Formal analysis of EMV

Similar documents
Formal models of bank cards for free

CONTACTLESS PAYMENTS. Joeri de Ruiter. University of Birmingham. (some slides borrowed from Tom Chothia)

Formal Analysis of the EMV Protocol Suite

Electronic Payments Part 1

A Guide to EMV. Version 1.0 May Copyright 2011 EMVCo, LLC. All rights reserved.

Chip & PIN is definitely broken. Credit Card skimming and PIN harvesting in an EMV world

Chip & PIN notes on a dysfunctional security system

Chip & PIN is definitely broken v1.4. Credit Card skimming and PIN harvesting in an EMV world

Securing Card-Not-Present Transactions through EMV Authentication. Matthew Carter and Brienne Douglas December 18, 2015

The SmartLogic Tool: Analysing and Testing Smart Card Protocols

Relay attacks on card payment: vulnerabilities and defences

Overview of Contactless Payment Cards. Peter Fillmore. July 20, 2015

JCB Terminal Requirements

Chip and PIN is Broken a view to card payment infrastructure and security

EMV: Integrated Circuit Card Specifications for Payment Systems

Payment systems. Tuomas Aura T Information security technology

Using EMV Cards to Protect E-commerce Transactions

EMV (Chip-and-PIN) Protocol

Fundamentals of EMV. Guy Berg Senior Managing Consultant MasterCard Advisors

Security Failures in Smart Card Payment Systems: Tampering the Tamper-Proof

Payment systems. Tuomas Aura T Information security technology. Aalto University, autumn 2012

SMARTCARD FRAUD DETECTION USING SECURE ONETIME RANDOM MOBILE PASSWORD

Banking Security Architecture

Heartland Secure. By: Michael English. A Heartland Payment Systems White Paper Executive Director, Product Development

The EMV Readiness. Collis America. Guy Berg President, Collis America

PayPass M/Chip Requirements. 10 April 2014

EMV: A to Z (Terms and Definitions)

EMV and Restaurants What you need to know! November 19, 2014

How To Protect A Smart Card From Being Hacked

EMV Frequently Asked Questions for Merchants May, 2014

EMV : Frequently Asked Questions for Merchants

Euronet s EMV Chip Solutions Superior Protection with Enhanced Security against Fraud

Extending EMV payment smart cards with biometric on-card verification

EMV and Small Merchants:

Joeri de Ruiter Sicco Verwer

How Smartcard Payment Systems Fail. Ross Anderson Cambridge

White Paper. EMV Key Management Explained

How Secure are Contactless Payment Systems?

M/Chip Functional Architecture for Debit and Credit

MOBILE CHIP ELECTRONIC COMMERCE: ENABLING CREDIT CARD PAYMENT FOR MOBILE DEVICES

EMV-TT. Now available on Android. White Paper by

EMV and Chip Cards Key Information On What This Is, How It Works and What It Means

EMV ADOPTION AND ITS IMPACT ON FRAUD MANAGEMENT WORLDWIDE

Electronic Payment Systems case studies

Acquirer Device Validation Toolkit (ADVT)

A Guide to EMV Version 1.0 May 2011

Frequently Asked Questions (FAQ) on HSBC Chip Credit Cards

Chip and PIN is Broken

FAQ EMV. EMV Overview

MasterCard PayPass. M/Chip, Acquirer Implementation Requirements. v.1-a4 6/06

Card Payments Roadmap in the United States: How Will EMV Impact the Future Payments Infrastructure?

Securing Mobile Payment Protocol. based on EMV Standard

The Canadian Migration to EMV. Prepared By:

Payment systems. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2015

First Data s Program on EMV

EMV and Restaurants: What you need to know. Mike English. October Executive Director, Product Development Heartland Payment Systems

Requirements for an EMVCo Common Contactless Application (CCA)

Designed to Fail: A USB-Connected Reader for Online Banking

THE ROAD TO U.S. EMV MIGRATION Information and Strategies to Help Your Institution Make the Change

Payment Methods. The cost of doing business. Michelle Powell - BASYS Processing, Inc.

Smart Cards for Payment Systems

Changing Consumer Purchasing Patterns. John Mayleben, CPP SVP, Technology and Product Development Michigan Retailers Association

PCI and EMV Compliance Checkup

Visa Recommended Practices for EMV Chip Implementation in the U.S.

