Paper 2013/031

An Analysis of the EMV Channel Establishment Protocol

Chris Brzuska, Nigel P. Smart, Bogdan Warinschi, and Gaven J. Watson


With over 1.6~billion debit and credit cards in use worldwide, the EMV system (a.k.a. ``Chip-and-PIN'') has become one of the most important deployed cryptographic protocol suites. Recently, the EMV consortium has decided to upgrade the existing RSA based system with a new system relying on Elliptic Curve Cryptography (ECC). One of the central components of the new system is a protocol that enables a card to establish a secure channel with a card reader. In this paper we provide a security analysis of the proposed protocol, we propose minor changes/clarifications to the ``Request for Comments'' issued in Nov 2012, and demonstrate that the resulting protocol meets the intended security goals. The structure of the protocol is one commonly encountered in practice: first run a key-exchange to establish a shared key (which performs authentication and key confirmation), only then use the channel to exchange application messages. Although common in practice, this structure takes the protocol out of the reach of most standard security models for key-exchange. Unfortunately, the only models that can cope with the above structure suffer from some drawbacks that make them unsuitable for our analysis. Our second contribution is to provide new security models for channel establishment protocols. Our models have a more inclusive syntax, are quite general, deal with a realistic notion of authentication (one-sided authentication as required by EMV), and do not suffer from the drawbacks that we identify in prior models.

Available format(s)
Publication info
Published elsewhere. Major revision. ACM-CCS 2013
Contact author(s)
nigel @ cs bris ac uk
2013-11-05: last of 5 revisions
2013-01-29: received
See all versions
Short URL
Creative Commons Attribution


      author = {Chris Brzuska and Nigel P.  Smart and Bogdan Warinschi and Gaven J.  Watson},
      title = {An Analysis of the {EMV} Channel Establishment Protocol},
      howpublished = {Cryptology ePrint Archive, Paper 2013/031},
      year = {2013},
      doi = {10.1145/2508859.2516748},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.