Open Smart Card Shell Test on doemv.js - EMV SDA Test

2023-11-04 05:32

本文主要是介绍Open Smart Card Shell Test on doemv.js - EMV SDA Test,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!

  • Summary
  • Retrieve Issuer Public key Modulus
    • Get RID
    • Get CA public key index and CA
    • Retrieval of Issuer Public Key
  • Verify SSAD
    • Decrypt SSAD
    • Verify SSAD
  • Reference

Summary

Test the Open Smart Card Shell on “doemv.js” on credit card for the EMV SDA function, get into the detail to understand the EMV SDA procedure steps.

The Certification Authority Public Key (PCA) is stored in the IC Terminal. PCA will be used to decrypt Issuer PK Certificate, and to extracts the P1 key (Issuer Public Key). P1 key will be used to decrypt the SSAD (Signed Static Application Data).

Refer to below EMV v4.3 Book 2 - EMVCo SDA flow (Chapter 5: 5 Static Data Authentication (SDA) page 51).

SDA Flow

I tested with below reader and expired credit card.
Reader

Expired Credit Card.

Credit card

Retrieve Issuer Public key Modulus

Get RID

To get Application Provider Identifier (RID), we extract the first five bytes of the Application Identifier (AID). In the test it is:A000000003 (Visa)

Get CA public key index and CA

Then read the Certification Authority Public Key Index from the ICC, the index can be read out through tag 8F (Certification Authority Public Key Index). In the test, the index is 0x08. It indicates below CA.

d.addSchemePublicKey(new ByteString("A000000003", HEX), 8, new Key("schemepublickeys/kp_visa_1408_08.xml"));

The CA value is:
D9FD6ED75D51D0E30664BD157023EAA1FFA871E4DA65672B863D255E81E137A51DE4F72BCC9E44ACE12127F87E263D3AF9DD9CF35CA4A7B01E907000BA85D24954C2FCA3074825DDD4C0C8F186CB020F683E02F2DEAD3969133F06F7845166ACEB57CA0FC2603445469811D293BFEFBAFAB57631B3DD91E796BF850A25012F1AE38F05AA5C4D6D03B1DC2E568612785938BBC9B3CD3A910C1DA55A5A9218ACE0F7A21287752682F15832A678D6E1ED0B

Retrieval of Issuer Public Key

Decrypt the Issuer PK Certificate with CA to get issuer public key, both Issuer PK Certificate and CA should be the same length, in the test, the length is 176 bytes.

Issuer PK Certificate with CA can be retrieved from tag 90.
6751D5FE447XXXXXX…

Also need the Issuer Public Key Remainder, it can be retrieved from tag 92.
CCE4335A1XXXX….

Refer to below EMV v4.3 Book 2 - EMVCo SDA flow (5.3 Retrieval of Issuer Public Key page 59).

SDA flow

Use BP-Tools - Cryptographic Calculator to verify as below,

Retrieve CA PK

After decryption, go through 12 steps to verify the result, as below,

Step 1: CA PK Modulus and Issuer’s Public Key Certificate having the same size: Passed
Step 2: Recovered Data Trailer check: equal to ‘BC’, Passed
Step 3: Recovered Data Header check (0x6A): Passed
Step 4: Certificate Format check (0x02): Passed
Step 5: Hash Input Data is as below,
Data Format + Issuer Identifier + Certificate Expiration Date + Certificate Serial Number + Hash Algorithm Indicator + Issuer Public Key Algorithm Indicator + Issuer Public Key Length + Issuer Public Key Exponent Length + Issuer Public Key + Issuer Public Key Remainder + Issuer public key exponent, in the test,
02414746FF1221033E130101B001D46C29DA316C72D55D63176628EF2DD491BC9770210E4B6D79B115FC540FE50E129DD2E9AD14972522AF96BA4A70B466F092C52AC2A6A1C18B5E3EEC81FAB11479D7BEA323935D355468CA205FA409F900E8EBD3094F1753A6FC7E54E22421710427B16C83C26C123536F3753E151B979AA697F91E8069CFABF6FD33CD1DB41694AF755E06D1C0C87840EEA7CCE4335A1A3CD7E4271A50B8D804D95ABA4E349811244D73336D196A6D969F25025B27D903

