Michael J Ganley

1
Michael J Ganley
Smart Cards and EMV
2
Agenda

• Introduction to smart cards
• Smart card infrastructure
• Introduction to EMV
• EMV Cryptography
• Concluding remarks

3
Introduction to Smart Cards

• Introduction to smart cards
• Smart card infrastructure
• Introduction to EMV
• EMV Cryptography
• Concluding remarks

4
What is a Smart Card?

• A smart card (also called a chip card or an
  integrated circuit card (ICC)) is a credit card
  sized plastic card containing a microprocessor.
• A Subscriber Identification Module (SIM), used in
  a mobile phone, is essentially a cut-down smart
  card.
• A smart card may be a contact card or a
  contact-less (proximity) card some cards are of
  both types (combi-card) a contact card requires
  a card reader to allow communication with the
  card.
• A smart card application may be extremely simple
  (essentially a memory card, such as a phone card)
  or very complex (e.g. a credit application)
  cards may be single application or multiple
  application.

5
Smart Card Architecture
6
Smart Card Memory
?1000 times slower to write than RAM
7
Operating Systems

• Most smart cards, today, have proprietary
  operating systems.
• Java Card smart card capable of running a Java
  program.
• Communicates with OS via Java Card Virtual
  Machine.
• Write once, run anywhere concept.
• Multos proprietary OS, endorsed by MasterCard
  (amongst others).
• High levels of security (ITSEC level 6 for some
  chips).
• Demonstrates basic principle of the higher the
  complexity, the lower the assurance level.
• Mondex electronic purse is a Multos application.
• Windows for Smart Cards MicroSoft initiative,
  now largely disappeared.
• Open Platform a global and open multi-industry
  interoperable framework, promoted by Visa
  (amongst others).

8
Smart Card Security (1)

• Physical Security
• Chip construction (micro-technology) protected
  layers
• Address and data lines that logically belong
  together are intermingled in different layers.
• Phantom transistors are embedded in the circuitry
  to make examination more difficult.
• Upper and lower limits for clock frequency hinder
  the examination of the circuitry.
• Logical Security
• The operation of the card is controlled by an
  operating system. No information that is not
  meant to be read out can be discovered from the
  card.
• Firewalling of applications

9
Smart Card Security (2)

• Cryptographic Security
• Encryption
• Digital signature
• Cryptographic isolation of cards
• Access Control
• Password or PIN (card lock after number of
  incorrect attempts)
• Biometrics
• Attacks
• Intrusive attacks (e.g. probing) are possible,
  but extremely expensive and require specialist
  knowledge and equipment.
• Non-intrusive attacks may be possible (e.g.
  timing attacks or differential power analysis)

10
Standards

• ISO 7816-1 Physical Characteristics - defines
  the physical dimensions of contact smart cards
  and their electrical resistance. It also
  describes the physical location of an IC cards
  magnetic stripe and embossing area.
• ISO7816-2 Dimensions and Location of Contacts -
  defines the location, purpose and electrical
  characteristics of the cards metallic contacts.
• ISO 7816-3 Electronic Signals and Transmission
  Protocols - defines the voltage and current
  requirements (protocols T 0 as standard T 1
  available on request T 14 used in Japan).
• ISO 7816-4 Inter-industry Commands for
  Interchange - establishes a set of commands for
  CPU cards across all industries to provide
  access, security and transmission of card data
• ISO 7816-5 Numbering System and Registration
  Procedure for Application Identifiers -
  establishes standards for Application Identifiers
  (AIDs).
• ISO 7816-6 Inter-industry data elements -
  details the physical transportation of device and
  transaction data, answer to reset and
  transmission protocols.

