Home

 Cryptography of EMV cards

1.1 Cryptographic Algorithms

Let us briefly consider a ``Chip and PIN" credit card. Its operation is specified by the EMV Specifications . The EMV Specifications prescribe cryptographic methods to be used for
  1. card authentication to a terminal,
  2. cardholder (bearer of the card) authentication,
  3. secret transmission of data between a card, a terminal, which receives the card, and banks, which participate in the transaction and
  4. verification of integrity (inviolability) of data.
The EMV Specifications further describe which cryptographic algorithms are considered reliable. These include:
  1. RSA (Rivest-Shamir-Adleman cryptosystem) for the card authentication and cardholder authentication,
  2. 3-DES for the data transmission between a card, a terminal and a bank and
  3. SHA-1 (Secure Hash Algorithm) for the data integrity verification.
RSA is a realization of public key cryptography. In public key cryptography, each user creates a pair of cryptographic keys - a public key and a private key. The private key is kept secret, whilst the public key may be distributed to anyone. Messages are encrypted with the recipient's public key and can only be decrypted with the recipient's private key. The keys are related mathematically, but the private key cannot be calculated from the public key in any practical amount of time. Transforming a message with the two RSA keys, public key and private key, successively, in either order, yields the message back.
SHA-1 computes a secure hash (or a digest) - a string of fixed length (160 symbols in the case of SHA-1) of zeros and ones, for any given data string (of zeros and ones). The property of the secure hash is that to find a string of data, which corresponds to a predetermined hash, is a practically insoluble task. The combination of the data and its hash, jointly encrypted using a private (secret) key, are commonly referred to as data ``signed" by this private key. For long data commonly only the hash is encrypted and the signature is the combination of the data and the encrypted hash.

1.2 Card Authentication

Authentication of the information, which is contained on a card, can be carried out by the method of Static Data Authentication (SDA), according to the EMV Specifications. Before a card is issued to a customer - during the process of card personalization,
  1. the data that identifies the card, such as primary account number (PAN) and expiry date (for the sake of simplicity herein will be referred to as the ``card number"), and its hash are encrypted by the RSA algorithm using a private key of the bank and placed on the card;
  2. the corresponding public key of the bank and its hash are encrypted by the RSA algorithm using the private key of the credit company and also placed on the card.
The public key of the credit company is available in each terminal. When a cardholder inserts the card in the terminal,
  1. the terminal decrypts the public key of the bank and its hash using the public key of the credit company and verifies the integrity of the public key of the bank using its hash.
  2. the terminal decrypts the card number and its hash using the public key of the bank and verifies the integrity of the card number according to its hash.
Really, if the card number and its hash correspond to each other, then one who encrypted them knew the private key of the bank. Indeed, the card number and its hash were decrypted using the public key of the bank, whose integrity is similarly confirmed by the signature of the credit company. This method guaranties the authenticity of the information on the card. However, it does not guaranty the authenticity of the card itself. In fact, an illegal card, which contains a copy of the accessible information from a legal card, would pass authentication by this method.
To prevent illegal card duplication, it is necessary that in order to answer questions presented by a terminal, the card would use some information, which cannot be directly read from the card, i.e., the card must encrypt something using its own private key. To this end, the method of Dynamic Data Authentication (DDA) is applied. The following data is placed on the card during the process of card personalization:
  1. the ``ICC (integrated circuit card) private key" which will be accessible only to the card itself and cannot be read by the terminal,
  2. the corresponding public key of the card, signed by the bank, and
  3. the public key of the bank, signed by the credit company.
When a cardholder inserts the card in a terminal,
  1. the terminal decrypts the public key of the bank and its hash using the public key of the credit company and verifies the integrity of the public key of the bank using its hash,
  2. the terminal decrypts the public key of the card and its hash using the public key of the bank and verifies the integrity of the public key of the card using its hash,
  3. the terminal provides an unpredictable number to the card,
  4. the card signs the unpredictable number and the card number using its private key. The card then transfers the signed data to the terminal.
  5. The terminal decrypts this signature using the public key of the card and verifies the integrity of the unpredictable number and the card number and thus ensures that the card knows its own private key.
Such a card cannot be illegally copied, since its private key, required for this authentication process, cannot be copied. This private key resides in a tamper-evident secure memory which must destroy itself when tampered.

1.3 Cardholder Authentication

A ``Chip and PIN" card can contain additional public and private keys (called PIN encipherment keys) for encryption and decryption of a Personal Identification Number (PIN) using RSA algorithm. Otherwise, public and private keys of the card used for Dynamic Data Authentication can be utilized for encryption and decryption of a PIN. According to the EMV Specifications,
  1. A cardholder inserts the card in a terminal and enters his PIN on a secure tamper-evident PIN pad to prove his right to use the card.
  2. The card generates an unpredictable number and provides it and the PIN encipherment public key to a terminal for PIN encryption.
  3. The terminal transfers the public key and the unpredictable number to the PIN pad for encryption of the PIN entered by the cardholder.
  4. The PIN pad encrypts the PIN jointly with the unpredictable number and transfers the encrypted PIN and the unpredictable number to the terminal.
  5. The terminal transfers the encrypted PIN and the unpredictable number to the card.
  6. The card uses the corresponding private key to decrypt the received PIN and the unpredictable number and compares the decrypted PIN and the unpredictable number with the sample being stored secretly in the card.
Then the GENERATE-AC command of the terminal, including Transaction Data (TD), triggers the card to produce a cryptographic signature that can be verified by the bank which issued the card. In particular, if both the card and the terminal agree on completing the transaction offline (based on both entities risk management policies) the card returns a TC (Transaction Certificate) approving the transaction and the terminal sends it to the bank.

It is excerpt from the Rankdemocracy paper.
Ċ
Rank Democracy,
May 20, 2014, 1:30 AM