For PIN processing in KAAI appropriate cryptographic algorithms for transaction security (PAC, MAC) as well as key management functions are necessary. In this appendix the following functions are described:
• Triple-DES
• Triple-DES ECB Mode
• Triple-DES CBC Mode
• MAC and Retail CBC-MAC
• Simple CBC-MAC
• Retail CBC-MAC
• Generation of session keys
6.1 Notations
• The operation | defines a concatenation.
• The operation XOR and/or ⊕⊕⊕ defines a bit-level addition modulo 2 without carry: ⊕ 0 + 0 = 0
0 + 1 = 1 1 + 0 = 1 1 + 1 = 0
• The operation PA(.) defines a byte-level parity adjustment on odd parity of the argument.
• For an 8-byte-long key K (single length), eK(.) defines the encryption with a simple DES and dK(.) the corresponding decryption of an 8-byte-long data block.
For each 8-byte-long data block P, eK(dK(P)) = dK(eK(P)) = P is valid.
• For a 16-byte-long key *KK (double length), e*KK(.) defines the encryption with Triple-DES, and d*KK(.) the decryption Triple-DES in the ECB-mode of an 8-byte-long data block.
Hence for each 8-byte data block P
e*KK(d*KK(P)) = d*KK(e*KK(P)) = P is valid.
6.2 Algorithms 6.2.1 Triple DES
The Triple DES or 3-DES method uses 3 DES successive operations with 3 successive 8-byte keys. The Triple-DES and its use in encryption modes is defined in ANSI X9.52 – 1998: Triple Data Encryption Algorithm, Modes of Operation. The most widely used method is EDE (Encrypt-Decrypt-Encrypt):
• the first key K1 is used to encrypt the 8-byte data block
• the result is then decrypted using the second key K2
• the third key K3 is used to produce the final cipher text by encrypting the result from the previous step
By this the encryption of a text block P (8-byte-long) with Triple-DES under a 24-byte-long key K = K1 | K2 | K3 is defined as follows:
Triple-DES K (P) = eK3( dK2( eK1 (P))).
Usually the key used in a 3-DES operation is a 16-byte long key (*KK = KKL | KKR). The leftmost 8-bytes (KKL) are used as key 1 and key 3, the rightmost 8 bytes (KKR) are used as key 2.
By this Triple-DES encryption with a 16-byte-long key *KK results in:
Triple-DES *KK (P) = eKKL( dKKR( eKKL (P))).
Therefore the following notation is used (s. section 6.1): e*KK(.)
6.2.2 Triple DES ECB Mode
The Triple-DES encryption in ECB mode of a data block longer than 8 byte takes place through a gradual encryption of the individual data blocks.
P1|...|Pn is the message P and is divided in 8-byte-long data blocks Pi. The message length which is not a multiple of 8 byte is achieved with appropriate padding.
The Triple-DES encryption in ECB-Mode with 16-byte-long key KK is defined as follows:
Ci = e*KK(Pi) for i=1,...,n
C1|...|Cn are the cipher text-blocks composing the encrypted message.
6.2.3 Single DES CBC Mode
Input-data for the DES in CBC mode are
• an 8-byte long key K
• an 8-byte-long ICV (Initial Chaining Value)
• a message P
P1|...|Pn is the message P divided into 8-byte-long blocks Pi. A message length that is a multiple of 8 byte is obtained by means of appropriate padding.
Encryption with DES in CBC mode is recursively defined as follows:
yo = ICV
yi = eK(yi-1 XOR Pi) for i = 1,…, n
y1 |...|yn are then the encrypted text blocks that belong to the message.
The decryption process is as follows:
yo = ICV
Pi = dK(yi) XOR yi-1 for i =1,…, n
For the DES CBC mode encryption and decryption of messages, the following notation is used:
DES CBC mode encryption: eK(ICV, P) DES CBC mode decryption: dK(ICV, y) For each message P
eK(ICV,dK(ICV,P)) = dK(ICV,eK(ICV,P)) = P is valid.
