applied cryptography spring 2015 payment cards. some books about payment cards

Applied Cryptography

Spring 2015

Payment cards

Some books about payment cards

History of Plastic Cards

Plastic Cards initially used for ID purposes. Plastic Card used for Payment issued by Diners

Club, 1950. Secure against forgery and tampering:

Embossing and Tipping Holograms and Micro Printing. Invisible Patterns using fluorescent fibers. Signature Panel

Unfortunately security not fool proof.

Card Taxonomy

M ag ne ticS tripe

W ie ga nd B ar riumF e rr i te

M ag ne tic

R ad ioF req u en cy

M em ory O n ly W ith M ic roP roce ssor

W r ite O n ce(E P RO M )

M em ory O n ly W ith M ic roP roce ssor

W r ite M a ny(E E P R O M )

S m a rt M em o ry

IC Ca rds

B a r C od esS o fts tr ip

O C R O p tica lM em o ry

O p tica l

M ach ine R e ad ab le C ards

SOURCE: BURGER, CAROLL & ASSOCIATES

Magnetic Stripe Cards Stores data on Magnetic Stripes in machine

readable form. Allows automation. Minimizes paper utilization. How Magnetic Stripe Cards Work

Each Track divided into Domains Flux Reversal with in domain = 1 No Flux Reversal with in domain = 0 Track shown below = 0 1 1 0 0 1 0 1

Magnetic Stripe Cards: Issues

Data Carrying Capacity Each domain in a track is one-75th of an inch. Typical length of a track around 4 inches. Each magnetic stripe card has three such tracks. Data such a card can carry is approximately 140 bytes.

Security: Low Data world readable.Card readers available for less than

$50. Data world writable. Encoders available for $1000. Skimming. Corruption of Data in magnetic fields.

Magnetic Stripe Cards

There are three tracks on the magstripe. Each track is about one-tenth of an inch wide. The ISO/IEC standard 7811, which is used by banks, specifies:

Track one is 210 bits per inch (bpi), and holds 79 6-bit plus parity bit read-only characters. Track two is 75 bpi, and holds 40 4-bit plus parity bit characters. Track three is 210 bpi, and holds 107 4-bit plus parity bit characters.

Your credit card typically uses only tracks one and two. Track three is a read/write track (which includes an encrypted PIN, country code, currency units and amount authorized), but its usage is not standardized among banks.

Magnetic Stripe CardsThe information on track one is contained in two formats:

A, which is reserved for proprietary use of the card issuer,

and B, which includes the following: Start sentinel - one character Format code="B" - one character (alpha only) Primary account number - up to 19 characters Separator - one character Country code - three characters Name - two to 26 characters Separator - one character Expiration date or separator - four characters or one character Discretionary data - enough characters to fill out maximum record length (79 characters total) End sentinel - one character Longitudinal redundancy check (LRC) - one character

Magnetic Stripe Cards

The format for track two, developed by the banking industry, is as follows:

Start sentinel - one character Primary account number - up to 19 characters Separator - one character Country code - three characters Expiration date or separator - four characters or one character Discretionary data - enough characters to fill out maximum record length (40 characters total) LRC - one character

How to store cryptographic keys?

IBM 4758 PCI Cryptographic Coprocessor

Smart Cards

Magnetic stripe 140 bytes, cost $0.20-0.75

Memory cards 1-4 KB memory, no processor, cost $1.00-2.50

Optical memory cards 4 megabytes read-only (CD-like), cost $7.00-12.00

Microprocessor cards Embedded microprocessor

(OLD) 8-bit processor, 16 KB ROM, 512 bytes RAM Equivalent power to IBM XT PC, cost $7.00-15.00 32-bit processors now available

Intelligent, active devices with defenses

Smart Card Structure

Contacts (8)SOURCE: SMART CARD FORUM

Epoxy

Microprocessor

Contacts

Card(Upside-down)

Contacts:

Old Smart Card Architecture

SOURCE: SMART CARD FORUM

EEPROM:ElectricallyErasableProgrammableRead-OnlyMemory

• Vcc : power supply• RST : reset• Vpp : EEPROM writing voltage (still used?) • CLK : clock• GND : ground• I/O : input/output

