0
votes

The EMV Spec 4.3 Vol 2 defines the different modes for CDA ("Combined Data Authentication") with a chart:

+----+-------------------+-----------------------------------+
|Mode|Request CDA on ARQC|Request CDA on 2nd GEN AC (TC)     |
|    |                   |after approved online authorisation|
+----+-------------------+-----------------------------------+
| 1  |        Yes        |              Yes                  |
| 2  |        Yes        |              No                   |
| 3  |        No         |              No                   |
| 4  |        No         |              Yes                  |
+----+-------------------+-----------------------------------+

My question: If a PinPad is in CDA Mode 3, does it actually perform the data authentication step at all?

The PinPad I am using is in CDA Mode 3 and it appears to be doing so sometime in the ARPC validation/TC generation step, as evidenced by Byte 1, Bit 8 of the TVR being set to zero at that time. However, the chart above would lead me to believe that it is not.

Unfortunately, I don't have a UL or Collis tool to get inside the PinPad to see the PinPad/chip flow.

1
CDA is done by the terminal, not the PIN Pad device. PIN has not got anything to do with CDA. - Adarsh Nanu

@AdarshNanu CDA is normally performed where the kernel resides - it might be the PIN Pad, it might be the terminal, it might be the device handler (quite ineffective, but feasible and used in some countries). Also, remember that partial kernels might implement some functions (like Cardholder Verification) and may reside physically in a different device. - Michal Gluchowski

1 Answer

2
votes

The short answer to your question is YES - the acceptance device will perform card authentication. When it comes to ODA, it might also be SDA (already obsolete) or DDA that happens regardless of CDA mode.

CDA mode 3 means only that ODA will not be performed if another CAM (Card Authentication Method) is available. It will still happen for offline accepted transactions.

To clarify, the Card Authentication Methods:

  • Offline CAM = PKI based Offline Data Authentication which CDA is an example of
  • Online CAM = symmetric cryptography based verification of cryptograms during online communication.

In the early days of EMV implementation, acceptance devices had quite limited processing power - they were mostly based on 8-bit microcontrollers, which meant it took ages to perform RSA with a larger modulus. That's why CDA mode 3 was introduced - to avoid performing the resource-heavy offline CAM when the online CAM is available, i.e. in online transactions. That was perceived as an optimization at the time and was recommended by the schemes and EMVCo. In today's terms, CDA mode 1 is widely adopted and I don't remember any recent Type Approvals with CDA mode 3. If you have a device with it, you might be dealing with an old device with an expired approval.

The ARPC verification (Issuer Authentication step) you mention is not reflected in TVR B1b8 - it's only an indication that ODA was not performed, which (apart from the CDA mode 3 situation) might also be the case when card and terminal do not support any common authentication method (some online-only terminals do not need to perform ODA; some non-expiring cards do not support ODA either). Issuer Authentication might be explicit (when the AIP in the card indicates it and you received an ARPC in the response), but might also happen implicitly (when the AIP doesn't indicate it but the card requests the ARPC in CDOL2), and you might not see it indicated in the TVR.
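As an added illustration of the mode table and the answer above (my own example, not code from the question, the answer or any EMV kernel), the following models the terminal's CDA request decision per transaction outcome and the resulting TVR byte 1 bit 8. It assumes card and terminal both support CDA and no SDA/DDA is selected, so CDA is the only way ODA can be performed; the TVR bit is evaluated at the end of the transaction, which is a simplification of when a real kernel sets it.

```python
# Added example: terminal-side CDA request logic per EMV 4.3 Book 2 CDA modes.
# Assumption (not from the page): CDA is the only ODA method available, so
# "ODA performed" == "CDA was requested on at least one GENERATE AC".

# mode -> (request CDA on ARQC, request CDA on 2nd GEN AC TC after online approval)
CDA_MODE = {1: (True, True), 2: (True, False), 3: (False, False), 4: (False, True)}

TVR_B1B8_ODA_NOT_PERFORMED = 0x80  # TVR byte 1, bit 8


def run_transaction(mode, terminal_decision, issuer_approves=True):
    """Simulate the GENERATE AC sequence for one transaction.

    terminal_decision: "offline_approve", "online" or "offline_decline"
    Returns the AC types requested, whether each carried CDA, and TVR byte 1.
    """
    cda_on_arqc, cda_on_2nd_tc = CDA_MODE[mode]
    first_ac = {"offline_approve": "TC", "online": "ARQC",
                "offline_decline": "AAC"}[terminal_decision]
    # Offline approval requests a TC with CDA in every mode (the answer's
    # "it will still happen for offline accepted transactions"); an AAC never
    # carries CDA; an ARQC carries CDA only in modes 1 and 2.
    first_cda = first_ac == "TC" or (first_ac == "ARQC" and cda_on_arqc)
    second_ac, second_cda = None, False
    if first_ac == "ARQC":
        # After issuer authentication the terminal asks for a TC (approved)
        # or an AAC (declined); CDA on that TC depends on the mode.
        second_ac = "TC" if issuer_approves else "AAC"
        second_cda = second_ac == "TC" and cda_on_2nd_tc
    oda_performed = first_cda or second_cda
    tvr_byte1 = 0 if oda_performed else TVR_B1B8_ODA_NOT_PERFORMED
    return {"first_ac": first_ac, "first_cda": first_cda,
            "second_ac": second_ac, "second_cda": second_cda,
            "tvr_byte1": tvr_byte1}


def oda_not_performed(tvr_hex):
    """Decode byte 1 bit 8 of a 5-byte TVR given as hex (constructed input)."""
    tvr = bytes.fromhex(tvr_hex)
    if len(tvr) != 5:
        raise ValueError("TVR must be 5 bytes")
    return bool(tvr[0] & TVR_B1B8_ODA_NOT_PERFORMED)
```

Running `run_transaction(3, "online")` shows no CDA on either GENERATE AC and the bit set, while `run_transaction(3, "offline_approve")` carries CDA on the TC and leaves it clear, which is the distinction the answer draws.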