Derive ICC MK (CSNBDCM and CSNEDCM)

The Derive ICC MK callable service generates ICC master keys from issuer master keys. ICC master keys are needed for ICC personalization, EMV transaction processing, and EMV scripting. Optionally, this service returns the ICC master key as an external token wrapped under a key-encrypting key (KEK). Use the TKE workstation to establish the KEK that is optionally used by this service.

The following ICC master keys can be generated:
  ICC Master Application Cryptogram Key (AC)
    This key is used to generate and verify the ARQC and ARPC.
  ICC Master Secure Messaging Authentication Key (MAC)
    This key is used to provide integrity for EMV scripting.
  ICC Master Secure Messaging Confidentiality Key (ENC)
    This key is used to provide confidentiality for EMV scripting.
  ICC Master Data Key (DATA)
    This key is used for functions that require encryption and decryption of EMV fields.

The callable service name for AMODE(64) invocation is CSNEDCM.

Format

CALL CSNBDCM(
             return_code,
             reason_code,
             exit_data_length,
             exit_data,
             rule_array_count,
             rule_array,
             issuer_master_key_identifier_length,
             issuer_master_key_identifier,
             icc_master_key_identifier_length,
             icc_master_key_identifier,
             transport_key_identifier_length,
             transport_key_identifier,
             pan_length,
             pan,
             pan_seq_number,
             reserved1_length,
             reserved1,
             reserved2_length,
             reserved2)

Parameters

return_code
Direction: Output, Type: Integer

The return code specifies the general result of the callable service. The return codes are listed in ICSF and cryptographic coprocessor return and reason codes.

reason_code
Direction: Output, Type: Integer

The reason code specifies the result of the callable service that is returned to the application program. Each return code has different reason codes assigned to it that indicate specific processing problems. The reason codes are listed in ICSF and cryptographic coprocessor return and reason codes.

exit_data_length
Direction: Input/Output, Type: Integer

The length of the data that is passed to the installation exit. The data is identified in the exit_data parameter.

exit_data
Direction: Input/Output, Type: String

The data that is passed to the installation exit.

rule_array_count
Direction: Input, Type: Integer

The number of keywords you supplied in the rule_array parameter. The minimum value is 3 and the maximum value is 5.

rule_array
Direction: Input, Type: String

Keywords that provide control information to the callable service. The keywords must be in contiguous storage with each of the keywords left-justified in its own 8-byte location and padded on the right with blanks.

Table 1. Rule array keywords for Derive ICC MK

Keyword     Meaning

Algorithm (Required)
  TDES      Specifies the use of Triple-DES.

Key mode (One required). Defines the key derivation mechanism.
  VISA      Use this key mode for Visa Cryptogram Version 10 key derivation.
  MC        Use this key mode for MasterCard M/CHIP 2.1 key derivation.

Output key type (One required). See the issuer_master_key_identifier and icc_master_key_identifier parameters for more information.
  AC        Derives the ICC Master Application Cryptogram Key. This key is used to generate and verify the ARQC and ARPC.
            When the VISA key mode is specified, the issuer master key must be a DKYL0 DKYGENKY key and the derived ICC master key will be of type MAC.
            When the MC key mode is specified, the issuer master key must be a DKYL1 DKYGENKY key and the derived ICC master key will be a DKYL0 DKYGENKY key.
  MAC       Derives the ICC Master Secure Messaging Authentication Key. This key is used to provide integrity for EMV scripting.
            When the VISA key mode is specified, the issuer master key must be a DKYL0 DKYGENKY key and the derived ICC master key will be of type MAC.
            When the MC key mode is specified, the issuer master key must be a DKYL1 DKYGENKY key and the derived ICC master key will be a DKYL0 DKYGENKY key.
  ENC       Derives the ICC Master Secure Messaging Confidentiality Key. This key is used to provide confidentiality for EMV scripting.
            When the MC key mode is specified, the issuer master key must be a DKYL1 DKYGENKY key and the derived ICC master key will be a DKYL0 DKYGENKY key.
            Not valid with key mode VISA.
  DATA      Derives the ICC Master DATA Key. This key is used for functions that require encryption and decryption of EMV fields.
            When the MC key mode is specified, the issuer master key must be a DKYL1 DKYGENKY key and the derived ICC master key will be a DKYL0 DKYGENKY key.
            Not valid with key mode VISA.

Key encryption (Optional)
  MASTER    Specifies to return the ICC master key as an internal token encrypted under the master key. This is the default.
  XPORT     Specifies to return the ICC master key as an external token encrypted under the transport_key_identifier.

Control flag (Optional)
  APPANSEQ  Specifies to append the PAN sequence number when the card-specific master key is derived. See the descriptions of pan and pan_seq_number. The default is not to append the PAN sequence number.

issuer_master_key_identifier_length
Direction: Input, Type: Integer

Specifies the length of the issuer_master_key_identifier parameter in bytes. The value must be 64.

issuer_master_key_identifier
Direction: Input/Output, Type: String

A 64-byte DES key identifier (either an internal token or key label) for the issuer master key. The issuer master key is the key from which the ICC master key is derived.

If the token supplied was encrypted under the old master key, the token is returned encrypted under the current master key.

The key algorithm must be DES and the key type must be DKYGENKY. The required subtype and key usage attributes are listed in Table 2.

Table 2. Derive ICC MK: Key requirements

Master key                                    VISA          MC
Application Cryptogram Key (AC)               DMAC, DKYL0   DMAC, DKYL1
Secure Messaging Authentication Key (MAC)     DMAC, DKYL0   DMAC, DKYL1
Secure Messaging Confidentiality Key (ENC)    N/A           DMPIN, DKYL1
Data Key (DATA)                               N/A           DDATA, DKYL1

icc_master_key_identifier_length
Direction: Input, Type: Integer

This parameter specifies the length of the icc_master_key_identifier parameter in bytes. The value must be 64.

icc_master_key_identifier
Direction: Output, Type: String

A 64-byte CCA DES key identifier for the ICC master key. The ICC master key is the DES key from which session keys are derived.

On output, this is the derived key token containing the ICC master key. If the XPORT rule is specified, the key token is returned in external format wrapped by the transport_key_identifier. Otherwise, it is returned in internal format.

If the issuer_master_key_identifier is compliant-tagged, a compliant-tagged token is generated.

The attributes of the generated key are listed in Table 3 (see the output key type rules in Table 1 for a description of the key types derived by this service for each key mode).

Table 3. Derive ICC MK: Key type and key usage attributes of the generated keys

Master key                                    VISA   MC
Application Cryptogram Key (AC)               MAC    DKYGENKY, DMAC, DKYL0
Secure Messaging Authentication Key (MAC)     MAC    DKYGENKY, DMAC, DKYL0
Secure Messaging Confidentiality Key (ENC)    N/A    DKYGENKY, DMPIN, DKYL0
Data Key (DATA)                               N/A    DKYGENKY, DDATA, DKYL0

transport_key_identifier_length
Direction: Input, Type: Integer

This parameter specifies the length of the transport_key_identifier parameter in bytes. When the XPORT keyword is specified, the value must be 64. Otherwise, the value must be 0.

transport_key_identifier
Direction: Input/Output, Type: String

The identifier of the key to wrap the generated keys. This key must be an EXPORTER key type specified as an operational key token or as a key label of an EXPORTER key in key storage. When the transport_key_identifier_length is zero, this parameter is ignored.

If the NOCV bit is on in the internal key token containing the transport key, the transport key itself (not the transport key variant) is used to encipher the generated key. This is the case, for example, when the key was installed in the cryptographic key data set through the key generator utility program or the key entry hardware using the NOCV parameter, or when you pass the transport key in an internal key token with the NOCV bit on and your program is running in supervisor state or key 0-7.

The NOCV bit is shown in Table 1.

If the token supplied was encrypted under the old master key, the token is returned encrypted under the current master key.

pan_length
Direction: Input, Type: Integer

Length in bytes of the pan parameter. The value must be 10.

pan
Direction: Input, Type: String

The 10-byte EMV card’s Primary Account Number. The data must be in compressed numeric format and right justified in a 10-byte field, padded to the left with zeroes. For example, PAN 1234567890 must be provided as x’00000000001234567890’.

This data is used in combination with the PAN sequence number to derive the card’s master key. The exact set of rules is described in EMV Integrated Circuit Card Specification for Payment Systems Version 4.2 (EMV4.2) Book 2, Annex A1.4.

pan_seq_number
Direction: Input, Type: String

The 1-byte sequence number of the EMV card’s Primary Account Number. If the APPANSEQ control flag rule array keyword was specified, this PAN sequence number is used in combination with the PAN to derive the card’s master key. The exact set of rules is described in EMV Integrated Circuit Card Specification for Payment Systems Version 4.2 (EMV4.2) Book 2, Annex A1.4.
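The following Python is an added example, not ICSF code (ICSF callable services are invoked from z/OS application programs, and this example does not call ICSF at all). It shows how a caller would prepare the rule_array, pan, pan_seq_number and length parameters described above, enforcing the Table 1 keyword rules (TDES required, one key mode, one output key type, ENC and DATA rejected with VISA, optional MASTER/XPORT and APPANSEQ, count between 3 and 5), packing the PAN into the 10-byte compressed numeric field, and setting transport_key_identifier_length to 64 only when XPORT is used. Assumptions: the 1-byte pan_seq_number is passed as an unmodified byte, a zero byte is passed when APPANSEQ is not selected, and the function names (build_rule_array, pack_pan, build_dcm_parameters) are this example's own.

```python
"""Prepare the caller-supplied parameters for an ICSF Derive ICC MK (CSNBDCM) call.

Added example, not ICSF code: it encodes the rule_array and PAN fields the way
the parameter descriptions require and checks the Table 1 keyword combinations
before any call would be made.  It never calls ICSF itself.
"""

KEYWORD_LEN = 8          # each rule_array keyword occupies an 8-byte slot
PAN_FIELD_LEN = 10       # pan_length must be 10
KEY_IDENTIFIER_LEN = 64  # length of a DES key identifier (token or label)

KEY_MODES = ("VISA", "MC")
OUTPUT_KEY_TYPES = ("AC", "MAC", "ENC", "DATA")
VISA_OUTPUT_KEY_TYPES = ("AC", "MAC")   # ENC and DATA are not valid with key mode VISA
KEY_ENCRYPTION = ("MASTER", "XPORT")


def keyword_slot(keyword):
    """Left-justify a keyword in its 8-byte slot, padded on the right with blanks."""
    if not keyword or len(keyword) > KEYWORD_LEN or not keyword.isascii():
        raise ValueError(f"invalid rule array keyword {keyword!r}")
    return keyword.encode("ascii").ljust(KEYWORD_LEN, b" ")


def build_rule_array(key_mode, output_key_type, key_encryption=None, append_pan_seq=False):
    """Return (rule_array_count, rule_array) for CSNBDCM.

    Table 1 rules enforced here: TDES is always present, exactly one key mode,
    exactly one output key type, an optional MASTER/XPORT keyword and the
    optional APPANSEQ control flag; ENC and DATA are rejected with VISA.
    """
    if key_mode not in KEY_MODES:
        raise ValueError(f"key mode must be one of {KEY_MODES}, got {key_mode!r}")
    if output_key_type not in OUTPUT_KEY_TYPES:
        raise ValueError(f"output key type must be one of {OUTPUT_KEY_TYPES}")
    if key_mode == "VISA" and output_key_type not in VISA_OUTPUT_KEY_TYPES:
        raise ValueError(f"{output_key_type} is not valid with key mode VISA")
    keywords = ["TDES", key_mode, output_key_type]
    if key_encryption is not None:
        if key_encryption not in KEY_ENCRYPTION:
            raise ValueError(f"key encryption must be one of {KEY_ENCRYPTION}")
        keywords.append(key_encryption)
    if append_pan_seq:
        keywords.append("APPANSEQ")
    # rule_array_count is therefore always between 3 and 5, as the service requires
    return len(keywords), b"".join(keyword_slot(k) for k in keywords)


def pack_pan(pan_digits):
    """Compressed numeric PAN, right-justified in 10 bytes, zero-padded on the left.

    PAN 1234567890 becomes X'00000000001234567890', as in the pan description.
    """
    if not pan_digits.isdigit() or not 1 <= len(pan_digits) <= 2 * PAN_FIELD_LEN:
        raise ValueError("PAN must be 1 to 20 decimal digits")
    return bytes.fromhex(pan_digits.rjust(2 * PAN_FIELD_LEN, "0"))


def transport_key_identifier_length(rule_array):
    """64 when the XPORT keyword is present in rule_array, otherwise 0."""
    slots = [rule_array[i:i + KEYWORD_LEN] for i in range(0, len(rule_array), KEYWORD_LEN)]
    return KEY_IDENTIFIER_LEN if keyword_slot("XPORT") in slots else 0


def build_dcm_parameters(key_mode, output_key_type, pan_digits,
                         pan_seq_number=None, key_encryption=None):
    """Assemble the fixed-length and rule-dependent parameters for one call.

    pan_seq_number: integer 0-255 sent as the 1-byte pan_seq_number parameter
    (assumption: the byte is passed as-is).  Supplying it selects APPANSEQ;
    when it is omitted a zero byte is passed and the keyword is not set.
    """
    append = pan_seq_number is not None
    if append and not 0 <= pan_seq_number <= 255:
        raise ValueError("pan_seq_number must fit in one byte")
    count, rules = build_rule_array(key_mode, output_key_type, key_encryption, append)
    return {
        "rule_array_count": count,
        "rule_array": rules,
        "issuer_master_key_identifier_length": KEY_IDENTIFIER_LEN,
        "icc_master_key_identifier_length": KEY_IDENTIFIER_LEN,
        "transport_key_identifier_length": transport_key_identifier_length(rules),
        "pan_length": PAN_FIELD_LEN,
        "pan": pack_pan(pan_digits),
        "pan_seq_number": bytes([pan_seq_number if append else 0]),
        "reserved1_length": 0,
        "reserved2_length": 0,
    }


if __name__ == "__main__":
    # Constructed sample: M/CHIP AC master key, exported under a KEK, PAN sequence 01.
    params = build_dcm_parameters("MC", "AC", "1234567890",
                                  pan_seq_number=1, key_encryption="XPORT")
    for name, value in params.items():
        print(f"{name:36} {value!r}")
```

The key identifiers themselves (issuer master key, transport key) are 64-byte tokens or labels that the caller supplies separately; rejecting an invalid keyword combination before the call avoids a round trip to the coprocessor that would only end in a return/reason code.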

reserved1_length
Direction: Input, Type: Integer

Length in bytes of the reserved1 parameter. The value must be 0.

reserved1
Direction: Input, Type: String

This field is ignored.

reserved2_length
Direction: Input, Type: Integer

Length in bytes of the reserved2 parameter. The value must be 0.

reserved2
Direction: Input, Type: String

This field is ignored.

Usage notes

SAF may be invoked to verify that the caller is authorized to use this callable service, the key label, or internal secure key tokens that are stored in the CKDS.

Cryptographic services used by Derive ICC MK

The following CCA cryptographic services are used by Derive ICC MK:
  • CSNBKTB - Key Token Build
  • CSNBDKG - Diversified Key Generate
  • CSNBKEX - Key Export

The caller does not require authorization to each of these services, only to Derive ICC MK. Additionally, the caller must have the required access control points enabled.

Access control points

The following access control points must be enabled to use Derive ICC MK:
  • Diversified Key Generate - TDES-ENC
  • Diversified Key Generate - TDES-XOR
  • Diversified Key Generate - TDESEMV2/TDESEMV4

To use a NOCV key-encrypting key, the NOCV KEK usage for export-related functions access control must be enabled in addition to the other access control points listed.

Required hardware

This table lists the required cryptographic hardware for each server type and describes restrictions for this callable service.

Table 4. Derive ICC MK required hardware

Server: IBM System z9 EC, IBM System z9 BC
  Required cryptographic hardware: Crypto Express2 Coprocessor
  Restrictions:
    Triple-length DES keys are not supported.
    Compliant-tagged key tokens are not supported.

Server: IBM System z10 EC, IBM System z10 BC
  Required cryptographic hardware: Crypto Express2 Coprocessor or Crypto Express3 Coprocessor
  Restrictions:
    Triple-length DES keys are not supported.
    Compliant-tagged key tokens are not supported.

Server: IBM zEnterprise 196, IBM zEnterprise 114
  Required cryptographic hardware: Crypto Express3 Coprocessor
  Restrictions:
    Triple-length DES keys are not supported.
    Compliant-tagged key tokens are not supported.

Server: IBM zEnterprise EC12, IBM zEnterprise BC12
  Required cryptographic hardware: Crypto Express3 Coprocessor or Crypto Express4 CCA Coprocessor
  Restrictions:
    Triple-length DES keys are not supported.
    Compliant-tagged key tokens are not supported.

Server: IBM z13, IBM z13s
  Required cryptographic hardware: Crypto Express5 CCA Coprocessor
  Restrictions:
    Triple-length DES keys require the July 2019 or later licensed internal code (LIC).
    Compliant-tagged key tokens are not supported.

Server: IBM z14, IBM z14 ZR1
  Required cryptographic hardware: Crypto Express5 CCA Coprocessor
    Restrictions:
      Triple-length DES keys require the December 2018 or later licensed internal code (LIC).
      Compliant-tagged key tokens are not supported.
  Required cryptographic hardware: Crypto Express6 CCA Coprocessor
    Restrictions:
      Triple-length DES keys require the December 2018 or later licensed internal code (LIC).
      Compliant-tagged key tokens require a CEX6C with the July 2019 or later licensed internal code (LIC).