Friday, October 3, 2014

Cryptogram calculation clarity for CBP

This is the key concept and change between EMV and what is required for CBP cryptograms.
Effectively the cryptogram in the CBP payment is created half in the cloud and then the other half when you tap the phone.

The reason is that network connectivity may not allow a scenario like the left side of the diagram below: the UN would either get cut off while being transmitted from the POS to the calculation space, or it would be subject to network latency and create a "Tap and Hover" effect that would be an awful user experience.

The CBP cryptogram allows all components to be used as before and exposes a "relay threat" only to the Android app after the SUK is received, but not to the POS terminal. It also allows the Phase 2 calculation to happen independently of cloud availability at tap time. The Phase 1 calculation and delivery to the phone from the cloud is expected to be performed prior to tapping the phone, but not during the tap itself.
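A minimal sketch of the two-phase split described above, added here as an illustration; it is not code from the original post or from any CBP specification. HMAC-SHA256 stands in for the real derivation and cryptogram algorithms, and the function names, the `Issuer` class, the transaction counter (`atc`), the amount field and all sample values are assumptions.

```python
import hashlib
import hmac


def phase1_derive_suk(card_master_key: bytes, atc: int) -> bytes:
    """Cloud side, before the tap: derive a key valid for one counter value."""
    label = b"SUK" + atc.to_bytes(2, "big")
    return hmac.new(card_master_key, label, hashlib.sha256).digest()


def phase2_cryptogram(suk: bytes, un: bytes, amount: int, atc: int) -> bytes:
    """Phone side, at tap time: bind the terminal's UN to the transaction."""
    msg = un + amount.to_bytes(6, "big") + atc.to_bytes(2, "big")
    return hmac.new(suk, msg, hashlib.sha256).digest()[:8]


class Issuer:
    """Verifier: recomputes both phases and accepts each counter value once."""
    def __init__(self, card_master_key: bytes):
        self._key = card_master_key
        self._used_atcs = set()

    def verify(self, cryptogram: bytes, un: bytes, amount: int, atc: int) -> bool:
        if atc in self._used_atcs:  # the SUK for this counter was already spent
            return False
        suk = phase1_derive_suk(self._key, atc)
        expected = phase2_cryptogram(suk, un, amount, atc)
        if not hmac.compare_digest(expected, cryptogram):
            return False
        self._used_atcs.add(atc)
        return True


def demo() -> dict:
    master = bytes(range(32))            # constructed test key
    issuer = Issuer(master)
    suk1 = phase1_derive_suk(master, 1)  # Phase 1: delivered to the phone before the tap
    un = bytes.fromhex("a1b2c3d4")       # constructed UN supplied by the POS at tap time
    tap = phase2_cryptogram(suk1, un, 1250, 1)  # Phase 2: local, no cloud round trip
    suk2 = phase1_derive_suk(master, 2)
    stale = phase2_cryptogram(suk2, bytes.fromhex("00000000"), 1250, 2)
    return {
        "accepted": issuer.verify(tap, un, 1250, 1),
        "replayed": issuer.verify(tap, un, 1250, 1),
        "wrong_un": issuer.verify(stale, un, 1250, 2),
    }


if __name__ == "__main__":
    print(demo())
```

The verifier rejects a second use of the same counter and any cryptogram computed over a UN other than the one the terminal issued, which is what limits the value of a key captured on the phone.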

The thought is to offset the relay threat with in-app security and the sensor-rich Android OS.

It becomes a net neutral from a security standpoint really, IMO.

