Implementing Electronic Card Payment Systems (Artech House Computer Security Series)

5.3 Entities and certifiers

In the EMV 2000 specifications there are two types of entities requiring certificates on their public keys: the issuer of a card containing an EMV ¢ debit/credit application and the ICC.

5.3.1 Issuer requires a public key certificate

When the issuer is the entity that requires an EMV ¢ public key certificate, the material to be certified is the issuer public key, which consists of the issuer public key modulus , denoted n _I with the byte-length N _I , and the Issuer Public Key Exponent (tag 9F32), denoted e _I . The corresponding certificate is referred to as the Issuer Public Key Certificate (tag 90). The actual upper limitation on N _I is 248 bytes, while the value of e _I can be either 3 or 2 ¹⁶ + 1. In this case, the certificate format, which is an item of the certificate content that distinguishes among several types of certificate formats, is set to 02h.

In this case the certifier is named the Certification Authority (CA), which runs an RSA digital signature scheme with recovery (see Appendix F, Section F.3). This scheme is parameterized with the certification authority public key modulus, denoted n _CA with the byte-length N _CA , the certification authority public key exponent, denoted e _CA , and the certification authority secret key exponent, denoted d _CA . The actual upper limitation on N _CA is 248 bytes, while the value of e _CA can be either 3 or 2 ¹⁶ + 1. Moreover, the relationship between N _I and N _CA has to be N _I ‰ N _CA .

A card association or a payment system operator proposing an EMV ¢ debit/credit application can play the role of the CA.

5.3.2 ICC requires a public key certificate

When the ICC is the entity that requires an EMV ¢ public key certificate, the material to be certified can be:

• The ICC public key modulus, denoted n _IC with the byte-length N _IC , and the ICC Public Key Exponent (tag 9F47), denoted e _IC . The ICC public key consists of the pair ICC public key modulus and ICC Public Key Exponent. The corresponding certificate is referred to as the ICC Public Key Certificate (tag 9F46). The actual limitation on N _IC is 248 bytes, while the value of e _IC can be either 3 or 2 ¹⁶ + 1. In this case, the certificate format is set to 04h. The associated RSA scheme is used by the card for digitally signing information that includes at least a random number received from the terminal. This is performed with the corresponding ICC private key, consisting of the pair ICC public key modulus n _IC and the ICC secret key exponent d _IC .

• The ICC PIN encipherment public key modulus, denoted n _PE with the byte-length N _PE , and the ICC PIN Encipherment Public Key Exponent (tag 9F2E), denoted e _PE . The ICC PIN encipherment public key consists of the pair ICC PIN encipherment public key modulus and ICC PIN Encipherment Public Key Exponent. The corresponding certificate is referred to as the ICC PIN Encipherment Public Key Certificate (tag 9F2D). The actual upper limitation on N _PE is 248 bytes, while the value of e _PE can be either 3 or 2 ¹⁶ + 1. In this case, the certificate format is set also to 04h. The terminal uses the ICC PIN encipherment public key ( n _PE , e _PE ) for creating a digital envelope that includes the cardholder's PIN, which is sent encrypted for local verification in the card. The card uses the corresponding ICC PIN encipherment private key ( n _PE , d _PE ), for decrypting the digital envelope. The parameter d _PE is referred to as the ICC PIN encipherment secret key exponent.

In this case the certifier is the card's issuer, which runs an RSA digital signature scheme with recovery (see Appendix F, Section F.3). The scheme is parameterized with the issuer public key modulus ( n _I ), the Issuer Public Key Exponent ( e _I ), and the issuer secret key exponent, denoted d _I . The issuer private key, which consists of the issuer public key modulus and the issuer secret key exponent ( n _I , d _I ), is used for signing the certificates for the ICC. Note that N _I , N _IC , and N _PE , should respect the relations N _IC ‰ N _I and N _PE ‰ N _I .