Applied Cryptography Spring 2014 Payment cards
History of Plastic Cards
• Plastic cards were initially used for ID purposes.
• First payment card issued by Diners Club, 1950.
• Secured against forgery and tampering by:
  • Embossing and tipping
  • Holograms and micro printing
  • Invisible patterns using fluorescent fibers
  • Signature panel
• Unfortunately this security is not foolproof.
Card Taxonomy
[figure] SOURCE: BURGER, CAROLL & ASSOCIATES
Magnetic Stripe Cards
• Stores data on magnetic stripes in machine-readable form.
• Allows automation.
• Minimizes paper utilization.
• How magnetic stripe cards work:
  • Each track is divided into domains.
  • Flux reversal within a domain = 1
  • No flux reversal within a domain = 0
  • [figure: the track pattern shown reads 0 1 1 0 0 1 0 1]
Magnetic Stripe Cards: Issues
• Data carrying capacity
  • Each domain on track 2 is one 75th of an inch (tracks 1 and 3 are denser, at 210 bits per inch).
  • Typical length of a track is around 4 inches.
  • Each magnetic stripe card has three such tracks.
  • Data such a card can carry is approximately 140 bytes in total.
• Security: low
  • Data is world readable: card readers are available for less than $50. Nothing on the stripe is secret, so a read is a clone.
  • Data is world writable: encoders are available for about $1000.
  • Skimming: a concealed second reader copies the tracks during a legitimate swipe.
  • Corruption of data in magnetic fields.
Magnetic Stripe Cards
There are three tracks on the magstripe. Each track is about one-tenth of an inch wide. The ISO/IEC 7811 standard, which is used by banks, specifies:
• Track one is 210 bits per inch (bpi), and holds 79 6-bit plus parity bit read-only characters.
• Track two is 75 bpi, and holds 40 4-bit plus parity bit characters.
• Track three is 210 bpi, and holds 107 4-bit plus parity bit characters.
Your credit card typically uses only tracks one and two. Track three is a read/write track (which includes an encrypted PIN, country code, currency units and amount authorized), but its usage is not standardized among banks.
Magnetic Stripe Cards
The information on track one is contained in two formats: A, which is reserved for proprietary use of the card issuer, and B, which includes the following:
• Start sentinel - one character
• Format code = "B" - one character (alpha only)
• Primary account number - up to 19 characters
• Separator - one character
• Country code - three characters (present only when the PAN begins with 59)
• Name - two to 26 characters
• Separator - one character
• Expiration date or separator - four characters or one character
• Discretionary data - enough characters to fill out the maximum record length (79 characters total)
• End sentinel - one character
• Longitudinal redundancy check (LRC) - one character
Magnetic Stripe Cards
The format for track two, developed by the banking industry, is as follows:
• Start sentinel - one character
• Primary account number - up to 19 characters
• Separator - one character
• Country code - three characters (present only when the PAN begins with 59)
• Expiration date or separator - four characters or one character
• Discretionary data - enough characters to fill out the maximum record length (40 characters total)
• LRC - one character
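As an added example (not from the original slides), the following Python encodes a track 2 record the way the stripe carries it: four data bits plus an odd parity bit per character, least significant bit first, with the start sentinel ';', the field separator '=', the end sentinel '?' and an LRC whose data bits are the XOR of every preceding character's data bits. It then decodes the bit string back, checking parity, LRC and the PAN's Luhn check digit (track 1 uses the same parity and LRC scheme with 6-bit characters, which this code does not implement). The field order after the PAN follows ISO 7813: a country code only when the PAN starts with 59, then a YYMM expiry date or a separator, then a three-digit service code that the slide folds into the discretionary data. The card number and the other field values are constructed test data.

```python
"""Track 2 magnetic stripe encoding (ISO/IEC 7811 bit level, ISO 7813 field layout).

Each character is 4 data bits + 1 odd-parity bit, least significant bit first.
The 16 codes 0x0..0xF map onto ASCII 0x30..0x3F ('0'..'9', ':', ';', '<', '=', '>', '?').
Added example, not code from the original slides. The test values are constructed.
"""

ALPHABET = "0123456789:;<=>?"
START, SEP, END = ";", "=", "?"
MAX_CHARS = 40  # including the LRC character


def luhn_ok(pan: str) -> bool:
    """Luhn check digit (ISO/IEC 7812): double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _char_to_bits(ch: str) -> str:
    code = ALPHABET.index(ch)
    data = format(code, "04b")[::-1]                    # LSB is written first
    parity = "1" if data.count("1") % 2 == 0 else "0"   # odd parity over the 5 bits
    return data + parity


def track2_encode(pan: str, expiry: str, service_code: str, discretionary: str = "") -> tuple:
    """Return (ASCII record incl. sentinels and LRC, bit string as written on the stripe)."""
    if not (pan.isdigit() and len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("PAN must be up to 19 digits with a valid Luhn check digit")
    body = START + pan + SEP + (expiry or SEP) + service_code + discretionary + END
    if len(body) + 1 > MAX_CHARS:
        raise ValueError("track 2 holds at most 40 characters")
    lrc = 0
    for ch in body:                  # LRC data bits = XOR of all other characters' data bits
        lrc ^= ALPHABET.index(ch)
    record = body + ALPHABET[lrc]
    return record, "".join(_char_to_bits(ch) for ch in record)


def track2_decode(bits: str) -> dict:
    """Decode stripe bits (leading/trailing clocking zeros allowed) and validate them."""
    pos = bits.find("1")             # the start sentinel ';' begins with a 1 bit
    if pos < 0:
        raise ValueError("no data on track")
    chars = []
    while True:
        chunk = bits[pos:pos + 5]
        if len(chunk) < 5:
            raise ValueError("track truncated before end sentinel + LRC")
        if chunk.count("1") % 2 == 0:
            raise ValueError(f"parity error in character {len(chars)}")
        chars.append(ALPHABET[int(chunk[:4][::-1], 2)])
        pos += 5
        if len(chars) >= 2 and chars[-2] == END:   # the character after END is the LRC
            break
    record = "".join(chars)
    body, lrc = record[:-1], record[-1]
    xor = 0
    for ch in body:
        xor ^= ALPHABET.index(ch)
    if ALPHABET[xor] != lrc:
        raise ValueError("LRC mismatch")
    if body[0] != START:
        raise ValueError("missing start sentinel")
    pan, _, rest = body[1:-1].partition(SEP)
    if not (pan.isdigit() and len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("PAN failed Luhn check")
    country = None
    if pan.startswith("59"):         # ISO 7813: country code present only for PANs starting 59
        country, rest = rest[:3], rest[3:]
    if rest.startswith(SEP):         # no expiry date encoded
        expiry, rest = None, rest[1:]
    else:
        expiry, rest = rest[:4], rest[4:]
    return {"pan": pan, "country_code": country, "expiry": expiry,
            "service_code": rest[:3], "discretionary": rest[3:], "record": record}


if __name__ == "__main__":
    # Constructed test data: 4111111111111111 is a well-known Luhn-valid test number.
    record, bits = track2_encode("4111111111111111", "2512", "201", "1234567890")
    print(record, len(bits), "bits")
    print(track2_decode("0000" + bits + "0000"))
```

Note that parity and LRC only catch accidental damage; they are not an integrity protection, and anyone who can read the bits can re-encode them onto a blank card with the same checks intact.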
How to store cryptographic keys?
[figure: IBM 4758 PCI Cryptographic Coprocessor, a tamper-responding hardware security module]
Smart Cards
• Magnetic stripe
  • 140 bytes, cost $0.20-0.75
• Memory cards
  • 1-4 KB memory, no processor, cost $1.00-2.50
• Optical memory cards
  • 4 megabytes read-only (CD-like), cost $7.00-12.00
• Microprocessor cards
  • Embedded microprocessor
  • (OLD) 8-bit processor, 16 KB ROM, 512 bytes RAM
  • Equivalent power to an IBM XT PC, cost $7.00-15.00
  • 32-bit processors now available
  • Intelligent, active devices with defenses
Smart Card Structure
[figure: microprocessor, epoxy and the eight contacts; card shown upside-down] SOURCE: SMART CARD FORUM
Old Smart Card Architecture
[figure] EEPROM: Electrically Erasable Programmable Read-Only Memory. SOURCE: SMART CARD FORUM
SC contacts (ISO/IEC 7816 part 2)
• Vcc : power supply
• RST : reset
• Vpp : EEPROM programming voltage (legacy: modern chips generate it on-chip with a charge pump, and newer editions of ISO/IEC 7816-3 no longer define this contact)
• CLK : clock
• GND : ground
• I/O : input/output
What are Smart Cards?
• 8 (16, 32) bit CPU
• Often clocked at 3.5795 or 4.9152 MHz
• RAM : 128 bytes - 16 KB
• ROM : 1 - 32 KB
  • Contains the code
• EEPROM : 1 - 32 KB
  • Contains the data
  • A small part is OTP (One Time Programmable) bytes
• Optional:
  • Random noise generation, sensors, security logic
  • Modular exponentiation unit or co-processor
Component Based Classification: Chip Card Architecture
[figure: CPU, ROM, EEPROM, RAM, Security Logic, I/O Interface]
Interface Based Classification
[figure: contact layout - Gnd, Vcc, Vpp, Reset, I/O, Clock]
Contact Cards:
• Require insertion into the reader.
• 6-8 gold plated contacts
• Contact cards are further divided into:
  • Landing contacts
  • Sliding contacts
• Limitations
  • Contacts get worn out
  • Card tearing (the card is pulled out mid-transaction, possibly mid-write)
  • Electrostatic discharges
Interface Based Classification
Contactless Cards:
• No insertion required.
• Data/power transfer over RF via an antenna inside the card.
• Reading distance: a few cm to 50 cm.
• Used when the transaction has to be carried out quickly.
• Advantages
  • Higher reliability, as fewer moving parts are involved.
  • Longer life, due to less wear and tear.
  • Require less maintenance.
[figure: Octopus card, used in the Hong Kong metro]
Interface Based Classification
Contactless Cards:
• Disadvantages
  • Expensive: cost can go up to $20 or more.
  • User fear: a transaction might get carried out without the holder's knowledge.
  • Unsuitable when large data transfers occur: the time in the field is too short.
• Used in:
  • Transport industry
  • Access control
  • Wherever transaction time is low.
Interface Based Classification
Contactless Cards - current state:
• The standard for contactless smart card communications is ISO/IEC 14443, dated 2001. It defines two types of contactless cards ("A" and "B") and allows communication at distances up to 10 cm.
• There had been proposals for ISO 14443 types C, D, E and F that were rejected by the International Organization for Standardization.
• An alternative standard for contactless smart cards is ISO 15693 (vicinity cards), which allows communication at distances up to about 1 m.
Interface Based Classification
Contactless Cards - current state:
• Visa Contactless (Quick VSDC - "qVSDC", Visa Wave, MSD)
• MasterCard (PayPass Magstripe, PayPass MChip)
• American Express (ExpressPay)
• Roll-outs started in 2005 in the USA (Asia and Europe: 2006).
• Contactless (no PIN) transactions cover a payment range of roughly $5-50.
• There is an ISO 14443 PayPass implementation. All PayPass implementations can be divided into EMV and non-EMV.
Interface Based Classification
Contactless Cards - current state:
• Non-EMV cards work like magnetic stripe cards. This is the typical card technology in the USA (PayPass Magstripe and Visa MSD). The card does not keep track of the amount remaining. Every payment passes without a PIN and usually in off-line mode, so the security level of such a transaction is no greater than that of a classical magnetic stripe transaction.
• EMV cards have two interfaces (contact and contactless) and work as a normal EMV card via the contact interface. Via the contactless interface they work almost like an EMV card (the command sequence is adapted to contactless constraints such as low power and short transaction time).
Interface Based Classification
Hybrid or Combo Cards
• Cards which can be used either as contact cards or as contactless cards.
• Ways this can be done:
  • The card has two interfaces: one for contact readers, the other for contactless readers.
  • Or a contact card is slipped into a pouch which has a battery and an antenna.
• Not too prevalent; might be used in future when multi-application cards are introduced.
OS Based Classification
• Smart Card Operating Systems (SCOS) are placed in ROM and usually occupy less than 16 KB.
• SCOS handle:
  • File handling and manipulation.
  • Memory management.
  • Data transmission protocols.
• Various SCOS are available. Java Card aims at defining a standard smart card computing environment allowing the same Java Card applet to run on different smart cards, much like a Java applet runs on different computers. Widely used in SIM cards (used in GSM phones) and ATM cards.
Smart Card Components
Carrier: the basic material of which the card body is made.
• Carrier should be:
  • Resistant to mechanical failure.
  • Able to withstand high temperatures.
  • Cheap.
• PVC [Poly Vinyl Chloride], ABS [Acrylonitrile Butadiene Styrene] and PETP [Poly Ethylene Terephthalate] are often used.
  • PVC: all-rounder
  • ABS: brittle but withstands higher temperatures
  • PETP: high flexibility
Smart Card Components
Processor or the CPU
• Traditionally 8-bit processors with a CISC architecture (16- and 32-bit cores exist today).
• Typical clock speed: 5 MHz.
• Reasons:
  • Card companies want proven modules.
  • Lower power consumption.
  • Area limitations.
• Future: will slowly move to 32-bit architectures, driven by Java Card.
Smart Card Components
ROM: Read Only Memory
• Used for storing fixed programs. Holds the SCOS.
• Typically varies from 2 KB to around 16 KB.
• Once written, it cannot be changed.
• Occupies the least area per bit.
PROM: Programmable Read Only Memory
• Used for loading the card serial number.
• Very small, typically just 32 bytes.
Smart Card Components
EEPROM: Electrically Erasable Programmable Read Only Memory
• Used for storing data that might change; the card's equivalent of a hard disk.
• Holds the various applications and their data.
• Can be read or written to, subject to permissions.
• Typically varies from 2 KB to 32 KB depending on need.
RAM: Random Access Memory
• Used as temporary storage.
• Erased on power off.
• Typically varies between 128 bytes and 512 bytes.
Smart Card Components
I/O Interface: Input Output Interface
• Controls data flow to and from the card.
• Flow occurs one bit at a time, half duplex, over the single I/O contact.
• Typical data rate is 9600 bits/sec (the ISO 7816-3 default of 372 clock cycles per bit at a 3.57 MHz clock).
Smart Card Area Restrictions
• Reason for the 25 mm² restriction: a larger die cracks when the card is flexed.
• How it affects component selection. Area required to hold 1 bit in the various memories:
  • ROM 10 µm x 10 µm = 100 µm²
  • EEPROM 20 µm x 20 µm = 400 µm²
  • RAM 40 µm x 40 µm = 1600 µm²
Smart Card Readers
• A smart card by itself is useless; it requires a reader.
• The reader is often called the Read-Write Unit, as it can read as well as write to the card.
• Readers are of two types:
  • Insertion readers: cheaper, but manual. [Card swipe machine]
  • Motorized readers: automatic card capture and release. Costly. [Bank ATM]
• Cost of a reader varies from $10 to $100.
• Readers often come with a keypad for entry of the PIN.
Smart Card Standards
• Standards are necessary to encourage interoperability.
• Main standards connected to smart cards:
  • ISO 7816
  • EMV
  • GSM
  • OCF (OpenCard Framework)
Smart Card Standards
ISO 7816 Part I:
• Follow-on of ISO 7810.
• Defines the physical characteristics of a smart card:
  • Physical dimensions.
  • Response to X-rays and UV light.
  • Mechanical strength.
  • Electrical resistance of the contacts.
  • Response to electromagnetic fields and static electricity.
Smart Card Standards
ISO 7816 Part II:
• Follow-on of ISO 7811.
• This document describes:
  • Dimensions of the contacts (2 mm by 1.7 mm).
  • Locations of the contacts.
  • Location of the embossing.
  • Location of the magnetic stripe.
  • The arrangement of the chip.
Smart Card Standards
ISO 7816 Part III:
• Probably the most important specification document.
• This document describes:
  • The communication protocols (T=0, byte-oriented, and T=1, block-oriented).
  • Functions of the various contacts on the smart card.
  • Basic electrical characteristics.
  • Structure of the Answer to Reset (ATR).
• When manufacturers claim to be ISO 7816 compliant, they basically comply with Parts I, II and III.
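The Answer to Reset is the first thing a terminal sees from a card, so its structure is worth knowing in detail. The following Python is an added example (not from the original slides) that parses an ATR as ISO/IEC 7816-3 lays it out: TS gives the bit convention, T0 carries the bitmap Y1 of which interface bytes follow and the count K of historical bytes, each TDi carries the next bitmap and an offered protocol, then come the K historical bytes and, unless only T=0 is offered, a TCK byte that makes the XOR of T0 through TCK zero. TA1 is decoded into Fi/Di to give the bit duration in clock cycles. The three sample ATRs are constructed for the test (the first two follow the shape of a typical GSM SIM and of a contactless card presented through a PC/SC reader). Note the security caveat the parser makes explicit: the TCK is a plain XOR, so an ATR carries no authentication and must not be trusted to identify a card.

```python
"""Parse an ISO/IEC 7816-3 Answer To Reset (ATR).

Layout: TS (convention), T0 (Y1 bitmap + number K of historical bytes), then for
i = 1, 2, ... the interface bytes TAi/TBi/TCi/TDi announced by the previous bitmap,
then K historical bytes, then TCK (XOR check) unless only T=0 is offered.
Added example, not code from the original slides. Sample ATRs are constructed.
"""

# TA1 encodes Fi (clock-rate conversion) and Di (baud-rate adjustment); etu = Fi/Di clocks.
FI_TABLE = {0: 372, 1: 372, 2: 558, 3: 744, 4: 1116, 5: 1488, 6: 1860,
            9: 512, 10: 768, 11: 1024, 12: 1536, 13: 2048}        # 7, 8, 14, 15: RFU
DI_TABLE = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16, 6: 32, 7: 64, 8: 12, 9: 20}  # others: RFU


def parse_atr(raw: bytes) -> dict:
    if len(raw) < 2:
        raise ValueError("ATR needs at least TS and T0")
    if raw[0] == 0x3B:
        convention = "direct"
    elif raw[0] == 0x3F:
        convention = "inverse"
    else:
        raise ValueError(f"invalid TS 0x{raw[0]:02X}")
    t0 = raw[1]
    k, y = t0 & 0x0F, t0 >> 4
    pos, i = 2, 1
    interface, td_protocols = {}, []
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(raw):
                    raise ValueError(f"ATR truncated inside {name}{i}")
                interface[f"{name}{i}"] = raw[pos]
                pos += 1
        if not y & 8:
            break
        td = interface[f"TD{i}"]
        td_protocols.append(td & 0x0F)   # T=15 marks global interface bytes, not a protocol
        y = td >> 4                      # Y(i+1): which bytes follow in the next group
        i += 1
    historical = raw[pos:pos + k]
    if len(historical) != k:
        raise ValueError("ATR truncated inside historical bytes")
    pos += k
    # TCK is present iff some TDi announces anything other than T=0 (T=15 included).
    tck_ok = None
    if any(p != 0 for p in td_protocols):
        if pos >= len(raw):
            raise ValueError("TCK missing")
        xor = 0
        for b in raw[1:pos + 1]:         # T0 .. TCK must XOR to zero; this is not a MAC
            xor ^= b
        tck_ok = xor == 0
        pos += 1
    if pos != len(raw):
        raise ValueError(f"{len(raw) - pos} unexpected trailing byte(s)")
    protocols = sorted({p for p in td_protocols if p != 15}) or [0]
    ta1 = interface.get("TA1", 0x11)     # absent TA1 means the defaults Fi=372, Di=1
    fi, di = FI_TABLE.get(ta1 >> 4), DI_TABLE.get(ta1 & 0x0F)
    return {
        "convention": convention,
        "interface_bytes": interface,
        "protocols": protocols,
        "historical_bytes": historical,
        "tck_ok": tck_ok,                # None when TCK is legitimately absent
        "etu_clocks": fi // di if fi and di else None,   # clock cycles per bit
    }


if __name__ == "__main__":
    for hexstr in ("3B 9F 95 80 1F C3 80 31 E0 73 FE 21 13 57 86 81 02 86 98 44 18 A8",
                   "3B 8F 80 01 80 4F 0C A0 00 00 03 06 03 00 01 00 00 00 00 6A",
                   "3B 02 14 50"):
        print(parse_atr(bytes.fromhex(hexstr)))
```

The first sample offers T=0 at Fi=512, Di=16 (32 clock cycles per bit, so a 4 MHz clock gives 125 kbit/s once the terminal negotiates those parameters), the second offers T=0 and T=1, and the third is a minimal T=0 card with two historical bytes and no TCK.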
“Smart” Credit Cards
• The EMV standard
  • Europay / Mastercard / Visa
• The theory is to permit cards from a variety of issuers to be accepted by a common Credit Authorisation Terminal
• Credit, debit and stored value functionality
• Supposedly open specifications
• Support for other “applications”
• No current support for Internet payments
Smart Card Standards
• The EMV standard is a set of three documents covering:
  • Design aspects of smart cards
  • Design aspects of smart card terminals
  • Debit/credit applications on smart cards
• The first EMV document covers:
  • Electromechanical properties
  • Card session
  • Answer to Reset and transmission protocols
  • Similar to ISO 7816 (Parts I and II)
Smart Card Standards
• The second EMV document covers:
  • General physical characteristics of the card terminal
  • Security
  • Card holder and acquirer interface
  • Software and data management
• The third EMV document covers:
  • Transaction flow
  • Exception handling
• If you are really interested, check out: http://www.mastercard.com/emv/
Life cycle of smart card
• Divided into five phases (on most smart cards)
• These phases are justified by:
  • Limitation of transfer and access of data is incremental throughout the different phases
  • Different areas of the smart card are protected throughout the life cycle
Smart cards - Issuance
[figure: the Chip Manufacturer supplies the chip; the Card Fabricator combines raw materials and chip into an unpersonalised card; the Pre-Personalisation Process (P3) hands it to the Card Issuer, whose Card Personalisation System loads the card data and produces the PIN Mailer]
Fabrication phase
• Carried out by the chip manufacturers
• A Fabrication Key (KF) is added to protect the chip
  • Unique per chip, derived from a master manufacturer key
• Fabrication data is written to the chip
Pre-personalisation phase
• Done by the card manufacturers
• The chip is mounted on the plastic card
• The connection between the chip and the printed circuit is made
• The fabrication key (KF) is changed to the personalisation key (KP)
• Personalisation lock Vper
  • No further modification of KF
  • Physical memory access instructions are disabled
  • Access to the card is possible only through logical memory addressing
Personalisation phase
• Conducted by the card issuers
• Data file contents and application data are written to the card
• Card holder information is stored on the chip (PIN, unlocking PIN)
• Utilisation lock Vutil
  • No further modification of KP
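The three phases above are held together by keys: KF gates the step the card manufacturer performs, KP gates the step the issuer performs, and each lock is irreversible. The following Python is an added example (not from the original slides) that models this: a chip accepts a phase transition only when the command carries a MAC under the key of its current phase, KF is derived per chip from a master manufacturer key, and Vper, Vutil and the invalidation lock cannot be undone. The slides do not specify the cryptography, so HMAC-SHA256 is used here for both derivation and command authentication for illustration; production card schemes typically use 3DES/AES-based derivation and secure messaging, and the new key would be transported encrypted rather than in the clear as here. Application-level access control during utilisation is simplified to a MAC under KP. All keys and the chip serial number are constructed values.

```python
"""Smart card life cycle: keys and locks across the fabrication, pre-personalisation
and personalisation phases.

Added example, not code from the original slides. Key diversification and command
authentication use HMAC-SHA256 for illustration only; production schemes typically use
3DES/AES-based derivation and secure messaging. All key material is constructed.
"""
import hashlib
import hmac


def diversify_key(master_key: bytes, chip_serial: bytes, label: bytes) -> bytes:
    """Card-unique 16-byte key derived from a master key and the chip serial number."""
    return hmac.new(master_key, label + chip_serial, hashlib.sha256).digest()[:16]


def authenticate(key: bytes, command: bytes) -> bytes:
    """MAC a party attaches to a command to prove it holds the current phase key."""
    return hmac.new(key, command, hashlib.sha256).digest()


class ChipLifecycle:
    def __init__(self, chip_serial: bytes, kf: bytes):
        self.serial = chip_serial
        self.key = kf                      # fabrication key written by the chip manufacturer
        self.phase = "fabrication"
        self.locks = set()
        self.physical_addressing = True    # raw memory access, disabled at Vper
        self.data = {}

    def _check(self, command: bytes, mac: bytes, phase: str) -> None:
        if self.phase != phase:
            raise PermissionError(f"command only valid in {phase}, chip is in {self.phase}")
        if not hmac.compare_digest(authenticate(self.key, command), mac):
            raise PermissionError("MAC does not verify under the current phase key")

    def pre_personalise(self, kp: bytes, mac: bytes) -> None:
        """Card manufacturer: replace KF by KP, set Vper, drop physical addressing."""
        self._check(b"SET_KP" + kp, mac, "fabrication")
        self.key = kp                      # KF is gone for good: Vper forbids changing it back
        self.locks.add("Vper")
        self.physical_addressing = False
        self.phase = "pre-personalisation"

    def personalise(self, holder_data: dict, mac: bytes) -> None:
        """Card issuer: write holder data (PIN etc.) under KP, then set Vutil."""
        encoded = repr(sorted(holder_data.items())).encode()
        self._check(b"PERSONALISE" + encoded, mac, "pre-personalisation")
        self.data.update(holder_data)
        self.locks.add("Vutil")            # KP can no longer be modified
        self.phase = "utilisation"

    def invalidate(self) -> None:
        """End of life: the invalidation lock leaves the card read-only."""
        self.locks.add("invalidation")
        self.phase = "end-of-life"

    def read(self, name: str):
        return self.data.get(name)

    def write(self, name: str, value, mac: bytes) -> None:
        """Utilisation-phase write, gated by the application policy (here: a MAC under KP)."""
        if "invalidation" in self.locks:
            raise PermissionError("card invalidated: read-only")
        self._check(b"WRITE:" + name.encode(), mac, "utilisation")
        self.data[name] = value


if __name__ == "__main__":
    serial = bytes.fromhex("00112233445566778899")          # constructed chip serial
    kf = diversify_key(b"chip-manufacturer-master-key", serial, b"KF")
    chip = ChipLifecycle(serial, kf)
    kp = diversify_key(b"card-manufacturer-master-key", serial, b"KP")
    chip.pre_personalise(kp, authenticate(kf, b"SET_KP" + kp))
    print(chip.phase, sorted(chip.locks), "physical addressing:", chip.physical_addressing)
```

The point of deriving KF per chip is containment: extracting one chip's KF (for example by the physical attacks described later in the deck) does not yield the key of any other chip, while the manufacturer can recompute every KF from the master key and the serial number.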
Smart Cards - Usage
[figure: Card - Terminal - Acquirer - Card Issuer]
Security of the overall transaction is established end-to-end between the card and the card issuer.
Utilisation phase
• Phase for the card owner's use of the card
• Access to information on the card is limited by the security policies set by the application
Smart Cards – Post Issuance
[figure: the Issuer Card Management System and P3 reach the card through an ATM, a PoS terminal, a mobile phone, or a home PC via the Internet]
Update the card via multiple (insecure) channels.
End-of-Life phase
• Two ways:
  1. Invalidation lock
    • All operations are disabled (except read)
  2. The control system irreversibly blocks access
    • All operations are disabled
Logical attacks
Starting point:
• EEPROM (electrically erasable programmable read only memory) write operations can be affected by unusual voltages and temperatures
• Secrets can be exposed by raising or dropping the supply voltage to the microcontroller (for example, a glitch that prevents a failed-PIN counter from being written removes the limit on guesses)
Physical attacks
• Reverse engineering
  • HNO3 etching and probing, UV light to erase EEPROM, etching away chip layers, Focused Ion Beam, ...
  • Danger: real; even the best smart cards won't stay safe for more than 3 or 4 years.
• Fault introduction (change clock or power, microwaves)
  • Bellcore attack (Boneh, DeMillo, Lipton - EUROCRYPT '97)
  • Differential Fault Analysis (Biham, Shamir - CRYPTO '97)
  • Danger: were announced as theoretical; however, practical attacks are said to be upcoming.
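The Bellcore attack named above is short enough to show in full. A card that signs with RSA-CRT computes the signature modulo p and modulo q separately and recombines them; if a glitch corrupts only one half, the faulty signature s' is still correct modulo p but wrong modulo q, so p = gcd(s - s', N). Lenstra's refinement needs only the faulty signature: p = gcd(s'^e - m, N). The following Python is an added example (not from the original slides) that runs the attack against a toy RSA-CRT signer with a simulated single-bit fault, then shows the standard countermeasure: verify the signature before releasing it. The primes are Mersenne primes chosen for a deterministic demonstration and are far too small for real use; the message is constructed.

```python
"""Bellcore attack on RSA-CRT (Boneh, DeMillo, Lipton, EUROCRYPT '97).

Added example, not code from the original slides. Key material is constructed (two
Mersenne primes, far too small for real use); the fault is simulated in software.
"""
from math import gcd

P = 2**107 - 1
Q = 2**127 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+ modular inverse)


def rsa_crt_sign(m: int, d: int, p: int, q: int, fault_in_q: bool = False) -> int:
    """Textbook RSA-CRT signature with Garner recombination; optional simulated glitch."""
    dp, dq = d % (p - 1), d % (q - 1)
    q_inv = pow(q, -1, p)
    sp = pow(m, dp, p)                    # signature modulo p
    sq = pow(m, dq, q)                    # signature modulo q
    if fault_in_q:
        sq ^= 1                           # the injected fault: one flipped bit in the q half
    h = (q_inv * (sp - sq)) % p
    return sq + q * h                     # s mod p == sp, s mod q == sq


def recover_factor_two_sigs(n: int, s_good: int, s_faulty: int) -> int:
    """Bellcore: a correct and a faulty signature of the same message give a factor of n."""
    return gcd((s_good - s_faulty) % n, n)


def recover_factor_one_sig(n: int, e: int, m: int, s_faulty: int) -> int:
    """Lenstra's variant: the faulty signature alone suffices when the message is known."""
    return gcd((pow(s_faulty, e, n) - m) % n, n)


def rsa_crt_sign_checked(m: int, d: int, e: int, p: int, q: int, fault_in_q: bool = False):
    """Countermeasure: verify with the public key before output; never release a faulty s."""
    s = rsa_crt_sign(m, d, p, q, fault_in_q)
    return s if pow(s, e, p * q) == m else None


if __name__ == "__main__":
    m = int.from_bytes(b"pay 12.50 EUR to 4711", "big")   # constructed message, m < N
    s = rsa_crt_sign(m, D, P, Q)
    s_bad = rsa_crt_sign(m, D, P, Q, fault_in_q=True)
    print("two-signature recovery finds p:", recover_factor_two_sigs(N, s, s_bad) == P)
    print("one-signature recovery finds p:", recover_factor_one_sig(N, E, m, s_bad) == P)
    print("checked signer under fault returns:", rsa_crt_sign_checked(m, D, E, P, Q, True))
```

A fault in the p half instead yields q by the same computation. The verification step costs one public-key exponentiation, which is cheap next to the CRT signing itself, and is the reason modern cards refuse to output a signature they cannot verify.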