SC contacts (ISO/IEC 7816 part 2)

SC contacts (8-pin and 6-pin versions)

• 8 (16, 32) bit CPU • Often at 3.5795 or 4.9152 MHz• RAM : 128 bytes- 16 Kbytes• ROM : 1 - 32 Kbytes

• Contains the code• EEPROM : 1 - 32 Kbytes

• Contains the data• A small part are OTP (One Time Programmable) bytes

• Optional:Random Noise Generation, sensors, security logic,Modular Exponentiations Unit or Co-processor

What are Smart Cards?

Component Based Classification

ROM

I/O Interface

EEPROM

CPU

Security Logic

RAM

Chip Card Architecture

Interface Based Classification

Vcc

Reset

Clock

Gnd

Vpp

I/O

Contact Cards: Require insertion into the reader. 6-8 gold plated contacts Contact cards further divided into:

Landing Contacts Sliding Contacts

Limitations Contacts get worn out Card Tearing Electrostatic Discharges

Interface Based ClassificationContactless Cards: No insertion required. Data/Power transfer over RF via antenna inside. Reading Distance: few cms to 50 cms. Used when transaction has to be carried out quickly. Advantages

Higher reliability as lesser moving parts involved. Longer Life, due to lesser wear and tear. Require Lesser Maintenance

Octopus cardUsed in Hong Kong metro


Contactless Cards: Disadvantages

Expensive: Cost can go up to $20 or more. User Fear: Transaction might get carried out without

knowledge. Unsuitable when large data transfer occurs. Time too short

Used in: Transport Industry Access Control Wherever transaction time is low.


Contactless Cards - current state:

The standard for contactless smart card communications is ISO/IEC 14443, dated 2001. It defines two types of contactless cards ("A" and "B"), allows for communications at distances up to 10 cm.

There had been proposals for ISO 14443 types C, D, E and F that have been rejected by the International Organization for Standardization. An alternative standard for contactless smart cards is ISO 15693, which allows communications at distances up to 50 cm.



Visa Contactless (Quick VSDC - "qVSDC", Visa Wave, MSD) MasterCard: (PayPass Magstripe, PayPass MChip) American Express: (Express Pay)

Roll-outs started in 2005 in USA (Asia and Europe - 2006). Contactless (non PIN) transactions cover a payment range of

~$5-50.

There is an ISO 14443 PayPass implementation. All PayPass implementations may be separated on EMV and non

EMV.



Non-EMV cards work like magnetic stripe cards. This is a typical card technology in the USA (PayPass Magstripe and VISA MSD). The cards do not control amount remaining. All payment passes without a PIN and usually in off-line mode. The security level of such a transaction is no greater than with classical magnetic stripe card transaction.

EMV cards have two interfaces (contact and contactless) and they work as a normal EMV card via contact interface. Via contactless interface they work almost like a EMV (card command sequence adopted on contactless features as low power and short transaction time).


Hybrid or Combo Cards Cards which can be used as either Contact Cards or

as Contactless Cards Ways this can be done:

Card could have two interfaces: One for contact readers, other for contactless readers.

Or a contact card can be slipped into a pouch which has battery and antenna.

Not too prevalent, might be used in future when multi application cards are introduced.

OS Based Classification Smart Card Operating Systems (SCOS) are placed

on the ROM and usually occupy lesser than 16 KB. SCOS handle:

File Handling and Manipulation. Memory Management. Data Transmission Protocols.

Various SCOS available are:

Java Card aims at defining a standard smart card computing environment allowing the same Java Card applet to run on different smart cards, much like a Java applet runs on different computers.

Widely used in SIM cards (used in GSM phones) and ATM cards.

Cyberflex MultOS MFCStarCOS Oscar JavaCard

Smart Card Components

Carrier: The basic material of which the card body is made.