11
Typical Applications (1)
12
Typical Applications (2)

• For example
• Credit/debit (e.g. EMV)
• Electronic purse (e.g. Visa Cash, Mondex,
  Geldkarte)
• Loyalty (e.g. Shell)
• Access control
• Identification
• Transport
• Health
• Entitlement
• Multi-application (for example)
• Malaysia GMPC card identity card, passport,
  health records, driving licence (inc
  endorsements), electronic purse, biometrics.
• Citizen Card transport card, access to local
  services, etc (e.g Aberdeen, Cornwall).

13
The Holy Grail

• The ideal situation is for everybody to have a
  single smart card that contains all necessary
  applications and can be used everywhere.

Dream on!

• Problems include
• Cost
• Lack of infrastructure
• Limitations of smart card technology, competing
  technologies
• Post-issuance updates
• Branding
• etc

14
Smart Card Infrastructure

• Introduction to smart cards
• Smart card infrastructure
• Introduction to EMV
• EMV Cryptography
• Concluding remarks

15
Magnetic Stripe Cards (1)

• It is instructive to consider, initially, the
  infrastructure for magnetic stripe cards and then
  compare that with the smart card infrastructure
  (ignoring the billing side of things).
• For a magnetic stripe card there are essentially
  two aspects to the infrastructure
• Card Issuance
• Data generation, personalisation and issuance
• PIN mailer (in some cases)
• Card Usage
• Transaction (Cardholder, Retailer, Acquirer and
  Issuer)
• Lost or stolen card, forgotten PIN (etc)

16
Magnetic Stripe Cards (2)
17
Smart Cards

• For a smart card there are essentially three
  aspects to the infrastructure
• Card Issuance
• Chip manufacture, card fabrication
• Public Key Infrastructure (in some cases)
• Data generation (some secret), personalisation
  and issuance
• PIN mailer (in some cases)
• Card Usage
• Transaction (Cardholder, Retailer, Acquirer and
  Issuer)
• Post Issuance (Card Management System)
• Lost or stolen card, forgotten PIN (etc)
• Load new applications, update or delete existing
  applications

18
Smart Cards - Issuance
19
Smart Cards - Usage
Security of overall transaction is between the
card and the Card Issuer
20
Smart Cards Post Issuance
Update card via multiple (insecure) channels
21
Introduction to EMV

• Introduction to smart cards
• Smart card infrastructure
• Introduction to EMV
• EMV Cryptography
• Concluding remarks

22
What is EMV?

• Europay, MasterCard and Visa
• EMV2000 Integrated Circuit Card Specification
  for Payment Systems.
• Complies with the ISO 7816 standards
• As well as specifying the functional requirements
  of a payment application, it defines a framework
  for chip based applications. However, is only
  concerned with the Terminal side of transaction
  processing.
• The UK is currently rolling-out EMV-based chip
  cards
• Full compliance by 2005
• Liability issues

23
Context

• EMV2000 Integrated Circuit Card Specification
  for Payment Systems, Version 4.0
• Book 1 ICC to Terminal Interface Requirements
• Book 2 Security and Key Management
• Book 3 Application Specification
• Book 4 Cardholder, Attendant and Acquirer
  Interface Specifications
• Security Architecture based on Book 2
• Full alignment between Europay and MasterCard
• Minor differences between Visa and MasterCard

24
EMV Type Approval

• EMV Type Approval testing is divided into two
  levels
• The Level 1 Type Approval process tests
  compliance with electromechanical
  characteristics, logical interface, and
  transmission protocol requirements defined in
  part 1 of the EMV specifications.
• Level 2 Type Approval tests compliance with
  debit/credit application requirements defined in
  the remainder of the EMV specifications.
• This includes the security requirements,
  including the physical security of devices (Book
  2).

