【静态数据认证】

静态数据认证处理过程中,卡片没有执行任何处理,终端执行的处理流程:
1、认证中心公钥的获取
终端使用卡片上的认证中心公钥索引(PKI)【TAG:8F,Certification Authority Public Key Index】以及注册的应用提供商标识(RID)【TAG:9F06,Application Identifier(AID)-terminal】来获取存储在终端的认证中心公钥和相关信息;

注:认证中心公钥是预先存储在终端里的,通过PKI和RID作为索引找到;

2、发卡行公钥的获取
终端用认证中心公钥验证发卡行公钥证书【TAG:90,Issuer Public Key Certificate】,验证正确则从发卡行公钥证书中取出发卡行公钥;

注:通过第1步获取到认证中心公钥后,使用该公钥经过RSA算法解密发卡行公钥证书【TAG:90】的数据;根据解密后的数据(格式参考Book2,5.3,Table6)验证是否正确,如果正确,则可以获取到发卡行公钥(发卡行公钥有一部分是解密后获得的);

3、签名静态应用数据的验证
终端用发卡行公钥验证签名静态应用数据【TAG:93,Signed Static Application Data】,如果验证不正确,则数据可能被篡改,静态数据认证失败了;

注:通过第2步获取到发卡行公钥后,使用改公钥经过RSA算法解密签名静态应用数据【TAG:93】的数据;根据解密后的数据(格式参考Book2,5.4,Table7)验证是否正确;

4、静态数据认证结果
如果以上所有步骤得以成功执行,则静态数据认证通过;
如果静态数据认证失败,终端设置终端验证结果中的相应指示器,以显示静态数据认证结果,并在随后的处理中使用该指示器决定交易的处理;

【发卡行公钥的获取(Book2,5.3)】

1. If the Issuer Public Key Certificate has a henght different from the length of the Cerfitfication Authority Public Key Modulus obtained in the previous section, SDA has failed.
2. In order to obtain the recovered data speicified in the Table 6, apply the recovery function specified in Annex A2.1 to the Issuer Public Key Certificate using the Certification Authority Public Key in conjunction with the corresponding algorithm. If the Recovered Data Trailer is not equal to 'BC', SDA has failed.
3. Check the Recovered Data Header. If it is not '6A', SDA has failed.
4. Check the Certificate Format. If it is not '02', SDA has failed.
5. Concatenate from left to right the second to the tenth data elements in Table 6(that is, Certificate Format through Issuer Public Key or Leftmost Digits of the Issuer Public Key), followed by th Issuer Public Key Remainder(if present), and finally the Issuer Public Key Exponent.
6. Apply the indicated hash algorithm(derived from the Hash Algorithm Indicator) to the result of the concatenation of the previous step to produce the hash result.
7. Compare the calculated hash result from the previous step with the recoverd Hash Result. If they are not the same, SDA has failed.
8. Verify that the Issuer Identifier mathces the leftmost 3-8 PAN digits (allowing for the possible padding the Issuer Identifier with hexadecimal 'F's). If not, SDA has failed.
9. Verify that the last day of the month specified in the Certificate Expiration Date is equal to or later than today's date. If the Certificate Expiration Date is earlier than today's date, the certificate has expired, in which case SDA has failed.
10.Verify that the concatenation of RID, Certification Authority Public Key Index and Certificate Serial Number is valid. If not, SDA has failed.
11.If the Issuer Public Key Algorithm Indicator is not recognised, SDA has failed.
12.If all the checks above are correct, concatenate the Leftmost Digits of Issuer Public Key and the Issuer Public Key Remainder(if present) to obtain the Issuer Public Key Modulus, and continue with the next steps for the verification of the Signed Static Application Data.

【签名静态应用数据的验证(Book2,5.4)】

1. If the Signed Static Application Data has a length different from the length of the Issuer Public Key Modulus, SDA has failed.
2. In order to abtain the Recovered Data specified in Table 7, apply the recovery function specified in Annex A2.1 on the Signed Static Application Data using the Issuer Public Key in conjunction with the corresponding algorithm. If the Recovered Data Trailer is not equal to 'BC', SDA has failed.
3. Check the Recovered Data Header. If it is not '6A', SDA has failed.
4. Check the Signed Data Format. If it is mot '03', SDA has failed.
5. Concatenate from left to right the second to the fifth data elements in Table7(that is, Signed Static Data Format through Pad Pattern), followed by the static data to the authenticated as specified in section 10.3 of Book 3. If the Statis Data Authentication Tag List is present an contains tags other than 82, then SDA has failed.
6. Apply the indicated hasd algorithm (derived from the Hash Algorithm Indicator) to the result of the concatenation of the previous step to produce the hash result.
7. Compare the calculated hash result from the previous step with the recoverd Hash Result. If they are not the same, SDA has failed.
8. If all of the obove steps were executed successfully, SDA was successful. The Data Authentication Code recovered in Table 7 shall be stored in tag '9F45'.