Carrier should be : Resistant to mechanical failure. Able to withstand high temperatures. Cheap

PVC [Poly Vinyl Chloride], ABS [Acrylonitrile Butadiene Styrene] and PETP [Poly Ethylene Terephthalate] often used. PVC: All rounder ABS: Brittle but withstands higher temperatures PETP: High flexibility


Processor or the CPU Currently all processors are 8 bit ones with CISC

architecture. Typical Clock Speeds: 5 MHz. Reasons:

Card Companies want proven modules. Lower power consumption. Area limitations.

Future: Will slowly move to 32 bit architecture due to JavaCards.


ROM: Read Only Memory Used for storing fixed programs. Holds the SCOS. Typically varies from 2KB to around 16 KB. Once written, cannot be changed. Occupies the least area.

PROM: Programmable Read Only Memory Used for loading card serial number. Very small, typically just 32 bytes.


EEPROM: Electrically Erasable Read Only Memory Used for storing data that might change. Similar to a

HDD. Holds various applications and their data. Can be read or written to subject to permissions. Typically varies from 2KB to 32 KB depending on need.

RAM: Random Access Memory Used as temporary storage. Erased on power off. Typically varies between 128 Bytes to 512 Bytes.

Smart Card ComponentsI/O Interface: Input Output Interface Controls data flow to and from the card. Flow occurs one bit at a time in a half duplex manner. Typical Data flow rate is 9600 bits/sec.

Smart Card Area Restrictions Reasons for 25 mm2 restriction. How it effects component selection

Area required to hold 1 bit with various memories: ROM 10µm x 10µm = 100 µm2 EEPROM 20µm x 20µm = 400 µm2 RAM 40µm x 40µm = 1600 µm2

Smart Card Readers

Smart Card by itself is useless. Requires a reader. Reader is often called the Read-Write Unit as it can

read as well as write to the card. Readers of two types:

Insertion Readers: Cheaper, but manual.

[Card Swipe Machine] Motorized Readers: Automatic card capture and release.

Costly. [Bank ATM Machines]

Cost of a reader varies from $10 to $100. Readers often come with keypad for entry of PIN.

Smart Card Standards

Standards necessary to encourage interoperability.

Main Standards connected to Smart Cards: ISO 7816 EMV GSM OCF


ISO 7816 Part I: Follow on of ISO 7810. Defines Physical Characteristics of a Smart Card.

Physical Dimensions. Response to X-Rays and UV Light. Mechanical Strength. Electrical Resistance of the Contacts. Response to electromagnetic fields and static electricity.


ISO 7816 Part II: Follow on of ISO 7811. This document describes:

Dimensions of the contacts. (2mm by 1.7 mm) Locations of the contacts. Location of the embossing. Location of the magnetic stripe. The arrangement of the chip.


ISO 7816 Part III: Probably the most important specification document. This document describes:

The communication protocol. Functions of various contacts on the smart card. Basic electrical characteristics. Structure of Answer to Reset.

When manufacturers claim to be ISO 7816 compliant, they basically comply with Part I, II and III.

“Smart” Credit Cards

The EMV standard Europay / Mastercard / Visa

Theory is to permit cards from a variety of issuers to be accepted by a common Credit Authorisation Terminal Credit, debit and stored value functionality Supposedly open specifications Support for other “applications”

No current support for Internet payments


EMV standard is a set of three documents covering: Design Aspects of Smart Cards Design Aspects of Smart Card Terminals Debit/Credit Applications on Smart Cards.

First EMV Document covers: Electromechanical Properties Card Session Answer to Reset and Transmission Protocols. Similar to ISO 7816 (Part I and II)

Smart Card Standards Second EMV Document covers:

General Physical Characteristics of the Card Terminal. Security. Card Holder and Acquirer Interface. Software and Data Management.

Third EMV Document Covers: Transaction flow. Exception Handling.

