Cryptography Reference
In-Depth Information
OFFLINE DATA AUTHENTICATION
In order to authorise an EMV card transaction, a terminal must first decide
whether to do an offline check, or whether to conduct a stronger online check
that involves communicating with the card issuer. The decision as to which check
to conduct depends on the transaction amount and the number of transactions
conducted since the last online check.
Offline data authentication does not involve the card issuer. In its most basic
form, it provides a means of gaining assurance that the information stored on an
EMV card has not been changed since the payment card was created by the card
issuer. In other words, it provides data origin authentication of the fundamental
card data. The stronger mechanisms also provide entity authentication of the
card. Offline data authentication of a payment card can be conducted directly by
a terminal that the card has been inserted into.
It is impractical to provide this offline service using symmetric cryptography,
since each terminal would need to share a symmetric key with every possible
issuer. The use of key translation, as discussed in Section 12.4.2 for magnetic stripe
PIN verification, requires the issuer to be online. Thus public-key cryptography,
in the form of a digital signature scheme, is used to provide offline data
authentication. For space efficiency reasons, EMV cards use a type of RSA
digital signature scheme with message recovery (see Section 7.3.5) to provide
this assurance.
EMV provides three offline data authentication mechanisms:
Static Data Authentication (SDA) is the simplest technique. All that is checked is
the digital signature on the card data that is stored on the card. Verification
of this digital signature requires access to the issuer's verification key. Clearly
it is not reasonable to expect every terminal to have direct access to every
issuer's verification key. Thus EMV employs a simple certificate hierarchy (see
Section 11.3.3). In this case the card stores a public-key certificate containing
the verification key of the issuer. This certificate is signed by the PCO, and the
PCO's verification key is installed in every terminal supporting EMV.
Dynamic Data Authentication (DDA) goes one step further and provides this
assurance in a dynamic way that differs for each transaction, hence providing
another layer of security against card counterfeiting. During DDA, a challenge-
response protocol is run that provides entity authentication of the card. In this
case each card has its own RSA key pair and includes a public-key certificate for
the card's verification key, signed by the issuer, as well as the issuer's public-key
certificate, signed by the PCO. We thus have a three-level public-key certificate
chain. The card computes a digital signature on the card data as well as some
information unique to the current authentication session. The terminal uses
the certificates offered by the card to verify this digital signature.
Combined Data Authentication (CDA) is similar to DDA, except that the card also
signs the transaction data, thus providing assurance that the card and terminal
have the same view of the transaction. This protects against man-in-the-middle
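The terminal-side checks for SDA and DDA described above, as an added example that is not taken from the original text. It uses textbook RSA over a SHA-256 digest instead of EMV's signature scheme with message recovery; the toy keys, the card data and all function names are assumptions made for illustration.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys

def keygen(p, q):  # textbook RSA key from two primes (toy sizes)
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(digest(data, key["n"]), key["d"], key["n"])

def verify(n, data, sig):
    return pow(sig, E, n) == digest(data, n)

def issue_cert(parent_key, subject_n):  # cert = (subject modulus, parent's signature)
    return subject_n, sign(parent_key, subject_n.to_bytes(32, "big"))

def check_cert(parent_n, cert):  # returns the certified modulus, or None
    subject_n, sig = cert
    return subject_n if verify(parent_n, subject_n.to_bytes(32, "big"), sig) else None

def terminal_sda(pco_n, issuer_cert, card_data, static_sig):
    issuer_n = check_cert(pco_n, issuer_cert)               # PCO -> issuer
    return issuer_n is not None and verify(issuer_n, card_data, static_sig)

def terminal_dda(pco_n, issuer_cert, card_cert, card_data, challenge, response):
    issuer_n = check_cert(pco_n, issuer_cert)               # PCO -> issuer
    card_n = issuer_n and check_cert(issuer_n, card_cert)   # issuer -> card
    return bool(card_n) and verify(card_n, card_data + challenge, response)

# Constructed keys built from Mersenne primes; real EMV keys are far larger.
PCO = keygen(2**127 - 1, 2**107 - 1)
ISSUER = keygen(2**107 - 1, 2**89 - 1)
CARD = keygen(2**89 - 1, 2**61 - 1)
ISSUER_CERT = issue_cert(PCO, ISSUER["n"])
CARD_CERT = issue_cert(ISSUER, CARD["n"])
CARD_DATA = b"PAN=0000000000000000;EXP=0000"  # constructed sample card data
STATIC_SIG = sign(ISSUER, CARD_DATA)          # SDA: fixed at issuance, same every time

def card_respond(challenge):  # DDA: card signs its data plus the session challenge
    return sign(CARD, CARD_DATA + challenge)

def demo():
    c1, c2 = b"\x00\x00\x00\x01", b"\x00\x00\x00\x02"  # two terminal challenges
    r1 = card_respond(c1)
    args = (PCO["n"], ISSUER_CERT, CARD_CERT, CARD_DATA)
    return terminal_dda(*args, c1, r1), terminal_dda(*args, c2, r1)  # (True, False)
```

The terminal holds only the PCO verification key; every other key it uses arrives in a certificate from the card. A DDA response is accepted only for the challenge it was computed over, whereas the SDA signature is the same value in every transaction.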