6.2.4 Triple DES CBC Mode
Input-data for the Triple DES in CBC mode are
• an 16-byte long key KK
• an 8-byte-long ICV (Initial Chaining Value)
• a message P
The Triple DES CBC mode encryption / decryption process functions similar to the single DES CBC mode encryption / decryption process. Instead of a single length key K, a double length key KK is used.
P1|...|Pn is the message P divided into 8-byte-long blocks Pi. A message length that is a multiple of 8 byte is obtained by means of appropriate padding.
Encryption with Triple-DES in CBC mode is recursively defined as follows:
yo = ICV
yi = e*KK(yi-1 XOR Pi) for i = 1,…, n
y1 |...|yn are then the encrypted text blocks that belong to the message.
The decryption process is as follows:
yo = ICV
Pi = d*KK(yi) XOR yi-1 for i =1,…, n
For the Triple DES CBC mode encryption and decryption of messages, the following notations are used:
Triple DES CBC mode encryption: e*KK(ICV, P) Triple DES CBC mode decryption: d*KK(ICV, y)
6.2.5 MAC
A Message Authentication Code (MAC) is created for a message using a cryptographic key and sent with the message in order to make the integrity of the message testable for the receiver.
Depending on the length of the key used, various algorithms based on DES are used for MAC creation, all of which generate an 8-byte-long MAC.
6.2.6 Simple CBC-MAC
Input-data for the simple CBC-MAC are
• an 8-byte long key K
• the fixed 8-byte-long ICV = '00…00'
• a message P
The calculation of the simple CBC-MAC for a message is carried out in a similar way to the DES CBC mode encryption from paragraph 6.2.3. The individual cipher text blocks, with the exception of the last block, hereby represent only intermediate results. This last output block forms the simple CBC-MAC:
P1|…|Pn is the message P divided into 8-byte blocks Pi.. A message length that is a multiple of 8-byte is obtained by means of appropriate padding.
The simple CBC-MAC is recursively defined as follows:
yo = ICV = '00..00'
yi = eK(yi-1 XOR Pi) for i =1,…, n
yn is the simple CBC-MAC that belongs to the message.
For formation of the simple CBC-MAC of message P with key K and Initial Chaining Value ICV = '00..00', the following notation is used:
CBC-MAC generation: mK(P)
6.2.7 Retail CBC-MAC
A Retail CBC-MAC is calculated by combining 2 different processes using a 16-byte long key KK. The key is split in 2 halves: KKL and KKR (KK = KKL | KKR).
The first process only uses an 8-byte-long key (KKL) and generates a simple MAC. The second process uses the full 16-byte-long key (KKL| KKR ) and generates the retail MAC.
The Retail CBC-MAC is defined in ANSI X9.19 – 1996 : Financial Institution - Retail Message Authentication.
Input-data for the Retail CBC-MAC are
• an 8-byte long key KK
• the fixed 8-byte-long ICV = '00…00'
• a message P
For the formation of the retail CBC-MAC from a message P divided into n blocks of 8-byte length, first a simple CBC-MAC is formed first as an interim result from the initial n-1 blocks.
To that purpose the left half KKL of the double-length key KK is used as a key.
Next the interim result is XOR-ed with the last message-block. The result is encrypted using a Triple-DES-encryption with key *KK. The final 8-byte output-block is the retail CBC-MAC.
KKL is the 8-byte-long left half of KK and P1|...|Pn the message P is divided into 8-byte-long blocks. A message length that is a multiple of 8 byte is obtained by means of appropriate padding.
The retail CBC-MAC is defined as follows:
y = mKKL(P1|...|Pn-1) y' = e*KK(y XOR Pn)
y' is the retail CBC-MAC belonging to the message.
For generation of the retail CBC-MAC of message P with key *KK and Initial Chaining Value ICV = '00..00' the following notation is used:
Retail CBC-MAC generation: m*KK(P).
