Download presentation
Presentation is loading. Please wait.
1
Mar 11, 2003Mårten Trolin1 Previous lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities
2
Mar 11, 2003Mårten Trolin2 Today’s Agenda – Smartcards The problem we want to solve General information on smart-cards New possibilities Transaction overview EMV
3
Mar 11, 2003Mårten Trolin3 Problems with Magnetic Stripe Easy to copy – Possible to make an exact copy of the magnetic- stripe image Off-line risk management very rudimentary – No possibility to put risk levels on individual cards or groups of cards Transactions can be modified by dishonest merchants Smart-cards address these problems
4
Mar 11, 2003Mårten Trolin4 What Is a Smart-Card A smart-card is a small computer Often placed on a credit-card sized plastic card Can have contacts or be contact-less Has a well-defined interface – Can have secret information that is protected from direct access First appeared in the 1970s
5
Mar 11, 2003Mårten Trolin5 Advantages with Smart- Cards Can have secret data – Data used for internal computations and never revealed in clear – Example: PIN and keys can be stored on card Can process data and save information – Count transactions – Check PIN and count unsuccessful tries – Different behavior depending on geographic location – Cryptographic functions Uses the secret keys
6
Mar 11, 2003Mårten Trolin6 New Functionality Off-line risk management – Can be configured at an individual level Off-line card-holder verification – PIN stored on card Resistant to skimming attacks Transactions cryptographically authenticated – Reduces fraud rate
7
Mar 11, 2003Mårten Trolin7 Off-line PIN Increases speed for low-amount transactions PIN is checked by card – PIN is never revealed outside card. After a predefined number of tries, the PIN functionality is blocked. Can be sent to card in clear or encrypted – Depends on card and terminal functionality.
8
Mar 11, 2003Mårten Trolin8 Card Authentication to Terminal Authentication to prevent use of fake cards Certifies that the card was not modified after issuance Prevents alteration of risk-related parameters Two types – static and dynamic – Static – no special requirements on card. Does not stop skimming attacks. (Skimmed cards will be detected on-line.) – Dynamic – requires RSA functionality on card. Prevents skimming attacks.
9
Mar 11, 2003Mårten Trolin9 Online Authorization If card or terminal wants to go online, the transaction is verified online On-line transactions are digitally authenticated – Prevents use of fake cards – Prevents the merchant from re-using the card number The response from the issuer is digitally authenticated – Important to avoid, e.g., wrongful change of PIN and update of risk parameters.
10
Mar 11, 2003Mårten Trolin10 Smart-card Transaction Flow CardTerminalAcquirerIssuer Card – terminal interaction On-line authorization (conditional) Card – terminal interaction (if after online authorization) Transaction data transfer (possibly including declined transactions’ info)
11
Mar 11, 2003Mårten Trolin11 Smart-card Transaction Flow CardTerminalAcquirerIssuer Card – terminal interaction On-line authorization (conditional) Card – terminal interaction (if after online authorization) Transaction data transfer (possibly including declined transactions’ info)
12
Mar 11, 2003Mårten Trolin12 Interaction between Card and Terminal Cards authenticates itself to the terminal Offline risk control used to decide whether to go online or not – If card wants to go online, transaction is checked online – If terminal wants to go online, transaction is checked online
13
Mar 11, 2003Mårten Trolin13 Smart-card Transaction Flow CardTerminalAcquirerIssuer Card – terminal interaction On-line authorization (conditional) Card – terminal interaction (if after online authorization) Transaction data transfer (possibly including declined transactions’ info)
14
Mar 11, 2003Mårten Trolin14 Interaction between card and issuer If the decision is to go online, a message is sent to the issuer – Message includes information on the interaction between card and terminal Issuer checks that the message is cryptographically correct The issuer either approves or declines the authorization The response from the issuer can be cryptographically authenticated
15
Mar 11, 2003Mårten Trolin15 Smart-card Transaction Flow CardTerminalAcquirerIssuer Card – terminal interaction On-line authorization (conditional) Card – terminal interaction (if after online authorization) Transaction data transfer (possibly including declined transactions’ info)
16
Mar 11, 2003Mårten Trolin16 Interaction between Card and Terminal, Part 2 Based on the result from the issuer, transaction is either approved or declined.
17
Mar 11, 2003Mårten Trolin17 Smart-card Transaction Flow CardTerminalAcquirerIssuer Card – terminal interaction On-line authorization (conditional) Card – terminal interaction (if after online authorization) Transaction data transfer (possibly including declined transactions’ info)
18
Mar 11, 2003Mårten Trolin18 Interaction between card and issuer, part 2 If the transaction is approved, a message containing transaction data is sent to the issuer. In case of a dispute, this message can be used by the issuer to prove that the transaction is valid. – Same function as a signature for magnatic cards.
19
Mar 11, 2003Mårten Trolin19 Post-issuance Adaptations Used to address change in risk – Student finds permanent work – risk decreases – Client misses a payment for a loan – indicates increased risk Used to change settings – PIN change at ATM React to new circumstances – Block application if card number in stop-list
20
Mar 11, 2003Mårten Trolin20 Scripts Sent from host to card at online transaction Contains information to be processed by card Standard commands include – Change value of a risk parameter – Change off-line PIN – Block application – Unblock application
21
Mar 11, 2003Mårten Trolin21 EMV – Europay, MasterCard, Visa Necessary to have standards for smart-cards – Physical size – Electrical connection – API for payment applications Any smart-card must be usable anywhere Europay, MasterCard and Visa have created specifications named EMV for this purpose
22
Mar 11, 2003Mårten Trolin22 EMV and Cryptography EMV specifies how the principles for authentication – Card – terminal, static or dynamic – Card – issuer, using MACs Suggests algorithms for computation of MAC – Providers may use other algorithms
23
Mar 11, 2003Mårten Trolin23 Summary Smart-cards solve the security problems associated with magnetic-stripe cards. Enables more powerful offline risk control. Whether to process transaction offline or online is a joint decision between card and terminal. The EMV specifications ensure worldwide acceptance of smart-cards.
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.