
EMV Offline Data Authentication - CDA Mode 3

The EMV Spec 4.3 Vol 2 defines the different modes for CDA ("Combined Data Authentication") with a chart:

+----+-------------------+-----------------------------------+
|Mode|Request CDA on ARQC|Request CDA on 2nd GEN AC (TC)     |
|    |                   |after approved online authorisation|
+----+-------------------+-----------------------------------+
| 1  |        Yes        |              Yes                  |
| 2  |        Yes        |              No                   |
| 3  |        No         |              No                   |
| 4  |        No         |              Yes                  |
+----+-------------------+-----------------------------------+

My question: If a PinPad is in CDA Mode 3, does it actually perform the data authentication step at all?

The PinPad I am using is in CDA Mode 3 and it appears to be doing so sometime in the ARPC validation/TC generation step, as evidenced by Byte 1, Bit 8 of the TVR being set to zero at that time. However, the chart above would lead me to believe that it is not.

Unfortunately, I don't have a UL or Collis tool to get inside the PinPad to see the PinPad/chip flow.

The short answer to your question is YES - the acceptance device will perform card authentication. When it comes to ODA, it might also be SDA (already obsolete) or DDA that happens regardless of CDA mode.

CDA mode 3 means only that ODA will not be performed if another CAM (Card Authentication Method) is available. It will still happen for offline-accepted transactions.

To clarify, the Card Authentication Methods are:

  • Offline CAM = PKI-based Offline Data Authentication, of which CDA is an example
  • Online CAM = symmetric-cryptography-based verification of cryptograms during online communication.

In the early days of EMV implementation, acceptance devices had quite limited processing power - they were mostly based on 8-bit microcontrollers, which meant it took ages to perform RSA with a larger modulus. That's why CDA mode 3 was introduced - to avoid performing resource-heavy offline CAM when online CAM is available - in online transactions. That was perceived as an optimization at the time and was recommended by schemes and EMVCo. In today's terms, CDA mode 1 is widely adopted and I don't remember any recent Type Approvals with CDA mode 3. If you have a device with it, you might be dealing with an old device with an expired approval.

The ARPC verification (Issuer Authentication step) you mention is not reflected in TVR B1b8 - it is only an indication that ODA was not performed, which (apart from the CDA mode 3 situation) might also be the case when card and terminal do not support any common authentication method (some online-only terminals do not need to perform ODA; some non-expiring cards do not support ODA either). Issuer Authentication might be explicit (when the AIP in the card indicates it and you received an ARPC in the response), but might also happen implicitly (when the AIP doesn't indicate it but the card requests the ARPC in CDOL2), and you might not see it indicated in the TVR.
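The mode table from the question and the TVR bit discussed in the answer, as an added worked example (this is not code from the original question or answer): it maps each CDA mode to whether the terminal sets the CDA-request bit in the GENERATE AC reference control parameter (P1), and decodes TVR byte 1 so that bit 8 ("Offline data authentication was not performed") can be checked from an APDU or transaction trace without a UL or Collis tool. The P1 and TVR bit layouts are those of EMV 4.3 Book 3 (Table 14 and Annex C5); the function names and the sample TVR values are constructed for the illustration, and the rule that an offline-approved TC always carries a CDA request follows the answer's statement that ODA still happens for offline-accepted transactions.

```python
"""Added example, not part of the original Q&A: CDA mode -> GENERATE AC P1,
plus TVR byte 1 decoding. Bit layouts follow EMV 4.3 Book 3 (Table 14 for
P1, Annex C5 for the TVR); the mode table is the one quoted in the question.
Function names and sample TVR values are constructed for this illustration."""

# CDA mode -> (request CDA on ARQC, request CDA on 2nd GEN AC TC after online approval)
CDA_MODES = {
    1: (True, True),
    2: (True, False),
    3: (False, False),
    4: (False, True),
}

# GENERATE AC reference control parameter (P1), EMV 4.3 Book 3 Table 14
AC_AAC = 0x00            # bits 8-7 = 00: decline
AC_TC = 0x40             # bits 8-7 = 01: offline approve
AC_ARQC = 0x80           # bits 8-7 = 10: go online
P1_CDA_REQUESTED = 0x10  # bit 5: CDA signature requested


def cda_requested(mode: int, ac_type: int, second_gen_ac: bool = False) -> bool:
    """Does a terminal in this CDA mode ask the card for a CDA signature?

    second_gen_ac=True means the second GENERATE AC issued after an online
    authorisation (the right-hand column of the mode table)."""
    if mode not in CDA_MODES:
        raise ValueError(f"unknown CDA mode {mode}")
    on_arqc, on_second_tc = CDA_MODES[mode]
    if ac_type == AC_AAC:
        return False              # a decline never carries a CDA request
    if ac_type == AC_ARQC:
        return on_arqc            # column "Request CDA on ARQC"
    if ac_type != AC_TC:
        raise ValueError(f"invalid AC type {ac_type:#04x}")
    if second_gen_ac:
        return on_second_tc       # column "Request CDA on 2nd GEN AC (TC)"
    return True                   # offline-approved TC: CDA in every mode


def generate_ac_p1(mode: int, ac_type: int, second_gen_ac: bool = False) -> int:
    """Build the P1 byte the terminal sends in GENERATE AC for this step."""
    p1 = ac_type
    if cda_requested(mode, ac_type, second_gen_ac):
        p1 |= P1_CDA_REQUESTED
    return p1


# TVR byte 1 (EMV 4.3 Book 3 Annex C5); only the bits used here are listed
TVR_BYTE1_BITS = {
    0x80: "Offline data authentication was not performed",
    0x40: "SDA failed",
    0x20: "ICC data missing",
    0x10: "Card appears on terminal exception file",
    0x08: "DDA failed",
    0x04: "CDA failed",
}


def decode_tvr_byte1(tvr_hex: str) -> list:
    """Return the names of the TVR byte 1 bits that are set."""
    tvr = bytes.fromhex(tvr_hex)
    if len(tvr) != 5:
        raise ValueError("TVR (tag 95) is 5 bytes")
    return [name for bit, name in TVR_BYTE1_BITS.items() if tvr[0] & bit]


def oda_performed(tvr_hex: str) -> bool:
    """B1b8 = 0 means some ODA (SDA, DDA or CDA) was performed, even if it failed."""
    return not (bytes.fromhex(tvr_hex)[0] & 0x80)


if __name__ == "__main__":
    # Walk through the question's situation: the transaction goes online and is approved.
    for mode in (1, 3):
        first = generate_ac_p1(mode, AC_ARQC)
        second = generate_ac_p1(mode, AC_TC, second_gen_ac=True)
        print(f"mode {mode}: 1st GEN AC P1={first:#04x}, 2nd GEN AC P1={second:#04x}")
    print(f"mode 3, offline-approved TC: P1={generate_ac_p1(3, AC_TC):#04x}")
    # Constructed TVR values (tag 95), not captured from a real device
    for tvr in ("8000000000", "0000000000", "0400000000"):
        print(tvr, "ODA performed:", oda_performed(tvr), decode_tvr_byte1(tvr))
```

In mode 3 neither GENERATE AC of an online-approved transaction carries bit 5 (P1 is 0x80 then 0x40, against 0x90 and 0x50 in mode 1), so no CDA signature is requested in that flow; a TVR B1b8 of 0 observed there can only come from another ODA method (DDA, or the obsolete SDA) run before the first GENERATE AC, which is the answer's point. The decoder also shows why B1b8 alone says nothing about ARPC validation: a TVR of 0400000000 has B1b8 clear although CDA failed.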
