, P2, Lc

• ATC
• RAND
• Plain text data contained in the command data field (if present)
2. The ICC pads this block according to method 2 of ISO/IEC 9797-1 Standard,
Information technology – Security techniques – Message Authentication
Codes - Part 1: Mechanisms using a block cipher, first by adding a mandatory
byte with hexadecimal ‘80’ to the right, and then by adding the smallest
number of hexadecimal ‘00’ bytes to the right, so that the length of the
resulting message M is a multiple of 8 bytes.
3. This block of data is formatted into eight-byte data blocks, labeled D1, D2,
…, Dn.
4. An SMI MasterCard Proprietary session key SKSMI must be derived as
specified in About ICC Session Key Derivation.
5. The MAC is generated using the session key SKSMI as detailed in
Cryptographic Primitives.
6. The command shall not be accepted if the 8-byte MAC resultant value is
different to the one present at the end of the command data field.

Secure Messaging for Integrity (SMI) Validation Process

(Variant 2)

This topic applies to the following M/Chip Card Applications:

©2008–2010 MasterCard
8-2 March 2010 • M/Chip Card Application Cryptographic Algorithms
Secure Messaging
Secure Messaging for Integrity (SMI) Validation Process (Variant 3)

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 X Lite 4 1.0 X Select 4 1.0 X Lite 4 1.0 X Select 4 Payment
1.0
2.2 SDA Lite 4 Select 4 Lite 4 Select 4 Data
1.1a 1.1a 1.1a 1.1a Storage
2.2 DDA Lite 4 Select 4 Lite 4 Select 4
1.1b 1.1b 1.1b 1.1b

How the MAC Validation Works

When the command received by the ICC has been transmitted using Secure
Messaging for Integrity, the command data field consists of the command data,
concatenated to the right with the MAC.

The MAC is validated as detailed below:

1. The following data is concatenated, in the order specified:

• CLA, INS, P1, P2, Lc

• ATC
• RAND
• Plain text data contained in the command data field (if present).
2. The ICC pads this block according to method 2 of ISO/IEC 9797-1 Standard,
Information technology – Security techniques – Message Authentication
Codes - Part 1: Mechanisms using a block cipher, first by adding a mandatory
byte with hexadecimal ‘80’ to the right, and then by adding the smallest
number of hexadecimal ‘00’ bytes to the right, so that the length of the
resulting message M is a multiple of 8 bytes.
3. This block of data is formatted into eight-byte data blocks, labeled D1, D2,
…, Dn.
4. The ICC derives the 16–byte SMI session key SKSMI as specified in About
ICC Session Key Derivation when:

• If Application Control[1][2]=’0b’, the MasterCard Proprietary SKD method

is used.
• If Application Control[1][2]='1b', the EMV2000 method is used and the
EMV2000 SMI session key has not already been derived for the current
value of the ATC.
5. The MAC is generated using the session keys SKSMI as detailed in
Cryptographic Algorithms.
6. The command shall not be accepted if the 8-byte MAC resultant value is
different to the one present at the end of the command data field.

Secure Messaging for Integrity (SMI) Validation Process

(Variant 3)

This topic applies to the following M/Chip Card Applications:

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 8-3
Secure Messaging
PIN CHANGE Command Decryption Process (Variant 1)

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 Lite 4 1.0 Select 4 1.0 Lite 4 1.0 Select 4 X Payment
1.0
2.2 SDA Lite 4 Select 4 Lite 4 Select 4 X Data
1.1a 1.1a 1.1a 1.1a Storage
2.2 DDA X Lite 4 X Select 4 X Lite 4 X Select 4
1.1b 1.1b 1.1b 1.1b

How the MAC Validation Works

When the command received by the ICC has been transmitted using Secure
Messaging for Integrity, the command data field consists of the command data,
concatenated to the right with the MAC.

The MAC is validated as detailed below:

1. The following data is concatenated, in the order specified:

• CLA, INS, P1, P2, Lc

• ATC
• RAND
• Plain text data contained in the command data field (if present).
2. The ICC pads this block according to method 2 of ISO/IEC 9797-1 Standard,
Information technology – Security techniques – Message Authentication
Codes - Part 1: Mechanisms using a block cipher, first by adding a mandatory
byte with hexadecimal ‘80’ to the right, and then by adding the smallest
number of hexadecimal ‘00’ bytes to the right, so that the length of the
resulting message M is a multiple of 8 bytes.
3. This block of data is formatted into eight-byte data blocks, labeled D1, D2,
…, Dn.
4. An SMI session key SKSMI must be derived as specified in About ICC Session
Key Derivation when:

• MasterCard Proprietary SKD method is used (if Application

Control[1][2]=’0b’ )
• If the EMV CSK session key derivation is used (if Application
Control[1][2]='1b' ) and the CSK SMI session key has not already been
derived for the current value of the ATC
5. The MAC is generated using the session key SKSMI as detailed in
Cryptographic Algorithms.
6. The command shall not be accepted if the 8-byte MAC resultant value is
different to the one present at the end of the command data field.

PIN CHANGE Command Decryption Process (Variant 1)

This topic applies to the following M/Chip Card Applications:

©2008–2010 MasterCard
8-4 March 2010 • M/Chip Card Application Cryptographic Algorithms
Secure Messaging
PIN CHANGE Command Decryption Process (Variant 2)

Introduction
The PIN CHANGE command is protected by combining Secure Messaging
for Integrity with the privacy of the data provided by Secure Messaging for
Confidentiality.

How the Command is Decrypted

The received command data field consists of the encrypted command data,
concatenated to the right with the MAC.

The ICC must perform the following steps to decrypt the command:

1. The MAC is validated as described in the Secure Messaging for Integrity

Process, with the command data being the encrypted command data.
2. The encrypted command data is decrypted as detailed below, to obtain
the plain text command data.

a. A MasterCard Proprietary session key SKSMC session key is derived as

specified in About ICC Session Key Derivation.
b. The decryption of the 8-byte enciphered command data (the encrypted
PIN block) with the double length session key SKSMC takes place as
follows:

M := DES3-1 (SKSMC)[X]

PIN CHANGE Command Decryption Process (Variant 2)

This topic applies to the following M/Chip Card Applications:

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 8-5
Secure Messaging
PIN CHANGE Command Decryption Process (Variant 3)

Introduction
The PIN CHANGE command is protected by combining Secure Messaging
for Integrity with the privacy of the data provided by Secure Messaging for
Confidentiality.

How the Command is Decrypted

The received command data field consists of the encrypted command data,
concatenated to the right with the MAC.

The ICC must perform the following steps to decrypt the command:

1. The MAC is validated as described in the Secure Messaging for Integrity

Process, with the command data being the encrypted command data.
2. The encrypted command data is decrypted as detailed below, to obtain
the plain text command data.

a. The session key SKSMC is defined as follows:

The decryption of a secure message does not involve session key
derivation when:

• the EMV2000 SKD session key derivation is used (as indicated in the
Application Control) and
• the EMV2000 session key SKSMC has already been derived for the
current value of the ATC, and is still present in the key container.
Otherwise, a session key SKSMC session key must be derived as specified
in About ICC Session Key Derivation.

• If Application Control[1][2] = ‘0b’, the MasterCard Proprietary SKD

method is used.
• If Application Control[1][2] = ‘1b’, the EMV2000 method is used.
b. The decryption of the 8-byte enciphered command data (the encrypted
PIN block) with the double length session key SKSMC takes place as
follows:

M:=DES3-1 (SKSMC)[X]

PIN CHANGE Command Decryption Process (Variant 3)

This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 Lite 4 1.0 Select 4 1.0 Lite 4 1.0 Select 4 X Payment
1.0
2.2 SDA Lite 4 Select 4 Lite 4 Select 4 X Data
1.1a 1.1a 1.1a 1.1a Storage
2.2 DDA X Lite 4 X Select 4 X Lite 4 X Select 4
1.1b 1.1b 1.1b 1.1b

©2008–2010 MasterCard
8-6 March 2010 • M/Chip Card Application Cryptographic Algorithms
Secure Messaging
PIN CHANGE Command Decryption Process (Variant 3)

Introduction
The PIN CHANGE command is protected by combining Secure Messaging
for Integrity with the privacy of the data provided by Secure Messaging for
Confidentiality.

How the Command is Decrypted

The received command data field consists of the encrypted command data,
concatenated to the right with the MAC.

The ICC must perform the following steps to decrypt the command:

1. The MAC is validated as described in the Secure Messaging for Integrity

Process, with the command data being the encrypted command data.
2. The encrypted command data is decrypted as detailed below, to obtain
the plain text command data.

a. The session key SKSMC is defined as follows:

The decryption of a secure message does not involve session key
derivation when:

• the CSK session key derivation is used if Application Control[1][2]

= ‘1b’ and
• the CSK SMC session key has already been derived for the current
value of the ATC, and is still present in the key container.
Otherwise, a session key SKSMC session key must be derived as specified
in ICC Session Key Derivation.

• If Application Control[1][2] = ‘0b’, the MasterCard Proprietary SKD

method is used.
• If Application Control[1][2] = ‘1b’, the EMV CSK method is used.
b. The decryption of the 8-byte enciphered command data (the encrypted
PIN block) with the double length session key SKSMC takes place as
follows:

M:=DES3-1 (SKSMC)[X]

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 8-7
Part 8 - ICC Session Key
Derivation
Chapter 9 ICC Session Key Derivation

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 9-i
ICC Session Key Derivation
About ICC Session Key Derivation

About ICC Session Key Derivation

An ICC contains ICC master keys. The ICC session keys are derived from the
ICC master keys using the following key derivation methods:

• The MasterCard Proprietary SKD1 method

• The EMV CSK method
• The EMV2000 method

1. The MasterCard Proprietary SKD method was referred to in previous versions of this manual as "M/Chip 2.1
Session Key Derivation".

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 9-1
Chapter 10 MasterCard Proprietary SKD Method

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 10-i
MasterCard Proprietary SKD Method
MasterCard Proprietary SKD Method Key

MasterCard Proprietary SKD Method Key

Description
The MasterCard Proprietary SKD method is an algorithm for deriving session
keys for computing Application Cryptograms and secure messaging cryptograms.
This algorithm uses a 16-byte Master Key MK and an eight-byte number R =
(R0||R1||R2||R3||R4||R5||R6||R7), and produces a 16-byte session key.

This is denoted later as:

ｄｅｎｏｔｅ　，指示、表示
SK := SKDMCI(MK) [R]

Structure of the Session Key

SK := (SKL||SKR)

Left Part
使用双长度密钥加密８字节数据， The left part of the double-length session key is obtained by applying the DES3
当双长度密钥的左右两部分相同时， algorithm with the double-length ICC Master Key to the eight-byte data-block,
加密结果等于只使用左部分密钥加密。 obtained by replacing the third most significant byte R2 of R by the byte ‘F0’.
比如１１２２３３４４５５６６７７８８１１２２３３４４５５６６７７８８作为密钥，
加密００００００００００００００００的结果， SKL := DES3(MK) [(R0||R1||‘F0’||R3||R4||R5||R6||R7)]
与１１２２３３４４５５６６７７８８作为密钥
加密００００００００００００００００的结果相同。
Right Part
The right part of the double-length session key is obtained by applying the DES3
algorithm with the double-length ICC Master Key to the eight-byte data-block,
obtained by replacing the third most significant byte R2 of R by the byte ‘0F’.

SKR := DES3(MK) [(R0||R1||‘0F’||R3||R4||R5||R6||R7)]

AC Session Key
Derivation
The AC session key SKAC is derived using an eight-byte number R formed with
the ATC and the UN as follows:

R := (ATC ||‘00’||‘00’|| UN)

SKAC := SKDMCI(MKAC)[(ATC||‘00’||‘00’|| UN)]

Data Elements
The following Data Elements involved in the Application Cryptogram Session
Key Derivation (MasterCard Proprietary SKDMCI):

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 10-1
MasterCard Proprietary SKD Method
Secure Messaging Session Key

Value Tag Length

Application Transaction Counter (ATC) ‘9F36’ 2
Unpredictable Number (UN) ‘9F37’ 4

Secure Messaging Session Key

Secure Messaging session keys SKSMI and SKSMC are derived using an eight-byte
number R filled with a new value (RAND) for each script command.

RAND
For the first script command processed in the transaction, RAND is the AC
provided by the card in response to the first GENERATE AC command. For
subsequent script commands, RAND is obtained by incrementing the RAND
used for the previous command by 1.

Specifically, RAND, as a multi-byte counter, is incremented in the same way

as the two-byte ATC. Therefore, incrementing RAND when its least significant
byte is 0xFF results in the next least significant byte being incremented and the
least significant byte being set to 0x00. In the unlikely event that all the bytes
of RAND equal 0xFF, the RAND is incremented by setting all its bytes to 0x00
(i.e. the RAND counter wraps around).

R := RAND

SKSMI := SKDMCI(MKSMI) [R]

SKSMC := SKDMCI(MKSMC) [R]

The RAND value used for the session key derivation is identical to the one used
for the Secure Messaging Integrity MAC computation.

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 11-i
EMV2000 Method Key
EMV2000 Method Key

EMV2000 Method Key

This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 X Lite 4 1.0 X Select 4 1.0 X Lite 4 1.0 X Select 4 Payment
1.0
2.2 SDA Lite 4 Select 4 Lite 4 Select 4 Data
1.1a 1.1a 1.1a 1.1a Storage
2.2 Lite 4 Select 4 Lite 4 Select 4
DDA 1.1b 1.1b 1.1b 1.1b

EMV2000
The algorithm for deriving session keys (SKAC, SKSMI, SKSMC) used for
computing application cryptograms, validating scripts received with secure
messaging, and for verifying ARPCs is defined in EMV2000, Integrated Circuit
Card Specification for Payment Systems, Book 2 – Security and Key Management,
Version 4.0, December 31 2000.

Structure of the Session Key

This method uses as derivation data the two-byte Application Transaction
Counter (ATC) of the ICC and the Session Key Derivation (EMV2000) function
defined in EMV2000:

SK :=
SKDEMV2000(MK)[(ATC||‘00’||‘00’||‘00’||‘00’||‘00’||‘00’)]

Initializing Value
The initializing value IV of the EMV2000 session key derivation is a 16-byte
string of binary zeros:

IV := (‘00’||‘00’||‘00’||‘00’||‘00’||‘00’||‘00’||‘00’||‘00’||
‘00’||‘00’||‘00’||‘00’||‘00’||‘00’||‘00’)

Data Elements

Value Tag Length

Application Transaction ‘9F36’ 2
Counter (ATC)

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 11-1
EMV2000 Method Key
EMV2000 Method Key

First Session Key Derivation

Depending on the card personalization, the very first session key derivation
could have no preceding session key. In this case, this first session key should
be derived by the card in the same way as the issuer derives session keys (i.e.,
from the appropriate ICC Master key and IV). To compute subsequent session
keys, the ICC uses the key token (GP, P, ATCSK). The value of the new key
token must be stored in secure memory. Specifically:

GP := IKH-2, ATCSK/b2

P := IKH-1, ATCSK/b

where "/" denotes integer division, H is the height of the tree and b is the
branch factor.
For M/Chip implementation, the height of the tree H is 8 and the branch factor b
is 4.

Other Session Key Derivations

Depending on the value of the ATC compared to the ATCSK stored on the ICC,
the following cases are possible:

• If ATC > ATCSK then the session key can be derived as described in
EMV2000, Integrated Circuit Card Specification for Payment Systems, Book
2 – Security and Key Management, Version 4.0, December 31 2000. When
this is done, the values of GP and P stored in the ICC must be updated and
ATCSK must be set to ATC.
• If ATC SK = ATCSK then the session key has already been derived and does
not require to be derived again.
• If ATC < ATCSK then session key derivation must fail.

Secure Messaging Session Key

For Secure Messaging a new session key is derived at the beginning of a new
session and is used for all the script commands of the same session provided
the session key derivation method is not changed during the session.

The session key is computed as follows:

SKSMI := SKDEMV2000(MKSMI) [(ATC || '00' || '00' ||

'00' || '00' || '00' || '00')]

SKSMC := SKDEMV2000(MKSMC) [(ATC || '00' || '00' ||

'00' || '00' || '00' || '00')]

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 12-i
EMV CSK Method
EMV CSK Method Key

EMV CSK Method Key

This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 Lite 4 1.0 Select 4 1.0 Lite 4 1.0 Select 4 X Payment
1.0
2.2 SDA Lite 4 Select 4 Lite 4 Select 4 X Data
1.1a 1.1a 1.1a 1.1a Storage
2.2 DDA X Lite 4 X Select 4 X Lite 4 X Select 4
1.1b 1.1b 1.1b 1.1b

EMV
The algorithm for deriving session keys (SKAC, SKSMI, SKSMC) used for computing
application cryptograms, validating scripts received with secure messaging, and
for verifying ARPCs is defined in EMV, Integrated Circuit Card Specification for
Payment Systems, Book 2 – Security and Key Management. Version 4.2, June
2008.

Structure of the Session Key

The derivation of the session key is denoted as:

SK := SKDCSK(MK) [R]

SK := (SKL||SKR)

Left Part
The left part of the double-length session key is obtained by applying the DES3
algorithm with the double-length ICC Master Key to the eight-byte data-block,
obtained by replacing the third most significant byte R2 of R by the byte ‘F0’.

SKL := DES3(MK) [(R0||R1||‘F0’||R3||R4||R5||R6||R7)]

Right Part
The right part of the double-length session key is obtained by applying the DES3
algorithm with the double-length ICC Master Key to the eight-byte data-block,
obtained by replacing the third most significant byte R2 of R by the byte ‘0F’.

SKR := DES3(MK) [(R0||R1||‘0F’||R3||R4||R5||R6||R7)]

Ｒ可以是ＲＡＮＤ或ＡＣ

AC Session Key
Derivation
For AC session key derivation:

R := (ATC ||‘00’||‘00’||‘00’|| ‘00’||‘00’||‘00’)

就是计算Ｌｅｆｔ　Ｐａｒｔ，Ｒ２替换成Ｆ０ SKAC :=
计算Ｒｉｇｈｔ　Ｐａｒｔ，Ｒ２替换成０Ｆ， SKDCSK(MKAC)[(ATC||‘00’||‘00’||‘00’||‘00’||‘00’||‘00’)]
执行ＤＥＳ３算法，使用ＭＫＡＣ密钥，
然后连接ＳＫＬ和ＳＫＲ，得到ＳＫＤ　ＣＳＫ
Data Elements
Data Elements Involved in the Application Cryptogram Session Key Derivation
(SKDCSK):

Value Tag Length

Application Transaction Counter (ATC) ‘9F36’ 2

Secure Messaging Session Key

For Secure Messaging a new session key is derived at the beginning of a new
session and is used for all the scripts of the same session provided the session
key derivation method is not changed during the session.

The diversification value R is the Application Cryptogram returned in response

to the first GENERATE AC command:

R := Application Cryptogram

SKSMI := SKDCSK(MKSMI)[R]

SKSMC := SKDCSK(MKSMC)[R]

©2008–2010 MasterCard
12-2 March 2010 • M/Chip Card Application Cryptographic Algorithms
Part 9 - ICC Dynamic Number
Generation
Chapter 13 ICC Dynamic Number Generation

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 13-i
ICC Dynamic Number Generation
ICC Dynamic Number Generation Process

ICC Dynamic Number Generation Process

This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 Lite 4 1.0 X Select 4 1.0 Lite 4 1.0 X Select 4 X Payment
1.0
2.2 SDA Lite 4 X Select 4 Lite 4 X Select 4 X Data
1.1a 1.1a 1.1a 1.1a Storage
X 2.2 DDA Lite 4 X Select 4 Lite 4 X Select 4
1.1b 1.1b 1.1b 1.1b

Description
The ICC Dynamic Number (IDN) is generated by the ICC. A DES3 encryption
with the 16-byte DES3 ICC Master Key MKIDN is applied on an 8-byte buffer
formed by the ICC Application Transaction Counter (ATC) right padded with
6 zero-bytes.

IDN :=
DES3(MKIDN)[(ATC||‘00’||‘00’||‘00’||‘00’||‘00’||‘00’)]

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 13-1
Part 10 - Encrypted Counters
Chapter 14 Encrypted Counters

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 14-i
Encrypted Counters
Encrypted Counters

Encrypted Counters
This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 X Lite 4 1.0 X Select 4 1.0 X Lite 4 1.0 X Select 4 X Payment
1.0
2.2 SDA X Lite 4 X Select 4 X Lite 4 X Select 4 X Data
1.1a 1.1a 1.1a 1.1a Storage
2.2 DDA X Lite 4 X Select 4 X Lite 4 X Select 4
1.1b 1.1b 1.1b 1.1b

Encrypted Counters
• The ICC contains offline counters to protect against a fraudulent use of the
card in offline mode.
• The ICC may be personalized to include these offline counters in the Issuer
Application Data (IAD) in clear or in encrypted form. The IAD is transmitted
to the issuer.

