Smart Cards and
EMV
1
Smart Cards
and EMV
Michael J Ganley
Smart Cards and
EMV
2
Agenda
•
Introduction to smart cards
•
Smart card infrastructure
•
Introduction to EMV
•
EMV Cryptography
•
Concluding remarks
Smart Cards and
EMV
3
Introduction to Smart Cards
•
Introduction to smart cards
•
Smart card infrastructure
•
Introduction to EMV
•

EMV Cryptography
•
Concluding remarks
Smart Cards and
EMV
4
What is a Smart Card?
•
A smart card (also called a chip card or an integrated
circuit card (ICC)) is a credit card sized plastic card
containing a microprocessor.
•
A Subscriber Identification Module (SIM), used in a mobile
phone, is essentially a cut-down smart card.
•
A smart card may be a contact card or a contact-less
(proximity) card; some cards are of both types (combi-
card); a contact card requires a card reader to allow
communication with the card.
•
A smart card application may be extremely simple
(essentially a memory card, such as a phone card) or very
complex (e.g. a credit application); cards may be single
application or multiple application.
Smart Cards and
EMV
5
Smart Card Architecture
RA
M

Wire-
bonds
EEPROM
ROM
Processo
r
Source: ORGA Systems UK, “ORGA - Smart Cards Basics”
Smart Cards and
EMV
6
Smart Card Memory
ROM
EEPROM
RAM
Operating System
Application Data &
OS Extensions
OS Work Space
≈
≈
1000 times slower
1000 times slower
to write than RAM
to write than RAM
ROM EEPROM RAM
Min
Max
~3Kb
~64Kb ~128Kb ~3Kb
~1Kb ~128b

Smart Cards and
EMV
7
Operating Systems
•
Most smart cards, today, have proprietary operating systems.
•
Java Card – smart card capable of running a Java program.
–
Communicates with OS via Java Card Virtual Machine.
–
“Write once, run anywhere” concept.
•
Multos – proprietary OS, endorsed by MasterCard (amongst others).
–
High levels of security (ITSEC level 6 for some chips).
–
Demonstrates basic principle of “the higher the complexity, the lower the
assurance level”.
–
Mondex electronic purse is a Multos application.
•
Windows for Smart Cards – MicroSoft initiative, now largely disappeared.
•
Open Platform – “a global and open multi-industry interoperable
framework”, promoted by Visa (amongst others).
Smart Cards and
EMV
8
Smart Card Security (1)

•
Physical Security
–
Chip construction (micro-technology); protected layers
–
Address and data lines that logically belong together are
intermingled in different layers.
–
Phantom transistors are embedded in the circuitry to make
examination more difficult.
–
Upper and lower limits for clock frequency hinder the examination
of the circuitry.
•
Logical Security
–
The operation of the card is controlled by an operating system. No
information that is not meant to be read out can be discovered from
the card.
–
“Firewalling” of applications
Smart Cards and
EMV
9
Smart Card Security (2)
•
Cryptographic Security
–
Encryption
–

Digital signature
–
Cryptographic isolation of cards
•
Access Control
–
Password or PIN (card lock after number of incorrect attempts)
–
Biometrics
•
Attacks
–
Intrusive attacks (e.g. probing) are possible, but extremely expensive
and require specialist knowledge and equipment.
–
Non-intrusive attacks may be possible (e.g. timing attacks or
differential power analysis)
Smart Cards and
EMV
10
Standards
•
ISO 7816-1: Physical Characteristics - defines the physical dimensions of contact
smart cards and their electrical resistance. It also describes the physical location
of an IC card’s magnetic stripe and embossing area.
•
ISO7816-2: Dimensions and Location of Contacts - defines the location, purpose
and electrical characteristics of the card’s metallic contacts.
•
ISO 7816-3: Electronic Signals and Transmission Protocols - defines the voltage

and current requirements (protocols T = 0 as standard; T = 1 available on
request; T = 14 used in Japan).
•
ISO 7816-4: Inter-industry Commands for Interchange - establishes a set of
commands for CPU cards across all industries to provide access, security and
transmission of card data
•
ISO 7816-5: Numbering System and Registration Procedure for Application
Identifiers - establishes standards for Application Identifiers (AIDs).
•
ISO 7816-6: Inter-industry data elements - details the physical transportation of
device and transaction data, answer to reset and transmission protocols.
Smart Cards and
EMV
11
Typical Applications (1)
Smart Cards and
EMV
12
Typical Applications (2)
•
For example:
–
Credit/debit (e.g. EMV)
–
Electronic purse (e.g. Visa Cash, Mondex, Geldkarte)
–
Loyalty (e.g. Shell)
–
Access control

