EMV Key Types and Derivation

This article goes through EMV keys and how they are derived.
This part covers:
• The key names
• The keys and purposes
• How to derive them

AC Key: used for ARQC generation and ARPC verification
MAC Key: used for calculating the MAC value
ENC Key: used for encrypting data

ICC Master Key Derivation
For more details on this, please check EMV Book 2.
There are two options; this article works through Option A only.
This method takes as input the PAN and PAN Sequence Number, plus a k-bit Issuer Master Key IMK, and produces the k-bit ICC Master Key MK in the following way:
Concatenate from left to right the decimal digits of the Application PAN with the PAN Sequence Number (if the PAN Sequence Number is not present, then it is replaced by a ‘00’ byte). If the result X is less than 16 digits long, pad it to the left with hexadecimal zeros in order to obtain an 8-byte number Y in numeric format. If X is at least 16 digits long, then Y consists of the 16 rightmost digits of X in numeric format.
Compute the two 8-byte numbers
ZL := DES3(IMK)[Y]
and
ZR := DES3(IMK)[Y ⊕ (‘FF’ || ‘FF’ || ‘FF’ || ‘FF’ || ‘FF’ || ‘FF’ || ‘FF’ || ‘FF’)]
and define
Z := (ZL || ZR)
The 128-bit ICC Master Key MK is then equal to Z, with the exception of the least significant bit of each byte of Z, which is set to a value that ensures that each of the 16 bytes of MK has an odd number of nonzero bits (this is to conform with the odd parity requirements for DES keys).
PAN (Card Number): 5656781234567891
PSN (PAN Sequence Number): 01
Y = rightmost 16 digits of (PAN || PSN)
Y = ‘56 78 12 34 56 78 91 01’
ZL = 3DES(IMK) [Y]
ZL = ‘CB 45 F9 93 BD DA 76 3E’
ZR = 3DES(IMK) [Y ⊕ ‘FF FF FF FF FF FF FF FF’]
ZR = ‘F0 30 AF 6C E1 76 27 35’
Z = ZL || ZR
Z = ‘CB 45 F9 93 BD DA 76 3E F0 30 AF 6C E1 76 27 35’
The keys derived from the Issuer Master Key are called ICC Master Keys.

Session Key Derivation
The common session key derivation generates a unique session key for each transaction performed by the application. It does this by enciphering an n-byte diversification value with the k-bit ICC Master Key (MK) to produce a k-bit ICC Session Key (SK) using an n-byte block cipher algorithm ALG in ECB mode.
The n-byte diversification value is represented as
R = R0 || R1 || R2 || … || Rn-1 .
For the session key used to generate and verify the Application Cryptogram and the ARPC, the diversification value is the ATC followed by n-2 bytes of ‘00’:
R := ATC || ‘00’ || ‘00’ || … || ‘00’ || ‘00’ || ‘00’.
For the session keys used for secure messaging, the diversification value R is the Application Cryptogram returned in the response to the first GENERATE AC command followed by n-8 bytes of ‘00’:
R := Application Cryptogram … || ‘00’ || ‘00’ || ‘00’.
For an n-byte block cipher ALG using a k-bit key where k = 8n (AES with k=128) the derivation function F is computed as follows:
SK := ALG (MK) [ R ].
For an n-byte block cipher ALG using a k-bit key where 16n ≥ k > 8n (Triple DES with k=128 or AES with k=192 or 256) R is used to create two n-byte blocks as follows:
F1 = R0 || R1 || ‘F0’ || … || Rn-1.
F2 = R0 || R1 || ‘0F’ || … || Rn-1.
and
SK := Leftmost k-bits of {ALG (MK) [F1] || ALG (MK) [F2] }.
The same session key is used for all commands in a single transaction.
The following examples describe Session Key Derivation for different key types, using the ICC Master Key values defined above and ATC = ‘0001’ and ARQC = ‘1234123412341234’.
Example 1: Session Key Derivation for Cryptogram Generation in 3DES
R = R0 || R1 || R2 || R3 || … || Rn-1
R = ATC || ‘00 00 00 00 00 00’
R = ‘00 01 00 00 00 00 00 00’
F1 = [R0 || R1 || ‘F0’ || R3 || … || Rn-1]
F1 = ‘00 01 F0 00 00 00 00 00’
F2 = [R0 || R1 || ‘0F’ || R3 || … || Rn-1]
F2 = ‘00 01 0F 00 00 00 00 00’
SK = leftmost 128 bits of ( 3DES(MK) [F1] || 3DES(MK) [F2] )
SK = ‘E0 11 BB 83 D8 A6 0B EE 3C DE 76 8F 68 56 0B D9’
Example 2: Session Key Derivation for Secure Messaging and Integrity in 3DES
R = R0 || R1 || R2 || R3 || … || Rn-1
R = ARQC = ‘12 34 12 34 12 34 12 34’
F1 = [R0 || R1 || ‘F0’ || R3 || … || Rn-1]
F1 = ‘12 34 F0 34 12 34 12 34’
F2 = [R0 || R1 || ‘0F’ || R3 || … || Rn-1]
F2 = ‘12 34 0F 34 12 34 12 34’
SK = leftmost 128 bits of ( 3DES(MK) [F1] || 3DES(MK) [F2] )
SK = ‘7A 36 C6 71 D1 57 46 BE 3F 13 98 13 6A FD 95 46’
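
The Option A steps and the F1/F2 construction above, as an added Python example (not code from this article or from EMV Book 2). The block cipher is passed in as a callable; because the article does not give the IMK, `replay_imk` is a constructed stand-in that replays the article's ZL and ZR blocks, and all function names are assumptions.

```python
from typing import Callable, Optional

Encrypt = Callable[[bytes], bytes]  # one 8-byte block in, one 8-byte block out

def build_y(pan: str, psn: Optional[str] = None) -> bytes:
    """Y: the 16 rightmost digits of PAN || PSN, zero-padded on the left."""
    x = pan + (psn or "00")  # an absent PSN is replaced by '00'
    if not x.isdigit():
        raise ValueError("PAN and PSN must be decimal digits")
    return bytes.fromhex(x[-16:].rjust(16, "0"))

def odd_parity(key: bytes) -> bytes:
    """Set the low bit of each byte so every byte has an odd number of 1 bits."""
    return bytes((b & 0xFE) | (1 - bin(b >> 1).count("1") % 2) for b in key)

def derive_icc_mk(enc_imk: Encrypt, pan: str, psn: Optional[str] = None) -> bytes:
    """Option A: MK = odd_parity(ZL || ZR); enc_imk is 3DES under the IMK."""
    y = build_y(pan, psn)
    zl = enc_imk(y)
    zr = enc_imk(bytes(b ^ 0xFF for b in y))
    return odd_parity(zl + zr)

def session_blocks(value: bytes, n: int = 8) -> tuple:
    """Pad ATC or AC with '00' to n bytes (R), then put F0 / 0F in place of R2."""
    if not 2 <= len(value) <= n:
        raise ValueError("diversification value must be 2..n bytes")
    r = value.ljust(n, b"\x00")
    return r[:2] + b"\xF0" + r[3:], r[:2] + b"\x0F" + r[3:]

def derive_sk(enc_mk: Encrypt, value: bytes, k_bytes: int = 16) -> bytes:
    """Two-block case (e.g. Triple DES): leftmost k bits of ALG(MK)[F1] || ALG(MK)[F2]."""
    f1, f2 = session_blocks(value)
    return (enc_mk(f1) + enc_mk(f2))[:k_bytes]

# Constructed stand-in (assumption): replays the article's ZL and ZR blocks
# because the article does not give the IMK. Real use passes a 3DES encrypt call.
PAGE_BLOCKS = {
    bytes.fromhex("5678123456789101"): bytes.fromhex("CB45F993BDDA763E"),
    bytes.fromhex("A987EDCBA9876EFE"): bytes.fromhex("F030AF6CE1762735"),
}
replay_imk: Encrypt = PAGE_BLOCKS.__getitem__

if __name__ == "__main__":
    mk = derive_icc_mk(replay_imk, "5656781234567891", "01")
    print("MK :", mk.hex().upper())
    for label, value in (("ATC", "0001"), ("ARQC", "1234123412341234")):
        f1, f2 = session_blocks(bytes.fromhex(value))
        print(label, "F1:", f1.hex().upper(), "F2:", f2.hex().upper())
```

The MK it prints is the article's Z after the odd-parity step, which the worked example above stops short of.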

In the next article, we will talk about how to use these derived keys.