on the joint security of encryption and signature in emv
play

On the Joint Security of Encryption and Signature in EMV Jean Paul - PowerPoint PPT Presentation

May 02, 2023 •318 likes •711 views

Background on EMV A New Attack on EMV Positive Results Concluding Remarks On the Joint Security of Encryption and Signature in EMV Jean Paul Degabriele , Anja Lehmann, Kenneth G. Paterson, Nigel P . Smart and Mario Strefler CT-RSA 2012 29th

  1. Background on EMV A New Attack on EMV Positive Results Concluding Remarks On the Joint Security of Encryption and Signature in EMV Jean Paul Degabriele , Anja Lehmann, Kenneth G. Paterson, Nigel P . Smart and Mario Strefler CT-RSA 2012 29th February 2012 Jean Paul Degabriele , Anja Lehmann, Kenneth G. Paterson, Nigel P . Smart and Mario Strefler | On the Joint Security of Encryption and Signature in EMV 1/18

  2. Background on EMV A New Attack on EMV Positive Results Concluding Remarks Outline Background on EMV 1 A New Attack on EMV 2 Positive Results 3 Concluding Remarks 4 Jean Paul Degabriele , Anja Lehmann, Kenneth G. Paterson, Nigel P . Smart and Mario Strefler | On the Joint Security of Encryption and Signature in EMV 2/18

  3. Background on EMV A New Attack on EMV Positive Results Concluding Remarks The EMV Standard EMV stands for Europay, Mastercard and VISA, and it is the de facto global standard for IC credit/debit cards – Chip & PIN . As of Q3 2011, there were more than 1.34 billion EMV cards in use worldwide. The standard specifies the inter-operation of IC cards with Point-Of-Sale terminals (POS) and Automated Teller Machines (ATM) . Jean Paul Degabriele , Anja Lehmann, Kenneth G. Paterson, Nigel P . Smart and Mario Strefler | On the Joint Security of Encryption and Signature in EMV 3/18

  4. Background on EMV A New Attack on EMV Positive Results Concluding Remarks The EMV Standard EMV stands for Europay, Mastercard and VISA, and it is the de facto global standard for IC credit/debit cards – Chip & PIN . As of Q3 2011, there were more than 1.34 billion EMV cards in use worldwide. The standard specifies the inter-operation of IC cards with Point-Of-Sale terminals (POS) and Automated Teller Machines (ATM) . Jean Paul Degabriele , Anja Lehmann, Kenneth G. Paterson, Nigel P . Smart and Mario Strefler | On the Joint Security of Encryption and Signature in EMV 3/18

  5. Background on EMV A New Attack on EMV Positive Results Concluding Remarks The EMV Standard EMV stands for Europay, Mastercard and VISA, and it is the de facto global standard for IC credit/debit cards – Chip & PIN . As of Q3 2011, there were more than 1.34 billion EMV cards in use worldwide. The standard specifies the inter-operation of IC cards with Point-Of-Sale terminals (POS) and Automated Teller Machines (ATM) . Jean Paul Degabriele , Anja Lehmann, Kenneth G. Paterson, Nigel P . Smart and Mario Strefler | On the Joint Security of Encryption and Signature in EMV 3/18

  6. Background on EMV A New Attack on EMV Positive Results Concluding Remarks EMV Cards EMV cards contain a ‘Chip’ which allows them to perform cryptographic computations. All EMV cards contain a symmetric key which they share with the Issuing Bank. Most cards are also equipped with RSA keys to compute signatures for card authentication and transaction authorization, and encrypt the PIN between the terminal and the card. Jean Paul Degabriele , Anja Lehmann, Kenneth G. Paterson, Nigel P . Smart and Mario Strefler | On the Joint Security of Encryption and Signature in EMV 4/18