Encrypted Counters Encryption Key

The encryption key ECK is a variant of the AC session key (SKAC), computed as
follows:

SKAC := (SKL||SKR)

ECKL :=
SKL Å (‘59’||‘00’||‘00’||‘00’||‘00’||‘00’||‘00’||‘00’)

ECKR :=
SKR Å (‘95’||‘00’||‘00’||‘00’||‘00’||‘00’||‘00’||‘00’)

ECK := (ECKL||ECKR)

Encrypted Counters Encryption (Variant 1)

This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 X Lite 4 1.0 X Select 4 1.0 X Lite 4 1.0 X Select 4 Payment
1.0
2.2 SDA X Lite 4 X Select 4 X Lite 4 X Select 4 Data
1.1a 1.1a 1.1a 1.1a Storage
2.2 DDA X Lite 4 X Select 4 X Lite 4 X Select 4
1.1b 1.1b 1.1b 1.1b

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 14-1
Encrypted Counters
Encrypted Counters Encryption (Variant 2)

How the Counters Are Encrypted

These Plaintext Counters are encrypted in ECB Mode, as defined in ISO/IEC
10116 Standard, Information technology – Security techniques – Modes of
operation for an n-bit block cipher.

Encrypted Counters := DES3(ECK) [Plain Text Counters]

Encrypted Counters Encryption (Variant 2)

This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 Lite 4 Select 4 1.0 Lite 4 Select 4 X Payment
1.0 1.0 1.0
2.2 SDA Lite 4 Select 4 Lite 4 Select 4 X Data
1.1a 1.1a 1.1a 1.1a Storage
2.2 DDA Lite 4 Select 4 Lite 4 Select 4
1.1b 1.1b 1.1b 1.1b

How the Counters Are Encrypted

1. Build the Plaintext Counters field. The content of the Plaintext Counters
field depends on the counters selected for inclusion. The Plaintext Counters
field may be 8 or 16 bytes.
2. Depending on the Plaintext Counters field:

a. If the Plaintext Counters Field is a single 8–byte block, the block is

encrypted in Triple DES (ECB Mode), as defined in ISO/IEC 10116
Standard, Information technology- Security techniques — Modes of
operation for an n-bit block cipher.

Encrypted Counters := DES3(ECK) [Plaintext Counters]

The Triple DES encryption is done in ECB mode.
b. If the Plaintext Counters Field is coded on two 8–byte blocks, the blocks
are encrypted in Triple DES (CBC Mode with IV = 0), as defined in
ISO/IEC 10116 Standard, Information technology — Security techniques
— Modes of operation for an n-bit block cipher.

Encrypted Counters := DES3(ECK) [Plaintext Counters]

The Triple DES encryption is done in CBC mode.

©2008–2010 MasterCard
14-2 March 2010 • M/Chip Card Application Cryptographic Algorithms
Part 11 - Dynamic CVC3
Chapter 15 Dynamic CVC3

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 15-i
Dynamic CVC3
Dynamic CVC3 Generation

Dynamic CVC3 Generation

This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 Lite 4 1.0 Select 4 1.0 X Lite 4 1.0 X Select 4 X Payment
1.0
2.2 SDA Lite 4 Select 4 X Lite 4 X Select 4 X Data
1.1a 1.1a 1.1a 1.1a Storage
2.2 DDA Lite 4 Select 4 X Lite 4 X Select 4
1.1b 1.1b 1.1b 1.1b

Description
PayPass defines a dynamic CVC3 for the Track 1 Data (CVC3TRACK1) and a
dynamic CVC3 for the Track 2 Data (CVC3TRACK2).

Both cryptograms are generated by the ICC by applying the same secret key
on the same dynamic data (UN and ATC), but with a different initialization
vector (IVCVC3TRACK1 for CVC3TRACK1 and IVCVC3TRACK2 for CVC3TRACK2). The
initialization vectors are static data stored on the IC.

How CVC3 Generation Works

The CVC3TRACK1 is generated using DES3 encipherment as follows:

1. Concatenate the data listed in this table in the order specified to obtain an
8-byte data block (D):

Data Element Length

IVCVC3TRACK1 2 bytes
Unpredictable Number (UN) 4 bytes
Application Transaction Counter 2 bytes

2. Calculate O as follows:

O := DES3(KDCVC3) [D]
3. The two least significant bytes of O are the CVC3TRACK1.

CVC3TRACK2 is generated in the same way by replacing IVCVC3TRACK1 with

IVCVC3TRACK2.

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 15-1
Part 12 - Data Storage
Chapter 16 Data Storage

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 16-i
Data Storage
Data Storage — OWHF1 Function

Data Storage — OWHF1 Function

The data storage mechanism relies on the OWHF1 and OWHF2 functions.

OWHF1 Function
This section is only applicable to M/Chip Advance Data Storage:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 Lite 4 Select 4 Lite 4 1.0 Select 4 Payment
1.0 1.0 1.0
2.2 SDA Lite 4 Select 4 Lite 4 Select 4 X Data
1.1a 1.1a 1.1a 1.1a Storage
2.2 DDA Lite 4 Select 4 Lite 4 Select 4
1.1b 1.1b 1.1b 1.1b

M/Chip Advance Data Storage

OWHF1 computes an 8-byte hash value R based on the following input:

Data Object Length

DS Summary 1 8
Amount, Authorized (numeric) 6
Transaction Currency Code 2
Reference Control Parameter 1
First/Second Generate AC Indicator 1
DS Unpredictable Number 4
Unpredictable Number 4
DSPK 12

The process is detailed below:

• Create a 2-byte value A by concatenating, from left to right

– The 2 leftmost bits from Reference Control Parameter

– The 2 rightmost bits from First/Second Generate AC Indicator
– The 12 rightmost bits from Transaction Currency Code

• Create 8-byte blocks X1 and X2 as follows:

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 16-1
Data Storage
Data Storage — OWHF2 Function

X1 := DS Summary 1 Å (Amount, Authorised (Numeric) || DS

Unpredictable Number [3..4])

X2 := A || Unpredictable Number || DS Unpredictable

Number [1..2]

• Generate three temporary DES keys K1, K2 and K3 as follows:

K1[i] := DSPK[i], for i = 1, 2, ... , 6

K1[7] := DS Unpredictable Number[1]

K1[8] := DS Unpredictable Number[2]

K2[i] := DSPK[6 + i], for i = 1, 2, ... , 6

K2[7] := DS Unpredictable Number[3]

K2[8] := DS Unpredictable Number[4]

K3 := DES(K1)[X1] Å X1

• Compute output R as follows:

R := X1 Å X2 Å DES(K3)[DES-1(K2)[DES(K3)[X2]]

Data Storage — OWHF2 Function

OWHF2 Function
This section is only applicable to M/Chip Advance Data Storage:

M/Chip Advance Data Storage

OWHF2 computes an 8-byte hash value R based on the following input:

Data Object Length

DS Input T 8
DS Requested Operator ID 8
DSPK 12

©2008–2010 MasterCard
16-2 March 2010 • M/Chip Card Application Cryptographic Algorithms
Data Storage
Data Storage — OWHF2 Function

The process is detailed below:

• Generate two temporary DES keys K1 and K2 as follows:

K1[i] := DSPK[i], for i = 1, 2, ... , 6

K1[7] := DS Requested Operator ID[5]

K1[8] := DS Requested Operator ID[6]

K2[i] := DSPK[6 + i], for i = 1, 2, ... , 6

K2[7] := DS Requested Operator ID[7]

K2[8] := DS Requested Operator ID[8]

• Set X as follows:

X := DS Input T Å DS Requested Operator ID

• Compute output R as follows:

R := DS Input T Å DES(K1)[DES-1(K2)[DES(K1)[X]]

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 16-3
Part 13 - Cryptographic
Primitives
Chapter 17 Cryptographic Primitives

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 17-i
Cryptographic Primitives
About DES and Triple-DES

About DES and Triple-DES

DES is used for various types of security measures for M/Chip Applications.

ISO/IEC 18033-3 Standard

The DES (Data Encryption Standard), as described in the ISO/IEC 18033-3
Standard, Information technology – Security techniques – Encryption algorithms
– Part 3: Block ciphers, is the block cipher used for Application Cryptogram
generation, Issuer Authentication and Secure Messaging.

More precisely, the single-DES and its triple-DES (DES3) version, described
below, are used in the session key derivation and the cryptographic mechanisms
described in parts 3 to 16.

Encryption
The DES algorithm takes as input an eight-byte plain text block X, and an 8-byte
secret key K, and produces an 8-byte ciphertext block Y.

Y:= DES(K)[X]

Triple DES encryption produces an 8–byte ciphertext block Y by encrypting an

8-byte plain text block X with a double-length (16-byte) secret key

K = (KL||KR)
as follows:

Y:= DES3(K)[X] := DES(KL)[DES-1(KR)[DES(KL)[X]]]

Decryption
Reversal of the DES function is denoted as:

X:= DES-1(K)[Y]

Triple DES decryption takes place as follows:

X:= DES3-1(K)[Y]:= DES-1(KL)[DES(KR)[DES-1(KL)[Y]]]

CBC Mode
Triple DES Encryption in CBC mode of an 8n-byte block X with a secret key K
and an 8–byte initial value IV is denoted as:

Y : = DES3CBC(K)[X}

The encryption is performed as follows: Split the 8n-byte block X in n 8–byte

blocks X 1, ...Xn

X = X1 ||...|| Xn

The data encryption consists of encrypting each block as follows:

Y1:=DES3(K)[X1 Å IV]
Yi:=DES3(K)[Xi Å Yi-1] (for i = 2, ..., n)

The result is the 8n-byte value Y formed by concatenating Y1, ..., Yn.

Y: = Y1 ||...|| Yn

MAC
The MAC computation is performed by using:

• A double length key K := (KL||KR), and

• The algorithm 3 specified in ISO 9797-1 as follows:

1. Divide the data into a set of eight-byte data blocks labeled X1, X2, … , Xn
2. Compute the intermediate results for i = 1, 2, … , n

Yi := DES(KL)[Xi Å Yi-1]

Where:

Y0 := 0
3. The MAC is:

MAC := DES(KL) [Des-1(KR) [Yn]]

RSA
EMV
The RSA algorithm is the asymmetric reversible cryptographic algorithm used
in the digital signature scheme described in Part III of EMV, Integrated Circuit
Card Specification for Payment Systems, Book 2 – RSA Algorithm for offline
data authentication.

Input and Output

The RSA algorithm produces a cryptogram whose length equals the size of the
modulus used. The lengths in bytes of the moduli, and the values of the public
exponents involved in static data authentication, dynamic data authentication,
and PIN Encipherment are specified in the following tables. The bit length of all
moduli shall be a multiple of eight, the leftmost bit of its leftmost byte being 1.

Lengths in Bytes of Public Key Moduli

Description Length
Certification Authority Public Key 128 £ NCA £ 248
Modulus
Issuer Public Key Modulus 96 £ NI £ NCA
ICC Public Key Modulus 96 £ NIC £ NI
ICC PIN Encipherment Public Key 96 £ NPE £ NI
Modulus

MasterCard determines the lengths and expiry dates of CA keys for M/Chip
products. Issuers must refer to MasterCard Chip Issuer Security Guidelines
which are based on best industry practice to determine appropriate lengths and
expiry dates for their issuer and ICC keys.

Public Key Algorithm Indicator

The Public Key Algorithm Indicator for the RSA algorithm must be coded as
hexadecimal ‘01’.

Keys
The private key SK of the RSA digital signature scheme, with an odd public key
exponent e, consists of two prime numbers p and q, such that (p – 1) and (q –
1) are co-prime to e and a private exponent d such that:

ed ≡ 1 mod (p – 1)(q – 1)

The corresponding public key PK consists of the public key modulus n = pq

and the public key exponent e.

This document allows for the option to implement RSA private key functions
using the Chinese Remainder Theorem for which some recommendations are
provided in the documents MasterCard Chip Issuer Security Guidelines and
Smart Card Cryptographic Algorithm Implementation Guidelines. However,
specification of this implementation method is beyond the scope of this
document.

Signing Function
The signing function for RSA with an odd public key exponent is defined as:

S = Sign(SK)[X] := Xd mod n, 0 < X < n

where X is the data to be signed, and S the corresponding digital signature.

Recovery Function
The recovery function for RSA with an odd public key exponent is equal to:

X = Recover(PK)[S] := Se mod n

The signing function and the recovery function are used in offline data
authentication and in offline PIN Encipherment. SeePart III of EMV, Integrated
Circuit Card Specification for Payment Systems, Book 2 Annex A2.1 (Digital
Signature Scheme Giving Message Recovery) and sections 5,6, and 7 for further
details.

SHA-1
ISO/IEC 10118-3 Standard
The Secure Hash Algorithm (SHA-1), as described in the ISO/IEC 10118-3
Standard, Information technology – Security techniques – Hash-functions – Part
3: Dedicated hash-functions, and FIPS 180-2, Secure Hash Standard, August
2002 publication, is used in the digital signature scheme used for static and
dynamic data authentication. SHA-1 takes as input messages M of arbitrary
length, and produces a 20-byte hash value H:

H := SHA(M)

SHA-1 Algorithm Indicator

The Hash Algorithm Indicator for this hashing algorithm shall be coded as
hexadecimal ‘01’.

EMV 2000 Session Key Derivation

This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 X Lite 4 1.0 X Select 4 1.0 X Lite 4 1.0 X Select 4 Payment
1.0
2.2 SDA Lite 4 Select 4 Lite 4 Select 4 Data
1.1a 1.1a 1.1a 1.1a Storage
2.2 Lite 4 Select 4 Lite 4 Select 4
DDA 1.1b 1.1b 1.1b 1.1b

Principles
The EMV2000 session key derivation function takes as input the 16-byte ICC
Master Key MK and the 2-byte ATC, and produces as output the 16-byte ICC
Session Key SK.

The session key derivation function generates a unique session key for each
ICC application transaction. It does this by generating a "tree" of keys. This tree
has the ICC Master Key at its base and then numerous levels of intermediate
keys above it, each intermediary key being derived from keys beneath it in the
tree. On top of the tree are the session keys, one session key per value of the
Application Transaction Counter (ATC).

©2008–2010 MasterCard
17-4 March 2010 • M/Chip Card Application Cryptographic Algorithms
Cryptographic Primitives
EMV 2000 Session Key Derivation

Parameters
The session key derivation function has two parameters:

• H, the height of the tree, that is, the number of levels of intermediary keys
in the tree excluding the base level;
• b, the branch factor, that is, the number of "child" keys that a "parent" key
(which must be one level lower in the tree) derives.

The number of keys at the ith level is bi, 0 £ I £ H.

The number of possible session keys is bH and this must exceed the maximum
value of the ATC which is 216 - 1.

Key Derivation
Let Φ be the function that maps two 16-byte numbers X and Y and an integer
j onto a 16-byte number as follows:

Z = Φ(X,Y,j) := (DES3(X)[YL Å (j mod b)] ||

DES3(X)[YR Å (j mod b) Å ‘F0’])
where YL and YR are two 8-byte numbers and Y = (YL||YR).

The reverse function Φ-1 of Φ is equal to

Y = Φ-1(X,Z,j) := ((DES3-1(X)[ZL] Å (j mod b))||

(DES3-1(X)[ZR] Å (j mod b) Å ‘F0’))
where ZL and ZR are two 8-byte numbers and Z = (ZL||ZR).

Let define IK0,0 as the ICC Master Key, hence IK0,0 := MK. This key is used to
derive b intermediate keys at level 1 of the tree. For j = 0, ..., b-1:

IK1,j := Φ(MK , IV , j)
where IV is a 16-byte initializing value, not necessarily secret.

An intermediate key in a higher level is derived from its parent and grandparent
using the function Φ. Specifically the jth key (0 £ j £ bi-1) in level i (2 £ i £
H) is derived as

IKi,j := Φ(IKi-1,j/b , IKi-2,j/b2 , j)

where "/" denotes integer division.

Let

X := IKH,ATC Å IKH-2,ATC/b2

The session key SK is defined to be X, with the exception of the least significant
bit of each byte of X which is set to a value that ensures that each of the 16
bytes of SK has an odd number of nonzero bits (this to conform with the odd
parity requirements for DES keys). Note that the forcing of the parity bits of DES
keys only takes place for the session keys, but not for the intermediate keys.

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 17-5
Cryptographic Primitives
EMV 2000 Session Key Derivation

Implementation Values
For M/Chip, we have:

• b=4
• H=8
This supports a card limited to perform no more that 216 transactions.
• IV = zero

Implementation in Pseudo-Code
Below a straightforward implementation of the function is given in pseudo-code.
In this implementation (a0, a1, . . . , aH-1) denotes the b-ary representation of
the ATC at the time of the transaction, hence:

ATC = a0bH-1 + a1bH-2 + . . . + aH-2b + aH-1

and GP and P denote grandparent and parent keys, respectively. Let PAR(X)
denote the function that sets the least significant bit of each byte of a 16-byte
number X to odd parity.

The computation of the session key SK from the ICC Master Key MK for the
current value of the ATC takes place as follows:

GP=MK;
P=Φ(MK,IV,a0);
for (i=1;i<H-1;i++){
T=P;
P=Φ(P,GP,ai);
GP=T;
}
SK=PAR(Φ(P,GP,aH-1)ÅGP);

The implementation above uses the MK each time a session key is derived.
However an actual ICC implementation should not reuse the MK for each
session key derivation, but should calculate the session keys from saved
intermediate keys that are changed regularly. This will limit the usage of a
specific key in the cryptographic operations. More details are given below.

In the session key derivation function, the derivation of intermediate level keys
is reversible, that is, given knowledge of an intermediate key and its parent it
is possible to derive its grandparent. This means that a card which stores an
intermediate key IK and its parent can then determine any other key in the tree,
including any session key. Below an example is given in pseudo-code of an
implementation of the session key derivation function using this property and
ensuring that an intermediate key is only used a limited number of times.

In the pseudo-code below, at the beginning of the program P and GP denote

the parent and grandparent keys that were used for the computation of the
previous session key, and at the end they denote the parent and grandparent
keys that were used for the computation of the current session key. For the
computation of the first session key (ATC = 0), these values are initialized as

GP := IKH-2,0
P := IKH-1,0

©2008–2010 MasterCard
17-6 March 2010 • M/Chip Card Application Cryptographic Algorithms
Cryptographic Primitives
EMV 2000 Session Key Derivation

Let (a0, a1, . . . , aH-1) again denote the b-ary representation of the ATC at the
time of the transaction, hence

ATC = a0bH-1 + a1bH-2 + . . . + aH-2b + aH-1

and let (c0, c1, . . . , cH-1) denote the b-ary representation of the value ATCOLD
of the ATC at the time of the previous session key derivation:

ATCOLD = c0bH-1 + c1bH-2 + . . . + cH-2b + cH-1

For ATC = 0, ATCOLD is initialized as ATCOLD := 0.

The computation of the session key SK for the current value of the ATC takes
place as follows:

/* determination of the common node for ATC and ATCOLD */

i=0;
while ((ai==ci)&& (i<H-1))
i++;
/* computation of the new GP and P for the current ATC */
for (j=H-2;j>=i;j--) {
T=GP;
GP=Φ-1(GP,P,cj);
P=T;
}
while (i<H-1) {
T=P;
P=Φ(P,GP,ai);
GP=T;
i++;
}
/* computation of the session key */
SK=PAR(Φ(P,GP,aH-1)ÅGP);
ATCOLD=ATC;

The algorithm above can be made more efficient by storing more than 2
intermediate keys. This however requires more memory.

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 17-7
Part 14 - Examples
Chapter 18 Notation Used

Notation Used
Data Input, Intermediate Values
In the following examples, data input and intermediate values are shown as a
succession of byte values against a light gray background. For example:

13 33 90 00 00 61 65

Principal Values, End results of calculations

Principal values, and the end results of calculations, are shown as a succession
of byte values against a dark gray background. For example:

05 01 09 08 56 D3 96 58 A2 EE D9 B1 BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB A0 B1 C2 D3

Data Samples
This document contains data samples to illustrate the cryptographic algorithms
applicable for each version of the chip application. While the computation
is detailed as precisely as possible, data values contained in the samples are
not guaranteed to be correct.

