【静态数据认证】

静态数据认证处理过程中,卡片没有执行任何处理,终端执行的处理流程:
1、认证中心公钥的获取
终端使用卡片上的认证中心公钥索引(PKI)【TAG:8F,Certification Authority Public Key Index】以及注册的应用提供商标识(RID)【TAG:9F06,Application Identifier(AID)-terminal】来获取存储在终端的认证中心公钥和相关信息;

注:认证中心公钥是预先存储在终端里的,通过PKI和RID作为索引找到;

2、发卡行公钥的获取
终端用认证中心公钥验证发卡行公钥证书【TAG:90,Issuer Public Key Certificate】,验证正确则从发卡行公钥证书中取出发卡行公钥;

注:通过第1步获取到认证中心公钥后,使用该公钥经过RSA算法解密发卡行公钥证书【TAG:90】的数据;根据解密后的数据(格式参考Book2,5.3,Table6)验证是否正确,如果正确,则可以获取到发卡行公钥(发卡行公钥有一部分是解密后获得的);

3、签名静态应用数据的验证
终端用发卡行公钥验证签名静态应用数据【TAG:93,Signed Static Application Data】,如果验证不正确,则数据可能被篡改,静态数据认证失败了;

注:通过第2步获取到发卡行公钥后,使用改公钥经过RSA算法解密签名静态应用数据【TAG:93】的数据;根据解密后的数据(格式参考Book2,5.4,Table7)验证是否正确;

4、静态数据认证结果
如果以上所有步骤得以成功执行,则静态数据认证通过;
如果静态数据认证失败,终端设置终端验证结果中的相应指示器,以显示静态数据认证结果,并在随后的处理中使用该指示器决定交易的处理;

【发卡行公钥的获取(Book2,5.3)】

1. If the Issuer Public Key Certificate has a henght different from the length of the Cerfitfication Authority Public Key Modulus obtained in the previous section, SDA has failed.
2. In order to obtain the recovered data speicified in the Table 6, apply the recovery function specified in Annex A2.1 to the Issuer Public Key Certificate using the Certification Authority Public Key in conjunction with the corresponding algorithm. If the Recovered Data Trailer is not equal to 'BC', SDA has failed.
3. Check the Recovered Data Header. If it is not '6A', SDA has failed.
4. Check the Certificate Format. If it is not '02', SDA has failed.
5. Concatenate from left to right the second to the tenth data elements in Table 6(that is, Certificate Format through Issuer Public Key or Leftmost Digits of the Issuer Public Key), followed by th Issuer Public Key Remainder(if present), and finally the Issuer Public Key Exponent.
6. Apply the indicated hash algorithm(derived from the Hash Algorithm Indicator) to the result of the concatenation of the previous step to produce the hash result.
7. Compare the calculated hash result from the previous step with the recoverd Hash Result. If they are not the same, SDA has failed.
8. Verify that the Issuer Identifier mathces the leftmost 3-8 PAN digits (allowing for the possible padding the Issuer Identifier with hexadecimal 'F's). If not, SDA has failed.
9. Verify that the last day of the month specified in the Certificate Expiration Date is equal to or later than today's date. If the Certificate Expiration Date is earlier than today's date, the certificate has expired, in which case SDA has failed.
10.Verify that the concatenation of RID, Certification Authority Public Key Index and Certificate Serial Number is valid. If not, SDA has failed.
11.If the Issuer Public Key Algorithm Indicator is not recognised, SDA has failed.
12.If all the checks above are correct, concatenate the Leftmost Digits of Issuer Public Key and the Issuer Public Key Remainder(if present) to obtain the Issuer Public Key Modulus, and continue with the next steps for the verification of the Signed Static Application Data.

【签名静态应用数据的验证(Book2,5.4)】

1. If the Signed Static Application Data has a length different from the length of the Issuer Public Key Modulus, SDA has failed.
2. In order to abtain the Recovered Data specified in Table 7, apply the recovery function specified in Annex A2.1 on the Signed Static Application Data using the Issuer Public Key in conjunction with the corresponding algorithm. If the Recovered Data Trailer is not equal to 'BC', SDA has failed.
3. Check the Recovered Data Header. If it is not '6A', SDA has failed.
4. Check the Signed Data Format. If it is mot '03', SDA has failed.
5. Concatenate from left to right the second to the fifth data elements in Table7(that is, Signed Static Data Format through Pad Pattern), followed by the static data to the authenticated as specified in section 10.3 of Book 3. If the Statis Data Authentication Tag List is present an contains tags other than 82, then SDA has failed.
6. Apply the indicated hasd algorithm (derived from the Hash Algorithm Indicator) to the result of the concatenation of the previous step to produce the hash result.
7. Compare the calculated hash result from the previous step with the recoverd Hash Result. If they are not the same, SDA has failed.
8. If all of the obove steps were executed successfully, SDA was successful. The Data Authentication Code recovered in Table 7 shall be stored in tag '9F45'.