THE FIVE Ws OF EMV BY DAVE EWALD GLOBAL EMV CONSULTANT AND MANAGER DATACARD GROUP

Prevention Is Better Than Cure EMV and PCI

Smart Tiger STARCHIP SMART TIGER PAYMENT PRODUCT LINE. Payment. STiger SDA. STiger DDA. STiger DUAL

RELIABILITY OF CHIP & PIN EVIDENCE IN BANKING DISPUTES

A Novel Card-Present Payment Scheme using NFC Technology

EMVCo Letter of Approval - Contact Terminal Level 2

EMV: Background and Implications for Credit Unions

Master Thesis Towards an Improved EMV Credit Card Certification

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

Payment Card Industry (PCI) Data Security Standard. PCI DSS Applicability in an EMV Environment A Guidance Document Version 1

EMV FAQs. Contact us at: Visit us online: VancoPayments.com

Introductions 1 min 4

What Merchants Need to Know About EMV

Beyond Cards and Terminals: Considerations for Testing Host-to-Host EMV Processing

EMV EMV TABLE OF CONTENTS

EMVCo Letter of Approval - Contact Terminal Level 2

Don t trust POS terminals! Verify in-shop payments with your phone

What Issuers Need to Know Top 25 Questions on EMV Chip Cards and Personalization

The Adoption of EMV Technology in the U.S. By Dave Ewald Global Industry Sales Consultant Datacard Group

PAGE ONE Economics CLASSROOM EDITION. The Smart-Chip Credit Card: A Current Solution

Preparing for EMV chip card acceptance

EMVCo Letter of Approval - Terminal Level 2

E M V I M P L E M E N TAT I O N T O O L S F O R S U C C E S S, P C I & S E C U R I T Y. February 2014

Card Technology Choices for U.S. Issuers An EMV White Paper

Fall Conference November 19 21, 2013 Merchant Card Processing Overview

FAQ on EMV Chip Debit Card and Online Usage

Payments Transformation - EMV comes to the US

What is EMV? What is different?

Implication of EMV Migration for the U.S. Transportation Industry. May 1, Implication of EMV Migration for the U.S. Transportation Industry

Guide to Data Field Encryption

A RE T HE U.S. CHIP RULES ENOUGH?

Risks of Offline Verify PIN on Contactless Cards

Transcription:

Formal analysis of EMV Erik Poll Joeri de Ruiter Digital Security group, Radboud University Nijmegen

Overview The EMV standard Known issues with EMV Formalisation of the EMV standard in F# Formal analysis using FS2PV and ProVerif Erik Poll & Joeri de Ruiter Digital Security, Radboud University Nijmegen 2

EMV Started 1993 by EuroPay, MasterCard, Visa Common standard for communication between 1. smartcard chip in bank or credit card (aka ICC) 2. terminal (POS or ATM) 3. issuer back-end Specs controlled by which is owned by Over 1 billion cards in use EMV-compliance required for Single Euro Payment Area Erik Poll & Joeri de Ruiter Digital Security, Radboud University Nijmegen 3

Why EMV? Goal: reducing fraud by 1. skimming 2. stolen credit cards used with forged signatures 3. card-not-present fraud (EMV-CAP) And also some transfer of liability? Erik Poll & Joeri de Ruiter Digital Security, Radboud University Nijmegen 4

Does EMV reduce skimming? UK introduced EMV in 2006 Skimming fraud with UK cards, in millions 2005 2006 2007 2008 domestic 79 46 31 36 foreign 18 53 113 134 Magstripe can still be cloned and used in countries that don t use the chip (notably USA) Worse still: chip provides the Track 2 magstripe data There are now moves to remove this `feature Erik Poll & Joeri de Ruiter Digital Security, Radboud University Nijmegen 5

Man-in-the-Middle attacks using a shim possibly invisible inside terminal eavesdropping or modifying traffic old-fashioned version (mainly used for hacking pay TV) newer, thin versions (used for studying SIM locking) Erik Poll Digital Security, Radboud University Nijmegen 6

The EMV protocol suite EMV is not a protocol, but a protocol toolkit suite : many options and parameterisations (incl. proprietary ones) 3 different card authentication mechanisms SDA, DDA, CDA 5 different cardholder verification mechanisms online PIN, offline plaintext PIN, offline encrypted PIN, handwritten signature, no card holder verification 2 types of transactions: offline, online All these mechanisms again parameterised by Data Object Lists (DOLs) Specification public but very complex (>750 pages) Erik Poll & Joeri de Ruiter Digital Security, Radboud University Nijmegen 7

