Förrlibuckstrasse 66
CH 8005 Zürich
Tel.: +41 43 433 70 30
Fax.: +41 43 433 70 31
www.abrantix.com
info@abrantix.com
Whitepaper
ax eft-kernel
EMV Level 2 Kernel - a Software Module for EFTPOS Terminals
Date
Author: Fabian Meier
Version: v1.0
Product Name: ax-eft-kernel
Status: Released
Classification: Public
Copyright
The Abrantix EMV Level 2 Kernel - a Software Module for EFTPOS Terminals
Table of Contents
1 Introduction .................................................................................................................................... 3
Administration .............................................................................................................. 14
Pre-Certification ........................................................................................................... 14
Adapting the kernel to your hardware .......................................................................... 14
Programming support / Application integration ............................................................ 14
References .................................................................................................................................... 15
Contact .......................................................................................................................................... 16
Page 2 / 16
1 Introduction
Target Audience
Terminal manufacturers who would like to use an existing EMV Level 2 Kernel in order to integrate it with
their existing terminal software.
Key Features
Property
Details
EMV Compliance
Highly configurable
Kernel
Highly Portable
Security Module
Key Benefits
Property
Details
Fast development: Using our Kernel you can launch a new product within weeks. The average project time is 4 months until certification is received (EMV estimates 18 months of development time for a Level 2 Kernel).
Certification guarantee: Our Kernel runs on many different platforms and has been certified many times.
3.1 Product Features
Property
Details
Language: ANSI C
Code Size
EMV Standard
Certification
Platform
OS
Required Libraries:
- C library (clib), no math library (no floating point numbers are used, only integers)
- SHA-1, RSA (SCM module)
- SHA-1 (EMV Kernel)
Required System Functions
Security Processor: The key loading and storing mechanism and the PIN input access can be implemented in a secure processor.
Configuration
Parallel EMV transactions possible: Yes. Each transaction has one "context" (a struct/object with all state variables in it).
RAM Memory Requirements
API model
Threading: The application can be run single-threaded. All function calls are non-blocking.
EMV Attributes
CVM: Standard CVMs
Configurable Options
Risk Management:
- Velocity Checking
- Random Selection
- Transaction Log
3.2 Architecture
EMVK - Kernel: All EMV processing is done here. This code does NOT need any modification.
EMV Embedding layer: Layer that controls the EMVK and the SCM. Interface to the application code, and also interface to the ICC driver.
Utility library
The EMV functionality is split up into two components: the EMV kernel module, which is intended to run on a main processor MCU, and the EMV security module, which will run on the security processor, if applicable.
The code that controls the EMV kernel module and the security module is called the EMV Embedding layer. The EMV Embedding layer communicates with the terminal payment application and needs to be adapted to each terminal. A working code sample is part of the SDK.
The EMV module can run in a single-threaded application.
3.2.1 EMV Kernel
All the EMV relevant operations are done in this module. This part of the code needs no modification at all. If the Kernel needs a re-certification after three years, this code is replaced with the new version without changing the application.
A structure/object named EMV_CONTEXT contains all state variables of one EMV transaction. With more than one EMV_CONTEXT instance, it is possible to process more than one EMV card in parallel. All states of the Kernel are preserved in this instance. The EMV kernel does not require any libraries or other modules to operate.
3.2.2 EMV Security Module (SCM)
The SCM implements the certificate chain validation and PIN encryption methods required for EMV. It may or may not run on a dedicated security processor.
The EMV Security Module (SCM) performs the following tasks:
- It stores the CA public keys. Key loading is not part of this interface, but it is assumed that the EMV CA keys are loaded securely as part of application initialization. Each key is identified by its { RID, Index } bytes.
- Certificate chain validation down to the issuer or ICC/PIN encryption certificate, depending on the selected offline authentication method. During this task, the issuer, ICC and PIN encryption keys are loaded into a key handle for subsequent operations.
- PIN encryption for the offline PIN CVM.
- Public key operations on the keys loaded during chain validation.
3.2.3 EMV Embedding Layer
This component controls the EMV Kernel and the EMV Security Module.
It is also the interface to all other system components, such as:
- File reading/writing (keys)
- Communicating with the EMV chip reader driver (ICC interface)
- Getting the PIN data in plaintext from the PINPAD driver
Figure: Interaction between the terminal application and the EMV kernel (typically implemented in the EMV Embedding layer).
3.3 Security Processor
The SCM functionality may run in a security processor in order to be PCI compliant.
The security processor is a separate processor with the following properties, in order to guarantee secure transactions (part of the PCI requirements for a terminal):
- RAM that cannot be accessed from the outside
- Processing of data without exposing the register values; for example, a debugger cannot see the data in the MCU.
3.4
3.4.1 System Requirements
- OS independent (the Kernel has been ported to Linux, Windows, Windows CE and a proprietary embedded OS)
3.4.2
3.4.3
Compiler
Details
Modification required
Makefile: Yes
common.h: Yes
emv_tags.h: No
emv.h: No
emv_k_*.c (EMV Kernel): No
emv_s_scm.h: No (?)
emv_s_main.c: Possible. Reference implementation.
emv_tags.c
emv_tags.names.i
emv_k_*.c
rewritten
bcd.h, bcd.c (Utility library): No
der.h, der.c: No
list.c: No
debug.c
emv.c
emv.c (???
emv_sk_hash.c
3.4.4
3.4.5
According to EMVCo, the EMV Kernel requires a true random number generator; typically the system (terminal hardware) provides this functionality.
3.4.6 Implementation Steps
3.4.7
In order to efficiently debug and develop the code, a debugging facility has been added to trace the activity of the code. "Trace" has the same meaning as "Logging".
The debug output is sent to STDOUT with the TRACE() macro.
The TRACE macro is implemented in common.h.
A number of flags can be turned on and off in order to create debug output. Simply set the value to 1 to enable tracing or 0 to disable it.
The trace flags are set through the global variable EmvTraceFlags.
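The following C sketch shows how a trace facility of the kind described here can be built. It is an added example, not the ax-eft-kernel's common.h: only the names EmvTraceFlags and TRACE come from the whitepaper; the flag bit values, the EMV_TRACE_ENABLED kill switch, the emv_trace_format() helper and the redaction rule are assumptions. Formatting is done in a function so it can be checked, and anything the caller marks as sensitive (a PIN block, or the plaintext PIN that the embedding layer receives from the PIN pad) is logged by length only, so that a trace flag left enabled on a deployed terminal cannot leak cardholder secrets to STDOUT.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* One bit per subsystem in the global flag word; 1 enables, 0 disables.
 * The bit assignment is hypothetical. */
#define EMV_TRACE_KERNEL 0x01u
#define EMV_TRACE_SCM    0x02u
#define EMV_TRACE_ICC    0x04u

unsigned int EmvTraceFlags = 0;   /* set by the application at run time */

/* Compile-time kill switch (hypothetical): a release build defines it as 0
 * and TRACE() expands to nothing, so no trace code ships on the terminal. */
#ifndef EMV_TRACE_ENABLED
#define EMV_TRACE_ENABLED 1
#endif

/* Bounded append that always leaves out[] NUL-terminated. */
static size_t emv_trace_append(char *out, size_t outlen, size_t pos, const char *s)
{
    size_t n = strlen(s);
    if (outlen == 0 || pos >= outlen - 1) return pos;
    if (n > outlen - 1 - pos) n = outlen - 1 - pos;
    memcpy(out + pos, s, n);
    out[pos + n] = '\0';
    return pos + n;
}

/* Format one trace line into out[]. Returns the number of characters
 * written, or 0 when the subsystem flag is off. Data passed with
 * sensitive=1 (PIN blocks, plaintext PINs) is never dumped: only its
 * length appears in the trace. */
size_t emv_trace_format(char *out, size_t outlen, unsigned int flag, const char *tag,
                        const uint8_t *data, size_t len, int sensitive)
{
    size_t pos = 0, i;
    char tmp[48];

    if (!(EmvTraceFlags & flag)) return 0;
    pos = emv_trace_append(out, outlen, pos, "[");
    pos = emv_trace_append(out, outlen, pos, tag);
    pos = emv_trace_append(out, outlen, pos, "] ");
    if (sensitive) {
        sprintf(tmp, "<%u sensitive bytes redacted>", (unsigned)len);
        return emv_trace_append(out, outlen, pos, tmp);
    }
    for (i = 0; i < len; i++) {
        sprintf(tmp, "%02X", data[i]);
        pos = emv_trace_append(out, outlen, pos, tmp);
    }
    return pos;
}

#if EMV_TRACE_ENABLED
#define TRACE(flag, tag, data, len, sensitive) do {                              \
        char trace_line_[256];                                                   \
        if (emv_trace_format(trace_line_, sizeof trace_line_, (flag), (tag),     \
                             (data), (len), (sensitive)) > 0) {                  \
            fputs(trace_line_, stdout);                                          \
            fputc('\n', stdout);                                                 \
        }                                                                        \
    } while (0)
#else
#define TRACE(flag, tag, data, len, sensitive) ((void)0)
#endif

int main(void)
{
    /* constructed sample data: a SELECT APDU header and a dummy PIN block */
    static const uint8_t select_hdr[4] = { 0x00, 0xA4, 0x04, 0x00 };
    static const uint8_t pin_block[8]  = { 0x24, 0x12, 0x34, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };

    EmvTraceFlags = EMV_TRACE_ICC | EMV_TRACE_SCM;   /* kernel tracing stays off */
    TRACE(EMV_TRACE_ICC, "ICC", select_hdr, sizeof select_hdr, 0);     /* hex dump */
    TRACE(EMV_TRACE_SCM, "SCM", pin_block, sizeof pin_block, 1);       /* length only */
    TRACE(EMV_TRACE_KERNEL, "EMVK", select_hdr, sizeof select_hdr, 0); /* suppressed */
    return 0;
}
```

The run-time flag word decides what is printed, the compile-time switch decides whether the trace code exists at all; on a PCI-scoped terminal both matter, because a trace line that reaches STDOUT is outside the secure boundary.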
3.5
The main effort is integrating the EMV Embedding layer with the existing terminal application. However, the interaction between the embedding layer and the terminal application is minimal and straightforward.
Each call to the Embedding layer is non-blocking. The kernel runs in the same thread as the main application, and each call returns right away.
This means that a transaction can be cancelled at any time; the application has full control of the kernel at any moment.
During each transaction, the kernel requests all available EMV applications from the terminal application.
Abrantix provides working reference code for the EMV Embedding layer.
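Sections 3.2.1 and 3.5 together describe the API model: one EMV_CONTEXT per transaction, every call non-blocking, the kernel asking the terminal application for the list of supported applications and for PIN entry, and cancellation possible at any moment. The C sketch below is an added example of that model and is not the ax-eft-kernel API or the Abrantix reference code: EMVX_CONTEXT, the emvx_* functions, the request codes and the amount limits are all hypothetical. It drives two transactions alternately from a single thread and wipes the PIN block on completion and on cancel, which is the property a reviewer of a real embedding layer would check first.

```c
/* Hypothetical non-blocking, context-per-transaction kernel API (added example). */
#include <stdint.h>
#include <string.h>

#define EMVX_MAX_AIDS      4
#define EMVX_PIN_THRESHOLD 2000u   /* constructed: offline PIN required above this amount */
#define EMVX_FLOOR_LIMIT   5000u   /* constructed: offline approval up to this amount */

typedef enum {
    EMVX_REQ_APP_LIST,  /* kernel needs the terminal's supported AIDs */
    EMVX_REQ_PIN,       /* kernel needs the encrypted PIN block from PIN pad / SCM */
    EMVX_REQ_DONE,      /* transaction finished, see ctx->approved */
    EMVX_REQ_ERROR      /* cancelled or misused context */
} emvx_request_t;

typedef enum { ST_IDLE, ST_SELECT, ST_CVM, ST_COMPLETE, ST_CANCELLED } emvx_state_t;

/* All state of one transaction lives here, so several contexts can be
 * stepped alternately from one thread. */
typedef struct {
    emvx_state_t state;
    uint32_t amount;                 /* minor units */
    char aids[EMVX_MAX_AIDS][17];    /* AIDs as hex strings, supplied by the application */
    int aid_count;
    uint8_t pin_block[8];            /* encrypted PIN block, wiped as soon as it is used */
    int pin_present;
    int approved;
} EMVX_CONTEXT;

/* Overwrite secrets in a way the compiler must not optimise away. */
static void emvx_secure_zero(void *p, size_t n)
{
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

void emvx_init(EMVX_CONTEXT *ctx, uint32_t amount)
{
    memset(ctx, 0, sizeof *ctx);
    ctx->amount = amount;
    ctx->state = ST_SELECT;
}

/* The application answers EMVX_REQ_APP_LIST with this call. */
int emvx_set_app_list(EMVX_CONTEXT *ctx, const char *const *aids, int n)
{
    int i;
    if (ctx->state != ST_SELECT || n <= 0 || n > EMVX_MAX_AIDS) return -1;
    for (i = 0; i < n; i++) {
        strncpy(ctx->aids[i], aids[i], 16);
        ctx->aids[i][16] = '\0';
    }
    ctx->aid_count = n;
    return 0;
}

/* The application answers EMVX_REQ_PIN with an 8-byte encrypted PIN block. */
int emvx_set_pin_block(EMVX_CONTEXT *ctx, const uint8_t block[8])
{
    if (ctx->state != ST_CVM) return -1;
    memcpy(ctx->pin_block, block, 8);
    ctx->pin_present = 1;
    return 0;
}

/* One non-blocking step: advance as far as possible, then return what is needed. */
emvx_request_t emvx_step(EMVX_CONTEXT *ctx)
{
    switch (ctx->state) {
    case ST_SELECT:
        if (ctx->aid_count == 0) return EMVX_REQ_APP_LIST;
        ctx->state = ST_CVM;
        /* fall through */
    case ST_CVM:
        if (ctx->amount > EMVX_PIN_THRESHOLD && !ctx->pin_present) return EMVX_REQ_PIN;
        ctx->approved = (ctx->amount <= EMVX_FLOOR_LIMIT);
        emvx_secure_zero(ctx->pin_block, sizeof ctx->pin_block);  /* no longer needed */
        ctx->state = ST_COMPLETE;
        /* fall through */
    case ST_COMPLETE:
        return EMVX_REQ_DONE;
    default:
        return EMVX_REQ_ERROR;
    }
}

/* The application may cancel at any moment; secrets are wiped immediately. */
void emvx_cancel(EMVX_CONTEXT *ctx)
{
    emvx_secure_zero(ctx->pin_block, sizeof ctx->pin_block);
    ctx->pin_present = 0;
    ctx->state = ST_CANCELLED;
}

/* Drive two transactions alternately from one thread; returns the number approved. */
int emvx_demo_two_contexts(void)
{
    /* constructed sample data: two AIDs and a dummy (not real) encrypted PIN block */
    static const char *const aids[] = { "A0000000031010", "A0000000041010" };
    static const uint8_t pin_block[8] = { 0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC, 0xDE, 0xF0 };
    EMVX_CONTEXT a, b;
    int guard;

    emvx_init(&a, 1500);   /* below the PIN threshold */
    emvx_init(&b, 3000);   /* needs a PIN, still under the floor limit */
    for (guard = 0; guard < 10; guard++) {
        emvx_request_t ra = emvx_step(&a), rb = emvx_step(&b);
        if (ra == EMVX_REQ_APP_LIST) emvx_set_app_list(&a, aids, 2);
        if (rb == EMVX_REQ_APP_LIST) emvx_set_app_list(&b, aids, 2);
        if (rb == EMVX_REQ_PIN)      emvx_set_pin_block(&b, pin_block);
        if (ra == EMVX_REQ_DONE && rb == EMVX_REQ_DONE) break;
    }
    return a.approved + b.approved;
}
```

Because emvx_step() never waits for the card, the PIN pad or the network, the application loop decides when each context is advanced, and emvx_cancel() works between any two steps; that is what "the application has full control of the kernel at any moment" means in practice.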
4 Services of Abrantix AG
Abrantix offers a wide range of services that can speed up your terminal development even more. These services range from administrative help to technical integration support. With our long experience in terminal programming we can also help you get your software running.
All these services are offered on demand. Please ask for your quote.
4.1 Administration
The administrative process for a kernel certification is very complex. Abrantix helps you with the application, the EMV contract, finding the right Kernel configuration and filling out the EMV ICS (Implementation Conformance Statement).
We basically do the full paperwork under your name.
4.2 Pre-Certification
Abrantix has many EMV test tools that help you integrate the kernel into your application and run pre-certification tests against your environment.
4.3 Adapting the kernel to your hardware
4.4 Programming support / Application integration
Since we have realized many payment applications and many payment protocols, we have a large toolbox that can help you speed up your development.
5 References
Existing applications of the Abrantix EMV Kernel:
- EFTPOS applications in Switzerland (Linux, 32-bit ARM)
- Bank teller PIN pad terminal (2 large customers, Swiss banks; Linux, 32-bit ARM)
- Card processing for parking garage solutions (more than 50 customers; Windows XP, x86)
- Secure processor in a new EFTPOS terminal (32-bit MIPS, no OS)
- Company-internal simulators for testing (Windows XP, x86)
6 Contact
For more details we are happy to talk to you personally. Please contact:
Abrantix AG
Mr. Christian Vetsch
Förrlibuckstrasse 66
8005 Zürich
Switzerland
Phone: +41 43 433 70 30
Email: christian.vetsch@abrantix.com
Internet: www.abrantix.com