
Lecture slides, Mar 11, 2003, Mårten Trolin. Previous lecture: Diffie-Hellman key agreement, Authentication, Certificates, Certificate Authorities.


Slide 1: Previous lecture
- Diffie-Hellman key agreement
- Authentication
- Certificates
- Certificate Authorities

Slide 2: Today's Agenda – Smartcards
- The problem we want to solve
- General information on smart-cards
- New possibilities
- Transaction overview
- EMV

Slide 3: Problems with Magnetic Stripe
- Easy to copy
  - Possible to make an exact copy of the magnetic-stripe image
- Off-line risk management very rudimentary
  - No possibility to put risk levels on individual cards or groups of cards
- Transactions can be modified by dishonest merchants
- Smart-cards address these problems

Slide 4: What Is a Smart-Card
- A smart-card is a small computer
- Often placed on a credit-card sized plastic card
- Can have contacts or be contact-less
- Has a well-defined interface
  - Can have secret information that is protected from direct access
- First appeared in the 1970s

Slide 5: Advantages with Smart-Cards
- Can have secret data
  - Data used for internal computations and never revealed in clear
  - Example: PIN and keys can be stored on card
- Can process data and save information
  - Count transactions
  - Check PIN and count unsuccessful tries
  - Different behavior depending on geographic location
  - Cryptographic functions using the secret keys

Slide 6: New Functionality
- Off-line risk management
  - Can be configured at an individual level
- Off-line card-holder verification
  - PIN stored on card
- Resistant to skimming attacks
- Transactions cryptographically authenticated
  - Reduces fraud rate

Slide 7: Off-line PIN
- Increases speed for low-amount transactions
- PIN is checked by card
  - PIN is never revealed outside card. After a predefined number of tries, the PIN functionality is blocked.
- Can be sent to card in clear or encrypted
  - Depends on card and terminal functionality.

Slide 8: Card Authentication to Terminal
- Authentication to prevent use of fake cards
- Certifies that the card was not modified after issuance
- Prevents alteration of risk-related parameters
- Two types – static and dynamic
  - Static – no special requirements on card. Does not stop skimming attacks. (Skimmed cards will be detected on-line.)
  - Dynamic – requires RSA functionality on card. Prevents skimming attacks.

Slide 9: Online Authorization
- If card or terminal wants to go online, the transaction is verified online
- On-line transactions are digitally authenticated
  - Prevents use of fake cards
  - Prevents the merchant from re-using the card number
- The response from the issuer is digitally authenticated
  - Important to avoid, e.g., wrongful change of PIN and update of risk parameters.

Slide 10: Smart-card Transaction Flow (parties: Card, Terminal, Acquirer, Issuer)
- Card – terminal interaction
- On-line authorization (conditional)
- Card – terminal interaction (if after online authorization)
- Transaction data transfer (possibly including declined transactions' info)


Slide 12: Interaction between Card and Terminal
- Card authenticates itself to the terminal
- Offline risk control is used to decide whether to go online or not
  - If card wants to go online, transaction is checked online
  - If terminal wants to go online, transaction is checked online


Slide 14: Interaction between Card and Issuer
- If the decision is to go online, a message is sent to the issuer
  - Message includes information on the interaction between card and terminal
- Issuer checks that the message is cryptographically correct
- The issuer either approves or declines the authorization
- The response from the issuer can be cryptographically authenticated


Slide 16: Interaction between Card and Terminal, Part 2
- Based on the result from the issuer, the transaction is either approved or declined.


Slide 18: Interaction between Card and Issuer, Part 2
- If the transaction is approved, a message containing transaction data is sent to the issuer. In case of a dispute, this message can be used by the issuer to prove that the transaction is valid.
  - Same function as a signature for magnetic-stripe cards.

Slide 19: Post-issuance Adaptations
- Used to address change in risk
  - Student finds permanent work – risk decreases
  - Client misses a payment for a loan – indicates increased risk
- Used to change settings
  - PIN change at ATM
- React to new circumstances
  - Block application if card number is in stop-list

Slide 20: Scripts
- Sent from host to card at online transaction
- Contains information to be processed by card
- Standard commands include
  - Change value of a risk parameter
  - Change off-line PIN
  - Block application
  - Unblock application

Slide 21: EMV – Europay, MasterCard, Visa
- Necessary to have standards for smart-cards
  - Physical size
  - Electrical connection
  - API for payment applications
- Any smart-card must be usable anywhere
- Europay, MasterCard and Visa have created specifications named EMV for this purpose

Slide 22: EMV and Cryptography
- EMV specifies the principles for authentication
  - Card – terminal, static or dynamic
  - Card – issuer, using MACs
- Suggests algorithms for computation of MACs
  - Providers may use other algorithms
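The card–issuer mechanics from slides 7, 9, 14, 20 and 22 (off-line PIN with a try counter, a MAC'd authorization request, and a MAC'd issuer response that carries a script), as an added toy example that is not part of the lecture. HMAC-SHA256 stands in for whatever MAC algorithm a provider actually uses, the try limit of 3 and the single shared key are assumptions, and real EMV message formats are not modelled.

```python
import hmac

PIN_TRY_LIMIT = 3  # assumed; the slides only say "a predefined number of tries"


def mac(key: bytes, label: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 stands in for the MAC algorithm EMV suggests (providers may differ)
    return hmac.new(key, label + b"|" + data, "sha256").digest()


class Card:
    def __init__(self, pin: str, mac_key: bytes):
        self._pin = pin        # never leaves the card; only the verdict does
        self._key = mac_key    # constructed key shared with the issuer
        self.tries_left = PIN_TRY_LIMIT
        self.blocked = False

    def verify_pin(self, candidate: str) -> bool:
        if self.blocked:
            return False
        if hmac.compare_digest(candidate.encode(), self._pin.encode()):
            self.tries_left = PIN_TRY_LIMIT   # correct PIN resets the counter
            return True
        self.tries_left -= 1
        self.blocked = self.tries_left == 0   # PIN functionality blocked at the limit
        return False

    def authorization_request(self, amount: int, counter: int) -> tuple:
        # MAC'd request: a fake card or a merchant altering the amount is caught by the issuer
        data = f"{amount}|{counter}".encode()
        return data, mac(self._key, b"REQ", data)

    def apply_response(self, script: bytes, tag: bytes) -> bool:
        # A forged response must not be able to change the PIN or block/unblock the card
        if not hmac.compare_digest(tag, mac(self._key, b"RSP", script)):
            return False
        if script == b"BLOCK":
            self.blocked = True
        elif script == b"UNBLOCK":
            self.blocked, self.tries_left = False, PIN_TRY_LIMIT
        elif script.startswith(b"NEWPIN:"):
            self._pin, self.tries_left = script[7:].decode(), PIN_TRY_LIMIT
        return True


def issuer_authorize(key: bytes, data: bytes, tag: bytes, script: bytes = b"APPROVE"):
    # Issuer side: returns (script, mac) if the request is authentic, None to decline
    if not hmac.compare_digest(tag, mac(key, b"REQ", data)):
        return None
    return script, mac(key, b"RSP", script)
```

A request whose amount was altered after the card MAC'd it is declined, and a script whose MAC does not verify is ignored by the card, which is the property slide 9 asks for.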

Slide 23: Summary
- Smart-cards solve the security problems associated with magnetic-stripe cards.
- Enables more powerful offline risk control.
- Whether to process a transaction offline or online is a joint decision between card and terminal.
- The EMV specifications ensure worldwide acceptance of smart-cards.

