Paper 2013/031

An Analysis of the EMV Channel Establishment Protocol

Chris Brzuska, Nigel P. Smart, Bogdan Warinschi, and Gaven J. Watson

Abstract

With over 1.6~billion debit and credit cards in use worldwide, the EMV system (a.k.a. ``Chip-and-PIN'') has become one of the most important deployed cryptographic protocol suites. Recently, the EMV consortium has decided to upgrade the existing RSA based system with a new system relying on Elliptic Curve Cryptography (ECC). One of the central components of the new system is a protocol that enables a card to establish a secure channel with a card reader. In this paper we provide a security analysis of the proposed protocol, we propose minor changes/clarifications to the ``Request for Comments'' issued in Nov 2012, and demonstrate that the resulting protocol meets the intended security goals. The structure of the protocol is one commonly encountered in practice: first run a key-exchange to establish a shared key (which performs authentication and key confirmation), only then use the channel to exchange application messages. Although common in practice, this structure takes the protocol out of the reach of most standard security models for key-exchange. Unfortunately, the only models that can cope with the above structure suffer from some drawbacks that make them unsuitable for our analysis. Our second contribution is to provide new security models for channel establishment protocols. Our models have a more inclusive syntax, are quite general, deal with a realistic notion of authentication (one-sided authentication as required by EMV), and do not suffer from the drawbacks that we identify in prior models.

Metadata
Available format(s)
PDF
Category
Applications
Publication info
Published elsewhere. Major revision. ACM-CCS 2013
DOI
10.1145/2508859.2516748
Contact author(s)
nigel @ cs bris ac uk
History
2013-11-05: last of 5 revisions
2013-01-29: received
See all versions
Short URL
https://ia.cr/2013/031
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2013/031,
      author = {Chris Brzuska and Nigel P.  Smart and Bogdan Warinschi and Gaven J.  Watson},
      title = {An Analysis of the EMV Channel Establishment Protocol},
      howpublished = {Cryptology ePrint Archive, Paper 2013/031},
      year = {2013},
      doi = {10.1145/2508859.2516748},
      note = {\url{https://eprint.iacr.org/2013/031}},
      url = {https://eprint.iacr.org/2013/031}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.