Applied Cryptography Spring 2016 Payment cards. Some books about payment cards.


1 Applied Cryptography Spring 2016 Payment cards

2 Some books about payment cards

3

4 History of Plastic Cards Plastic cards initially used for ID purposes. Plastic card used for payment issued by Diners Club, 1950. Secured against forgery and tampering by: embossing and tipping; holograms and micro printing; invisible patterns using fluorescent fibers; signature panel. Unfortunately, security is not foolproof.

5 Card Taxonomy SOURCE: BURGER, CAROLL & ASSOCIATES

6 Magnetic Stripe Cards Stores data on magnetic stripes in machine-readable form. Allows automation. Minimizes paper utilization. How Magnetic Stripe Cards Work: Each track is divided into domains. Flux reversal within a domain = 1. No flux reversal within a domain = 0. Track shown below = 0 1 1 0 0 1 0 1

7 Magnetic Stripe Cards: Issues Data Carrying Capacity: Each domain in a track is one-75th of an inch. Typical length of a track is around 4 inches. Each magnetic stripe card has three such tracks. Data such a card can carry is approximately 140 bytes. Security: Low. Data world readable. Card readers available for less than $50. Data world writable. Encoders available for $1000. Skimming. Corruption of data in magnetic fields.

8 Magnetic Stripe Cards There are three tracks on the magstripe. Each track is about one-tenth of an inch wide. The ISO/IEC standard 7811, which is used by banks, specifies: Track one is 210 bits per inch (bpi), and holds 79 6-bit plus parity bit read-only characters. Track two is 75 bpi, and holds 40 4-bit plus parity bit characters. Track three is 210 bpi, and holds 107 4-bit plus parity bit characters. Your credit card typically uses only tracks one and two. Track three is a read/write track (which includes an encrypted PIN, country code, currency units and amount authorized), but its usage is not standardized among banks.

9 Magnetic Stripe Cards The information on track one is contained in two formats: A, which is reserved for proprietary use of the card issuer, and B, which includes the following: Start sentinel - one character Format code="B" - one character (alpha only) Primary account number - up to 19 characters Separator - one character Country code - three characters Name - two to 26 characters Separator - one character Expiration date or separator - four characters or one character Discretionary data - enough characters to fill out maximum record length (79 characters total) End sentinel - one character Longitudinal redundancy check (LRC) - one character

10 Magnetic Stripe Cards The format for track two, developed by the banking industry, is as follows: Start sentinel - one character Primary account number - up to 19 characters Separator - one character Country code - three characters Expiration date or separator - four characters or one character Discretionary data - enough characters to fill out maximum record length (40 characters total) LRC - one character

11 How to store cryptographic keys? IBM 4758 PCI Cryptographic Coprocessor

12 Smart Cards Magnetic stripe 140 bytes, cost $0.20-0.75 Memory cards 1-4 KB memory, no processor, cost $1.00-2.50 Optical memory cards 4 megabytes read-only (CD-like), cost $7.00-12.00 Microprocessor cards Embedded microprocessor (OLD) 8-bit processor, 16 KB ROM, 512 bytes RAM Equivalent power to IBM XT PC, cost $7.00-15.00 32-bit processors now available Intelligent, active devices with defenses

13 Smart Card Structure Contacts (8) SOURCE: SMART CARD FORUM Epoxy Microprocessor Contacts Card (Upside-down) Contacts:

14 Old Smart Card Architecture SOURCE: SMART CARD FORUM EEPROM: Electrically Erasable Programmable Read-Only Memory

15 Vcc : power supply RST : reset Vpp : EEPROM writing voltage (still used?) CLK : clock GND : ground I/O : input/output SC contacts (ISO/IEC 7816 part 2)

16 SC contacts (8-pin and 6-pin versions)

17 8 (16, 32) bit CPU Often at 3.5795 or 4.9152 MHz RAM : 128 bytes- 16 Kbytes ROM : 1 - 32 Kbytes Contains the code EEPROM : 1 - 32 Kbytes Contains the data A small part are OTP (One Time Programmable) bytes Optional: Random Noise Generation, sensors, security logic, Modular Exponentiations Unit or Co-processor What are Smart Cards?

18 Component Based Classification ROM I/O Interface EEPROM CPU Security Logic RAM Chip Card Architecture

19 Interface Based Classification Vcc Reset Clock Gnd Vpp I/O Contact Cards: Require insertion into the reader. 6-8 gold plated contacts Contact cards further divided into: Landing Contacts Sliding Contacts Limitations Contacts get worn out Card Tearing Electrostatic Discharges

20 Interface Based Classification Contactless Cards: No insertion required. Data/Power transfer over RF via antenna inside. Reading Distance: few cms to 50 cms. Used when transaction has to be carried out quickly. Advantages Higher reliability as lesser moving parts involved. Longer Life, due to lesser wear and tear. Require Lesser Maintenance Octopus card Used in Hong Kong metro

21 Interface Based Classification Contactless Cards: Disadvantages Expensive: Cost can go up to $20 or more. User Fear: Transaction might get carried out without knowledge. Unsuitable when large data transfer occurs. Time too short Used in: Transport Industry Access Control Wherever transaction time is low.

22 Interface Based Classification Contactless Cards - current state: The standard for contactless smart card communications is ISO/IEC 14443, dated 2001. It defines two types of contactless cards ("A" and "B"), allows for communications at distances up to 10 cm. There had been proposals for ISO 14443 types C, D, E and F that have been rejected by the International Organization for Standardization. An alternative standard for contactless smart cards is ISO 15693, which allows communications at distances up to 50 cm.

23 Interface Based Classification Contactless Cards - current state: Visa Contactless (Quick VSDC - "qVSDC", Visa Wave, MSD) MasterCard: (PayPass Magstripe, PayPass MChip) American Express: (Express Pay) Roll-outs started in 2005 in USA (Asia and Europe - 2006). Contactless (non PIN) transactions cover a payment range of ~$5-50. There is an ISO 14443 PayPass implementation. All PayPass implementations may be separated on EMV and non EMV.

24 Interface Based Classification Contactless Cards - current state: Non-EMV cards work like magnetic stripe cards. This is a typical card technology in the USA (PayPass Magstripe and VISA MSD). The cards do not control the amount remaining. All payments pass without a PIN and usually in off-line mode. The security level of such a transaction is no greater than with a classical magnetic stripe card transaction. EMV cards have two interfaces (contact and contactless) and they work as a normal EMV card via the contact interface. Via the contactless interface they work almost like an EMV card (card command sequence adapted to contactless features such as low power and short transaction time).

25 Interface Based Classification Hybrid or Combo Cards Cards which can be used as either Contact Cards or as Contactless Cards Ways this can be done: Card could have two interfaces: One for contact readers, other for contactless readers. Or a contact card can be slipped into a pouch which has battery and antenna. Not too prevalent, might be used in future when multi application cards are introduced.

26 OS Based Classification Smart Card Operating Systems (SCOS) are placed on the ROM and usually occupy less than 16 KB. SCOS handle: File Handling and Manipulation. Memory Management. Data Transmission Protocols. Various SCOS available are: Cyberflex, MultOS, MFC, StarCOS, Oscar, JavaCard. Java Card aims at defining a standard smart card computing environment allowing the same Java Card applet to run on different smart cards, much like a Java applet runs on different computers. Widely used in SIM cards (used in GSM phones) and ATM cards.

27 Smart Card Components Carrier: The basic material of which the card body is made. Carrier should be : Resistant to mechanical failure. Able to withstand high temperatures. Cheap PVC [Poly Vinyl Chloride], ABS [Acrylonitrile Butadiene Styrene] and PETP [Poly Ethylene Terephthalate] often used. PVC: All rounder ABS: Brittle but withstands higher temperatures PETP: High flexibility

28 Smart Card Components Processor or the CPU Currently all processors are 8 bit ones with CISC architecture. Typical Clock Speeds: 5 MHz. Reasons: Card Companies want proven modules. Lower power consumption. Area limitations. Future: Will slowly move to 32 bit architecture due to JavaCards.

29 Smart Card Components ROM: Read Only Memory Used for storing fixed programs. Holds the SCOS. Typically varies from 2KB to around 16 KB. Once written, cannot be changed. Occupies the least area. PROM: Programmable Read Only Memory Used for loading card serial number. Very small, typically just 32 bytes.

30 Smart Card Components EEPROM: Electrically Erasable Read Only Memory Used for storing data that might change. Similar to a HDD. Holds various applications and their data. Can be read or written to subject to permissions. Typically varies from 2KB to 32 KB depending on need. RAM: Random Access Memory Used as temporary storage. Erased on power off. Typically varies between 128 Bytes to 512 Bytes.

31 Smart Card Components I/O Interface: Input Output Interface. Controls data flow to and from the card. Flow occurs one bit at a time in a half duplex manner. Typical data flow rate is 9600 bits/sec. Smart Card Area Restrictions: Reasons for the 25 mm² restriction. How it affects component selection. Area required to hold 1 bit with various memories: ROM 10 µm x 10 µm = 100 µm²; EEPROM 20 µm x 20 µm = 400 µm²; RAM 40 µm x 40 µm = 1600 µm²

32 Smart Card Readers Smart Card by itself is useless. Requires a reader. Reader is often called the Read-Write Unit as it can read as well as write to the card. Readers of two types: Insertion Readers: Cheaper, but manual. [Card Swipe Machine] Motorized Readers: Automatic card capture and release. Costly. [Bank ATM Machines] Cost of a reader varies from $10 to $100. Readers often come with keypad for entry of PIN.

33 Smart Card Standards Standards necessary to encourage interoperability. Main Standards connected to Smart Cards: ISO 7816 EMV GSM OCF

34 Smart Card Standards ISO 7816 Part I: Follow on of ISO 7810. Defines Physical Characteristics of a Smart Card. Physical Dimensions. Response to X-Rays and UV Light. Mechanical Strength. Electrical Resistance of the Contacts. Response to electromagnetic fields and static electricity.

35 Smart Card Standards ISO 7816 Part II: Follow on of ISO 7811. This document describes: Dimensions of the contacts. (2mm by 1.7 mm) Locations of the contacts. Location of the embossing. Location of the magnetic stripe. The arrangement of the chip.

36 Smart Card Standards ISO 7816 Part III: Probably the most important specification document. This document describes: The communication protocol. Functions of various contacts on the smart card. Basic electrical characteristics. Structure of Answer to Reset. When manufacturers claim to be ISO 7816 compliant, they basically comply with Part I, II and III.

37 “Smart” Credit Cards The EMV standard Europay / Mastercard / Visa Theory is to permit cards from a variety of issuers to be accepted by a common Credit Authorisation Terminal Credit, debit and stored value functionality Supposedly open specifications Support for other “applications” No current support for Internet payments

38 Smart Card Standards EMV standard is a set of three documents covering: Design Aspects of Smart Cards Design Aspects of Smart Card Terminals Debit/Credit Applications on Smart Cards. First EMV Document covers: Electromechanical Properties Card Session Answer to Reset and Transmission Protocols. Similar to ISO 7816 (Part I and II)

39 Smart Card Standards Second EMV Document covers: General Physical Characteristics of the Card Terminal. Security. Card Holder and Acquirer Interface. Software and Data Management. Third EMV Document Covers: Transaction flow. Exception Handling. If you are really interested check out: http://www.mastercard.com/emv/

40 Life cycle of smart card Divided into five phases (on most smart cards) These phases justified by Limitation of transfer and access of data is incremental throughout different phases Different areas of smart card protected throughout the life cycle

41 Personalisation System Chip Manufacturer Card Fabricator PIN Mailer Card Card Issuer Pre-Personalisation Process (P3) Card Data Unpersonalised Card Chip Raw Materials Smart cards - Issuance

42 Fabrication phase Carried out by the chip manufacturers. A Fabrication Key (KF) is added to protect the chip; it is unique and is derived from a master manufacturer key. Fabrication data will be written to the circuit chip.

43 Pre-personalisation phase Done by Card manufacturers Chip will be mounted on the plastic card The connection between the chip and the printed circuit will be made Fabrication key (KF) changed to Personalisation key (KP) Personalisation lock Vper No further modification of the KF Physical memory access instructions will be disabled Access of the card can be done only by using logical memory addressing

44 Personalisation phase Conducted by the card issuers Data files contents and application data are written to the card Information of card holder stored to the chip (PIN, Unlocking PIN) Utilisation lock Vutil No further modification of the KP

45 Card Issuer Acquirer Terminal Security of overall transaction is between the card and the Card Issuer Smart Cards - Usage

46 Utilisation phase Phase for the card owners use of the card Access of information on the card will be limited by the security policies set by the application

47 Issuer Card Management System and P3 Home PC (via Internet) ATM PoS Terminal Mobile Phone Update card via multiple (insecure) channels Smart Cards – Post Issuance

48 End-of-Life phase Two ways: 1. invalidation lock All operations will be disabled (except read) 2. Control system irreversibly blocks access All operations will be disabled

49 Logical attacks Starting point: EEPROM (electrically erasable programmable read only memory) write operations can be affected by unusual voltages and temperatures information can be trapped by raising or dropping the supplied voltage to the microcontroller

50 Physical attacks Reverse engineering: HNO₃ etching and probing, UV light to erase EEPROM, etching away chip layers, Focused Ion Beam, … Danger: real, even the best SCs won’t be safe after more than 3 or 4 years. Fault introduction (change clock or power, microwaves): Bellcore attack (Boneh, DeMillo, Lipton - EUROCRYPT ‘97), Differential Fault Analysis (Biham, Shamir - CRYPTO ‘97). Danger: were announced as being theoretical; however, practical attacks are said to be upcoming.

51 Physical attacks Electromagnetic radiation (Van Eck effect). See http://www.jastech-emc.com/paper1.htm Timing attacks (Kocher - CRYPTO ‘96). With or without Chinese Remainder Theorem. Danger: very real for unprotected cards. Power Analysis (Kocher - ‘98): Simple Power Analysis, Differential Power Analysis. See http://www.cryptography.com/dpa/index.html Danger: see below...

52 Given enough resources (time, knowledge, equipment, money), no smart card is secure. Technology to analyze IC’s advances at the same speed as IC development itself. So: Cost for security loss by fraud Maximize the cost to break in and minimize the consequences of such an attack. In general

53 Simple Power Analysis The power consumption $P_{total}$ during each clock cycle can approximately be divided into 3 parts (constant, random, data dependent): $P_{total} = P_{instruction} + P_{noise} + P_{data}$. And as can be seen on the next image: $P_{instruction} > P_{noise} > P_{data}$ ($P_{data}$ not visible). Which means that groups of instructions and even individual instructions can be distinguished. If it would be possible to distinguish between a square and a multiply operation in RSA, one single power measurement will reveal the private key.

54 Differential Power Analysis The power consumption during a cryptographic operation is measured. Is a statistical attack (-> many measurements). Applicable for all crypto algorithms and smart cards (when no special measures are taken). Goal: find the key that is used in the algorithm. Requirements: digital oscilloscope, smart card reader, computer, software to interface the reader and scope. Difference with SPA: the attack relies on differences in $P_{data}$

55 Countermeasures Hardware solutions: algorithm in hardware; reduce power consumption; increase noise. Software solutions: add random instructions to desynchronize, enough that resynchronization (by software) fails; don’t let the instructions depend on data or key (e.g. conditional jumps if data bits are set) (SPA only); if possible, reduce the number of times the algorithm can be executed; pay close attention to the beginning and end of the algorithm (DPA only).

56 Current status Most unprotected cards are expected to be vulnerable. No perfect solution has been found yet, and none is expected (soon). Smart card companies do investigations and implement their solutions. These solutions are often kept secret, also because of the security this offers. There are not many third-party checks of these solutions, or they are done without the inside information needed for thorough checking.

57 Advantages with Smart-Cards Can have secret data Data used for internal computations and never revealed in clear Example: PIN and keys can be stored on card Can process data and save information Count transactions Check PIN and count unsuccessful tries Different behavior depending on geographic location Cryptographic functions Uses the secret keys

58 New Functionality Off-line risk management Can be configured at an individual level Off-line card-holder verification PIN stored on card Resistant to skimming attacks Transactions cryptographically authenticated Reduces fraud rate

59 Off-line PIN Increases speed for low-amount transactions PIN is checked by card PIN is never revealed outside card. After a predefined number of tries, the PIN functionality is blocked. Can be sent to card in clear or encrypted Depends on card and terminal functionality.

60 Card Authentication to Terminal Authentication to prevent use of fake cards Certifies that the card was not modified after issuance Prevents alteration of risk-related parameters Two types – static and dynamic Static – no special requirements on card. Does not stop skimming attacks. (Skimmed cards will be detected on-line.) Dynamic – requires RSA functionality on card. Prevents skimming attacks.

61 Online Authorization If card or terminal wants to go online, the transaction is verified online On-line transactions are digitally authenticated Prevents use of fake cards Prevents the merchant from re-using the card number The response from the issuer is digitally authenticated Important to avoid, e.g., wrongful change of PIN and update of risk parameters.

62 Smart-card Transaction Flow (Card, Terminal, Acquirer, Issuer) Card – terminal interaction. On-line authorization (conditional). Card – terminal interaction (if after online authorization). Transaction data transfer (possibly including declined transactions’ info)

63 Smart-card Transaction Flow [From K.Nguyen]

64 Smart-card Transaction Flow [From C.Radu]

65 Smart-card Transaction Flow [From C.Radu]

66 Smart-card Transaction Flow [From C.Radu]

67 Smart-card Transaction Flow [From C.Radu]

68 Smart-card Transaction Flow [From C.Radu]

69 Smart-card Transaction Flow (Card, Terminal, Acquirer, Issuer) Card – terminal interaction. On-line authorization (conditional). Card – terminal interaction (if after online authorization). Transaction data transfer (possibly including declined transactions’ info)

70 Interaction between Card and Terminal Card authenticates itself to the terminal. Offline risk control is used to decide whether to go online or not. If the card wants to go online, the transaction is checked online. If the terminal wants to go online, the transaction is checked online.

71 Smart-card Transaction Flow (Card, Terminal, Acquirer, Issuer) Card – terminal interaction. On-line authorization (conditional). Card – terminal interaction (if after online authorization). Transaction data transfer (possibly including declined transactions’ info)

72 Interaction between card and issuer If the decision is to go online, a message is sent to the issuer Message includes information on the interaction between card and terminal Issuer checks that the message is cryptographically correct The issuer either approves or declines the authorization The response from the issuer can be cryptographically authenticated

73 Smart-card Transaction Flow (Card, Terminal, Acquirer, Issuer) Card – terminal interaction. On-line authorization (conditional). Card – terminal interaction (if after online authorization). Transaction data transfer (possibly including declined transactions’ info)

74 Interaction between Card and Terminal 2 Based on the result from the issuer, transaction is either approved or declined.

75 Smart-card Transaction Flow (Card, Terminal, Acquirer, Issuer) Card – terminal interaction. On-line authorization (conditional). Card – terminal interaction (if after online authorization). Transaction data transfer (possibly including declined transactions’ info)

76 Interaction between card and issuer 2 If the transaction is approved, a message containing transaction data is sent to the issuer. In case of a dispute, this message can be used by the issuer to prove that the transaction is valid. Same function as a signature for magnetic cards.

77 Post-issuance Adaptations Used to address change in risk Student finds permanent work – risk decreases Client misses a payment for a loan – indicates increased risk Used to change settings PIN change at ATM React to new circumstances Block application if card number in stop-list

78 Scripts Sent from host to card at online transaction Contains information to be processed by card Standard commands include Change value of a risk parameter Change off-line PIN Block application Unblock application

79 EMV – Europay, MasterCard, Visa Necessary to have standards for smart-cards Physical size Electrical connection API for payment applications Any smart-card must be usable anywhere Europay, MasterCard and Visa have created specifications named EMV for this purpose

80 EMV and Cryptography EMV specifies the principles for authentication: Card – terminal, static or dynamic. Card – issuer, using MACs. Suggests algorithms for computation of MAC. Providers may use other algorithms.

81 Parts That Need to Be Secured Card – terminal authentication Card – issuer interaction Scripts sent to card by issuer

82 Card – Terminal Authentication Negotiation of authentication methods

83 Card – Terminal Authentication PIN authentication

84 PIN verification [From C.Radu]

85 Card – Terminal Authentication The issuer has a certificate signed by the payment net (VISA, Europay or MasterCard) The payment net acts as CA (Certificate Authority) The issuer signs its card with its private key and puts the signature on the card The issuer’s public key certificate is placed on the card The terminal knows the root (CA) certificate Using the root certificate, the terminal can verify the signature presented by the card is valid.

86 Overview of Keys Used Payment net Issuer Signed certificate Root certificate Card certificate Certificate verified against root certified during transaction

87 Static Data Authentication (SDA) On card: Each card is equipped with a signature on important card data. No secret key on card. Data signed include card number, expiration date, verification methods etc. The signed data is sent to the terminal when the transaction is started. Same data and signature used every time (therefore static).

88 SDA - Initialisation Phase (Issuer, Certification Authority, Acquirer, Payment System, IC Card, IC Terminal). Issuer: private key SK_ISS, public key PK_ISS. Certification Authority: private key SK_CA, public key PK_CA. PK_ISS certified with SK_CA. Card static data. PK_CA distributed to Acquirer for loading in Terminal.

89 SDA - Authorisation Phase (IC Card, IC Terminal). Card provides to terminal: card static data; card data with Issuer’s digital signature; PK_ISS certified by Certification Authority (CA). Terminal: uses PK_CA to retrieve the Issuer’s PK_ISS, which is certified by the CA; uses PK_ISS to verify the digital signature of the card data. Result: Signature OK.

90 SDA [From C.Radu]

91 SDA

92 Signed Static Application Data, Generation PAN, Sequence number, Verification methods, Other parameters... Hash value. Header, Data Authentication Code (DAC). Encrypt with issuer private key. Signed Static Application Data

93 Signed Static Application Data, Verification PAN, Sequence number, Verification methods, Other parameters... Hash value. Header, Data Authentication Code (DAC). Decrypt with issuer public key. Signed Static Application Data

94 Dynamic Data Authentication (DDA) On card: Each card is equipped with a private key and a public key. The public key is in a public key certificate signed by the issuer. At transaction time, the card signs random data with its private key. The terminal checks the signature and verifies the certificate chain. Different data used every time (therefore dynamic).

95 DDA - Initialisation Phase (Issuer, Certification Authority, Acquirer, Payment System, IC Card, IC Terminal). Issuer: private key SK_ISS, public key PK_ISS. Certification Authority: private key SK_CA, public key PK_CA. ICC: private key SK_IC, public key PK_IC. PK_ISS certified with SK_CA. PK_IC certified with SK_ISS. PK_CA distributed to Acquirer for loading in Terminal.

96 DDA - Authorisation Phase (IC Card, IC Terminal). Terminal provides to card: Unpredictable Number (UN) (INTERNAL AUTHENTICATE). Card provides to terminal: PK_ISS certified by Certification Authority (CA); PK_IC certified by Issuer; digital signature on the UN and the ICC Dynamic Data generated using SK_IC. Terminal: uses PK_CA to retrieve the Issuer’s PK_ISS, which is certified by the CA; uses PK_ISS to retrieve the ICC PK_IC, which is certified by the Issuer; uses PK_IC to verify the digital signature on the card and terminal data. Result: Signature OK.

97 DDA [From C.Radu]

98 DDA

99 Dynamic Data Authentication Certificate Chain Unpredictable Number Digital Signature Generation of signature with card private key

100 Comparison – SDA vs. DDA
Static Data Authentication: Cheaper cards – no need for RSA functionality on card. Fast – no processing on card. Seeing one transaction is enough to produce a card that will be approved off-line.
Dynamic Data Authentication: Expensive cards – card needs to perform RSA encryption. Slower – card needs to produce RSA signature. Seeing one transaction gives nothing.
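The terminal-side checks from the SDA and DDA slides, as an added example (not code from the presentation): it builds the CA -> issuer -> card key chain and shows that the static signature verifies for any copy of the card data, while a DDA signature only verifies against the Unpredictable Number it was made for. Assumptions: RSA PKCS#1 v1.5 with SHA-256 from the Go standard library stands in for the EMV signature format, the type and function names are illustrative, and the card data string is constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Cert is a public key plus the parent's signature over its encoding.
type Cert struct {
	Pub *rsa.PublicKey
	Sig []byte
}

// CardData is everything a terminal (or an observer of one transaction)
// can read from the card. The private key SK_IC is not part of it.
type CardData struct {
	Static     []byte // PAN, sequence number, verification methods, ...
	SSAD       []byte // Signed Static Application Data (issuer signature)
	IssuerCert Cert   // PK_ISS certified with SK_CA
	ICCCert    Cert   // PK_IC certified with SK_ISS (DDA cards)
}

func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func sign(sk *rsa.PrivateKey, msg []byte) []byte {
	h := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, sk, crypto.SHA256, h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

func verify(pk *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pk, crypto.SHA256, h[:], sig) == nil
}

func certify(parent *rsa.PrivateKey, child *rsa.PublicKey) Cert {
	return Cert{child, sign(parent, x509.MarshalPKCS1PublicKey(child))}
}

func checkCert(parent *rsa.PublicKey, c Cert) bool {
	return c.Pub != nil && verify(parent, x509.MarshalPKCS1PublicKey(c.Pub), c.Sig)
}

// Issue runs the initialisation phase. It returns PK_CA (loaded in the
// terminal), the readable card data, and SK_IC, which stays in the chip.
func Issue(static []byte) (*rsa.PublicKey, CardData, *rsa.PrivateKey) {
	ca, iss, icc := mustKey(), mustKey(), mustKey()
	d := CardData{
		Static:     static,
		SSAD:       sign(iss, static),
		IssuerCert: certify(ca, &iss.PublicKey),
		ICCCert:    certify(iss, &icc.PublicKey),
	}
	return &ca.PublicKey, d, icc
}

// VerifySDA is the terminal's static check: PK_CA -> PK_ISS -> SSAD.
func VerifySDA(pkCA *rsa.PublicKey, d CardData) bool {
	return checkCert(pkCA, d.IssuerCert) && verify(d.IssuerCert.Pub, d.Static, d.SSAD)
}

// InternalAuthenticate is what the chip does with the terminal's UN.
func InternalAuthenticate(skIC *rsa.PrivateKey, un []byte) []byte {
	return sign(skIC, un)
}

// VerifyDDA walks PK_CA -> PK_ISS -> PK_IC, then checks the signature
// against the UN this terminal generated for this transaction.
func VerifyDDA(pkCA *rsa.PublicKey, d CardData, un, sig []byte) bool {
	return checkCert(pkCA, d.IssuerCert) &&
		checkCert(d.IssuerCert.Pub, d.ICCCert) &&
		verify(d.ICCCert.Pub, un, sig)
}

func main() {
	static := []byte("PAN=0000000000000000;SEQ=01;CVM=offline-PIN") // constructed
	pkCA, data, skIC := Issue(static)
	// Fixed UNs for a repeatable run; a terminal draws a fresh random one.
	un1, un2 := []byte{0x11, 0x22, 0x33, 0x44}, []byte{0x55, 0x66, 0x77, 0x88}
	sig1 := InternalAuthenticate(skIC, un1)
	fmt.Println("SDA, data read back from the card:   ", VerifySDA(pkCA, data))
	fmt.Println("DDA, signature on this terminal's UN:", VerifyDDA(pkCA, data, un1, sig1))
	fmt.Println("DDA, old signature with a fresh UN:  ", VerifyDDA(pkCA, data, un2, sig1))
}
```

SDA still detects changes to the signed fields (for example the verification methods), which is the "prevents alteration of risk-related parameters" property; what it cannot do is distinguish the original card from a copy of the same bytes.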

101 Card – Issuer Authentication Issuer needs a permanent proof that the transaction has taken place. Protection against fraud that comes from the merchant. Based on symmetric cryptography Issuer places a key on the card at issuing. Issuer keeps the same key for use in authorization processing.

102 Overview of Keys Used Payment net Issuer Keys for card-issuer authentication Sent during transaction

103 Application Cryptograms In every request to the issuer, the card computes a MAC over certain parameters. This MAC is called the application cryptogram. The exact algorithm is defined between the issuer and the card.

104 Issuer Authentication and Secure Messaging If the issuer sends a MAC in the response, the card can verify that the message originates at the issuer. When secure messaging is used, data sent from the issuer to the card is authenticated and/or encrypted. Necessary for script processing Change of risk parameters requires the messages to be secured with a MAC. Change of PIN requires the new PIN to be enciphered.

105 Computing Application Cryptograms Amount Currency Transaction type Date Other transaction parameters... MAC computation with card key Application cryptogram (8 bytes)

106 Computing Response Cryptogram (ARPC) Application cryptogram (8 bytes) XOR last two bytes with the response from issuer Encrypt with card key Application Response Cryptogram (ARPC, 8 bytes)

107 CDA

108 Key Derivation (Issuer master key + Card information -> Encryption -> Unique card key) Each key to be put on the card is derived from an issuer master key. An issuer has (at least) one master key for each key type to be placed on the card. The derivation process is performed by taking card data and encrypting it with the corresponding master key. The card information used is PAN (i.e., card number) and sequence number.

109 EMV transaction security is based on the use of 3-DES session keys, derived using certain random data and an ICC Master Key. The ICC Master Key is derived from the card PAN and PAN Sequence Number and an Issuer Master Key. The ICC Master Key is unique for each card and is stored in the card. The Issuer Master Key is stored at the Authorising host system, which calculates the ICC Master Key and (hence) the session keys “on-the-fly”. Different Issuer Master Keys are used for transaction integrity and for secure messaging. Master keys

110 ICC Master Key Derivation ICC Master Key (left half) = 3-DES Encrypt (Encrypt/Decrypt/Encrypt) of PAN + PAN Sequence Number under the Issuer Master Key (double length). ICC Master Key (right half) = 3-DES Encrypt (Encrypt/Decrypt/Encrypt) of Inverted PAN + PAN Sequence Number under the Issuer Master Key (double length).

111 ICC Master Keys An ICC may hold up to four ICC Master Keys, as follows, each derived from the corresponding Issuer Master Key:
IMK_AC: To derive session key for calculation of application cryptogram (MAC) for transaction integrity.
IMK_SMI: To derive session key for calculation of application cryptogram (MAC) for secure messaging integrity.
IMK_SMC: To derive session key for secure messaging confidentiality (encryption).
IMK_IDN: To derive ICC Dynamic Number for use in Dynamic Data Authentication (DDA).

112 Session Keys Encryption Unique card key Session information Session key For security reasons it is often a good idea to use different keys for each transaction. Keys used only for one transaction are called session keys.

113 Session Key Derivation Session keys are derived from the appropriate ICC Master Key and transaction or unpredictable data. For example, when generating an Application Cryptogram Session Key (SK_AC), the ICC’s Application Transaction Counter (ATC) and an Unpredictable Number (UN) supplied by the terminal are used as input (see next slide). Session keys for secure messaging are derived using the same technique, but with different “random” data. The ICC Dynamic Number (IDN) is derived from the IMK_IDN by performing a straight 3-DES encryption of the ATC and UN (suitably padded).

114 Deriving Session Keys Session keys are derived from the card key and session information. The session information can be the transaction counter, ATC, or some other information sent in the transaction. The data used for session key generation must be available to the issuer to allow the issuer to create the same key. Transaction counter is sent in clear. Other data used for key generation must be available through other means.

115 Session Key Derivation SK_AC (left half) = 3-DES Encrypt (Encrypt/Decrypt/Encrypt) of ATC || F0 || 00 || UN under IMK_AC (double length). SK_AC (right half) = 3-DES Encrypt (Encrypt/Decrypt/Encrypt) of ATC || 0F || 00 || UN under IMK_AC (double length).
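The key hierarchy from the key-derivation slides, carried through to an application cryptogram that the issuer host re-derives and checks, as an added example (not code from the presentation). Assumptions: the card information block is the rightmost 16 digits of PAN followed by the sequence number, packed as BCD; the separators on the session-key slide are read as concatenation, giving one 8-byte block; the MAC is ISO/IEC 9797-1 algorithm 3 with padding method 2, chosen here because the slides leave the exact algorithm to issuer and card; all keys and transaction values are constructed.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// tdes encrypts one 8-byte block under a double-length (16-byte) key:
// Encrypt(K1) / Decrypt(K2) / Encrypt(K1).
func tdes(key16, block8 []byte) []byte {
	k24 := append(append([]byte{}, key16...), key16[:8]...)
	c, err := des.NewTripleDESCipher(k24)
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, block8)
	return out
}

// DeriveICCMasterKey: left half = 3DES(IMK, Y), right half = 3DES(IMK, NOT Y),
// with Y = rightmost 16 digits of PAN||PSN as packed BCD (assumed packing).
func DeriveICCMasterKey(imk []byte, pan, psn string) []byte {
	digits := pan + psn
	if len(digits) < 16 {
		digits = strings.Repeat("0", 16-len(digits)) + digits
	}
	y, err := hex.DecodeString(digits[len(digits)-16:])
	if err != nil {
		panic(err)
	}
	inv := make([]byte, 8)
	for i := range y {
		inv[i] = ^y[i]
	}
	return append(tdes(imk, y), tdes(imk, inv)...)
}

// DeriveSessionKey: ATC || F0 || 00 || UN gives the left half,
// ATC || 0F || 00 || UN gives the right half.
func DeriveSessionKey(mk []byte, atc uint16, un [4]byte) []byte {
	in := []byte{byte(atc >> 8), byte(atc), 0xF0, 0x00, un[0], un[1], un[2], un[3]}
	left := tdes(mk, in)
	in[2] = 0x0F
	return append(left, tdes(mk, in)...)
}

// RetailMAC is ISO/IEC 9797-1 MAC algorithm 3: single-DES CBC under the
// left key half, then decrypt(right) and encrypt(left) on the last block.
func RetailMAC(sk, msg []byte) []byte {
	kl, err1 := des.NewCipher(sk[:8])
	kr, err2 := des.NewCipher(sk[8:])
	if err1 != nil || err2 != nil {
		panic("session key must be 16 bytes")
	}
	m := append(append([]byte{}, msg...), 0x80) // padding method 2
	for len(m)%8 != 0 {
		m = append(m, 0x00)
	}
	x := make([]byte, 8)
	for i := 0; i < len(m); i += 8 {
		for j := range x {
			x[j] ^= m[i+j]
		}
		kl.Encrypt(x, x)
	}
	kr.Decrypt(x, x)
	kl.Encrypt(x, x)
	return x
}

// GenerateAC is the card side: it holds only its own ICC Master Key.
func GenerateAC(mk []byte, atc uint16, un [4]byte, tx []byte) []byte {
	return RetailMAC(DeriveSessionKey(mk, atc, un), tx)
}

// IssuerVerifyAC is the host side: it stores only the Issuer Master Key and
// recomputes card key, session key and MAC from data sent in the request.
func IssuerVerifyAC(imk []byte, pan, psn string, atc uint16, un [4]byte, tx, ac []byte) bool {
	want := GenerateAC(DeriveICCMasterKey(imk, pan, psn), atc, un, tx)
	return subtle.ConstantTimeCompare(want, ac) == 1
}

func main() {
	imk, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210") // constructed key
	pan, psn := "9999000011112222", "01"                           // constructed card
	// Constructed transaction: amount, currency, type, date.
	tx, _ := hex.DecodeString("000000001000" + "0978" + "00" + "160315")
	atc, un := uint16(0x0005), [4]byte{0xA1, 0xB2, 0xC3, 0xD4}
	ac := GenerateAC(DeriveICCMasterKey(imk, pan, psn), atc, un, tx)
	fmt.Printf("application cryptogram: %X\n", ac)
	fmt.Println("issuer accepts:", IssuerVerifyAC(imk, pan, psn, atc, un, tx, ac))
}
```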

116 Summary Smart cards protect the merchant, issuer and card-holder against fraud from counterfeited cards and fake transactions. For card – terminal authentication, different levels of security are possible, e.g., SDA vs. DDA. Card – issuer authentication gives an electronic seal on transaction data.