25
EMV Cryptography

• Introduction to smart cards
• Smart card infrastructure
• Introduction to EMV
• EMV Cryptography
• Concluding remarks

26
Cryptographic Techniques
27
EMV Security Techniques

• Security Requirements
• card authentication to terminal
• Static or Dynamic Data Authentication (SDA, DDA)
• transaction integrity
• application cryptogram (MAC)
• secure messaging
• confidentiality (encryption) and integrity (MAC)
• PIN encryption at point of entry (optional)

28
EMV Security Techniques

• Algorithms
• 3-DES, RSA, SHA-1
• possibly new algorithms in the future (e.g.
  ECDSA)
• Mechanisms
• RSA digital signatures and public key
  certificates
• EMV format certificates
• card unique 3-DES keys, derived from Master Keys
• unique session keys for encryption and MAC

29
Public Key Certificate (EMV)
Public Key Certificate
30
Certificate Validation

• Use the public key of the Trusted Third Party
  (that signed the certificate) to encrypt the
  certificate.
• Check EMV format of revealed data (header,
  trailer, certificate format).
• Hash the data (not header, trailer, hash result),
  including public key remainder.
• Validate the calculated hash result against the
  hash result contained in the revealed data.
• Extract the public key (modulus and exponent)
  from the revealed data and the public key
  remainder.

31
Card Authentication

• Before a card transaction can take place, certain
  card data is authenticated by the terminal.
• There are two methods of card authentication,
  both involving RSA and EMV certificates.
• Static Data Authentication (SDA)
• Dynamic Data Authentication (DDA)
• In both cases, a Payment System public key
  certificate is stored in the terminal and an
  Issuer public key certificate is stored on the
  card.
• Payment System certificate is self-signed
• Issuer certificate is signed by the Payment
  System CA
• Payment System CA is the root of the CA
  hierarchy

32
Static Data Authentication (SDA)

• Static data on the card is signed using the RSA
  private key of the Issuer and the result is
  stored on the card.
• Static Authentication Data includes
• Primary Account Number (PAN)
• Application Expiry Date
• Issuer Parameters
• SDA is used to validate that certain data
  elements on the card have not changed since the
  card was issued.
• SDA does not prevent replay attacks.

33
SDA - Initialisation Phase
34
SDA - Authorisation Phase

• Uses PKISS to verify the digital signature of the
  card data

35
Dynamic Data Authentication (DDA)

• DDA provides authenticity and integrity of ICC
  and terminal dynamic application data (signed by
  ICC private key).
• Allows detection of unauthorised alteration of
  ICC data after the card has been personalised.
• Prevents replay attacks and ICC counterfeiting.
• DDA involves a Terminal Unpredictable Number and
  Dynamic ICC Data.

36
DDA - Initialisation Phase
37
DDA - Authorisation Phase
Terminal

• Uses PKCA to retrieve the Issuers PKISS which is
  certified by the CA

• Uses PKISS to retrieve the ICC PKIC which is
  certified by the Issuer

• Uses PKIC to verify the digital signature on the
  card and terminal data

• Digital signature on the UN and the ICC Dynamic
  Data generated using SKIC

38
PIN Encryption (Optional)
39
Offline PIN Encryption

• Offline PIN encryption is an optional process in
  EMV which provides for encryption of entered PIN
  between a secure PIN Pad (may be integrated in
  Terminal) and an ICC.
• A Secure PIN Pad is a tamper-evident device
• Use RSA public key encryption with a choice of
  keys
• ICC Public Key (PKIC), or
• ICC PIN Encipherment Public Key (PKPE)
• PKIC is the same key as used in DDA PKPE is a
  different public key (held in certified form) on
  the card.

40
Offline PIN Processing
Cardholder enters PIN
PIN Pad generates random padding
Create data block to include PIN, UN and random
padding and encrypt with PKIC or PKPE
Decrypt Encrypted PIN Data, using SKIC or SKPE
and validate UN and PIN
41
Transaction Security
42
Transaction Security

• EMV transaction security is based on the use of
  3-DES session keys, derived using certain random
  data and an ICC Master Key.
• The ICC Master Key is derived from the card PAN
  and PAN Sequence Number and an Issuer Master Key.
• The ICC Master Key is unique for each card and is
  stored in the card.
• The Issuer Master Key is stored at the
  Authorising host system, which calculates the ICC
  Master Key and (hence) the session keys
  on-the-fly.
• Different Issuer Master Keys are used for
  transaction integrity and for secure messaging.

