|
Command: |
Generate a Secure Message with Integrity over data to be sent from the Issuer back to the Card. Optionally, Secure Messaging with Confidentiality is also provided; in that case the confidential part of the message data must be supplied encrypted under a Transport Key (TK). The command then decrypts that data using the Transport Key before re-encrypting it using the Secure Messaging Confidentiality Session Key. |
|
Notes: |
This command performs a similar function to the KU command but has been adapted to support the EMV2000 session key mechanism. The KU command provided modes that used the Issuer Master Key for both integrity and confidentiality; this was to support an option in M/Chip 2.1. The M/Chip 4 specification recommends that different keys are used for integrity and confidentiality. To support this recommendation, this command does not allow the integrity and confidentiality session keys to be derived from the same master key.
|
|
Field |
Length & Type |
Details |
|
COMMAND MESSAGE |
|
Message header |
m A |
(Subsequently returned to the Host unchanged). |
|
Command code |
2 A |
Value KY. |
|
Mode Flag |
1 N |
0 = Integrity only
2 = Integrity and Confidentiality
4 = Integrity and PIN Change
Note: Modes 1 and 3 are not used. The KU command used these modes for Integrity and Confidentiality using the same Master Key; this is not supported in the KY command. |
|
Scheme-ID |
1 N |
Only present if Mode Flag = 4. Identifier for the card scheme:
0 = VIS 1.4.0
1 = M/Chip 4
Used to determine which padding method to use for PIN Change. |
|
*MK-SMI(LMK) |
32 H or 1A+32H |
The Master Key for Secure Messaging with Integrity encrypted under Variant 2 of LMK pair 28-29. |
|
PAN/PAN Sequence No |
8 B |
Pre-formatted PAN/PAN Sequence number |
|
Branch/Height parameters |
1 N |
0 = Branch factor 2; Tree Height 16
1 = Branch factor 4; Tree Height 8 |
|
Application Transaction Counter |
2 B |
The ATC from the card. This is used for Session Key Generation. |
|
Plaintext Message Data Length |
4 H |
Length in bytes of the Plaintext Message Data in the next field. |
|
Plaintext Message Data |
n B |
Plaintext Message Data. |
|
Delimiter |
1 A |
Delimiter of previous field, “;”. |
|
*MK-SMC(LMK) |
32 H or 1A+32H |
Only present if Mode Flag = 2 or 4. The Master Key for Secure Messaging with Confidentiality, encrypted under Variant 3 of LMK pair 28-29. |
|
TK(LMK) |
32 H or 1A+32H |
Only present if Mode Flag = 2. Transport Key encrypted under LMK pair 30-31. This is the key that was used to encrypt the supplied Cipher Text Message Data. |
|
Offset |
4 H |
Only present if Mode Flag = 2 or 4. Position within the Plaintext data at which the Ciphertext data is inserted. Must be between 0000 and the Plaintext Message Data Length, inclusive. If Offset = n, the Ciphertext is inserted AFTER the nth byte of the Plaintext (e.g. if the Plaintext Message Data Length is 0039 and the Offset is 0039, the Ciphertext data is placed at the end of the plaintext message). If Mode Flag = 4, this field specifies the position of the New PIN Block. |
|
Cipher Text Message Data Length |
4 H |
Only present if Mode Flag = 2 or 4. Length in bytes of the data in the next field. |
|
Cipher Text Message Data |
n B |
Only present if Mode Flag = 2 or 4. Cipher Text Message supplied encrypted under the Transport Key (TK). It must be a multiple of 8 bytes long. Note that no additional padding is applied to the decrypted message before it is re-encrypted, so the supplied data must already be padded as the card expects. If Mode Flag = 4, this field carries the New PIN Block; if the Destination PIN Block Format = 42 it carries the Current PIN Block concatenated with the New PIN Block. |
|
Delimiter |
1 A |
Only present if Mode Flag = 2 or 4. Delimiter of previous field, “;”. |
|
|
Source PIN Encryption Key Type |
1 N |
Only present if Mode Flag = 4.
0 = ZPK |
|
|
Source PIN Encryption Key |
16 H or 1A+32H or 1A+48H |
Only present if Mode Flag = 4. Source PIN Encryption Key, encrypted under the LMK pair determined by the Source PIN Encryption Key Type. |
|
|
Source PIN Block Format |
2 N |
Only present if Mode Flag = 4. The format code for the source PIN block. |
|
Destination PIN Block format |
2 N |
Only present if Mode Flag = 4. 34 = Standard EMV PIN Block. Formats 41 and 42 are the Visa PIN Change formats referenced by the Cipher Text Message Data and MK-AC(LMK) fields. |
|
Account Number |
12 N |
Only present if Mode Flag = 4. The 12 right most digits of the account number, excluding the check digit, used for PIN Block translation. |
|
*MK-AC(LMK) |
32 H or 1A+32H |
Only present if Mode Flag = 4 AND Destination PIN Block Format = 41 or 42. The Issuer Master Key for Application Cryptograms, encrypted under Variant 1 of LMK pair 28-29. This is required to create PIN Blocks for Visa PIN Change. |
|
End message delimiter |
1 C |
Optional. Must be present if a message trailer is present. Value X’19. |
|
Message trailer |
n A |
Optional. Maximum length 32 characters. |
|
Field |
Length & Type |
Details |
|
RESPONSE MESSAGE |
|
Message header |
m A |
Returned to the Host unchanged. |
|
Response code |
2 A |
Value KZ |
|
Error Code |
2 N |
00 – No error
04 – Invalid Mode flag
05 – Invalid Scheme-ID
06 – Invalid Offset
07 – Invalid ciphertext message length parameter
08 – Ciphertext message length error
09 – TK or ZPK/TPK parity error
10 – MK-SMI parity error
11 – MK-SMC parity error
12 – No keys in user storage
13 – LMK parity error
15 – Error in input data
21 – Invalid user storage index
23 – Invalid PIN block format code
50 – Source PIN Encryption Key Type not set to 0 or 1
51 – MK-AC parity error
80 – Data length error
81 – Data not a multiple of 8 bytes |
|
MAC |
8 B |
The calculated 64 bit MAC. |
|
Re-encrypted ciphertext Data Length |
4 H |
Length in bytes of the data in the next field. Only present if Mode Flag = 2 or 4 (absent for Mode 0; Modes 1 and 3 are rejected with error code 04). |
|
Re-encrypted ciphertext message Data |
n B |
The Cipher Text Message Data decrypted under the Transport Key and re-encrypted under the Secure Messaging Confidentiality Session Key. Only present if Mode Flag = 2 or 4 (absent for Mode 0; Modes 1 and 3 are rejected with error code 04). |
|
End message delimiter |
1 C |
Present only if present in the command message. Value X’19. |
|
Message trailer |
n A |
Present only if present in the command message. Maximum length 32 characters. |
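The command and response layouts above, encoded and decoded in Python as an added example; this is not Thales code or text from this reference. It models Mode 0 and Mode 2 only, so the Mode 4 PIN-change fields are left out. The framing it assumes (an ASCII message header of a length the host already knows, fields in table order, H fields sent as ASCII hex, B fields sent as raw bytes, N and A fields as ASCII) and every header string, key cryptogram and message byte below are constructed placeholders. The splice_ciphertext helper applies the Offset rule from the command table; that the host performs this splice itself after receiving the KZ response is an assumption, not something this page states.

```python
"""Host-side encode/decode helpers for the KY command and KZ response.

Added example, not Thales code. Models Mode 0 and Mode 2 only; the Mode 4
PIN-change fields are not included. Assumed framing: ASCII header of a known
length, fields in table order, 'H' fields as ASCII hex, 'B' fields as raw
bytes, 'N'/'A' fields as ASCII. All sample values are constructed placeholders.
"""
from dataclasses import dataclass

VALID_MODES = (0, 2)   # 1 and 3 are rejected (error 04); 4 is not modelled here


@dataclass
class KYCommand:
    header: bytes            # m A, echoed back unchanged by the HSM
    mode: int                # 0 = integrity only, 2 = integrity + confidentiality
    mk_smi: str              # MK-SMI(LMK): 32H or 1A+32H
    pan_seq: bytes           # 8 B pre-formatted PAN / PAN Sequence No
    branch_height: int       # 0 = branch 2 / height 16, 1 = branch 4 / height 8
    atc: bytes               # 2 B Application Transaction Counter
    plaintext: bytes         # n B plaintext message data
    mk_smc: str = ""         # MK-SMC(LMK), Mode 2 only
    tk: str = ""             # TK(LMK), Mode 2 only
    offset: int = 0          # insertion point for the ciphertext, Mode 2 only
    ciphertext: bytes = b""  # TK-encrypted data, multiple of 8 bytes, Mode 2 only


def build_ky(cmd: KYCommand) -> bytes:
    """Serialise a KYCommand, applying the field checks the table states."""
    if cmd.mode not in VALID_MODES:
        raise ValueError("invalid mode flag")                        # error 04
    if len(cmd.pan_seq) != 8 or len(cmd.atc) != 2:
        raise ValueError("PAN/PSN must be 8 bytes and ATC 2 bytes")
    if cmd.branch_height not in (0, 1):
        raise ValueError("branch/height parameter must be 0 or 1")
    if len(cmd.plaintext) > 0xFFFF:
        raise ValueError("plaintext too long for a 4H length field")  # error 80
    msg = bytearray(cmd.header)
    msg += b"KY" + str(cmd.mode).encode("ascii")
    msg += cmd.mk_smi.encode("ascii") + cmd.pan_seq
    msg += str(cmd.branch_height).encode("ascii") + cmd.atc
    msg += f"{len(cmd.plaintext):04X}".encode("ascii") + cmd.plaintext + b";"
    if cmd.mode == 2:
        if not 0 <= cmd.offset <= len(cmd.plaintext):
            raise ValueError("offset outside plaintext")             # error 06
        if not cmd.ciphertext or len(cmd.ciphertext) % 8:
            raise ValueError("ciphertext not a multiple of 8 bytes")  # error 81
        msg += cmd.mk_smc.encode("ascii") + cmd.tk.encode("ascii")
        msg += f"{cmd.offset:04X}".encode("ascii")
        msg += f"{len(cmd.ciphertext):04X}".encode("ascii") + cmd.ciphertext + b";"
    return bytes(msg)


def parse_kz(resp: bytes, header_len: int, mode: int) -> dict:
    """Split a KZ response. Assumes only the error code follows a non-00 result."""
    pos = header_len
    if resp[pos:pos + 2] != b"KZ":
        raise ValueError("not a KZ response")
    pos += 2
    err = resp[pos:pos + 2].decode("ascii")
    pos += 2
    if err != "00":
        return {"error": err}
    mac = resp[pos:pos + 8]                  # 8 B, the 64-bit MAC
    pos += 8
    reenc = b""
    if mode in (2, 4):                       # re-encrypted data absent for Mode 0
        n = int(resp[pos:pos + 4], 16)
        pos += 4
        reenc = resp[pos:pos + n]
        if len(reenc) != n:
            raise ValueError("truncated re-encrypted data")
    return {"error": err, "mac": mac, "reencrypted": reenc}


def splice_ciphertext(plaintext: bytes, offset: int, reencrypted: bytes) -> bytes:
    """Offset rule: the re-encrypted block goes AFTER the offset-th plaintext byte."""
    if not 0 <= offset <= len(plaintext):
        raise ValueError("offset outside plaintext")
    return plaintext[:offset] + reencrypted + plaintext[offset:]


# Constructed sample: a Mode 2 request with 8 bytes of TK-encrypted data to be
# placed at the end of a 4-byte plaintext (offset 4). Cryptograms are dummies.
SAMPLE = KYCommand(
    header=b"HDR1", mode=2,
    mk_smi="U" + "0" * 32, pan_seq=bytes.fromhex("4000123456789012"),
    branch_height=0, atc=bytes.fromhex("001F"),
    plaintext=bytes.fromhex("84240000"),
    mk_smc="U" + "1" * 32, tk="U" + "2" * 32,
    offset=4, ciphertext=bytes.fromhex("0011223344556677"),
)

if __name__ == "__main__":
    print(build_ky(SAMPLE).hex())
```

The length-prefixed binary fields mean the `;` delimiters cannot be used to split the message safely (a raw PAN or ATC byte may legitimately be 0x3B), so both the builder and the parser walk the fields by their declared lengths rather than searching for delimiters.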