【静态数据认证】

静态数据认证处理过程中,卡片没有执行任何处理,终端执行的处理流程:
1、认证中心公钥的获取
终端使用卡片上的认证中心公钥索引(PKI)【TAG:8F,Certification Authority Public Key Index】以及注册的应用提供商标识(RID)【TAG:9F06,Application Identifier(AID)-terminal】来获取存储在终端的认证中心公钥和相关信息;

注:认证中心公钥是预先存储在终端里的,通过PKI和RID作为索引找到;

2、发卡行公钥的获取
终端用认证中心公钥验证发卡行公钥证书【TAG:90,Issuer Public Key Certificate】,验证正确则从发卡行公钥证书中取出发卡行公钥;

注:通过第1步获取到认证中心公钥后,使用该公钥经过RSA算法解密发卡行公钥证书【TAG:90】的数据;根据解密后的数据(格式参考Book2,5.3,Table6)验证是否正确,如果正确,则可以获取到发卡行公钥(发卡行公钥有一部分是解密后获得的);

3、签名静态应用数据的验证
终端用发卡行公钥验证签名静态应用数据【TAG:93,Signed Static Application Data】,如果验证不正确,则数据可能被篡改,静态数据认证失败了;

注:通过第2步获取到发卡行公钥后,使用改公钥经过RSA算法解密签名静态应用数据【TAG:93】的数据;根据解密后的数据(格式参考Book2,5.4,Table7)验证是否正确;

4、静态数据认证结果
如果以上所有步骤得以成功执行,则静态数据认证通过;
如果静态数据认证失败,终端设置终端验证结果中的相应指示器,以显示静态数据认证结果,并在随后的处理中使用该指示器决定交易的处理;

【发卡行公钥的获取(Book2,5.3)】

1. If the Issuer Public Key Certificate has a henght different from the length of the Cerfitfication Authority Public Key Modulus obtained in the previous section, SDA has failed.
2. In order to obtain the recovered data speicified in the Table 6, apply the recovery function specified in Annex A2.1 to the Issuer Public Key Certificate using the Certification Authority Public Key in conjunction with the corresponding algorithm. If the Recovered Data Trailer is not equal to 'BC', SDA has failed.
3. Check the Recovered Data Header. If it is not '6A', SDA has failed.
4. Check the Certificate Format. If it is not '02', SDA has failed.
5. Concatenate from left to right the second to the tenth data elements in Table 6(that is, Certificate Format through Issuer Public Key or Leftmost Digits of the Issuer Public Key), followed by th Issuer Public Key Remainder(if present), and finally the Issuer Public Key Exponent.
6. Apply the indicated hash algorithm(derived from the Hash Algorithm Indicator) to the result of the concatenation of the previous step to produce the hash result.
7. Compare the calculated hash result from the previous step with the recoverd Hash Result. If they are not the same, SDA has failed.
8. Verify that the Issuer Identifier mathces the leftmost 3-8 PAN digits (allowing for the possible padding the Issuer Identifier with hexadecimal 'F's). If not, SDA has failed.
9. Verify that the last day of the month specified in the Certificate Expiration Date is equal to or later than today's date. If the Certificate Expiration Date is earlier than today's date, the certificate has expired, in which case SDA has failed.
10.Verify that the concatenation of RID, Certification Authority Public Key Index and Certificate Serial Number is valid. If not, SDA has failed.
11.If the Issuer Public Key Algorithm Indicator is not recognised, SDA has failed.
12.If all the checks above are correct, concatenate the Leftmost Digits of Issuer Public Key and the Issuer Public Key Remainder(if present) to obtain the Issuer Public Key Modulus, and continue with the next steps for the verification of the Signed Static Application Data.

【签名静态应用数据的验证(Book2,5.4)】

1. If the Signed Static Application Data has a length different from the length of the Issuer Public Key Modulus, SDA has failed.
2. In order to abtain the Recovered Data specified in Table 7, apply the recovery function specified in Annex A2.1 on the Signed Static Application Data using the Issuer Public Key in conjunction with the corresponding algorithm. If the Recovered Data Trailer is not equal to 'BC', SDA has failed.
3. Check the Recovered Data Header. If it is not '6A', SDA has failed.
4. Check the Signed Data Format. If it is mot '03', SDA has failed.
5. Concatenate from left to right the second to the fifth data elements in Table7(that is, Signed Static Data Format through Pad Pattern), followed by the static data to the authenticated as specified in section 10.3 of Book 3. If the Statis Data Authentication Tag List is present an contains tags other than 82, then SDA has failed.
6. Apply the indicated hasd algorithm (derived from the Hash Algorithm Indicator) to the result of the concatenation of the previous step to produce the hash result.
7. Compare the calculated hash result from the previous step with the recoverd Hash Result. If they are not the same, SDA has failed.
8. If all of the obove steps were executed successfully, SDA was successful. The Data Authentication Code recovered in Table 7 shall be stored in tag '9F45'.

