Gap
EMV Generate ARQC uses AES-128 session keys (Option A derivation, AES-CMAC). AWS Payment Cryptography verify_auth_request_cryptogram rejects AES-128 E0 master keys — it requires AES-256 E0 keys. As a result, ARQC output cannot currently be cross-checked against APC.
APC cross-check status
❌ BLOCKED — APC rejects AES-128 E0 keys for this endpoint. CyberChef's AES-CMAC + Option A session-key derivation is standard-compliant; this is an APC key-size constraint.
Work required
- Determine whether
EMV Generate ARQC needs to support AES-256 master keys and AES-256 session key derivation
- If yes: extend the operation to accept a 256-bit E0 key and derive accordingly
- Create an AES-256 E0 key in APC, cross-check the ARQC output
- Add cross-checked test vectors to
Payment.mjs
Gap
EMV Generate ARQCuses AES-128 session keys (Option A derivation, AES-CMAC). AWS Payment Cryptographyverify_auth_request_cryptogramrejects AES-128 E0 master keys — it requires AES-256 E0 keys. As a result, ARQC output cannot currently be cross-checked against APC.APC cross-check status
❌ BLOCKED — APC rejects AES-128 E0 keys for this endpoint. CyberChef's AES-CMAC + Option A session-key derivation is standard-compliant; this is an APC key-size constraint.
Work required
EMV Generate ARQCneeds to support AES-256 master keys and AES-256 session key derivationPayment.mjs