  7. Background on EMV A New Attack on EMV Positive Results Concluding Remarks Transaction Flow An EMV transaction progresses over three stages: Card Authentication : Static Data Authentication (SDA), Dynamic Data Authentication (DDA/CDA). Cardholder Verification : paper Signature, PIN – online/offline – cleartext/encrypted. Transaction Authorization : A successful transaction ends with the card producing a Transaction Certificate (TC) – a MAC computed over the transaction details. CDA cards additionally compute a digital signature over the transaction details and the TC. Jean Paul Degabriele , Anja Lehmann, Kenneth G. Paterson, Nigel P . Smart and Mario Strefler | On the Joint Security of Encryption and Signature in EMV 5/18

  8. Background on EMV A New Attack on EMV Positive Results Concluding Remarks Transaction Flow An EMV transaction progresses over three stages: Card Authentication : Static Data Authentication (SDA), Dynamic Data Authentication (DDA/CDA). Cardholder Verification : paper Signature, PIN – online/offline – cleartext/encrypted. Transaction Authorization : A successful transaction ends with the card producing a Transaction Certificate (TC) – a MAC computed over the transaction details. CDA cards additionally compute a digital signature over the transaction details and the TC. Jean Paul Degabriele , Anja Lehmann, Kenneth G. Paterson, Nigel P . Smart and Mario Strefler | On the Joint Security of Encryption and Signature in EMV 5/18

  9. Background on EMV A New Attack on EMV Positive Results Concluding Remarks Transaction Flow An EMV transaction progresses over three stages: Card Authentication : Static Data Authentication (SDA), Dynamic Data Authentication (DDA/CDA). Cardholder Verification : paper Signature, PIN – online/offline – cleartext/encrypted. Transaction Authorization : A successful transaction ends with the card producing a Transaction Certificate (TC) – a MAC computed over the transaction details. CDA cards additionally compute a digital signature over the transaction details and the TC. Jean Paul Degabriele , Anja Lehmann, Kenneth G. Paterson, Nigel P . Smart and Mario Strefler | On the Joint Security of Encryption and Signature in EMV 5/18

  10. Background on EMV A New Attack on EMV Positive Results Concluding Remarks Transaction Flow An EMV transaction progresses over three stages: Card Authentication : Static Data Authentication (SDA), Dynamic Data Authentication (DDA/CDA). Cardholder Verification : paper Signature, PIN – online/offline – cleartext/encrypted. Transaction Authorization : A successful transaction ends with the card producing a Transaction Certificate (TC) – a MAC computed over the transaction details. CDA cards additionally compute a digital signature over the transaction details and the TC. Jean Paul Degabriele , Anja Lehmann, Kenneth G. Paterson, Nigel P . Smart and Mario Strefler | On the Joint Security of Encryption and Signature in EMV 5/18

  11. Background on EMV A New Attack on EMV Positive Results Concluding Remarks Transaction Flow An EMV transaction progresses over three stages: Card Authentication : Static Data Authentication (SDA), Dynamic Data Authentication (DDA/CDA). Cardholder Verification : paper Signature, PIN – online/offline – cleartext/encrypted. Transaction Authorization : A successful transaction ends with the card producing a Transaction Certificate (TC) – a MAC computed over the transaction details. CDA cards additionally compute a digital signature over the transaction details and the TC. Jean Paul Degabriele , Anja Lehmann, Kenneth G. Paterson, Nigel P . Smart and Mario Strefler | On the Joint Security of Encryption and Signature in EMV 5/18

  12. Background on EMV A New Attack on EMV Positive Results Concluding Remarks The Cambridge Attack At Oakland ’10 the following Wedge Attack was presented, it allows an attacker to make transactions without the card’s PIN. The wedge manipulates the communication between the card and the terminal so that the terminal believes PIN verification was successful, while the card thinks that a paper signature was used instead. CARD WEDGE TERMINAL Jean Paul Degabriele , Anja Lehmann, Kenneth G. Paterson, Nigel P . Smart and Mario Strefler | On the Joint Security of Encryption and Signature in EMV 6/18

