## Cryptography of EMV cards## 1.1 Cryptographic AlgorithmsLet us briefly consider a ``Chip and PIN" credit card. Its operation is specified by the EMV Specifications . The EMV Specifications prescribe cryptographic methods to be used for- card authentication to a terminal,
- cardholder (bearer of the card) authentication,
- secret transmission of data between a card, a terminal, which receives the card, and banks, which participate in the transaction and
- verification of integrity (inviolability) of data.
- RSA (Rivest-Shamir-Adleman cryptosystem) for the card authentication and cardholder authentication,
- 3-DES for the data transmission between a card, a terminal and a bank and
- SHA-1 (Secure Hash Algorithm) for the data integrity verification.
RSA is a realization of public key cryptography. In public key cryptography, each user creates a pair of cryptographic keys - a public key and a private key. The private key is kept secret, whilst the public key may be distributed to anyone. Messages are encrypted with the recipient's public key and can only be decrypted with the recipient's private key. The keys are related mathematically, but the private key cannot be calculated from the public key in any practical amount of time. Transforming a message with the two RSA keys, public key and private key, successively, in either order, yields the message back.
SHA-1 computes a secure hash (or a digest) - a string of fixed length (160 symbols in the case of SHA-1) of zeros and ones, for any given data string (of zeros and ones). The property of the secure hash is that to find a string of data, which corresponds to a predetermined hash, is a practically insoluble task. The combination of the data and its hash, jointly encrypted using a private (secret) key, are commonly referred to as data ``signed" by this private key. For long data commonly only the hash is encrypted and the signature is the combination of the data and the encrypted hash.
## 1.2 Card AuthenticationAuthentication of the information, which is contained on a card, can be carried out by the method ofStatic Data Authentication (SDA), according to the EMV Specifications. Before a card is issued to a customer - during the process of card personalization,
- the data that identifies the card, such as primary account number (PAN) and expiry date (for the sake of simplicity herein will be referred to as the ``card number"), and its hash are encrypted by the RSA algorithm using a private key of the bank and placed on the card;
- the corresponding public key of the bank and its hash are encrypted by the RSA algorithm using the private key of the credit company and also placed on the card.
- the terminal decrypts the public key of the bank and its hash using the public key of the credit company and verifies the integrity of the public key of the bank using its hash.
- the terminal decrypts the card number and its hash using the public key of the bank and verifies the integrity of the card number according to its hash.
To prevent illegal card duplication, it is necessary that in order to answer questions presented by a terminal, the card would use some information, which cannot be directly read from the card, i.e., the card must encrypt something using its own private key. To this end, the method of Dynamic Data Authentication (DDA) is applied. The following data is placed on the card during the process of card personalization:
- the ``ICC (integrated circuit card) private key" which will be accessible only to the card itself and cannot be read by the terminal,
- the corresponding public key of the card, signed by the bank, and
- the public key of the bank, signed by the credit company.
- the terminal decrypts the public key of the bank and its hash using the public key of the credit company and verifies the integrity of the public key of the bank using its hash,
- the terminal decrypts the public key of the card and its hash using the public key of the bank and verifies the integrity of the public key of the card using its hash,
- the terminal provides an unpredictable number to the card,
- the card signs the unpredictable number and the card number using its private key. The card then transfers the signed data to the terminal.
- The terminal decrypts this signature using the public key of the card and verifies the integrity of the unpredictable number and the card number and thus ensures that the card knows its own private key.
tamper-evident secure memory which must destroy itself when tampered.
## 1.3 Cardholder AuthenticationA ``Chip and PIN" card can contain additional public and private keys (calledPIN encipherment keys) for encryption and decryption of a Personal Identification Number (PIN) using RSA algorithm. Otherwise, public and private keys of the card used for Dynamic Data Authentication can be utilized for encryption and decryption of a PIN. According to the EMV Specifications,
- A cardholder inserts the card in a terminal and enters his PIN on a
*secure tamper-evident PIN pad*to prove his right to use the card. - The card generates an unpredictable number and provides it and the PIN encipherment public key to a terminal for PIN encryption.
- The terminal transfers the public key and the unpredictable number to the PIN pad for encryption of the PIN entered by the cardholder.
- The PIN pad encrypts the PIN jointly with the unpredictable number and transfers the encrypted PIN and the unpredictable number to the terminal.
- The terminal transfers the encrypted PIN and the unpredictable number to the card.
- The card uses the corresponding private key to decrypt the received PIN and the unpredictable number and compares the decrypted PIN and the unpredictable number with the sample being stored secretly in the card.
_{-}AC command of the terminal, including Transaction Data (TD), triggers the card to produce a cryptographic signature that can be verified by the bank which issued the card. In particular, if both the card and the terminal agree on completing the transaction offline (based on both entities risk management policies) the card returns a TC (Transaction Certificate) approving the transaction and the terminal sends it to the bank.
It is excerpt from the Rankdemocracy paper. |