IBM Crypto Education Community

Expand all | Collapse all

CVN18 using ICSF programs

  • 1.  CVN18 using ICSF programs

    Posted Thu July 14, 2022 04:30 PM
    I am trying to generate the ARQC as following:
    1. Generate Token using 'DATAM'||'INTERNAL'||DOUBLE' as input in CSNBKTG.
    2. Concatenating PAN||PAN SEQ (4123456789012345||02) and generate 16 byte value '2345678901234502'x
    then XOR with 'FFFFFFFFFFFFFFFF'x and generate new PAN data = '2345678901234502DCBA9876FEDCBAFD'x
    3. Using CSNBDKG, using above PAN Data and input array 'TDES-ENC' we generate new key (Guess it is UDK)
    4. Using CSNBDKG using above UDK , ATC '0012000000000000'x, ' and input array 'SESS-XOR', generated Session Key
    5. Using CSNBMGN using above generated Session key and entire Cryptogram data (Amount, Other Amount, Currency code, Date Currency Code, ATC, Unpredict#, AIP... & '8000000000000000' (totally 48 bytes), generated ARQC.

    This ARQC value is not matching with the received one. Not sure if this is the correct method to generate ARQC. Please guide me with correct steps and values which I need to use to generate ARQC and ARPC for CVN18.

    ------------------------------
    Dipin Jose
    ------------------------------


  • 2.  RE: CVN18 using ICSF programs

    Posted Fri July 15, 2022 06:57 PM
    In CVN18,  You need a DKYGENKY – option DKL1 DMAC MDK.  The second derivation is with a second TDES-ENC.  The derivation data is : 

    ATC || 0xF0 || 0x00 || 0x00…0x00 || ATC || 0x0F || 0x00 || 0x00…0x00 
    This will give you the session key. 
    You can also use CSNBEAC, it will do all the work ... 




    ------------------------------
    Martin Provost
    ------------------------------



  • 3.  RE: CVN18 using ICSF programs

    Posted Sat July 16, 2022 01:48 AM
    Hi Martin;

    Thanks for the response. I am trying to generate the ARQC as following:
    1. Generate Token using 'DATAM'||'INTERNAL'||DOUBLE' as input in CSNBKTG.

    2. Concatenating PAN||PAN SEQ (4123456789012345||02) and generate 16 byte value '2345678901234502'x
    then XOR with 'FFFFFFFFFFFFFFFF'x and generate new PAN data = '2345678901234502DCBA9876FEDCBAFD'x

    3. In CSNBDKG program, using MDK which is DKYGENKY - DKYL0 DMAC , above PAN Data and input array 'TDES-ENC' we generate new key (Guess it is UDK)

    4. Using CSNBDKG using above UDK , ATC '0012000000000000'x, ' and input array 'SESS-XOR', generated Session Key
        Tried different ATC combinations as follow to generated various Session keys, but couldn't generate correct ARQC value in next step :( :
         1. '00 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00'
         2. '00 12 F0 00 00 00 00 00 00 12 0F 00 00 00 00 00 00 00'
         3. '00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 00 FF ED'

    5. Using CSNBMGN using above generated Session key and entire Cryptogram data (Amount, Other Amount, Currency code, Date Currency Code, ATC, Unpredict#, AIP... & '8000000000000000' (totally 48 bytes), generated ARQC.

    I tried with CSNBEAC using MDK - DKYGENKY - DKYL0 DMAC and used ATC value as mentioned - '00 12 F0 00 00 00 00 00 00 12 0F 00 00 00 00 00 00 00'. I am getting error with reason code '27'. 

    A control vector violation occurred.

    REASONCODES: This reason code also corresponds to these ICSF reason codes: 272C (10028), 2730 (10032), 2734 (10036), 2744 (10052), 2768 (10088), 278C (10124), 3E90 (16016), 2724 (10020).

    Could you please guide me. 



    ------------------------------
    Dipin Jose
    ------------------------------



  • 4.  RE: CVN18 using ICSF programs

    Posted Tue July 19, 2022 03:10 PM
    You need a DKYGENKY - DKYL1 DMAC MDK.  This is why you have a reason code 27, control vector violation. 

    ------------------------------
    Martin Provost
    ------------------------------



  • 5.  RE: CVN18 using ICSF programs

    Posted Tue July 19, 2022 11:13 PM
    @Martin Provost

    Thanks for your response. Is there any way we can validate ARQC and Generate ARPC for CVN 18 using ​DKYGENKY - DKYL0 DMAC MDK. Currently DKYGENKY - DKYL0 DMAC MDK key is used by the Chip Card issuing (printing) vendors. They generated the sample values for us as part of testing. So we both are using same key. Installing new Key with DKYL1 is not possible.