【EMV L2】SDA静态数据认证处理流程的更多相关文章

  1. PBOC2.0安全系列之—脱机认证之静态数据认证(SDA)

    一,什么是PBOC2.0 2005年3月13日,人民银行发布第55号文,正式颁发了<中国金融集成电路(IC)卡规范>(简称PBOC2.0).该规范补充完善电子钱包/存折应用:增加借/贷记应 ...

  2. 静态数据认证(SDA)与动态数据认证(DDA)的区别

    PBOC/EMV里有两个非常重要的概念,SDA(staticdataauthentication)和DDA(dynamicdataauthentication),分别叫做静态数据认证和动态数据认证.这 ...

  3. 【EMV L2】DDA标准动态数据认证处理流程

    [标准动态数据认证DDA] 标准动态数据处理过程,除了动态签名由卡片生成以外,其他都是由终端执行的.处理过程: 1.认证中心公钥的获取终端使用认证中心公钥索引(PKI)以及卡片中的注册的应用提供商标识 ...

  4. PBOC2.0安全系列之—脱机认证之动态数据认证(DDA)

    动态数据认证: 一,什么是动态数据认证(DDA) 由于上篇<< PBOC2.0安全系列之—脱机认证之静态数据认证(SDA)>>已经对静态数据认证部分做了详细的分析,一些基本知识 ...

  5. PBOC/EMV 中SDA和DDA简介

    PBOC/EMV里有两个非常重要的概念,SDA(static data authentication)和DDA(dynamic data authentication),分别叫做静态数据认证和动态数据 ...

  6. 【EMV L2】GPO响应以及AIP、AFL

    [GPO命令] 终端通过GPO(Get Processing Options)命令 通知卡片交易开始.命令数据为PDOL指定的终端数据. [GPO响应] 卡片在GPO命令的响应中返回AIP和AFL:A ...

  7. 【EMV L2】CDA复合动态数据认证/应用密文生成

    复合动态数据认证/应用密文生成处理流程:对于复合动态数据认证/应用密文生成,终端执行标准动态数据认证的步骤1到3:1.认证中心公钥的获取终端使用认证中心公钥索引(PKI)以及卡片中的注册的应用提供商标 ...

  8. Linux内核网络数据包处理流程

    Linux内核网络数据包处理流程 from kernel-4.9: 0. Linux内核网络数据包处理流程 - 网络硬件 网卡工作在物理层和数据链路层,主要由PHY/MAC芯片.Tx/Rx FIFO. ...

  9. Dcloud课程5 php如何实现文件缓存技术(静态数据缓存)

    Dcloud课程5 php如何实现文件缓存技术(静态数据缓存) 一.总结 一句话总结:保存在磁盘上的静态文件,用PHP生成数据到静态文件中.其实cookie和session使用的就是这样的技术,所以c ...

随机推荐

  1. mysql awr v1.0.3修正说明以及发布

    本版本计划修正或者包含如下内容: 1.innodb buffer_pool只是分配的vm大小,实际并不一定真正使用这么多,还可能会有内存泄露,故调整从innodb_buffer_pool_stats获 ...

  2. AJAX跨域问题以及解决思路(更新中)

    跨域的三大原因(同时满足) 浏览器限制 跨域 XHR请求 解决思路: 让浏览器不做限制,指定参数,让浏览器不做校验,但该方法不太合理,它需要每个人都去做改动. 不要发出XHR请求,这样就算是跨域,浏览 ...

  3. 廖雪峰 JavaScript 学习笔记(判断、循环)

    条件判断  固定格式:if () { ... } else { ... } ,else可选 1.多行条件判断,通常把else if连写在一起,来增加可读性 例子: var age = 3; if (a ...

  4. ONOS架构-概览

    这个是阅读https://wiki.onosproject.org/display/ONOS/Architecture+Guide是顺便翻译的,目前断断续续在阅读,今天先贴一部分 概览 基于osgi, ...

  5. 异步核心接口IAsyncResult的实现

    要实现异步编程,就需要正确的实现IAsyncResult接口.IAsyncResult共有四个属性: public interface IAsyncResult { object AsyncState ...

  6. 网络模型 —— OSI七层模型,TCP五层模型,以及区分

    1. OSI七层模型 OSI层  介绍 功能 TCP/IP协议 应用层 操作系统或网络应用程序提供访问网络服务的接口. 文件传输.浏览器.电子邮件 HTTP, FTP, TFTP, SNMP, DNS ...

  7. mysql,Jdbc工具类,只需一条sql实现简单查询

    import java.io.ByteArrayOutputStream; import java.io.IOException; import java.io.InputStream; import ...

  8. python----集合用法总结

    集合也是一种数据类型,一个类似列表东西,它的特点是无序的,不重复的,也就是说集合中是没有重复的数据集合的作用:1.它可以把一个列表中重复的数据去掉,而不需要你再写判断2.可以做关系测试,比如说有两个班 ...

  9. 微信小程序Promise对象

    Promise 对象 Promise 的含义 基本用法 Promise.prototype.then() Promise.prototype.catch() Promise.prototype.fin ...

  10. MVC和MVVM对比

    被误解的 MVC MVC 的历史 MVC,全称是 Model View Controller,是模型 (model)-视图 (view)-控制器 (controller) 的缩写.它表示的是一种常见的 ...