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 18-1
Chapter 19 Purchase with Online Authorization

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 19-i
Purchase with Online Authorization
MasterCard Proprietary Session Key Derivation for AC

MasterCard Proprietary Session Key Derivation for AC

Key
The Card Master Key MKAC for AC computation:

08 DF 34 25 32 20 A7 20 EF F2 C1 34 38 52 E6 3D

Input
For AC computation, the input is the concatenation of:

• The Application Transaction Counter (ATC):

34 56
• Two zero bytes:

00 00
• Terminal Unpredictable Number (UN):

11 11 11 11

Concatenation:

34 56 00 00 11 11 11 11

Output
The concatenation of:

• The Triple-DES Encryption of the input with the third byte replaced by ‘F0’
• The Triple-DES Encryption of the input with the third byte replaced by ‘0F’

This amounts to:

SKAC =
DES3(MKAC)[(ATC||‘F0’||‘00’||‘11’||‘11’||‘11’||‘11’)]||
DES3(MKAC)[(ATC||‘0F’||‘00’||‘11’||‘11’||‘11’||‘11’)]
F5 8F 02 9D 08 75 4D B6 A3 8B 24 7B F9 3C C2 87
The result can be submitted to parity forcing, like the Card Master Keys. This is
not shown here as this is entirely internal to the ICC, and the computation is not
affected. This is not recommended for security reasons.

EMV2000 Session Key Derivation for AC

This topic applies to the following M/Chip Card Applications:

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 19-1
Purchase with Online Authorization
EMV2000 Session Key Derivation for AC

Key
The Card Master Key MKAC for AC computation:

08 DF 34 25 32 20 A7 20 EF F2 C1 34 38 52 E6 3D

Input
For AC computation, the input is the concatenation of:

• The Application Transaction Counter (ATC):

34 56
• The b-ary representation (a0, … , a7) of the ATC is:

(0, 3, 1, 0, 1, 1, 1, 2)

Output
Following the algorithm described in Chapter ICC Key Derivation, the
intermediate results P and GP are:

• Round 0 – GP is MKAC, P:

8F 2C 44 84 04 9D 89 5E FC 38 87 39 92 FF 31 C7
• Round 1 – P

:26 72 82 0B C6 44 4F A4 F3 3F 77 C2 29 AC E7 CC
• Round 2 – P:

BD 19 AB 52 5D 14 BF B3 57 69 98 20 7B 98 28 DA
• Round 3 – P:

FC 03 48 6E 7E 78 75 91 5A DE FD 42 8D CA 77 63
• Round 4 – P:

10 A9 BD B3 25 AF CF 3C 26 37 C9 DA 31 7C 74 8D
• Round 5 – P:

A2 54 F0 78 C1 C2 DF 02 1C 5F B4 C8 4B E5 BB E2
• Round 6 – P:

©2008–2010 MasterCard
19-2 March 2010 • M/Chip Card Application Cryptographic Algorithms
Purchase with Online Authorization
Common Session Key Derivation for AC

F3 05 46 84 41 BE A4 5B A2 35 A2 8B CD F7 44 B6

The result of the last computation of function Φ(P,GP,a7) is:

51 16 15 DB 96 C8 52 63 D5 5C 0C 02 A8 A0 54 F9

This is bitwise XOR-combined with the GP from round 6 (equals P from round
5):

F3 42 E5 A3 57 0A 8D 61 C9 03 B8 CA E3 45 EF 1B

Parity adjustment results in the SKAC listed above:

F2 43 E5 A2 57 0B 8C 61 C8 02 B9 CB E3 45 EF 1A

Common Session Key Derivation for AC

This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 Lite 4 1.0 Select 4 1.0 Lite 4 1.0 Select 4 X Payment *

1.0
2.2 SDA Lite 4 Select 4 Lite 4 Select 4 X Data
1.1a 1.1a 1.1a 1.1a Storage *

2.2 DDA X Lite 4 X Select 4 X Lite 4 X Select 4

1.1b 1.1b 1.1b 1.1b

*Variant applicable when the application supports V.1.1 and V.1.3 Host Backward
Compatibility: if Application Control[5][4..2]='011'.

Key
The Card Master Key MKAC for AC computation:

08 DF 34 25 32 20 A7 20 EF F2 C1 34 38 52 E6 3D

Input
For AC computation, the input is the concatenation of:

• The Application Transaction Counter (ATC):

34 56
• Six zero bytes:

00 00 00 00 00 00

Concatenation:

34 56 00 00 00 00 00 00

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 19-3
Purchase with Online Authorization
ARQC Generation (Example 1)

Output
The concatenation of:

• The Triple-DES Encryption of the input with the third byte replaced by ‘F0’
• The Triple-DES Encryption of the input with the third byte replaced by ‘0F’

This amounts to:

SKAC = DES3(MKAC)[(ATC||‘F0’||‘00’||‘00’||‘00’||‘00’||‘00’)]||
DES3(MKAC)[(ATC||‘0F’||‘00’||‘00’||‘00’||‘00’||‘00’)]

18 20 25 BA 4F 4B 32 F5 A6 3A 1B A5 E6 84 5D 4E
The result can be submitted to parity forcing, like the Card Master Keys. This is
not shown here as this is entirely internal to the ICC, and the computation is not
affected. This is not recommended for security reasons.

ARQC Generation (Example 1)

This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
X Lite 2.1 Lite 4 Select 4 1.0 Lite 4 1.0 Select 4 X Payment*
1.0 1.0
X 2.2 SDA Lite 4 Select 4 Lite 4 Select 4 X Data
1.1a 1.1a 1.1a 1.1a Storage*
X 2.2 DDA Lite 4 Select 4 Lite 4 Select 4
1.1b 1.1b 1.1b 1.1b

NOTE
*Variant applicable when the application supports V.2.0.5, V.2.1 and V.2.2 Host
Backward Compatibility: if Application Control [5][4..2]='001' or if Application
Control [5][4..2]='010'.

Key
The Session Key SKAC as derived above:

F5 8F 02 9D 08 75 4D B6 A3 8B 24 7B F9 3C C2 87

©2008–2010 MasterCard
19-4 March 2010 • M/Chip Card Application Cryptographic Algorithms
Purchase with Online Authorization
ARQC Generation (Example 2)

Input
The input is the concatenation of the values of:

• Amount (Authorized):

00 00 00 01 00 00
• Amount (Other):

00 00 00 00 10 00
• Terminal Country Code:

08 40
• Terminal Verification Results:

00 00 00 10 80
• Transaction Currency Code:

08 40 08 40
• Transaction Date:

98 07 04
• Transaction Type:

00
• Unpredictable Number:

11 11 11 11
• Application Interchange Profile (AIP):

58 00
• Application Transaction Counter:

34 56
• Card Verification Results:

03 A4 00 20

Concatenation:

00 00 00 01 00 00 00 00 00 00 10 00 08 40 00 00
00 10 80 08 40 98 07 04 00 11 11 11 11 58 00 34
56 03 A4 00 20

Output
ARQC = MAC(SKAC)[Input]:

DB C1 E0 B8 20 FF E7 DB

ARQC Generation (Example 2)

This topic applies to the following M/Chip Card Applications:

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 19-5
Purchase with Online Authorization
ARQC Generation (Example 2)

Key
The Key for the ARQC generation depends on the Session Key derivation
algorithm used and is derived as described above:

• For MasterCard proprietary Session Key Derivation

F5 8F 02 9D 08 75 4D B6 A3 8B 24 7B F9 3C C2 87
• For Session Key derivation for EMV 2000 Session Key Derivation

F2 43 E5 A2 57 0B 8C 61 C8 02 B9 CB E3 45 EF 1A

Input
The input is the concatenation of the values of:

• Amount (Authorized):

00 00 00 01 00 00
• Amount (Other):

00 00 00 00 10 00
• Terminal Country Code:

08 40
• Terminal Verification Results:

00 00 00 10 80
• Transaction Currency Code:

08 40
• Transaction Date:

98 07 04
• Transaction Type:

00
• Unpredictable Number:

11 11 11 11
• Application Interchange Profile (AIP):

©2008–2010 MasterCard
19-6 March 2010 • M/Chip Card Application Cryptographic Algorithms
Purchase with Online Authorization
ARQC Generation (Example 3)

58 00
• Application Transaction Counter:

34 56
• Card Verification Results:

03 A4 00 20

Concatenation:

00 00 00 01 00 00 00 00 00 00 10 00 08 40 00 00
00 10 80 08 40 98 07 04 00 11 11 11 11 58 00 34
56 03 A4 00 20

Output
ARQC = MAC(SKAC)[Input]:

• For MasterCard proprietary Session Key Derivation

08 95 B1 A3 BD 0D 6B 20
• For Session Key derivation for EMV 2000 Session Key Derivation

0B 8C CD BA F7 80 BA A8

ARQC Generation (Example 3)

This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 Lite 4 1.0 Select 4 1.0 Lite 4 1.0 Select 4 Payment
1.0
2.2 SDA X Lite 4 X Select 4 X Lite 4 X Select 4 Data
1.1a 1.1a 1.1a 1.1a Storage
2.2 DDA Lite 4 Select 4 Lite 4 Select 4
1.1b 1.1b 1.1b 1.1b

Key
The Session Key SKAC as derived above:

F5 8F 02 9D 08 75 4D B6 A3 8B 24 7B F9 3C C2 87

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 19-7
Purchase with Online Authorization
ARQC Generation (Example 3)

Input
The input is the concatenation of the values of:

• Amount (Authorized):

00 00 00 01 00 00
• Amount (Other):

00 00 00 00 10 00
• Terminal Country Code:

08 40
• Terminal Verification Results:

00 00 00 10 80
• Transaction Currency Code:

08 40
• Transaction Date:

98 07 04
• Transaction Type:

00
• Unpredictable Number:

11 11 11 11
• Application Interchange Profile (AIP):

58 00
• Application Transaction Counter:

34 56
• Card Verification Results:

A0 80 03 24 20 00

Concatenation1:

00 00 00 01 00 00 00 00 00 00 10 00 08 40 00 00
00 10 80 08 40 98 07 04 00 11 11 11 11 58 00 34
56 A0 80 03 24 20 00

Output
ARQC = MAC(SKAC)[Input]:

08 95 B1 A3 BD 0D 6B 20

1. In this example, the Offline Counters are not included in the generation of the ARQC (Application Control[2][1]
= ‘0b’).

©2008–2010 MasterCard
19-8 March 2010 • M/Chip Card Application Cryptographic Algorithms
Purchase with Online Authorization
ARQC Generation (Example 4)

ARQC Generation (Example 4)

This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 Lite 4 1.0 Select 4 1.0 Lite 4 1.0 Select 4 X Payment*
1.0
2.2 SDA Lite 4 Select 4 Lite 4 Select 4 X Data
1.1a 1.1a 1.1a 1.1a Storage*
2.2 DDA X Lite 4 X Select 4 X Lite 4 X Select 4
1.1b 1.1b 1.1b 1.1b

NOTE
*Variant applicable when the application supports V.1.1 and V.1.3 Host Backward
Compatibility: if Application Control [5][4..2]='011'.

Key
The Key for the ARQC generation depends on the Session Key derivation
algorithm used and is derived as described above:

• For MasterCard proprietary Session Key Derivation

F5 8F 02 9D 08 75 4D B6 A3 8B 24 7B F9 3C C2 87
• For Common Session Key derivation

18 20 25 BA 4F AB 32 F5 A6 3A 1B A5 E6 84 5D 4E

Input
The input is the concatenation of the values of:

• Amount (Authorized):

00 00 00 01 00 00
• Amount (Other):

00 00 00 00 10 00
• Terminal Country Code:

08 40
• Terminal Verification Results:

00 00 00 10 80
• Transaction Currency Code:

08 40
• Transaction Date:

98 07 04
• Transaction Type:

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 19-9
Purchase with Online Authorization
ARPC Validation (Example 1)

00
• Unpredictable Number:

11 11 11 11
• Application Interchange Profile (AIP):

58 00
• Application Transaction Counter:

34 56
• Card Verification Results:

A0 80 03 24 20 00

Concatenation2

00 00 00 01 00 00 00 00 00 00 10 00 08 40 00 00
00 10 80 08 40 98 07 04 00 11 11 11 11 58 00 34
56 A0 80 03 24 20 00

Output
ARQC = MAC(SKAC)[Input]:

• For MasterCard proprietary Session Key Derivation

08 95 B1 A3 BD 0D 6B 20
• For Common Session Key derivation

F9 F9 12 12 C0 DF 65 BA

ARPC Validation (Example 1)

This topic applies to the following M/Chip Card Applications:

NOTE
*Variant applicable when the application supports V.2.05, V.2.1 and V.2.2 Host
Backward Compatibility: if Application Control[5][4..2]='001' or if Application
Control[5][4..2]='010'.

2. In this example, the Offline Counters are not included in the generation of the ARQC (Application Control[2][1]
= ‘0b’).

©2008–2010 MasterCard
19-10 March 2010 • M/Chip Card Application Cryptographic Algorithms
Purchase with Online Authorization
ARPC Validation (Example 2)

Key
The Key for ARPC validation is the MKAC

08 DF 34 25 32 20 A7 20 EF F2 C1 34 38 52 E6 3D

Input
The input is the XOR of:

• The ARQC:

DB C1 E0 B8 20 FF E7 DB
• The ARPC Response Code (ARC):

30 31

The result of the XOR is:

XOR (ARQC Å ARC||‘00’||‘00’||‘00’||‘00’||‘00’||‘00’)):

EB F0 E0 B8 20 FF E7 DB

Output
ARPC = DES3(MKAC)[Input]

05 F7 C0 50 F0 21 F4 79

The received ARPC is valid if it is equal to the previously computed one.

ARPC Validation (Example 2)

This topic applies to the following M/Chip Card Applications:

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 19-11
Purchase with Online Authorization
ARPC Validation (Example 2)

Key
The Key for the ARPC validation depends on the Session Key derivation
algorithm used and is derived as described above:

• For MasterCard proprietary Session Key Derivation, MKAC

08 DF 34 25 32 20 A7 20 EF F2 C1 34 38 52 E6 3D
• For Session Key derivation for EMV 2000 Session Key Derivation, SKARPC =
SKAC

F2 43 E5 A2 57 0B 8C 61 C8 02 B9 CB E3 45 EF 1A

Input
The input is the XOR of:

• The ARQC:

– For MasterCard proprietary Session Key Derivation

08 95 B1 A3 BD 0D 6B 20
– For EMV 2000 Session Key Derivation

0B 8C CD BA F7 80 BA A8

• The ARPC Response Code (ARC):

00 12

The result of the XOR is:

XOR ( ARQC Å ARC||‘00’||‘00’||‘00’||‘00’||‘00’||‘00’)):

• For MasterCard proprietary Session Key Derivation

08 87 B1 A3 BD 0D 6B 20

• For Session Key derivation for EMV 2000 Session Key Derivation

0B 9E CD BA F7 80 BA A8

©2008–2010 MasterCard
19-12 March 2010 • M/Chip Card Application Cryptographic Algorithms
Purchase with Online Authorization
ARPC Validation (Example 3)

Output
ARPC = DES3(MKAC)[Input]

• For MasterCard proprietary Session Key Derivation

ED A5 9D 0D 2B 6D 2A DD

• For EMV 2000 Session Key Derivation

F5 C1 10 87 03 63 78 27 *chg*

The received ARPC is valid if it is equal to the previously computed one.

ARPC Validation (Example 3)

This topic applies to the following M/Chip Card Applications:

Key
The Key for ARPC validation is the MKAC

08 DF 34 25 32 20 A7 20 EF F2 C1 34 38 52 E6 3D

Input
The input is the XOR of:

• The ARQC:

08 95 B1 A3 BD 0D 6B 20

• The ARPC Response Code (ARC):

00 12

The result of the XOR is:

XOR ( ARQC Å ARC||‘00’||‘00’||‘00’||‘00’||‘00’||‘00’)):

08 87 B1 A3 BD 0D 6B 20

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 19-13
Purchase with Online Authorization
ARPC Validation (Example 4)

Output
ARPC = DES3(MKAC)[Input]

ED A5 9D 0D 2B 6D 2A DD

The received ARPC is valid if it is equal to the previously computed one.

ARPC Validation (Example 4)

This topic applies to the following M/Chip Card Applications:

NOTE
*Variant applicable when the application supports V.1.1 and V.1.3 Host Backward
Compatibility: if Application Control[5][4..2]='011'.

Key
The Key for the ARPC validation depends on the Session Key derivation
algorithm used and is derived as described above:

• For MasterCard proprietary Session Key Derivation, MKAC

08 DF 34 25 32 20 A7 20 EF F2 C1 34 38 52 E6 3D
• For Common Session Key derivation, SKARPC = SKAC

18 20 25 BA 4F AB 32 F5 A6 3A 1B A5 E6 84 5D 4E

Input
The input is the XOR of:

• The ARQC:

– For MasterCard proprietary Session Key Derivation

08 95 B1 A3 BD 0D 6B 20
– For Common Session Key derivation

F9 F9 12 12 C0 DF 65 BA
• The ARPC Response Code (ARC):

00 12

©2008–2010 MasterCard
19-14 March 2010 • M/Chip Card Application Cryptographic Algorithms
Purchase with Online Authorization
TC Generation (Example 1)

The result of the XOR is:

XOR ( ARQC Å ARC||‘00’||‘00’||‘00’||‘00’||‘00’||‘00’)):

• For MasterCard proprietary Session Key Derivation

08 87 B1 A3 BD 0D 6B 20
• For Common Session Key derivation

F9 EB 12 12 C0 DF 65 BA

Output
ARPC = DES3(MKAC)[Input]

• For MasterCard proprietary Session Key Derivation

ED A5 9D OD 2B 6D 2A DD
• For Common Session Key derivation

65 12 AA 0F FC 50 57 2C

The received ARPC is valid if it is equal to the previously computed one.

TC Generation (Example 1)

This topic applies to the following M/Chip Card Applications:

NOTE
*Variant applicable when the application supports V.2.05, V.2.1 and V.2.2 Host
Backward Compatibility: If Application Control[5][4..2]='001' or if Application
Control[5][4..2]='010'.

Key
The Session Key SKAC as derived above:

F5 8F 02 9D 08 75 4D B6 A3 8B 24 7B F9 3C C2 87

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 19-15
Purchase with Online Authorization
TC Generation (Example 2)

Input
The input is the concatenation of the (current, refreshed) values of:

• Amount (Authorized):

00 00 00 01 00 00
• Amount (Other):

00 00 00 00 10 00
• Terminal Country Code:

08 40
• Terminal Verification Results:

00 00 00 10 80
• Transaction Currency Code:

08 40
• Transaction Date:

98 07 04
• Transaction Type:

00
• Unpredictable Number:

11 11 11 11
• Application Interchange Profile (AIP):

58 00
• Application Transaction Counter:

34 56
• Card Verification Results:

03 A4 00 20

Concatenation:

00 00 00 01 00 00 00 00 00 00 10 00 08 40 00 00
00 10 80 08 40 98 07 04 00 11 11 11 11 58 00 34
56 03 A4 00 20

Output
TC = MAC(SKAC)[Input]:

DB C1 E0 B8 20 FF E7 DB

TC Generation (Example 2)

This topic applies to the following M/Chip Card Applications:

©2008–2010 MasterCard
19-16 March 2010 • M/Chip Card Application Cryptographic Algorithms
Purchase with Online Authorization
TC Generation (Example 2)

Key
The Key for the TC generation depends on the Session Key derivation algorithm
used, and is derived as described above:

• For MasterCard proprietary Session Key Derivation

F5 8F 02 9D 08 75 4D B6 A3 8B 24 7B F9 3C C2 87
• For EMV 2000 Session Key Derivation

F2 43 E5 A2 57 0B 8C 61 C8 02 B9 CB E3 45 EF 1A

Input
The input is the concatenation of the (current, refreshed) values of:

• Amount (Authorized):

00 00 00 01 00 00
• Amount (Other):

00 00 00 00 10 00
• Terminal Country Code:

08 40
• Terminal Verification Results:

00 00 00 10 80
• Transaction Currency Code:

08 40
• Transaction Date:

98 07 04
• Transaction Type:

00
• Unpredictable Number:

11 11 11 11
• Application Interchange Profile (AIP):

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 19-17
Purchase with Online Authorization
TC Generation (Example 3)

58 00
• Application Transaction Counter:

34 56
• Card Verification Results:

A0 80 03 24 20 00

Concatenation3:

00 00 00 01 00 00 00 00 00 00 10 00 08 40 00 00
00 10 80 08 40 98 07 04 00 11 11 11 11 58 00 34
56 A0 80 03 24 20 00

Output
TC = MAC(SKAC)[Input]:

• For MasterCard proprietary Session Key Derivation

08 95 B1 A3 BD 0D 6B 20
• For EMV 2000 Session Key Derivation

0B 8C CD BA F7 80 BA A8

TC Generation (Example 3)

This topic applies to the following M/Chip Card Applications:

Key
The Session Key SKAC as derived above:

F5 8F 02 9D 08 75 4D B6 A3 8B 24 7B F9 3C C2 87

3. In this example, the Offline Counters are not included in the generation of the TC (Application Control[2][1] =
‘0b’).

