Basically the title but in more broad context: is there a way for the terminal to verify that the AIP is the one really sent by the card and not replaced in man-in-the-middle attack?
Is Application Interchange Profile (AIP) included in CDA?
1.2k views Asked by Ognyan At
2
There are 2 answers
4
On
There could be two ways to get AIP apart from GPO response:
During Static Data Authentication you can retrieve the value of AIP from ICC public key certificate (As mentioned above). But if Offline Data Authentication is not supported ( profile is online only ) then this trick will not work may be.
You can simply send Get Data Command for AIP ( Tag 82 ) to get the value of AIP (should work most of the time).
Short answer - yes. SDA is 'embedded' in the ICC Public Key recovery process. AIP will always be included if SDA Tag list is present in the card. You can find details in EMV Book 2 chapter 6.4