CVK PAIR?

Feb 9, 2010 at 9:11 PM

Hello, I have already downloaded the sim and have complied it in VS 2008 and have connected to it, and it works great. I am just wondering if there is any way to find out what CVK pair was used to generate the CVV for the given account number. I have the PAN, the EXPDATE, the SVC, and the CVV(generated using Generate VISA CVV), and I am wondering if I can use this info to find out what CVK pair was used to generate the CVV. Now obviously I already know what CVK pair was used for the CVV i have just generated but I am wondering if there is a process to do this in reverse.

Thanks, Mitur

Coordinator
Feb 9, 2010 at 10:27 PM

CVVs are the first three numerical digits of an encrypted block which is the result of two DES operations mixed with a XOR operation. It's obviously non-trivial to generate the CVV without knowing the key otherwise CVVs would have become totally useless and obsolete. 

The only way to find the key would be to break it. To generate a CVV, one DES operation uses a single-length key and the other uses a double-length key. Attacks have been known to exist for Triple-DES, especially when triple-length keys are not used (see http://en.wikipedia.org/wiki/Triple_des#Security and http://people.scs.carleton.ca/~paulv/papers/Euro90.pdf). These attacks are not always practical but they become increasingly possible due to the large-scale availability of large amounts of RAM and processing power of new processors and video card GPUs (see http://www.newscientist.com/article/dn12825). In the case of CVV, matters are a bit complicated by the fact that CVV is comprised of the first three numerical digits of the DES/XOR operation, so the block 2FFF 3FFF 4FFF 5FFF yields a CVV equal to 234 - same as the block F2FF FF3F FFF4 5FFF.