Wiki source code of PayEx IFSF H2H Security specification
Version 3.1 by Pål-Eirik Askerød on 2017/10/30 08:25
| 1 | == Key schemes == |
| 2 | |
| 3 | Currently PayEx only support H2H Shared keys for MAC, PIN and Data Encryption. |
| 4 | |
| 5 | This solution defines three different keys which are shared with the 3rd party that integrates the PayEx H2H IFSF protocol. |
| 6 | |
| 7 | 3rd partys will be assigned a uniq key version that needs to be specified in requests towards PayEx Host. |
| 8 | |
| 9 | |
| 10 | === Security Related Control Information === |
| 11 | |
| 12 | This information is transported in P-53 towards PayEx Host. **For scheme H2H Shared keys only 53-6 needs to be populated with the version of keys**. |
| 13 | |
| 14 | This field (53-6) needs to be present in all request that have MAC, PIN or encrypted data. (P-127) |
| 15 | |
| 16 | |=Element|=Name|=Format|=Attribute|=Description |
| 17 | |53| |n|2|LLVAR length field |
| 18 | |53-1|Master key generation number|n|1|Identifies the master key generation. **Currently NOT supported** |
| 19 | |53-2|Key version of master key|n|1|Identifies the key version. **Currently NOT supported** |
| 20 | |53-3|MAC random value|b|16|ZKA MAC random value. **Currently NOT supported** |
| 21 | |53-4|PAC random value|b|16|((( |
| 22 | ZKA PAC random value. Zero filled if no PIN block in the message. **Currently NOT supported** |
| 23 | ))) |
| 24 | |53-5|Data encryption random value|b|16|ZKA Data encryption random value. **Currently NOT supported** |
| 25 | |53-6|H2H Key version|n|2|Version of keys shared by PayEx with 3rd party. Eks "02" |
| 26 | |
| 27 | === PIN Encryption Methodology === |
| 28 | |
| 29 | This information is transported in P-48.14 field towards PayEx Host. |
| 30 | |
| 31 | |=Element|=Name|=Format|=Attribute|=Description |
| 32 | |48| |n|3|LLLVAR length field |
| 33 | |48-14|PIN Encryption Methodology|ans|2|Identifies the key version used for pin block encryption. Supported values listed below. |
| 34 | |
| 35 | ‘13’: PayEx H2H shared keys |
| 36 | |
| 37 | ‘33’: ZKA MS/SK PAC H2H (**Currently not supported**) |
| 38 | |
| 39 | When P-52 is present in request, this field must also be present. When field P-52 is NOT present, field 48-14 should also NOT be present. |
| 40 | |
| 41 | The value currently supported by PayEx is ‘13’ and refers to PayEx H2H shared keys. **Other values are currently not supported**. |
| 42 | |
| 43 | PayEx H2H shared key scheme defines a pin encryption key that is used to encrypt the pin block. See PIN section for details. |
| 44 | |
| 45 | |
| 46 | === Message Authentication Code (MAC) === |
| 47 | |
| 48 | We use ANS X9.9 Option 1 (binary data) procedure using ISO 16609 CBC-mode Triple-DES (TDES) encryption of the data. |
| 49 | |
| 50 | Uses a double-length key. |
| 51 | |
| 52 | |
| 53 | ==== Mac calculation method: ==== |
| 54 | |
| 55 | [[image:1509348013142-123.png||height="450" width="908"]] |
| 56 | |
| 57 | |
| 58 | |
| 59 | === PIN === |
| 60 | |
| 61 | |
| 62 | |
| 63 | === Data encryption === |