Smart Card & E-passport
1 Smart Card & E-passport. Bingsheng Zhang (Cybernetica AS, Estonia; University of Tartu, Estonia). MTAT applied crypto, 2009.
2 Table of contents
Introduction of Smart Cards
Types of Smart Cards: Magnetic Stripe Cards; Chip Cards; Contactless Smart Cards
Types of Terminals: Automatic Teller Machines (ATM); Point of Sale (POS); Contactless Terminals
User Authentication: PIN Generation Techniques; PIN Verification Techniques
Brief Introduction of Related Attacks
Electronic Passports & ID Cards
RFID
3 Smart Cards
4 Introduction of Smart Cards What are smart cards? A smart card: can participate in an automated electronic transaction, is used primarily to add security and is not easily forged or copied. Keith E. Mayes and Konstantinos Markantonakis, Royal Holloway, UK Store data securely Host or run a range of security algorithms and functions Intelligent (Smart): handles computations (e.g. crypto); manages data (e.g. OS, file system, access control); makes informed security decisions (e.g. block itself).
5 Introduction of Smart Cards. Life cycle of a smart card:
Manufacturing [e.g. Infineon]: ROM, the hard mask.
Initialization [e.g. Gemalto]: EEPROM, the soft mask.
Personalization [card issuer]: EEPROM data, keys etc. for an individual user.
Use [e.g. at an ATM]: the terminal issues commands (APDUs).
Death [e.g. local bank]: invalidate the chip / destroy the card.
6 Introduction of Smart Cards. Crypto functionalities of smart cards (1):
Cardholder verification by the card: check the PIN or biometric data. Not always done with crypto, but otherwise necessary to activate the crypto capabilities of the card.
Key generation, secure key storage and safe key usage (e.g. online banking).
Encrypting data (public-key and secret-key): messages, files, etc., e.g. PKI secure messaging.
7 Introduction of Smart Cards. Crypto functionalities of smart cards (2): authentication, from weaker to stronger:
Integrity checks (CRC, or better: a cryptographic hash).
Origin checks (storing a static signature).
Dynamic challenge-response card authentication (proof of identity; should be a zero-knowledge mechanism).
Dynamic authentication of any data with a 3-DES cryptogram or a MAC (symmetric-key "signatures").
Dynamic authentication of any data with a public-key digital signature: provides authenticity and non-repudiation of every individual action taken in a complex protocol.
Verification of the authenticity of a terminal / the external world.
8 Introduction of Smart Cards. Crypto functionalities of smart cards (3) and typical applications:
Pay-TV: broadcast encryption and traitor tracing.
Storing private data (passwords etc.); origin checks (storing a static signature).
Phone cards; GSM / 3G phones (SIM card).
Electronic passports and ID cards.
Bank cards; home banking, Internet shopping; electronic purse, parking.
Student cards (restaurant, library, etc.); building passes; transport tickets.
9 Introduction of Smart Cards. History: plastic money. 1950: invention of plastic money (PVC). Frank McNamara's Diners Club [NY] issues the first universal plastic charge (credit) card for businessmen's and VIPs' travel and entertainment needs. Franklin National Bank [NY] introduces ChargeIt credit cards; shops called the bank for approval of larger amounts (the first authorizations!). American Express launches its bank card, accepted across the US. Bank of America launches BankAmericard, later VISA. 1960s: banks start issuing revolving credit cards; Interbank's Master Charge, later MasterCard.
10 Introduction of Smart Cards. History: payment cards. 1968: invention of the integrated circuit card (ICC) [Germany]. A similar ICC [Japan]. ICCs used to replace cash in a remote payment system [France]. The first widely used smart cards in the financial market were public pay-phone cards [France].
11 Introduction of Smart Cards History ATMs 1967 First cash machines [DeLaRue] with punch cards. By Barclays Bank [UK] and Societe Marseillaise [France] First magnetic stripe card launched in France for access control Lloyds Bank Cashpoint [UK] is the first online ATM using plastic cards with a magnetic stripe. 1980s ATMs in the US 1980s Debit Cards introduced by banks.
12 Types of Smart Cards Magnetic Stripe Cards
13 Types of Smart Cards. Magnetic stripe cards are insecure: the stripe enforces no access control and can be read and rewritten with a cheap reader/writer (Nicolas T. Courtois: as long as some merchants accept them, there will be fraud). Some argue that a magnetic stripe card is not a smart card at all, because it fails the definition's requirement of being "not easily forged or copied".
14 Types of Smart Cards. Track 1. ISO 7813: Track 1 can contain up to 76 alphanumeric data characters, recording density 210 bpi (bits per inch), 7 bits per character. AAMVA standard: up to 82 alphanumeric characters, 210 bpi, 7 bits per character.
15 Types of Smart Cards. Track 2 and Track 3. ISO 7813: Track 2 can contain up to 40 numeric characters, 75 bpi, 5 bits per character. AAMVA standard: up to 40 numeric characters, 75 bpi, 5 bits per character. ISO 7813: Track 3 can contain up to 107 numeric characters, 210 bpi, 5 bits per character. AAMVA standard: up to 82 alphanumeric characters, 210 bpi, 5 bits per character. (AAMVA: American Association of Motor Vehicle Administrators.)
16 Types of Smart Cards. What is stored in the magnetic stripe of a credit card? Could it be the PIN? No: the PIN itself is never written to the stripe; only a verification value (PVV) or a PIN offset is, from which the PIN cannot be recovered without the issuer's key.
18 Types of Smart Cards. Track 1 layout:
SS: start sentinel, the character %
FC: format code (1 character, A to Z; B for financial cards)
PAN: primary account number (max. 19 digits)
FS: field separator, usually the character ^
NAME: cardholder's name (max. 26 characters)
ADDITIONAL DATA: expiration date (YYMM) and service code (3 digits)
DISCRETIONARY DATA: PVKI/PVV or offset, CVV or CVC
ES: end sentinel, the character ?
LRC: longitudinal redundancy check (XOR of all characters above)
19 Types of Smart Cards. Track 2 layout:
SS: start sentinel (hex B, the character ;)
PAN: primary account number (max. 19 digits)
FS: field separator (hex D, the character =)
ADDITIONAL DATA: expiration date (YYMM) and service code (3 digits)
DISCRETIONARY DATA: PVKI/PVV or offset, CVV or CVC
ES: end sentinel (hex F, the character ?)
LRC: longitudinal redundancy check (XOR of all characters above)
20 Types of Smart Cards. Track 3 layout:
SS: start sentinel, the character ;
FC: format code (2 digits, 00 to 99)
PAN: primary account number (max. 19 digits)
FS: field separator, usually the character =
ADDITIONAL DATA: expiration date (YYMM) and service code (3 digits)
DISCRETIONARY DATA: PVKI/PVV or offset, CVV or CVC
ES: end sentinel (hex F, the character ?)
LRC: longitudinal redundancy check (XOR of all characters above)
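The three layouts above are easy to get wrong when handling raw swipes, so here is an added example, in Go and not from the slides, that parses Track 1 and Track 2 strings, recomputes the LRC over the track's data bits, checks the PAN's Luhn digit and decodes the service code. The sample tracks are constructed around the Luhn-valid test PAN 4111111111111111 with a fictitious name and dates; the 6-bit/4-bit character encodings and the ISO 7813 service-code meanings are standard, while the type and function names are this example's own.

```go
// ISO 7813 Track 1 / Track 2 parser with LRC, Luhn and service-code checks. Added example,
// not from the slides; the sample tracks are constructed around the Luhn-valid test PAN
// 4111111111111111 with a fictitious name and dates.
package main

import (
	"fmt"
	"regexp"
)

// Track 1 characters carry 6 data bits (ASCII - 0x20), Track 2 characters 4 data bits
// (ASCII - 0x30). The LRC is the XOR of those data bits over every character, sentinels
// included, written as one more character of the same alphabet (parity bits not modelled).
const (
	track1Offset, track1Mask = 0x20, 0x3F
	track2Offset, track2Mask = 0x30, 0x0F
)

var (
	track1Re = regexp.MustCompile(`^%(?P<fc>[A-Z])(?P<pan>[0-9]{1,19})\^(?P<name>[^\^]{2,26})\^(?P<exp>[0-9]{4})(?P<svc>[0-9]{3})(?P<disc>[^?]*)\?$`)
	track2Re = regexp.MustCompile(`^;(?P<pan>[0-9]{1,19})=(?P<exp>[0-9]{4})(?P<svc>[0-9]{3})(?P<disc>[^?]*)\?$`)
)

type Track struct {
	PAN, Name, Expiry, ServiceCode, Discretionary string
	LRCOK, LuhnOK, ChipPreferred, PINRequired   bool
}

func lrcChar(body string, offset, mask int) byte {
	acc := 0
	for i := 0; i < len(body); i++ {
		acc ^= (int(body[i]) - offset) & mask
	}
	return byte(acc + offset)
}

// luhnOK checks the ISO/IEC 7812 check digit: every second digit from the right is doubled.
func luhnOK(pan string) bool {
	sum := 0
	for i := 0; i < len(pan); i++ {
		d := int(pan[len(pan)-1-i] - '0')
		if i%2 == 1 {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
	}
	return sum%10 == 0
}

func parse(raw string, re *regexp.Regexp, offset, mask int) (Track, error) {
	if len(raw) < 2 {
		return Track{}, fmt.Errorf("track too short")
	}
	body, check := raw[:len(raw)-1], raw[len(raw)-1] // last character is the LRC
	m := re.FindStringSubmatch(body)
	if m == nil {
		return Track{}, fmt.Errorf("track layout invalid")
	}
	f := map[string]string{}
	for i, name := range re.SubexpNames() {
		if name != "" {
			f[name] = m[i]
		}
	}
	svc := f["svc"]
	return Track{
		PAN: f["pan"], Name: f["name"], Expiry: f["exp"], ServiceCode: svc, Discretionary: f["disc"],
		LRCOK:  lrcChar(body, offset, mask) == check,
		LuhnOK: luhnOK(f["pan"]),
		// ISO 7813 service code: digit 1 = 2 or 6 means an IC is present (a swipe is a fallback); digit 3 = 0, 3 or 5 means PIN required.
		ChipPreferred: svc[0] == '2' || svc[0] == '6',
		PINRequired:   svc[2] == '0' || svc[2] == '3' || svc[2] == '5',
	}, nil
}

func ParseTrack1(raw string) (Track, error) { return parse(raw, track1Re, track1Offset, track1Mask) }
func ParseTrack2(raw string) (Track, error) { return parse(raw, track2Re, track2Offset, track2Mask) }

// withLRC appends the LRC the way a card encoder does; used only to build the samples.
func withLRC(body string, offset, mask int) string {
	return body + string([]byte{lrcChar(body, offset, mask)})
}

var (
	SampleTrack1 = withLRC("%B4111111111111111^DOE/JANE^25122011234567890?", track1Offset, track1Mask)
	SampleTrack2 = withLRC(";4111111111111111=25122011234567890?", track2Offset, track2Mask)
)

func main() {
	t1, err := ParseTrack1(SampleTrack1)
	fmt.Printf("%+v %v\n", t1, err)
	t2, err := ParseTrack2(SampleTrack2)
	fmt.Printf("%+v %v\n", t2, err)
	// One flipped PAN digit breaks the LRC: reject the read before trusting any field.
	tampered, _ := ParseTrack2(";4112" + SampleTrack2[5:])
	fmt.Println("tampered LRC ok:", tampered.LRCOK)
}
```

A terminal or fraud system that uses the fields before checking the LRC accepts corrupted reads; and since a skimmer copying an EMV card's stripe keeps its service code 2xx/6xx, a swipe of such data on a chip-capable terminal is exactly the fallback case the ChipPreferred flag is meant to surface.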
21 Types of Smart Cards Chip Cards
23 Types of Smart Cards. Memory / wired-logic cards: NVM (non-volatile memory: EEPROM, Flash); simple fixed function, e.g. prepaid card.
24 Types of Smart Cards. Smart cards: microcontroller = CPU + memory; a universal Turing machine, software driven; flexibility; security features [hardware DES].
25 Types of Smart Cards. Crypto-processor IC cards: an additional crypto-processor for RSA or elliptic curves; hardware security countermeasures.
26 Types of Smart Cards. Contactless smart cards: with an RF transceiver; about 0.1 s per transaction; much less energy available; even less computing power.
27 Types of Smart Cards. Memory on smart cards:
ROM (hard mask: C/assembly; contains OS, secure file access, I/O, libraries [crypto!], JVM): Kbytes nowadays.
RAM (expensive): 4-16 Kbytes nowadays.
NVM (soft mask: compiled C, more libraries):
  EPROM: 1980s, very hard to erase.
  EEPROM: 8-64 Kbytes, recently 128K, 256K (GSM SIM).
  Flash memory (new trend): much cheaper, dense and shrinkable process; random read, harder to manage, hard to rewrite and very slow to erase. Spansion 2006: 1 GB in a SIM card!
28 Types of Smart Cards. Clock and maximum computing power:
Year  | Clock (MHz) | Co-processor | Time
      |             | No           | RSA-512, 2 min
      |             | Yes          | RSA-1024, 500 ms
      |             | Yes          | RSA-2048, 500 ms
      |             | Yes          | RSA-2048, 50 ms
Today |             | Yes          | RSA-2048, 10 ms
29 Types of Terminals Automatic Teller Machines
30 Types of Terminals. In the 1980s ATM networks came into wide use, and many banks then encrypted PINs in software. Today banks use a Hardware Security Module (HSM), a tamper-resistant cryptographic processor, to support ATMs. After the customer enters the PIN, the ATM's secure PIN pad formats the PIN together with the account number into a PIN block and encrypts it under a terminal key shared with the bank; the terminal master key is loaded into the ATM's tamper-resistant module and is only ever used inside it. Each bank connects to a switch run by an organization such as VISA. The security modules in these switches translate the encrypted PIN block: it is decrypted under the incoming zone key and re-encrypted under the outgoing one entirely inside the HSM, so the clear PIN never appears outside tamper-resistant hardware, and finally the issuing bank's HSM verifies the PIN against the stored PVV or offset.
32 Types of Terminals Point of Sales (POS)
33 Types of Terminals. Four basic steps in an EMV POS transaction:
1. Read application data: the terminal selects the payment application and reads the card records (account data, certificates) from the customer's bank card.
2. Card authentication (offline data authentication): the terminal recovers the issuer's public key from a certificate signed by the payment scheme's CA and verifies the issuer's signature over the card data. Static Data Authentication (SDA) checks only this static signature, so the signed data can be copied onto another chip; Dynamic Data Authentication (DDA) and Combined Data Authentication (CDA) additionally have the card sign a fresh terminal challenge with its own private key, which a clone without that key cannot do.
3. Cardholder verification: signature, online PIN (the PIN block is encrypted and sent to the issuer) or offline PIN. With offline enciphered PIN the terminal encrypts the PIN with the card's own PIN-encipherment public key (not the issuer's) and sends it to the card, which decrypts and compares it; with offline plaintext PIN it is sent to the card in the clear.
4. Transaction authorization: card and terminal decide, according to their risk parameters, whether to authorize offline or go online. Offline, the card approves within its limits; online, the card produces a cryptogram (a MAC under a key shared with the issuer) that the issuer verifies, and it is the issuer, not the terminal, that confirms the account has enough funds.
35 Types of Terminals Contactless Terminals
36 User Authentication. User authentication: something the user has (e.g. ID card, phone); something the user knows (e.g. password, PIN); something the user is (e.g. signature, fingerprint or other biometric). Question: how many people will have a PIN collision on average?
37 User Authentication. Card security codes printed on the card (not encoded on the stripe): CVV2 (VISA), CVC2 (MasterCard), CID (American Express).
38 User Authentication Static Data Authentication
39 User Authentication Dynamic Data Authentication
40 User Authentication. IBM 3624 PIN generation algorithm. Input parameters: 64-bit validation data (customer's account number or related personal details, e.g. name); 64-bit decimalization table (16 hex digits); 4-bit assigned PIN length; 128-bit PIN generation key.
41 User Authentication. IBM 3624 PIN generation algorithm: EDE triple-encrypt the 64-bit validation data (the account number held as 16 hex digits) with the 128-bit PIN generation key. Transform the 16 hex digits of the ciphertext into decimal digits with the decimalization table (each hex digit indexes one table entry). The customer's natural PIN is the leftmost digits of the result, as many as the PIN length parameter specifies.
42 User Authentication IBM 3624 PIN Generation Algorithm
43 User Authentication IBM 3624 PIN Offset Generation Algorithm
44 User Authentication. German Banking Pool PIN generation algorithm. Input parameters: 64-bit validation data (customer's account number or related personal details, e.g. name); 64-bit decimalization table; 128-bit PIN generation key.
45 User Authentication German Banking Pool PIN Generation Algorithm
46 User Authentication. IBM 3624 PIN verification algorithm. Input parameters: 64-bit validation data (customer's account number or related personal details, e.g. name); 64-bit decimalization table; 4-bit PIN check length; 128-bit PIN generation key; offset data; customer-entered PIN.
47 User Authentication IBM 3624 PIN Verification Algorithm
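The IBM 3624 generation, offset and verification slides above describe one method from three sides. The added Go example below (not from the slides) implements all three with 2-key TDES so the relationships can be checked directly: the natural PIN comes from the validation data, the stored offset is the chosen PIN minus the natural PIN digit-wise mod 10, and verification recomputes the natural PIN and adds the offset back. The key, account number and decimalization table are constructed test values, and the choice of padding the whole PAN with F to 16 hex digits is an assumption: real HSMs select and pad the validation data according to their configuration.

```go
// IBM 3624 PIN generation, PIN offset and PIN verification with 2-key TDES, as done in
// bank HSMs. Added example, not from the slides; the PIN generation key, decimalization
// table and account number are constructed test values.
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// tdesEncryptBlock encrypts one 8-byte block under a 16-byte key expanded to K1|K2|K1.
func tdesEncryptBlock(key16, block []byte) []byte {
	c, err := des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// validationData is the 64-bit input: the account number (or other customer data) as hex
// digits, right-padded with a pad character ('F' here; a configured parameter in HSMs).
func validationData(acct string) string {
	if len(acct) > 16 {
		acct = acct[:16]
	}
	return strings.ToUpper(acct) + strings.Repeat("F", 16-len(acct))
}

// naturalPIN is IBM 3624 PIN generation: TDES-encrypt the validation data, map each hex
// digit of the ciphertext through the 16-entry decimalization table, keep pinLen digits.
func naturalPIN(pgk []byte, acct, decTable string, pinLen int) string {
	vd, err := hex.DecodeString(validationData(acct))
	if err != nil {
		panic(err)
	}
	ct := strings.ToUpper(hex.EncodeToString(tdesEncryptBlock(pgk, vd)))
	out := make([]byte, pinLen)
	for i := range out {
		out[i] = decTable[strings.IndexByte("0123456789ABCDEF", ct[i])]
	}
	return string(out)
}

// pinOffset turns a customer-chosen PIN into the stored offset:
// offset[i] = (chosen[i] - natural[i]) mod 10. The offset alone reveals nothing without the key.
func pinOffset(chosen, natural string) string {
	out := make([]byte, len(chosen))
	for i := range chosen {
		out[i] = byte((int(chosen[i])-int(natural[i])+10)%10) + '0'
	}
	return string(out)
}

// verifyPIN recomputes the natural PIN, adds the stored offset digit-wise mod 10 and
// compares checkLen digits with what the customer entered (no early exit on mismatch).
func verifyPIN(pgk []byte, acct, decTable, offset, entered string, checkLen int) bool {
	if len(entered) < checkLen || len(offset) < checkLen {
		return false
	}
	natural := naturalPIN(pgk, acct, decTable, checkLen)
	ok := true
	for i := 0; i < checkLen; i++ {
		expect := (int(natural[i]-'0') + int(offset[i]-'0')) % 10
		ok = ok && int(entered[i]-'0') == expect
	}
	return ok
}

const (
	demoAccount  = "4111111111111111" // constructed, Luhn-valid test PAN
	demoDecTable = "0123456789012345" // the classic default table: hex digit -> decimal digit
)

var demoPGK, _ = hex.DecodeString("0123456789ABCDEFFEDCBA9876543210") // constructed key

func main() {
	natural := naturalPIN(demoPGK, demoAccount, demoDecTable, 4)
	offset := pinOffset("7391", natural)
	fmt.Println("natural PIN:", natural, "stored offset:", offset)
	fmt.Println("verify 7391:", verifyPIN(demoPGK, demoAccount, demoDecTable, offset, "7391", 4))
	fmt.Println("verify 7392:", verifyPIN(demoPGK, demoAccount, demoDecTable, offset, "7392", 4))
}
```

The decimalization table is a parameter, not a secret: with the default table the hex digits A-F fold onto 0-5, so those PIN digits are twice as likely as 6-9, which is why the natural PIN is never assumed uniform.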
48 User Authentication. German Banking Pool PIN verification algorithm. Input parameters: 64-bit validation data (customer's account number or related personal details, e.g. name); 64-bit decimalization table; 128-bit PIN generation key; offset data; customer-entered PIN.
49 User Authentication German Banking Pool PIN Verification Algorithm
50 User Authentication. VISA PIN Verification Value (PVV): 4 decimal digits stored on the magnetic stripe of the bank card or in the issuing bank's database. The PVV is a keyed one-way function of the PIN (computed with triple DES under the PVV key from the account number, the PVKI and the PIN), so the stripe does not reveal the PIN; at verification the PVV is recomputed from the account number and the entered PIN and compared with the stored PVV. Because anyone holding the PVV key could test PIN guesses offline, that key lives only inside the issuer's HSM. On the magnetic stripe, tracks 1 and 2 carry the card data: primary account number, expiry date, PVV/offset/CVV/PVKI/CVC. A POS terminal's card reader reads track 2.
51 User Authentication. VISA PVV generation algorithm. Input parameters: 64-bit transformed security parameter (TSP); 128-bit PVV generation key.
52 User Authentication VISA PVV Generation Algorithm
53 User Authentication. VISA PVV verification algorithm. Input parameters: 64-bit transformed security parameter (TSP); 16-bit (4 BCD digits) reference PVV; 128-bit PVV verification key.
54 User Authentication VISA PVV Verification Algorithm
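The PVV generation and verification slides above, as an added Go example that is not part of the original slides: it builds the TSP from the rightmost 11 PAN digits excluding the Luhn check digit, the PVKI digit and the first four PIN digits, encrypts it with 2-key TDES under the PVV key, and applies VISA's decimalization rule (decimal digits of the ciphertext first, left to right; if fewer than four, the letters A-F taken as 0-5). The PVK and PAN are constructed test values; the TSP layout and the decimalization rule are the published VISA method, the function names are the example's own.

```go
// VISA PIN Verification Value (PVV): generation from the PAN, PVKI and PIN, and
// verification of an entered PIN against a stored PVV, with 2-key TDES.
// Added example, not from the slides; the PVK and PAN are constructed test values.
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// tdesEncryptBlock encrypts one 8-byte block under a 16-byte key expanded to K1|K2|K1.
func tdesEncryptBlock(key16, block []byte) []byte {
	c, err := des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// tsp builds the 64-bit Transformed Security Parameter as 16 hex digits: the 11 rightmost
// PAN digits excluding the Luhn check digit, the PVKI digit (which PVK generated this
// PVV), and the first four digits of the PIN.
func tsp(pan, pvki, pin string) (string, error) {
	if len(pan) < 12 || len(pvki) != 1 || len(pin) < 4 {
		return "", fmt.Errorf("bad TSP inputs")
	}
	body := pan[:len(pan)-1] // drop the check digit
	return body[len(body)-11:] + pvki + pin[:4], nil
}

// decimalize applies the VISA rule to the 16 ciphertext hex digits: collect decimal digits
// left to right; if fewer than four exist, rescan taking A-F as 0-5.
func decimalize(ctHex string) string {
	var out []byte
	for _, c := range []byte(ctHex) {
		if c >= '0' && c <= '9' && len(out) < 4 {
			out = append(out, c)
		}
	}
	for _, c := range []byte(ctHex) {
		if c >= 'A' && c <= 'F' && len(out) < 4 {
			out = append(out, c-'A'+'0')
		}
	}
	return string(out)
}

// generatePVV encrypts the TSP under the PVK and decimalizes the ciphertext.
func generatePVV(pvk []byte, pan, pvki, pin string) (string, error) {
	t, err := tsp(pan, pvki, pin)
	if err != nil {
		return "", err
	}
	raw, err := hex.DecodeString(t)
	if err != nil {
		return "", err
	}
	ct := strings.ToUpper(hex.EncodeToString(tdesEncryptBlock(pvk, raw)))
	return decimalize(ct), nil
}

// verifyPVV recomputes the PVV from the entered PIN and compares it with the stored one;
// this runs inside the issuer's HSM, which is the only place the PVK exists.
func verifyPVV(pvk []byte, pan, pvki, enteredPIN, storedPVV string) bool {
	pvv, err := generatePVV(pvk, pan, pvki, enteredPIN)
	return err == nil && pvv == storedPVV
}

var demoPVK, _ = hex.DecodeString("0123456789ABCDEFFEDCBA9876543210") // constructed key

func main() {
	pan, pvki := "4111111111111111", "1" // constructed Luhn-valid test PAN, PVKI 1
	pvv, _ := generatePVV(demoPVK, pan, pvki, "7391")
	fmt.Println("PVV for PIN 7391:", pvv)
	fmt.Println("verify 7391:", verifyPVV(demoPVK, pan, pvki, "7391", pvv))
	fmt.Println("verify 0000:", verifyPVV(demoPVK, pan, pvki, "0000", pvv))
}
```

Only four decimal digits survive decimalization, so about one wrong PIN in ten thousand collides with the right PVV; the retry counter, not the PVV, is what keeps that from being exploitable.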
55 Brief Introduction of Related Attacks Bank Card Skimming Attack
56 Brief Introduction of Related Attacks ATM Fraud Attack
57 Brief Introduction of Related Attacks ATM Keypad Frauds Attack
58 Brief Introduction of Related Attacks Cards Trapping Attack
59 Brief Introduction of Related Attacks Relay Attack
60 Brief Introduction of Related Attacks Relay Attack(2)
61 Brief Introduction of Related Attacks. Other attacks: chemical attack (decapsulating the chip); "yes card" (a clone that answers yes to any PIN, possible against SDA-only cards); PIN testing with power-off (cut the card's power after it compares the PIN but before it writes the decremented retry counter, so the counter never drops); side-channel attacks.
62 Electronic Passports & ID Cards Electronic Passports
63 Electronic Passports & ID Cards Chip integrated in the cover Main goal: store biometric data Machine Readable Zone (MRZ)
64 Electronic Passports & ID Cards. Personal and biometric data (photo) protected by Basic Access Control (BAC): key = f(MRZ).
PA: Passive Authentication: PKI; all data is authenticated by a mandatory static signature (digital signatures with RSA, ECC or both). It proves the data is genuine, not that the chip is: a copied chip verifies just as well.
AA: Active Authentication: challenge-response; the chip signs a terminal challenge with a private key that never leaves it, which detects cloned chips.
Extra data (fingerprint, iris): Extended Access Control (EAC) mechanism.
67 Electronic Passports & ID Cards European E-passport timeline
69 Electronic Passports & ID Cards ICAO International Civil Aviation Organization (ICAO) U.N. specialized agency, established in 1944 Aviation safety & security
70 Electronic Passports & ID Cards. ICAO 9303 (6th edition). A system based on mainstream standards: ISO 7816-X, ISO. Entities: issuer (state printing house, embassy, local authorities etc.); contactless chip embedded in the cover; terminal, called the inspection system. Memory requirement: 32K EEPROM minimum, typically K.
71 Electronic Passports & ID Cards. Data in e-passports (data groups):
DG1 Machine readable zone (MRZ)
DG2 Biometric data: face
DG3 Biometric data: fingerprints
DG4 Biometric data: iris
DG5 Picture of the holder as printed in the passport
DG6 Reserved for future use
DG7 Signature of the holder as printed in the passport
DG8 Encoded security features: data features
DG9 Encoded security features: structure features
DG10 Encoded security features: substance features
DG11 Additional personal details (address, phone)
DG12 Additional document details (issue date, issued by)
DG13 Optional data (anything)
DG14 Security options: data for securing the secondary biometrics (EAC chip authentication public key)
DG15 Active Authentication public key info
72 Electronic Passports & ID Cards. Access control. Basic Access Control (BAC): for the facial image and other data that can also be acquired from other sources (e.g. a digital camera). The terminal must have physical, optical access to the Machine Readable Zone (MRZ) of the passport, since the BAC key is derived from it. Extended Access Control (EAC), optional: for fingerprints and other data that does not otherwise exist on the passport; only for verification by an authorized inspection system, which has to prove its identity to the passport (terminal authentication) before the data is released.
73 Electronic Passports & ID Cards. MRZ coding: passport number (typically 9 characters), date of birth, expiration date, and 3 check digits (one per field; a public weighted mod-10 checksum that only catches OCR errors, so unlike the CVV2 of a bank card it adds no secret).
74 Electronic Passports & ID Cards. BAC Stage 1: K_seed = SHA-1(MRZ information), truncated to 128 bits; then the key derivation function following CWA.
75 Electronic Passports & ID Cards. BAC Stage 2: K = (K_MAC, K_ENC); both are used in authenticated encryption (EA). EA = encrypt, then transmit a MAC.
E: 3-DES in CBC mode with K_ENC (FIPS 46-3, ISO, ISO; CBC, 3-DES, padding mode 2).
A: DES retail MAC with K_MAC (FIPS 46-3, ISO 9797 MAC algorithm 3 with output transformation 3, no truncation, block cipher DES, zero 8-byte IV, padding mode 2).
76 Electronic Passports & ID Cards. BAC Stage 3 uses the ISO symmetric key establishment mechanism:
A (chip) -> B (terminal): random R_A (64 bits)
B (terminal) -> A (chip): EA_K(R_B, R_A, K_B) (bits)
A (chip) checks that the received R_A equals its own R_A
A (chip) -> B (terminal): EA_K(R_A, R_B, K_A) (bits)
B (terminal) checks that the received R_B equals its own R_B
Derived key: K_AB = K_A XOR K_B
BAC Stage 4: encrypt all communications from now on (secure messaging).
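The four BAC stages above, as an added Go example that is not part of the original slides: key derivation from the MRZ (Stage 1), the authenticated-encryption primitive of Stage 2 (3-DES CBC plus the ISO 9797-1 retail MAC), the mutual authentication exchange of Stage 3 seen from both the chip and the terminal, and derivation of the Stage 4 session keys. The MRZ string, nonces and key contributions are the values of the ICAO Doc 9303 worked example (Part 11, Appendix D), used here as fixed constants in place of the chip's and terminal's random number generators; the function names (seal, open, sessionKeys) are the example's own.

```go
// ICAO 9303 Basic Access Control end to end. Added example, not from the slides; MRZ,
// nonces and keys are the ICAO Doc 9303 worked-example values standing in for RNG output.
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// deriveKey is the 9303 KDF: SHA-1(seed || 32-bit counter)[0:16] with odd DES parity; counter 1 = enc key, 2 = MAC key.
func deriveKey(seed []byte, counter uint32) []byte {
	d := append(append([]byte{}, seed...), 0, 0, 0, 0)
	binary.BigEndian.PutUint32(d[len(seed):], counter)
	h := sha1.Sum(d)
	k := append([]byte{}, h[:16]...)
	for i, b := range k {
		k[i] = b ^ byte(1-bits.OnesCount8(b)%2) // flip the LSB when the byte has even parity
	}
	return k
}

// bacKeys: K_seed = SHA-1(MRZ information)[0:16]; MRZ information = document number, birth date, expiry date, each with its check digit.
func bacKeys(mrzInfo string) (kenc, kmac []byte) {
	h := sha1.Sum([]byte(mrzInfo))
	return deriveKey(h[:16], 1), deriveKey(h[:16], 2)
}

// tdesCBC runs 2-key 3DES (K1|K2|K1) in CBC mode with a zero IV over whole blocks.
func tdesCBC(key16, in []byte, mode func(cipher.Block, []byte) cipher.BlockMode) []byte {
	blk, _ := des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
	out := make([]byte, len(in))
	mode(blk, make([]byte, 8)).CryptBlocks(out, in)
	return out
}

// retailMAC is ISO 9797-1 MAC algorithm 3, padding method 2: append 0x80 and zeros, single-DES CBC-MAC under K1, then DES-decrypt with K2 and re-encrypt with K1.
func retailMAC(kmac, data []byte) []byte {
	padded := make([]byte, (len(data)/8+1)*8)
	copy(padded, data)
	padded[len(data)] = 0x80
	k1, _ := des.NewCipher(kmac[:8])
	k2, _ := des.NewCipher(kmac[8:16])
	cipher.NewCBCEncrypter(k1, make([]byte, 8)).CryptBlocks(padded, padded)
	mac := padded[len(padded)-8:]
	k2.Decrypt(mac, mac)
	k1.Encrypt(mac, mac)
	return mac
}

// seal is EA from the slides: encrypt a || b || k under K_enc and append the retail MAC under K_mac.
func seal(kenc, kmac, a, b, k []byte) []byte {
	e := tdesCBC(kenc, append(append(append([]byte{}, a...), b...), k...), cipher.NewCBCEncrypter)
	return append(e, retailMAC(kmac, e)...)
}

// open checks the MAC in constant time, decrypts, and rejects any message whose echoed nonce is not the one this side issued (stops replay).
func open(kenc, kmac, msg, myNonce []byte) ([]byte, error) {
	if len(msg) != 40 || subtle.ConstantTimeCompare(retailMAC(kmac, msg[:32]), msg[32:]) != 1 {
		return nil, fmt.Errorf("MAC check failed")
	}
	p := tdesCBC(kenc, msg[:32], cipher.NewCBCDecrypter)
	if subtle.ConstantTimeCompare(p[8:16], myNonce) != 1 {
		return nil, fmt.Errorf("nonce mismatch: replayed or forged message")
	}
	return p, nil
}

// sessionKeys derives KS_enc and KS_mac from K.IFD xor K.ICC with the same KDF.
func sessionKeys(kIFD, kICC []byte) (ksEnc, ksMac []byte) {
	seed := make([]byte, 16)
	for i := range seed {
		seed[i] = kIFD[i] ^ kICC[i]
	}
	return deriveKey(seed, 1), deriveKey(seed, 2)
}

func main() {
	kenc, kmac := bacKeys("L898902C<369080619406236") // worked-example MRZ information
	v, _ := hex.DecodeString("4608F91988702212781723860C06C2260B795240CB7049B01C19B33E32804F0B0B4F80323EB3191CB04970CB4052790B")
	rndICC, rndIFD, kIFD, kICC := v[:8], v[8:16], v[16:32], v[32:] // RND.ICC, RND.IFD, K.IFD, K.ICC
	cmd := seal(kenc, kmac, rndIFD, rndICC, kIFD) // terminal: S = RND.IFD || RND.ICC || K.IFD
	s, err := open(kenc, kmac, cmd, rndICC)       // chip: check M_IFD and its own RND.ICC
	if err != nil {
		panic(err)
	}
	resp := seal(kenc, kmac, rndICC, s[:8], kICC) // chip: R = RND.ICC || RND.IFD || K.ICC
	r, err := open(kenc, kmac, resp, rndIFD)      // terminal: check M_ICC and its own RND.IFD
	if err != nil {
		panic(err)
	}
	ksEnc, ksMac := sessionKeys(kIFD, r[16:]) // the chip computes sessionKeys(s[16:], kICC)
	fmt.Printf("K_enc=%X K_mac=%X\nKS_enc=%X KS_mac=%X\n", kenc, kmac, ksEnc, ksMac)
}
```

The chip refuses a command whose MAC fails or whose echoed RND.ICC is not the nonce it just issued, which is what stops replay of a captured exchange. What BAC cannot stop is an attacker who knows or can guess the MRZ: the key has no more entropy than the document number, date of birth and expiry date it is derived from.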
77 Electronic Passports & ID Cards. Signature schemes and key sizes - PA. Hash functions: SHA-1 and the SHA-2 family (SHA-256). RSA with PKCS#1 v1.5 padding (min. bits for the CSCA (Country Signing CA), 2048 bits for the DS (Document Signer)): Hungary, France, Spain, Portugal, Italy use RSA + SHA-1; Austria, Netherlands use RSA + SHA-256. RSA with PSS padding (min. bits for the CSCA, 2048 for the DS): Czech Republic, Norway, Denmark, Japan and Australia, all + SHA-256. DSA: not standardized for key lengths > 1024 bits, not secure enough. ECDSA (min. 256 bits for the CSCA, 224 bits for the DS): Switzerland, Germany, Russia use SHA-1.
78 Electronic Passports & ID Cards. Signature schemes and key sizes - AA. AA is not widely deployed yet. ISO scheme 1 (not proven secure, grey zone): Czech Republic, Belgium, Austria. DSA and ECDSA are also permitted but not widely used for AA.
79 Electronic Passports & ID Cards. EAC crypto. Chip authentication: Diffie-Hellman (PKCS#3) with a 1024- or 1536-bit prime, or Elliptic Curve Diffie-Hellman (ISO 15946, BSI TR-03111), mostly 224-bit curves, sometimes 256 or 384 bits. Terminal authentication: RSA keys of bits with two signature schemes, RSA PKCS#1 v1.5 + SHA-1 or SHA-256 (more popular, grey zone) and RSA-PSS + SHA-1 or SHA-256 (provably secure); or ECDSA-160/256 + SHA-1, SHA-224 or SHA-256.
80 RFID RFID
81 RFID. MIFARE Classic cards. The encryption used by the MIFARE Classic card (the proprietary Crypto-1 stream cipher) uses a key that is only 48 bits long. The MIFARE Classic 1K offers 1024 bytes of data storage split into 16 sectors; each sector is protected by two different keys, called A and B, which can be given separate rights for operations like reading, writing, incrementing value blocks, etc.
82 RFID. MIFARE Classic cards: data layout.
83 RFID. ISO A authentication protocol.
84 RFID. Authentication trace (reader to MIFARE Classic 1K):
Step | Sender | Hex                  | Comments
01   | Reader | 26                   | REQA (request type A)
02   | Tag    |                      | answer to request
03   | Reader |                      | select
04   | Tag    | c2 a8 2d f4 b3       | UID, BCC
05   | Reader | c2 a8 2d f4 b3 ba a3 | select (UID)
06   | Tag    | 08 b6 dd             | MIFARE 1K
07   | Reader |                      | auth (block 30)
08   | Tag    | c0 a4                | n_T (tag nonce)
09   | Reader | 7d db 9b eb 5d 83    | n_R xor ks1, a_R xor ks2
10   | Tag    | 8b d                 | a_T xor ks3
10   | Tag    | a 5                  | ks3 (failed)
85 RFID Crypto 1
86 RFID. Demo: authentication protocol. Property: a public, platform-independent Near Field Communication (NFC) library (libnfc). How to program with libnfc. Simple demo of fixing the tag nonce, using an ACR122 reader and libnfc.
More informationPayment Card Industry (PCI) Policy Manual. Network and Computer Services
Payment Card Industry (PCI) Policy Manual Network and Computer Services Forward This policy manual outlines acceptable use Black Hills State University (BHSU) or University herein, Information Technology
More informationHandling of card data in conformance with PCI DSS
Handling of card data in conformance with PCI DSS Version 2 June 2010 Objective MasterCard, Visa, American Express, Diners and JCB have together created the framework PCI DSS (Payment Card Industry Data
More informationFull page passport/document reader Regula model 70X4M
Full page passport/document reader Regula model 70X4M Full page passport reader with no moving parts inside. Automatic reading and authenticity verification of passports, IDs, visas, driver s licenses
More informationA Note on the Relay Attacks on e-passports
A Note on the Relay Attacks on e-passports The Case of Czech e-passports Martin Hlaváč 1 and Tomáš Rosa 1,2 hlavm1am@artax.karlin.mff.cuni.cz and trosa@ebanka.cz 1 Department of Algebra, Charles University
More informationChapter 15 User Authentication
Chapter 15 User Authentication 2015. 04. 06 Jae Woong Joo SeoulTech (woong07@seoultech.ac.kr) Table of Contents 15.1 Remote User-Authentication Principles 15.2 Remote User-Authentication Using Symmetric
More informationSmart Card: The Computer in Your Wallet
Smart Card: The Computer in Your Wallet MIPS Technologies, Inc. June 2002 Smart cards, credit-card-size pieces of plastic incorporating a silicon chip, comprise the highest volume computing platform. Roughly
More informationCombatting Counterfeit Identities: The Power of Pairing Physical & Digital IDs
Combatting Counterfeit Identities: The Power of Pairing Physical & Digital IDs 1 GOVERNMENTS ADOPTING DIGITAL STRATEGIES Governments designing/operating digital ecosystems to create, transform and optimize
More informationEPASSPORT WITH BASIC ACCESS CONTROL AND ACTIVE AUTHENTICATION
COMMON CRITERIA PROTECTION PROFILE EPASSPORT WITH BASIC ACCESS CONTROL AND ACTIVE AUTHENTICATION Draft Version 1.0 TURKISH STANDARDS INSTITUTION TABLE OF CONTENTS Common Criteria Protection Profile...
More informationSecure Network Communications FIPS 140 2 Non Proprietary Security Policy
Secure Network Communications FIPS 140 2 Non Proprietary Security Policy 21 June 2010 Table of Contents Introduction Module Specification Ports and Interfaces Approved Algorithms Test Environment Roles
More informationeid Security Frank Cornelis Architect eid fedict 2008. All rights reserved
eid Security Frank Cornelis Architect eid The eid Project > Provides Belgian Citizens with an electronic identity card. > Gives Belgian Citizens a device to claim their identity in the new digital age.
More informationSteps for staying PCI DSS compliant Visa Account Information Security Guide October 2009
Steps for staying PCI DSS compliant Visa Account Information Security Guide October 2009 The guide describes how you can make sure your business does not store sensitive cardholder data Contents 1 Contents
More informationMF1 IC S50. 1. General description. Functional specification. 1.1 Contactless Energy and Data Transfer. 1.2 Anticollision. Energy
Rev. 5.2 15 January 2007 Product data sheet 001052 PUBLIC 1. General description NXP has developed the Mifare to be used in contactess smart cards according to ISO/IEC 14443A. The communication layer (
More informationPayPass M/Chip Requirements. 10 April 2014
PayPass M/Chip Requirements 10 April 2014 Notices Following are policies pertaining to proprietary rights, trademarks, translations, and details about the availability of additional information online.
More informationSecurity & Chip Card ICs SLE 44R35S / Mifare
Security & Chip Card ICs SLE 44R35S / Mifare Intelligent 1 Kbyte EEPROM with Interface for Contactless Transmission, Security Logic and Anticollision according to the MIFARE -System Short Product Info
More informationCHAPTER 5 SMART CARD TECHNOLOGY
56 CHAPTER 5 SMART CARD TECHNOLOGY 5.1 INTRODUCTION Today's society is often illustrated as an information society. Technological developments, particularly in the areas of computers and telecommunications
More informationEntrust Smartcard & USB Authentication
Entrust Smartcard & USB Authentication Technical Specifications Entrust IdentityGuard smartcard- and USB-based devices allow organizations to leverage strong certificate-based authentication of user identities
More informationHow Secure are Contactless Payment Systems?
SESSION ID: HT-W01 How Secure are Contactless Payment Systems? Matthew Ngu Engineering Manager RSA, The Security Division of EMC Chris Scott Senior Software Engineer RSA, The Security Division of EMC 2
More informationDigital Signatures. Nicolas T. Courtois - University College of London
Nicolas T. Courtois - University College of London Roadmap Legal aspects What are Digital Signatures? How Secure they are? Main realizations known Applications 2 1. What is a [Digital] Signature? Legal
More informationSide Channel Analysis and Embedded Systems Impact and Countermeasures
Side Channel Analysis and Embedded Systems Impact and Countermeasures Job de Haas Agenda Advances in Embedded Systems Security From USB stick to game console Current attacks Cryptographic devices Side
More informationEMV and Small Merchants:
September 2014 EMV and Small Merchants: What you need to know Mike English Executive Director, Product Development Heartland Payment Systems 2014 Heartland Payment Systems, Inc. All trademarks, service
More informationSPC5-CRYP-LIB. SPC5 Software Cryptography Library. Description. Features. SHA-512 Random engine based on DRBG-AES-128
SPC5 Software Cryptography Library Data brief SHA-512 Random engine based on DRBG-AES-128 RSA signature functions with PKCS#1v1.5 ECC (Elliptic Curve Cryptography): Key generation Scalar multiplication
More informationAuthentication requirement Authentication function MAC Hash function Security of
UNIT 3 AUTHENTICATION Authentication requirement Authentication function MAC Hash function Security of hash function and MAC SHA HMAC CMAC Digital signature and authentication protocols DSS Slides Courtesy
More informationCaught in the Maze of Security Standards
Caught in the Maze of ΓΝΩΘΙΣ Know Thyself ΑΥΤΟΝ Security Standards Dieter Gollmann Hamburg University of Technology What this talk is not about 1. Designing security protocols is difficult and error prone
More informationA DATA AUTHENTICATION SOLUTION OF ADS-B SYSTEM BASED ON X.509 CERTIFICATE
27 TH INTERNATIONAL CONGRESS OF THE AERONAUTICAL SCIENCES A DATA AUTHENTICATION SOLUTION OF ADS-B SYSTEM BASED ON X.509 CERTIFICATE FENG Ziliang*, PAN Weijun* / ** 1, WANG Yang* * Institute of Image and
More informationOperational and Technical security of Electronic Passports
European Agency for the Management of Operational Cooperation at the External Borders of the Member States of the European Union Operational and Technical security of Electronic Passports Warsaw, Legal
More informationNACCU 2013. Migrating to Contactless: 2013 1
NACCU 2013 Migrating to Contactless: 2013 1 AGENDA The demise of cards has been predicted for many years. When will this really happen? This presentation by two card industry experts will cover the rise
More informationThe Technology Is Ready. Philip Andreae Philip Andreae & Associates
The Technology Is Ready Philip Andreae Philip Andreae & Associates Why are you Here The globe is in migration to EMV June 2003: Visa Canada announced its plans to migrate to chip January 8, CTV W-5 documented
More informationDigital Signatures. Nicolas T. Courtois - University College London
Nicolas T. Courtois - University College London Roadmap Legal aspects What are Digital Signatures? How Secure they are? Main realizations known Applications 2 1. What is a [Digital] Signature? Legal Aspects
More informationECE 646 - Lecture 1. Security Services. Need for information security. widespread use of data processing equipment: computer security
ECE 646 - Lecture 1 Security Services Need for information security widespread use of data processing equipment: computer security widespread use of computer networks and distributed computing systems:
More informationSecure Data Exchange Solution
Secure Data Exchange Solution I. CONTENTS I. CONTENTS... 1 II. INTRODUCTION... 2 OVERVIEW... 2 COPYRIGHTS AND TRADEMARKS... 2 III. SECURE DOCUMENT EXCHANGE SOLUTIONS... 3 INTRODUCTION... 3 Certificates
More informationVisa Recommended Practices for EMV Chip Implementation in the U.S.
CHIP ADVISORY #20, UPDATED JULY 11, 2012 Visa Recommended Practices for EMV Chip Implementation in the U.S. Summary As issuers, acquirers, merchants, processors and vendors plan and begin programs to adopt
More informationIntroducing etoken. What is etoken?
Introducing etoken Nirit Bear September 2002 What is etoken? Small & portable reader-less Smartcard Standard USB connectivity Logical and physical protection Tamper evident (vs. tamper proof) Water resistant
More informationW.A.R.N. Passive Biometric ID Card Solution
W.A.R.N. Passive Biometric ID Card Solution Updated November, 2007 Biometric technology has advanced so quickly in the last decade that questions and facts about its cost, use, and accuracy are often confused
More informationChip Card & Security ICs Mifare NRG SLE 66R35
Chip Card & Security ICs Mifare NRG Intelligent 1 Kbyte Memory Chip with Interface for Contactless Transmission according to the Mifare -System Short Product Information April 2007 Short Product Information
More informationA Guide to EMV Version 1.0 May 2011
Table of Contents TABLE OF CONTENTS... 2 LIST OF FIGURES... 4 1 INTRODUCTION... 5 1.1 Purpose... 5 1.2 References... 5 2 BACKGROUND... 6 2.1 What is EMV... 6 2.2 Why EMV... 7 3 THE HISTORY OF EMV... 8
More informationSmart Tiger STARCHIP SMART TIGER PAYMENT PRODUCT LINE. Payment. STiger SDA. STiger DDA. STiger DUAL
PAYMENT CATALOG Smart Tiger Payment STiger SDA Static or Java Card Modules offer for Contact SDA markets STARCHIP SMART TIGER PAYMENT PRODUCT LINE is a versatile compound of a Highly Secure Microcontroller,
More informationCryptography and Network Security Digital Signature
Cryptography and Network Security Digital Signature Xiang-Yang Li Message Authentication Digital Signature Authentication Authentication requirements Authentication functions Mechanisms MAC: message authentication
More informationEMVCo Letter of Approval - Terminal Level 2
April 06, 2011 Lorraine LEPINE France Telecom Direction Publiphonie (FT/OPF/MHGP/DMP/PUB) Orange Village, 1 avenue Nelson Mandela 94745 ARCUEIL France Re: EMV Application Kernel: Approval Number(s): EMVCo
More informationINTRODUCTION to CRYPTOGRAPHY & CRYPTOGRAPHIC SERVICES on Z/OS BOSTON UNIVERSITY SECURITY CAMP MARCH 14, 2003
INTRODUCTION to CRYPTOGRAPHY & CRYPTOGRAPHIC SERVICES on Z/OS BOSTON UNIVERSITY SECURITY CAMP MARCH 14, 2003 History of Cryptography The concept of securing messages through cryptography has a long history.
More informationElectronic machine-readable travel documents (emrtds) The importance of digital certificates
Electronic machine-readable travel documents (emrtds) The importance of digital certificates Superior security Electronic machine-readable travel documents (emrtds) are well-known for their good security.
More informationEMV-TT. Now available on Android. White Paper by
EMV-TT A virtualised payment system with the following benefits: MNO and TSM independence Full EMV terminal and backend compliance Scheme agnostic (MasterCard and VISA supported) Supports transactions
More informationENHANCING ATM SECURITY USING FINGERPRINT AND GSM TECHNOLOGY
Available Online at www.ijcsmc.com International Journal of Computer Science and Mobile Computing A Monthly Journal of Computer Science and Information Technology IJCSMC, Vol. 3, Issue. 4, April 2014,
More informationExercise 1: Set up the Environment
RFID Lab Gildas Avoine, 2014 Contact: gildas.avoine@irisa.fr Objective: Learn how much it is easy to read contactless tags, possibly simulate/clone. Requirement: Hardware: Reader SCL3711 or ACR122, Reader
More informationETSI TS 102 176-2 V1.2.1 (2005-07)
TS 102 176-2 V1.2.1 (2005-07) Technical Specification Electronic Signatures and Infrastructures (ESI); Algorithms and Parameters for Secure Electronic Signatures; Part 2: Secure channel protocols and algorithms
More informationComputer Security: Principles and Practice
Computer Security: Principles and Practice Chapter 20 Public-Key Cryptography and Message Authentication First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Public-Key Cryptography
More informationMobile Payment: The next step of secure payment VDI / VDE-Colloquium. Hans-Jörg Frey Senior Product Manager May 16th, 2013
Mobile Payment: The next step of secure payment VDI / VDE-Colloquium May 16th, 2013 G&D has been growing through continuous innovation Server software and services Token and embedded security Cards for
More information