【EMV L2】SDA Static Data Authentication Processing Flow

Published: 2023/12/2

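【Static Data Authentication】

During static data authentication the card performs no processing; the terminal carries out the following steps:
1. Retrieval of the Certification Authority Public Key
The terminal uses the Certification Authority Public Key Index (PKI) 【TAG: 8F, Certification Authority Public Key Index】 read from the card together with the Registered Application Provider Identifier (RID) 【TAG: 9F06, Application Identifier (AID) - terminal】 to retrieve the Certification Authority Public Key and its associated information stored in the terminal.

Note: The Certification Authority Public Key is pre-loaded in the terminal and is looked up using the PKI and the RID as the index.

2. Retrieval of the Issuer Public Key
The terminal uses the Certification Authority Public Key to verify the Issuer Public Key Certificate 【TAG: 90, Issuer Public Key Certificate】; if verification succeeds, the Issuer Public Key is extracted from the certificate.

Note: Once the Certification Authority Public Key has been obtained in step 1, the terminal uses it with the RSA algorithm to decrypt the data of the Issuer Public Key Certificate 【TAG: 90】 and checks the decrypted data (for the format see Book 2, 5.3, Table 6). If the checks pass, the Issuer Public Key can be obtained (part of the Issuer Public Key comes from the decrypted data).

3. Verification of the Signed Static Application Data
The terminal uses the Issuer Public Key to verify the Signed Static Application Data 【TAG: 93, Signed Static Application Data】; if verification fails, the data may have been tampered with and static data authentication has failed.

Note: Once the Issuer Public Key has been obtained in step 2, the terminal uses it with the RSA algorithm to decrypt the data of the Signed Static Application Data 【TAG: 93】 and checks the decrypted data (for the format see Book 2, 5.4, Table 7).

4. Static data authentication result
If all of the steps above complete successfully, static data authentication passes.
If static data authentication fails, the terminal sets the corresponding indicator in the Terminal Verification Results to record the static data authentication result, and uses that indicator in subsequent processing to decide how the transaction is handled.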



【Retrieval of the Issuer Public Key (Book 2, 5.3)】

1. If the Issuer Public Key Certificate has a length different from the length of the Certification Authority Public Key Modulus obtained in the previous section, SDA has failed.
2. In order to obtain the recovered data specified in Table 6, apply the recovery function specified in Annex A2.1 to the Issuer Public Key Certificate using the Certification Authority Public Key in conjunction with the corresponding algorithm. If the Recovered Data Trailer is not equal to 'BC', SDA has failed.
3. Check the Recovered Data Header. If it is not '6A', SDA has failed.
4. Check the Certificate Format. If it is not '02', SDA has failed.
5. Concatenate from left to right the second to the tenth data elements in Table 6 (that is, Certificate Format through Issuer Public Key or Leftmost Digits of the Issuer Public Key), followed by the Issuer Public Key Remainder (if present), and finally the Issuer Public Key Exponent.
6. Apply the indicated hash algorithm (derived from the Hash Algorithm Indicator) to the result of the concatenation of the previous step to produce the hash result.
7. Compare the calculated hash result from the previous step with the recovered Hash Result. If they are not the same, SDA has failed.
8. Verify that the Issuer Identifier matches the leftmost 3-8 PAN digits (allowing for the possible padding of the Issuer Identifier with hexadecimal 'F's). If not, SDA has failed.
9. Verify that the last day of the month specified in the Certificate Expiration Date is equal to or later than today's date. If the Certificate Expiration Date is earlier than today's date, the certificate has expired, in which case SDA has failed.
10. Verify that the concatenation of RID, Certification Authority Public Key Index and Certificate Serial Number is valid. If not, SDA has failed.
11. If the Issuer Public Key Algorithm Indicator is not recognised, SDA has failed.
12. If all the checks above are correct, concatenate the Leftmost Digits of Issuer Public Key and the Issuer Public Key Remainder (if present) to obtain the Issuer Public Key Modulus, and continue with the next steps for the verification of the Signed Static Application Data.
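
The 5.3 checks above as runnable Python, added here as an illustration; it is not code from the original post or from the EMV specification. Assumptions: the CA key is a constructed, insecure demo key built from two Mersenne primes, the function names and all sample values (PAN, issuer modulus, date) are hypothetical, Hash Algorithm Indicator '01' is taken as SHA-1 and Issuer Public Key Algorithm Indicator '01' as RSA, and step 10 (the revocation lookup) is left out.

```python
import datetime, hashlib

# Constructed, insecure demo CA key (two Mersenne primes); never a real scheme key.
P, Q, CA_EXP = 2**521 - 1, 2**607 - 1, 65537
CA_MOD, N_CA = P * Q, 141                     # N_CA = CA modulus length in bytes

class SDAFailed(Exception):
    """Any failed check in Book 2, 5.3 ends SDA."""

def recover_issuer_key(cert, remainder, issuer_exp, pan, today):
    """Steps 1-9, 11 and 12 of 5.3; returns the Issuer Public Key Modulus."""
    def need(ok, why):
        if not ok:
            raise SDAFailed(why)
    need(len(cert) == N_CA, "step 1: certificate length != CA modulus length")
    rec = pow(int.from_bytes(cert, "big"), CA_EXP, CA_MOD).to_bytes(N_CA, "big")
    need(rec[-1] == 0xBC, "step 2: trailer")
    need(rec[0] == 0x6A, "step 3: header")
    need(rec[1] == 0x02, "step 4: certificate format")
    need(rec[11] == 0x01, "step 6: only SHA-1 (indicator '01') handled here")
    digest = hashlib.sha1(rec[1:-21] + remainder + issuer_exp).digest()  # steps 5-6
    need(digest == rec[-21:-1], "step 7: hash mismatch")
    issuer_id = rec[2:6].hex().upper().rstrip("F")            # strip 'F' padding
    need(3 <= len(issuer_id) <= 8 and pan.startswith(issuer_id), "step 8: issuer id")
    mm, yy = int(rec[6:7].hex()), 2000 + int(rec[7:8].hex())  # BCD MMYY, 20YY assumed
    need((yy, mm) >= (today.year, today.month), "step 9: certificate expired")
    need(rec[12] == 0x01, "step 11: only RSA (indicator '01') handled here")
    return (rec[15:-21] + remainder)[:rec[13]]                # step 12, drops 'BB' pad

def build_constructed_cert(issuer_mod, issuer_exp):
    """Constructed sample input: a Table 6 record signed with the demo CA key."""
    d = pow(CA_EXP, -1, (P - 1) * (Q - 1))
    left, rem = issuer_mod[:N_CA - 36].ljust(N_CA - 36, b"\xBB"), issuer_mod[N_CA - 36:]
    body = (bytes.fromhex("02" "412345FF" "1230" "000001" "01" "01")
            + bytes([len(issuer_mod), len(issuer_exp)]) + left)
    rec = b"\x6A" + body + hashlib.sha1(body + rem + issuer_exp).digest() + b"\xBC"
    return pow(int.from_bytes(rec, "big"), d, CA_MOD).to_bytes(N_CA, "big"), rem

# Constructed sample values: placeholder issuer modulus, exponent 3, PAN, terminal date.
ISSUER_MOD, ISSUER_EXP = bytes(range(128, 240)), b"\x03"
PAN, TODAY = "4123450000000000", datetime.date(2024, 1, 15)
CERT, REMAINDER = build_constructed_cert(ISSUER_MOD, ISSUER_EXP)

if __name__ == "__main__":
    print(recover_issuer_key(CERT, REMAINDER, ISSUER_EXP, PAN, TODAY).hex())
```

The Issuer Public Key Remainder and Exponent are covered only by the hash, not by the RSA recovery, so changing either one is caught at step 7 rather than at the header or trailer checks.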


【Verification of the Signed Static Application Data (Book 2, 5.4)】

1. If the Signed Static Application Data has a length different from the length of the Issuer Public Key Modulus, SDA has failed.
2. In order to obtain the Recovered Data specified in Table 7, apply the recovery function specified in Annex A2.1 on the Signed Static Application Data using the Issuer Public Key in conjunction with the corresponding algorithm. If the Recovered Data Trailer is not equal to 'BC', SDA has failed.
3. Check the Recovered Data Header. If it is not '6A', SDA has failed.
4. Check the Signed Data Format. If it is not '03', SDA has failed.
5. Concatenate from left to right the second to the fifth data elements in Table 7 (that is, Signed Static Data Format through Pad Pattern), followed by the static data to be authenticated as specified in section 10.3 of Book 3. If the Static Data Authentication Tag List is present and contains tags other than 82, then SDA has failed.
6. Apply the indicated hash algorithm (derived from the Hash Algorithm Indicator) to the result of the concatenation of the previous step to produce the hash result.
7. Compare the calculated hash result from the previous step with the recovered Hash Result. If they are not the same, SDA has failed.
8. If all of the above steps were executed successfully, SDA was successful. The Data Authentication Code recovered in Table 7 shall be stored in tag '9F45'.


Reposted from: https://www.cnblogs.com/utank/p/8469360.html