©2008–2010 MasterCard
19-18 March 2010 • M/Chip Card Application Cryptographic Algorithms
Purchase with Online Authorization
TC Generation (Example 3)

Input
The input is the concatenation of the (current, refreshed) values of:

• Amount (Authorized):

00 00 00 01 00 00
• Amount (Other):

00 00 00 00 10 00
• Terminal Country Code:

08 40
• Terminal Verification Results:

00 00 00 10 80
• Transaction Currency Code:

08 40
• Transaction Date:

98 07 04
• Transaction Type:

00
• Unpredictable Number:

11 11 11 11
• Application Interchange Profile (AIP):

58 00
• Application Transaction Counter:

34 56
• Card Verification Results:

A0 80 03 24 20 00

Concatenation4:

00 00 00 01 00 00 00 00 00 00 10 00 08 40 00 00
00 10 80 08 40 98 07 04 00 11 11 11 11 58 00 34
56 A0 80 03 24 20 00

Output
TC = MAC(SKAC)[Input]:

08 95 B1 A3 BD 0D 6B 20

4. In this example, the Offline Counters are not included in the generation of the TC (Application Control[2][1] =
‘0b’).

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 19-19
Purchase with Online Authorization
TC Generation (Example 4)

TC Generation (Example 4)

This topic applies to the following M/Chip Card Applications:

NOTE
*Variable applicable when the application supports V.1.1 and V.1.3 Host
Backward Compatibility: if Application Control [5][4..2]='011'.

Key
The Key for the TC generation depends on the Session Key derivation algorithm
used and is derived as described above:

• For MasterCard proprietary Session Key Derivation

F5 8F 02 9D 08 75 4D B6 A3 8B 24 7B F9 3C C2 87
• For Common Session Key derivation

18 20 25 BA 4F AB 32 F5 A6 3A 1B A5 E6 84 5D 4E

Input
The input is the concatenation of the (current, refreshed) values of:

• Amount (Authorized):

00 00 00 01 00 00
• Amount (Other):

00 00 00 00 10 00
• Terminal Country Code:

08 40
• Terminal Verification Results:

00 00 00 10 80
• Transaction Currency Code:

08 40
• Transaction Date:

98 07 04
• Transaction Type:

©2008–2010 MasterCard
19-20 March 2010 • M/Chip Card Application Cryptographic Algorithms
Purchase with Online Authorization
Dynamic CVC3 Generation

00
• Unpredictable Number:

11 11 11 11
• Application Interchange Profile (AIP):

58 00
• Application Transaction Counter:

34 56
• Card Verification Results:

A0 80 03 24 20 00

Concatenation5:

00 00 00 01 00 00 00 00 00 00 10 00 08 40 00 00
00 10 80 08 40 98 07 04 00 11 11 11 11 58 00 34
56 A0 80 03 24 20 00

Output
TC = MAC(SKAC)[Input]:

• For MasterCard proprietary Session Key Derivation

08 95 B1 A3 BD 0D 6B 20
• For Common Session Key derivation

F9 F9 12 12 C0 DF 65 BA

Dynamic CVC3 Generation

This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 Lite 4 1.0 Select 4 1.0 X Lite 4 1.0 X Select 4 1.0 X Payment
2.2 SDA Lite 4 1.1a Select 4 1.1a X Lite 4 X Select 4 X Data Storage
1.1a 1.1a
2.2 DDA Lite 4 1.1b Select 4 1.1b X Lite 4 X Select 4
1.1b 1.1b

5. In this example, the Offline Counters are not included in the generation of the TC (Application Control[2][1] =
‘0b’).

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 19-21
Purchase with Online Authorization
Dynamic CVC3 Generation

Key
The Key KDCVC3:

46 2F C4 16 E0 E9 3D 04 2C D0 B0 07 31 AB 46 37

Input
The IVCVC3TRACK2 is the following:

0D 14

Dynamic CVC3 (CVC3)

• IVCVC3:

0D 14
• UN:

00 00 08 99
• ATC:

00 5E

The concatenation:

0D 14 00 00 08 99 00 5E

Output
X = DES3(KDCVC3)[Input]:

FB BE E2 25 49 C8 90 89

CVC3 = the two least significant bytes of X:

90 89

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 20-i
PIN Change
MasterCard Proprietary Session Key Derivation for PIN Change Script Decryption (Example 1)

MasterCard Proprietary Session Key Derivation for PIN

Change Script Decryption (Example 1)
This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
X Lite 2.1 Lite 4 Select 4 1.0 Lite 4 1.0 Select 4 X Payment
1.0 1.0
X 2.2 SDA Lite 4 Select 4 Lite 4 Select 4 X Data
1.1a 1.1a 1.1a 1.1a Storage
X 2.2 Lite 4 Select 4 Lite 4 Select 4
DDA 1.1b 1.1b 1.1b 1.1b

NOTE
*Variant applicable when the application supports V.2.05, V.2.1 and V.2.2 Host
Backward Compatibility: if Application Control [5][4..2]='001' or if Application
Control [5][4..2]='010'.

Key
The Card Master Key MKSMC for Secure Messaging Confidentiality:

DA 83 49 40 98 92 F2 31 61 52 BF 80 7F 46 B6 23

Input
The RAND value depends on the sequence of script commands in a session

• For the first command in a session, the RAND is the last Application
Cryptogram, in this case the ARQC:

DB C1 E0 B8 20 FF E7 DB
• For all the following script commands in a session, the RAND is incremented
by 1 for each command. For the second script command in this session:

DB C1 E0 B8 20 FF E7 DC

Output
The concatenation of:

• The Triple-DES Encryption of X = “the input with the third byte replaced
by ‘F0’ ”
• The Triple-DES Encryption of Y = “the input with the third byte replaced
by ‘0F’ ”

The computation is described as a 2-block ECB (Electronic Code Book mode)

Encryption of “X||Y”.

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 20-1
PIN Change
MasterCard Proprietary Session Key Derivation for PIN Change Script Decryption (Example 2)

This amounts to:

SKSMC = DES3(MKSMC)[X]||DES3(MKSMC)[Y]:

• For the first command in a session

12 D0 18 C9 BF 81 21 0A 18 4E BA E7 0E 4D D7 A3
• For the second command in a session

CB E7 AB 6E C5 30 A0 37 2C 6E 2C 3C 0E F4 74 94
NOTE
The result can be submitted to parity forcing, like the Card Master Keys. This
is not shown here as this is entirely internal to the ICC, and the computation is
not affected.

MasterCard Proprietary Session Key Derivation for PIN

Change Script Decryption (Example 2)
This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 X Lite 4 X Select 4 1.0 X Lite 4 1.0 X Select 4 X Payment
1.0 1.0
2.2 SDA X Lite 4 X Select 4 X Lite 4 X Select 4 X Data
1.1a 1.1a 1.1a 1.1a Storage
2.2 X Lite 4 X Select 4 X Lite 4 X Select 4
DDA 1.1b 1.1b 1.1b 1.1b

NOTE
*Variant applicable when the application supports V.1.1 and V.1.3 Host Backward
Compatibility: if Application Control [5][4..2]='011'.

Key
The Card Master Key MKSMC for Secure Messaging Confidentiality:

DA 83 49 40 98 92 F2 31 61 52 BF 80 7F 46 B6 23

Input
The RAND value depends on the sequence of script commands in a session

• For the first command in a session, the RAND is the last Application
Cryptogram, in this case the ARQC:

08 95 B1 A3 BD 0D 6B 20
• For all the following script commands in a session, the RAND is incremented
by 1 for each command. For the second script command in this session:

08 95 B1 A3 BD 0D 6B 21

©2008–2010 MasterCard
20-2 March 2010 • M/Chip Card Application Cryptographic Algorithms
PIN Change
EMV2000 Session Key Derivation for PIN Change Script Decryption

Output
The concatenation of:

• The Triple-DES Encryption of X = “the input with the third byte replaced
by ‘F0’ ”
• The Triple-DES Encryption of Y = “the input with the third byte replaced
by ‘0F’ ”

The computation is described as a 2-block ECB (Electronic Code Book mode)

Encryption of “X||Y”.

This amounts to:

SKSMC = DES3(MKSMC)[X]||DES3(MKSMC)[Y]:

• For the first command in a session

6E BB EF 87 8A 8D E9 2E CC DE B1 49 C5 22 15 35
• For the second command in a session

16 CD 6A EE CD 70 12 16 F8 E7 1E B6 DD E9 03 65
NOTE
The result can be submitted to parity forcing, like the Card Master Keys. This
is not shown here as this is entirely internal to the ICC, and the computation is
not affected.

EMV2000 Session Key Derivation for PIN Change Script

Decryption
This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 X Lite 4 X Select 4 1.0 X Lite 4 1.0 X Select 4 Payment
1.0 1.0
2.2 SDA Lite 4 Select 4 Lite 4 Select 4 Data
1.1a 1.1a 1.1a 1.1a Storage
2.2 Lite 4 Select 4 Lite 4 Select 4
DDA 1.1b 1.1b 1.1b 1.1b

Key
The Card Master Key MKSMC for Secure Messaging Confidentiality:

DA 83 49 40 98 92 F2 31 61 52 BF 80 7F 46 B6 23

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 20-3
PIN Change
EMV2000 Session Key Derivation for PIN Change Script Decryption

Input
For all the script commands of a session, the input is the concatenation of:

• The Application Transaction Counter (ATC):

34 56
• The b-ary representation (a0, … , a7) of the ATC is:

(0, 3, 1, 0, 1, 1, 1, 2)

Output
Following the algorithm described in Chapter ICC Key Derivation, the
intermediate results P and GP are:

• Round 0 – GP is MKSMC, P:

94 5E A6 23 DD A4 C1 6F 0E 4F 65 0E 74 DD 04 39
• Round 1 – P:

AD 50 A7 49 E4 E0 B4 ED 75 84 1A 5D 92 D2 6B A3
• Round 2 – P:

62 11 4A E9 98 5E DD DD 80 64 97 6E 1D 8C A0 05
• Round 3 – P:

4F 7C 53 61 FC DF 4E 6E BE A8 DA A8 00 51 ED 60
• Round 4 – P:

5B 04 5D 99 65 47 E0 E9 EC 3E 1F 36 DD E2 3D 73
• Round 5 – P:

6A A3 C4 97 50 42 94 CF A2 D0 35 C4 DD 63 B9 71
• Round 6 – P:

AA D3 91 14 D0 B2 A0 FA EA 8A DC 2D 57 0B F6 3E

The result of the last computation of function Φ(P,GP,a7) is:

1E E6 67 BF FC 54 2D B7 3D BF 53 41 82 18 22 1E

This is bitwise XOR-combined with the GP from round 6 (equals P from round
5):

74 45 A3 28 AC 16 B9 78 9F 6F 66 85 5F 7B 9B 6F

Parity adjustment results in the SKSMC listed above:

75 45 A2 29 AD 16 B9 79 9E 6E 67 85 5E 7A 9B 6E

©2008–2010 MasterCard
20-4 March 2010 • M/Chip Card Application Cryptographic Algorithms
PIN Change
Common Session Key Derivation for PIN Change Script Decryption

Common Session Key Derivation for PIN Change Script

Decryption
This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 Lite 4 1.0 Select 4 1.0 Lite 4 1.0 Select 4 X Payment *

1.0
2.2 SDA Lite 4 Select 4 Lite 4 Select 4 X Data
1.1a 1.1a 1.1a 1.1a Storage *

2.2 DDA X Lite 4 X Select 4 X Lite 4 X Select 4

1.1b 1.1b 1.1b 1.1b

NOTE
*Variant
applicable when the application supports V.1.1 and V.1.3 Host Backward
Compatibility: if Application Control [5][4..2]='011'.

Key
The Card Master Key MKSMC for Secure Messaging Confidentiality:

DA 83 49 40 98 92 F2 31 61 52 BF 80 7F 46 B6 23

Input
For all the script commands of a session, the input is the Application Cryptogram
returned by the first GENERATE AC of the session, in this case the ARQC:

F9 F9 12 12 C0 DF 65 BA

Output
The concatenation of:

• The Triple-DES Encryption of X = “the input with the third byte replaced
by ‘F0’ ”
• The Triple-DES Encryption of Y = “the input with the third byte replaced
by ‘0F’ ”

The computation is described as a 2-block ECB (Electronic Code Book mode)

Encryption of “X||Y”.

This amounts to:

SKSMC = DES3(MKSMC)[X]||DES3(MKSMC)[Y]:

B6 02 B3 17 49 BE 7F EF 61 4E 74 90 44 23 3D 40

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 20-5
PIN Change
PIN Change Script Decryption (Example 1)

NOTE
The result can be submitted to parity forcing, like the Card Master Keys. This
is not shown here as this is entirely internal to the ICC, and the computation is
not affected.

PIN Change Script Decryption (Example 1)

This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
X Lite 2.1 Lite 4 Select 4 1.0 Lite 4 1.0 Select 4 X Payment*
1.0 1.0
X 2.2 SDA Lite 4 Select 4 Lite 4 Select 4 X Data
1.1a 1.1a 1.1a 1.1a Storage*
X 2.2 Lite 4 Select 4 Lite 4 Select 4
DDA 1.1b 1.1b 1.1b 1.1b

NOTE
*Variant applicable when the application supports V.2.0.5, V.2.1 and V.2.2 Host
Backward Compatibility: if Application Control [5][4..2]='001' or if Application
Control [5][4..2]='010'.

Key
The Session Key SKSMC for Secure Messaging Confidentiality as derived above:

• For the first command in a session

12 D0 18 C9 BF 81 21 0A 18 4E BA E7 0E 4D D7 A3
• For the second command in a session

CB E7 AB 6E C5 30 A0 37 2C 6E 2C 3C 0E F4 74 94

Input
The encrypted PIN block:

• For the first command in a session

B5 50 52 CC 98 DE BE E1
• For the second command in a session

AB 53 1A 15 89 EE E4 99

Output
The encrypted PIN block is one block only. The plaintext PIN block is the
Triple-DES decryption of that block:

©2008–2010 MasterCard
20-6 March 2010 • M/Chip Card Application Cryptographic Algorithms
PIN Change
PIN Change Script Decryption (Example 2)

Plaintext PIN block = CBC_DES3-1(SKSMC)[Encrypted PIN block]:

25 12 34 5F FF FF FF FF

The PIN is obtained after removing the padding according to ISO 9564-3:

12345

PIN Change Script Decryption (Example 2)

This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 X Lite 4 1.0 X Select 4 1.0 X Lite 4 1.0 X Select 4 X Payment
1.0
2.2 SDA Lite 4 Select 4 Lite 4 Select 4 X Data
1.1a 1.1a 1.1a 1.1a Storage
2.2 Lite 4 Select 4 Lite 4 Select 4
DDA 1.1b 1.1b 1.1b 1.1b

Key
The Session Key SKSMC for Secure Messaging Confidentiality as derived above:

• For MasterCard proprietary Session Key Derivation

– For the first command in a session

6E BB EF 87 8A 8D E9 2E CC DE B1 49 C5 22 15 35
– For the second command in a session

16 CD 6A EE CD 70 12 16 F8 E7 1E B6 DD E9 03 65
• For EMV2000 Session Key Derivation

75 45 A2 29 AD 16 B9 79 9E 6E 67 85 5E 7A 9B 6E

Input
The encrypted PIN block:

• For MasterCard proprietary Session Key Derivation

– For the first command in a session

82 1E 64 ED 64 55 9A BA
– For the second command in a session

71 B9 B8 2F 3B B9 73 1A
• For EMV2000 Session Key Derivation

E6 AE 30 C8 2C F4 1F CC

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 20-7
PIN Change
PIN Change Script Decryption (Example 3)

Output
The encrypted PIN block is one block only. The plaintext PIN block is the
Triple-DES decryption of that block:

Plaintext PIN block = CBC_DES3-1(SKSMC)[Encrypted PIN block]:

25 12 34 5F FF FF FF FF

The PIN is obtained after removing the padding according to ISO 9564-3:

12345

PIN Change Script Decryption (Example 3)

This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 Lite 4 1.0 Select 4 1.0 Lite 4 1.0 Select 4 X Payment
1.0
2.2 SDA X Lite 4 X Select 4 X Lite 4 X Select 4 X Data
1.1a 1.1a 1.1a 1.1a Storage
2.2 Lite 4 Select 4 Lite 4 Select 4
DDA 1.1b 1.1b 1.1b 1.1b

Key
The Session Key SKSMC for Secure Messaging Confidentiality as derived above:

• For the first command in a session

6E BB EF 87 8A 8D E9 2E CC DE B1 49 C5 22 15 35
• For the second command in a session

16 CD 6A EE CD 70 12 16 F8 E7 1E B6 DD E9 03 65

Input
The encrypted PIN block:

• For the first command in a session

82 1E 64 ED 64 55 9A BA
• For the second command in a session

71 B9 B8 2F 3B B9 73 1A

Output
The encrypted PIN block is one block only. The plaintext PIN block is the
Triple-DES decryption of that block:

©2008–2010 MasterCard
20-8 March 2010 • M/Chip Card Application Cryptographic Algorithms
PIN Change
PIN Change Script Decryption (Example 4)

Plaintext PIN block = CBC_DES3-1(SKSMC)[Encrypted PIN block]:

25 12 34 5F FF FF FF FF

The PIN is obtained after removing the padding according to ISO 9564-3:

12345

PIN Change Script Decryption (Example 4)

This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 Lite 4 1.0 Select 4 1.0 Lite 4 1.0 Select 4 X Payment*
1.0
2.2 SDA Lite 4 Select 4 Lite 4 Select 4 X Data
1.1a 1.1a 1.1a 1.1a Storage*
2.2 X Lite 4 X Select 4 X Lite 4 X Select 4
DDA 1.1b 1.1b 1.1b 1.1b

NOTE
*Variant applicable when the application supports V.1.1 and V.1.3 Host Backward
Compatibility: if Application Control [5][4..2]='011'.

Key
The Session Key SKSMC for Secure Messaging Confidentiality as derived above:

• For MasterCard proprietary Session Key Derivation

– For the first command in a session

6E BB EF 87 8A 8D E9 2E CC DE B1 49 C5 22 15 35
– For the second command in a session

16 CD 6A EE CD 70 12 16 F8 E7 1E B6 DD E9 03 65
• For Common Session Key Derivation

B6 02 B3 17 49 BE 7F EF 61 4E 74 90 44 23 3D 40

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 20-9
PIN Change
MasterCard Proprietary Session Key Derivation for Script MAC (Example 1)

Input
The encrypted PIN block:

• For MasterCard proprietary Session Key Derivation

– For the first command in a session

82 1E 64 ED 64 55 9A BA
– For the second command in a session

71 B9 B8 2F 3B B9 73 1A
• For Common Session Key Derivation

66 B2 C2 79 54 4F 38 5F

Output
The encrypted PIN block is one block only. The plaintext PIN block is the
Triple-DES decryption of that block:

Plaintext PIN block = CBC_DES3-1(SKSMC)[Encrypted PIN block]:

25 12 34 5F FF FF FF FF

The PIN is obtained after removing the padding according to ISO 9564-3:

12345

MasterCard Proprietary Session Key Derivation for Script

MAC (Example 1)
This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
X Lite 2.1 Lite 4 Select 4 1.0 Lite 4 1.0 Select 4 X Payment*
1.0 1.0
X 2.2 SDA Lite 4 Select 4 Lite 4 Select 4 X Data
1.1a 1.1a 1.1a 1.1a Storage*
X 2.2 Lite 4 Select 4 Lite 4 Select 4
DDA 1.1b 1.1b 1.1b 1.1b

NOTE
*Variant applicable when the application supports V.2.05, V.2.1 and V.2.2 Host
Backward Compatibility: if Application Control [5][4..2]='001' or if Application
Control [5][4..2]='010'.