EMV basics: key set-up Card and issuer have shared symmetric key which the terminal does not have Issuer has private/public keypair, used to sign data which the terminal can verify Some cards have a private/public keypair, used to sign data which the terminal can verify Erik Poll & Joeri de Ruiter Digital Security, Radboud University Nijmegen 8

EMV basics: parameterisation using DOLs Data Object Lists specify a list of data elements and their formats eg date, country, amount, primary acount number (pan), application transaction counter (atc), card/terminal generated nonce, Card contains several DOLs that specify inputs required by the card (signed/maced) output produced by the card at some protocol step Eg CDOL specifies which data is signed in a transaction cryptogram Erik Poll & Joeri de Ruiter Digital Security, Radboud University Nijmegen 9

EMV protocol phases I. Initialisation Terminal reads some data from the card, incl. several DOLs I. Card Authentication II. Cardholder Verification (optional) III. Transaction Erik Poll & Joeri de Ruiter Digital Security, Radboud University Nijmegen 10

II. Card Authentication: SDA 1. SDA Static Data Authentication card present static data (card no, expiry date etc) signed by issuer problem: can be replayed, so card can be cloned clone will always say offline PIN check succeeded hence: offline terminal can be fooled transaction is signed (MACed) using symmetric key, but terminal cannot check this MAC issuer will spot this fraud later Erik Poll & Joeri de Ruiter Digital Security, Radboud University Nijmegen 11

II. Card Authentication: DDA 1. SDA Static Data Authentication 2. DDA Dynamic Data Authentication card has (Pub,Priv) keypair and does challenge-response requires more expensive card than SDA: one that can do asymmetric crypto problem : card authenticated, but not the transaction hence: offline terminal can still be fooled issuer will spot fraud later Erik Poll & Joeri de Ruiter Digital Security, Radboud University Nijmegen 12

II. Card Authentication: CDA 1. SDA Static Data Authentication 2. DDA Dynamic Data Authentication 3. CDA Combined Data Authentication card has (Pub,Priv) keypair, as in DDA signature now added over all the transaction data so even an offline terminal can check authenticity Erik Poll & Joeri de Ruiter Digital Security, Radboud University Nijmegen 13

II. Card Authentication 1. SDA Static Data Authentication 2. DDA Dynamic Data Authentication 3. CDA Combined Data Authentication Most cards in use are SDA or DDA SDA is being phased out eg Visa & Mastercard forbid issuance of offline capable SDA cards starting 1/1/2011 Nobody seems to be phasing in CDA cards yet Erik Poll & Joeri de Ruiter Digital Security, Radboud University Nijmegen 14

III. Cardholder Verification Mechanisms 1. PIN a. online: PIN checked by the issuer b. offline: PIN checked by the chip unencrypted PIN could be eavesdropped using shim encrypted requires a card that can do asymmetric crypto 1. Handwritten signature 2. Nothing Note: only offline PIN involves the smartcard chip Erik Poll & Joeri de Ruiter Digital Security, Radboud University Nijmegen 15

One more weakness Terminal can be fooled into thinking a transaction was with PIN, while card & issuer know it was without PIN using a wedge aka Man-in-the-Middle attack for online and offline transactions root cause: terminal cannot authenticate response to offline pin verification [Murdoch, Drimer, Anderson, Bond, Chip & PIN is broken, 2010] This allows a stolen card to be used without PIN, but only as long as the card is not reported stolen (for online) if issuer allows PIN-less transactions (as is case in UK) or if the issuer misses the correct checks for this in the back-end Erik Poll & Joeri de Ruiter Digital Security, Radboud University Nijmegen 16

IV. Transaction For the transaction the card generates cryptograms ie data with a MAC, and for CDA-cards, also a digital signature For online transaction the card generates 2 cryptograms first cryptogram (ARQC) forwarded to the bank for approval second cryptogram (TC) confirming the transaction only after the card receives approval by the bank For offline transaction the card just generates onetc cryptogram A card may refuse an offline transaction, and force the terminal to go online Erik Poll & Joeri de Ruiter Digital Security, Radboud University Nijmegen 17

