Mobile and Contactless Payment Security (v20111118)
Peter Fillmore, Witham Labs. Email: lab@withamlabs.com
1/842 High Street, East Kew 3102, Melbourne, Australia. Ph: +61 3 9846 2751, Fax: +61 3 9857 0350
Rambla de Catalunya 38, 8 planta, 08007 Barcelona, Spain. Ph: +34 93 184 2788
Slide No. 1
Topics covered in this talk
- How it works
- Card standards
- EMV/Contactless basics
- CVV explanation
- Static Data Authentication
- Combined Dynamic Data Authentication
- Recent advances
- Future areas of research
How Contactless/NFC/RFID Cards Work
How NFC/RFID/Contactless Works
- Electromagnetic induction: antennas are present in both the terminal and the card.
- The terminal generates a 13.56 MHz carrier signal.
- This signal powers the card and carries the data.
- The modulation used to transmit data varies according to the type of card.
What a card is made of
- Cards contain a near-field antenna embedded in the card plastic.
- A SoC is present in the upper left of the card and connects to the antenna.
Types of Cards and Standards
ID-1 Card (ISO 7810)
  Smart Cards (ISO 7816)
    Contact Cards
      Memory Card
      Processor Card
    Contactless Smart Cards
      CICC, Contactless IC Cards (ISO 10536): Processor Card, Memory Card
      Contactless Cards
        PICC, Proximity IC Cards (ISO 14443): Processor Card (13.56 MHz), Memory Card (13.56 MHz)
        VICC, Vicinity IC Cards (ISO 15693): Memory Card (13.56 MHz)
      RICC, Remote IC Cards: Memory Card (battery, 2.4/5.8 GHz)
    Dual Interface Cards
The ISO14443 Standard
- Part 1: Physical characteristics
- Part 2: Radio frequency power and signal interface
- Part 3: Initialization and anticollision
- Part 4: Transmission protocol
Two Types of Card

Terminal to Card      Type A                                   Type B
  Modulation          ASK 100%                                 ASK 10%
  Bit coding          Modified Miller code                     NRZ-L
  Synchronization     Bit level (SOF and EOF)                  1 start and 1 stop bit per byte

Card to Terminal      Type A                                   Type B
  Modulation          Load modulation, 847 kHz subcarrier, ASK Load modulation, 847 kHz subcarrier, BPSK
  Bit coding          Manchester code                          NRZ-L
  Synchronization     1-bit frame sync (SOF, EOF)              1 start and 1 stop bit per byte
ISO14443-A
Terminal to Card (Modified Miller, 100% ASK):
- Sequence X: logical 1
- Sequence Y: logical 0
- Sequence Z: logical 0
Card to Terminal (Manchester, subcarrier ASK modulated):
- Sequence D: logical 1
- Sequence E: logical 0
ISO14443-B
Terminal to Card communications (NRZ-L, 10% ASK): logical 0 and logical 1 (waveforms shown on the slide)
Card to Terminal communications (NRZ-L, BPSK modulated subcarrier):
- Logical 1: phase = 0 degrees
- Logical 0: phase = 180 degrees
Anti-Collision
- What is it?
- Does it matter?
EMV and Contactless
- EMV = chip card standard
- Defines use of cards in financial settings
- The same commands and functions are used in NFC payment cards
- BER-TLV encoding is used for data
What is on these Cards?
Track 1 Explained
Card data:
- PAN: 5412 7512 3412 3456
- Card holder name: MR JOHN A. CITIZEN
- Expiration date: 01/15
- Service code: 101 (International Card, Normal Authorization, Normal Verification)

Track 1 as encoded (followed by the LRC):
%B5412751234123456^CITIZEN/JOHN A.MR^1501101***?
Fields in order: Start Sentinel (%), Format Code (B), PAN, Field Separator (^), Name, Field Separator (^), Expiry Date (1501), Service Code (101), Discretionary Data (***), End Sentinel (?), LRC.
Track 2 Explained
Card data:
- PAN: 5412 7512 3412 3456
- Card holder name: MR JOHN A. CITIZEN
- Expiration date: 01/15
- Service code: 101 (International Card, Normal Authorization, Normal Verification)

Track 2 as encoded (followed by the LRC):
;5412751234123456=1501101***?
Fields in order: Start Sentinel (;), PAN, Field Separator (=), Expiry Date (1501), Service Code (101), Discretionary Data (***), End Sentinel (?), LRC.
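The track 2 layout above, parsed as an added example (Go written for this page, not code from the talk): the record is split on the start sentinel, field separator and end sentinel, the PAN, expiry and service code are checked for the shape the format requires, and the discretionary data is kept opaque. The sample record is constructed from the slide's card data, with "000" standing in for the *** discretionary data; ExpiryMMYY turns the stored YYMM back into the MM/YY printed on the card.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Track2 holds the fields of the layout on the slide: ;PAN=YYMM SSS discretionary ?
type Track2 struct {
	PAN, Expiry, ServiceCode string // PAN 12-19 digits, expiry YYMM, 3-digit service code
	Discretionary            string // issuer data (PVKI, PVV, CVV/CVC ...), kept opaque here
}

func isDigits(s string) bool { return s != "" && strings.Trim(s, "0123456789") == "" }

// ParseTrack2 splits raw track 2 data on its sentinels and '=' and checks each field's shape.
func ParseTrack2(raw string) (Track2, error) {
	var t Track2
	if !strings.HasPrefix(raw, ";") {
		return t, errors.New("missing start sentinel ';'")
	}
	end := strings.IndexByte(raw, '?')
	if end < 0 {
		return t, errors.New("missing end sentinel '?'")
	}
	pan, rest, ok := strings.Cut(raw[1:end], "=")
	if !ok {
		return t, errors.New("missing field separator '='")
	}
	if !isDigits(pan) || len(pan) < 12 || len(pan) > 19 {
		return t, fmt.Errorf("PAN %q must be 12 to 19 digits", pan)
	}
	if len(rest) < 7 || !isDigits(rest[:7]) {
		return t, errors.New("'=' must be followed by YYMM expiry and 3-digit service code")
	}
	t.PAN, t.Expiry, t.ServiceCode, t.Discretionary = pan, rest[:4], rest[4:7], rest[7:]
	return t, nil
}

// ExpiryMMYY renders the stored YYMM as MM/YY (1501 -> 01/15).
func (t Track2) ExpiryMMYY() string { return t.Expiry[2:] + "/" + t.Expiry[:2] }

func main() {
	// Constructed sample from the slide's card data; "000" stands in for the *** discretionary data.
	t, err := ParseTrack2(";5412751234123456=1501101000?")
	if err != nil {
		panic(err)
	}
	fmt.Printf("PAN=%s expiry=%s service=%s discretionary=%q\n", t.PAN, t.ExpiryMMYY(), t.ServiceCode, t.Discretionary)
}
```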
Discretionary Data
- This is an optional field for storage of issuer data etc.
- It is used to store the PVKI, PVV, CVV or CVC.
- PVKI/PVV are used for PIN verification by the issuer.
- CVV/CVC is used to verify the track data on the card.
What keys are on a typical payment card?
Key      Name                                     Description
KD CVC3  ICC Derived Key for CVC3 Generation      Symmetric key used for generating the CVC3
MK AC    ICC Application Cryptogram Master Key    Symmetric key used to derive the session key for generation of the Application Cryptogram
SK AC    ICC Application Cryptogram Session Key   Symmetric key used to generate the Application Cryptogram
What keys are on a typical card?
Key   Name               Description
Pi    Issuer Public Key  Used to verify the signature on static card data
S IC  ICC Private Key    Generates the signature on dynamic data
P IC  ICC Public Key     Used by the terminal to verify the card's signature on dynamic data
Card Verification Values Explained
- Many types: CVV/CVC, CVV2/CVC2, iCVV3
- CVV/CVC verifies that the track data on the magnetic stripe has not been changed.
- However, CVV/CVC is a fixed value stored with the track data and is read every time your card is swiped.
Card Verification Values Explained
- CVV2/CVC2 is printed on the card, not stored in the discretionary data on the track.
- Most familiar from CNP (Card Not Present) transactions, i.e. over-the-phone or Internet purchases.
- However, CVV2/CVC2 is also a fixed value printed on the card.
Dynamic Card Verification Code 3
How does a contactless payment card avoid these issues?
- A dynamic value is generated for each transaction.
- Allows contactless cards to be used in older magnetic stripe environments.
- However, this can be set to a static value by the issuer.
Calculation of the Dynamic CVC (CVC3)
- Concatenate the IVCVC3, the Unpredictable Number and the Application Transaction Counter to form the 8-byte data block D.
- Calculate O by encrypting D with 3DES under KD CVC3: O := eKDcvc3(D)
- The CVC3 is obtained by taking the two least significant bytes of O: CVC3 := O & 0000 0000 0000 FFFF
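The CVC3 derivation above, worked through as an added example in Go (not code from the talk). The 2/4/2 byte split of IVCVC3, Unpredictable Number and ATC inside the 8-byte block and the 16-byte double-length KD CVC3 are assumptions, since the slide only gives the concatenation order and total length; the key in main is constructed and not a real card key.

```go
package main

import (
	"crypto/des"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// ComputeCVC3 follows the slide: D = IVCVC3 || UN || ATC (8 bytes), O = 3DES(KDcvc3, D),
// CVC3 = O & 0x000000000000FFFF, i.e. the two low-order bytes of O.
// Assumptions not stated on the slide: IVCVC3 is 2 bytes, UN 4 bytes, ATC 2 bytes, all
// big-endian, and kdCVC3 is a 16-byte double-length key K1||K2 (expanded to K1||K2||K1).
func ComputeCVC3(kdCVC3 []byte, ivCVC3 uint16, un uint32, atc uint16) (uint16, error) {
	if len(kdCVC3) != 16 {
		return 0, fmt.Errorf("KDcvc3 must be 16 bytes, got %d", len(kdCVC3))
	}
	key := append(append([]byte{}, kdCVC3...), kdCVC3[:8]...)
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return 0, err
	}
	var d, o [8]byte
	binary.BigEndian.PutUint16(d[0:2], ivCVC3)
	binary.BigEndian.PutUint32(d[2:6], un)
	binary.BigEndian.PutUint16(d[6:8], atc)
	block.Encrypt(o[:], d[:])
	return binary.BigEndian.Uint16(o[6:8]), nil
}

func main() {
	// Constructed demo key, not a real card key. Two transactions with the same ATC but
	// different Unpredictable Numbers give different CVC3 values, which is what makes a
	// sniffed track 2 record useless for replay (slide 34).
	kd, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")
	for _, un := range []uint32{0x00000042, 0x00001337} {
		c, err := ComputeCVC3(kd, 0x1234, un, 0x0007)
		if err != nil {
			panic(err)
		}
		fmt.Printf("UN=%08X ATC=0007 CVC3=%04X\n", un, c)
	}
}
```

With K1 = K2 the 3DES encryption collapses to single DES, so the function can be checked against a published DES test vector: key 133457799BBCDFF1 and block 0123456789ABCDEF encrypt to 85E813540F0AB405, giving CVC3 = B405.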
Communication with a Card
Initial Transaction Flow (diagram: messages between Contactless Card and Terminal)
Static Data Authentication (SDA)
Diagram of the parties and keys involved:
- Certificate Authority: Private Key (CA) Sca, Public Key (CA) Pca
- Issuer: Private Key (Issuer) Si, Public Key (Issuer) Pi, Static Application Data, Signed Static Application Data (SSAD), Issuer PK Certificate
- Acquirer: Issuer PK Certificate
Obtaining Information off the Card (SDA Data) (diagram: messages between Contactless Card and Terminal)
Dynamic Data Authentication (DDA)
Diagram of the parties and keys involved:
- Certificate Authority: Private Key (CA) Sca, Public Key (CA) Pca
- Issuer: Private Key (Issuer) Si, Public Key (Issuer) Pi, Private Key (ICC) Sic, Public Key (ICC) Pic, Static Application Data, ICC PK Certificate, Issuer PK Certificate
- Acquirer: Issuer PK Certificate
Combined DDA/AC Generation (CDA) (diagram: messages between Contactless Card and Terminal)
Generate AC Command
Causes the card to compute and return an Application Cryptogram (AC).
Application Cryptogram types:
Abbreviation  Type                                   Meaning
AAC           Application Authentication Cryptogram  Transaction declined
ARQC          Authorization Request Cryptogram       Online authorization requested
TC            Transaction Certificate                Transaction approved
Generate AC Command: Generating the Cryptogram
- Generate the AC session key (SK AC).
- Concatenate the CDOL data and ICC data.
- Perform a CBC-MAC on the data using SK AC.
Generate AC Command: Generating the Signed Dynamic Application Data (SDAD)
TC/ARQC data elements (encrypted by the AC Session Key, SK AC, to give the TC or ARQC):
- Amount Authorized (Numeric)
- Unpredictable Number
- Application Interchange Profile
- Application Transaction Counter
Transaction Data (hashed with SHA-1 to give the Transaction Data Hash Code):
- PDOL elements
- CDOL elements
- CID
- Application Transaction Counter
- Issuer Application Data
ICC Dynamic Data:
- ICC Dynamic Number Length
- ICC Dynamic Number
- Cryptogram Information Data
- TC or ARQC
- Transaction Data Hash Code
Dynamic Application Data (signed with the ICC Private Key):
- Signed Data Format
- Hash Algorithm Indicator
- ICC Dynamic Data Length
- ICC Dynamic Data
- Pad Pattern
- Unpredictable Number
Combined DDA/AC Generation (CDA) (diagram: messages between Contactless Card and Terminal)
Recent Developments
NFC phones:
- Some Android phones now have built-in NFC circuitry.
- Code has been added to Android version 2.3.3.
- Can work with ISO14443 A and B, FeliCa, PROX etc.
Android and payment cards:
- A separate Secure Element is added to the phone.
- This chip stores the financial keys and data physically and logically isolated from the Android OS.
- Functions like a separate payment card.
Remote Sniffing + Demo
- REQA / ATQA captured from the audio-out of a wide-band receiver from 5 meters away
- BUT CVC3/CVV3 makes this not worthwhile on contactless payment cards
- "I don't care if someone sniffs my pants!"
Emissions / Power Analysis
- Powerful class of attack
- Relies on capturing emissions from cryptographic operations to determine the key used
- Successfully demonstrated on the MIFARE DESFire (MF3ICD40) card as used in the Victorian Myki transport card
- Unique keys in payment cards mitigate this attack
- See the paper "Side-Channel Analysis of Cryptographic RFIDs with Analog Demodulation" by Timo Kasper, David Oswald and Christof Paar for more information
Remote Sniffing using Software Defined Radios
- Potential for capturing and demodulating traces from a distance
- Other presentations today will be covering SDR technologies
- EMV works with Common Criteria testing to provide a protection profile for cards
- Side channel analysis is part of the testing
- Payment cards are protected against remote key recovery
Protecting your card
- Patent pending RFID shield/cooking material
- Highly flexible!
- Variety of form factors
- Also makes a great jacket potato (sour cream not included)
To Wrap Up
- Basics of contactless cards
- Security depends on the implementation
- The majority of new financial systems are built from existing standards which have been field tested
- Technology to create virtual cards is built into the latest smartphones
- The connection from the card to the terminal is not secure: it can be sniffed
Thank You
For more information on what Witham Labs can do for you please visit: http://www.withamlabs.com
Contact: Peter Fillmore, peter.fillmore@withamlabs.com