Security Analysis of EMV Channel Establishment Protocol in An Enhanced Security Model

  • Yanfei Guo
  • Zhenfeng Zhang
  • Jiang Zhang
  • Xuexian Hu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8958)


The EMV chip-and-pin system is one of the most widely used cryptographic system in securing credit card and ATM transactions. As suggested by the EMV consortium, the existing RSA-based EMV system will be upgraded to Elliptic Curve Cryptography (ECC) based system. In CCS 2013, Brzuska et al. made the first step to analyze the security of the ECC-based EMV channel establishment protocol in a channel establishment security model, and showed that a slightly modified version of the protocol meets the intended security goals. In this paper, we continue this strand of research by analyzing the security of the ECC-based EMV protocol in a strong channel establishment security model which allows the adversary to get ephemeral private keys of the involved parties. We find that the original protocol is not secure in our security model because the adversary can impersonate a Card entity. Then we slightly modify the protocol almost with no addition of computation cost and show that the resulting protocol is secure in our security model under standard cryptographic assumptions.


Security Model Honest Party Message Privacy Application Message Channel Message 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



The work is supported by the National Basic Research Program of China (No. 2013CB338003), the National Natural Science Foundation of China (No. 61170278, 91118006), and the 863 project (No. 2012AA01A403).


  1. 1.
    Anderson, R., Bond, M., Choudary, O., Murdoch, S.J., Stajano, F.: Might financial cryptography kill financial innovation? – the curious case of EMV. In: Danezis, G. (ed.) FC 2011. LNCS, vol. 7035, pp. 220–234. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  2. 2.
    Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994) CrossRefGoogle Scholar
  3. 3.
    Brzuska, C., Smart, N.P., Warinschi, B., Watson, G.J.: An analysis of the EMV channel establishment protocol. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013, pp. 373–386. ACM, New York (2013)Google Scholar
  4. 4.
    Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, p. 453. Springer, Heidelberg (2001) CrossRefGoogle Scholar
  5. 5.
    Coron, J.-S., Naccache, D., Tibouchi, M.: Fault attacks against EMV signatures. In: Pieprzyk, J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 208–220. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  6. 6.
    Coron, J.-S., Naccache, D., Tibouchi, M., Weinmann, R.-P.: Practical cryptanalysis of ISO/IEC 9796-2 and EMV signatures. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 428–444. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  7. 7.
    Degabriele, J.P., Lehmann, A., Paterson, K.G., Smart, N.P., Strefler, M.: On the joint security of encryption and signature in EMV. In: Dunkelman, O. (ed.) CT-RSA 2012. LNCS, vol. 7178, pp. 116–135. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  8. 8.
    Drimer, S., Murdoch, S.J., Anderson, R.: Optimised to fail: card readers for online banking. In: Dingledine, R., Golle, P. (eds.) FC 2009. LNCS, vol. 5628, pp. 184–200. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  9. 9.
    EMVCo: EMV-Integrated Circuit Card Specifications for Payment Systems, Book 1: Application Independent ICC to Terminal Interface Requirements (2011)Google Scholar
  10. 10.
    EMVCo: EMV-Integrated Circuit Card Specifications for Payment Systems, Book 2: Security and Key Management (2011)Google Scholar
  11. 11.
    EMVCo: EMV-Integrated Circuit Card Specifications for Payment Systems, Book 3: Application Specification (2011)Google Scholar
  12. 12.
    EMVCo: EMV-Integrated Circuit Card Specifications for Payment Systems, Book 4: Cardholder, Attendant, and Acquirer Interface Requirements (2011)Google Scholar
  13. 13.
    EMVCo: EMV ECC Key Establishment Protocols (2012)Google Scholar
  14. 14.
    Fujioka, A., Suzuki, K.: Designing efficient authenticated key exchange resilient to leakage of ephemeral secret keys. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 121–141. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  15. 15.
    Fujioka, A., Suzuki, K., Xagawa, K., Yoneyama, K.: Strongly secure authenticated key exchange from factoring, codes, and lattices. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 467–484. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  16. 16.
    Giesen, F., Kohlar, F., Stebila, D.: On the security of TLS renegotiation. In Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013, pp. 387–398. ACM, New York (2013)Google Scholar
  17. 17.
    Huang, H.: Strongly secure one round authenticated key exchange protocol with perfect forward security. In: Boyen, X., Chen, X. (eds.) ProvSec 2011. LNCS, vol. 6980, pp. 389–397. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  18. 18.
    Jager, T., Kohlar, F., Schäge, S., Schwenk, J.: On the security of TLS-DHE in the standard model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 273–293. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  19. 19.
    Kohlar, F., Schäge, S., Schwenk, J.: On the security of TLS-DH and TLS-RSA in the standard model. Cryptology ePrint Archive, Report 2013/367 (2013).
  20. 20.
    Krawczyk, H.: HMQV: a high-performance secure diffie-hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  21. 21.
    Krawczyk, H., Paterson, K.G., Wee, H.: On the security of the TLS protocol: a systematic analysis. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 429–448. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  22. 22.
    LaMacchia, B.A., Lauter, K., Mityagin, A.: Stronger security of authenticated key exchange. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 1–16. Springer, Heidelberg (2007) CrossRefGoogle Scholar
  23. 23.
    Li, Y., Schäge, S., Yang, Z., Kohlar, F., Schwenk, J.: On the security of the pre-shared key ciphersuites of TLS. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 669–684. Springer, Heidelberg (2014) CrossRefGoogle Scholar
  24. 24.
    EMVCo LLC: EMV deployment statistics (2012).
  25. 25.
    Murdoch, S., Drimer, S., Anderson, R., Bond, M.: Chip and pin is broken. In: 2010 IEEE Symposium on Security and Privacy (SP), pp. 433–446, May 2010Google Scholar
  26. 26.
    Ogundele, O., Zavarsky, P., Ruhl, R., Lindskog, D.: The implementation of a full EMV smartcard for a point-of-sale transaction. In: 2012 World Congress on Internet Security (WorldCIS), pp. 28–35, June 2012Google Scholar
  27. 27.
    Ustaoglu, B.: Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS. Des. Codes Crypt. 46(3), 329–342 (2008)MathSciNetCrossRefGoogle Scholar
  28. 28.
    Van Herreweghen, E., Wille, U.: Risks and potentials of using EMV for internet payments. In: Proceedings of the USENIX Workshop on Smartcard Technology on USENIX Workshop on Smartcard Technology, WOST 1999, p. 18. USENIX Association, Berkeley (1999)Google Scholar
  29. 29.
    Yang, Z.: Efficient eCK-secure authenticated key exchange protocols in the standard model. In: Qing, S., Zhou, J., Liu, D. (eds.) ICICS 2013. LNCS, vol. 8233, pp. 185–193. Springer, Heidelberg (2013) CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Yanfei Guo
    • 1
  • Zhenfeng Zhang
    • 1
  • Jiang Zhang
    • 1
  • Xuexian Hu
    • 1
  1. 1.Trusted Computing and Information Assurance LaboratoryInstitute of Software, Chinese Academy of SciencesBeijingChina

Personalised recommendations