【EMV L2】SDA静态数据认证处理流程的更多相关文章

  1. PBOC2.0安全系列之—脱机认证之静态数据认证(SDA)

    一,什么是PBOC2.0 2005年3月13日,人民银行发布第55号文,正式颁发了<中国金融集成电路(IC)卡规范>(简称PBOC2.0).该规范补充完善电子钱包/存折应用:增加借/贷记应 ...

  2. 静态数据认证(SDA)与动态数据认证(DDA)的区别

    PBOC/EMV里有两个非常重要的概念,SDA(staticdataauthentication)和DDA(dynamicdataauthentication),分别叫做静态数据认证和动态数据认证.这 ...

  3. 【EMV L2】DDA标准动态数据认证处理流程

    [标准动态数据认证DDA] 标准动态数据处理过程,除了动态签名由卡片生成以外,其他都是由终端执行的.处理过程: 1.认证中心公钥的获取终端使用认证中心公钥索引(PKI)以及卡片中的注册的应用提供商标识 ...

  4. PBOC2.0安全系列之—脱机认证之动态数据认证(DDA)

    动态数据认证: 一,什么是动态数据认证(DDA) 由于上篇<< PBOC2.0安全系列之—脱机认证之静态数据认证(SDA)>>已经对静态数据认证部分做了详细的分析,一些基本知识 ...

  5. PBOC/EMV 中SDA和DDA简介

    PBOC/EMV里有两个非常重要的概念,SDA(static data authentication)和DDA(dynamic data authentication),分别叫做静态数据认证和动态数据 ...

  6. 【EMV L2】GPO响应以及AIP、AFL

    [GPO命令] 终端通过GPO(Get Processing Options)命令 通知卡片交易开始.命令数据为PDOL指定的终端数据. [GPO响应] 卡片在GPO命令的响应中返回AIP和AFL:A ...

  7. 【EMV L2】CDA复合动态数据认证/应用密文生成

    复合动态数据认证/应用密文生成处理流程:对于复合动态数据认证/应用密文生成,终端执行标准动态数据认证的步骤1到3:1.认证中心公钥的获取终端使用认证中心公钥索引(PKI)以及卡片中的注册的应用提供商标 ...

  8. Linux内核网络数据包处理流程

    Linux内核网络数据包处理流程 from kernel-4.9: 0. Linux内核网络数据包处理流程 - 网络硬件 网卡工作在物理层和数据链路层,主要由PHY/MAC芯片.Tx/Rx FIFO. ...

  9. Dcloud课程5 php如何实现文件缓存技术(静态数据缓存)

    Dcloud课程5 php如何实现文件缓存技术(静态数据缓存) 一.总结 一句话总结:保存在磁盘上的静态文件,用PHP生成数据到静态文件中.其实cookie和session使用的就是这样的技术,所以c ...

随机推荐

  1. File 与 FileStream 文件运用

    using System.IO; using System.Text; using UnityEngine; /// <summary> /// File 一次性控制 (小文件) /// ...

  2. Learning-Python【补充篇】:Python之可变类型与不可变类型

    可变类型 值变了,但是id没有变,证明没有生成新的值而是在改变原值,原值是可变类型 不可变类型 值变了,id也跟着变,证明是重新开辟一块内存空间生成了新的值,而不是在改变原值,原值是不可变类型

  3. 【NOI 2015】品酒大会

    Problem Description 一年一度的"幻影阁夏日品酒大会"隆重开幕了.大会包含品尝和趣味挑战两个环节,分别向优胜者颁发"首席品酒家"和" ...

  4. 6th-Python基础——集合、函数

    1.集合 主要作用: (1)去重 (2)关系测试,交集.差集difference().并集union().反向差集symmetric_difference().子集issubset().父集issup ...

  5. Flex外包公司——案例汇总

    Flex做的案例汇总: http://flex.org/showcase/ http://taggraph.com/everybody http://demoprod.informationbuild ...

  6. C#以太坊基础入门

    在这一部分,我们将使用C#开发一个最简单的.Net控制台应用,来接入以太坊节点,并打印 所连接节点旳版本信息.通过这一部分的学习,你将掌握以下技能: 如何使用节点仿真器 如何在命令行访问以太坊节点 如 ...

  7. Codeforces 1107 E - Vasya and Binary String

    E - Vasya and Binary String 思路:区间dp + 记忆化搜索 转移方程看上一篇博客. 代码: #pragma GCC optimize(2) #pragma GCC opti ...

  8. 第 8 章 容器网络 - 065 - 容器在 Weave 中如何通信和隔离?

    首先在host2 执行如下命令: weave launch 10.12.31.22 这里必须指定 host1 的 IP 10.12.31.22,这样 host1 和 host2 才能加入到同一个 we ...

  9. localStorage、sessionStorage用法以及区别

    设置: sessionStorage.setItem("key", "value");localStorage.setItem("site" ...

  10. HTML中引用外部JS文件失效原因

    今天在练习中碰到“引用外部的一个js文件但是却失效”的情况,实在不懂,百度后才知是引用的位置不对,错误的代码如下: <head> <meta charset="UTF-8& ...