Step 6: Hashing Result:
Use SHA-1 Hash to calculate the hash result.
D553BF6A78E42CDEF6C9ECD0B74F64C42883615A
Step 7: Hash Result Comparison: Passed
Step 8: Issuer Identifier check: Skipped (DIY)
Step 9: Certificate Expiry Date check: Passed
Step 10: RID revocation check: Skipped (optional DIY)
Step 11: PK Algorithm Indicator check: Passed
Step 12: Issuer Public Key Modulus:
Issuer Public Key Modulus is Issuer Public Key + Issuer Public Key Remainder.
In the test:
D46C29DA316C72D55D63176628EF2DD491BC9770210E4B6D79B115FC540FE50E129DD2E9AD14972522AF96BA4A70B466F092C52AC2A6A1C18B5E3EEC81FAB11479D7BEA323935D355468CA205FA409F900E8EBD3094F1753A6FC7E54E22421710427B16C83C26C123536F3753E151B979AA697F91E8069CFABF6FD33CD1DB41694AF755E06D1C0C87840EEA7CCE4335A1A3CD7E4271A50B8D804D95ABA4E349811244D73336D196A6D969F25025B27D9

Verify SSAD

Decrypt SSAD

Decrypt the Signed Application Data (SSAD) by using the Issuer Public Key Modulus retrieved from above steps.

The SSAD (Signed Static Application Data) is retrieved from tag 93.

Another input is Static Data. It is the data to be authenticated, for the test, it includes the Application Primary Account Number (PAN) and Application Expiration Date. It reads 5A0841474630XXXXXXXX5F2403170831.

Static Data also includes the Static Data Authentication Tag List (Tag 9F4A), here the value is 0x82. 0x82 value was read through GET PROCESSING OPTIONS Command (80A8), first two bytes is Application Interchange Profile (AIP), tag 0x82, value here is 7C00.

So the Static Data to be authenticated is
5A0841474630XXXXXXXX5F24031708317C00

Verify SSAD

After decryption, go through 7 steps to verify the SSAD.

Refer to below EMV v4.3 Book 2 - EMVCo SDA flow (5.4 Verification of Signed Static Application Data, page 61).

Verify SSAD

Step 1: Issuer PK Modulus and Signed Static Application Data having the same length: 176 bytes, Passed
Step 2: Recovered Data Trailer check: 0xBC Passed
Step 3: Recovered Data Header check (0x6A): Passed
Step 4: Certificate Format check (0x03): Passed
Step 5: Build Hash Input Data
Signed Data Format + Hash Algorithm Indicator + Data Authentication Code + Pad Pattern + Static Data to be authenticated

0301DAC5BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB5A0841474630XXXXXXXX5F24031708317C00
Step 6: Hashing Result: 7181E1FA49DB71FC48DEFD2CC249F20F4615B9B2
Step 7: Hash Result Comparison:
Use SHA-1 Hash to calculate the hash result.

Use BP-Tools - Cryptographic Calculator to verify as below,
Verify SSAD

Reference

Open Smart Card Shell Static Data Authentication (SDA)
Test SHA-1 Hash
Open Smart Card Shell Test on dump.js
Github scsh-scripts/emv/doemv.js
BP-Tools - Cryptographic Calculator
EMV_v4.3_Book_3_Application_Specification - EMVCo
EMV v4.3 Book 2 - EMVCo

这篇关于Open Smart Card Shell Test on doemv.js - EMV SDA Test的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!