©2008–2010 MasterCard
20-10 March 2010 • M/Chip Card Application Cryptographic Algorithms
PIN Change
MasterCard Proprietary Session Key Derivation for Script MAC (Example 2)

Key
The Card Master Key MKSMI1 for Secure Messaging Integrity:

DA 83 49 40 98 92 F2 31 61 52 BF 80 7F 46 B6 23

Input
The RAND value depends on the sequence of script commands in a session

• For the first command in a session, the RAND is the last Application
Cryptogram, in this case the ARQC:

DB C1 E0 B8 20 FF E7 DB
• For all the following script commands in a session, the RAND is incremented
by 1 for each command. For the second script command in a session:

DB C1 E0 B8 20 FF E7 DC

Output
The concatenation of:

• The Triple-DES Encryption of X = “the input with the third byte replaced
by ‘F0’ ”
• The Triple-DES Encryption of Y = “the input with the third byte replaced
by ‘0F’ ”

The computation is described as a 2-block ECB (Electronic Code Book mode)

Encryption of “X||Y”.

This amounts to:

SKSMI = DES3(MKSMI)[X]||DES3(MKSMI)[Y]:

• For the first command in a session

12 D0 18 C9 BF 81 21 0A 18 4E BA E7 0E 4D D7 A3
• For the second command in a session

MasterCard Proprietary Session Key Derivation for Script

MAC (Example 2)
This topic applies to the following M/Chip Card Applications:

1. For simplification, the MKSMI equal MKSMC in this document

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 20-11
PIN Change
MasterCard Proprietary Session Key Derivation for Script MAC (Example 2)

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 X Lite 4 X Select 4 1.0 X Lite 4 1.0 X Select 4 X Payment*
1.0 1.0
2.2 SDA X Lite 4 X Select 4 X Lite 4 X Select 4 X Data
1.1a 1.1a 1.1a 1.1a Storage*
2.2 X Lite 4 X Select 4 X Lite 4 X Select 4
DDA 1.1b 1.1b 1.1b 1.1b

NOTE
*Variant
applicable when the application supports V.1.1 and V.1.3 Host Backward
Compatibility: if Application Control [5][4..2]='011'.

Key
The Card Master Key MKSMI2 for Secure Messaging Integrity:

DA 83 49 40 98 92 F2 31 61 52 BF 80 7F 46 B6 23

Input
The RAND value depends on the sequence of script commands in a session

• For the first command in a session, the RAND is the last Application
Cryptogram, in this case the ARQC:

08 95 B1 A3 BD 0D 6B 20
• For all the following script commands in a session, the RAND is incremented
by 1 for each command. For the second script command in a session:

08 95 B1 A3 BD 0D 6B 21

Output
The concatenation of:

• The Triple-DES Encryption of X = “the input with the third byte replaced
by ‘F0’ ”
• The Triple-DES Encryption of Y = “the input with the third byte replaced
by ‘0F’ ”

The computation is described as a 2-block ECB (Electronic Code Book mode)

Encryption of “X||Y”.

2. For simplification, the MKSMI equal MKSMC in this document

©2008–2010 MasterCard
20-12 March 2010 • M/Chip Card Application Cryptographic Algorithms
PIN Change
EMV2000 Session Key Derivation for Script MAC

This amounts to:

SKSMI = DES3(MKSMI)[X]||DES3(MKSMI)[Y]:

• For the first command in a session

6E BB EF 87 8A 8D E9 2E CC DE B1 49 C5 22 15 35
• For the second command in a session

EMV2000 Session Key Derivation for Script MAC

This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 X Lite 4 1.0 X Select 4 1.0 X Lite 4 1.0 X Select 4 Payment
1.0
2.2 SDA Lite 4 Select 4 Lite 4 Select 4 Data
1.1a 1.1a 1.1a 1.1a Storage
2.2 Lite 4 Select 4 Lite 4 Select 4
DDA 1.1b 1.1b 1.1b 1.1b

Key
The Card Master Key MKSMI3 for Secure Messaging Integrity:

DA 83 49 40 98 92 F2 31 61 52 BF 80 7F 46 B6 23

Input
For all the script commands of a session, the input is the concatenation of:

• The Application Transaction Counter (ATC):

34 56
• The b-ary representation (a0, … , a7) of the ATC is:

(0, 3, 1, 0, 1, 1, 1, 2)

3. For simplification, the MKSMI equal MKSMC in this document

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 20-13
PIN Change
Common Session Key Derivation for Script MAC

Output
Following the algorithm described in Chapter ICC Key Derivation, the
intermediate results P and GP are:

• Round 0 – GP is MKSMI, P:

94 5E A6 23 DD A4 C1 6F 0E 4F 65 0E 74 DD 04 39
• Round 1 – P:

AD 50 A7 49 E4 E0 B4 ED 75 84 1A 5D 92 D2 6B A3
• Round 2 – P:

62 11 4A E9 98 5E DD DD 80 64 97 6E 1D 8C A0 05
• Round 3 – P:

4F 7C 53 61 FC DF 4E 6E BE A8 DA A8 00 51 ED 60
• Round 4 – P:

5B 04 5D 99 65 47 E0 E9 EC 3E 1F 36 DD E2 3D 73
• Round 5 – P:

6A A3 C4 97 50 42 94 CF A2 D0 35 C4 DD 63 B9 71
• Round 6 – P:

AA D3 91 14 D0 B2 A0 FA EA 8A DC 2D 57 0B F6 3E

The result of the last computation of function Φ(P,GP,a7) is:

1E E6 67 BF FC 54 2D B7 3D BF 53 41 82 18 22 1E

This is bitwise XOR-combined with the GP from round 6 (equals P from round
5):

74 45 A3 28 AC 16 B9 78 9F 6F 66 85 5F 7B 9B 6F

Parity adjustment results in the SKSMI listed above:

75 45 A2 29 AD 16 B9 79 9E 6E 67 85 5E 7A 9B 6E

Common Session Key Derivation for Script MAC

This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 Lite 4 1.0 Select 4 1.0 Lite 4 1.0 Select 4 X Payment *

1.0
2.2 SDA Lite 4 Select 4 Lite 4 Select 4 X Data
1.1a 1.1a 1.1a 1.1a Storage *

2.2 DDA X Lite 4 X Select 4 X Lite 4 X Select 4

1.1b 1.1b 1.1b 1.1b

©2008–2010 MasterCard
20-14 March 2010 • M/Chip Card Application Cryptographic Algorithms
PIN Change
Script MAC Validation (Example 1)

NOTE
*Variant applicable when the application supports V.1.1 and V.1.3 Host Backward
Compatibility: if Application Control [5][4..2]='011'.

Key
The Card Master Key MKSMI for Secure Messaging Integrity:

DA 83 49 40 98 92 F2 31 61 52 BF 80 7F 46 B6 23

Input
For all the script commands of a session, the input is the Application Cryptogram
returned by the first GENERATE AC of the session, in this case the ARQC:

F9 F9 12 12 C0 DF 65 BA

Output
The concatenation of:

• The Triple-DES Encryption of X = “the input with the third byte replaced
by ‘F0’ ”
• The Triple-DES Encryption of Y = “the input with the third byte replaced
by ‘0F’ ”

The computation is described as a 2-block ECB (Electronic Code Book mode)

Encryption of “X||Y”.

This amounts to:

SKSMI = DES3(MKSMI)[X]||DES3(MKSMI)[Y]:

B6 02 B3 17 49 BE 7F EF 61 4E 74 90 44 23 3D 40
NOTE
The result can be submitted to parity forcing, like the Card Master Keys. This
is not shown here as this is entirely internal to the ICC, and the computation is
not affected.

Script MAC Validation (Example 1)

This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
X Lite 2.1 Lite 4 1.0 Select 4 1.0 Lite 4 1.0 Select 4 X Payment*
1.0
X 2.2 SDA Lite 4 Select 4 Lite 4 Select 4 X Data
1.1a 1.1a 1.1a 1.1a Storage*
X 2.2 Lite 4 Select 4 Lite 4 Select 4
DDA 1.1b 1.1b 1.1b 1.1b

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 20-15
PIN Change
Script MAC Validation (Example 1)

NOTE
*Variant applicable when the application supports V.2.05, V.2.1 and V.2.2 Host
Backward Compatibility: if Application Control [5][4..2]='001' or if Application
Control [5][4..2]='010'.

Key
The Session Key SKSMI for Secure Messaging Integrity as derived above:

• For the first command in a session

12 D0 18 C9 BF 81 21 0A 18 4E BA E7 0E 4D D7 A3
• For the second command in a session

CB E7 AB 6E C5 30 A0 37 2C 6E 2C 3C 0E F4 74 94

Input
The complete ICC command:

• For the first command in a session

84 24 00 02 10 B5 50 52 CC 98 DE BE E1 E8 1A 60
D2 7A B0 5F AF
• For the second command in a session

84 24 00 02 10 AB 53 1A 15 89 EE E4 99 06 F7 66
E7 35 31 C4 2E

Output
For Secure Messaging Integrity (MAC validation), the ICC command consists of
the concatenation of:

• The command header (CLA INS P1 P2). For PIN Change, this is:

84 24 00 02 10
• The script data. In this case, the encrypted PIN block (EncData) as received
in the command data:

– For the first command in a session

B5 50 52 CC 98 DE BE E1
– For the second command in a session

AB 53 1A 15 89 EE E4 99
• The ScriptMAC:

– For the first command in a session

E8 1A 60 D2 7A B0 5F AF
– For the second command in a session

06 F7 66 E7 35 31 C4 2E

©2008–2010 MasterCard
20-16 March 2010 • M/Chip Card Application Cryptographic Algorithms
PIN Change
Script MAC Validation (Example 2)

The ScriptMAC is validated by concatenating:

• The command header (CLA INS P1 P2). For PIN Change, this is:

84 24 00 02 10
• The last ATC:

34 57
• The RAND value depends on the sequence of script commands in a session

– For the first script command in a session, the RAND is the last
Application Cryptogram, in this case the ARQC

DB C1 E0 B8 20 FF E7 DB
– For all the following script commands in a session, the RAND is
incremented by 1 for each command. For the second script command
in this session:

DB C1 E0 B8 20 FF E7 DC
• The script data. In this case, the encrypted PIN block (EncData) as received
in the command data:

– For the first command in a session

B5 50 52 CC 98 DE BE E1
– For the second command in a session

AB 53 1A 15 89 EE E4 99

The concatenation:

• For the first command in a session

84 24 00 02 10 34 57 DB C1 E0 B8 20 FF E7 DB B5
50 52 CC 98 DE BE E1
• For the second command in a session

84 24 00 02 10 34 57 DB C1 E0 B8 20 FF E7 DC AB
53 1A 15 89 EE E4 99

ScriptMAC = MAC(SKSMI)[Input]:

• For the first command in a session

E8 1A 60 D2 7A B0 5F AF
• For the second command in a session

06 F7 66 E7 35 31 C4 2E

The MAC is identical to the one contained in the command script.

Script MAC Validation (Example 2)

This topic applies to the following M/Chip Card Applications:

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 20-17
PIN Change
Script MAC Validation (Example 2)

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 X Lite 4 X Select 4 1.0 X Lite 4 1.0 X Select 4 Payment
1.0 1.0
2.2 SDA Lite 4 Select 4 Lite 4 Select 4 Data
1.1a 1.1a 1.1a 1.1a Storage
2.2 Lite 4 Select 4 Lite 4 Select 4
DDA 1.1b 1.1b 1.1b 1.1b

Key
The Session Key SKSMI for Secure Messaging Integrity as derived above:

• For MasterCard proprietary Session Key Derivation

– For the first command in a session

6E BB EF 87 8A 8D E9 2E CC DE B1 49 C5 22 15 35
– For the second command in a session

16 CD 6A EE CD 70 12 16 F8 E7 1E B6 DD E9 03 65
• For EMV2000 Session Key Derivation

75 45 A2 29 AD 16 B9 79 9E 6E 67 85 5E 7A 9B 6E

Input
The complete ICC command:

• For MasterCard proprietary Session Key Derivation

– For the first command in a session

84 24 00 02 10 82 1E 64 ED 64 55 9A BA DC 7F BE
36 5D C8 67 80
– For the second command in a session

84 24 00 02 10 71 B9 B8 2F 3B B9 73 1A 5F 59 4E
2A 99 44 AD 5A
• For EMV2000 Session Key Derivation

– For the first command in a session

84 24 00 02 10 E6 AE 30 C8 2C F4 1F CC 47 86 F5
A1 58 00 61 16
– For the second command in a session

84 24 00 02 10 E6 AE 30 C8 2C F4 1F CC 35 DB 83
E1 08 CF 64 6F

©2008–2010 MasterCard
20-18 March 2010 • M/Chip Card Application Cryptographic Algorithms
PIN Change
Script MAC Validation (Example 2)

Output
For Secure Messaging Integrity (MAC validation), the ICC command consists of
the concatenation of:

• The command header (CLA INS P1 P2). For PIN Change, this is:

84 24 00 02 10
• The script data. In this case, the encrypted PIN block (EncData) as received
in the command data:
For MasterCard proprietary Session Key – For the first command in a session
Derivation
82 1E 64 ED 64 55 9A BA
– For the second command in a
session

71 B9 B8 2F 3B B9 73 1A
For EMV2000 Session Key Derivation E6 AE 30 C8 2C F4 1F CC

• The ScriptMAC:
For MasterCard proprietary Session Key – For the first command in a session
Derivation
DC 7F BE 36 5D C8 67 80
– For the second command in a
session

5F 59 4E 2A 99 44 AD 5A
For EMV2000 Session Key Derivation – For the first command in a session

47 86 F5 A1 58 00 61 16
– For the second command in a
session

35 DB 83 E1 08 CF 64 6F

The ScriptMAC is validated by concatenating:

• The command header (CLA INS P1 P2). For PIN Change, this is:

84 24 00 02 10
• The last ATC:

34 57
• The RAND value depends on the sequence of script commands in a session

– For the first script command in a session, the RAND is the last
Application Cryptogram, in this case the ARQC

08 95 B1 A3 BD 0D 6B 20
– For all the following script commands in a session, the RAND is
incremented by 1 for each command. For the second script command
in this session:

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 20-19
PIN Change
Script MAC Validation (Example 2)

08 95 B1 A3 BD 0D 6B 21
• The script data. In this case, the encrypted PIN block (EncData) as received
in the command data:
For MasterCard proprietary Session Key – For the first command in a session
Derivation
82 1E 64 ED 64 55 9A BA
– For the second command in a
session

71 B9 B8 2F 3B B9 73 1A
For EMV2000 Session Key Derivation E6 AE 30 C8 2C F4 1F CC

The concatenation:

• For MasterCard proprietary Session Key Derivation

– For the first command in a session

84 24 00 02 10 34 57 08 95 B1 A3 BD 0D 6B 20 82
1E 64 ED 64 55 9A BA
– For the second command in a session

84 24 00 02 10 34 57 08 95 B1 A3 BD 0D 6B 21 71
B9 B8 2F 3B B9 73 1A
• For EMV2000 Session Key Derivation

– For the first command in a session

84 24 00 02 10 34 57 08 95 B1 A3 BD 0D 6B 20 E6
AE 30 C8 2C F4 1F CC
– For the second command in a session

84 24 00 02 10 34 57 08 95 B1 A3 BD 0D 6B 21 E6
AE 30 C8 2C F4 1F CC

ScriptMAC = MAC(SKSMI)[Input]:

• For MasterCard proprietary Session Key Derivation

– For the first command in a session

DC 7F BE 36 5D C8 67 80
– For the second command in a session

5F 59 4E 2A 99 44 AD 5A
• For EMV2000 Session Key Derivation

– For the first command in a session

47 86 F5 A1 58 00 61 16
– For the second command in a session

35 DB 83 E1 08 CF 64 6F

©2008–2010 MasterCard
20-20 March 2010 • M/Chip Card Application Cryptographic Algorithms
PIN Change
Script MAC Validation (Example 3)

The MAC is identical to the one contained in the command script.

Script MAC Validation (Example 3)

This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 Lite 4 Select 4 1.0 Lite 4 1.0 Select 4 Payment
1.0 1.0
2.2 SDA X Lite 4 X Select 4 X Lite 4 X Select 4 Data
1.1a 1.1a 1.1a 1.1a Storage
2.2 Lite 4 Select 4 Lite 4 Select 4
DDA 1.1b 1.1b 1.1b 1.1b

Key
The Session Key SKSMI for Secure Messaging Integrity as derived above:

• For the first command in a session

6E BB EF 87 8A 8D E9 2E CC DE B1 49 C5 22 15 35
• For the second command in a session

16 CD 6A EE CD 70 12 16 F8 E7 1E B6 DD E9 03 65

Input
The complete ICC command:

• For the first command in a session

84 24 00 02 10 82 1E 64 ED 64 55 9A BA DC 7F BE
36 5D C8 67 80
• For the second command in a session

84 24 00 02 10 71 B9 B8 2F 3B B9 73 1A 5F 59 4E
2A 99 44 AD 5A

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 20-21
PIN Change
Script MAC Validation (Example 3)

Output
For Secure Messaging Integrity (MAC validation), the ICC command consists of
the concatenation of:

• The command header (CLA INS P1 P2). For PIN Change, this is:

84 24 00 02 10
• The script data. In this case, the encrypted PIN block (EncData) as received
in the command data:

– For the first command in a session

82 1E 64 ED 64 55 9A BA
– For the second command in a session

71 B9 B8 2F 3B B9 73 1A
• The ScriptMAC:

– For the first command in a session

DC 7F BE 36 5D C8 67 80
– For the second command in a session

5F 59 4E 2A 99 44 AD 5A

The ScriptMAC is validated by concatenating:

• The command header (CLA INS P1 P2). For PIN Change, this is:

84 24 00 02 10
• The last ATC:

34 57
• The RAND value depends on the sequence of script commands in a session

– For the first script command in a session, the RAND is the last
Application Cryptogram, in this case the ARQC

08 95 B1 A3 BD 0D 6B 20
– For all the following script commands in a session, the RAND is
incremented by 1 for each command. For the second script command
in this session:

08 95 B1 A3 BD 0D 6B 21
• The script data. In this case, the encrypted PIN block (EncData) as received
in the command data:

– For the first command in a session

82 1E 64 ED 64 55 9A BA
– For the second command in a session

71 B9 B8 2F 3B B9 73 1A

©2008–2010 MasterCard
20-22 March 2010 • M/Chip Card Application Cryptographic Algorithms
PIN Change
Script MAC Validation (Example 4)

The concatenation:

• For the first command in a session

84 24 00 02 10 34 57 08 95 B1 A3 BD 0D 6B 20 82
1E 64 ED 64 55 9A BA
• For the second command in a session

84 24 00 02 10 34 57 08 95 B1 A3 BD 0D 6B 21 71
B9 B8 2F 3B B9 73 1A

ScriptMAC = MAC(SKSMI)[Input]:

• For the first command in a session

DC 7F BE 36 5D C8 67 80
• For the second command in a session

5F 59 4E 2A 99 44 AD 5A

The MAC is identical to the one contained in the command script.

Script MAC Validation (Example 4)

This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 Lite 4 Select 4 1.0 Lite 4 1.0 Select 4 X Payment*
1.0 1.0
2.2 SDA Lite 4 Select 4 Lite 4 Select 4 X Data
1.1a 1.1a 1.1a 1.1a Storage*
2.2 X Lite 4 X Select 4 X Lite 4 X Select 4
DDA 1.1b 1.1b 1.1b 1.1b

NOTE
*Variant applicable when the application supports V.1.1 and V.1.3 Host Backward
Compatibility: if Application Control [5][4..2]='011'.

