mar 11, 2003mårten trolin1 previous lecture diffie-hellman key agreement authentication...
Post on 19-Dec-2015
218 views
TRANSCRIPT
Mar 11, 2003 Mårten Trolin 1
PreviousPrevious lecture lecture
Diffie-Hellman key agreementAuthenticationCertificatesCertificate Authorities
Mar 11, 2003 Mårten Trolin 2
Today’s Today’s AgendaAgenda – – SmartcardsSmartcards
The problem we want to solveGeneral information on smart-cardsNew possibilitiesTransaction overviewEMV
Mar 11, 2003 Mårten Trolin 3
Problems with Magnetic Problems with Magnetic StripeStripe
Easy to copy– Possible to make an exact copy of the magnetic-
stripe image
Off-line risk management very rudimentary– No possibility to put risk levels on individual cards
or groups of cards
Transactions can be modified by dishonest merchants
Smart-cards address these problems
Mar 11, 2003 Mårten Trolin 4
What Is a Smart-CardWhat Is a Smart-Card
A smart-card is a small computerOften placed on a credit-card sized
plastic cardCan have contacts or be contact-lessHas a well-defined interface
– Can have secret information that is protected from direct access
First appeared in the 1970s
Mar 11, 2003 Mårten Trolin 5
Advantages with Smart-Advantages with Smart-CardsCards
Can have secret data– Data used for internal computations and never
revealed in clear– Example: PIN and keys can be stored on card
Can process data and save information– Count transactions– Check PIN and count unsuccessful tries– Different behavior depending on geographic location– Cryptographic functions
Uses the secret keys
Mar 11, 2003 Mårten Trolin 6
New FunctionalityNew Functionality
Off-line risk management– Can be configured at an individual level
Off-line card-holder verification– PIN stored on card
Resistant to skimming attacksTransactions cryptographically
authenticated– Reduces fraud rate
Mar 11, 2003 Mårten Trolin 7
Off-line PINOff-line PIN
Increases speed for low-amount transactions
PIN is checked by card– PIN is never revealed outside card. After a
predefined number of tries, the PIN functionality is blocked.
Can be sent to card in clear or encrypted– Depends on card and terminal functionality.
Mar 11, 2003 Mårten Trolin 8
Card Authentication to Card Authentication to TerminalTerminal
Authentication to prevent use of fake cards Certifies that the card was not modified after
issuance Prevents alteration of risk-related parameters Two types – static and dynamic
– Static – no special requirements on card. Does not stop skimming attacks. (Skimmed cards will be detected on-line.)
– Dynamic – requires RSA functionality on card. Prevents skimming attacks.
Mar 11, 2003 Mårten Trolin 9
Online AuthorizationOnline Authorization
If card or terminal wants to go online, the transaction is verified online
On-line transactions are digitally authenticated– Prevents use of fake cards– Prevents the merchant from re-using the card
number The response from the issuer is digitally
authenticated– Important to avoid, e.g., wrongful change of PIN
and update of risk parameters.
Mar 11, 2003 Mårten Trolin 10
Smart-Smart-ccard Tard Transaction ransaction FlowFlowCard Terminal Acquirer Issuer
Card – terminalinteraction
On-line authorization(conditional)
Card – terminal interaction(if after online authorization)
Transaction data transfer(possibly including declined transactions’ info)
Mar 11, 2003 Mårten Trolin 11
Smart-Smart-ccard Tard Transaction ransaction FlowFlowCard Terminal Acquirer Issuer
Card – terminalinteraction
On-line authorization(conditional)
Card – terminal interaction(if after online authorization)
Transaction data transfer(possibly including declined transactions’ info)
Mar 11, 2003 Mårten Trolin 12
Interaction between Card Interaction between Card and Terminaland Terminal
Cards authenticates itself to the terminalOffline risk control used to decide
whether to go online or not– If card wants to go online, transaction is
checked online– If terminal wants to go online, transaction is
checked online
Mar 11, 2003 Mårten Trolin 13
Smart-Smart-ccard Tard Transaction ransaction FlowFlowCard Terminal Acquirer Issuer
Card – terminalinteraction
On-line authorization(conditional)
Card – terminal interaction(if after online authorization)
Transaction data transfer(possibly including declined transactions’ info)
Mar 11, 2003 Mårten Trolin 14
Interaction between card Interaction between card and issuerand issuer
If the decision is to go online, a message is sent to the issuer– Message includes information on the interaction
between card and terminal Issuer checks that the message is
cryptographically correct The issuer either approves or declines the
authorization The response from the issuer can be
cryptographically authenticated
Mar 11, 2003 Mårten Trolin 15
Smart-Smart-ccard Tard Transaction ransaction FlowFlowCard Terminal Acquirer Issuer
Card – terminalinteraction
On-line authorization(conditional)
Card – terminal interaction(if after online authorization)
Transaction data transfer(possibly including declined transactions’ info)
Mar 11, 2003 Mårten Trolin 16
Interaction between Card Interaction between Card and Terminal, Part 2and Terminal, Part 2
Based on the result from the issuer, transaction is either approved or declined.
Mar 11, 2003 Mårten Trolin 17
Smart-Smart-ccard Tard Transaction ransaction FlowFlowCard Terminal Acquirer Issuer
Card – terminalinteraction
On-line authorization(conditional)
Card – terminal interaction(if after online authorization)
Transaction data transfer(possibly including declined transactions’ info)
Mar 11, 2003 Mårten Trolin 18
Interaction between card Interaction between card and issuer, part 2and issuer, part 2
If the transaction is approved, a message containing transaction data is sent to the issuer.
In case of a dispute, this message can be used by the issuer to prove that the transaction is valid.– Same function as a signature for magnatic
cards.
Mar 11, 2003 Mårten Trolin 19
Post-issuance AdaptationsPost-issuance Adaptations
Used to address change in risk– Student finds permanent work – risk decreases– Client misses a payment for a loan – indicates
increased risk
Used to change settings– PIN change at ATM
React to new circumstances– Block application if card number in stop-list
Mar 11, 2003 Mårten Trolin 20
ScriptsScripts
Sent from host to card at online transaction Contains information to be processed by card Standard commands include
– Change value of a risk parameter– Change off-line PIN– Block application– Unblock application
Mar 11, 2003 Mårten Trolin 21
EMV – Europay, EMV – Europay, MasterCard, VisaMasterCard, Visa
Necessary to have standards for smart-cards– Physical size– Electrical connection– API for payment applications
Any smart-card must be usable anywhere Europay, MasterCard and Visa have created
specifications named EMV for this purpose
Mar 11, 2003 Mårten Trolin 22
EMV and CryptographyEMV and Cryptography
EMV specifies how the principles for authentication– Card – terminal, static or dynamic– Card – issuer, using MACs
Suggests algorithms for computation of MAC– Providers may use other algorithms
Mar 11, 2003 Mårten Trolin 23
SummarySummary
Smart-cards solve the security problems associated with magnetic-stripe cards.
Enables more powerful offline risk control. Whether to process transaction offline or online
is a joint decision between card and terminal. The EMV specifications ensure worldwide
acceptance of smart-cards.