43
ICC Master Key Derivation

• Issuer Master Key (double length)

44
ICC Master Keys

• An ICC may hold up to four ICC Master Keys, as
  follows, each derived from the corresponding
  Issuer Master Key

45
Session Key Derivation

• Session keys are derived from the appropriate ICC
  Master Key and transaction or unpredictable data.
• For example, when generating an Application
  Cryptogram Session Key (SKAC), the ICCs
  Application Transaction Counter (ATC) and an
  Unpredictable Number (UN) supplied by the
  terminal are used as input (see next slide).
• Session keys for secure messaging are derived
  using the same technique, but with different
  random data.
• The ICC Dynamic Number (IDN) is derived from the
  IMKIDN by performing a straight 3-DES encryption
  of the ATC and UN (suitably padded).

46
AC Session Key Derivation
47
Application Cryptogram Calculation

• Application Cryptogram (AC) is simply a MAC
  calculated with a 3-DES session key (derived from
  the ICC Master Key).
• Algorithm defined in ANSI X9.19 and ISO 9797-1
• SK(L) Session Key (left half)
• SK(R) Session Key (right half)

48
Secure Messaging

• Secure messaging is used between the Issuers
  host system and the smart card, to allow (for
  example) update of certain card parameters,
  application unblock or PIN change/unblock.
• Secure messaging provides data integrity and
  origin authentication (via a MAC) and
  confidentiality (encryption).
• Encryption uses 3-DES Cipher Block Chaining
  (CBC).
• MAC calculated as previously described.
• Secure messaging session keys are derived for
  both services, using the technique previously
  described (using IMKSMI and IMKSMC).

49
Transaction Processing
50
Transaction Processing

• Once application selection, card authentication
  (SDA or DDA), optional PIN verification (etc)
  have taken place, then transaction processing
  begins.
• The basic security mechanism for transaction
  processing is the Application Cryptogram (AC,
  calculated using the session key SKAC).
• There are three types of AC
• Transaction Certificate (TC), for offline
  processing
• Application Authentication Cryptogram (AAC), for
  rejected transaction
• Authorisation Request Cryptogram (ARQC), for
  online authorisation

51
Application Cryptogram Generation
Terminal creates Terminal Data (Amount, Date, ,
Terminal Verification Results) and Unpredictable
Number
ICC calculates AC session key (SKAC), using ATC
and UN
ICC calculates AC on Terminal Data and ICC Data
(Card Verification Results) using SKAC
Terminal processing continues accordingly
52
ARQC and Issuer Processing
Host calculates IMKAC using MKAC and ICC PAN/PAN
Sequence Number
Host calculates SKAC using IMKAC and ATC/UN
Host verifies ARQC and generates an ARPC Response
Code (ARC)
Terminal processing continues accordingly
53
ARPC Verification
ICC verifies ARPC, using IMKAC, ARQC and ARC
Terminal processing continues accordingly
ICC calculates AC (either TC or AAC) using
SKAC TC transaction successfully completed AAC
transaction rejected
54
Concluding Remarks

• Introduction to smart cards
• Smart card infrastructure
• Introduction to EMV
• EMV Cryptography
• Concluding remarks

55
Smart Cards

• Smart cards offer a secure alternative to the
  ubiquitous magnetic stripe card.
• The infrastructure to support smart cards is
  still a long way off, so the migration will take
  many years.
• Multi-application cards are probably the way
  forward (the Holy Grail), but there are many
  issues to be addressed.
• The combination of chip and biometrics will
  provide high levels of protection against fraud
  (but there are issues with civil liberty and
  biometric type 1/type 2 errors).
• EMV in the UK is an excellent starting point.

56
Questions?