Key
The Session Key SKSMI for Secure Messaging Integrity as derived above:

• For MasterCard proprietary Session Key Derivation

– For the first command in a session

6E BB EF 87 8A 8D E9 2E CC DE B1 49 C5 22 15 35
– For the second command in a session

16 CD 6A EE CD 70 12 16 F8 E7 1E B6 DD E9 03 65
• For Common Session Key Derivation

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 20-23
PIN Change
Script MAC Validation (Example 4)

B6 02 B3 17 49 BE 7F EF 61 4E 74 90 44 23 3D 40

Input
The complete ICC command:

• For MasterCard proprietary Session Key Derivation

– For the first command in a session

84 24 00 02 10 82 1E 64 ED 64 55 9A BA DC 7F BE
36 5D C8 67 80
– For the second command in a session

84 24 00 02 10 71 B9 B8 2F 3B B9 73 1A 5F 59 4E
2A 99 44 AD 5A
• For Common Session Key Derivation

– For the first command in a session

84 24 00 02 10 66 B2 C2 79 54 4F 38 5F BA 3B 21
A7 86 F9 F0 05
– For the second command in a session

84 24 00 02 10 66 B2 C2 79 54 4F 38 5F 01 15 17
6D 2A D0 9F 5D

Output
For Secure Messaging Integrity (MAC validation), the ICC command consists of
the concatenation of:

• The command header (CLA INS P1 P2). For PIN Change, this is:

71 B9 B8 2F 3B B9 73 1A
For Common Session Key Derivation 66 B2 C2 79 54 4F 38 5F
• The ScriptMAC:
For MasterCard proprietary Session Key – For the first command in a session
Derivation
DC 7F BE 36 5D C8 67 80
– For the second command in a
session

©2008–2010 MasterCard
20-24 March 2010 • M/Chip Card Application Cryptographic Algorithms
PIN Change
Script MAC Validation (Example 4)

5F 59 4E 2A 99 44 AD 5A
For Common Session Key Derivation – For the first command in a session

BA 3B 21 A7 86 F9 F0 05
– For the second command in a
session

01 15 17 6D 2A D0 9F 5D

The ScriptMAC is validated by concatenating:

• The command header (CLA INS P1 P2). For PIN Change, this is:

84 24 00 02 10
• The last ATC:

34 57
• The RAND value depends on the sequence of script commands in a session

– For the first script command in a session, the RAND is the last
Application Cryptogram, in this case the ARQC

08 95 B1 A3 BD 0D 6B 20
– For all the following script commands in a session, the RAND is
incremented by 1 for each command. For the second script command
in this session:

08 95 B1 A3 BD 0D 6B 21
• The script data. In this case, the encrypted PIN block (EncData) as received
in the command data:

For MasterCard proprietary Session Key – For the first command in a session
Derivation
82 1E 64 ED 64 55 9A BA
– For the second command in a
session

71 B9 B8 2F 3B B9 73 1A
For Common Session Key Derivation 66 B2 C2 79 54 4F 38 5F

The concatenation:

• For MasterCard proprietary Session Key Derivation

– For the first command in a session

84 24 00 02 10 34 57 08 95 B1 A3 BD 0D 6B 20 82
1E 64 ED 64 55 9A BA
– For the second command in a session

84 24 00 02 10 34 57 08 95 B1 A3 BD 0D 6B 21 71
B9 B8 2F 3B B9 73 1A

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 20-25
PIN Change
Script MAC Validation (Example 4)

• For Common Session Key Derivation

– For the first command in a session

84 24 00 02 10 34 57 08 95 B1 A3 BD 0D 6B 20 66
B2 C2 79 54 4F 38 5F
– For the second command in a session

84 24 00 02 10 34 57 08 95 B1 A3 BD 0D 6B 21 66
B2 C2 79 54 4F 38 5F

ScriptMAC = MAC(SKSMI)[Input]:

• For MasterCard proprietary Session Key Derivation

– For the first command in a session

DC 7F BE 36 5D C8 67 80
– For the second command in a session

5F 59 4E 2A 99 44 AD 5A
• For Common Session Key Derivation

– For the first command in a session

BA 3B 21 A7 86 F9 F0 05
– For the second command in a session

01 15 17 6D 2A D0 9F 5D

The MAC is identical to the one contained in the command script.

©2008–2010 MasterCard
20-26 March 2010 • M/Chip Card Application Cryptographic Algorithms
Chapter 21 Dynamic Data Authentication

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 21-i
Dynamic Data Authentication
Generation of the ICC Dynamic Number

Generation of the ICC Dynamic Number

This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 Lite 4 1.0 X Select 4 1.0 Lite 4 1.0 X Select 4 X Payment*
1.0
2.2 SDA Lite 4 X Select 4 Lite 4 X Select 4 X Data
1.1a 1.1a 1.1a 1.1a Storage*
2.2 Lite 4 X Select 4 Lite 4 X Select 4
DDA 1.1b 1.1b 1.1b 1.1b

NOTE
*Variant
applicable when the application supports V.1.1 and V.1.3 Host Backward
Compatibility: if Application Control[5][4..2]='011'.

Key
The card Master Key MKIDN for ICC Dynamic Number Generation:

08 A1 04 5E 86 2F 1F EF 31 2A 8C AE D5 80 9D AE

Input
The concatenation of:

• The Application Transaction Counter (ATC):

12 34
• Six zero bytes:

00 00 00 00 00 00

Concatenation:

12 34 00 00 00 00 00 00

Output
The Triple-DES encryption of the input:

IDN = DES3(MKIDN)[Input]

56 D3 96 58 A2 EE D9 B1

Generation of the Signed Dynamic Application Data

This topic applies to the following M/Chip Card Applications:

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 21-1
Dynamic Data Authentication
Generation of the Signed Dynamic Application Data

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite Lite 4 X Select 4 Lite 4 X Select 4 X Payment*
2.1 1.0 1.0 1.0 1.0
2.2 Lite 4 X Select 4 Lite 4 X Select 4 X Data
SDA 1.1a 1.1a 1.1a 1.1a Storage*
2.2 Lite 4 X Select 4 Lite 4 X Select 4
DDA 1.1b 1.1b 1.1b 1.1b

NOTE
*Variant applicable when the application supports V.1.1 and V.1.3 Host Backward
Compatibility: if Application Control[5][4..2]='011'.

ICC Private Key

The ICC Private Key, given in “standard” format:

Modulus:

A2 BC C5 CE BA C3 19 6B 7E 93 3B 1A 46 66 A6 7D
ED 64 2B A3 CE 89 5C 31 8A 3D FC 12 65 B3 B9 CF
FC 12 FD E5 16 8E 84 19 06 50 E1 74 17 EC 8B 04
A4 E9 85 E0 D4 E1 AF 4B 76 08 4F 44 A1 F2 7F E8
65 E5 FA B2 07 AA 71 52 37 A6 D1 F7 BA CF 1E 2D
DF FB 5A F2 40 00 93 58 4A FA F0 7D FC 73 F8 6C
94 E6 2C 2C FF 44 3D 90 87 EF C1 90 A8 68 24 5C
06 40 0E 06 A3 D2 0B 1C D5 D0 AB 86 CF 88 1B 81
39 DD 50 BD 06 35 12 41 12 A4 93 37 1C 88 9C 53
51 3C D5 CE 3F E3 7B B7 A2 0A AA 97 90 29 08 10
73 F2 31 1A 0C 0E 1D A9 AC 8E B3 45 AB 81 0D 8B

Private Exponent d:

0A D9 62 85 3F A6 9B 4B 6E D6 9D 8A 48 F5 C6 D5
31 F5 9C 82 63 1A 39 58 A2 D0 EE AB E4 A5 94 EB
BB 78 BB 97 CE 4D C4 8A 33 9E FD F6 AC 42 F8 33
82 75 F7 DB C9 EC E9 8D 90 66 F4 37 C6 87 A2 20
8F 53 99 3F 11 93 E5 6B E1 93 A7 99 0C 74 35 36
42 21 D2 DC F3 33 3D 05 C7 A4 65 30 4C 34 96 96
14 DD 4D C9 7B 2D 8B 70 63 7D A2 C3 DA CD 6F EE
FB 05 13 3B 7F E2 C3 54 FA 75 CF 1C 02 69 A4 73
E2 EB BC CE 4E 9F 4B 1A BF FC 57 75 E6 28 E4 C5
21 94 9C 1D 15 DC AB 95 FF C0 11 64 76 18 C4 6C
06 34 98 31 FD 11 60 8F A5 D8 DD DB 8F 56 0D B3

The same ICC Private Key, given in the commonly used “Chinese Remainder
Theorem” format:

©2008–2010 MasterCard
21-2 March 2010 • M/Chip Card Application Cryptographic Algorithms
Dynamic Data Authentication
Generation of the Signed Dynamic Application Data

The prime p:

C7 0E 73 F0 30 3C C8 83 21 C3 60 AA 7E 57 13 A7
81 B8 80 72 16 16 AA D4 09 A5 5E 7C D8 77 75 F9
52 2C F6 03 51 8B 29 C8 D1 72 6C 2D 1E 00 20 54
98 AA 6C 77 A5 F6 84 70 5D 72 79 BB B4 A5 08 21
8C ED 4F 3D A5 CF 6F 78 AA EE 1D 0E 79 79 00 73
67 CC 99 02 23 A2 C8 25

The exponent used modulo p (this is the private exponent d reduced modulo
p–1):

84 B4 4D 4A CA D3 30 57 6B D7 95 C6 FE E4 B7 C5
01 25 AA F6 B9 64 71 E2 B1 18 E9 A8 90 4F A3 FB
8C 1D F9 57 8B B2 1B DB 36 4C 48 1E 14 00 15 8D
BB 1C 48 4F C3 F9 AD A0 3E 4C 51 27 CD C3 5A C1
08 9E 34 D3 C3 DF 9F A5 C7 49 68 B4 50 FB 55 A2
45 33 10 AC 17 C1 DA C3

The prime q:

D1 4A 8E B9 55 22 5D 1E 3A 2B 3C B4 49 41 FE 53
31 DA B7 A4 C0 47 EA 87 47 4E 8F 0D 4D 11 23 28
D6 BC 92 DF 59 CC 4E EE 1C 9A D4 79 4C DF 8B 5B
3A 31 06 D6 FA 2C B0 55 FC 15 36 5E 43 50 65 CC
18 DC 56 76 FE E6 16 43 6B EF 29 1D BE 90 74 CB
8D 0D 1A 66 21 D3 77 EF

The exponent used modulo q (this is the private exponent d reduced modulo
q–1):

8B 87 09 D0 E3 6C 3E 14 26 C7 7D CD 86 2B FE E2
21 3C 7A 6D D5 85 47 04 DA 34 5F 5E 33 60 C2 1B
39 D3 0C 94 E6 88 34 9E BD BC 8D A6 33 3F B2 3C
D1 76 04 8F 51 73 20 39 52 B8 CE E9 82 35 99 32
BB 3D 8E F9 FF 44 0E D7 9D 4A 1B 69 29 B5 A3 32
5E 08 BC 44 16 8C FA 9F

The inverse of q modulo p:

44 8B EF 26 9A AB 94 68 F9 C2 F5 C2 36 70 11 3E
C0 B7 1A 4D F3 F6 98 BF A4 81 BF 3E C2 C3 6F 1B
41 02 FD 42 B0 EB FD AF FC 29 E4 24 62 35 8B B8
3B A2 E9 73 C2 49 50 37 A7 C3 02 12 05 79 7E 49
9C 15 DF E4 11 91 53 5E D1 7E 23 DF 41 4C 71 C6
60 A5 07 B4 E2 1D 8D E3

The inverse of p modulo q:

89 38 5E C5 94 CE 7E 58 57 DE C3 A8 98 1D B8 B8
C4 FE 69 3F B4 5A 38 49 47 1B 01 EA 20 B1 DB CB
CD 70 D5 34 51 A4 C4 43 FC E1 AA 71 49 42 91 DA
D2 B8 09 59 A9 B9 63 AC B8 64 BF DF 69 31 15 5B
3C 81 F0 C9 72 2E E1 F6 D0 FB 43 FD F8 44 CC 08
85 34 03 1B 03 32 B5 73

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 21-3
Dynamic Data Authentication
Generation of the Signed Dynamic Application Data

NOTE
Typically, only one of the inverses given here is used.

ICC Public Key

The ICC Public Key corresponding to the above ICC Private Key:

Modulus:

Exponent:

03
NOTE
The ICC Public Key is used only for DDA verification.

©2008–2010 MasterCard
21-4 March 2010 • M/Chip Card Application Cryptographic Algorithms
Dynamic Data Authentication
Generation of the Signed Dynamic Application Data

Input
The Dynamic Application Data to be signed. It is the concatenation of:

• Signed Data Format:

05
• Hash Algorithm Indicator (SHA-1):

01
• ICC Dynamic Data Length:

09
• ICC Dynamic Data (the randomly generated ICC Dynamic Number IDN,
preceded by its length on one byte ‘08’):

08 56 D3 96 58 A2 EE D9 B1
• Pad Pattern (176–34 = 142 bytes, as the ICC Public Key Modulus is 176
bytes long):

BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB
• Terminal Dynamic Data, which is the concatenation of the values of the
data elements indicated in the DDOL:
Unpredictable Number:

A0 B1 C2 D3

Therefore, the Dynamic Application Data to be Signed (i.e. input to the SHA-1
hash algorithm) equals:

05 01 09 08 56 D3 96 58 A2 EE D9 B1 BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB A0 B1 C2 D3

the SHA-1 result of which is:

8E 8A 2B F6 0D E6 B9 A3 19 38 FA 8E F4 A4 11 B4
AB 1A 53 18

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 21-5
Dynamic Data Authentication
Generation of the Signed Dynamic Application Data

Signature Generation
First, concatenate:

• The header byte:

6A
• The leftmost 80–22 = 58 bytes of the message (the Dynamic Application
Data):

8E 8A 2B F6 0D E6 B9 A3 19 38 FA 8E F4 A4 11 B4
AB 1A 53 18
• And the trailer byte:

This results in the Input:

6A 05 01 09 08 56 D3 96 58 A2 EE D9 B1 BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB 8E 8A 2B F6 0D
E6 B9 A3 19 38 FA 8E F4 A4 11 B4 AB 1A 53 18 BC

Apply the RSA private transformation to this, i.e. raise it to the power ‘d’
modulo the ICC Public Key Modulus. This can be done using the standard
representation or CRT representation. This is outside the scope of this
document. The Signed Dynamic Application Data equals:

©2008–2010 MasterCard
21-6 March 2010 • M/Chip Card Application Cryptographic Algorithms
Dynamic Data Authentication
Generation of the Signed Dynamic Application Data

SDAD = (Input)d mod (ICC Public Key Modulus):

0E 3E 5F 59 62 F0 04 74 85 CE 92 B9 6F 52 C9 8B
39 A1 DC F7 28 AE E8 BA D4 6C E5 2E 91 03 FB A7
2D 63 01 50 5F 2D 66 0F E8 78 5B 68 72 02 92 B6
8C 92 0B 50 8C 8D A9 DA 0B E3 52 01 CD BB C9 FA
DF 65 7D E8 98 89 70 2C 87 44 8D 27 2F 66 2B D6
33 75 E1 5D 4A F1 89 99 0B 81 FB E3 8B 40 44 92
99 BB 1C 2E DD 8C E5 C3 EA 18 BC 03 E6 C8 66 41
71 96 1C 0E 75 47 CB 3B 55 3C 66 81 2A 54 4B AA
43 92 C6 AE 23 16 F2 69 1C 7F 6D D3 B6 8E BC A4
FC 77 AB F8 E7 2B CF 85 69 45 7B 83 4C 52 3D A3
EC 56 2E 7B DD 57 8E 21 88 7F D1 72 DB 7D 12 9B

This concludes the ICC computations for Dynamic Data Authentication. The
following sections deal with the terminal verification of the SDAD.

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 21-7
Chapter 22 Combined DDA / AC Generation

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 22-i
Combined DDA / AC Generation
GENERATE AC Command

GENERATE AC Command
This topic applies to the following M/Chip Card Applications:

NOTE
*Variant applicable when the application supports V.1.1 and V.1.3 Host Backward
Compatibility: if Application Control[5][4..2]='011'.

The content of the first GENERATE AC command is follows:

CLA INS P1 P2 Lc Data Le

80 AE 50 00 2B 00000000029900000000000000560000 00
00000009780604010011223344220000
0000000000000000010002

The CDOL1 Related Data is:

• Amount Authorized is ‘000000000299’

• Amount Other is ‘000000000000’ (no cashback)
• Terminal Country Code is ‘0056’ (Belgium)
• Terminal Verification Results is ‘0000000000’
• Transaction Currency Code is ‘0978’ (Euro)
• Transaction Date is ‘010607’ (7 June, 2001)
• Transaction Type is ‘00’ (Goods and Services)
• Unpredictable Number is ‘11223344’
• Terminal Type is ‘22’ (Merchant terminal, offline with online capability)
• DAC is ‘0000’ (not filled because SDA not performed)
• IDN is ‘0000000000000000’ (not filled because DDA not returned)
• CVM result is ‘010002’ (offline plaintext PIN verification successfully
performed)
NOTE
This example supposes the issuer did not define any CDOL1 extension during
the ICC personalization.

SDAD Computation
This topic applies to the following M/Chip Card Applications:

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 22-1
Combined DDA / AC Generation
SDAD Computation

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 Lite 4 X Select 4 1.0 Lite 4 1.0 X Select 4 X Payment*
1.0 1.0
2.2 SDA Lite 4 X Select 4 Lite 4 X Select 4 X Data
1.1a 1.1a 1.1a 1.1a Storage*
2.2 Lite 4 X Select 4 Lite 4 X Select 4
DDA 1.1b 1.1b 1.1b 1.1b

NOTE
*Variant applicable when the application supports V.1.1 and V.1.3 Host Backward
Compatibility: if Application Control[5][4..2]='011'.

TC, Encrypted Counters, IAD and Transaction Data Hash

Code
Before the ICC can generate the SDAD, the Transaction Certificate (TC) and the
Transaction Data Hash Code must be calculated as follows:

• The TC is computed by applying the MAC algorithm defined in

Cryptographic Algorithms to the following input data:

– Values of the first 8 data elements identified in CDOL1

00 00 00 00 02 99 00 00 00 00 00 00 00 56 00 00
00 00 00 09 78 01 06 07 00 11 22 33 44
– Application Interchange Profile

79 00
– Application Transaction Counter

00 02
– Card Verification Results

90 40 03 23 00 00
The concatenation:

00 00 00 00 02 99 00 00 00 00 00 00 00 56 00 00
00 00 00 09 78 01 06 07 00 11 22 33 44|79 00|00
02|90 40 03 23 00 00
using key SKAC

EF 4F C8 E6 19 2F 91 6B 08 8F 85 C1 85 02 54 49
to obtain the TC = MAC(SKAC)[input]

04 FC BE 25 FE EA BD 0C
NOTE
A session key is derived and an ‘80’ padding byte is appended to the input
data as part of this process.

©2008–2010 MasterCard
22-2 March 2010 • M/Chip Card Application Cryptographic Algorithms
Combined DDA / AC Generation
SDAD Computation

• The encrypted counters are computed by applying Triple-DES encryption to

input comprising of plaintext counters (COTA=’000000000498’, COTN=’00’)
appended with ‘FF’:

00 00 00 00 04 98 00 FF
and using the session key SK constructed by XOR’ing the SKAC with:

59 00 00 00 00 00 00 00 95 00 00 00 00 00 00 00
returning the SK value:

B6 4F C8 E6 19 2F 91 6B 9D 8F 85 C1 85 02 54 49
The encrypted counters are then computed as DES3(SK)[Input] =

84 E3 AC 20 74 2D C3 66
• Construct the IAD from:

Key Derivation Index (determined by 01

issuer)
Cryptogram Version Number (EMV 12
session key, no counters in AC
computation)
Card Verification Result (CVR) 90 40 03 23 00 00
– TC generated
– Combined AC generated at first
Generate AC
– PTC = ‘03’
– No successful Offline PIN
verification performed
– Domestic Transaction
– Terminal Erroneously Considers
Offline PIN OK
IDN (2 leftmost significant bytes). The 00 00
IDN obtained from the terminal is null
because the DDA/CDA signature is yet
to be verified by terminal
Encrypted counters 84 E3 AC 20 74 2D C3 66

• The Transaction Data Hash Code is computed by applying the SHA-1 hash
algorithm to input data consisting of all the values identified in CDOL1 and
the TLV data, contained in the response to the GENERATE AC command,
with the exception of the SDAD (see details in Generate AC Response):

00 00 00 00 02 99 00 00 00 00 00 00 00 56 00 00
00 00 00 09 78 01 06 07 00 11 22 33 44 22 00 00
00 00 00 00 00 00 00 00 01 00 02|9F 27 01 40|9F
36 02 00 02|9F 10 12 01 12 90 40 03 23 00 00 00
00 84 E3 AC 20 74 2D C3 66
The Transaction Data Hash Code is equal to SHA-1[input] =

D1 37 03 30 56 A4 08 8C F4 FF C8 0D C0 44 5A 60
D3 FA 0A D9

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 22-3
Combined DDA / AC Generation
SDAD Computation

Computation of IDN
The ICC must compute the ICC Dynamic Number (IDN) for inclusion in the
recoverable part of the CDA signature. The IDN is the 8-byte quantity derived
by the card using Triple-DES (ECB) encryption as defined in Cryptographic
Algorithms. See the worked example for DDA for an example of IDN
computation (ICC Dynamic Number Generation Process). In this case the IDN
happens to be equal to:

E7 3A C4 64 CA 63 9D 58
NOTE
When the first GENERATE AC command is sent by the terminal during CDA
generation, the IDN has not yet been obtained from the ICC. The IDN data field
therefore displays the default value ’00 00 00 00 00 00 00 00’ when CDOL1
identifies IDN. This default value is then included in the Transaction Data Hash
Code.