    One more thing, in the step 3, they are setting ODD Parity while generating key. But not sure how we can set ODD Parity, while generating same using CSNBDKG program, ICSF. Is it because of that we are not able to generate the correct key?
    "3. In CSNBDKG program, using MDK which is DKYGENKY - DKYL0 DMAC , above PAN Data and input array 'TDES-ENC' we generate new key (Guess it is UDK)"

    Could you please let me know how we validate and generate ARQC and ARPC using DYKGENKY - DKYL0 DMAC.




    ------------------------------
    Dipin Jose
    ------------------------------



  • 6.  RE: CVN18 using ICSF programs

    Posted Mon July 25, 2022 08:58 AM
    CVN18 is different from CVN10. Under CVN10, there is only one derivation step from the MDK to a session AC key. Under CVN18, there are two derivation steps:
    MDK -> UDK
    UDK -> Session

    In CCA (ICSF) wording, the MDK is a DKYL1 and the UDK is a DKYL0, which you are showing in steps 3 and 4 above. Under CVN18, there is no way to use an MDK that is DKYL0 because it is one level too low.

    Parity is handled automatically during key derivation.

    ------------------------------
    Eric Rossman
    ------------------------------



  • 7.  RE: CVN18 using ICSF programs

    Posted Mon July 25, 2022 09:32 AM
    @Eric Rossman

    Thanks for your response. Is there any solution to validate and generate ARQC and ARPC using existing MDK ​(DKYGENKY - DKYL0 DMAC). Please note same key is used by the Card issuing team to generate transaction for validation. So not sure how they generated Session Key and ARQC value using same. Might be they are using different method or system. 

    ------------------------------
    Dipin Jose
    ------------------------------



  • 8.  RE: CVN18 using ICSF programs

    Posted Tue July 26, 2022 01:47 PM
    There really isn't a supported way to generate ARQC or ARPC from an MDK that is a DKYGENKY-DKLY0 because to get to a session key from an MDK under CVN18 requires 2 derivations.
    The most likely scenarios are that the MDK that you have is either:
    1. intended for use under CVN18 and thus needs to be created as a DKLY1 key so you can do the two separate derivation steps.
    2. intended for use under CVN10.

    ------------------------------
    Eric Rossman
    ------------------------------



  • 9.  RE: CVN18 using ICSF programs

    Posted Wed July 27, 2022 02:05 AM
    @Eric Rossman

    Thanks again. I have following queries:
    1. Is MDK and Issuer master key AC same?
    2. Can we use Issuer Master Key AC - DKLY0 for CVN18, ARQC verification and ARPC generation? if possible, please provide me steps we need to follow to do same using ICSF modules. 
    3. If we change existing DKLY0 - Issuer Master Key AC will KCV remains same for DKLY1 and DKLY0?

    ​​

    ------------------------------
    Dipin Jose
    ------------------------------



  • 10.  RE: CVN18 using ICSF programs

    Posted Thu July 28, 2022 08:52 AM
    1. What Visa Integrated Circuit Card Specification (VIS) calls the Master Derivation Key that is used to derive the UDK, in EMV is called the Issuer Master Key, IMK.
    2. In CVN10, the Issuer Master Key is used to derive the UDK and the UDK is used to calculate the ARQC. However, in CVN18, the MDK is derived into a UDK and the UDK is derived into the session key to generate or verify Application Cryptograms (ARQC, TC, AAC).
    3. If the same key material is in both the DKYL0 and DKYL1, they would have the same key check value.


    ------------------------------
    Eric Rossman
    ------------------------------



  • 11.  RE: CVN18 using ICSF programs

    Posted Thu July 28, 2022 09:21 AM
    @Eric Rossman

    "In CVN10, the Issuer Master Key is used to derive the UDK and the UDK is used to calculate the ARQC. However, in CVN18, the MDK is derived into a UDK and the UDK is derived into the session key to generate or verify Application Cryptograms (ARQC, TC, AAC)."

    Following steps we did for CVN18 using MDK/Issue Master Key - DKYGENKY-DKLY0,but not able to generate valid ARQC and ARPC. Please guide us to fix same. 

    1. Generate Token using 'DATAM'||'INTERNAL'||DOUBLE' as input in CSNBKTG.

    2. Concatenating PAN||PAN SEQ (4123456789012345||02) and generate 16 byte value '2345678901234502'x
    then XOR with 'FFFFFFFFFFFFFFFF'x and generate new PAN data = '2345678901234502DCBA9876FEDCBAFD'x

    3. In CSNBDKG program, using MDK which is DKYGENKY - DKYL0 DMAC , above PAN Data and input array 'TDES-ENC' we generate new key (Guess it is UDK)

    4. Using CSNBDKG using above UDK , ATC '0012000000000000'x, ' and input array 'SESS-XOR', generated Session Key
        Tried different ATC combinations as follow to generated various Session keys, but couldn't generate correct ARQC value in next step :( :
         1. '00 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00'
         2. '00 12 F0 00 00 00 00 00 00 12 0F 00 00 00 00 00 00 00'
         3. '00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 00 FF ED'

    5. Using CSNBMGN using above generated Session key and entire Cryptogram data (Amount, Other Amount, Currency code, Date Currency Code, ATC, Unpredict#, AIP... & '8000000000000000' (totally 48 bytes), generated ARQC.