–
Identification
–
Transport
–
Health
–
“Entitlement”
•
Multi-application (for example):
–
Malaysia GMPC card – identity card, passport, health records,
driving licence (inc endorsements), electronic purse, biometrics.
–
“Citizen Card” – transport card, access to local services, etc (e.g
Aberdeen, Cornwall).
Smart Cards and
EMV
13
The “Holy Grail”
•
The ideal situation is for everybody to have a single
smart card that contains all necessary applications
and can be used everywhere.
Dream on!
•
Problems include:
–
Cost
–

Lack of infrastructure
–
Limitations of smart card technology, competing technologies
–
Post-issuance updates
–
Branding
–
etc
Smart Cards and
EMV
14
Smart Card Infrastructure
•
Introduction to smart cards
•
Smart card infrastructure
•
Introduction to EMV
•
EMV Cryptography
•
Concluding remarks
Smart Cards and
EMV
15
Magnetic Stripe Cards (1)
•
It is instructive to consider, initially, the infrastructure for
magnetic stripe cards and then compare that with the smart

card infrastructure (ignoring the billing side of things).
•
For a magnetic stripe card there are essentially two aspects to
the infrastructure:
•
Card Issuance
–
Data generation, personalisation and issuance
–
PIN mailer (in some cases)
•
Card Usage
–
Transaction (Cardholder, Retailer, Acquirer and Issuer)
–
Lost or stolen card, forgotten PIN (etc)
Smart Cards and
EMV
16
Magnetic Stripe Cards (2)
Card Issuer
Personalisation System
Raw Materials
Card Data
PIN Mailer
Card
Acquirer
Terminal
Transaction System
Smart Cards and

EMV
17
Smart Cards
•
For a smart card there are essentially three aspects to the
infrastructure:
•
Card Issuance
–
Chip manufacture, card fabrication
–
Public Key Infrastructure (in some cases)
–
Data generation (some secret), personalisation and issuance
–
PIN mailer (in some cases)
•
Card Usage
–
Transaction (Cardholder, Retailer, Acquirer and Issuer)
•
Post Issuance (Card Management System)
–
Lost or stolen card, forgotten PIN (etc)
–
Load new applications, update or delete existing applications
Smart Cards and
EMV
18
Personalisation System

Chip Manufacturer
Card Fabricator
Smart Cards - Issuance
PIN Mailer
Card
Card Issuer
Pre-Personalisation
Process (P3)
Card Data
Unpersonalised Card
Chip
Raw Materials
Smart Cards and
EMV
19
Smart Cards - Usage
Card Issuer
Acquirer
Terminal
Security of overall
transaction is
between the card and
the Card Issuer
Smart Cards and
EMV
20
Smart Cards – Post Issuance
Issuer Card
Management
System and P3

Home PC (via
Internet)
ATM
PoS Terminal
Mobile Phone
Update card via multiple
(insecure) channels
Smart Cards and
EMV
21
Introduction to EMV
•
Introduction to smart cards
•
Smart card infrastructure
•
Introduction to EMV
•
EMV Cryptography
•
Concluding remarks
Smart Cards and
EMV
22
What is EMV?
•
Europay, MasterCard and Visa
•
EMV2000: Integrated Circuit Card Specification for
Payment Systems.

–
Complies with the ISO 7816 standards
•
As well as specifying the functional requirements of a
payment application, it defines a framework for chip
based applications. However, is only concerned with
the Terminal side of transaction processing.
•
The UK is currently rolling-out EMV-based chip
cards
–
Full compliance by 2005
–
Liability issues
Smart Cards and
EMV
23
Context
•
EMV2000: Integrated Circuit Card Specification for
Payment Systems, Version 4.0
–
Book 1: ICC to Terminal Interface Requirements
–
Book 2: Security and Key Management
–
Book 3: Application Specification
–
Book 4: Cardholder, Attendant and Acquirer Interface Specifications
•

Security Architecture based on Book 2
•
Full alignment between Europay and MasterCard
•
Minor differences between Visa and MasterCard
Smart Cards and
EMV
24
EMV Type Approval
•
EMV Type Approval testing is divided into two levels:
•
The Level 1 Type Approval process tests compliance
with electromechanical characteristics, logical
interface, and transmission protocol requirements
defined in part 1 of the EMV specifications.
•
Level 2 Type Approval tests compliance with
debit/credit application requirements defined in the
remainder of the EMV specifications.
–
This includes the security requirements, including the physical
security of devices (Book 2).
Smart Cards and
EMV
25
EMV Cryptography
•
Introduction to smart cards
•

Smart card infrastructure
•
Introduction to EMV
•
EMV Cryptography
•
Concluding remarks