Modern electronic cards are called smart cards. This name comes from the fact that these cards contain a tamper-resistent (althougth not tamper-proof) chip that is capable of performing computational operations (like signing or encrypting a block of data) and permanently storing information. The most common example of such cards are, the credit or debit cards that we use to interact with terminals like post of sales (POS) and ATM machines.
Most smart cards follow the EMV (Europay MasterCard Visa, http://tinyurl.com/3k8puz ) standard (also know as chip and pin on English speaking countries) which, currently, is being adopted by most of the countries( http://tinyurl.com/oz9pup9 ). This, was created to reduce the number of frauds that occurred when using the magnetic strip by, authenticating both the card (via a signed certificate stored on the chip) and its holder (via PIN request).
Another goal of the EMV standard is to allow multiple application to coexist on the same card. For example, we may have a card that works like a debit card or a Visa card depending on different factors (for example: country or POS type).
The EMV defines a protocol that can be splitted into three different phases (http://tinyurl.com/p75wus7):
- Card authentication: Ensures that the card information was not tampered with and which bank issued the card.
- Cardholder verification: Executed via PIN insertion by the card holder, and assures to the terminal that the inserted PIN matches the one stored on the card.
- Transaction authorization: Ensures that the transaction that is being performed is properly authorized by the bank that issued the card.
During the card authentication phase, different types of authentication can be performed.
In the Static Data Authentication (SDA), the card presents a certificate signed by the issuing bank and its own information that is signed by the issuing bank private key.
In the Static Data Authentication (SDA), the card presents a certificate signed by the issuing bank and its own information that is signed by the issuing bank private key.
Static Data Authentication (SDA)
On Dynamic Data Authentication (DDA), the card has a private key and is able to perform cryptographic operations like signing a challenge issued by the terminal. This signature is then verified by the terminal using the cards public key certificate that is signed by the issuing bank.
Dynamic Data Authentication (DDA)
If the terminal is able to confirm that the data sent to it is correct, it advances to next phase, the cardholder verification.
The cardholder verification phase is were the owner of the card has to provide proof of ownership by authenticating both to the card and the terminal. The type of authentication mechanism is negotiated between the terminal and the card using an ordered list called cardholder verification method (CVM). According to a study performed by researchers at Cambridge (http://tinyurl.com/p75wus7), this list, normally contains three options:
- PIN verification: Where the cardholder is required to enter a PIN.
- Signature verification: Where the cardholder is required to produce a signature that is visually (manually) confirmed by the comparing the provided signature with the one on the card.
- None: Where no type of authentication is required.
If, for some reason, a terminal is not capable of one of these methods, it may be skipped. For example, in car tolls where we have a person requiring the toll fee, we aren’t required to enter a PIN or perform a signature.
In the PIN verification method, there are two different ways to confirm that the PIN is correct, online and offline. On offline verification, the PIN is sent to the card (encrypted or in clear text) that, compares it to the one that it has stored, updates the number of tries left and, replies according to the validity of the PIN. The reply also includes the number of tries left.
Simplified Offline PIN Verification
In online verification, the PIN is encrypted and sent through a network to the card issuer entity to be verified. Upon receiving it, the issuer will compare it to the one that it has stored and reply accordingly. When the pin is received on the terminal, the number of tries left is updated and a reply is returned to the cardholder. An example of such operations are the ones that are performed at ATM machines, where all PIN verifications are performed online.
Simplified Online PIN Verification
The transaction authorization initiates immediately after the cardholder is verified. During this phase, the terminal is assured that the requested transaction is authorized by the card issuer.
This phase starts with the terminal requesting to the card to generate a cryptographic message (Generate AC) of the transaction details (provided by the terminal). If the card accepts the transaction, it returns a cryptographic message (ARQC) to be sent to the card issuer, otherwise, the transaction is aborted. The returned message contains the description of the transactions plus a message authentication code (MAC) generated using a shared key between the card and the issuer.
When the issuer receives the message, it performs several operations like, verifying that the card is not stolen or there are funds on the account. If the issuing bank accepts the transaction, it will reply with a new cryptographic message (ARC) indicating that the transaction can be executed. This message also contais a MAC (ARPC) which, is generated using the initial message and an authorization response code.
The terminal, upon receiving the issuer message, forwards it to the card. The card will then validate the MAC and, if it checks out, updates its state indicating that the transaction was accepted.
The terminal will then request (Generate AC command) to the card to generate a transaction certificate that indicates that the transaction has been approved (TC). The certificate is then stored by the terminal and a copy is sent to the issuing entity. At this pois the transaction is completed and a receipt is printed.
An option for offline transaction authorization also exists. In this mode, the decision to approve or not a transaction falls on the card and the terminal. This decision is based on proprietary risk evaluation algorithm.
Simplified Online Transaction authorization
At a later time, the terminal sends a batch containing all the approved transactions to the acquiring bank (the entity that provides the terminal) to be processed (http://tinyurl.com/o3uh9lu). This process, depending on the amount of transactions, may occur once or more times a day.
Although there is a great visible effort to prevent attacks, several have been documented. For example, by exploring the fact that static data authentication always provides the same data and that is possible to perform offline PIN verifications, it is possible to clone a SDA smart card. This attack is know as the Yes card.
In the Yes card attack, the information provided by the SDA is copied into a new card. This new card will reply with YES to any PIN that is given. Although this attack is easily avoided by either performing online PIN validation or switching to a DDA card, due to economic reason (cheaper card, cheaper to perform offline PIN validation), there are card issuers and retailers that use these methods, thus are vulnerable to the attack.
Since most cards still come with a functional magnetic strip, it is possible to force the transaction to fallback to this method. Once on this “mode”, it is possible to both copy the information that is switched between the card and the terminal and the PIN.
Researchers at Cambridge University describe an attack where they perform a man-in-the-middle attack by exploiting a flaw in the EMV protocol (http://tinyurl.com/p75wus7). The discovered flaw allows for a stolen card to be used even without knowing the original PIN in offline PIN verification terminals. The attack is made possible due to the fact that the protocol does not authenticate the PIN validation correctly. So, it becomes possible to trick the card into thinking that the cardholder verification method was “None” or “Signature” while fooling the terminal into thinking that the correct PIN was inserted.
EMV protocol attack steps
As it is possible to see, these attacks at some point have to authenticate the cardholder in some manner. So, what is our degree of trust when we use cards that do not require the cardholder to authenticate?In part2, we will explain the contactless payment systems and explore their many wonderful possibilities.
0 comentários :
Post a Comment