Function Name    Function Code
ENCIPHER_2       EE0800
DECIPHER_2       EE0801
ENCIPHER_3       EE0804
DECIPHER_3       EE0805
ENCIPHER-KTM1    EE0806
B-ENCIPHER-ECB   84
B-DECIPHER-ECB   85
Mark II Programmers Guide Chapter 15
Card Issuance (SHP Toolkit EMV) D
Request
Content      Length  Attribute  Description
EE0800       3       h          Function Code
FM           1       h          Function Modifier = 00
DPK-Spec     Var     K-Spec     Key specifier for DPK (Formats: 0 - 3, 10, 11, 13, 20, 51)

Response
Content      Length  Attribute  Description
EE0800       3       h          Function Code
rc           1       h          Return Code
OCV          8       h          Output Chaining Value
eDPK(Data)   Var     h          Cipher text
This function enciphers the supplied data using a host-stored session key (DPK) supplied within a key specifier.
The function performs single-DES or triple-DES encipherment, as determined by the length of the supplied key, and supports both Electronic Code Book (ECB) and Cipher Block Chaining (CBC) modes of operation. The function supports encipherment of large messages (or data files) either by one call to the function or by multiple calls. For CBC encipherment using multiple calls, chaining values must be maintained between calls.
DPK-Spec Key specifier incorporating a single or double length host-stored or HSM-stored DPK.
CM Specifies the mode of operation for the encipherment:
0 Electronic Code Book (ECB)
1 Cipher Block Chaining (CBC)
ICV Chaining value for CBC encipherment. For encipherment of a message or file using one call, or on the first call of a multi-call encipherment, this field should be set to the required value of the Initialization Vector (IV). On subsequent calls of a multi-call encipherment, the field should be set to the value of the OCV provided by the previous call.
For ECB encipherment, this field will be ignored.
OCV Chaining value for CBC encipherment. For encipherment of a message or file using a multi-call encipherment, the value in this field should be used as the ICV in the next call.
For ECB encipherment, this field will be set to zero.
Data Plaintext data to be enciphered. Must be a multiple of 8 bytes long.
Mark II Programmers Guide Chapter 15 Data Ciphering Functions
NOTES
• This function supersedes functions 80, 82.
• When the function modifier is missing, the function returns error code 24, missing function code.
SHP Toolkit MK2
int EFT_EE0800_Encipher (
IN UCHAR FM,
IN KEYSPEC *DPK,
IN UCHAR CipherMode,
IN UCHAR ICV[8],
IN EFTBUFFER *clear_data,
OUT UCHAR OCV[8],
OUT EFTBUFFER *enc_data ) ;
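The multi-call CBC rule described for this function (each call's OCV becomes the next call's ICV), as an added example that is not code from the guide or the SHP Toolkit. It does not call EFT_EE0800_Encipher: toy_block is a stand-in for the DES operation inside the HSM, the names encipher_call, encipher_multi and matches_single_call are hypothetical, and it assumes standard CBC, where the chaining value left after a call is the last ciphertext block.

```c
#include <stdint.h>
#include <string.h>
#define BLK 8 /* DES block size: ICV and OCV are 8 bytes */

/* Assumption: toy keyed 64-bit permutation standing in for the HSM's DES. */
static uint64_t toy_block(uint64_t key, uint64_t x) {
    x ^= key;
    return (x ^ (x >> 29)) * 0x9E3779B97F4A7C15ULL;
}

/* Hypothetical model of one CBC call (CM = 1); OCV = last ciphertext block. */
int encipher_call(uint64_t dpk, const uint8_t icv[BLK], const uint8_t *data,
                  size_t len, uint8_t ocv[BLK], uint8_t *out) {
    uint64_t chain, blk;
    if (len % BLK != 0) return -1; /* data must be a multiple of 8 bytes */
    memcpy(&chain, icv, BLK);
    for (size_t off = 0; off < len; off += BLK) {
        memcpy(&blk, data + off, BLK);
        chain = toy_block(dpk, blk ^ chain); /* C_i = E(P_i xor C_{i-1}) */
        memcpy(out + off, &chain, BLK);
    }
    memcpy(ocv, &chain, BLK);
    return 0;
}

/* carry_ocv = 1: each OCV becomes the next ICV; 0 models resending the IV. */
int encipher_multi(uint64_t dpk, const uint8_t iv[BLK], const uint8_t *data,
                   size_t len, size_t chunk, int carry_ocv, uint8_t *out) {
    uint8_t icv[BLK], ocv[BLK];
    if (chunk == 0 || chunk % BLK != 0) return -1;
    memcpy(icv, iv, BLK);
    for (size_t off = 0; off < len; off += chunk) {
        size_t n = (len - off < chunk) ? len - off : chunk;
        if (encipher_call(dpk, icv, data + off, n, ocv, out + off) != 0) return -1;
        if (carry_ocv) memcpy(icv, ocv, BLK);
    }
    return 0;
}

/* Constructed sample: 1 = same as one call, 0 = differs, -1 = chunk rejected. */
int matches_single_call(size_t chunk, int carry_ocv) {
    uint8_t iv[BLK], data[32], one[32], multi[32], ocv[BLK];
    memset(iv, 0x11, sizeof iv);
    memset(data, 0x41, sizeof data); /* four identical plaintext blocks */
    encipher_call(0x0123456789ABCDEFULL, iv, data, sizeof data, ocv, one);
    int rc = encipher_multi(0x0123456789ABCDEFULL, iv, data, 32, chunk, carry_ocv, multi);
    return rc != 0 ? -1 : (memcmp(one, multi, sizeof one) == 0);
}
int main(void) { return matches_single_call(16, 1) == 1 ? 0 : 1; }
```

With the four identical plaintext blocks used here, resending the IV on each 8-byte call produces four identical ciphertext blocks, so the output no longer matches the one-call result.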
Card Issuance (SHP Toolkit EMV) D
Request
Content      Length  Attribute  Description
EE0801       3       h          Function Code
FM           1       h          Function Modifier = 00
DPK-Spec     Var     K-Spec     Key specifier for DPK (Formats: 0 - 3, 10, 11, 13, 20, 51)

Response
Content      Length  Attribute  Description
EE0801       3       h          Function Code
rc           1       h          Return Code
OCV          8       h          Output Chaining Value
Data         Var     h          Deciphered data
This function deciphers the supplied data using a host-stored session key (DPK) supplied within a key specifier.
The function performs single-DES or triple-DES decipherment, as determined by the length of the supplied key, and supports both Electronic Code Book (ECB) and Cipher Block Chaining (CBC) modes of operation. The function supports decipherment of large messages (or data files) either by one call to the function or by multiple calls. For CBC decipherment using multiple calls, chaining values must be maintained between calls.
DPK-Spec Key specifier incorporating a single or double length host-stored or HSM-stored DPK.
CM Specifies the mode of operation for the decipherment:
0 Electronic Code Book (ECB)
1 Cipher Block Chaining (CBC)
ICV Chaining value for CBC decipherment. For decipherment of a message or file using one call, or on the first call of a multi-call decipherment, this field should be set to the required value of the Initialization Vector (IV). On subsequent calls of a multi-call decipherment, the field should be set to the value of the OCV provided by the previous call.
For ECB decipherment, this field will be ignored.
eDPK(Data) Cipher text to be deciphered. Must be a multiple of 8 bytes long.
OCV Chaining value for CBC decipherment. For decipherment of a message or file using a multi-call decipherment, the value in this field should be used as the ICV in the next call.
For ECB decipherment, this field will be set to zero.
Data Deciphered plaintext data.
NOTES
• This function supersedes functions 81, 83.
• When the function modifier is missing, the function returns error code 24, missing function code.
SHP Toolkit MK2
int EFT_EE0801_Decipher (
IN UCHAR FM,
IN KEYSPEC *DPK,
IN UCHAR CipherMode,
IN UCHAR ICV[8],
IN EFTBUFFER *enc_data,
OUT UCHAR OCV[8],
OUT EFTBUFFER *clear_data);
Card Issuance (SHP Toolkit EMV) D
Request
Content      Length  Attribute  Description
EE0804       3       h          Function Code
FM           1       h          Function Modifier = 00
DPK-Spec     Var     K-Spec     Key specifier for DPK (Formats: 0 - 3, 10, 11, 13, 16)

Response
Content      Length  Attribute  Description
EE0804       3       h          Function Code
rc           1       h          Return Code
OCV          Var     h          Output Chaining Value
eDPK(Data)   Var     h          Ciphertext
This function enciphers the supplied Data using a session key (DPK) supplied within a key specifier.
The function performs DES or SEED encryption, as determined by the DPK key specifier and supports both Electronic Code Book (ECB) and Cipher Block Chaining (CBC) modes of operation.
The function supports encipherment of large messages (or data files) either by one call to the function or by multiple calls. For CBC encipherment using multiple calls, chaining values must be maintained between calls.
FM = 00. Must be set to zero.
DPK-Spec Key specifier incorporating a single-length or double-length host-stored or HSM-stored DPK.
This field determines the encryption method.
DES – formats 00 – 03 (DES keys only), 10, 11 and 13.
SEED – formats 00 – 03 (SEED keys only) and 16.
CM Specifies the mode of operation for the encipherment for the response content eDPK(Data):
0 Electronic Code Book (ECB)
1 Cipher Block Chaining (CBC)
ICV Chaining value for CBC encipherment. For encipherment of a message or file using one call, or on the first call of a multi-call encipherment, this field should be set to the required value of the Initialization Vector (IV). On subsequent calls of a multi-call encipherment, the field should be set to the value of the OCV provided by the previous call.
For ECB encipherment, the contents of this field will be ignored.
For DES processing this field must be 8 bytes in length while for SEED processing this field must be 16 bytes in length.
OCV Chaining value for CBC encipherment. For encipherment of a message or file using a multi-call encipherment, the value in this field should be used as the ICV in the next call.
For ECB encipherment, the contents of this field will be set to zero.
For DES processing this field will be 8 bytes in length, while for SEED processing this field will be 16 bytes in length.
Data Plaintext data to be enciphered. For DES processing this field must be a multiple of 8 bytes long while for SEED processing it must be a multiple of 16 bytes.
NOTES
• For information on the SEED algorithm see the Glossary.
• When the function modifier (FM = 00) is missing, the function returns error code 24, missing function code.
SHP Toolkit MK2
int EFT_EE0804_Encipher3 (
IN UCHAR FM,
IN KEYSPEC *DPK,
IN UCHAR CipherMode,
IN EFTBUFFER *ICV,
IN EFTBUFFER *clear_data,
OUT EFTBUFFER *OCV,
OUT EFTBUFFER *enc_data );
Card Issuance (SHP Toolkit EMV) D
Request
Content      Length  Attribute  Description
EE0805       3       h          Function Code
FM           1       h          Function Modifier = 00
DPK-Spec     Var     K-Spec     Key specifier for DPK (Formats: 0 - 3, 10, 11, 13, 16)
CM           1       h          Cipher Mode: 00 = ECB, 01 = CBC
ICV          Var     h          Input Chaining Value
eDPK(Data)   Var     h          Ciphertext

Response
Content      Length  Attribute  Description
EE0805       3       h          Function Code
rc           1       h          Return Code
OCV          Var     h          Output Chaining Value
Data         Var     h          Deciphered data
This function deciphers the supplied data using a session key (DPK) supplied within a key specifier.
The function performs DES or SEED decryption, as determined by the DPK key specifier and supports both Electronic Code Book (ECB) and Cipher Block Chaining (CBC) modes of operation.
The function supports decipherment of large messages (or data files) either by one call to the function or by multiple calls. For CBC decipherment using multiple calls, chaining values must be maintained between calls.
FM = 00. Must be set to zero.
DPK-Spec Key specifier incorporating a single-length or double-length host-stored or HSM-stored DPK. This field determines the encryption method.
DES – formats 00 – 03 (DES keys only), 10, 11 and 13.
SEED – formats 00 – 03 (SEED keys only) and 16.
CM Specifies the mode of operation for the decipherment:
0 Electronic Code Book (ECB)
1 Cipher Block Chaining (CBC)
ICV Chaining value for CBC decipherment. For decipherment of a message or file using one call, or on the first call of a multi-call decipherment, this field should be set to the required value of the Initialization Vector (IV). On subsequent calls of a multi-call decipherment, the field should be set to the value of the OCV provided by the previous call.
For ECB decipherment, the contents of this field will be ignored.
For DES processing this field must be 8 bytes in length while for SEED processing this field must be 16 bytes in length.
eDPK(Data) Ciphertext to be deciphered. For DES processing this field must be a multiple of 8 bytes long while for SEED processing it must be a multiple of 16 bytes.
OCV Chaining value for CBC decipherment. For decipherment of a message or file using a multi-call decipherment, the value in this field should be used as the ICV in the next call.
For ECB decipherment, the contents of this field will be set to zero.
For DES processing this field will be 8 bytes in length, while for SEED processing this field will be 16 bytes in length.
Data Deciphered plaintext data.
NOTE
• For information on the SEED algorithm see the Glossary.
• When the function modifier is missing, the function returns error code 24, missing function code.
SHP Toolkit MK2
int EFT_EE0805_Decipher3(
IN UCHAR FM,
IN KEYSPEC *DPK,
IN UCHAR CipherMode,
IN EFTBUFFER *ICV,
IN EFTBUFFER *enc_data,
OUT EFTBUFFER *OCV,
OUT EFTBUFFER *clear_data);
ENCIPHER-KTM1
PHW DSHP D
PSO/PSG U
SHP Toolkit MK2 D
Card Issuance (SHP Toolkit EMV) D
Request
Content      Length  Attribute  Description
EE0806       3       h          Function Code
FM           1       h          Function Modifier = 00
DPK-Spec     Var     K-Spec     Key specifier for DPK (Formats: 0 - 3, 10, 11, 13, 16)
CM           1       h          Cipher Mode: 00 = ECB, 01 = CBC
ICV          Var     h          Input Chaining Value
KTM-Spec     Var     K-Spec     Key specifier for KTM (Formats: 0 - 3, 10, 11, 13, 16)

Response
Content      Length  Attribute  Description
EE0806       3       h          Function Code
rc           1       h          Return Code
OCV          Var     h          Output Chaining Value
eDPK(KTM)    Var     h          Ciphertext
This function enciphers the supplied KTM using a session key (DPK) supplied within a key specifier.
The function performs DES or SEED encryption, as determined by the DPK key specifier and supports both Electronic Code Book (ECB) and Cipher Block Chaining (CBC) modes of operation.
FM = 00. Must be set to zero.
DPK-Spec Key specifier incorporating a single-length or double-length host-stored or HSM-stored DPK. This field determines the encryption method.
DES – formats 00 – 03 (DES keys only), 10, 11 and 13.
SEED – formats 00 – 03 (SEED keys only) and 16.
CM Specifies the mode of operation for the encipherment:
0 Electronic Code Book (ECB)
1 Cipher Block Chaining (CBC)
For SEED processing this field must be set to 0 (ECB mode), otherwise error 0C will be returned.
ICV Chaining value for CBC encipherment. For encipherment of a message or file using one call, or on the first call of a multi-call encipherment, this field should be set to the required value of the Initialization Vector (IV). On subsequent calls of a multi-call encipherment, the field should be set to the value of the OCV provided by the previous call.
For ECB or SEED processing the contents of this field will be ignored.
This field must be 8 bytes in length.
KTM-Spec Key specifier incorporating a single-length or double-length host-stored or HSM-stored KTM. When DPK-Spec refers to an HSM-stored or host-stored SEED key, the KTM must be either a double-length DES key or a single-length SEED key.
OCV Chaining value for CBC encipherment. For encipherment of a message or file using a multi-call encipherment, the value in this field should be used as the ICV in the next call. For ECB or SEED processing, this field will be set to zero. This field will be 8 bytes in length.
eDPK(KTM) KTM key encrypted with DPK according to the algorithm specified.
NOTE
1. This function is an insecure one as it allows KTMs to be encrypted by DPKs. Its use is not recommended by SafeNet.
2. This function currently supports SEED encryption using ECB mode. It does not support SEED CBC mode.
3. This function is not included as standard. It will only be available if selected as an order-time option when purchasing an HSM. Please contact SafeNet if you require this functionality or further details.
4. For information on the SEED algorithm see the Glossary.
SHP Toolkit MK2
int EFT_EE0806_EncipherKTM1(
IN UCHAR FM,
IN KEYSPEC *DPK,
IN UCHAR CipherMode,
IN EFTBUFFER *ICV,
IN KEYSPEC *KTM,
OUT EFTBUFFER *OCV,
OUT EFTBUFFER *eDPK_KTM);