Security Analysis of EMV Channel Establishment Protocol in An Enhanced Security Model
The EMV chip-and-pin system is one of the most widely used cryptographic systems for securing credit card and ATM transactions. As suggested by the EMV consortium, the existing RSA-based EMV system will be upgraded to an Elliptic Curve Cryptography (ECC) based system. In CCS 2013, Brzuska et al. took the first step in analyzing the security of the ECC-based EMV channel establishment protocol in a channel establishment security model, and showed that a slightly modified version of the protocol meets the intended security goals. In this paper, we continue this line of research by analyzing the security of the ECC-based EMV protocol in a strong channel establishment security model that allows the adversary to obtain the ephemeral private keys of the involved parties. We find that the original protocol is not secure in our security model because the adversary can impersonate a Card entity. We then slightly modify the protocol, with almost no additional computation cost, and show that the resulting protocol is secure in our security model under standard cryptographic assumptions.
Keywords: Security Model, Honest Party, Message Privacy, Application Message, Channel Message
The work is supported by the National Basic Research Program of China (No. 2013CB338003), the National Natural Science Foundation of China (No. 61170278, 91118006), and the 863 project (No. 2012AA01A403).
- 3. Brzuska, C., Smart, N.P., Warinschi, B., Watson, G.J.: An analysis of the EMV channel establishment protocol. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013, pp. 373–386. ACM, New York (2013)
- 9. EMVCo: EMV-Integrated Circuit Card Specifications for Payment Systems, Book 1: Application Independent ICC to Terminal Interface Requirements (2011)
- 10. EMVCo: EMV-Integrated Circuit Card Specifications for Payment Systems, Book 2: Security and Key Management (2011)
- 11. EMVCo: EMV-Integrated Circuit Card Specifications for Payment Systems, Book 3: Application Specification (2011)
- 12. EMVCo: EMV-Integrated Circuit Card Specifications for Payment Systems, Book 4: Cardholder, Attendant, and Acquirer Interface Requirements (2011)
- 13. EMVCo: EMV ECC Key Establishment Protocols (2012)
- 16. Giesen, F., Kohlar, F., Stebila, D.: On the security of TLS renegotiation. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013, pp. 387–398. ACM, New York (2013)
- 19. Kohlar, F., Schäge, S., Schwenk, J.: On the security of TLS-DH and TLS-RSA in the standard model. Cryptology ePrint Archive, Report 2013/367 (2013). http://eprint.iacr.org/
- 24. EMVCo LLC: EMV deployment statistics (2012). http://www.emvco.com/about_emvco.aspx?id=202
- 25. Murdoch, S., Drimer, S., Anderson, R., Bond, M.: Chip and pin is broken. In: 2010 IEEE Symposium on Security and Privacy (SP), pp. 433–446, May 2010
- 26. Ogundele, O., Zavarsky, P., Ruhl, R., Lindskog, D.: The implementation of a full EMV smartcard for a point-of-sale transaction. In: 2012 World Congress on Internet Security (WorldCIS), pp. 28–35, June 2012
- 28. Van Herreweghen, E., Wille, U.: Risks and potentials of using EMV for internet payments. In: Proceedings of the USENIX Workshop on Smartcard Technology on USENIX Workshop on Smartcard Technology, WOST 1999, p. 18. USENIX Association, Berkeley (1999)