If you are really interested check out: http://www.mastercard.com/emv/

Life cycle of smart card

Divided into five phases (on most smart cards)

These phases justified by Limitation of transfer and access of data is incremental

throughout different phases Different areas of smart card protected throughout the life

cycle

Personalisation System

Chip Manufacturer

Card Fabricator

PIN Mailer

Card

Card Issuer

Pre-Personalisation Process (P3)

Card Data

Unpersonalised Card

ChipRaw Materials

Smart cards - Issuance

Fabrication phase

Carried out by the chip manufacturers A Fabrication Key (KF) is added to protect the chip

unique and is derived from a master manufacturer key

Fabrication data will be written to the circuit chip

Pre-personalisation phase

Done by Card manufacturers Chip will be mounted on the plastic card The connection between the chip and the printed

circuit will be made Fabrication key (KF) changed to Personalisation key

(KP) Personalisation lock Vper

No further modification of the KF Physical memory access instructions will be disabled Access of the card can be done only by using logical

memory addressing

Personalisation phase

Conducted by the card issuers Data files contents and application data are written

to the card Information of card holder stored to the chip (PIN,

Unlocking PIN) Utilisation lock Vutil

No further modification of the KP

Card Issuer

AcquirerTerminal

Security of overall transaction is between the card and the Card Issuer

Smart Cards - Usage

Utilisation phase

Phase for the card owners use of the card Access of information on the card will be limited by

the security policies set by the application

Issuer Card Management System and P3

Home PC (via Internet)

ATM

PoS Terminal

Mobile Phone

Update card via multiple (insecure) channels

Smart Cards – Post Issuance

End-of-Life phase

Two ways: 1. invalidation lock

All operations will be disabled (except read)

2. Control system irreversibly blocks access All operations will be disabled

Logical attacks

Starting point:

EEPROM (electrically erasable programmable read only memory) write operations can be affected by unusual voltages and temperatures

information can be trapped by raising or dropping the supplied voltage to the microcontroller

Physical attacks

• Reverse engineering• HNO3 etching and probing, UV light to erase EEPROM,

etching away chip layers, Focussed Ion Beam, …• Danger: real, even the best SC’s won’t be safe aftermore than 3 or 4 years.

• Fault introduction (change clock or power, microwaves)• Bellcore attack (Boneh, DeMillo, Lipton - EUROCRYPT ‘97)• Differential Fault Analysis (Biham, Shamir - CRYPTO ‘97)• Danger: were announced as being theoretical howeverpractical attacks are said to be upcoming.

• Electromagnetic radiation (Van Eyck effect)• See http://www.jastech-emc.com/paper1.htm

• Timing attacks (Kocher - CRYPTO ‘96)• With or without Chinese Remainder Theorem• Danger: very real for unprotected cards

• Power Analysis (Kocher - ‘98)• Simple Power Analysis• Differential Power Analysis• See http://www.cryptography.com/dpa/index.html• Danger: see below ...

Physical attacks

Given enough resources (time, knowledge, equipment,money), no smart card is secure.

Technology to analyze IC’s advances at the samespeed as IC development itself.

So:• Cost for security loss by fraud• Maximize the cost to break in and minimize the consequences of such an attack.

In general

Simple Power AnalysisThe power consumption Ptotal during each clockcycle

can approximately be divided into 3 parts:

constant random data dependent

And as can be seen on the next image: Pinstruction > Pnoise > Pdata

(Pdata not visible)

Which means that groups of instructions and even individualinstructions can be distinguished.

Ptotal = Pinstruction + Pnoise + Pdata

If it would be possible to distinguish between asquare and a multiply operation in RSA, one single powermeasurement will reveal the private key.

Differential Power Analysis

• The power consumption during a cryptographic operation is measured.• Is a statistical attack (-> many measurements).• Applicable for all crypto algorithms and smart cards (when no special measures are taken).• Goal: find the key that is used in the algorithm.• Requirements: digital oscilloscope, smart card reader, computer, software to interface the reader and scope.• Difference with SPA: the attack relies on differences in Pdata

• Hardware solutions:• algorithm in hardware• reduce power consumption, increase noise.

• Software solutions:• add random instructions as to desynchronize, that much so that resynchronization (by software) fails.• don’t let the instructions depend on data or key (e.g. conditional jumps if data bits are set) (SPA only)• if possible reduce the number of times the algorithm can be executed• pay much attention to the beginning and end of the algorithm (DPA only)

Countermeasures

• Most unprotected cards are expected to be vulnerable.• No perfect solution is found yet, and none is not expected (soon).• Smart card companies do investigations and implement their solutions.• These solutions are often kept secret, also because of the security this offers.• Not much third-party checks for these solutions, or without inside information needed for thorough checking.