The Retail CBC-MAC is defined in ANSI X9.19 – 1996 : Financial Institution - Retail Message Authentication.
6.3 Generation of Session Keys
The generation of session keys is based on the communication link key used for the two communication partners, exchanged random values and fixed values (control vectors). A common algorithm for the generation of session keys is used which is independent from the specific communication link. But the used "input key" depends whether a terminal to host or a host to host communication happens. So the following two situations must be considered:
• For the interface between the POS Terminal and the Acquirer host session keys will be used that have been derived from the double length (16-byte long) unique terminal key (UTK). This unique terminal key will remain static during the whole life cycle of the used HSM (or PED).
• For the interface between the Network Operator host and the Acquirer host session keys will be used that have been derived from the double length (16-byte long) communication link key KACQ,NO. This communication link key is unique for the combination acquirer and network operator. The key KACQ,NO is stored in the HSM of the network operator. The acquirer may also store this key in the HSM or the specific communication link key KACQ,NO is derived from the correspondent master key MKACQ and the ID of the network operator.
The duration of a session is set for the transmission of exactly one message. In order to preserve a high level of security, a different key is used for each message. This also applies to related request- and response messages within an application.
*K is a 16-byte-long application-specific unique Key (UTK or KACQ,NO) and *CV is a 16-byte-long fixed value (control vector). *K and *CV consist of two 8-byte blocks each (left and right), which have following relationship:
K = K1|K2 and CV = CV1|CV2 with K1, K2, CV1, CV2 ∈∈∈∈ (F2)64
Four intermediate key parts TKn are generated as follows:
TK1 = K1 XOR CV1 TK2 = K2 XOR CV1 TK3 = K1 XOR CV2
TK4 = K2 XOR CV2
A dynamic session-key SK is dynamically generated from these intermediate key parts as follows:
SK = PA( [d*TK1TK2(RND1)] | [d*TK3TK4(RND2)] ) (*)
where RND = RND1|RND2 indicates a 16-byte long random number (concatenated from two 8-eight byte blocks RND1 and RND2), which was generated for this specific session.
For the dynamic generation of session keys according to (*) the following notation is used:
SK = PA( d*K.CV(RND) )
Then the two final PAC and MAC session keys are generated with separate values for the Control Vectors and the Random Numbers. This is done as follows:
SK = PA( d*K.CV(RND) )
For the calculation of the SKMAC the following fixed value CVMAC is used:
CVMAC = '00 00 4D 00 03 41 00 00' | '00 00 4D 00 03 21 00 00'.
For the calculation of the SKPAC the following fixed value CVPAC is used CVPAC = '00 21 5F 00 03 41 00 00' | '00 21 5F 00 03 21 00 00'.
A 16-byte long random number RNDMAC for calculation of a SKMAC is used.
A 16-byte-long random number RNDPAC for calculation of a SKPAC is used.
This results in the following:
SKMAC = PA( d*K.CVMAC (RNDMAC) ) SKPAC = PA( d*K.CVPAC (RNDPAC) )
The field (BMP 64 or 128) that will contain the MAC value in a message is the Retail CBC-MAC of this message calculated with SKMAC defined in chapter 6.2.7. As defined in Pos. 9-10 of BMP53 the following MAC Generation Modes are available:
• The default MAC protects the complete message contents.
• For the partial MAC, which is used in communications between terminal and acquirer via concentrators, the following BMPs must be protected by the partial MAC:
o In requests BMPs 1, 2, 3, 4, 49, 52, 53 and 57 (without sequence number).
o In responses BMPs 1, 2, 3, 4, 49, 39, 53 and 57 (without sequence number).
Other BMPs may be modified or additional BMPs may be added/removed by concentrators.
The use of partial MAC has to be agreed with each individual credit card institution.
The field (BMP 52) that will contain the PAC is the 3-DES encryption of the ISO 9564-1 Format 0 or Format 1 PIN block with the message and session specific key SKPAC defined in 6.2.2.