    ------------------------------
    Dipin Jose
    ------------------------------



  • 12.  RE: CVN18 using ICSF programs

    Posted Mon August 01, 2022 09:30 AM
    Hello good morning,
    
    I've used as many of the new APIs as the long way around and everything worked fine.
    
    Clarified the type of IMK key that you must define and the two derivations to obtain the SDK, I recommend you not to use the pad & '80000000000' and check the rules test using EMVMACD, MACLEN8 and I did it validating CSNBMVR but it should work also generating.

    I tell you that to generate the ARPC CVN 18 there are changes, you have to use the same SDK key and concatenate using the ARQC and CSU and the length of the mac is 4 bytes.

    Slds.,Gustavo


    ------------------------------
    Gustavo Ramirez
    ------------------------------



  • 13.  RE: CVN18 using ICSF programs

    Posted Mon August 01, 2022 09:30 AM
    Hello good morning,
    
    I've used as many of the new APIs as the long way around and everything worked fine.
    
    Clarified the type of IMK key that you must define and the two derivations to obtain the SDK, I recommend you not to use the pad '80000000000' and check the rules test using EMVMACD, MACLEN8 and I did it validating CSNBMVR but it should work also generating.

    I tell you that to generate the ARPC CVN18 there are changes, you have to use the same SDK key and concatenate using the ARQC and CSU and the length of the mac is 4 bytes.


    ------------------------------
    Gustavo Ramirez
    ------------------------------



  • 14.  RE: CVN18 using ICSF programs

    Posted Thu December 07, 2023 12:42 PM

    i need your support? 

    I am implementing cvn18 with the support of new control:
     
    1: we use CSNBKTB with the keyword 'DES'
    'INTERNAL'
    'DOUBLE'
    'DKYL1 ' and in key-type 'DKYGENKY'
     
    Then we go to CSNBEAC with the keywords:
    'TDES'
    'VERARQC'
    'VISA'
    'CVN18'
    'PAN-16'
     
    it's right?


    ------------------------------
    Luis Romero
    ------------------------------



  • 15.  RE: CVN18 using ICSF programs

    Posted Thu December 07, 2023 02:24 PM
    Hello Luis, good morning,  I'm going to review the routine and get back to you. I haven't watched the program for a few months.  slds., Gustavo






  • 16.  RE: CVN18 using ICSF programs

    Posted Tue December 12, 2023 04:44 PM
    Thanks for your answer, you will have the example?


    ------------------------------
    Luis Romero
    ------------------------------



  • 17.  RE: CVN18 using ICSF programs

    Posted Thu December 07, 2023 12:48 PM
    I need your support, I am implementing cvn18 with the support of new control:
     
    1: we use CSNBKTB with the keyword 'DES'
    'INTERNAL'
    'DOUBLE'
    'DKYL1 ' and in key-type 'DKYGENKY'
     
    Then we go to CSNBEAC with the keywords:
    'TDES'
    'VERARQC'
    'VISA'
    'CVN18'
    'PAN-16'
     
    it's right?


    ------------------------------
    Luis Romero
    ------------------------------



  • 18.  RE: CVN18 using ICSF programs

    Posted Thu December 07, 2023 01:16 PM

    Hi Luis

    It's been a long, I don't remember much. 

    Are you using same Master Key which is used for CVN10?

    You can contact me via dipinjose@gmail.com



    ------------------------------
    Dipin Jose
    ------------------------------



  • 19.  RE: CVN18 using ICSF programs

    Posted Fri December 08, 2023 05:36 PM

    Hi Luis,

    There is a CVN 18 REXX sample here https://community.ibm.com/community/user/ibmz-and-linuxone/blogs/anna-deng1/2021/02/09/rexx-sample?CommunityKey=6593e27b-caf6-4f6c-a8a8-10b62a02509c&tab=recentcommunityblogsdashboard

    I hope it helps



    ------------------------------
    Fernando Pellisario
    ------------------------------



  • 20.  RE: CVN18 using ICSF programs

    Posted Tue December 12, 2023 08:53 AM
    I HAVE A DOUBT ABOUT THE EXAMPLE, BECAUSE FOR CVN18 IN STEP 2 CSNBDCM, I SEE THAT Generate an ICC Master Application Cryptogram Key (AC). The Unique DEA Key will be a DKYGENKY DMAC DKYL0 AND NOT DKYL11 token.


    ------------------------------
    Luis Romero
    ------------------------------



  • 21.  RE: CVN18 using ICSF programs

    Posted Tue December 12, 2023 08:52 AM

    Hello Martin, if I am using CANVA, WHAT OTHER ROUTINE WOULD I USE TO COMPLETE THE PROCESS FOR CVN18? THIS FRAGMENT WAS SHARED WITH ME IN REXX



    ------------------------------
    Luis Romero
    ------------------------------