PBOC/EMV DDA (Dynamic Data Authentication)

Source: Internet
Author: User

Please indicate the source when reprinting.

Author: Pony

In the previous article we covered SDA. DDA can be understood as SDA followed by one step that is unique to DDA, and this article focuses on that unique step. With it, DDA not only provides what SDA provides (assurance that the data on the card has not been modified since personalization) but also prevents the card from being copied and forged: a cloned card can reproduce all of the static data, but not the private key that the dynamic signature requires.

Step 1: Recover the ICC public key

The issuer public key recovered in the SDA phase (from the Issuer Public Key Certificate, using the CA public key) has a second use in DDA: recovering the ICC (IC card) public key. As a formula:

Issuer Public Key + ICC Public Key Certificate + RSA algorithm = ICC Public Key

Two details matter in practice. The recovered certificate holds only the leftmost part of the ICC modulus; if the modulus is longer than the space available in the certificate, the rest comes from the ICC Public Key Remainder (tag 9F48), and the exponent comes from the ICC Public Key Exponent (tag 9F47). The certificate also carries a hash that the terminal recomputes over the certificate fields, the remainder, the exponent and the static data listed for SDA, which is how the SDA guarantee is carried into DDA.

The ICC Public Key Certificate is a signed block that is read from the card in the Read Application Data phase. Its length is always that of the issuer modulus, so the Len value 50 (hex, i.e. 80 bytes) below tells you the issuer key is 640 bits. It looks similar to the following:

Tag 9F46 ICC Public Key Certificate
  Len   50
  Value 79 DE 85 4F 1F 84 9E 8B 42 9D 72 6A 8B 93 F0 E9
        83 06 B7 7F A8 78 67 26 B4 F6 25 6B ED 87 9F 2C
        24 52 24 DD 93 1C A8 0D 44 D8 C6 A5 5E 6D A9 BB
        E5 F3 E2 7F 65 98 28 E4 2D 27 A1 7C 33 49 88 83
        34 D7 46 3C 0C 6E C7 BA 93 D6 27 65 44 FB BF C5

Step 2: Obtain the Signed Dynamic Application Data

The terminal first sends the card an INTERNAL AUTHENTICATE command. Its data field is the terminal data named in the DDOL (Dynamic Data Authentication Data Object List, tag 9F49), which the card returned during the Read Application Data phase; the DDOL tells the terminal which of its own data elements to concatenate, in which order and at what lengths, as input to the dynamic signature. Example:

Tag 9F49 Dynamic Data Authentication Data Object List (DDOL)
  Len   15
  Value 9F 02 06 9F 03 06 9F 1A 02 95 05 5F 2A 02 9A 03
        9C 01 9F 37 04

Decoded, this DDOL asks for 27 bytes of terminal data:
  9F02  Amount, Authorised          6 bytes
  9F03  Amount, Other               6 bytes
  9F1A  Terminal Country Code       2 bytes
  95    Terminal Verification Results  5 bytes
  5F2A  Transaction Currency Code   2 bytes
  9A    Transaction Date            3 bytes
  9C    Transaction Type            1 byte
  9F37  Unpredictable Number        4 bytes

Note that 9F37 (the Unpredictable Number, a fresh random value generated by the terminal for each transaction) is mandatory in the DDOL: it is what makes each signature unique to the transaction, so a Signed Dynamic Application Data block captured from an earlier transaction cannot be replayed. If the card supplies no DDOL, the terminal falls back to its default DDOL, which must contain the Unpredictable Number as well.

The card concatenates the DDOL data received from the terminal with dynamic data it generates itself (the ICC Dynamic Data, for example a number derived from the ATC), hashes the result, and signs it with the ICC private key. Note that this private key lives in the card's secure storage and never leaves it. The resulting block is the Signed Dynamic Application Data (tag 9F4B), which the card returns to the terminal in the INTERNAL AUTHENTICATE response.

Step 3: Verify the hash

The formula is as follows:

ICC Public Key + Signed Dynamic Application Data + RSA = recovered data A

A is laid out like the certificate recovered in Step 1: a header byte (6A), the Signed Data Format (05), the Hash Algorithm Indicator (01 for SHA-1), the ICC Dynamic Data Length and the ICC Dynamic Data itself, a pad pattern, a 20-byte hash result, and a trailer byte (BC). Call the part from the Signed Data Format through the pad pattern A1, and the 20 bytes before the trailer the hash result.

The terminal appends the DDOL data it sent in Step 2 to A1 and hashes the whole thing with the indicated algorithm, giving a hash result B.

B is compared with the hash result recovered in A. If they are equal, DDA succeeds; otherwise it fails. (Before the comparison the terminal also checks that the header, Signed Data Format and trailer bytes of A have the expected values; a recovered block with the wrong layout fails DDA without a hash comparison.)

As mentioned earlier, DDA prevents card copying. From the process above, even a copied card passes SDA (the static data is the same) and Step 1 (the certificate is static data too), but because the ICC private key cannot be extracted from the genuine card, the copy cannot produce a signature that verifies under the recovered ICC public key, so the dynamic signature check in Step 3 fails.
