Formal analysis of EMV

Transcription

1 Formal analysis of EMV Joeri de Ruiter Digital Security, Radboud University Nijmegen

2 Overview What is EMV? How does EMV work? Known weaknesses Formal analysis of EMV Februari 25, 2011 Joeri de Ruiter - Digital Security, Radboud University Nijmegen 2 / 32

3 What is EMV? Standard for communication between chip based payment cards and terminals Februari 25, 2011 Joeri de Ruiter - Digital Security, Radboud University Nijmegen 3 / 32

4 What is EMV? Maintained by Owned by Februari 25, 2011 Joeri de Ruiter - Digital Security, Radboud University Nijmegen 4 / 32

5 What is EMV? Initiated in 1993 Over 1 billion cards in circulation Compliance required for SEPA Februari 25, 2011 Joeri de Ruiter - Digital Security, Radboud University Nijmegen 5 / 32

6 EMV in the Netherlands Migration forwarded from 2013 to 2011 Increased cost of skimming M M M Februari 25, 2011 Joeri de Ruiter - Digital Security, Radboud University Nijmegen 6 / 32

7 Why EMV? Reducing fraud by skimming stolen credit cards used with forged signatures card-not-present fraud Liability shift Februari 25, 2011 Joeri de Ruiter - Digital Security, Radboud University Nijmegen 7 / 32

8 Complexity Over 700 pages Februari 25, 2011 Joeri de Ruiter - Digital Security, Radboud University Nijmegen 8 / 32

9 Complexity Many options and parameterisations 3 card authentication methods 5 cardholder authentication methods 2 types of transactions Parameterisation using Data Object Lists Februari 25, 2011 Joeri de Ruiter - Digital Security, Radboud University Nijmegen 9 / 32

10 Key set-up Card and issuer: symmetric key Issuer: private/public keypair Cards (optionally): private/public keypair Februari 25, 2011 Joeri de Ruiter - Digital Security, Radboud University Nijmegen 10 / 32

11 Protocol phases Initialisation Card authentication Cardholder verification Transaction Februari 25, 2011 Joeri de Ruiter - Digital Security, Radboud University Nijmegen 11 / 32

12 Initialisation Application is selected on smartcard Optionally information is provided by the terminal to the card Data from card is transmitted to the terminal Februari 25, 2011 Joeri de Ruiter - Digital Security, Radboud University Nijmegen 12 / 32

13 Card authentication Static Data Authentication Static data on card signed by issuer Dynamic Data Authentication Using asymmetric crypto Challenge/response mechanism Combined Data Authentication Transaction data signed Februari 25, 2011 Joeri de Ruiter - Digital Security, Radboud University Nijmegen 13 / 32

14 Cardholder verification PIN Online: PIN is checked by the issuer Offline: PIN is checked by the card Unencrypted Encrypted Handwritten signature None Februari 25, 2011 Joeri de Ruiter - Digital Security, Radboud University Nijmegen 14 / 32

15 Transaction Three different cryptograms Transaction Certificate Transaction approved Authorisation Request Cryptogram Online authorisation requested Application Authentication Cryptogram Transaction declined Contains an issuer specific MAC Februari 25, 2011 Joeri de Ruiter - Digital Security, Radboud University Nijmegen 15 / 32

16 Transaction Offline Terminal request Transaction Certificate (TC) Card response with TC or AAC Online Terminal initiated Terminal requests ARQC Card replies with ARQC or AAC Card initiated Terminal requests TC Card replies with ARQC Februari 25, 2011 Joeri de Ruiter - Digital Security, Radboud University Nijmegen 16 / 32

17 Attacking smartcards No direct copying possible Eavesdropping on communication using shim Februari 25, 2011 Joeri de Ruiter - Digital Security, Radboud University Nijmegen 17 / 32

18 Attacking smartcards Existing hardware used for pay TV and SIM cards Februari 25, 2011 Joeri de Ruiter - Digital Security, Radboud University Nijmegen 18 / 32

