
What is ARQC?

Each EMV transaction request is supposed to contain an ARQC, which is a cryptogram generated from
the transaction data. In the context of EMV, a cryptogram can be thought of as a digital signature on
the financial transaction. A valid, verifiable cryptogram tells you two things:

- the financial message originated from the source that it claims to be from
- the contents of the message have not been altered

There are two cryptograms used in EMV: ARQC (Authorisation Request Cryptogram) and ARPC
(Authorisation Response Cryptogram). The first one, ARQC, is generated by the card (after taking
some values from the terminal), and hence it's part of a request message. The second one, ARPC, is
generated by the issuer and hence it's part of a response message.

Steps for ARQC Generation


There are four basic steps to ARQC generation:
1. Card Key Derivation 
2. Session Key Derivation 
3. Preparation of Input Data in ARQC Calculation
4. Encryption/Hashing (the final step that gives the ARQC)

Restating the above list, the first step is to derive the card key and then use the card key to derive a
session key. In parallel, we need to prepare some data and then encrypt that data with the session
key derived in the previous step.

Exact details vary from one chip program to another!

Step 1 and 2: Card and Session Key Derivation


When a card is out in the field, it already contains the Issuer Master Key. But to create an ARQC for a
particular transaction, two new keys are required: the first key is called the Card Key and the second key
is called the Session Key. Each EMV scheme (such as M/Chip and Visa) has its own algorithm for
generating the card key and/or the session key. Some of these algorithms are standardized and
part of the EMV specification, while others are proprietary to the vendor.

The Card Key is unique to the card and the Session Key is unique to the transaction. It is the Session Key
that is used for the final encryption in step 4.

Step 3: Data Preparation


In parallel to the key derivation as described above, an important step of ARQC generation is
“preparation of input data”, mentioned as point #3 in the list above. Once again, which EMV tags are
concatenated to prepare this input data is EMV scheme specific.

Step 4: ARQC Generation 


Finally, once the Session Key and Input Data are ready, the Input Data is encrypted using the Session
Key to give the ARQC.
Posted by Jaywalker at 12:30 AM 