1 / 23

Previous lecture

Previous lecture. Diffie-Hellman key agreement Authentication Certificates Certificate Authorities. Today’s Agenda – Smartcards. The problem we want to solve General information on smart - cards New possibilities Transaction overview EMV. Problems with Magnetic Stripe. Easy to copy

lamya
Download Presentation

Previous lecture

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Previous lecture • Diffie-Hellman key agreement • Authentication • Certificates • Certificate Authorities Mårten Trolin

  2. Today’s Agenda – Smartcards • The problem we want to solve • General information on smart-cards • New possibilities • Transaction overview • EMV Mårten Trolin

  3. Problems with Magnetic Stripe • Easy to copy • Possible to make an exact copy of the magnetic-stripe image • Off-line risk management very rudimentary • No possibility to put risk levels on individual cards or groups of cards • Transactions can be modified by dishonest merchants • Smart-cards address these problems Mårten Trolin

  4. What Is a Smart-Card • A smart-card is a small computer • Often placed on a credit-card sized plastic card • Can have contacts or be contact-less • Has a well-defined interface • Can have secret information that is protected from direct access • First appeared in the 1970s Mårten Trolin

  5. Advantages with Smart-Cards • Can have secret data • Data used for internal computations and never revealed in clear • Example: PIN and keys can be stored on card • Can process data and save information • Count transactions • Check PIN and count unsuccessful tries • Different behavior depending on geographic location • Cryptographic functions • Uses the secret keys Mårten Trolin

  6. New Functionality • Off-line risk management • Can be configured at an individual level • Off-line card-holder verification • PIN stored on card • Resistant to skimming attacks • Transactions cryptographically authenticated • Reduces fraud rate Mårten Trolin

  7. Off-line PIN • Increases speed for low-amount transactions • PIN is checked by card • PIN is never revealed outside card. After a predefined number of tries, the PIN functionality is blocked. • Can be sent to card in clear or encrypted • Depends on card and terminal functionality. Mårten Trolin

  8. Card Authentication to Terminal • Authentication to prevent use of fake cards • Certifies that the card was not modified after issuance • Prevents alteration of risk-related parameters • Two types – static and dynamic • Static – no special requirements on card. Does not stop skimming attacks. (Skimmed cards will be detected on-line.) • Dynamic – requires RSA functionality on card. Prevents skimming attacks. Mårten Trolin

  9. Online Authorization • If card or terminal wants to go online, the transaction is verified online • On-line transactions are digitally authenticated • Prevents use of fake cards • Prevents the merchant from re-using the card number • The response from the issuer is digitally authenticated • Important to avoid, e.g., wrongful change of PIN and update of risk parameters. Mårten Trolin

  10. Smart-card Transaction Flow Card Terminal Acquirer Issuer Card – terminal interaction On-line authorization (conditional) Card – terminal interaction (if after online authorization) Transaction data transfer (possibly including declined transactions’ info) Mårten Trolin

  11. Smart-card Transaction Flow Card Terminal Acquirer Issuer Card – terminal interaction On-line authorization (conditional) Card – terminal interaction (if after online authorization) Transaction data transfer (possibly including declined transactions’ info) Mårten Trolin

  12. Interaction between Card and Terminal • Cards authenticates itself to the terminal • Offline risk control used to decide whether to go online or not • If card wants to go online, transaction is checked online • If terminal wants to go online, transaction is checked online Mårten Trolin

  13. Smart-card Transaction Flow Card Terminal Acquirer Issuer Card – terminal interaction On-line authorization (conditional) Card – terminal interaction (if after online authorization) Transaction data transfer (possibly including declined transactions’ info) Mårten Trolin

  14. Interaction between card and issuer • If the decision is to go online, a message is sent to the issuer • Message includes information on the interaction between card and terminal • Issuer checks that the message is cryptographically correct • The issuer either approves or declines the authorization • The response from the issuer can be cryptographically authenticated Mårten Trolin

  15. Smart-card Transaction Flow Card Terminal Acquirer Issuer Card – terminal interaction On-line authorization (conditional) Card – terminal interaction (if after online authorization) Transaction data transfer (possibly including declined transactions’ info) Mårten Trolin

  16. Interaction between Card and Terminal, Part 2 • Based on the result from the issuer, transaction is either approved or declined. Mårten Trolin

  17. Smart-card Transaction Flow Card Terminal Acquirer Issuer Card – terminal interaction On-line authorization (conditional) Card – terminal interaction (if after online authorization) Transaction data transfer (possibly including declined transactions’ info) Mårten Trolin

  18. Interaction between card and issuer, part 2 • If the transaction is approved, a message containing transaction data is sent to the issuer. • In case of a dispute, this message can be used by the issuer to prove that the transaction is valid. • Same function as a signature for magnatic cards. Mårten Trolin

  19. Post-issuance Adaptations • Used to address change in risk • Student finds permanent work – risk decreases • Client misses a payment for a loan – indicates increased risk • Used to change settings • PIN change at ATM • React to new circumstances • Block application if card number in stop-list Mårten Trolin

  20. Scripts • Sent from host to card at online transaction • Contains information to be processed by card • Standard commands include • Change value of a risk parameter • Change off-line PIN • Block application • Unblock application Mårten Trolin

  21. EMV – Europay, MasterCard, Visa • Necessary to have standards for smart-cards • Physical size • Electrical connection • API for payment applications • Any smart-card must be usable anywhere • Europay, MasterCard and Visa have created specifications named EMV for this purpose Mårten Trolin

  22. EMV and Cryptography • EMV specifies how the principles for authentication • Card – terminal, static or dynamic • Card – issuer, using MACs • Suggests algorithms for computation of MAC • Providers may use other algorithms Mårten Trolin

  23. Summary • Smart-cards solve the security problems associated with magnetic-stripe cards. • Enables more powerful offline risk control. • Whether to process transaction offline or online is a joint decision between card and terminal. • The EMV specifications ensure worldwide acceptance of smart-cards. Mårten Trolin

More Related