== Key schemes ==

Currently PayEx only supports H2H shared keys for MAC, PIN and data encryption.

This solution defines three different keys which are shared with the 3rd party that integrates the PayEx H2H IFSF protocol.

Each 3rd party is assigned a unique key version that must be specified in requests towards PayEx Host.


== How to generate test keys ==

|=|=Name|=KCV, total|=Component K1 (KCV)|=Component K2 (KCV)
|1|BHISOENC.IFSFTST.1|4C12B4|7686 D6CB 708F 2319 108A 7AB6 9E8C 6416 (KCV: B7DB 1260)|2D30 6353 8E47 C074 6A9F AA53 84C9 3F0A (KCV: 25B5 7BF7)
|2|BHISOMAC.IFSFTST.1|7CC660|07C8 A734 29BA 2A43 7C76 C8BC 4551 7607 (KCV: 6224 DE35)|AC1E CA72 9927 7D74 ED65 EED4 0065 097B (KCV: 6320 95D1)
|3|BHISOPIN.IFSFTST.1|866C07|F210 F201 7A3E 3D89 20D9 B53D 1C49 13EF (KCV: 10EC E3C4)|7133 9066 2BF9 5F8D 2863 D2B4 1E17 7D5C (KCV: F116 767E)

**Procedure to create complete keys:**
Key = K1 XOR K2. Then copy the first 8 bytes of the key to the end of the key, giving a total of 24 bytes (so K3 = K1).

**Check the key against the total KCV:**
Create an 8-byte array of zero bytes, encrypt it with Triple-DES in ECB mode under the key, and compare the first 4 bytes of the result to the total KCV. If they match, the key has been generated correctly. Note that the total KCV values in the table above are written with 6 hex characters (3 bytes), so compare as many leading bytes as the given KCV has.

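The procedure above, as an added Go example that is not PayEx code: it combines the two components, expands the key to the 24-byte form Go's Triple-DES implementation expects, and checks a KCV by prefix so that both the 3-byte total KCVs and the 4-byte component KCVs of the table can be verified. Only the standard library is used; the space-grouped hex notation is the table's own.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"strings"
)

// parseHex decodes a hex string written with the table's group spacing.
func parseHex(s string) []byte {
	b, err := hex.DecodeString(strings.ReplaceAll(s, " ", ""))
	if err != nil {
		panic(err)
	}
	return b
}

// expand copies the first 8 bytes of a 16-byte key to its end (K3 = K1),
// the 24-byte form Go's Triple-DES implementation requires.
func expand(k16 []byte) []byte {
	return append(append([]byte{}, k16...), k16[:8]...)
}

// CombineComponents follows the procedure above: key = K1 XOR K2, then expanded to 24 bytes.
func CombineComponents(k1, k2 []byte) []byte {
	key := make([]byte, 16)
	for i := range key {
		key[i] = k1[i] ^ k2[i]
	}
	return expand(key)
}

// KeyCheckValue encrypts one all-zero block with Triple-DES ECB and returns
// the 8-byte result as upper-case hex; the KCV is its leading digits.
func KeyCheckValue(key24 []byte) string {
	block, err := des.NewTripleDESCipher(key24)
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	block.Encrypt(out, make([]byte, 8))
	return strings.ToUpper(hex.EncodeToString(out))
}

// VerifyKCV compares only as many leading hex digits as the expected KCV has:
// the table's total KCVs are 3 bytes long, the component KCVs 4 bytes.
func VerifyKCV(key24 []byte, expected string) bool {
	return strings.HasPrefix(KeyCheckValue(key24), strings.ToUpper(strings.ReplaceAll(expected, " ", "")))
}
```

With k1 and k2 parsed from the BHISOENC.IFSFTST.1 row above, VerifyKCV(expand(k1), "B7DB 1260") checks a single component and VerifyKCV(CombineComponents(k1, k2), "4C12B4") the combined key.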
== Security Related Control Information ==

This information is transported in field P-53 towards PayEx Host. **For the H2H shared keys scheme only 53-1 needs to be populated, with the version of the keys**.

This field (53-1) must be present in all requests that carry a MAC, a PIN or encrypted data. Field P-53 is binary with an LLVAR length.

|=Element|=Name|=Format|=Attribute|=Description
|53| |n|2|LLVAR length field
|53-1|H2H Key version|n|2|Version of the keys shared by PayEx with the 3rd party, e.g. "02"
|53-2|Master key generation number|n|1|Identifies the master key generation. **Currently NOT supported**
|53-3|Key version of master key|n|1|Identifies the key version. **Currently NOT supported**
|53-4|MAC random value|b|16|ZKA MAC random value. **Currently NOT supported**
|53-5|PAC random value|b|16|ZKA PAC random value. **Currently NOT supported**
|53-6|Data encryption random value|b|16|ZKA Data encryption random value. **Currently NOT supported**

**PayEx shared key scheme**

PayEx supplies the key version to be sent in 53-1. This scheme defines 3 different keys, for MAC, PIN and data encryption, which are shared between PayEx and the 3rd party.

**ZKA scheme (Currently not supported)**

PayEx defines the values of 53-2 and 53-3. Note that separate sets of values are defined for test and for production, and the values are unique for every third party (host).

For optimal security it is good practice to use different random values for the MAC and the PAC. However, the security impact of using the same random number for PAC and MAC is very limited, especially because in the MK/SK security scheme the master key is XORed with a fixed control mask, and the control mask value differs between PIN and MAC. So even if the MAC session key were compromised, the PIN session key still could not be determined, even when the same random number is used. It is important to ensure that different random numbers are used for every transaction.


== Message Authentication Code (MAC) ==

We use the ANS X9.9 Option 1 (binary data) procedure, using ISO 16609 CBC-mode Triple-DES (TDES) encryption of the data.

PayEx uses a double-length key (128 bit).

The input for the MAC calculation/verification is the SHA-256 of the IFSF message. The message length header and the MAC block itself are not included; however, the MAC bit in the bitmap is part of the message and is already set when the MAC is calculated.


==== MAC calculation method ====

[[image:1509348361585-795.png||height="352" width="720"]]

The figure shows the MAC calculation for ANS X9.9 Option 1 (binary data). In this figure, KEY is a 64-bit key, and T1 through Tn are 64-bit data blocks of text. If Tn is shorter than 64 bits, binary zeros are appended to the right of Tn. Data blocks T1...Tn are DES CBC-encrypted with all output discarded except for the final output block, On. The figure is drawn for single DES; PayEx applies the same procedure with the Triple-DES double-length key described above.

Note: ANS X9.19 Basic Procedure and ISO/IEC 9797-1 MAC Algorithm 1 are the same as ANS X9.9 Option 1.


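The MAC method above, as an added Go example that is not PayEx code: the SHA-256 digest of the message is run through Triple-DES CBC and only the final block On is kept. The zero IV, the sample key and the stand-in message are assumptions (constructed values, not real traffic); the double-length key is expanded to the 24-byte form Go's Triple-DES requires.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// expandKey turns a 16-byte double-length key (K1||K2) into the 24-byte
// K1||K2||K1 form that Go's Triple-DES requires; a 24-byte key passes through.
func expandKey(key []byte) []byte {
	if len(key) == 16 {
		return append(append([]byte{}, key...), key[:8]...)
	}
	return key
}

// ComputeMAC follows the method above: the 32-byte SHA-256 digest of the IFSF
// message (length header and MAC field excluded, MAC bit set) is the MAC input.
// It is Triple-DES CBC encrypted with a zero IV (assumed; the page names none)
// and only the final 8-byte output block On is kept as the MAC for P-64/P-128.
func ComputeMAC(macKey, message []byte) []byte {
	digest := sha256.Sum256(message) // four complete 64-bit blocks, so no zero padding is needed
	block, err := des.NewTripleDESCipher(expandKey(macKey))
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(digest))
	cipher.NewCBCEncrypter(block, make([]byte, 8)).CryptBlocks(out, digest[:])
	return out[len(out)-8:] // On: the last CBC output block
}

// VerifyMAC recomputes the MAC on the receiving side and compares it in
// constant time, so a mismatch does not leak which bytes differed.
func VerifyMAC(macKey, message, received []byte) bool {
	return subtle.ConstantTimeCompare(ComputeMAC(macKey, message), received) == 1
}

func main() {
	// Constructed sample values: a test MAC key and a stand-in message body, not real traffic.
	key, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")
	msg := []byte("constructed IFSF message body with the MAC bit set")
	mac := ComputeMAC(key, msg)
	fmt.Printf("MAC for P-64: %X\nverifies: %v\n", mac, VerifyMAC(key, msg, mac))
}
```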
==== Transport of MAC ====

The MAC value is transported in P-64 or P-128 towards PayEx. P-128 is used when P-127 is present. The field is binary with a length of 8.


== Personal Identification Number (PIN) ==

The enciphered PIN block is transported in P-52 towards PayEx. Format is binary, length 8.

The PIN-block format is ISO-0 (same as ANS X9.8, VISA-1 and ECI-1).

The PIN encryption key must be used to encrypt the PIN block sent to PayEx.


==== PIN Encryption Methodology ====

This information is transported in field P-48.14 towards PayEx Host.

|=Element|=Name|=Format|=Attribute|=Description
|48| |n|3|LLLVAR length field
|48-14|PIN Encryption Methodology|ans|2|Identifies the PIN encryption scheme used for PIN block encryption. Supported values are listed below.

‘13’: PayEx H2H shared keys

‘33’: ZKA MK/SK PAC H2H (**Currently not supported**)

When P-52 is present in the request, this field must also be present. When P-52 is NOT present, field 48-14 must also NOT be present.

The value currently supported by PayEx is ‘13’, which refers to PayEx H2H shared keys. **Other values are currently not supported**.

The PayEx H2H shared key scheme defines a PIN encryption key that is used to encrypt the PIN block.

== Data encryption ==

Encrypted card data (track2) is transported in field P-127 towards PayEx. Format is LLLBinary.

Data must be encrypted with Triple-DES in CBC mode using the data encryption key provided by PayEx.

This field has TLV format.

Tag (3 hex chars) is the field number in BCD. E.g. P-35 = '035'

Length (2 hex chars) is the length of the data field, in hex.

Value is the field value in hex.

The complete TLV data is packed to binary and padded to a multiple of 8 bytes.

Track2 example in hex:

035257071557105754509915D19034000040000000F00000 (24 bytes)

Tag: 035

Length: 25x = 37 (hex 25 is decimal 37)

Value: 7071557105754509915D19034000040000000

Padding: F00000 (the padding starts with an F end sentinel, followed by zeros)
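
The TLV packing above, as an added Go example that is not PayEx code: it reproduces the track2 example byte for byte and also unpacks the field on the receiving side, rejecting a length that overruns the data or a trailer that is not the F sentinel plus zeros (that receiver-side check goes beyond what the page states). The packed bytes are the plaintext for the Triple-DES CBC encryption under the data encryption key.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// PackTLV builds the P-127 plaintext for one field as described above: a
// 3-digit BCD tag (the field number), a 2-hex-digit length of the value, the
// value itself, then an F end sentinel and zero nibbles up to a multiple of 8 bytes.
func PackTLV(field int, value string) ([]byte, error) {
	if field < 0 || field > 999 || len(value) > 0xFF {
		return nil, fmt.Errorf("field must be 0-999 and value at most 255 hex chars")
	}
	tlv := fmt.Sprintf("%03d%02X%s", field, len(value), value) + "F"
	tlv += strings.Repeat("0", (16-len(tlv)%16)%16) // 16 hex chars = 8 bytes
	return hex.DecodeString(tlv) // errors if the value is not hex
}

// UnpackTLV is the receiving side: it reads tag and length, returns the value
// and rejects data whose trailer is not exactly the F sentinel plus zeros.
func UnpackTLV(packed []byte) (field int, value string, err error) {
	h := strings.ToUpper(hex.EncodeToString(packed))
	if len(h) < 5 {
		return 0, "", fmt.Errorf("too short for tag and length")
	}
	if field, err = strconv.Atoi(h[:3]); err != nil {
		return 0, "", err
	}
	n, err := strconv.ParseInt(h[3:5], 16, 0)
	if err != nil || 5+int(n) > len(h) {
		return 0, "", fmt.Errorf("bad or oversized length %q", h[3:5])
	}
	value, pad := h[5:5+n], h[5+n:]
	if !strings.HasPrefix(pad, "F") || strings.Trim(pad[1:], "0") != "" {
		return 0, "", fmt.Errorf("bad padding %q", pad)
	}
	return field, value, nil
}

func main() {
	packed, _ := PackTLV(35, "7071557105754509915D19034000040000000") // the track2 example above
	f, v, err := UnpackTLV(packed)
	fmt.Printf("%X (%d bytes)\nfield %d value %s err %v\n", packed, len(packed), f, v, err)
}
```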