Current status

Advantages with Smart-Cards

Can have secret data Data used for internal computations and never

revealed in clear Example: PIN and keys can be stored on card

Can process data and save information Count transactions Check PIN and count unsuccessful tries Different behavior depending on geographic location Cryptographic functions

Uses the secret keys

New Functionality

Off-line risk management Can be configured at an individual level

Off-line card-holder verification PIN stored on card

Resistant to skimming attacks Transactions cryptographically

authenticated Reduces fraud rate

Off-line PIN

Increases speed for low-amount transactions

PIN is checked by card PIN is never revealed outside card. After a

predefined number of tries, the PIN functionality is blocked.

Can be sent to card in clear or encrypted Depends on card and terminal functionality.

Card Authentication to Terminal

Authentication to prevent use of fake cards Certifies that the card was not modified after

issuance Prevents alteration of risk-related parameters Two types – static and dynamic

Static – no special requirements on card. Does not stop skimming attacks. (Skimmed cards will be detected on-line.)

Dynamic – requires RSA functionality on card. Prevents skimming attacks.

Online Authorization

If card or terminal wants to go online, the transaction is verified online

On-line transactions are digitally authenticated Prevents use of fake cards Prevents the merchant from re-using the card number

The response from the issuer is digitally authenticated Important to avoid, e.g., wrongful change of PIN and

update of risk parameters.

Smart-card Transaction Flow

Card Terminal Acquirer Issuer

Card – terminalinteraction

On-line authorization(conditional)

Card – terminal interaction(if after online authorization)

Transaction data transfer(possibly including declined transactions’ info)

Interaction between Card and Terminal

Cards authenticates itself to the terminal

Offline risk control used to decide whether to go online or not If card wants to go online, transaction is

checked online If terminal wants to go online, transaction is

checked online

Interaction between card and issuer

If the decision is to go online, a message is sent to the issuer Message includes information on the interaction

between card and terminal Issuer checks that the message is

cryptographically correct The issuer either approves or declines the

authorization The response from the issuer can be

cryptographically authenticated

Interaction between Card and Terminal 2

Based on the result from the issuer, transaction is either approved or declined.

Interaction between card and issuer 2

If the transaction is approved, a message containing transaction data is sent to the issuer.

In case of a dispute, this message can be used by the issuer to prove that the transaction is valid. Same function as a signature for magnatic

cards.

Post-issuance Adaptations

Used to address change in risk Student finds permanent work – risk decreases Client misses a payment for a loan – indicates

increased risk

Used to change settings PIN change at ATM

React to new circumstances Block application if card number in stop-list

Scripts

Sent from host to card at online transaction Contains information to be processed by card Standard commands include

Change value of a risk parameter Change off-line PIN Block application Unblock application

EMV – Europay, MasterCard, Visa

Necessary to have standards for smart-cards Physical size Electrical connection API for payment applications

Any smart-card must be usable anywhere Europay, MasterCard and Visa have created

specifications named EMV for this purpose

EMV and Cryptography

EMV specifies how the principles for authentication Card – terminal, static or dynamic Card – issuer, using MACs

Suggests algorithms for computation of MAC Providers may use other algorithms

Parts That Need to Be Secured

Card – terminal authentication Card – issuer interaction Scripts sent to card by issuer

Card – Terminal Authentication

Negotiation of authentication methods


PIN authentication


The issuer has a certificate signed by the payment net (VISA, Europay or MasterCard) The payment net acts as CA (Certificate Authority)

The issuer signs its card with its private key and puts the signature on the card

The issuer’s public key certificate is placed on the card

The terminal knows the root (CA) certificate Using the root certificate, the terminal can verify the

signature presented by the card is valid.

