What is the relationship between the EMV ODA, CA and issuer certificate during the transaction?

Question

What is the relationship between the EMV ODA, CA and issuer certificate during the transaction?

Answer 1

Data Authentication is used for validating authenticity of an EMV payment card when the request for payment is received on POC. The EMV CA is used for generating EMV root certificates and issuing EMV Issuer certificates for banks that issue payment cards to their customers. Index of CA Public key, issuer certificate, and SDA signature with card holder data are sent to the POC, which can then get the CA public key from the POS storage, use the CA Public key to verify the Issuer RSA key in Issuer Certificate, and use the issuer RSA key to decrypt the SDA Signature and verify that what was signed is the same to the card data. In this process also EMV CA CRL, and EMV Issuer CRL is used for validating whether the certificates are not revoked.

Answer 2

ODA = Offline Data Authentication, ODA ( SDA/DDA/CDA) concept uses RSA cryptography therefore CA and issuer come into this place.

you can understand connection between CA and issuer with help of below figure:-

SDA - SDA ensures the authenticity of ICC data. After SDA it is sure that the data from the ICC is real and hasn't changed by anyone. But SDA doesn't assure the uniqueness of ICC data. You can see the diagram of SDA is like,

Here you can see two RSA Pair is using during SDA,
(1) - IssuerRSA

(2) - CA_RSA

this diagram is very descriptive and clear to understand the flow of SDA. Also you can check EMV BOOK 2 for more description about SDA. while DDA flow is like ,

here you can see 3 RSA Pair is using in DDA,

1 - IssuerRSA

2- CA_RSA

3 - ICC RSA ( new RSA key which is unique in all card, Each card generate this RSA pair during personalization of card so this RSA Pair will be different for each card)

SDA guarantees that data on cards is valid because we trust a high level certification authority which signs the data. But an attacker can record a card session and build for example a new virtuel card because same data is used here for all session.

But in DDA flow - we can say it is checking SDA + giving random data to card by Terminal to sign and here this part makes cloning of card impossible because each session use different random number so recording a card session will not work in next card session.

Hope it helps you to know about ODA and connection between CA and issuer. more can you read from SDA and DDA , Gemalto

Answer 3

Offline data authentication is the process to verify the cards authenticity. Terminals are loaded with CA Public key.

• SDA(Static Data Authentication) can assure you the card data has not been altered after the issuance. SDA card contains Signed Static Application Data and Issuer Public Key certificate. CA Public key in the terminal is used to verify the Issuer Public key certificate and issuer Public key is used to verify the signed static application data in the card.
• DDA(Dynamic Data Authentication) can assure the card data has not been altered and that the card as a whole is not cloned. DDA Card Contains ICC Private Key, ICC Public key certificate and Issuer Public Key Certificate. CA Public Key in terminal is used to verify the
  Issuer Public Key certificate. Issuer Public key used to validate the ICC Public Key certificate. ICC Public key used to verify the dynamic signature generated by the card using its ICC Private key.
• CDA/AC(Combined Data Authentication with Cryptogram generation) - Same as DDA card, only difference being Cryptogram Generation and Dynamic signature happens together assuring that Cryptogram came from a valid card.

Answer 4

• You should use CA public key to decrypt issuer public key certificate (tag 0x90)
• The decrypted data format is in EMV 4.3 book 2 Retrieval of Issuer Public Key