Is Apple Pay token transactionId globally unique?
I'm investigating the possibility of using the Apple Pay transactionId to protect against replay attacks across the same payment gateway. The defense should rely on a field that participates in the signature and is unique.
But the Payment Token Format Reference describes paymentData.header.transactionId
as
Transaction identifier, generated on the device.
That is not enough to treat it as globally unique.
Below is a test example of an ApplePayJS token:
{
"paymentData": {
"version": "EC_v1",
"data": "...",
"signature": "...",
"header": {
"ephemeralPublicKey": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6jY12R9PoL7bzaC3/ibs6q6+g/cqjSkiO3GVFld2NVUA6kRlq0iJRT+XzfmGFvRs/G2qwgmWY8fKu7p6Ktgxug==",
"publicKeyHash": "AJiEM3d+czut7s1t4QdtRBPjSOxw0D6iWSp1MUdXueM=",
"transactionId": "f8f0c804922303decba1a8a4f7c503df1a6314e44e8db5ae7eb6b7fe0323513b"
}
},
"paymentMethod": {
"displayName": "MasterCard 1471",
"network": "MasterCard",
"type": "debit"
},
"transactionIdentifier": "F8F0C804922303DECBA1A8A4F7C503DF1A6314E44E8DB5AE7EB6B7FE0323513B"
}
In practice it always has a top-level transactionIdentifier
field that matches the nested paymentData.header.transactionId case-insensitively.
The docs say:
transactionIdentifier
A unique identifier for this payment.
This identifier is suitable for use in a receipt.
A Google search also turned up How do I process returns with Apple Pay:
In Japan, you can also use the transaction ID on the receipt to find the purchase and process the return.
Also, transactionId
is 64 hex characters, or 32 full bytes, long. That is longer than the Unique Transaction Identifier format, so there is enough room for it to be truly globally unique.
Still looking for more direct, reliable evidence.
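One way to build the replay check the question is after, as an added example that is not part of the original post or of any Apple code. It assumes the token's PKCS#7 signature over the header has already been verified (not shown), normalizes the signed paymentData.header.transactionId, cross-checks it against the unsigned top-level transactionIdentifier (case-insensitively, as observed above), and records first-seen ids. Because global uniqueness is the open point, the dedup key is scoped to a hypothetical merchant identifier: uniqueness within one gateway's own scope is all a replay check needs. The in-memory set and the merchant names are assumptions for illustration; production code would use a unique index in a durable store.

```python
"""Replay check keyed on the Apple Pay transactionId (added example).

Assumes the token has already passed signature verification: a replay check
is only meaningful on a field whose integrity the signature protects, and
paymentData.header.transactionId is such a field; the top-level
transactionIdentifier is an unsigned convenience copy.
"""
import copy
import re
import threading

# transactionId on the page is 64 hex characters (32 bytes); reject anything else.
_HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


def normalize_transaction_id(token: dict) -> str:
    """Return the lowercase signed transactionId after cross-checking both copies.

    Raises ValueError if the signed id is malformed or the unsigned top-level
    transactionIdentifier disagrees with it (case-insensitive comparison).
    """
    signed_id = token["paymentData"]["header"]["transactionId"]
    if not _HEX64.match(signed_id):
        raise ValueError("transactionId is not 64 hex characters")
    top_level = token.get("transactionIdentifier")
    if top_level is not None and top_level.lower() != signed_id.lower():
        raise ValueError("transactionIdentifier does not match signed header transactionId")
    return signed_id.lower()


class ReplayGuard:
    """First-seen store for (merchant, transactionId) keys.

    In-memory set for illustration (assumption); a real gateway would enforce
    the same key with a unique constraint in a durable store.
    """

    def __init__(self) -> None:
        self._seen: set = set()
        self._lock = threading.Lock()

    def check_and_record(self, merchant_id: str, token: dict) -> bool:
        """True if the token is new for this merchant, False if it is a replay."""
        key = (merchant_id, normalize_transaction_id(token))
        with self._lock:
            if key in self._seen:
                return False
            self._seen.add(key)
            return True


# Constructed sample: the token from the question, "data"/"signature" elided.
SAMPLE_TOKEN = {
    "paymentData": {
        "version": "EC_v1",
        "data": "...",
        "signature": "...",
        "header": {
            "ephemeralPublicKey": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6jY12R9PoL7bzaC3/ibs6q6+g/cqjSkiO3GVFld2NVUA6kRlq0iJRT+XzfmGFvRs/G2qwgmWY8fKu7p6Ktgxug==",
            "publicKeyHash": "AJiEM3d+czut7s1t4QdtRBPjSOxw0D6iWSp1MUdXueM=",
            "transactionId": "f8f0c804922303decba1a8a4f7c503df1a6314e44e8db5ae7eb6b7fe0323513b",
        },
    },
    "paymentMethod": {"displayName": "MasterCard 1471", "network": "MasterCard", "type": "debit"},
    "transactionIdentifier": "F8F0C804922303DECBA1A8A4F7C503DF1A6314E44E8DB5AE7EB6B7FE0323513B",
}


def with_top_level(token: dict, value: str) -> dict:
    """Deep copy of token with the unsigned top-level id replaced (test helper)."""
    altered = copy.deepcopy(token)
    altered["transactionIdentifier"] = value
    return altered


def is_rejected(token: dict) -> bool:
    """True if normalize_transaction_id refuses the token."""
    try:
        normalize_transaction_id(token)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Run the scenarios a practitioner would want to see; returns the outcomes."""
    guard = ReplayGuard()
    return {
        "first": guard.check_and_record("merchant.example", SAMPLE_TOKEN),   # accepted
        "replay": guard.check_and_record("merchant.example", SAMPLE_TOKEN),  # rejected
        "other_merchant": guard.check_and_record("other.example", SAMPLE_TOKEN),
        "tampered_rejected": is_rejected(with_top_level(SAMPLE_TOKEN, "00" * 32)),
    }


if __name__ == "__main__":
    print(demo())
```

The mismatch check matters because the top-level transactionIdentifier is outside the signature: a gateway that keys its idempotency store on the unsigned copy could be fed a fresh-looking id on a replayed signed payload, so the store is keyed on the signed header value and the unsigned copy is only allowed to agree with it.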