Key Management and its Relationship to Cryptography: SDA

Key Management and Relationship to Cryptography: Part I | SDA

I learned a lot from the Cryptography course so I decided to share with other Cybrary users how it relates to my field in the payment industry using ICCs (Integrated Circuit Cards).

SDA stands for Static Data Authentication in the EMV world. SDA is performed on a card by the terminal using digital signature techniques to confirm that the data resident on an ICC. This detects modification of a data after personalisation.

SDA requires that a CA (certificate authority), signs the IPK (issuer public keys). Below diagram shows what plays out during the process.

This is the scenario that plays out

The issuer of chip card gets a CA and gives the CA her Public Key (P_I). The CA merges the P_I with the CA's Private Key (S_CA) and issues an Issuer PK Certificate.

The Issuer PK is then encoded into the ICC together with the Signed Static Application Data (SSAD), which is a combination of the Static Application Data and the Issuer Private Key (S_I).

When a cardholder uses the ICC on a terminal, the Acquirer decrypts or deciphers the message with the CA's Public Key (P_CA) that corresponds with the Private Key (S_CA) pair to verify the ICC's authenticity and uses the Issuer's P_I to confirm that the ICC's SSAD was signed by the Issuer.

ICCs that support SDA will contain the following elements:

§  CA Public Key Index – which contains a number that indicates which of the application’s CA public keys and its related algorithm that resides in the terminal to be used with the ICC.

§  Issuer Public Key Certificate – this is provided by the CA to the card issuer.

§  Signed Static Authentication Data (SSAD) – generated by the issue using a private key that is the pair to the public key authenticated in the Issuer Public Key Certificate. It is the digital signature (DS) protecting the data elements in the ICC.

References

Diagram culled from EMV 4.3 Book 2