Implementing Electronic Card Payment Systems (Artech House Computer Security Series)

5.6 Issuing EMV ¢ public key certificates

The EMV ¢ public key certificates are issued with a digital signature scheme giving message recovery based on the RSA algorithm. This scheme is described in Appendix F, Section F.3.1 (case 2) of this book. Therefore, in this section we refer to the notations introduced in the aforementioned appendix.

5.6.1 Data items included in the certificate

Let us denote with M = M _R M ² the entity public key data to be signed by the certifier. The length of this data is L , and the byte-length of the certifier public key ( modulus ) is N . The entity can be the issuer (if the certifier is the CA) or the entity can be the ICC or the ICC PIN encipherment (if the certifier is the issuer).

Then the part M _R of the message M that is recoverable from the entity public key certificate consists of N ˆ’ 22 bytes, containing the following data items (which summarizes the content of Tables 1, 6, 7, and 19 in Book 2 [1]):

• Field 1 ”Certificate Format (1 byte): This item distinguishes among several possible certificate formats corresponding to the Issuer Public Key Certificate (02h), or ICC/ICC PIN Encipherment Public Key Certificate (04h).

• Field 2 ”Entity Identifier: This item identifies the entity that owns the public key certificate. Its format depends on the entity requiring the certificate:

  • Issuer Identification Number ” IIN (4 bytes): This represents the leftmost 3 to 8 digits from the PAN ( padded to the right with the hexadecimal digit F), in case the issuer is the entity requiring a certificate signed by the CA;

  • Application PAN (8 bytes): This is padded to the right with the hexadecimal digit F till the bound of 8 bytes, in case the ICC is the entity requiring a certificate signed by the issuer.

• Field 3 ”Certificate Expiration Date (2 bytes): This date in the format MMYY indicates the date after which the certificate is no longer valid.

• Field 4 ”Certificate Serial Number (3 bytes): This data item with binary representation specifies a unique number associated with the certificate. This number is assigned by the CA in the case of an Issuer Public Key Certificate, or by the issuer in the case of an ICC/ICC PIN Encipherment Public Key Certificate.

• Field 5 ”Hash Algorithm Indicator (1 byte): This identifies the hash algorithm used to produce the hash code H . This value is used in step 1 of the algorithm described in Appendix F, Section F.3.1 (case 2). At the moment, SHA-1 is the hash algorithm recommended by the EMV 2000 specifications in Annex B3.1 of Book 2 [1]. Thus, the value of the hash algorithm indicator is set to 01h.

• Field 6 ”Entity Public Key Algorithm Indicator (1 byte): This indicates the type of public key algorithm used by an entity in conjunction with the public key contained in this certificate. At the moment this indicator is set to 01h, indicating an RSA algorithm.

• Field 7 ”Entity Public Key Length (1 byte): This indicates the length in bytes of the entity public key (modulus) that is currently certified. This length is denoted N _I , N _IC , or N _PE , depending whether the entity is the issuer, ICC, or ICC PIN encipherment, respectively.

• Field 8 ”Entity Public Key Exponent Length (1 byte): This indicates the length in bytes of the entity Public Key Exponent that is currently certified. This length is either 1 or 3, depending whether the exponent is 3 or 2 ¹⁶ + 1, respectively.

• Field 9 ”Entity Public Key or Leftmost Digits of the Entity Public Key: The field is of variable length depending on the type of entity:

  • When the entity is the issuer, the length of this field is N _CA ˆ’ 36. If N _I ‰ N _CA ˆ’ 36, this field consists of the full issuer public key modulus, padded to the right with N _CA ˆ’ 36 ˆ’ N _I bytes of value BBh. If N _I > N _CA ˆ’ 36, this field consists of the N _CA ˆ’ 36 most significant bytes of the issuer public key modulus.

