Static Data Authentication (SDA)

SDA ensures the authenticity of ICC data. After SDA it is sure that the data from the ICC is real and hasn’t changed by anyone. However SDA doesn’t assure the uniqueness of ICC data.

SDA is a digital signature scheme working with asymmetric cryptograhpy. Asymmetric cryptography uses a pair of keys. If you encode something with the first key, you can only decode it with the second key. The pair of keys is divided into a public and a private key. With the private key the issuer can “sign” critical data on ICC. Only the issuer knows the private key. The public key is not secret. Every terminal has the public key and can decode the signed data. If it conforms to the specification the data is authentic and has not changed.

The Static application data will be signed with the Issuer Private Key (S1) and stored in Signed Application Data (SSAD). The corresponding Issuer Public Key (P1) will be stored in the Issuer PK Certificate. To verify that S1 and P1 are made by the Issuer, the Issuer PK Certificate is signed with a Certification Authority Private Key (SCA). The Certification Authority Public Key (PCA) is stored in the IC Terminal.

For SDA the terminals decrypt the Issuer PK Certificate with the PCA key. If the decryption was successful, the terminal extracts the P1 key to decrypt the SSAD. SDA was successful if the IC Terminal verifies the SSAD.

Retrieval of Certification Authority Public Key

For SDA we need first the Registered Application Provider Identifier (RID) to recognize whether we have a MasterCard or Visa Card because both have different public keys. To get the RID we extract the first five bytes of the Application Identifier (AID).

The next step is to read the Certification Authority Public Key Index from the ICC. Each issuer have serveral public keys. The index reveal us which of them we need to process.

Finally with this index we will decide which key have to use.

Retrieval of Issuer Public Key

With the Certification Authority Public Key we decode the Issuer PK Certificate on the condition that both have the same length.

The certificate contains the following data:

Field Name Length Description
Recovered Data Header 1 Hex Value ‘6A’
Certificate Format 1 Hex Value ’02’
Issuer Identifier 4 Lefmost 3-8 digits from the PAN (padded to the right with Hex ‘F’s)
Certificate Expiration Date 2 MMYY after which this certificate is invalid
Certificate Serial Number 3 Binary number unique to this certificate assigned by the ceritifaction authority
Hash Algorithm Indicator 1 Identifies the hash algorithm used to produce the Hash Result in the digital signature scheme
Issuer Public Key Algorithm Indicator 1 Identifies the digital signature algorithm to be used with the Issuer Public Key
Issuer Public Key Length 1 Identifies the length of the Issuer Public Key Modulus in bytes
Issuer Public Key Exponent Length 1 Identifies the length of the Issuer Public Key Exponent in bytes
Issuer Public Key or Leftmost Digits of the Issuer Public Key* NCA – 36 If NI <= NCA – 36, consists of the full Issuer Public Key padded to the right with NCA – 36- NI bytes of value ‘BB’. If NI > NCA – 36, consists of the NCA – 36 most significant bytes of the Issuer Public Key
Hash Result 20 Hash of the Issuer Public Key and its related information
Recovered Data Trailer 1 Hex value ‘BC’

* NCA = Number of Bytes of Certifiacation Authority Public Key
* NI = Number of Bytes of Issuer Public Key Modulus

After decoding we have to proof 12 steps until we get the Issuer Public Key Modulus. The key consists of the leftmost digits of the Issuer Public Key which are stored in the certificate and the Issuer Public Key Remainder stored in an AEF file of the ICC. To get the Issuer Public Key Modulus concatenate the leftmost digits with the Issuer Public Key Remainder.

Step 1: Issuer Public Key Certificate and Certification Authority Public Key Modulus have the same length.

Step 2: The Recovered Data Trailer is equal to ‘BC’

Step 3: The Recovered Data Header is equal to ‘6A’

Step 4: The Certificate Format is equal to ’02’

Step 5: Concatenation of Certificate Format through Issuer Public Key or Leftmost Digits of the Issuer Public Key, followed by the Issuer Public Key Remainder (if present)(TAG 92), and the Issuer Public Key Exponent (TAG 9F32)

Step 6: Generate hash from concatenation

Step 7: Compare the hash result with the recovered hash result. They have to be equal

Step 8: Verify that the Issuer Identifier matches the lefmost 3-8 PAN digits (TAG 5A)

Step 9: Verify that the last day of the month specified in the Certification Expiration Date is equal to or later than today’s date.

Step 10: Verify that the concatenation of RID, Certification Authority Public Key Index, and Certificate Serial Number is valid. If not, SDA has failed. This step is optional and is to allow the revocation of the Issuer Public Key Certificate against a Certification Revocation List that may be kept by the terminal.

Step 11: Check the Issuer Public Key Algorithm Indicator is recognized.

Step 12: Concatenate the Leftmost Digits of the Issuer Public Key and the Issuer Public Key Remainder (if present) to obtain the Issuer Public Key Modulus

Verification of Signed Static Application Data

We decode the Signed Static Application Data (SSAD) with the Issuer Public Key from the step before.
The decrypted SSAD contains the following data:

Field Name Length Description
Recovered Data Header 1 Hex Value ‘6A’
Signed Data Format 1 Hex Value ’03’
Hash Algorithm Indicator 1 Identifies the hash algorithm used to produce the Hash Result in the digital signature scheme
Data Authentication Code 2 Issuer-assigned code
Pad Pattern NI – 26 Pad pattern consisting of NI – 26 bytes of value ‘BB’
Hash Result 20 Hash of the Static Application Data to be authenticated
Recovered Data Trailer 1 Hex value ‘BC’

Now we have to proof 7 steps. If all steps were successful, SDA was successful:

Step 1: Signed Static Application Data (TAG 93) and Issuer Public Key Modulus have the same length(TAG 9F32)

Step 2: The Recovered Data Trailer is equal to ‘BC’

Step 3: The Recovered Data Header is equal to ‘6A’

Step 4: The Signed Data Format is equal to ’03’

Step 5: Concatenation of Signed Data Format, Hash Algorithm Indicator, Data Authentication Code, Pad Pattern, the data listed by the AFL and finally the SDA Tag List. If the Static Data Authentication Tag List is present and contains tags other than ’82’, then SDA has failed.

Step 6: Generate hash from concatenation

Step 7: Compare recovered hash with generated hash. Store the Data Authentication Code from SSAD in tag ‘9F45’