Document: Slides introducing EMV payment cards


Smart Cards and EMV
Michael J Ganley

Agenda
• Introduction to smart cards
• Smart card infrastructure
• Introduction to EMV
• EMV Cryptography
• Concluding remarks

Introduction to Smart Cards

What is a Smart Card?
• A smart card (also called a chip card or an integrated circuit card (ICC)) is a credit card sized plastic card containing a microprocessor.
• A Subscriber Identification Module (SIM), used in a mobile phone, is essentially a cut-down smart card.
• A smart card may be a contact card or a contact-less (proximity) card; some cards are of both types (combi-card); a contact card requires a card reader to allow communication with the card.
• A smart card application may be extremely simple (essentially a memory card, such as a phone card) or very complex (e.g. a credit application); cards may be single application or multiple application.

Smart Card Architecture
[Figure: chip layout with labels RAM, wire-bonds, EEPROM, ROM, processor]
Source: ORGA Systems UK, “ORGA - Smart Cards Basics”

Smart Card Memory
• ROM: Operating System
• EEPROM: Application Data & OS Extensions (≈ 1000 times slower to write than RAM)
• RAM: OS Work Space
• Sizes (ROM, EEPROM, RAM; Min and Max): ~3Kb ~64Kb ~128Kb ~3Kb ~1Kb ~128b

Operating Systems
• Most smart cards, today, have proprietary operating systems.
• Java Card
  – smart card capable of running a Java program.
  – Communicates with OS via Java Card Virtual Machine.
  – “Write once, run anywhere” concept.
• Multos
  – proprietary OS, endorsed by MasterCard (amongst others).
  – High levels of security (ITSEC level 6 for some chips).
  – Demonstrates basic principle of “the higher the complexity, the lower the assurance level”.
  – Mondex electronic purse is a Multos application.
• Windows for Smart Cards
  – Microsoft initiative, now largely disappeared.
• Open Platform
  – “a global and open multi-industry interoperable framework”, promoted by Visa (amongst others).

Smart Card Security (1)
• Physical Security
  – Chip construction (micro-technology); protected layers
  – Address and data lines that logically belong together are intermingled in different layers.
  – Phantom transistors are embedded in the circuitry to make examination more difficult.
  – Upper and lower limits for clock frequency hinder the examination of the circuitry.
• Logical Security
  – The operation of the card is controlled by an operating system. No information that is not meant to be read out can be discovered from the card.
  – “Firewalling” of applications

Smart Card Security (2)
• Cryptographic Security
  – Encryption
  – Digital signature
  – Cryptographic isolation of cards
• Access Control
  – Password or PIN (card lock after number of incorrect attempts)
  – Biometrics
• Attacks
  – Intrusive attacks (e.g. probing) are possible, but extremely expensive and require specialist knowledge and equipment.
  – Non-intrusive attacks may be possible (e.g. timing attacks or differential power analysis)

Standards
• ISO 7816-1: Physical Characteristics - defines the physical dimensions of contact smart cards and their electrical resistance. It also describes the physical location of an IC card’s magnetic stripe and embossing area.
• ISO 7816-2: Dimensions and Location of Contacts - defines the location, purpose and electrical characteristics of the card’s metallic contacts.
• ISO 7816-3: Electronic Signals and Transmission Protocols - defines the voltage and current requirements (protocols T = 0 as standard; T = 1 available on request; T = 14 used in Japan).
• ISO 7816-4: Inter-industry Commands for Interchange - establishes a set of commands for CPU cards across all industries to provide access, security and transmission of card data
• ISO 7816-5: Numbering System and Registration Procedure for Application Identifiers - establishes standards for Application Identifiers (AIDs).
• ISO 7816-6: Inter-industry data elements - details the physical transportation of device and transaction data, answer to reset and transmission protocols.

[...]

... PoS Terminal, Mobile Phone
Update card via multiple (insecure) channels

Introduction to EMV

What is EMV?
• Europay, MasterCard and Visa
• EMV2000: Integrated Circuit Card Specification for Payment Systems
  – Complies with the ISO 7816 standards...

[...]

EMV Type Approval
• EMV Type Approval testing is divided into two levels:
• The Level 1 Type Approval process tests compliance with electromechanical characteristics, logical interface, and transmission protocol requirements defined in part 1 of the EMV specifications
• Level 2 Type Approval tests compliance with debit/credit application requirements defined in the remainder of the EMV specifications...

[...]

... includes the security requirements, including the physical security of devices (Book 2)

EMV Cryptography

Cryptographic Techniques

EMV Security Techniques
• Security Requirements
  – card authentication to terminal
    • Static or Dynamic...

[...]

... (optional)

EMV Security Techniques
• Algorithms
  – 3-DES, RSA, SHA-1
  – possibly new algorithms in the future (e.g. ECDSA)
• Mechanisms
  – RSA digital signatures and public key certificates
    • EMV format certificates
  – card unique 3-DES keys, derived from Master Keys
  – unique session keys for encryption and MAC

Public Key Certificate (EMV)
General information about...

[...]

... defines a framework for chip based applications. However, is only concerned with the Terminal side of transaction processing
• The UK is currently rolling-out EMV-based chip cards
  – Full compliance by 2005
  – Liability issues

Context
• EMV2000: Integrated Circuit Card Specification for Payment Systems, Version 4.0
  – Book 1: ICC to Terminal Interface Requirements
  – Book 2: Security and Key...

[...]

... technology, competing technologies
  – Post-issuance updates
  – Branding
  – etc

Smart Card Infrastructure

Magnetic Stripe Cards (1)
• It is instructive to consider, initially, the infrastructure for magnetic stripe cards and then compare that with...

[...]

[Figure labels: Core; User’s public key (including remainder); Public Key; Hash of data; Hash Result; EMV formatting; Public Key Remainder; Signature (decryption) by a Trusted Third Party]

Certificate Validation
• Use the public key of the Trusted Third Party (that signed the certificate) to encrypt the certificate
• Check EMV format of revealed data (header, trailer, certificate format)
• Hash the data...

[...]

Typical Applications (1)

Typical Applications (2)
• For example:
  – Credit/debit (e.g. EMV)
  – Electronic purse (e.g. Visa Cash, Mondex, Geldkarte)
  – Loyalty (e.g. Shell)
  – Access control
  – Identification
  – Transport
  – Health
  – “Entitlement”
• Multi-application (for example):
  – Malaysia GMPC card – identity...

[...]

Card Authentication
• Before a card transaction can take place, certain card data is authenticated by the terminal
• There are two methods of card authentication, both involving RSA and EMV certificates
  – Static Data Authentication (SDA)
  – Dynamic Data Authentication (DDA)
• In both cases, a Payment System public key certificate is stored in the terminal and an Issuer public key certificate [...]
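
The steps on the Certificate Validation slide (recover with the signer's public key, check header, trailer and certificate format, then compare the hash), sketched as an added example that is not part of the original slides. The 0x6A header, 0xBC trailer, 0x02 format byte and 0xBB padding follow EMV Book 2; the toy CA key built from two Mersenne primes, the opaque certificate body and the function names are assumptions made for illustration.

```python
import hashlib

# Constructed toy "CA" key from two Mersenne primes; NOT a real payment-system key.
P, Q = 2**521 - 1, 2**607 - 1
CA_N, CA_E = P * Q, 65537
CA_D = pow(CA_E, -1, (P - 1) * (Q - 1))      # private exponent, held only by the CA
N_LEN = (CA_N.bit_length() + 7) // 8         # certificate length = modulus length

HEADER, TRAILER, FMT_ISSUER = 0x6A, 0xBC, 0x02   # EMV Book 2 constants
BODY_LEN = N_LEN - 23                        # header + format + SHA-1 hash + trailer


def issue_certificate(body: bytes, remainder: bytes, exponent: bytes) -> bytes:
    """CA side (hypothetical helper): format, hash, then RSA private-key operation."""
    if len(body) > BODY_LEN:
        raise ValueError("body too long for this modulus")
    body = body.ljust(BODY_LEN, b"\xBB")     # pad so the block fills the modulus
    digest = hashlib.sha1(bytes([FMT_ISSUER]) + body + remainder + exponent).digest()
    block = bytes([HEADER, FMT_ISSUER]) + body + digest + bytes([TRAILER])
    return pow(int.from_bytes(block, "big"), CA_D, CA_N).to_bytes(N_LEN, "big")


def validate_certificate(cert: bytes, remainder: bytes, exponent: bytes) -> bytes:
    """Terminal side: recover with the CA public key, check format, check hash."""
    if len(cert) != N_LEN:
        raise ValueError("certificate length differs from CA modulus length")
    block = pow(int.from_bytes(cert, "big"), CA_E, CA_N).to_bytes(N_LEN, "big")
    if block[0] != HEADER or block[-1] != TRAILER or block[1] != FMT_ISSUER:
        raise ValueError("bad header, trailer or certificate format")
    body, cert_hash = block[2:-21], block[-21:-1]
    # The hash also covers data carried outside the certificate (remainder, exponent).
    expected = hashlib.sha1(block[1:2] + body + remainder + exponent).digest()
    if cert_hash != expected:
        raise ValueError("hash mismatch")
    return body                              # contains the certified public key data
```

Because the hash covers the public key remainder and exponent that travel outside the certificate, altering either of them fails validation even when the signed block itself is untouched.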

Date posted: 09/12/2013, 21:15
