Smart Cards and Payments Security
Bryan Ichikawa
Vice President, Unisys
Smart Card Alliance Educational Institute
CTST2009 – Smart Card Technology and Payments Applications Workshop © 2009
Agenda
• Security Overview
• The Basics of Security - Building Blocks
  Principles of Security
  Security Functions
• How Security Works
• Payments Security
Security is Relative
• A system is only as secure as its weakest point
• What is secure today may be broken tomorrow
• Security has a cost and it is up to each business to decide the level of fraud it can cope with
Security is an Attitude, Not a Position
• A perfectly secure system is always too expensive
• The ideal system should be able to detect fraud and move to the next level of security when an unacceptable level of fraud is reached
How Secure Is It?
• What is the Cost to Deploy Security?
• What are You Protecting?
• What is the Cost of Loss or Breach?
• Is the Deployed System Useable?
• Is the System Upgradeable?
How Secure Does it Have to Be?
Smart Card System Architecture
A smart card application consists of
– Cards
– Security application modules
– Terminals
– Collection devices
– Network(s)
– Node computers
– Back end system
But also of
– Software
  In cards
  In terminals
  In back end systems
– Policies
– Security surveillance
– Administration activities
  Key management
  Personalization
Responsibilities & Parties
• Cards
• Card Issuer
• Network / Terminals
• Merchant
• Back end System
• Network
Security Technology Overview
Security vs. Cryptography
• Security is the set of:
  Data Integrity
  Authentication
  Non-Repudiation
  Confidentiality
• Cryptography is the set of mathematical algorithms used to implement security
Data Integrity
• The assurance that the data has arrived intact, with no tampering or corruption of the bits.
• Data Integrity is achieved electronically through the use of cryptographic checksums (one-way hashes) over the data. A bare hash only detects accidental corruption: an attacker who can rewrite the data can recompute the hash as well. To detect deliberate tampering the hash itself must be protected, either with a key shared with the verifier (a message authentication code) or with a digital signature.
Authentication
• The binding of the sender's (or issuer's) credentials to the data. This process can be likened to your personal signature
• It is unique to you and can be recognized (verified) later by all parties involved
Non-Repudiation
• The fact that a third party can verify your authentication (e.g., your signature) on a transaction means that you cannot deny participation in the transaction
• This requires a key that only you hold (a digital signature). A checksum computed with a key shared with the verifier cannot provide it, because the verifier could have produced the same value
Confidentiality/Privacy
• Encryption (scrambling) of the data to prevent unauthorized disclosure.
Mechanics of Security
• Cryptographic algorithms (mathematical processes) used to implement security
  Hashing Algorithms
  Symmetric Encryption
  Asymmetric Encryption
Hashing Algorithms
One Way Hash Functions
• Creates a small, fixed-length data string that characterizes the data (the message digest/hash)
• It is infeasible to find a message that hashes to a particular value (i.e., one cannot recover the original message from the hash result)
• It is infeasible to find two different messages that hash to the same value
• By recalculating a new hash and comparing it with the received hash, message integrity can be verified
• The hash function is not secret (e.g., public domain algorithms - MD4, MD5, SHA-1). Of these 2009-era examples, MD4 and MD5 are broken for collision resistance and SHA-1 collisions have since been demonstrated; new designs should use SHA-2 or SHA-3
Hashing Algorithm at Work
[Figure: variable-length input data → HASHING ALGORITHM → MESSAGE DIGEST (fixed-length hash)]
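The integrity check the deck describes (recompute the digest, compare with the received one), as an added example that is not part of the original presentation. The deck's figure names no algorithm; SHA-256 is used here, and the messages and the shared key are constructed demo values. The second half shows the caveat a practitioner needs: a plain hash is recomputed by anyone who edits the message, while a keyed checksum (HMAC) over the same data is not.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Digest returns the fixed-length (256-bit) message digest of variable-length
// input, hex encoded.
func Digest(msg []byte) string {
	d := sha256.Sum256(msg)
	return hex.EncodeToString(d[:])
}

// CheckDigest is the check from the deck: recompute the hash and compare it
// with the received one. It catches accidental corruption, but an attacker who
// can rewrite the message can rewrite an unkeyed digest too.
func CheckDigest(msg []byte, received string) bool {
	return Digest(msg) == received
}

// Tag is a keyed checksum (HMAC-SHA-256). Without the key a forger cannot
// produce a valid tag for a modified message.
func Tag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// CheckTag compares in constant time so that timing does not reveal how many
// bytes of a guessed tag were right.
func CheckTag(key, msg, received []byte) bool {
	return hmac.Equal(Tag(key, msg), received)
}

func main() {
	// Constructed sample messages; not data from a real payment system.
	msg := []byte("PAY 100.00 TO MERCHANT 4711")
	altered := []byte("PAY 100.01 TO MERCHANT 4711")
	fmt.Println(Digest(msg))
	fmt.Println(Digest(altered)) // one digit changed, digest bears no resemblance

	// Attacker rewrites the message and recomputes the public hash: passes.
	forged := []byte("PAY 900.00 TO MERCHANT 4711")
	fmt.Println("plain hash accepts forgery:", CheckDigest(forged, Digest(forged)))

	// A key known only to the two endpoints (demo value) blocks that.
	key := []byte("constructed-demo-key")
	tag := Tag(key, msg)
	fmt.Println("HMAC accepts original:", CheckTag(key, msg, tag))
	fmt.Println("HMAC accepts forgery: ", CheckTag(key, forged, tag))
}
```

The HMAC form is what a payment host actually relies on for transaction integrity; the plain digest is useful only where the digest itself travels over a trusted path or is signed.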
Symmetric Cryptography
Encryption Concepts
[Figure: Plaintext → ENCRYPTION (Key, Algorithm) → Ciphertext → DECRYPTION (Key, Algorithm) → Original Plaintext]
The above model is applicable to symmetric (secret key) as well as asymmetric (public key) cryptographic techniques
Foundation
• Encryption: the process of disguising a message in such a way as to hide its substance
  Requires an encryption ALGORITHM and an encryption KEY
  Example: H E L L O → L I P P S (each letter shifted four places along the alphabet)
Symmetric Key Systems
• Approach: same key used to encrypt and decrypt information
• Attributes
  Fast
  Key distribution is required (physical, electronic)
  Scalability requires management systems
  Compromise is critical; loss can be broad
• Benefits: confidentiality through encryption. Integrity is not a by-product of encryption alone (a modified ciphertext still decrypts, to garbage); it needs a keyed checksum (MAC) or an authenticated-encryption mode under the shared key
Symmetric Encryption/Decryption
• Secret key used to encrypt data
• Sender and receiver must have same key
• Key distribution and compromise recovery are difficult
[Figure: Key Generation → Secret Key, the same key held by Bob and Alice. Bob: plaintext ("This is plain text. It can be a document, image, or any other data file") → DES → ciphertext (12A7BC544109FD00A6293FECC7293B9BCAA12020384AC6F4D93B8). Alice: ciphertext → DES → original plaintext. DES, the algorithm named in this 2009 figure, has a 56-bit key and is no longer acceptable for new systems; AES is the current standard]
Asymmetric Cryptography (Most commonly known as Public Key Cryptography)
Public Keys
• A public and corresponding private key are mathematically related, hence referred to as a public/private key pair.
• The private key is kept secret; the public key is published (e.g., in a directory, a file, a newspaper, etc.).
• By knowing the public key, it is mathematically infeasible to calculate the corresponding private key.
• Public key algorithms are less efficient in terms of encryption than symmetric algorithms.
• Public key systems are generally considered more flexible than symmetric key systems: no secret has to be shared in advance, and a compromised private key exposes only its owner rather than every party holding a shared key. Their security still depends on adequate key length and on keeping the private key protected.
Key Generation
• Key pair is used in public key cryptography
  Key generation provides the basis for trust
  Public key bound in certificate and shared
  Private key protected and never shared
[Figure: Key Pair Generation → Private Key (kept on the end-user token) and Public Key → Certification Authority binds the public key with the user name, organization and location into a Digital Certificate, published in an X.509 directory]
Using Public Keys to Solve a Problem
• The question is how to get the Secret Key to Alice
• Let's take the secret key and treat it as data
[Figure: the symmetric picture again. Key Generation → Secret Key; Bob encrypts the plaintext with DES under the Secret Key to produce the ciphertext (12A7BC544109FD00A6293FECC7293B9BCAA12020384AC6F4D93B8); Alice decrypts with DES under the same Secret Key. The open problem is how the Secret Key reaches Alice]
Using Secret and Public Key Technologies
• This fundamentally demonstrates how public key algorithms can deliver confidentiality
• We do not use public key technology against the message itself because of basic inefficiencies (slow)
[Figure: Bob encrypts the Secret Key with a Public Key Algorithm under Alice's Public Key (taken from Alice's Certificate); Alice decrypts it with the Public Key Algorithm under Alice's Private Key (held on Alice's Token) and recovers the same Secret Key]
Digitized vs. Digital Signature
• A Digitized signature is a scanned image that can be pasted on any document
• A Digital Signature is a numeric value that is created by performing a cryptographic transformation of the data using the "signer's" private key
[Figure: a Digitized Signature (handwritten image) beside a Digital Signature (1A56B29FF6310CD3926109F200D5EF719A274C66821B09AC3857FD62301AA2700AB3758B6FE93DD)]
Digital Signatures - Part 1
[Figure: Bob transforms the plaintext ("This is plain text. It can be a document, image, or any other data file") with a Public Key Algorithm under Bob's Private Key (on Bob's Token) to produce the signed value (12A7BC544109FD00A6293FECC7293B9BCAA12020384AC6F4D93B8); Alice applies the Public Key Algorithm under Bob's Public Key (from Bob's Certificate) and recovers the plaintext]
• Bob uses his own private key to sign
• Alice uses Bob's public key to verify
• Result is Pass or Fail
• Anybody can use Bob's public key and recover the message
Digital Signatures - Part 2
[Figure: Bob runs the plaintext through a Hashing Algorithm to get the hash, then signs the hash with a Public Key Algorithm under Bob's Private Key (Bob's Token). Alice recomputes the hash of the received plaintext with the same Hashing Algorithm, applies the Public Key Algorithm under Bob's Public Key (Bob's Certificate) to the signature to recover Bob's hash, and compares the two]
• Signing the hash instead of the whole message (Part 1) limits the slow public key operation to one fixed-size block, whatever the size of the document
Putting it All Together - Signing & Encrypting
[Figure: Bob hashes the plaintext ("This is plain text. It can be a document, image, or any other data file") with a Hashing Algorithm and signs the hash with a Public Key Algorithm under Bob's Private Key (Bob's Token). The plaintext and signature are encrypted with DES under a freshly generated Secret Key (Key Generation), giving the ciphertext (12A7BC544109FD00A6293FECC7293B9BCAA12020384AC6F4D93B8). The Secret Key is encrypted with a Public Key Algorithm under Alice's Public Key (Alice's Certificate). Alice recovers the Secret Key with the Public Key Algorithm under Alice's Private Key (Alice's Token), decrypts with DES, recomputes the hash with the Hashing Algorithm, and checks it against the hash recovered from Bob's signature with the Public Key Algorithm under Bob's Public Key (Bob's Certificate)]
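The three figures above (secret key wrapped under Alice's public key, hash-then-sign under Bob's private key, and the combined sign-and-encrypt flow) implemented end to end, as an added example that is not code from the presentation. It follows the deck's structure but swaps in current algorithms: RSA-OAEP for wrapping the secret key, RSA-PSS over a SHA-256 digest for the signature, and AES-256-GCM in place of the DES shown in the figures. The names Bob, Alice and Envelope, and the sample message, are taken from or constructed for the deck's scenario; there is no certificate handling here, so "Bob's public key" stands for the key Alice would have pulled from Bob's certificate.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what Bob sends. The signature sits inside the encrypted payload,
// so an eavesdropper learns neither the message nor who signed it.
type Envelope struct {
	WrappedKey []byte // one-time AES key encrypted under Alice's RSA public key (OAEP)
	Nonce      []byte // AES-GCM nonce, unique per message
	Ciphertext []byte // AES-GCM output over (signature || plaintext), auth tag included
}

// NewKeyPair stands in for the Key Pair Generation box in the deck's figures.
func NewKeyPair() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Sign is hash-then-sign (Part 2): the RSA operation covers a SHA-256 digest,
// never the whole message.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify recomputes the digest on the receiving side and checks the signature
// against it with the signer's public key.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SignAndEncrypt: Bob signs with his private key, seals signature and message
// under a fresh symmetric key, and wraps that key for Alice.
func SignAndEncrypt(bobPriv *rsa.PrivateKey, alicePub *rsa.PublicKey, msg []byte) (*Envelope, error) {
	sig, err := Sign(bobPriv, msg)
	if err != nil {
		return nil, err
	}
	key := make([]byte, 32) // AES-256 in place of the DES shown in the 2009 figure
	nonce := make([]byte, 12)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	payload := append(append([]byte{}, sig...), msg...) // signature length is fixed: the RSA modulus size
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, alicePub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, payload, nil)}, nil
}

// DecryptAndVerify: Alice unwraps the key with her private key, decrypts, then
// checks Bob's signature with the public key from his certificate.
func DecryptAndVerify(alicePriv *rsa.PrivateKey, bobPub *rsa.PublicKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, alicePriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("key unwrap failed: envelope was not encrypted for this private key")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	payload, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("decryption failed: ciphertext was modified in transit")
	}
	sigLen := bobPub.Size()
	if len(payload) < sigLen {
		return nil, errors.New("payload too short to contain a signature")
	}
	sig, msg := payload[:sigLen], payload[sigLen:]
	if !Verify(bobPub, msg, sig) {
		return nil, errors.New("signature check failed: message was not signed by Bob")
	}
	return msg, nil
}

func main() {
	bob, alice := NewKeyPair(), NewKeyPair()
	msg := []byte("This is plain text. It can be a document, image, or any other data file")
	env, err := SignAndEncrypt(bob, &alice.PublicKey, msg)
	if err != nil {
		panic(err)
	}
	got, err := DecryptAndVerify(alice, &bob.PublicKey, env)
	fmt.Printf("recovered: %q, err: %v\n", got, err)
	env.Ciphertext[0] ^= 0x01 // one flipped bit on the wire
	_, err = DecryptAndVerify(alice, &bob.PublicKey, env)
	fmt.Println("after tampering:", err)
}
```

Two details differ from the figure and matter in practice: the signature is placed inside the encrypted payload rather than beside it, and the symmetric layer is an authenticated mode, so a modified ciphertext is rejected before the signature check ever runs.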
PKI
Public Key Infrastructure
What is a Public Key Infrastructure?
• Client and Server Applications
• Protocols
• Digital Signatures, Certificates
• Certification Authority
• Public Key Directory/Repository
• Legacy IT Systems
• Smart Cards
Public Key Infrastructure
[Figure: Public Key Infrastructure = Public Key Certificates (X.509) + Certification Authorities + PKI Services. Services shown: Certificate Management, Public Key Management, Token Management, Registration Management, Information Distribution & Management]
Payments Security
Contactless Payments Overview
• "Contactless payment" refers to a payment process that uses radio frequency to exchange transactional data between a consumer's contactless card and a merchant's point-of-sale
• Unlike traditional credit, debit or prepaid cards, no physical contact needs to occur between a contactless payment card and hardware at the point-of-sale
  The contactless card must be within a few inches of the contactless reader at the point-of-sale to transmit data
  After transactional data is captured via a contactless reader at the point-of-sale, transactions flow through the traditional payment infrastructure in the traditional manner
Transaction Processing
In step 1, the antenna in the card converts the contactless reader's electromagnetic signals into energy to power the chip. Subsequently, transaction data is exchanged between the contactless card and the terminal.
Beyond the terminal, the contactless transaction may follow the existing magnetic stripe processes. Additional authorization may be required for cards processed with an extra security feature called the dynamic CVV.
In step 2, the merchant sends the authorization request to the acquiring processor, who routes the transaction to Visa or MasterCard (step 3). Visa or MasterCard routes it to the issuer processor (step 4).
The issuer processes the authorization request and sends a response to Visa or MasterCard (step 5). Visa or MasterCard forwards the authorization response to the acquirer processor (step 6), who sends the approval or decline message to the merchant (step 7).
[Figure: Illustrative Process Flow for Contactless Credit Transaction. Step 1 (card to reader) is labelled "new for contactless"; steps 2-7 are labelled "same for contactless and mag stripe"]
Once the consumer waves the contactless card in front of the reader, the transaction data from the contactless card flows across the existing payment-processing infrastructure with the exception of one additional field in the message format. In other words, from a processing standpoint, the contactless transaction is very similar to the traditional magnetic stripe transaction.
Contactless Payments Security Features
• The Payments Industry has incorporated the following tools to diminish fraud risk:
  Card-specific encryption
  Systematic fraud detection and prevention tools, including:
    Systematically detect and reject multiple use of the same transaction data
    Validate that the contactless transaction originates from an appropriate reader
  Use an alternate account number
  No use of customer's name
  Dynamic CVV
Dynamic CVV / DAC
• Contactless cards are equipped with a new security feature called dynamic CVV or dynamic authentication codes
• This dynamic CVV is a one-time value generated on the chip by an algorithm and a card-specific key placed on the chip when the card is produced
• It is designed to make fraudulent activities such as skimming less effective because the value is unique for every transaction and the key that produces it never leaves the chip; a value captured from one transaction is useless for the next
• This one-time value is difficult to replicate, and ultimately, if the dynamic CVV value does not match, the transaction will not be authorized
• The card associations control issuer mandates for implementation of the dynamic CVV feature on contactless credit cards
Contactless Payment Transactions
[Figure: two transaction models over the open (contactless) interface: MSD - Magnetic Stripe Data Model and DDA - Dynamic Data Authentication Model]
Payment Transaction Models
• MSD (Magnetic Stripe Data)
  Emulates magnetic stripe transaction
  No card-reader authentication
  Authorization is performed by back-end systems
  Extremely fast (transit system specification compliant)
• DDA (Dynamic Data Authentication)
  EMV model
  Reader contains payment scheme public keys
  Card signs transactions
  Reader verifies transactions
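The DDA model reduced to its mechanics, as an added example that is not code from the presentation or from the EMV specifications: the reader holds only the payment scheme's public key, checks the issuer certificate against it and the card certificate against the issuer key, then verifies the card's signature over the transaction data and its own unpredictable number. EMV uses RSA with its own certificate formats; this example uses P-256 ECDSA and a simplified certificate layout (subject, public key point, issuer signature) as assumptions, and the subjects, amount and unpredictable number are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/big"
)

// Cert is a simplified certificate: a subject, its public key point, and the
// signature of whoever issued the certificate. Assumed layout for the example.
type Cert struct {
	Subject string
	X, Y    *big.Int
	Sig     []byte
}

func (c *Cert) pub() *ecdsa.PublicKey {
	return &ecdsa.PublicKey{Curve: elliptic.P256(), X: c.X, Y: c.Y}
}

// tbs is the digest of the "to be signed" part of the certificate.
func (c *Cert) tbs() []byte {
	h := sha256.New()
	h.Write([]byte(c.Subject))
	h.Write(c.X.Bytes())
	h.Write(c.Y.Bytes())
	return h.Sum(nil)
}

// Issue creates a certificate for subjectKey, signed by signer (the scheme
// signs issuer certificates; the issuer signs card certificates).
func Issue(signer *ecdsa.PrivateKey, subject string, subjectKey *ecdsa.PublicKey) (*Cert, error) {
	c := &Cert{Subject: subject, X: subjectKey.X, Y: subjectKey.Y}
	sig, err := ecdsa.SignASN1(rand.Reader, signer, c.tbs())
	if err != nil {
		return nil, err
	}
	c.Sig = sig
	return c, nil
}

// VerifyChain: the reader trusts only the scheme key it was loaded with.
func VerifyChain(scheme *ecdsa.PublicKey, issuer, card *Cert) bool {
	if !ecdsa.VerifyASN1(scheme, issuer.tbs(), issuer.Sig) {
		return false
	}
	return ecdsa.VerifyASN1(issuer.pub(), card.tbs(), card.Sig)
}

// transactionDigest binds the amount and the reader's unpredictable number, so
// a recorded signature cannot be replayed for a different transaction.
func transactionDigest(amountCents uint64, unpredictable uint32) []byte {
	var buf [12]byte
	binary.BigEndian.PutUint64(buf[:8], amountCents)
	binary.BigEndian.PutUint32(buf[8:], unpredictable)
	d := sha256.Sum256(buf[:])
	return d[:]
}

// CardSign is what the chip does in DDA: sign the reader's challenge with the
// card private key, which never leaves the chip.
func CardSign(cardKey *ecdsa.PrivateKey, amountCents uint64, unpredictable uint32) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, cardKey, transactionDigest(amountCents, unpredictable))
}

// ReaderVerify is the offline check: certificate chain first, then the
// transaction signature under the card's certified key.
func ReaderVerify(scheme *ecdsa.PublicKey, issuer, card *Cert, amountCents uint64, unpredictable uint32, sig []byte) bool {
	if !VerifyChain(scheme, issuer, card) {
		return false
	}
	return ecdsa.VerifyASN1(card.pub(), transactionDigest(amountCents, unpredictable), sig)
}

func NewKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	scheme, issuerKey, cardKey := NewKey(), NewKey(), NewKey()
	issuerCert, _ := Issue(scheme, "Issuer Bank", &issuerKey.PublicKey)
	cardCert, _ := Issue(issuerKey, "PAN 4111********1111", &cardKey.PublicKey)
	sig, _ := CardSign(cardKey, 1250, 0xC0FFEE)
	fmt.Println("genuine card, same challenge:", ReaderVerify(&scheme.PublicKey, issuerCert, cardCert, 1250, 0xC0FFEE, sig))
	fmt.Println("recorded signature replayed: ", ReaderVerify(&scheme.PublicKey, issuerCert, cardCert, 1250, 0xBEEF, sig))
	clone := NewKey() // a clone has the (public) certificates but not the card key
	csig, _ := CardSign(clone, 1250, 0xC0FFEE)
	fmt.Println("clone without card key:      ", ReaderVerify(&scheme.PublicKey, issuerCert, cardCert, 1250, 0xC0FFEE, csig))
}
```

This is the contrast with the MSD model on the same slide: MSD data can be copied and replayed because nothing in it depends on the reader's challenge, whereas the DDA signature is tied to a per-transaction unpredictable number and to a private key that a skimmer never sees.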
Points for Consideration
• Contactless payment cards are as secure as, and probably safer to use than, traditional magnetic stripe cards
  The card never leaves the cardholder's hand during the transaction
  The data that could theoretically be captured by a thief using an illegal handheld reader placed within inches of a person carrying a contactless card amounts to less information than what is printed on the outside of the plastic card or stored on the magnetic stripe
  A thief that captures this data cannot make a duplicate credit card to make fraudulent retail purchases, or use the credit card account number to make a fraudulent online purchase, since the security code printed on the card is not stored inside the chip. For MSD-mode cards this depends on the issuer actually validating the dynamic CVV and rejecting reused transaction data; the MSD model has no card-reader authentication, so captured data that is not checked against a one-time value is a replayable record
Points for Consideration
• Strong federal protections exist for cardholders under Regulation E (which implements the Electronic Funds Transfer Act (EFTA))
  The EFTA provides protections for consumers engaged in electronic funds transfers at the point of sale, ATM, direct deposit, debit card and one-time electronic fund transfers via check
  The law requires certain consumer disclosures, change-in-terms notices, periodic statements and error resolution procedures and notices
  It also provides that a consumer's liability for an unauthorized transfer will not exceed $50 when the loss is reported promptly (higher liability tiers apply to late reporting)
Points for Consideration, Cont'd
• However, "zero liability" protection rules apply to all cards and devices issued by financial institutions in North America
• Industry best practices continue to evolve for the issuance of contactless payment cards and devices
  Encryption techniques for added protection against fraudulent transactions
  Removal of the cardholder's name from the electronic data stored on the chip
Additional Information
• More detailed information about the security of contactless payments can be found on the Smart Card Alliance website at www.smartcardalliance.org
• Important documents include:
  Smart Card Alliance Contactless Payment Security Statement (http://www.smartcardalliance.org/pages/publications-contactless-payment-security-statement)
  Contactless Payments Security Questions & Answers (http://www.smartcardalliance.org/pages/publications-contactless-payment-security-qa)
  Contactless Payments: Frequently Asked Questions (http://www.smartcardalliance.org/pages/publications-contactless-payments-faq)
Thank You!
Smart Card Alliance
191 Clarksville Rd. · Princeton Junction, NJ 08550 · (800) 556-6828
www.smartcardalliance.org
Bryan Ichikawa
Vice-President, Identity Solutions
Unisys Corporation