19 Attacking smartcards Active / wedge attacks Modifying traffic between card and terminal Card oriented Acting as a relay for a genuine card Terminal oriented Abusing access to the card Februari 25, 2011 Joeri de Ruiter - Digital Security, Radboud University Nijmegen 19 / 32

20 Known weaknesses Cloning SDA card Possible for offline transactions Only static data authenticated Card unable to sign data All PIN codes accepted by card Februari 25, 2011 Joeri de Ruiter - Digital Security, Radboud University Nijmegen 20 / 32

21 Known weaknesses DDA wedge attack Possible for offline transactions if DDA is used Terminal cannot verify transaction data Transaction not tied to card authentication Februari 25, 2011 Joeri de Ruiter - Digital Security, Radboud University Nijmegen 21 / 32

22 Known weaknesses Chip & PIN is broken [Murdoch et al. 2010] Possible with both online and offline transactions If card is not reported stolen If PIN-less transactions are allowed Using wedge attack All PIN codes accepted Februari 25, 2011 Joeri de Ruiter - Digital Security, Radboud University Nijmegen 22 / 32

23 Formal analysis Verified using ProVerif Automated security protocol verifier Applied pi-calculus Februari 25, 2011 Joeri de Ruiter - Digital Security, Radboud University Nijmegen 23 / 32

24 Formal analysis Formalisation in F# Functional programming language Developed by Microsoft Research Executable code Translated to applied pi-calculus using FS2PV Februari 25, 2011 Joeri de Ruiter - Digital Security, Radboud University Nijmegen 24 / 32

25 Formalisation Card and terminal formalised Options can be either unspecified or fixed DOLs fixed for Dutch banking cards Over 2500 lines of applied pi-calculus Februari 25, 2011 Joeri de Ruiter - Digital Security, Radboud University Nijmegen 25 / 32

26 Formalisation Februari 25, 2011 Joeri de Ruiter - Digital Security, Radboud University Nijmegen 26 / 32

27 Formalisation // Perform DDA Authentication if requested, otherwise do nothing let card_dda (c, atc, (sic,pic), noncec) dda_enabled = let data = Net.recv c in if Data.INTERNAL_AUTHENTICATE = APDU.get_command data then if dda_enabled then begin let noncet = APDU.parse_internal_authenticate data in let signature = rsa_sign sic (noncec, noncet) in Net.send c (APDU.internal_authenticate_response noncec signature); Net.recv c end else failwith "DDA not supported by card" else data Februari 25, 2011 Joeri de Ruiter - Digital Security, Radboud University Nijmegen 27 / 32

28 Security properties Sanity checks Secrecy of private keys Highest supported autentication method used Transaction authentication Februari 25, 2011 Joeri de Ruiter - Digital Security, Radboud University Nijmegen 28 / 32

29 Security properties Card and terminal agree whether PIN is entered correctly evinj:terminalverifypin(true) ==> evinj:cardverifypin(true) Transaction are authentic evinj:terminaltransactionfinish(sda,dda,cda,pan,atc,true) ==> evinj:cardtransactionfinish(sda2,dda2,cda2,pan,atc,true) Februari 25, 2011 Joeri de Ruiter - Digital Security, Radboud University Nijmegen 29 / 32

30 Results Reduction to 370 lines of F# code Resulting in over 2500 lines of applied pi-calculus All known weaknesses found ProVerif was able to verify most queries Februari 25, 2011 Joeri de Ruiter - Digital Security, Radboud University Nijmegen 30 / 32

31 Results With model including issuer additional weakness found When exactly following the specifications Possible if type of cryptogram is not included in MAC Recommended minimum set of data elements: Terminal: amount, country, verification results, currency, date, transaction type, nonce Card: Application Interchange Profile Application, transaction counter Februari 25, 2011 Joeri de Ruiter - Digital Security, Radboud University Nijmegen 31 / 32

32 Thanks for your attention! Februari 25, 2011 Joeri de Ruiter - Digital Security, Radboud University Nijmegen 32 / 32