Overview of Keys Used

Payment net

Issuer

Signed certificate

Root certificate

Card certificate

Certificate verified against root certified during transaction

Static Data Authentication (SDA)

S ign e d a pp lica tio n d a taIn d ivid ua l fo r e ach ca rd

Issu er ce rtif ica te

R o o t ce rtf ica te

On card

Each card is equipped with a signature on important card data. No secret key on card.

Data signed include card number, expiration data, verification methods etc.

The signed data is sent to the terminal when transaction is started.

Same data and signature used every time (therefore static).

IC TerminalIC Card

Issuer Acquirer

Payment SystemCertification Authority

(Issuer)SKISS

Private Key

(Issuer)PKISS

Public Key

Private Key

(CA)SKCA

Public Key

(CA)PKCA

Card static

data

PKISS certified

with SKCA

CERTIFIED

PKCA distributed to Acquirerfor loading in Terminal

SDA - Initialisation Phase

IC Terminal

IC Card

Card provides to terminal:

Signature OK

Terminal:

• Uses PKCA to retrieve the Issuer’s PKISS which is certified by the CA

• Uses PKISS to verify the digital signature of the card data

• Card data with Issuer’s digital signature

Card static

data

• PKISS certified by Certification Authority (CA)

CERTIFIED

SDA - Authorisation Phase

Signed Static Application Data, Generation

PAN

Sequence number

Verification methods

Other parameters... Hashed valued

Header

Data Authenticaion Code (DAC)

Encrypt with issuer private key

Signed Static Application Data

Signed Static Application Data, Verification

PAN

Sequence number

Verification methods

Other parameters...Hashed valued

Header

Data Authenticaion Code (DAC)

Decrypt with issuer public key

Signed Static Application Data

Dynamic Data Authentication (DDA)

T ra nsac tion de p en d en t d a tas ig ne d b y th e ca rd

C a rd pu b lic ke y ce rtica te

Issu er ce rtif ica te

R o o t ce rtf ica te

On card

Each card is equipped with a private key and a public key.

The public key is in a public key certificate signed by the issuer.

At transaction time, the card signs random data with its private key.

The terminal checks the signature and verifies the certficate chain.

Different data used every time (therefore dynamic).

IC TerminalIC Card

Issuer Acquirer

Payment SystemCertification Authority

(Issuer)SKISS

Private Key

(Issuer)PKISS

Public Key

Private Key

(CA)SKCA

Public Key

(CA)PKCA

PKISS certified

with SKCA

CERTIFIED

PKCA distributed to Acquirerfor loading in Terminal

(ICC)SKIC

Private Key

(ICC)PKIC

Public Key

CERTIFIED

PKIC certified

with SKISS

DDA - Initialisation Phase

IC Terminal

IC Card

Card provides to terminal:

Signature OK

• Uses PKCA to retrieve the Issuer’s PKISS which is certified by the CA

• Uses PKIC to verify the digital signature on the card and terminal data

• PKISS certified by Certification Authority (CA)

CERTIFIED

• PKIC certified by Issuer

CERTIFIED

• Uses PKISS to retrieve the ICC PKIC which is certified by the Issuer

• Digital signature on the UN and the ICC Dynamic Data generated using SKIC

Terminal:

Terminal provides to card:

• Unpredictable Number (UN)

INTERNAL AUTHENTICATE

DDA - Authorisation Phase

Dynamic Data Authentication

Certificate Chain

Unpredictable Number

Digital Signature

Generation of signature with card private key

Comparison – SDA vs. DDA

Static Data Authentication Dynamic Data Authentication

Cheaper cards – no need for RSA functionality on card

Expensive cards – card needs to perform RSA encryption

Fast – no processing on card Slower – card needs to produce RSA signature

Seeing one transaction is enough to produce a card that will be approved off-line

Seeing one transaction gives nothing

Card – Issuer Authentication

Issuer needs a permanent proof that the transaction has taken place.

Protection against fraud that comes from the merchant.

Based on symmetric cryptography Issuer places a key on the card at issuing. Issuer keeps the same key for use in

authorization processing.

Overview of Keys Used

Payment net

Issuer

Keys for card-issuerauthentication

Sent during transaction

Application Cryptograms

In every request to the issuer, the cards computes a MAC over certain parameters.