©2008–2010 MasterCard
22-4 March 2010 • M/Chip Card Application Cryptographic Algorithms
Combined DDA / AC Generation
SDAD Computation

Computation of SDAD Hash

The Dynamic Application Data to be Signed (i.e. input to the SDAD hash) is
the concatenation of:

• Signed Data Format:

05
• Hash Algorithm Indicator (SHA-1):

01
• ICC Dynamic Data Length:

26
• ICC Dynamic Data:

– The ICC Dynamic Number IDN as computed above, preceded by its

length on one byte ‘08’):

08 E7 3A C4 64 CA 63 9D 58
– CID:

40
– TC:

04 FC BE 25 FE EA BD 0C
– Transaction Data Hash Code:

D1 37 03 30 56 A4 08 8C F4 FF C8 0D C0 44 5A 60
D3 FA 0A D9
• Pad Pattern (176–63 = 113 bytes, as the example ICC Public Key Modulus is
176 bytes long):

BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB
• Terminal Dynamic Data, which is the concatenation of the values of the
data elements indicated in the DDOL:
Unpredictable Number:

11 22 33 44

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 22-5
Combined DDA / AC Generation
SDAD Computation

Thus the Dynamic Data to be signed (i.e. input to hash algorithm) is equal to:

05|01|26|08 E7 3A C4 64 CA 63 9D 58|40|04 FC BE
25 FE EA BD 0C|D1 37 03 30 56 A4 08 8C F4 FF C8
0D C0 44 5A 60 D3 FA 0A D9|BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB|11 22 33 44

and the SDAD_Hash is equal to SHA-1[input] =

B4 4C 05 03 DB 57 8E D6 0A FA 0E 78 26 15 14 6E
F5 59 E7 C5

Signature Generation
All but the Terminal Dynamic Data is recoverable from the signature thus the
input to the Sign() function is constructed as follows.

First, concatenate:

• The header byte:

6A
• The leftmost 176–22 = 154 bytes of the message (the Dynamic Application
Data):

05 01 26 08 E7 3A C4 64 CA 63 9D 58 40 04 FC BE
25 FE EA BD 0C D1 37 03 30 56 A4 08 8C F4 FF C8
0D C0 44 5A 60 D3 FA 0A D9 BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB
(we need 176–22 bytes, as the ICC Public Key Modulus is 176 bytes long).
• The result of application of the Hash Algorithm (SHA-1) to the complete
message:

B4 4C 05 03 DB 57 8E D6 0A FA 0E 78 26 15 14 6E
F5 59 E7 C5
• and the trailer byte

©2008–2010 MasterCard
22-6 March 2010 • M/Chip Card Application Cryptographic Algorithms
Combined DDA / AC Generation
GENERATE AC Response

This results in the input:

6A 05 01 26 08 E7 3A C4 64 CA 63 9D 58 40 04 FC
BE 25 FE EA BD 0C D1 37 03 30 56 A4 08 8C F4 FF
C8 0D C0 44 5A 60 D3 FA 0A D9 BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB
BB BB BB BB BB BB BB BB BB BB BB B4 4C 05 03 DB
57 8E D6 0A FA 0E 78 26 15 14 6E F5 59 E7 C5 BC

Apply the RSA private transformation Sign() to this result, i.e. raise it to the
power ‘d’ modulo the ICC Public Key Modulus. This can be done using the
standard representation or CRT representation. This is outside the scope of this
manual. Using the ICC Private Key and ICC Public Key Modulus defined in the
previous section, the Signed Dynamic Application Data equals:

SDAD = (Input)d mod (ICC Public Key Modulus):

79 ED 26 F1 30 58 3C C2 86 63 FD 68 AD 8D F8 D9
CE 36 78 C5 FB AF BE C4 F7 BF A6 63 58 84 B2 E3
6B 72 38 B3 51 D4 95 D2 ED BD D2 F3 EB 00 29 3B
A1 56 86 B2 07 F5 BE 84 56 3F 48 79 2B 25 7B 4C
F9 94 48 92 8A C8 03 16 F7 5D 7A 78 21 46 28 2B
BF B7 20 2C 36 6D 2D ED 1E 48 6A B5 AF E7 D7 E8
43 E4 0E A8 5C 51 5D DB 61 16 34 41 17 10 20 5F
EC 02 E0 11 3F A4 13 98 DC 4E 09 EC 82 BD 38 A0
4A 7E 99 23 9C B1 76 94 6E A8 C6 9C C7 C2 1E 75
B6 E3 CC AA 2F 76 E2 E3 57 CE AF E0 3C CB 2F B0
04 CF EC 97 34 67 4D 6D 3A 22 F5 1F B4 9B 6E 4D

GENERATE AC Response
This topic applies to the following M/Chip Card Applications:

M/Chip
M/Chip 2 M/Chip 4 PayPass M/Chip 4 Advance
Lite 2.1 Lite 4 1.0 Select 4 1.0 X Lite 4 1.0 X Select 4 X Payment*
1.0
2.2 SDA Lite 4 Select 4 X Lite 4 X Select 4 X Data
1.1a 1.1a 1.1a 1.1a Storage*
2.2 Lite 4 Select 4 X Lite 4 X Select 4
DDA 1.1b 1.1b 1.1b 1.1b

NOTE
*Variant
applicable when the application supports V.1.1 and V.1.3 Host Backward
Compatibility: if Application Control[5][4..2]='011'.

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 22-7
Combined DDA / AC Generation
GENERATE AC Response

The content of the GENERATE AC response is the following:

where the:

• CID refers to a TC:

40
• ATC is:

00 02
• SDAD is:

©2008–2010 MasterCard
22-8 March 2010 • M/Chip Card Application Cryptographic Algorithms
Chapter 23 Offline Enciphered PIN Decription

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 23-i
Offline Enciphered PIN Decription
Offline Enciphered PIN Decryption Details

Offline Enciphered PIN Decryption Details

This topic applies to the following M/Chip Card Applications:

NOTE
*Variant applicable when the application supports V.1.1 and V.1.3 Host Backward
Compatibility: if Application Control[5][4..2]='011'.

ICC PIN Encipherment Public Key

There are two possibilities for the ICC PIN Encipherment Public Key:

1. It is the same key as the ICC Public Key used for Dynamic Data
Authentication. In this case, the same ICC Public Key Certificate is used
as well.
2. It is a specific key, uniquely used for PIN Encipherment. The ICC PIN
Encipherment Public Key Certificate has a slightly different format than the
ICC Public Key Certificate. The Static Data to be authenticated is omitted.

ICC PIN Encipherment Private Key

The ICC PIN Encipherment Private Key, given in the form of modulus and
exponent

Modulus:

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 23-1
Offline Enciphered PIN Decription
Offline Enciphered PIN Decryption Details

Private Exponent d:

PIN Decryption
The Encipher PIN Data:

39 97 F6 15 E6 05 20 41 D4 C7 00 96 3B 78 A4 B3
B2 68 53 29 7F A9 D4 93 81 38 86 A9 42 76 12 2C
13 41 DB 19 95 76 32 C7 AA 0A B2 8B D5 BF 89 F7
C9 80 65 BD 7C E0 30 7A 64 1F 7D D5 13 FC 52 ED
1D FB 9D 82 0A B4 F4 F2 43 B9 D5 AF 26 24 61 16
1D 8A 1B 79 CA B8 AC 99 1A F9 09 D8 28 DA 6A CC
A2 40 C3 2A 38 B0 E6 35 83 35 1F 5C A5 0F 39 27
BE 6A ED 9E A0 D5 3F 2C 4A F2 D9 A6 38 B8 DD 28
AF A8 02 7F BD 36 63 26 56 87 81 6A DD 82 C7 81
EF 81 CF B1 2B 30 35 7D FD 31 E5 A0 6C A3 7C FA
29 E2 75 74 AB E2 DC ED 46 9B 87 F0 53 3F 8B B8

is submitted to the RSA Sign() function:

X = (EncPINData)d mod (ICC PIN Encipherment Public Key Modulus).

This results in:

7F|25 12 34 5F FF FF FF FF|1A 2B 3C 4D 5E 6F 70
81|FC 02 7D 70 F1 28 4A 48 41 08 48 28 80 20 B8
25 F5 3D F1 54 B7 32 9C B0 24 3A 6E 5A D2 16 F2
E1 02 B5 1D 41 2F 2D 44 43 6C 18 04 7B BC AD CF
C1 96 D9 A8 BC AC 80 9F 1E BF 5C 3F 1A 1D DC E4
6D 37 07 F8 4D F6 76 BE A4 0A FD CE 50 E9 9A 6B
03 F7 7B 32 28 48 3B 25 1A A0 61 54 A6 2A A1 77
03 6B 27 80 AC 95 BC 05 B2 D8 7B A9 81 07 76 93
A9 30 9B D0 06 47 44 8A 77 94 F2 E5 96 39 D6 6C
06 0E B2 3C F8 96 41 F9 40 43 24 87 CD EA 18 B7
10 34 75 75 C4 28 00 8B 52 BF 9F 61 FF C9 F2 49
(Separators ‘|’ are inserted to ease parsing).

The recovered data header is the first field:

The ICC Unpredictable Number is the third field:

1A 2B 3C 4D 5E 6F 70 81

©2008–2010 MasterCard
23-2 March 2010 • M/Chip Card Application Cryptographic Algorithms
Offline Enciphered PIN Decription
Offline Enciphered PIN Decryption Details

and is equal to the value provided in answer to the previous GET CHALLENGE.

The PIN is retrieved from the PIN block, which is the second field:

25 12 34 5F FF FF FF FF

which encodes a PIN:

12345

This PIN is then compared by the ICC to the Reference PIN value stored in
the ICC.

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 24-i
Data Storage
Data Storage Details

Data Storage Details

This section illustrates the cryptographic functions required to store data on an
ICC, specifically:

• The Summary function

• The Digest function

These functions rely on the Partial Key Computation function.

OWHF1 Function
This topic applies to the following M/Chip Card Applications:

Key
The DSPK key is as follows:

16 18 20 28 2A 2C 2C 2E
30 42 44 46

Input
For the OWHF1 function, the input consists of:

• DS Summary 1:

12 23 34 45 56 67 78 89
• Amount, Authorized (numeric):

00 00 00 00 12 34
• Transaction Currency Code:

08 40
• Reference Control Parameter:

80
• First/Second Generate AC Indicator:

01
• DS Unpredictable Number:

11 22 33 44

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 24-1
Data Storage
Data Storage Details

• Unpredictable Number:

55 66 77 88

Output
For the OWHF1 function, the output is computed as follows:

• The 2-byte A is formed by concatenating the 2 leftmost bits from Reference

Control Parameter, the 2 rightmost bits from First/Second Generate AC
Indicator and the 12 rightmost bits from Transaction Currency Code

98 40
• Construct X1 as DS Summary 1 Å (Amount, Authorised (Numeric) || DS
Unpredictable Number [3..4])

12 23 34 45 44 53 4B CD
• Construct X2 as A || Unpredictable Number || DS Unpredictable Number
[1..2]

98 40 11 22 33 44 11 22
• Generate the three temporary DES keys K1, K2 and K3
K1 is Concatenation of the 6 first bytes of DSPK and the first 2 bytes of
DS Unpredictable Number:

16 18 20 28 2A 2C 11 22
K2 is Concatenation of the 6 last bytes of DSPK and the last 2 bytes of DS
Unpredictable Number:

2C 2E 30 42 44 46 33 44
K3 = DES(KL1)[X1] Å X1

90 3C 16 E0 2B 71 5F 95
• The result R = X1 Å X2 Å DES(KL3)[DES-1(K2)[DES(K3)[X2]]

EF AE 11 92 03 64 ED 60

OWHF2 Function
This topic applies to the following M/Chip Card Applications:

©2008–2010 MasterCard
24-2 March 2010 • M/Chip Card Application Cryptographic Algorithms
Data Storage
Data Storage Details

Key
The DSPK key is as follows:

16 18 20 28 2A 2C 2C 2E
30 42 44 46

Input
For the OWHF2 function, the input consists of:

• DS Input T:

12 23 34 45 56 67 78 89
• DS Requested Operator ID:

81 99 82 99 83 99 84 99

Output
For the OWHF2 function, the output is computed as follows:

• Generate the two temporary DES keys K1 and K2

K1 is Concatenation of the 6 first bytes of DSPK and bytes 5 and 6 of DS
Requested Operator ID:

16 18 20 28 2A 2C 83 99
K2 is Concatenation of the 6 last bytes of DSPK and bytes 7 and 8 of DS
Requested Operator ID:

2C 2E 30 42 44 46 84 99
• Generate X = DS Input T Å DS Requested Operator ID:

93 BA B6 DC D5 FE FC 10
• The result R = DS Input T Å DES(K1)[DES-1(K2)[DES(K1)[X]]

84 7D F9 B8 7A 9D CB DE

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 24-3
Appendix A Reference Information

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 A-i
Reference Information
Using this Document

Using this Document

Purpose
The MasterCard M/Chip Card Application Cryptographic Algorithms manual
specifies the cryptographic algorithms supported by the M/Chip family of
payment applications. The following table accompanies each topic, showing
which applications it is applicable to (X). If a topic applies to all applications,
there is no table. This example indicates that the information only applies
to M/Chip cards implementing the three versions of M/Chip cryptographic
algorithms.

M/Chip 2 M/Chip 4 PayPass M/Chip 4 M/Chip Advance

X Lite 2.1 Lite 4 Select Lite 4 1.0 Select Payment
1.0 4 1.0 4 1.0
X 2.2 Lite 4 Select Lite 4 Select Data Storage
SDA 1.1a 4 1.1a 4 1.1a
1.1a
X 2.2 Lite 4 Select Lite 4 Select
DDA 1.1b 4 1.1b 4 1.1b
1.1b

M/Chip AdvanceTM supports legacy compatibility with previous versions of

M/Chip 2, M/Chip 4 and PayPass M/Chip 4. Therefore, all the cryptographic
algorithms of M/Chip 2, M/Chip 4 and PayPass M/Chip 4 must be implemented
in M/Chip Advance cards. The effective cryptographic algorithm used by the
card for computation depends on the personalization of the device as coded in
the Application Control. In case of a M/Chip Advance application, details are
given in the M/Chip Advance variants.

Contents
This manual describes how to implement cryptography in order to support
M/Chip specifications for EMV transactions and for post-issuance card
administration. It describes the security features to support the applications
defined in the following manuals:

• M/Chip 4 Version 1.1 Card Application Specifications for Debit and Credit
• M/Chip 4 Version 1.0 Card Application Specifications for Debit and Credit
• M/Chip Lite 2.1, July 2003
• M/Chip 2.2 Card Application Specification
• MasterCard PayPass Magnetic Stripe Technical Specification Version 3.3
December 2007
• MasterCard PayPass M/Chip 4 Technical Specification Version 1.3.1
September 2008
• M/Chip Advance Card Application Specification-Payment, Version 1.0,
November 2009
• M/Chip Advance Card Application Specification-Payment & Data Storage,
Version 1.0, November 2009

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 A-1
Reference Information
Using this Document

Scope
It is not the purpose of this manual to cover all cryptographic security
requirements for the general management of sensitive application data, keys
and PINs. Security guidelines for M/Chip implementations are provided
in the manual MasterCard Security Guidelines for M/Chip4 Developers.
Recommendations for security parameters settings are given in the manual
MasterCard M/Chip 4 Version 1.1 Issuer Security Guidelines.

Audience
This manual is intended for developers of M/Chip applications.

Times Expressed
MasterCard is a global company with locations in many time zones. The
MasterCard operations and business centers are in the United States. The
operations center is in St. Louis, Missouri, and the business center is in
Purchase, New York.

For operational purposes, MasterCard refers to time frames in this document

as either “St. Louis time” or “New York time.” Coordinated Universal Time
(UTC) is the basis for measuring time throughout the world. You can use the
following table to convert any time used in this document into the correct
time in another zone.

St. Louis, Purchase, New UTC

Missouri, USA York, USA Eastern
Central Time Time
Standard time 09:00 10:00 15:00
(first Sunday in November
to second Sunday in
March1)
Daylight saving time 09:00 10:00 14:00
(second Sunday in
March to first Sunday
in November2)

Excerpted Text
At times, this document may include text excerpted from another document. A
note before the repeated text always identifies the source document. In such
cases, we include the repeated text solely for the reader’s convenience. The
original text in the source document always takes legal precedence.

1. For Central European Time, last Sunday in October to last Sunday in March.
2. For Central European Time, last Sunday in March to last Sunday in October.

©2008–2010 MasterCard
A-2 March 2010 • M/Chip Card Application Cryptographic Algorithms
Reference Information
Using this Document

Language Use
The spelling of English words in this document follows the convention used for
U.S. English as defined in Merriam-Webster’s Collegiate Dictionary. MasterCard
is incorporated in the United States and publishes in the United States.
Therefore, this publication uses U.S. English spelling and grammar rules.

An exception to the above spelling rule concerns the spelling of proper nouns.
In this case, we use the local English spelling.

Revisions
MasterCard periodically may issue revisions to this document to accommodate
enhancements and changes, or as corrections are required. With each revision,
a Summary of Changes describes how the text changed.

MasterCard may publish revisions to this document in a MasterCard bulletin,

another MasterCard publication, or on MasterCard OnLine®. A subsequent
revision is effective as of the date indicated in that publication or on MasterCard
OnLine and has precedence over any previous edition. In the event of a conflict
between this document and a subsequently published edition, the subsequently
published edition shall have precedence.

Related Information
The following documents and resources provide information related to the
subjects discussed in this manual. For descriptions of these documents, please
refer to the List of Manuals in the Member Publications product on MasterCard
OnLine®:

• Security Guidelines for M/Chip 4 Developers

• Smart Card Cryptographic Algorithm Implementation Guidelines
• Smart Card Application Security Guidelines for MasterCard, Version 1.0
– July 2003
• MasterCard Chip Issuer Security Guidelines
• M/Chip Lite 2.1, July 2003
• M/Chip 4 Version 1.0 Card Application Specifications for Debit and Credit
• M/Chip 4 Version 1.1 Card Application Specifications for Debit and Credit
• M/Chip 2.2 Card Application Specification

Other documents provide useful information but are subject to the signature of
a license agreement to obtain them:

• MasterCard PayPass Magnetic Stripe Technical Specification Version 3.3

December 2007
• MasterCard PayPass M/Chip 4 Technical Specification Version 1.3.1
September 2008
• M/Chip Advance Card Application Specification Payment Version 1.0
November 2009
• M/Chip Advance Card Application Specification Payment and Data Storage
Version 1.0 November 2009
• Security Guidelines for M/Chip Advance Developers December 2009

Members that use the Cirrus® service and logo or that process online debit
transactions should refer to the debit processing manuals recommended by the
Customer Operations Services team.

For definitions of key terms used in this document, please refer to the
MasterCard Dictionary on the Member Publications home page (on MasterCard
OnLine® and the MasterCard Electronic Library CD-ROM).

To order MasterCard manuals, please use the Ordering Publications service on

MasterCard OnLine®, or contact the Customer Operations Services team.

Sources
In addition, when preparing this manual the following publications and
standard documents were consulted.

EMV
• EMV, Integrated Circuit Card Specification for Payment Systems, Book 2 –
Security and Key Management. Version 4.2, June 2008
• EMV, Integrated Circuit Card Specification for Payment Systems, Book 3 –
Application Specification. Version 4.2, June 2008
• EMV, Integrated Circuit Card Specification for Payment Systems, Book 4 –
Cardholder, Attendant and Acquirer Interface Requirements. Version 4.2,
June 2008
• EMV2000, Integrated Circuit Card Specification for Payment Systems, Book
2 – Security and Key Management. Version 4.0, December 31, 2000
• EMV2000, Integrated Circuit Card Specification for Payment Systems, Book
3 – Application Specification. Version 4.0, December 31, 2000
• EMV2000, Integrated Circuit Card Specification for Payment Systems, Book
4 – Cardholder, Attendant and Acquirer Interface Requirements. Version
4.0, December 31, 2000
• EMV ’96, Integrated Circuit Card Specification for Payment Systems - Part 2:
Data Elements and Commands, Version 3.1.1, May 31, 1998
• EMV ’96, Integrated Circuit Card Specification for Payment Systems – Part 3:
Application Selection, Version 3.1.1, May 31, 1998

©2008–2010 MasterCard
A-4 March 2010 • M/Chip Card Application Cryptographic Algorithms
Reference Information
Abbreviations

• EMV ’96, Integrated Circuit Card Specification for Payment Systems – Part
4: Security Aspect, Version 3.1.1, May 31, 1998
• EMV Issuer and Application Security Guidelines. Version 2.2, May 2009
EMV specifications and bulletins are available on www.emvco.com. Consult the
EMVCo Bulletins for up-to-date information.