【EMV L2】SDA静态数据认证处理流程的更多相关文章

  1. PBOC2.0安全系列之—脱机认证之静态数据认证(SDA)

    一,什么是PBOC2.0 2005年3月13日,人民银行发布第55号文,正式颁发了<中国金融集成电路(IC)卡规范>(简称PBOC2.0).该规范补充完善电子钱包/存折应用:增加借/贷记应 ...

  2. 静态数据认证(SDA)与动态数据认证(DDA)的区别

    PBOC/EMV里有两个非常重要的概念,SDA(staticdataauthentication)和DDA(dynamicdataauthentication),分别叫做静态数据认证和动态数据认证.这 ...

  3. 【EMV L2】DDA标准动态数据认证处理流程

    [标准动态数据认证DDA] 标准动态数据处理过程,除了动态签名由卡片生成以外,其他都是由终端执行的.处理过程: 1.认证中心公钥的获取终端使用认证中心公钥索引(PKI)以及卡片中的注册的应用提供商标识 ...

  4. PBOC2.0安全系列之—脱机认证之动态数据认证(DDA)

    动态数据认证: 一,什么是动态数据认证(DDA) 由于上篇<< PBOC2.0安全系列之—脱机认证之静态数据认证(SDA)>>已经对静态数据认证部分做了详细的分析,一些基本知识 ...

  5. PBOC/EMV 中SDA和DDA简介

    PBOC/EMV里有两个非常重要的概念,SDA(static data authentication)和DDA(dynamic data authentication),分别叫做静态数据认证和动态数据 ...

  6. 【EMV L2】GPO响应以及AIP、AFL

    [GPO命令] 终端通过GPO(Get Processing Options)命令 通知卡片交易开始.命令数据为PDOL指定的终端数据. [GPO响应] 卡片在GPO命令的响应中返回AIP和AFL:A ...

  7. 【EMV L2】CDA复合动态数据认证/应用密文生成

    复合动态数据认证/应用密文生成处理流程:对于复合动态数据认证/应用密文生成,终端执行标准动态数据认证的步骤1到3:1.认证中心公钥的获取终端使用认证中心公钥索引(PKI)以及卡片中的注册的应用提供商标 ...

  8. Linux内核网络数据包处理流程

    Linux内核网络数据包处理流程 from kernel-4.9: 0. Linux内核网络数据包处理流程 - 网络硬件 网卡工作在物理层和数据链路层,主要由PHY/MAC芯片.Tx/Rx FIFO. ...

  9. Dcloud课程5 php如何实现文件缓存技术(静态数据缓存)

    Dcloud课程5 php如何实现文件缓存技术(静态数据缓存) 一.总结 一句话总结:保存在磁盘上的静态文件,用PHP生成数据到静态文件中.其实cookie和session使用的就是这样的技术,所以c ...

随机推荐

  1. 基于虹软的Android的人脸识别SDK使用测试

    现在有很多人脸识别的技术我们可以拿来使用:但是个人认为还是离线端的SDK比较实用:所以个人一直在搜集人脸识别的SDK:原来使用开源的OpenCV:最近有个好友推荐虹软的ArcFace, 闲来无事就下来 ...

  2. Windows下使用CMD命令进入和退出MySQL数据库

    一.进入 1.在CMD命令窗口敲入命令 mysql -hlocalhost -uroot -p 后按回车(注意这里的"-h"."-u"."-p&quo ...

  3. 基于C语言的磁引导园丁机器人源程序 --单片机应用

    GardenRobot.c: #include"reg52.h" #include"intrins.h" #define uchar unsigned char ...

  4. Android中使用Thread线程与AsyncTask异步任务的区别

    最近和几个朋友交流Android开发中的网络下载问题时,谈到了用Thread开启下载线程时会产生的Bug,其实直接用子线程开启下载任务的确是很Low的做法,那么原因究竟如何,而比较高大上的做法是怎样? ...

  5. 『TensorFlow』正则化添加方法整理

    一.基础正则化函数 tf.contrib.layers.l1_regularizer(scale, scope=None) 返回一个用来执行L1正则化的函数,函数的签名是func(weights).  ...

  6. SpringMVC+Shiro整合配置文件详解

    http://blog.csdn.net/dawangxiong123/article/details/53020424

  7. python中模块包的离线下载教程

    1.简介 当我们进行Python项目的迁移时(例如迁移到另外一台服务器上),如果该服务器要求离线安装, 往往需要我们将项目中的所需模块包进行离线操作. 2.教程 2.1 首先安装pip2pi模块,它可 ...

  8. 【C/C++】泛型栈

    用 C 语言实现泛型栈 mystack.h #ifndef __MYSTACK_H__ #define __MYSTACK_H__ #include <assert.h> // C sty ...

  9. Nginx的使用(一)Nginx+IIS实现一个网站绑定多个https域名

    使用nginx最初的目的是为了解决iis7下无法配置多个443端口的问题,iis7下不同的域名无法同时绑定443端口,据说iis8是可以的,但是iis8的话需要安装windows server2012 ...

  10. Python *Mix_w5

    1. 字典dict dict  用{}来表示 ,键值对数据{key:value}  key具有唯一性 键:都必须是可哈希的,除了列表,不可变的数据类型都可以当做字典中的键 值  没有任何限制 2. 字 ...