EMV Perso Summary

Source: Internet   Published by: 太平洋软件   Editor: 程序博客网   Time: 2024/05/16 11:59

  • Summary
  • INITIALIZE UPDATE
  • EXTERNAL AUTHENTICATE
    • Session Keys
  • STORE DATA
  • C-MAC Command
  • Reference

Summary

I have been working on EMV perso scripts recently; this entry summarizes a few points about INITIALIZE UPDATE, EXTERNAL AUTHENTICATE and STORE DATA.
For more detail on the data involved, see my other blog entry, GP (Global Platform) External authentication and MAC sending APDU.

INITIALIZE UPDATE

INITIALIZE UPDATE is used to begin the authentication with the applet or the Card Manager. The command data is the host challenge.

CLA  INS  P1               P2   Lc   Data in         Le
80h  50h  Key Set Version  00h  08h  Host Challenge  00h

The response data is as below:

Field                            Length (bytes)
Key Diversification Data         10
Key Set Version (01-7Fh) or FFh  1
SCP ID (02h)                     1
Sequence Counter                 2
Card Challenge                   6
Card Cryptogram                  8

Example (host challenge of eight zero bytes; the response data is fetched with GET RESPONSE and is shown split into the fields above):

<< 80 50 00 00 08 0000000000000000
>> 611C
<< 00 C0 00 00 1C
>> 0000507101046E6C8B70 FF 02 0007 2503683B31FA B7F4E8D8857D0CB4

The host challenge and the response data are both used in the external authentication that follows.

EXTERNAL AUTHENTICATE

The EXTERNAL AUTHENTICATE command authenticates the host to the current applet and opens a secure channel to the card. The command carries the security level in P1.

Field  Content                           Length
CLA    ‘84’                              1
INS    ‘82’                              1
P1     Security Level (see table below)  1
P2     ‘00’                              1
Lc     ‘10’                              1
Data   Host Cryptogram                   8
Data   C-MAC                             8

Security level (P1):

b8 b7 b6 b5 b4 b3 b2 b1  Description
0  0  0  0  0  0  1  1   Encryption and MAC
0  0  0  0  0  0  0  1   MAC
0  0  0  0  0  0  0  0   No Security

Session Keys

Session Key  IC Card Key  Derivation Data
SKUENC       KENC         ‘0182’ || sequence counter || ‘000000000000000000000000’
SKUMAC       KMAC         ‘0101’ || sequence counter || ‘000000000000000000000000’
SKUDEK       KDEK         ‘0181’ || sequence counter || ‘000000000000000000000000’

Continuing with the first example, the EXTERNAL AUTHENTICATE command (the sequence counter 0007 comes from the INITIALIZE UPDATE response above):

Random Data (host challenge): 0000000000000000
ENC: 404142434445464748494A4B4C4D4E4F
MAC: 404142434445464748494A4B4C4D4E4F
DEK: 404142434445464748494A4B4C4D4E4F
Session ENC: A2268F71917EFE0F33CC6166E1154E27
Session MAC: 7A227D376A9DBE23AB50B7DCB45B2093
Session DEK: F39FCFB2383B09578723B8C2E03B2729
<< 84 82 01 00 10 80F1BB4686D30DF9 A0B8829AF3E87A16
>> 9000

STORE DATA

The STORE DATA command is used to personalize the EMV applications. Multiple DGIs (Data Grouping Identifiers) may be sent in one STORE DATA command.

STORE DATA Command Coding

Field    Content                            Length
CLA      ‘80’ or ‘84’                       1
INS      ‘E2’                               1
P1       See table below                    1
P2       Sequence Number                    1
Lc       Length of command data             1 or 3
DGI1     Identifier of first data grouping  2
Length1  Length of first data grouping      1 or 3
Data1    First data to be stored            var.
DGIn     Identifier of n’th data grouping   2
Lengthn  Length of n’th data grouping       1 or 3
Datan    n’th data to be stored             var.
C-MAC    Present if CLA = ‘84’              0 or 8

Coding of P1 in the STORE DATA command:

Bits   Meaning
b8     Last STORE DATA command indicator: 1 = last STORE DATA command, 0 = not the last STORE DATA command
b7 b6  Encryption indicators: 11 = all DGIs encrypted under SKUDEK (session DEK, DES ECB algorithm); 00 = no DGI is encrypted; 01 = application dependent; 10 = RFU
b5-b1  RFU

Example:

DGI: 8201
Length: 48
Original Data: 588C13E98E5294BE0161E432F8B0E77A208D8AAC95A7D8091099AFEC687A72A59C0CB179A327DFB044F0BFAA21D6232E0C29C99BBAD8A735B3952007F49DF43C8000000000000000
Session DEK: 33C1D105492068CD86923711B29E6475
Encrypted: 6CF8E1732DE31C85318AB1549978C5D9D67C2CDE8668A4AEBFB36D2C766874B09D968A3DE64E0CE5C53A10F56B2818F4097804BCE8C27C4F9A6993B09C86D4FCC5D7FA98C3AEB6BE
<< 80 E2 60 0D 4B 8201 48 6CF8E1732DE31C85318AB1549978C5D9D67C2CDE8668A4AEBFB36D2C766874B09D968A3DE64E0CE5C53A10F56B2818F4097804BCE8C27C4F9A6993B09C86D4FCC5D7FA98C3AEB6BE
>> 9000
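As an added example (not code from the original post or from the blog entry it references), the following Python splits the INITIALIZE UPDATE response into the fields of its table, builds the SCP02 session-key derivation blocks from the Session Keys table, and parses a STORE DATA APDU into its DGIs; the sample values are the hex strings quoted above, and the three-byte ‘FF hh ll’ DGI length form follows the GlobalPlatform convention. It does not compute the DES session keys or C-MAC themselves.

```python
# Added example (not from the original post): split the INITIALIZE UPDATE
# response into the fields of its table, build the SCP02 session-key derivation
# blocks from the Session Keys table, and parse a STORE DATA APDU into DGIs.
# Sample values are the hex strings quoted on this page; no DES is computed.

DERIVATION_CONST = {"ENC": "0182", "MAC": "0101", "DEK": "0181"}  # Session Keys table

def parse_init_update_response(resp_hex):
    """Split the 28-byte INITIALIZE UPDATE response data into named fields."""
    r = bytes.fromhex(resp_hex)
    if len(r) != 28:
        raise ValueError("INITIALIZE UPDATE response data must be 28 bytes")
    return {
        "key_div_data": r[0:10].hex().upper(),
        "key_version": r[10],             # 01-7F, or FF
        "scp_id": r[11],                  # 02 for SCP02
        "seq_counter": r[12:14].hex().upper(),
        "card_challenge": r[14:20].hex().upper(),
        "card_cryptogram": r[20:28].hex().upper(),
    }

def derivation_data(key_type, seq_counter_hex):
    """constant || sequence counter || 12 zero bytes: the 16-byte block that is
    3DES-CBC encrypted under the static ENC/MAC/DEK key to give the session key."""
    block = bytes.fromhex(DERIVATION_CONST[key_type] + seq_counter_hex) + bytes(12)
    return block.hex().upper()

def parse_store_data(cmd_hex):
    """Parse a STORE DATA APDU (CLA INS P1 P2 Lc data [C-MAC]) into its DGIs."""
    c = bytes.fromhex(cmd_hex)
    cla, ins, p1, p2, lc = c[0], c[1], c[2], c[3], c[4]
    if ins != 0xE2:
        raise ValueError("not a STORE DATA command")
    body = c[5:5 + lc]
    if cla & 0x04:                        # secure messaging: trailing 8-byte C-MAC
        body = body[:-8]
    dgis, i = [], 0
    while i < len(body):
        dgi = body[i:i + 2].hex().upper()
        i += 2
        if body[i] == 0xFF:               # 3-byte length form FF hh ll (GP coding)
            ln, i = int.from_bytes(body[i + 1:i + 3], "big"), i + 3
        else:                             # 1-byte length form
            ln, i = body[i], i + 1
        dgis.append((dgi, body[i:i + ln].hex().upper()))
        i += ln
    return {"last": bool(p1 & 0x80),                     # b8: last-command indicator
            "dek_encrypted": ((p1 >> 5) & 0x03) == 0x03,  # b7b6 = 11: under SKUDEK
            "seq_no": p2, "dgis": dgis}
```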

C-MAC Command

If CLA = ‘84’, the C-MAC must be calculated and appended to the end of the APDU command. It is computed with the session MAC key generated at the EXTERNAL AUTHENTICATE step, and the IV is the C-MAC value produced by the previous C-MAC computation (in the example below, the C-MAC of the EXTERNAL AUTHENTICATE command above). See my other blog entry for details: GP (Global Platform) External authentication and MAC sending APDU.

Example:

Session MAC Key: 7A227D376A9DBE23AB50B7DCB45B2093
IV: A0B8829AF3E87A16
<< 84 E6 0C 00 2C 06A00000000316 07A0000000031650 0E315041592E5359532E4444463031 0110 02C900 00 7CC1FECDA12AA91E
>> 6101
<< 00 C0 00 00 01
>> 00 9000

Reference

1. Blog entry: GP (Global Platform) External authentication and MAC sending APDU
2. EMV Card Personalization Specification
3. GlobalPlatform Card Specification Version 2.2, March 2006