http://www.chinasem.cn/article/343588

相关文章

JS+HTML实现在线图片水印添加工具

《JS+HTML实现在线图片水印添加工具》在社交媒体和内容创作日益频繁的今天,如何保护原创内容、展示品牌身份成了一个不得不面对的问题,本文将实现一个完全基于HTML+CSS构建的现代化图片水印在线工具... 目录概述功能亮点使用方法技术解析延伸思考运行效果项目源码下载总结概述在社交媒体和内容创作日益频繁的

Node.js 数据库 CRUD 项目示例详解(完美解决方案)

《Node.js数据库CRUD项目示例详解(完美解决方案)》:本文主要介绍Node.js数据库CRUD项目示例详解(完美解决方案),本文给大家介绍的非常详细,对大家的学习或工作具有一定的参考... 目录项目结构1. 初始化项目2. 配置数据库连接 (config/db.js)3. 创建模型 (models/

shell编程之函数与数组的使用详解

《shell编程之函数与数组的使用详解》:本文主要介绍shell编程之函数与数组的使用,具有很好的参考价值,希望对大家有所帮助,如有错误或未考虑完全的地方,望不吝赐教... 目录shell函数函数的用法俩个数求和系统资源监控并报警函数函数变量的作用范围函数的参数递归函数shell数组获取数组的长度读取某下的

SpringShell命令行之交互式Shell应用开发方式

《SpringShell命令行之交互式Shell应用开发方式》本文将深入探讨SpringShell的核心特性、实现方式及应用场景,帮助开发者掌握这一强大工具,具有很好的参考价值,希望对大家有所帮助,如... 目录引言一、Spring Shell概述二、创建命令类三、命令参数处理四、命令分组与帮助系统五、自定

Python 中的 with open文件操作的最佳实践

《Python中的withopen文件操作的最佳实践》在Python中,withopen()提供了一个简洁而安全的方式来处理文件操作,它不仅能确保文件在操作完成后自动关闭,还能处理文件操作中的异... 目录什么是 with open()?为什么使用 with open()?使用 with open() 进行

使用Node.js制作图片上传服务的详细教程

《使用Node.js制作图片上传服务的详细教程》在现代Web应用开发中,图片上传是一项常见且重要的功能,借助Node.js强大的生态系统,我们可以轻松搭建高效的图片上传服务,本文将深入探讨如何使用No... 目录准备工作搭建 Express 服务器配置 multer 进行图片上传处理图片上传请求完整代码示例

Spring Shell 命令行实现交互式Shell应用开发

《SpringShell命令行实现交互式Shell应用开发》本文主要介绍了SpringShell命令行实现交互式Shell应用开发,能够帮助开发者快速构建功能丰富的命令行应用程序,具有一定的参考价... 目录引言一、Spring Shell概述二、创建命令类三、命令参数处理四、命令分组与帮助系统五、自定义S

用js控制视频播放进度基本示例代码

《用js控制视频播放进度基本示例代码》写前端的时候,很多的时候是需要支持要网页视频播放的功能,下面这篇文章主要给大家介绍了关于用js控制视频播放进度的相关资料,文中通过代码介绍的非常详细,需要的朋友可... 目录前言html部分:JavaScript部分:注意:总结前言在javascript中控制视频播放

Node.js net模块的使用示例

《Node.jsnet模块的使用示例》本文主要介绍了Node.jsnet模块的使用示例,net模块支持TCP通信,处理TCP连接和数据传输,具有一定的参考价值,感兴趣的可以了解一下... 目录简介引入 net 模块核心概念TCP (传输控制协议)Socket服务器TCP 服务器创建基本服务器服务器配置选项服

mac安装nvm(node.js)多版本管理实践步骤

《mac安装nvm(node.js)多版本管理实践步骤》:本文主要介绍mac安装nvm(node.js)多版本管理的相关资料,NVM是一个用于管理多个Node.js版本的命令行工具,它允许开发者在... 目录NVM功能简介MAC安装实践一、下载nvm二、安装nvm三、安装node.js总结NVM功能简介N