  13. Background on EMV A New Attack on EMV Positive Results Concluding Remarks The Cambridge Attack At Oakland ’10 the following Wedge Attack was presented, it allows an attacker to make transactions without the card’s PIN. The wedge manipulates the communication between the card and the terminal so that the terminal believes PIN verification was successful, while the card thinks that a paper signature was used instead. The card’s view of the cardholder verification is transmitted to the terminal in a format which it may not comprehend, and the attack can go undetected even during online and CDA transactions. The attack can easily be prevented, by ensuring that the terminal inspects the card’s view of the cardholder verification. Jean Paul Degabriele , Anja Lehmann, Kenneth G. Paterson, Nigel P . Smart and Mario Strefler | On the Joint Security of Encryption and Signature in EMV 6/18

  14. Background on EMV A New Attack on EMV Positive Results Concluding Remarks Our Contribution The EMV standard allows the same RSA key-pair to be used for both encryption and signature. Folklore dictates key separation, but sharing keys reduces processing and storage costs. No formal analysis exists that shows whether this is detrimental for the security of EMV or not. This is exactly the aim of our paper, we present an attack that exploits key reuse in EMV, together with positive results about upcoming versions of the standards. Jean Paul Degabriele , Anja Lehmann, Kenneth G. Paterson, Nigel P . Smart and Mario Strefler | On the Joint Security of Encryption and Signature in EMV 7/18

  15. Background on EMV A New Attack on EMV Positive Results Concluding Remarks A New Attack on EMV Our attack exploits the reuse of RSA keys in an EMV card to allow an attacker to make transactions without the card’s PIN. The attack is only applicable to a CDA card in an offline transaction. If the countermeasure against the Cambridge attack is in place our attack would still work! The attack builds on Bleichenbacher’s attack against RSA with PKCS#1 encoding (CRYPTO ‘98). Jean Paul Degabriele , Anja Lehmann, Kenneth G. Paterson, Nigel P . Smart and Mario Strefler | On the Joint Security of Encryption and Signature in EMV 8/18

Recommend

Provable Security RSA-PKCS Encryption - Signature Lawrence Berkeley National Lab August 2003

Provable Security RSA-PKCS Encryption - Signature Lawrence Berkeley National Lab August 2003

Provable Security RSA-PKCS Encryption - Signature Lawrence Berkeley National Lab August 2003 David Pointcheval LIENS-CNRS Ecole normale suprieure Summary Summary Encryption PKCS #1 v1.5 PKCS #1 v2.0 : OAEP Signature

286 views • 17 slides
Security of Encryption Security of Encryption Perfect secrecy (IND-Onetime security) is too

Security of Encryption Security of Encryption Perfect secrecy (IND-Onetime security) is too

Defining Encryption (ctd.) Lecture 3 CPA/CCA security Computational Indistinguishability Pseudo-randomness, One-Way Functions Security of Encryption Security of Encryption Perfect secrecy (IND-Onetime security) is too strong (though too

1.36k views • 113 slides
Session 3 Hash Function, Asymmetric Encryption and Signature Sbastien Combfis Fall 2019

Session 3 Hash Function, Asymmetric Encryption and Signature Sbastien Combfis Fall 2019

I5020 Computer Security Session 3 Hash Function, Asymmetric Encryption and Signature Sbastien Combfis Fall 2019 This work is licensed under a Creative Commons Attribution NonCommercial NoDerivatives 4.0 International License.