Complexity of the EMV specs Moral of the story: specs too complex to understand long specs, split over 4 books little discussion of security goals or design choices little abstraction or modularity Eg why not build on a notion of session level integrity & confidentiality as in SSL/TLS? Who really takes responsibility for ensuring these specs are secure? EMVCo, credit card companies, or banks? Erik Poll & Joeri de Ruiter Digital Security, Radboud University Nijmegen 18

Formalising EMV? Can formal security analysis tools cope with EMV? First attempt: formalising EMV in ProVerif Horrible! If-statements in applied pi-calculus cause huge duplication Second attempt: formalising EMV in F# Much better! F# allows sequential if-statements & functions Erik Poll & Joeri de Ruiter Digital Security, Radboud University Nijmegen 19

Formalisation of EMV in F# Erik Poll & Joeri de Ruiter Digital Security, Radboud University Nijmegen 20

Formalisation of EMV in F# EMV can be formalised in 370 lines of F# code including all options SDA, DDA, CDA any card holder verification mechanism off/online transations Booleans parameters controlling these options can be left unspecified (to study all these options) or fixed (to consider just one) but remaining configuration (DOLs) has to be fixed we use minimal assumptions on DOLs taken from Dutch bank/credit cards hardcoded in the model, but could easily be changed Erik Poll & Joeri de Ruiter Digital Security, Radboud University Nijmegen 21

Part of EMV model: DDA // Perform DDA Authentication if requested, otherwise do nothing let card_dda (c, atc, (sic,pic), noncec) dda_enabled = let data = Net.recv c in if Data.INTERNAL_AUTHENTICATE = APDU.get_command data then if dda_enabled then begin let noncet = APDU.parse_internal_authenticate data in let signature = rsa_sign sic (noncec, noncet) in Net.send c (APDU.internal_authenticate_response noncec signature); Net.recv c end else failwith "DDA not supported by card" else data Erik Poll & Joeri de Ruiter Digital Security, Radboud University Nijmegen 22

Analysis of the F# model F# can be translated to pi calculus by FS2PV tool and then analysed using ProVerif Translation to pi calculus explodes things a bit 370 lines of F# becomes 3 kloc of pi calculus But ProVerif can still verify security properties usually in minutes, but this requires some care! Erik Poll & Joeri de Ruiter Digital Security, Radboud University Nijmegen 23

Properties checked with ProVerif 1. sanity checks to ensure absence of deadlock 2. secrecy of private keys 3. highest supported card authentication method is used eg no fallback to say SDA can be forced 1. transaction security : if a transaction is completed, then everyone agrees on the parameters (eg with/without pin, off/online, amount, ) query evinj:terminaltransactionfinish(sda,dda,cda,pan,amount, ) ==> evinj:cardtransactioninit(sda,dda,cda,pan,amount, ). No new attacks found, but all existing weaknesses confirmed Erik Poll & Joeri de Ruiter Digital Security, Radboud University Nijmegen 24

Future work Including formal model of the issuer we don t know the configuration, so can only check EMV s example configuration Using F7 instead of ProVerif for verification F7 might give better /more predictable response time Making F# model executable with helper functions that implement low-level smartcard interaction, the model could interact with real cards and terminals gives high confidence that our model is correct could be used for model-based testing? Erik Poll & Joeri de Ruiter Digital Security, Radboud University Nijmegen 25

Future work: EMV CAP? use EMV chip for internet banking or e-commerce EMV CAP defined on top of EMV: an EMV-CAP session is an aborted EMV session internet banking Mastercard : CAP (Card Authentication Program) Visa : DPA (Dynamic Passcode Authentication) e-commerce Mastercard: SecureCode Visa: Verified by Visa CAP specs are secret but have been partially reverse-engineered also some patents discuss EMV-CAP Erik Poll & Joeri de Ruiter Digital Security, Radboud University Nijmegen 26

Reverse engineering EMV-CAP Erik Poll & Joeri de Ruiter Digital Security, Radboud University Nijmegen 27

Conclusions EMV protocol suite is far too complicated too many options, written down in confusing way Formalisation possible in F# and result is comprehensible! Formal analysis using FS2PV & ProVerif reveals all known weaknesses The future of skimming Will skimmers move to the USA? For skimming cards there, or using the data they skim here? Erik Poll & Joeri de Ruiter Digital Security, Radboud University Nijmegen 28

cross-channel possibilities traditional skimming tampered CAP readers harvest data via eshopping? use data for ebanking? Erik Poll & Joeri de Ruiter Digital Security, Radboud University Nijmegen 29

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information