PayPass
• PayPass – M/Chip, Security Architecture. Version 1.2, November 2007
• PayPass – Mag Stripe, Security Architecture. Version 1.3, November 2007

FIPS
FIPS PUB 180-2, Secure Hash Standard, August 2002

ISO
• ISO/IEC 7813, Information technology - Identification cards – Financial
Transaction Cards
• ISO/IEC 7816-4, Information technology - Identification cards – Integrated
circuit(s) cards with contacts – Part 4: Inter-industry commands for
interchange
• ISO/IEC 9796-2, Information technology - Security techniques - Digital
signature schemes giving message recovery. – Part 2: Integer factorization
based mechanisms
• ISO/IEC 9797-1, Information technology – Security techniques – Message
Authentication Codes - Part 1: Mechanisms using a block cipher
• ISO/IEC 10116, Information technology – Security techniques – Modes of
operation for an n-bit block cipher
• ISO/IEC 10118-3, Information technology – Security techniques –
Hash-functions – Part 3: Dedicated hash-functions
• ISO/IEC 18033-3, Information technology – Security techniques – Encryption
algorithms – Part 3: Block ciphers
• ISO 9564-1, Banking – Personal Identification Number management and
security – Part 1: Basic principles, and requirements for online PIN handling
in ATM & POS systems
• ISO 9564-2, Banking – Personal Identification Number management and
security – Part 2: Approved algorithm(s) for PIN encipherment
• ISO 9564-3, Banking – Personal Identification Number management and
security – Part 3: Requirements for offline PIN handling in ATM & POS
systems
• ISO 11568, Banking - Key Management

Abbreviations
The following abbreviations are used in this document:

©2008–2010 MasterCard
M/Chip Card Application Cryptographic Algorithms • March 2010 A-5
Reference Information
Abbreviations

Abbreviation Description
AAC Application Authentication Cryptogram
AC Application Cryptogram
APDU Application Protocol Data Unit
ARPC Authorization Response Cryptogram
ARQC Authorization Request Cryptogram
ASN Abstract Syntax Notation
ATC Application Transaction Counter
b Binary
CA Certification Authority
CAM Card Authentication Method
CBC Cipher Block Chaining
CDA Combined DDA/Application Cryptogram Generation
CDOL Card Risk Management Data Object List
CLA Class Byte of the Command Message

CSK Common Session Key

CVN Cryptogram Version Number

DDA Dynamic Data Authentication
DES Data Encryption Standard

DIS Draft International Standard

DDOL Dynamic Data Authentication Data Object List
ECB Electronic Code Book
ECK Encryption Key
EMV Europay MasterCard Visa
Hex. Hexadecimal
IAD Issuer Application Data
ICC Integrated Circuit Card
IDN ICC Dynamic Number
INS Instruction Byte of Command Message
KDI Key Derivation Index
LDD Length of the ICC Dynamic Data
MK Master Key
n Numeric
NCA Length of the Certification Authority Public Key
Modulus
NI Length of the Issuer Public Key Modulus
NIC Length of the ICC Public Key Modulus
P1 Parameter 1

©2008–2010 MasterCard
A-6 March 2010 • M/Chip Card Application Cryptographic Algorithms
Reference Information
Conventions

Abbreviation Description
P2 Parameter 2
PCA Certification Authority Public Key
PI Issuer Public Key
PIC ICC Public Key
PDOL Processing Options Data Object List
PK Public Key
RSA Rivest, Shamir, Adleman algorithm
SCA Certification Authority Private Key
SDA Static Data Authentication
SHA Secure Hash Algorithm
SI Issuer Private Key
SIC ICC Private Key
SK Session Key (or private key in RSA context)
SKD Session Key Derivation
SMC Secure Messaging for Confidentiality

SMI Secure Messaging for Integrity

TC Transaction Certificate
YYMMD Year Month Day

Conventions
The M/Chip Application Cryptographic Algorithm manual utilizes the following
standard conventions.

Notation Meaning
‘0’ to ‘9’ and ‘A’ to ‘F’ 16 hexadecimal digits.
‘x..y’ Hexadecimal value.
A := B A is assigned the value of B.
A=B Value of A is equal to the value of B.
A º B (mod n) Integers A and B are congruent modulo the integer n, that is,
there exists an integer d such that (A - B) = dn.
A mod n The reduction of the integer A modulo the integer n, that is,
the unique integer 0 £ r < n for which there exists an integer
d such that A = dn + r.
Y := DES(K)[X] Encipherment of a 64-bit data block X with the DES algorithm
using a 56-bit secret key K.
X = DES-1(K)[Y] Decipherment of a 64-bit data block Y with the DES algorithm
using a 56-bit secret key K.

Notation Meaning
Y := DES3(K)[X] Encipherment of a 64-bit data block X with the Triple-DES
algorithm as specified in About DES and Triple-DES, using
a 112-bit secret key K.
X = DES3-1(K)[Y] Decipherment of a 64-bit data block Y with the Triple-DES
algorithm as specified in About DES and Triple-DES, using
a 112-bit secret key K.
Y := MAC(K)[X] Computation of the 8-byte MAC on the message X using key
K and the MAC algorithm specified in [EMV] Annex A1.2 and
ISO/IEC 9797-1 Algorithm 3 with DES as the block cipher.
Note that padding of X is performed as part of the MAC
algorithm.
Y := Sign (S)[X] The signing of a data block X with the RSA algorithm as
specified in RSA, using the private key S.
X = Recover(P)[Y] The recovery of the data block X with the RSA algorithm as
specified in RSA, using the public key P.
C := (A || B) The concatenation of an n-bit number A and an m-bit number
B, which is defined as C = 2m A + B.
H := SHA[M] Hashing of a message M of arbitrary length using the SHA-1
algorithm as specified in SHA-1.
|n| Length of an integer n in bits.
XÅY The bit-wise exclusive-OR of the data blocks X and Y. If one
data block is shorter than the other then it is first padded to
the left with sufficient binary zeros to make it the same length
as the other.

MasterCard continually strives to improve user documents. User feedback helps

MasterCard accomplish this goal.

Please provide feedback about this document to Manuals and Publications at

publications@mastercard.com.

Support
Please address your questions about MasterCard programs and services to the
Customer Operations Services team as follows:
Phone 1-800-999-0363 or 1-636-722-6176
1-636-722-6292 (Spanish language support)
Fax 1-636-722-7192
Telex 434800 answerback: 434800 ITAC UI

Address MasterCard Worldwide

Customer Operations Services
2200 MasterCard Boulevard
O’Fallon MO 63368-7263
USA
E-Mail • Canada, Caribbean, Latin America, and United States:
customer_support@mastercard.com
• Australia and New Zealand:
csd@mastercard.com
• China, Hong Kong, and Taiwan:
helpdesk.gc@mastercard.com
• Southeast Asia:
helpdesk.singapore@mastercard.com
• Japan/Guam:
opetokyo@mastercard.com
• Korea:
korea_helpdesk@mastercard.com
• Europe and South Asia/Middle East/Africa:
css@mastercard.com
• Spanish language support:
lagroup@mastercard.com
• Vendor Relations, all regions:
vendor.program@mastercard.com
• Chip help, all regions
chip_help@mastercard.com
Contacting Member Relations representatives assist U.S. members with
Your U.S. marketing inquiries. They interpret member requests and
Member Relations requirements, analyze them, and if approved, monitor their
Representative progress through the various MasterCard departments. This
does not cover support for day-to-day operational problems,
which the Customer Operations Services team addresses.
For the name of your U.S. Member Relations representative,
contact your local Member Relations office:
• 1-678-459-9000 Atlanta
• 1-847-375-4000 Chicago
• 1-924-249-2000 Purchase
• 1-925-866-7700 San Francisco
Contacting The regional representatives work out of the regional offices.
Your Regional Their role is to serve as intermediaries between the members
Representative and other departments in MasterCard. Members can inquire
and receive responses in their own languages and during their
offices’ hours of operation.
For the name of the location of the regional office serving your
area, call the Customer Operations Services team.

I Heard The Owl Call My Name Novel
100% (1)
I Heard The Owl Call My Name Novel
8 pages
Customer Interface Specification
100% (6)
Customer Interface Specification
874 pages
VCPS 2.2 Jan2016
No ratings yet
VCPS 2.2 Jan2016
243 pages
EMV Implementation Tandem Supplemental Guide
100% (2)
EMV Implementation Tandem Supplemental Guide
355 pages
Vts Description Guide Vdep Third Party Solutions
No ratings yet
Vts Description Guide Vdep Third Party Solutions
32 pages
MChip Advance Common Personalization Specification Version 1.2.1
No ratings yet
MChip Advance Common Personalization Specification Version 1.2.1
52 pages
MChip 4 Issuer Guide To Debit and Credit Parameter Management, Dec2004
100% (1)
MChip 4 Issuer Guide To Debit and Credit Parameter Management, Dec2004
318 pages
MasterCard Relay Resistancer Protocol 09022021
100% (1)
MasterCard Relay Resistancer Protocol 09022021
58 pages
0ikL3QgQKCejxyundxQ8 CoursematerialA4-1569849373450
No ratings yet
0ikL3QgQKCejxyundxQ8 CoursematerialA4-1569849373450
82 pages
Vip System Sms Atm Processing Specs Intl
100% (1)
Vip System Sms Atm Processing Specs Intl
207 pages
15b Kinematics
No ratings yet
15b Kinematics
15 pages
Technical - Specifications-PayPass - PDS v1.9 (June 2014)
100% (2)
Technical - Specifications-PayPass - PDS v1.9 (June 2014)
107 pages
J-Secure 2.0 Acquirer Implementation Guide - v1.2
No ratings yet
J-Secure 2.0 Acquirer Implementation Guide - v1.2
32 pages
Authorization Manual
No ratings yet
Authorization Manual
471 pages
Base I Technical Specs - Vol 2
No ratings yet
Base I Technical Specs - Vol 2
314 pages
Acquirer Credit and Debit - Dual Message
No ratings yet
Acquirer Credit and Debit - Dual Message
641 pages
EMV CPS v1.1
67% (3)
EMV CPS v1.1
104 pages
Public Key Infrastructure - Certification Authority Interface
No ratings yet
Public Key Infrastructure - Certification Authority Interface
44 pages
EMV v4.3 Book1 ICC To Terminal Interface 2011113003541414
100% (1)
EMV v4.3 Book1 ICC To Terminal Interface 2011113003541414
189 pages
PayPass MChip Requirements 2013 PDF
No ratings yet
PayPass MChip Requirements 2013 PDF
75 pages
ABU Guide Oct 27 2020
No ratings yet
ABU Guide Oct 27 2020
134 pages
EMV Transaction Result Analysis
67% (3)
EMV Transaction Result Analysis
3 pages
EMV v4.2 Book 4
100% (1)
EMV v4.2 Book 4
155 pages
PayPass UserGuide
No ratings yet
PayPass UserGuide
252 pages
Iso8583 Especs
No ratings yet
Iso8583 Especs
118 pages
Visa VIS Specification 15 - May - 2009
92% (13)
Visa VIS Specification 15 - May - 2009
558 pages
EMV v4.2 Book 1 ICC To Terminal Interface CR05
100% (1)
EMV v4.2 Book 1 ICC To Terminal Interface CR05
197 pages
Master Card Icc Card
100% (1)
Master Card Icc Card
233 pages
book2-EMV v4.2 Book 2 Security and Key Management CR05 - 20090122094212
No ratings yet
book2-EMV v4.2 Book 2 Security and Key Management CR05 - 20090122094212
176 pages
Introduction To MChip Advance Card Application Specifications - Payment
No ratings yet
Introduction To MChip Advance Card Application Specifications - Payment
38 pages
EMV v4.3 Book2 Security and Key Management 20111130035544327
No ratings yet
EMV v4.3 Book2 Security and Key Management 20111130035544327
174 pages
EMV (Chip & PIN) Protocol: Märt Bakhoff Supervised: Arnis Paršovs
No ratings yet
EMV (Chip & PIN) Protocol: Märt Bakhoff Supervised: Arnis Paršovs
41 pages
PayPass - MChip (V1.3)
No ratings yet
PayPass - MChip (V1.3)
125 pages
PayPass - MChip - Acquirer - Imlementation - Requirements - PPMCAIR (V1.0 - July 2008)
No ratings yet
PayPass - MChip - Acquirer - Imlementation - Requirements - PPMCAIR (V1.0 - July 2008)
88 pages
ISO Global 2008 3
100% (1)
ISO Global 2008 3
294 pages
Vip System Sms Atm Processing Specs Intl
No ratings yet
Vip System Sms Atm Processing Specs Intl
210 pages
VSDC Issuer Ig Vis 1.5
100% (1)
VSDC Issuer Ig Vis 1.5
266 pages
PayPass - MChip 4 Card Technical Specification (V1.3.1)
75% (4)
PayPass - MChip 4 Card Technical Specification (V1.3.1)
46 pages
Visa Integrated Circuit Card Specification (VIS) (15560)
100% (1)
Visa Integrated Circuit Card Specification (VIS) (15560)
581 pages
Part IV Debit Credit Application Security Specification
100% (1)
Part IV Debit Credit Application Security Specification
87 pages
EMVCo 3DS SDKSpec 220 122018
No ratings yet
EMVCo 3DS SDKSpec 220 122018
130 pages
Quick Chip For EMV and QVSDC, Specification Version 2.0 (Visa, 2017)
No ratings yet
Quick Chip For EMV and QVSDC, Specification Version 2.0 (Visa, 2017)
18 pages
A Guide To EMV Chip Technology v3.0 1
No ratings yet
A Guide To EMV Chip Technology v3.0 1
33 pages
Part V IC Card Internet Multipurpose Terminal Specification
No ratings yet
Part V IC Card Internet Multipurpose Terminal Specification
144 pages
Fis 8583-2017
No ratings yet
Fis 8583-2017
600 pages
POS DynmCurrConv
No ratings yet
POS DynmCurrConv
58 pages
Dynamic Currency Conversion Performance Guide
No ratings yet
Dynamic Currency Conversion Performance Guide
24 pages
Terminal Specification For VMJC V1 34
No ratings yet
Terminal Specification For VMJC V1 34
232 pages
Interregional Interchange Guide
No ratings yet
Interregional Interchange Guide
114 pages
Visa Secure August 2021 Release Notes 1.0
No ratings yet
Visa Secure August 2021 Release Notes 1.0
9 pages
Part V Contactless Integrated Circuit Card Payment Specification
100% (1)
Part V Contactless Integrated Circuit Card Payment Specification
103 pages
ADVT User Guide 6.0
No ratings yet
ADVT User Guide 6.0
163 pages
Pin Block Formats: David Tushie
No ratings yet
Pin Block Formats: David Tushie
3 pages
Interchange Fee
No ratings yet
Interchange Fee
3 pages
EMV - Understanding
No ratings yet
EMV - Understanding
3 pages
EMV v4.3 Book 1 ICC To Terminal Interface 2012060705394541
No ratings yet
EMV v4.3 Book 1 ICC To Terminal Interface 2012060705394541
189 pages
Canada's Role in the Payment Processing Industry
From Everand
Canada's Role in the Payment Processing Industry
Robert Ronning
No ratings yet
MCHIP 4 Version 1.1 Security and Key Management
No ratings yet
MCHIP 4 Version 1.1 Security and Key Management
93 pages
Credit-Debit Sim Mchip Key Set
No ratings yet
Credit-Debit Sim Mchip Key Set
30 pages
Personalization Data Specifications: For Debit and Credit On Chip
No ratings yet
Personalization Data Specifications: For Debit and Credit On Chip
71 pages
EMV v4.2 Book 2 Security and Key Management CR05 20111118072236762
No ratings yet
EMV v4.2 Book 2 Security and Key Management CR05 20111118072236762
177 pages
EMV
100% (1)
EMV
32 pages
Skateboarding: Design and Development Guidance For Skateboarding
No ratings yet
Skateboarding: Design and Development Guidance For Skateboarding
52 pages
Molloy College Division of Education Lesson Plan
No ratings yet
Molloy College Division of Education Lesson Plan
12 pages
The Force Awakens - (SWR09a) Character Folio - Tiras
No ratings yet
The Force Awakens - (SWR09a) Character Folio - Tiras
8 pages
UKMT - IMC - Intermediate Mathematical Challenge 2016 - Solutions
No ratings yet
UKMT - IMC - Intermediate Mathematical Challenge 2016 - Solutions
11 pages
Role of Peoples and Nations in Protecting The Natural Environment
No ratings yet
Role of Peoples and Nations in Protecting The Natural Environment
38 pages
Download full Engaging in culturally relevant math tasks fostering hope in the middle and high school classroom 1st Edition Lou E. Matthews ebook all chapters
100% (3)
Download full Engaging in culturally relevant math tasks fostering hope in the middle and high school classroom 1st Edition Lou E. Matthews ebook all chapters
40 pages
Qu b-Ud-Dīn A Mad Walīullāh Ibn Abd-Ur-Ra Īm Ibn Wajīh-Ud-Dīn Ibn Mu A Am Ibn Man Ūr Al - Umarī Ad-Dehlawī (
No ratings yet
Qu b-Ud-Dīn A Mad Walīullāh Ibn Abd-Ur-Ra Īm Ibn Wajīh-Ud-Dīn Ibn Mu A Am Ibn Man Ūr Al - Umarī Ad-Dehlawī (
4 pages
CV Siggard
No ratings yet
CV Siggard
3 pages
Coursebook Answers Chapter 6 Asal Physics
No ratings yet
Coursebook Answers Chapter 6 Asal Physics
5 pages
The Fastest, Easiest, Effective, Entertaining
100% (1)
The Fastest, Easiest, Effective, Entertaining
16 pages
Student Handbook - Leading Learning
No ratings yet
Student Handbook - Leading Learning
25 pages
Counting Methods and Techniques in Experiment
100% (1)
Counting Methods and Techniques in Experiment
9 pages
Mammalian Tissues Post-Lab Worksheet
No ratings yet
Mammalian Tissues Post-Lab Worksheet
5 pages
BSR Five-Step Guide To Stakeholder Engagement
No ratings yet
BSR Five-Step Guide To Stakeholder Engagement
19 pages
Human Relations Era
100% (2)
Human Relations Era
43 pages
Recognition of The Elements of Financial Statements
No ratings yet
Recognition of The Elements of Financial Statements
1 page
Efficiency of Gas Turbine
100% (2)
Efficiency of Gas Turbine
10 pages
Ds-pp-0107 - Mechanical Data Sheet For Swivel Joints (Rev.0)
No ratings yet
Ds-pp-0107 - Mechanical Data Sheet For Swivel Joints (Rev.0)
3 pages
Measurement and Simulation of Residual Stress in Type 304 Weld Overlay Stainless Steel Pipe
No ratings yet
Measurement and Simulation of Residual Stress in Type 304 Weld Overlay Stainless Steel Pipe
13 pages
Adobe CCT - Datasheet
No ratings yet
Adobe CCT - Datasheet
2 pages
Car Elevator Quotation - SAWA Parking Systems
No ratings yet
Car Elevator Quotation - SAWA Parking Systems
5 pages
Tech Link
No ratings yet
Tech Link
8 pages
Mat 4 Medium Ability
No ratings yet
Mat 4 Medium Ability
2 pages
Tooth Ankylosis: Clinical, Radiographic and Histological
No ratings yet
Tooth Ankylosis: Clinical, Radiographic and Histological
9 pages
The Rizal Memorial Colleges, Inc
No ratings yet
The Rizal Memorial Colleges, Inc
4 pages
Power Crisis in The Philippines
100% (1)
Power Crisis in The Philippines
1 page
(Ebook) Indo-Pacific Strategies and Foreign Policy Challenges : The US-China Strategic Competition by James Platte, Hyun Ji Rim ISBN 9781032454481, 9781003377061, 9781000901016, 9781000901139, 1032454482, 1003377068, 1000901017, 1000901130 pdf download
100% (1)
(Ebook) Indo-Pacific Strategies and Foreign Policy Challenges : The US-China Strategic Competition by James Platte, Hyun Ji Rim ISBN 9781032454481, 9781003377061, 9781000901016, 9781000901139, 1032454482, 1003377068, 1000901017, 1000901130 pdf download
51 pages
Processing of Remote Sensing Data
No ratings yet
Processing of Remote Sensing Data
508 pages

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.