740 views • 53 slides
Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li

Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li

Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li QUT Asiacrypt16 2016-12-06 1 / 19 Motivations 1. Short lattice signature with tight security reduction w/o ROs. Techniques Short Sig? Tight

712 views • 47 slides
G e MSS : A Gr e at Multivariate Short Signature Ludovic Perret (CryptoNext Security) joint work

G e MSS : A Gr e at Multivariate Short Signature Ludovic Perret (CryptoNext Security) joint work

G e MSS : A Gr e at Multivariate Short Signature Ludovic Perret (CryptoNext Security) joint work with A. Casanova (CS), J.-C. Faugre (CryptoNext Security), G. Macario-Rat (Orange), J. Patarin (UVSQ) and J. Ryckeghem (SU/INRIA) The Second PQC

510 views • 22 slides
Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security

Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security

Summary Summary Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security Asymmetric Encryption Rennes January 2004 New Schemes Joint work with Duong Hieu Phan David Pointcheval David Pointcheval

638 views • 8 slides
W3C Workshop on Next Steps for XML Signature and XML Encryption The importance of incorporating

W3C Workshop on Next Steps for XML Signature and XML Encryption The importance of incorporating

W3C Workshop on Next Steps for XML Signature and XML Encryption The importance of incorporating XAdES extensions into ongoing XML-Sig work Authors: Juan Carlos Cruellas Universitad Politcnica de Catalua cruellas@ac.upc.edu Giles

404 views • 29 slides
Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni Authenticated Encryption! ( Using AES with 128 bit block size in Galois Counter Mode and SHA2 ) Taxonomy of security Authenticated encryption

440 views • 26 slides
Security and DRM Joseph Chou Texas Instruments IETF 60 PERM BOF 1 Security and DRM DRM is

Security and DRM Joseph Chou Texas Instruments IETF 60 PERM BOF 1 Security and DRM DRM is

Security and DRM Joseph Chou Texas Instruments IETF 60 PERM BOF 1 Security and DRM DRM is Based on Security Principals Authentication (device, user, service) Key management, data encryption and signature for data confidentiality

204 views • 6 slides
Digital Signature Schemes 1 What is digital signature? Properties Who signed what is

Digital Signature Schemes 1 What is digital signature? Properties Who signed what is

Digital Signature Schemes 1 What is digital signature? Properties Who signed what is publicly verifiable Unforgeable 2 A Digital Signature Scheme Key generation algorithm G (probabilistic) ( pk, sk ) G (1 ) security

602 views • 22 slides
Distinguishing iterated encryption E. Lambooij eran@hideinplainsight.io This is joint work with:

Distinguishing iterated encryption E. Lambooij eran@hideinplainsight.io This is joint work with:

Distinguishing iterated encryption E. Lambooij eran@hideinplainsight.io This is joint work with: Orr Dunkelman, Nathan Keller and Tanja Lange CRYPTACUS Workshop, 16-18 November 2017 1 / 15 Question: Does security increase if we encrypt twice

567 views • 22 slides
Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

. . . . . . Permutation-based encryption, authentication and authenticated encryption Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint work with DIAC 2012, Stockholm, July 6 Guido Bertoni 1 ,

739 views • 49 slides
Authenticated Encryption Kenny Paterson Information Security Group @kennyog ;

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ;

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ; www.isg.rhul.ac.uk/~kp Motivation for Authenticated Encryption Authenticated Encryption (AE) m 1 m 2 Security goals: Confidentiality and integrity of messages

649 views • 60 slides
Formally Certifying the Security of Digital Signature Schemes Santiago Zanella 1 , 2 Benjamin

Formally Certifying the Security of Digital Signature Schemes Santiago Zanella 1 , 2 Benjamin

Formally Certifying the Security of Digital Signature Schemes Santiago Zanella 1 , 2 Benjamin Grgoire 1 , 2 Gilles Barthe 3 Federico Olmedo 3 1 Microsoft Research - INRIA Joint Centre, France 2 INRIA Sophia Antipolis - Mditerrane, France 3

837 views • 51 slides
Encryption Debdeep Mukhopadhyay IIT Kharagpur Notion of Security A Good disguise should

Encryption Debdeep Mukhopadhyay IIT Kharagpur Notion of Security A Good disguise should

Encryption Debdeep Mukhopadhyay IIT Kharagpur Notion of Security A Good disguise should not reveal the persons height Shafi Goldwasser and Silvio Micali, 1982 1 Design of Encryption Algorithms Encryption algorithms are