  • When the entity is the ICC (for signing), the length of this field is N _I ˆ’ 42. If N _IC ‰ N _I ˆ’ 42, this field consists of the full ICC public key modulus, padded to the right with N _I ˆ’ 42 ˆ’ N _IC bytes of value BBh. If N _IC > N _I ˆ’ 42, this field consists of the N _I ˆ’ 42 most significant bytes of the ICC public key modulus.

  • When the entity is the ICC PIN encipherment, the length of this field is N _I ˆ’ 42. If N _PE ‰ N _I ˆ’ 42, this field consists of the full ICC PIN encipherment public key modulus, padded to the right with N _I ˆ’ 42 ˆ’ N _PE bytes of value BBh. If N _PE > N _I ˆ’ 42, this field consists of the N _PE ˆ’ 42 most significant bytes of the ICC PIN encipherment public key modulus.

The part M ² of the message M (entity public key data) that has to be separately transmitted for certificate verification has variable length, containing the following data items (which summarizes the content of Tables 1, 6, 7, and 19 in Book 2 [1]):

• Field 10 ”Entity Public Key Remainder: This is a field of variable length depending on the type of entity as follows :

  • When the entity is the issuer, the length is either 0 or N _I ˆ’ N _CA + 36. This field is only present if N _I > N _CA ˆ’ 36, and consists of the N _I ˆ’ N _CA + 36 least significant bytes of the issuer public key modulus.

  • When the entity is the ICC (for signing), the length is either 0 or N _IC ˆ’ N _I + 42. This field is only present if N _IC > N _I ˆ’ 42, and consists of the N _IC ˆ’ N _I + 42 least significant bytes of the ICC public key modulus.

  • When the entity is the ICC PIN encipherment, the length is either 0 or N _PE ˆ’ N _I + 42. This field is only present if N _PE > N _I ˆ’ 42, and consists of the N _PE ˆ’ N _I + 42 least significant bytes of the ICC PIN encipherment public key modulus.

• Field 11 ”Entity Public Key Exponent: This is a field of length 1 or 3 bytes, depending whether the exponent is 3 or 2 ¹⁶ + 1.

• Field 12 ”Static Data to Be Authenticated: This is a field of variable length, which is present only in the ICC public key data to be signed by the issuer [i.e., when the entity is the ICC (for signing)].

5.6.2 Generating the public key certificate

In order to generate the Issuer Public Key Certificate, the CA applies the algorithm described in Appendix F, Section F.3.1 (case 2), on the issuer public key data (as described in Section 5.6.1 where the entity is the issuer) with the following RSA parameters: n _S = n _CA and d _S = d _CA .

• The Issuer Public Key Certificate, of length N _CA , is generated every time an issuer adopts the EMV ¢ debit/credit application supervised by a CA. Subsequently, this certificate is regenerated every time the CA public key changes.

• The Issuer Public Key Certificate is loaded during the personalization of every card managed by the issuer, which supports off-line data authentication (Section 6.4) and/or enciphered PIN verification by the card (Section 6.6.5).

In order to obtain the ICC Public Key Certificate, of length N _I , the issuer applies the algorithm described in Appendix F, Section F.3.1 (case 2), on the ICC public key data (as described in Section 5.6.1 where the entity is the ICC) with the following RSA parameters: n _S = n _I and d _S = d _I . The issuer generates the ICC Public Key Certificate for each card that supports off-line DDA (Section 6.4.3). This certificate is loaded in the card during its personalization stage.

In order to obtain the ICC PIN Encipherment Public Key Certificate, of length N _I , the issuer applies the algorithm described in Appendix F, Section F.3.1 (case 2), on the ICC PIN encipherment public key data (as described in Section 5.6.1 where the entity is the ICC PIN encipherment). The issuer uses the following RSA parameters: n _S = n _I and d _S = d _I . The issuer generates the ICC PIN Encipherment Public Key Certificate for each card that supports enciphered PIN verification by the card (Section 6.6.5). This certificate is loaded in the card during its personalization stage.