Smart Cards and EMV
Michael J Ganley
Agenda
• Introduction to smart cards
• Smart card infrastructure
• Introduction to EMV
• EMV Cryptography
• Concluding remarks
Introduction to Smart Cards
[Figure labels: Wire-bonds, EEPROM, ROM, Processor]
Source: ORGA Systems UK, “ORGA - Smart Cards Basics”
Smart Card Memory
• ROM: Operating System
• EEPROM: Application Data & OS Extensions (≈ 1000 times slower to write than RAM)
• RAM: OS Work Space

        ROM      EEPROM    RAM
Min     ~3Kb     ~1Kb      ~128b
Max     ~64Kb    ~128Kb    ~3Kb
• Physical Security
  – Chip construction (micro-technology); protected layers
  – Address and data lines that logically belong together are intermingled in different layers.
  – Phantom transistors are embedded in the circuitry to make examination more difficult.
  – Upper and lower limits for clock frequency hinder the examination of the circuitry.
• Logical Security
  – The operation of the card is controlled by an operating system. No information that is not meant to be read out can be discovered from the card.
  – “Firewalling” of applications
Smart Card Security (2)
• Cryptographic Security
  – Encryption

and current requirements (protocols T = 0 as standard; T = 1 available on request; T = 14 used in Japan).
• ISO 7816-4: Inter-industry Commands for Interchange - establishes a set of commands for CPU cards across all industries to provide access, security and transmission of card data
• ISO 7816-5: Numbering System and Registration Procedure for Application Identifiers - establishes standards for Application Identifiers (AIDs).
• ISO 7816-6: Inter-industry data elements - details the physical transportation of device and transaction data, answer to reset and transmission protocols.
Typical Applications (1)
Typical Applications (2)
• For example:
  – Credit/debit (e.g. EMV)
  – Electronic purse (e.g. Visa Cash, Mondex, Geldkarte)
  – Loyalty (e.g. Shell)
  – Access control

  – Lack of infrastructure
  – Limitations of smart card technology, competing technologies
  – Post-issuance updates
  – Branding
  – etc
Smart Card Infrastructure
Magnetic Stripe Cards (1)
• It is instructive to consider, initially, the infrastructure for magnetic stripe cards and then compare that with the smart
Smart Cards
• For a smart card there are essentially three aspects to the infrastructure:
• Card Issuance
  – Chip manufacture, card fabrication
  – Public Key Infrastructure (in some cases)
  – Data generation (some secret), personalisation and issuance
  – PIN mailer (in some cases)
• Card Usage
  – Transaction (Cardholder, Retailer, Acquirer and Issuer)
• Post Issuance (Card Management System)
  – Lost or stolen card, forgotten PIN (etc)
  – Load new applications, update or delete existing applications
Personalisation System
[Figure: Update card via multiple (insecure) channels: Home PC (via Internet), ATM, PoS Terminal, Mobile Phone]
Introduction to EMV
What is EMV?
• Europay, MasterCard and Visa
• EMV2000: Integrated Circuit Card Specification for Payment Systems.

Security Architecture based on Book 2
• Full alignment between Europay and MasterCard
• Minor differences between Visa and MasterCard
EMV Type Approval
• EMV Type Approval testing is divided into two levels:
• The Level 1 Type Approval process tests compliance with electromechanical characteristics, logical interface, and transmission protocol requirements defined in part 1 of the EMV specifications.
• Level 2 Type Approval tests compliance with debit/credit application requirements defined in the remainder of the EMV specifications.
  – This includes the security requirements, including the physical security of devices (Book 2).
EMV Cryptography