421 views • 7 slides
Discharge uncertainty: sources and implications for hydrological analyses Signature 1 Signature

Discharge uncertainty: sources and implications for hydrological analyses Signature 1 Signature

Discharge uncertainty: sources and implications for hydrological analyses Signature 1 Signature 1 Signature 2 Signature 2 http://comm ons.wikime dia.org/wiki/ File:Piasnic a- Signature 3 Signature 3 wodowskaz -0.jpg Ida Westerberg 1,2

388 views • 19 slides
Lightweight Encryption for Email Ben Adida ben@mit.edu 7 July 2005 joint work with Susan

Lightweight Encryption for Email Ben Adida ben@mit.edu 7 July 2005 joint work with Susan

Lightweight Encryption for Email Ben Adida ben@mit.edu 7 July 2005 joint work with Susan Hohenberger and Ronald L. Rivest MIT Cryptography and Information Security Group Motivation To Improve/Restore the Usefulness of Email

487 views • 28 slides
Tools for Security Physical security Access control Encryption Authentication

Tools for Security Physical security Access control Encryption Authentication

Tools for Security Physical security Access control Encryption Authentication Encapsulation Intrusion detection Common sense Lecture 2 Page 1 CS 236 Online Physical Security Lock up your computer Actually,

465 views • 35 slides
Kenny Paterson Information Security Group 1 Outline RSA encryption in PKCS#1 The SSH

Kenny Paterson Information Security Group 1 Outline RSA encryption in PKCS#1 The SSH

Provable Security Meets the Real World Kenny Paterson Information Security Group 1 Outline RSA encryption in PKCS#1 The SSH Binary Packet Protocol IPsec MAC-then-Encrypt Lessons learned? 2 Outline RSA encryption in PKCS#1

948 views • 61 slides
TLS for MySQL at Large Scale Jaime Crespo Things we Security and encryption fundamentals

TLS for MySQL at Large Scale Jaime Crespo Things we Security and encryption fundamentals

TLS for MySQL at Large Scale Jaime Crespo Things we Security and encryption fundamentals are *NOT* At rest encryption Best practices for web/HTTP going to encryption How perfectly and good we are- we made

529 views • 18 slides
User Input Attacks CPSC 328 Spring 2009 Review Abstract lower level security Provide

User Input Attacks CPSC 328 Spring 2009 Review Abstract lower level security Provide

User Input Attacks CPSC 328 Spring 2009 Review Abstract lower level security Provide end-to-end security User security info to server WS Security XML Encryption XML Signature Tokens

221 views • 6 slides
Mariana Raykova Data Security: Encryption and Digital Signatures Beyond security of data at

Mariana Raykova Data Security: Encryption and Digital Signatures Beyond security of data at

Mariana Raykova Data Security: Encryption and Digital Signatures Beyond security of data at rest and communication channels Security of Computation on Sensitive Inputs Secure multiparty computation (MPC) Differential privacy methods

595 views • 43 slides
Innovations in permutation-based encryption & authentication . based on joint work with

Innovations in permutation-based encryption & authentication . based on joint work with

Innovations in permutation-based encryption & authentication . based on joint work with Fast Software Encryption Conference 2017 1 Joan Daemen 1 , 2 Guido Bertoni 1 , Michal Peeters 1 , Gilles Van Assche 1 and Ronny Van Keer 1 1

855 views • 30 slides
Parameter Selection in Ring-LWE-based Fully Homomorphic Encryption Rachel Player Information

Parameter Selection in Ring-LWE-based Fully Homomorphic Encryption Rachel Player Information

Motivation Security Correctness Performance Bibliography Parameter Selection in Ring-LWE-based Fully Homomorphic Encryption Rachel Player Information Security Group, Royal Holloway, University of London based on joint works with Martin R.

851 views • 64 slides

More recommend