This MAC is called application cryptogram. The exact algorithm is defined between the issuer

and the card.

Issuer Authentication and Secure Messaging

If the issuer sends a MAC in the response, the card can verify that the message originates at the issuer.

When secure messaging is used, data sent from the issuer to the card is authenticated and/or encrypted.

Necessary for script processing Change of risk parameters requires the messages to be

secured with a MAC. Change of PIN requires the new PIN to be enciphered.

Computing Application Cryptograms

Amount

Currency

Transaction type

Date

Other transaction parameters...

MAC computation with card key

Application cryptogram (8

bytes)

Computing Response Cryptogram (ARPC)

Application cryptogram (8

bytes)

XOR last two bytes with the response from

issuer

Encrypt with card key

Application Response

Cryptogram (ARPC,8 bytes)

Key Derivation

EncryptionIssuer

master key

Card information

Unique card key

Each key to be put on the card is derived from an issuer master key. An issuer has (at least) one

master key for each key type to be placed on the card.

The derivation process is performed by taking card data and encrypt it with the corresponding master key. The card information used is

PAN (i.e., card number) and sequence number.

EMV transaction security is based on the use of 3-DES session keys, derived using certain random data and an ICC Master Key.

The ICC Master Key is derived from the card PAN and PAN Sequence Number and an Issuer Master Key.

The ICC Master Key is unique for each card and is stored in the card.

The Issuer Master Key is stored at the Authorising host system, which calculates the ICC Master Key and (hence) the session keys “on-the-fly”.

Different Issuer Master Keys are used for transaction integrity and for secure messaging.

Master keys

Issuer Master Key (double length)

PAN + PAN Sequence Number

3-DES Encrypt(Encrypt/Decrypt/Encrypt)

ICC Master Key (left half)

Inverted PAN + PAN Sequence

Number


ICC Master Key (right half)

Issuer Master Key (double length)

ICC Master Key Derivation

An ICC may hold up to four ICC Master Keys, as follows, each derived from the corresponding Issuer Master Key:

IMKA

CIMKSMI

IMKSM

C

IMKIDN

To derive session key for calculation of application cryptogram (MAC) for

transaction integrity To derive session key for calculation of application cryptogram (MAC) for secure

messaging integrity To derive session key for secure

messaging confidentiality (encryption) To derive ICC Dynamic Number for use

in Dynamic Data Authentication (DDA)

ICC Master Keys

Session Keys

EncryptionUnique card

key

Session information

Session key

For security reasons it is often a good idea to use different keys for each transaction.

Keys used only for one transaction are called session keys.

Session keys are derived from the appropriate ICC Master Key and transaction or unpredictable data.

For example, when generating an Application Cryptogram Session Key (SKAC), the ICC’s Application Transaction Counter (ATC) and an Unpredictable Number (UN) supplied by the terminal are used as input (see next slide).

Session keys for secure messaging are derived using the same technique, but with different “random” data.

The ICC Dynamic Number (IDN) is derived from the IMKIDN by performing a straight 3-DES encryption of the ATC and UN (suitably padded).

Session Key Derivation

Deriving Session Keys

Session keys are derived from the card key and session information.

The session information can be the transaction counter, ATC, or some other information sent in the transaction.

The data used for session key generation must be available to the issuer to allow the issuer to create the same key. Transaction counter is sent in clear. Other data used for key generation must be available

through other means.

ATC F0 00UN


SKAC(left half)

IMKAC

(double length)

ATC 0F 00UN


SKAC(right half)

IMKAC

(double length)

Session Key Derivation

Summary

Smart-cards protects the merchant, issuer and card-holder against fraud from counterfeited cards and fake transactions.

For card – terminal authentication different levels of security is possible, e.g., SDA vs. DDA.

Card – issuer authentication gives an electronic seal on transaction data.

applied cryptography spring 2015 payment cards. some books about payment cards

Documents

character slide

characters separator

smart cards magnetic

payment cards

character discretionary

readwrite track

character alpha

character country code