
EMV standard

Hardware Security Modules (HSM)


Erik Poll
Digital Security
Radboud University Nijmegen

EMV
EMV = Europay-Mastercard-Visa
standard for replacing mag-stripe with chip
interesting standard, as it is all public
www.emvco.com
100s of pages
originally for contact smartcard, but now also for RFIDs

EMV 2004 spec

Book 1: ICC to Terminal Interface Requirements
Book 2: Security and Key Management
Book 3: Application Specification
Book 4: Cardholder, Attendant and Acquirer Interface Specifications

EMV roll-out
first version of standard 1996
UK rollout Oct 2003-Feb 2006 (Chip and PIN)
www.chipandpin.co.uk

continental Europe still migrating for credit cards
eg see www.vanstripnaarchip.nl
but many national payment schemes use smartcards

USA sticking to magstripe
and skipping contact cards to move to RFID

Why smartcards?
preventing skimming/cloning
also: shift in liability to customer

PIN replacing signatures for non-repudiation


process of checking and contesting very different
some public debate on this
eg see http://www.chipandspin.co.uk/spin.pdf

and to non-complying merchants

eg since jan 2005, UK merchant that cannot conform to EMV is liable

Does it work?
UK card fraud in millions of

                    97   98   99   00   01   02   03   04   05   06  2007
card not present    10   14   29   73   96  110  122  151  183  213   292
counterfeit         20   27   50  107  160  149  110  130   97  100   144*
lost/stolen         66   66   80  102  114  108  112  115   89   68    56
mail intercept      13   12   15   18   27   37   45   73   40   15    10
card ID theft       13   17   14   17   15   21   30   37   31   32    33
Total              122  135  188  317  412  425  420  504  439  438   535

*domestic drop 32%

[Source: apacs.org.uk]

EMV security techniques


card authentication to terminal
Static Data Authentication (SDA)
Dynamic Data Authentication (DDA)

transaction confidentiality & integrity


encryption and MAC

PIN encryption at point of entry (optional)

EMV security techniques


Algorithms used:
3-DES, RSA, SHA-1
possible new algorithm in future, eg ECDSA

RSA digital signature and public key certificates


card unique 3-DES key, derived from Master
Derivation Keys (MKDs)
unique session keys for encryption & MAC

EMV Public Key Certificate


[Figure: layout of a Public Key Certificate. Certificate Core: general information about the user and the application, and the user's public key. Labelled fields: Public Key, Hash of data / Hash Result, Public Key Remainder. EMV formatting, Signature by a Trusted Third Party]

Static Data Authentication (SDA)


Static authentication data on card is signed with
issuer's private key
Static authentication data includes
Primary Account Number (PAN)
Expiry date


SDA


SDA - Authorisation Phase

IC Card provides to IC Terminal:
PKISS certified by Certification Authority (CA)
Card data (card static data) with Issuer's digital signature

IC Terminal:
Uses PKCA to retrieve the Issuer's PKISS which is certified by the CA
Uses PKISS to verify the digital signature of the card data (Signature OK)

Weakness of SDA
does not prevent replay attacks:
skimming still an option!
UK banks issue SDA cards, which has caused
criticisms
still, cloning SDA cards will be harder than magstripe
cards, esp. one that looks convincing

DDA repairs this by having a terminal-generated nonce

DDA


DDA - Authorisation Phase

IC Terminal provides to IC Card (INTERNAL AUTHENTICATE):
Unpredictable Number (UN)

IC Card provides to IC Terminal:
PKISS certified by Certification Authority (CA)
PKIC certified by Issuer
Digital signature on the UN and the ICC Dynamic Data generated using SKIC

IC Terminal:
Uses PKCA to retrieve the Issuer's PKISS which is certified by the CA
Uses PKISS to retrieve the ICC PKIC which is certified by the Issuer
Uses PKIC to verify the digital signature on the card and terminal data (Signature OK)

Dynamic Data Authentication (DDA)


terminal-generated nonce prevents replays
downside: more expensive card required
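
The difference between SDA and DDA described above, as an added example that is not part of the original slides: a copy holding only what one earlier transaction exposed still passes the static check, but fails once the terminal signs in a fresh UN. It assumes toy textbook RSA over SHA-1 with tiny fixed primes instead of the EMV certificate format, omits the CA step (the terminal trusts PKISS directly) and the ICC Dynamic Data, and all names and the card data are constructed.

```python
import hashlib, secrets

E = 65537  # public exponent for the toy keys below

def keypair(p, q):
    """Toy textbook-RSA key from two known primes; far too small for real use."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))          # (modulus n, private d)

def digest(data, n):
    return int.from_bytes(hashlib.sha1(data).digest(), "big") % n

def sign(data, n, d):
    return pow(digest(data, n), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)

ISS_N, ISS_D = keypair(2**127 - 1, 2**89 - 1)   # issuer pair: PKISS / SKISS
IC_N, IC_D = keypair(2**107 - 1, 2**61 - 1)     # card pair:   PKIC / SKIC
STATIC = b"PAN=0000000000000000;EXP=0000"       # constructed static card data

class Card:
    def __init__(self):
        self.static, self.pkic = STATIC, IC_N
        self.static_sig = sign(STATIC, ISS_N, ISS_D)            # issuer signs static data
        self.pkic_cert = sign(str(IC_N).encode(), ISS_N, ISS_D) # issuer certifies PKIC
    def internal_authenticate(self, un):
        return sign(un, IC_N, IC_D)         # needs SKIC, which never leaves the chip

class Copy:
    """Holds only what one past transaction exposed; it has no SKIC."""
    def __init__(self, card, seen_un):
        self.static, self.pkic = card.static, card.pkic
        self.static_sig, self.pkic_cert = card.static_sig, card.pkic_cert
        self.recorded = card.internal_authenticate(seen_un)
    def internal_authenticate(self, un):
        return self.recorded                # can only replay the old signature

def terminal_sda(card):
    return verify(card.static, card.static_sig, ISS_N)

def terminal_dda(card, un=None):
    if not verify(str(card.pkic).encode(), card.pkic_cert, ISS_N):
        return False
    un = un or secrets.token_bytes(4)       # fresh Unpredictable Number per transaction
    return verify(un, card.internal_authenticate(un), card.pkic)
```

The un parameter exists only so the check can be exercised with a fixed value; a terminal draws a new UN for every transaction.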


PIN encryption
encryption of PIN code in tamper-evident secure
keypad
card issuers don't want to trust the entire ATM,
but only the Hardware Security Module (HSM) and
this secure keypad
PIN encrypted with
card's public key PKIC
or card's PIN encipherment public key PKPE


Why PIN encryption?


[Figure: contact to eavesdrop on PIN]

Problems with PEDs (PIN Entry Devices)
incl. a Common Criteria evaluated one

[Thinking inside the box: system-level failures of tamper proofing, Drimer, Murdoch, Anderson, S&P 2008]

Offline PIN Processing


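Parties: Secure PIN Pad, IC Terminal, IC Card

IC Terminal: Validate PKIC or PKPE
IC Terminal -> IC Card: GET CHALLENGE
IC Card -> IC Terminal: Unpredictable Number (UN)
IC Terminal -> Secure PIN Pad: PKIC or PKPE and UN
Secure PIN Pad: Cardholder enters PIN
Secure PIN Pad: PIN Pad generates random padding
Secure PIN Pad: Create data block to include PIN, UN and random padding and encrypt with PKIC or PKPE
Secure PIN Pad -> IC Terminal: Encrypted PIN Data
IC Terminal -> IC Card: VERIFY (includes Encrypted PIN Data)
IC Card: Decrypt Encrypted PIN Data, using SKIC or SKPE and validate UN and PIN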

Transaction Security
card's master key derived from issuer master key
by encrypting PAN and PAN sequence number
different issuer master keys for confidentiality (encryption) and message/transaction integrity (MACs), resulting in corresponding card master keys

session key derived from card's master key
by encrypting card's ATC (Application Transaction Counter) and terminal-supplied nonce (UN = Unpredictable Number)

ICC Master Key Derivation


ICC Master Key (left half) = 3-DES Encrypt (Encrypt/Decrypt/Encrypt) of [PAN + PAN Sequence Number] under Issuer Master Key
ICC Master Key (right half) = 3-DES Encrypt (Encrypt/Decrypt/Encrypt) of [Inverted PAN + PAN Sequence Number] under Issuer Master Key

Session Key Derivation


SKAC (left half) = 3-DES Encrypt (Encrypt/Decrypt/Encrypt) of [ATC F0 00 UN] under IC Master Key
SKAC (right half) = 3-DES Encrypt (Encrypt/Decrypt/Encrypt) of [ATC 0F 00 UN] under IC Master Key

Secure Messaging
Secure messaging is used between the Issuer's host system and the smart card,
eg to update card parameters, application unblock, or change/unblock PIN

Secure messaging provides data integrity and origin authentication (with MAC) and confidentiality (encryption).
Encryption uses 3-DES Cipher Block Chaining (CBC).
MAC as on next slide

Message Authentication Code (MAC)


[Figure: MAC computation. Block 1, Block 2 and Block 3 each go through Encrypt with SK(L) in a chain, followed by Decrypt with SK(R) and a final Encrypt with SK(L), giving the AC]

MAC calculated with a 3-DES session key (derived from the ICC Master Key).
Algorithm defined in ANSI X9.19 and ISO 9797-1
SK(L) = Session Key (left half)
SK(R) = Session Key (right half)

Cardholder Verification Methods (CVM)


range of cardholder verification methods
depending on card and the application

terminal and smartcard negotiate CVM
given their lists of allowed/supported methods (in order of preference) with conditions

potential for trouble: forcing terminal/card to fall back to old CVM
problems with this reportedly fixed

CVM codes


CVM condition codes


Hardware Security Modules


Bank's back-end has to store issuer's master keys
eg in ATM

Hardware Security Modules (HSMs)
store these keys
and perform required operations on them
keys shouldn't leave HSM unencrypted
HSMs are tamper-resistant/evident devices

the complicated APIs of HSMs may allow attacks
API attack = combination of API calls may produce a spoofed encrypted message or reveal a key

IBM 4758


Example HSM API weakness


HSM allows external storage of key K in encrypted form {K}KM
where KM is master key that never leaves HSM
Secure_Messaging_for_Keys operation added in CCA
(Common Cryptographic Architecture) to support EMV
input: {K1}KM, {K2}KM, template, offset
output: {template with K1 inserted at offset}K2

attack:
take template = m ++ '00000000' , offset = |m|
now output is {m ++ K1}K2 = {m}K2 ++ ...
we have an encryption oracle for K2
we can now spoof messages to the EMV smartcard..

Example HSM API weakness (cont)


we can go on to recover K1
calculate {0000 0000 0000 00yy}K2 for 00 ≤ yy ≤ FF
call Secure_Messaging_for_Keys with
template = '0000 0000 0000 0000' , offset = 7
match result with one of the {0000 0000 0000 00yy}K2
revealing the first byte of K1
repeat procedure to calculate other bytes
[A Note on EMV Secure Messaging in the IBM 4758 CCA, B. Adida et al.,
2005]
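
A toy model of the two slides above, added here as an illustration and not taken from the slides, the cited paper or CCA: it shows that the leak comes from letting the caller choose where K1 lands relative to the cipher's block boundaries. ToyHSM, its method signatures and the Feistel stand-in cipher are assumptions of this example (the real operation uses 3-DES), and keys are 8 random bytes.

```python
import hashlib, secrets

BS = 8  # block size in bytes, as for DES / 3-DES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, i):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]

def crypt(key, data, decrypt=False):
    """Stand-in block cipher (4-round Feistel, ECB). NOT 3-DES; illustration only."""
    out = b""
    for o in range(0, len(data), BS):
        l, r = data[o:o + 4], data[o + 4:o + BS]
        for i in (range(3, -1, -1) if decrypt else range(4)):
            l, r = (_xor(r, _f(key, l, i)), l) if decrypt else (r, _xor(l, _f(key, r, i)))
        out += l + r
    return out

class ToyHSM:
    def __init__(self):
        self._km = secrets.token_bytes(16)            # KM never leaves the HSM
    def new_wrapped_key(self):
        return crypt(self._km, secrets.token_bytes(BS))   # {K}KM, stored externally
    def secure_messaging_for_keys(self, k1_w, k2_w, template, offset):
        k1, k2 = (crypt(self._km, w, decrypt=True) for w in (k1_w, k2_w))
        msg = template[:offset] + k1 + template[offset + BS:]   # K1 inserted at offset
        msg += bytes(-len(msg) % BS)                  # zero-pad to whole blocks
        return crypt(k2, msg)                         # {template with K1}K2

def encrypt_under_k2(hsm, k1_w, k2_w, m):
    """{m}K2 for caller-chosen block-aligned m, using only the API call."""
    return hsm.secure_messaging_for_keys(k1_w, k2_w, m + bytes(BS), len(m))[:len(m)]

def k1_bytes_exposed(hsm, k1_w, k2_w):
    """Bytes of K1 an API caller learns by varying offset; 256 guesses per byte."""
    known = b""
    while len(known) < BS:
        pad = bytes(BS - 1 - len(known))
        guesses = {encrypt_under_k2(hsm, k1_w, k2_w, pad + known + bytes([y])): y
                   for y in range(256)}
        out = hsm.secure_messaging_for_keys(k1_w, k2_w, bytes(BS), len(pad))
        known += bytes([guesses[out[:BS]]])
    return known
```

Each call is individually legitimate; the exposure appears only when the outputs of several calls are compared, which is why the API has to be reviewed as a whole.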

EMV next steps?


hand-held reader to cut card-not-present fraud
cf. online banking in the Netherlands
weakest link then: browser security

integration in mobile phone
which has keyboard & display!
