Keys used by the PBOC 2.0 debit/credit application

1 3DES master key

Purpose: protect online transaction messages using the 3DES block cipher with double-length keys.

Issuer master key - must be installed in the card personalization system and in the transaction and authorization system.

Card master key - derived from the issuer master key when the card is personalized, so the issuing bank does not need to store it. (The issuer generates and uses several issuer 3DES master keys and, using the card PAN and PAN sequence number, derives from them several 3DES master keys that are unique to the card.)

Process key - the 3DES key used during a card transaction. It is diversified from the IC card master key inside the card, and only when needed.

The issuing bank master keys include:

1) Issuer application cryptogram master key IMKAC: the application cryptogram (AC) authenticates transaction messages between the card and the issuing bank's transaction authorization system. An application cryptogram, such as ARQC, ARPC, AAC or TC, is a message authentication code (MAC) calculated with a process key. The process key is diversified from the corresponding IC card master key MKAC, and MKAC is in turn derived from the issuer key IMKAC and written to the card at personalization.

2) Issuer secure messaging master keys IMKSMC and IMKSMI: issuer secure messaging (SM) protects messages sent between the card and the transaction authorization system during specific post-issuance operations (such as card lock, application lock or unlock, card data update, PIN change or PIN unlock). Different keys should be used for message encryption and for message integrity protection. The secure message is encrypted with the secure messaging encryption process key SKSMC, which is derived from the card secure messaging encryption master key MKSMC. The MAC of the secure message is calculated with the secure messaging MAC process key SKSMI, which is derived from the card secure messaging integrity master key MKSMI. The issuer secure messaging master keys IMKSMC and IMKSMI are used to derive MKSMC and MKSMI, respectively.

2 Key used by SDA

SDA requires the issuing bank, when the card is personalized, to sign specific static data with the private key of its RSA public-private key pair and to write the signature data to the card.

First, the issuing bank generates its RSA public-private key pair. The IC card root CA then signs the issuing bank's public key to issue the issuing bank public key certificate, and the issuing bank's private key is used to sign the static data. When the card is personalized, the issuing bank writes the issuing bank public key certificate and the signed card static data to the card. The format of the issuing bank certificate and of the signed static data can be found in the PBOC 2.0 security specification and in the Financial IC Card Debit/Credit Application Root CA Public Key Certification Specification.

The terminal performs the following steps during the verification of the card SDA:

1. Read the issuing bank public key certificate from the card.
2. Verify the issuer certificate using the IC card root CA public key stored in the terminal.
3. Recover the issuing bank public key from the issuing bank certificate.
4. Read the card static signature data and verify the signature of the static data with the issuing bank public key.

See Financial IC Card Debit/Credit Application Root CA Public Key Certification Specification.

3 Key used by Card Dynamic Data Authentication (DDA)

DDA requires the card to have its own RSA public-private key pair; the card's public key certificate is issued by the issuing bank in accordance with the PBOC 2.0 security specification.

The card private key is stored in the card and is used to sign dynamic data while the card performs DDA. The terminal uses the card's public key to verify the card's DDA signature. The RSA public-private key pair of the IC card is unique to each IC card. The issuing bank generates the card key pair during card personalization, writes the card private key to the card, signs the card public key to produce a card public key certificate, and writes that certificate to the card.

When the terminal verifies the card's DDA, it first verifies the issuing bank public key certificate read from the card, using the IC card root CA public key stored in the terminal, and recovers the issuing bank public key from that certificate. It then uses the issuing bank public key to verify the IC card public key certificate read from the card, recovers the card public key from it, and uses the card public key to verify the signature on the DDA signature data sent by the card.
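The SDA steps and the DDA chain described above, as an added example (not from the original page or the PBOC 2.0 specification): a terminal-side walk from root CA key to issuer key to card key using textbook RSA. The block layout (header, length, payload, padding, SHA-1, trailer), the exponent, the toy keys built from well-known primes and all function names are assumptions of this example, not the certificate format the specification defines.

```python
import hashlib

E = 65537  # public exponent assumed for every toy key below

def keypair(p, q):  # toy RSA key from two well-known primes -> (n, d)
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def size(n):
    return (n.bit_length() + 7) // 8

def to_int(b):
    return int.from_bytes(b, "big")

def sign(n, d, payload, extra=b""):
    """Signer: 6A | len | payload | pad | SHA-1(body | extra) | BC under the private key."""
    body = len(payload).to_bytes(2, "big") + payload
    if len(body) > size(n) - 22:
        raise ValueError("payload too long for this modulus")
    body += b"\xbb" * (size(n) - 22 - len(body))
    block = b"\x6a" + body + hashlib.sha1(body + extra).digest() + b"\xbc"
    return pow(to_int(block), d, n).to_bytes(size(n), "big")

def recover(n, sig, extra=b""):
    """Terminal: apply the public key, check header, trailer, hash; payload or None."""
    if len(sig) != size(n) or to_int(sig) >= n:
        return None
    block = pow(to_int(sig), E, n).to_bytes(size(n), "big")
    body, digest = block[1:-21], block[-21:-1]
    if block[0] != 0x6A or block[-1] != 0xBC or hashlib.sha1(body + extra).digest() != digest:
        return None
    return body[2:2 + to_int(body[:2])]

def verify_sda(ca_n, issuer_cert, signed_static, static_data):
    issuer_n = recover(ca_n, issuer_cert)  # root CA key -> issuer key
    return bool(issuer_n) and recover(to_int(issuer_n), signed_static, static_data) is not None

def verify_dda(ca_n, issuer_cert, card_cert, dyn_sig, challenge):
    issuer_n = recover(ca_n, issuer_cert)  # root CA key -> issuer key
    card_n = recover(to_int(issuer_n), card_cert) if issuer_n else None  # issuer -> card key
    return bool(card_n) and recover(to_int(card_n), dyn_sig, challenge) is not None

# Constructed sample data: what the issuer would write at personalization (toy keys).
CA_N, CA_D = keypair(2**521 - 1, 2**607 - 1)
ISS_N, ISS_D = keypair(2**448 - 2**224 - 1, 2**384 - 2**128 - 2**96 + 2**32 - 1)
CARD_N, CARD_D = keypair(2**255 - 19, 2**256 - 2**32 - 977)
ISSUER_CERT = sign(CA_N, CA_D, ISS_N.to_bytes(size(ISS_N), "big"))
CARD_CERT = sign(ISS_N, ISS_D, CARD_N.to_bytes(size(CARD_N), "big"))
STATIC = b"constructed static card data"
SIGNED_STATIC = sign(ISS_N, ISS_D, b"\x00\x01", STATIC)
```

Because the terminal's challenge is hashed into the card's signature, a dynamic signature captured in one transaction fails verification under a different challenge, whereas the SDA signature is the same on every read.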

Composite Dynamic Data Authentication (CDA) is an extension of DDA. CDA not only signs the dynamic transaction data with the card private key, but also signs the application cryptogram. This protects against attacks on transaction data.

4 Other keys

In addition to the above-mentioned keys for the card transaction process, the issuing bank also needs to have a key for the secure transmission of personalized data during the card personalization process, as described in Section 10.9 of this standard. For multi-application IC cards, in addition to the above keys, keys for other applications may be required.




