undefined | Better HN

0 pointsavianlyric5mo ago0 comments

Yes EMV chips and the EMV standard are secure elements that were spec’d and have been manufactured since the 80s. The EU has been using these thing pretty much universally since the late 90s.

They’ve also supported offline transactions that entire time. Indeed offline transactions was the norm for a long time because internet connections were expensive. So payment terminals did offline transactions, then literally phoned home at the end of the day to upload all of the day’s transactions.

The transactions themselves are just signed by the cards, and stored by the payment terminals. Interestingly using symmetric encryption, because asymmetric encryption was two expensive to put into debit/credit cards when the EMV spec was originally created.

Card transactions being online by default in the EU is pretty recent phenomenon that only really happens in the past 5-10 years, as internet connections and cheap mobile data plans have become ubiquitous.

0 comments

lxgr5mo ago

EMV has been using asymmetric cryptography for a long time now, even though it's strictly optional in the specs.

Older cards indeed didn't have it for cost reasons, and online-only cards theoretically have no strict need for it even today, but practically, a symmetric-only card is a non-starter these days for several reasons. You won't be able to ride the Tube in London or Subway in NYC with a card that does not support it, for example.

avianlyricOP5mo ago

> You won't be able to ride the Tube in London or Subway in NYC with a card that does not support it, for example.

Those systems all perform online auths at the gate, they don’t rely on offline transactions at all.

Asymmetric encryption is used to prove the identity of the card itself, I.e. prove it’s a real card owned by a real issuer. But it’s not used to sign the transaction itself.

Transaction cryptograms, the cryptographic blob that’s built using data like transaction amounts, method of customer authentication etc only use symmetric encryption. The produced cryptogram itself is then also signed using an asymmetric key, but the asymmetric and symmetric blobs are distinct entities and processes separately by the card network.

Now this is the really important, and completely non-obvious part. Only the symmetrically encrypted transaction cryptogram is sent over the card network to the issuer. All of the asymmetric parts are only used locally by the terminal for validation, then thrown away. So the data produced by the card that is actually stored and eventually sent to the issuer can’t be used for cryptographic non-repudiation, because there’s no mechanism for the merchant to prove using only the transaction cryptogram, and public keys, that a specific transaction was signed by a specific card issued by a specific issuer.

This may seem very strange from a technical perspective, but only because people think that the technical elements of card networks is what prevents fraud. In reality fraud, at least between network participants, is entirely prevented using legal contracts, escrow accounts, and the simple fact that the benefit of abusing the technical measures to commit fraud is simply not worth the consequences. Being a network participant requires you to put millions of dollars in escrow, and be a large enough company that you can realistically move millions of dollars in transactions everyday. Fraud between companies at that level is solved using very expensive lawyers, the technical measures only need to provide enough evidence of tampering to stand up in a court of law, where everyone is under oath, and at risk of personal repercussions for perjury. There is no need for them to be completely fool proof, it’s much easier to just depose the engineers who were ordered to circumvent the technical controls, under threat of prison time, than it is to get every network participant to adopt some complex cryptographic non-repudiation scheme to protect against scenarios that don’t actually occur in reality.

lxgr5mo ago

> Those systems all perform online auths at the gate, they don’t rely on offline transactions at all.

No, there's not enough time for online authorizations at transit turnstiles. They do the online auth as fast as possible, and if it does not go through they put the card on a denylist [1].

But since it would be possible to just make up random valid card numbers on the spot, they do enforce successful offline authentication – using asymmetric cryptography.

> Asymmetric encryption is used to prove the identity of the card itself, I.e. prove it’s a real card owned by a real issuer. But it’s not used to sign the transaction itself.

In CDA, it is used to sign the entire transaction.

> Only the symmetrically encrypted transaction cryptogram is sent over the card network to the issuer. All of the asymmetric parts are only used locally by the terminal for validation, then thrown away.

That's true, but doesn't change the fact that offline authentication is an integral part of EMV. Also, the "then thrown away" part could relatively straightforwardly be changed by the networks if ever necessary. The CDA output provides actual non-repudiation.

> This may seem very strange from a technical perspective, but only because people think that the technical elements of card networks is what prevents fraud.

I'd say it's just a historically grown legacy system, and it would have been too disruptive to retrofit asymmetric cryptograms into it (with its vastly larger cryptograms and every byte of transmission data coming at a premium).

If EMV were redesigned from scratch, it would 100% just use the CDA-style cryptogram for transaction approval as well.

> In reality fraud, at least between network participants, is entirely prevented using legal contracts, escrow accounts, and the simple fact that the benefit of abusing the technical measures to commit fraud is simply not worth the consequences.

On this part I'd agree. The most important factor here is that the type of fraud that could exploit this "symmetric/asymmetric gap" requires a malicious terminal or merchant.

That's not really a common threat scenario in EMV, since fraudulent merchants could already do many other things (such as e.g. tapping commuters' wallets using a concealed POS terminal for low-value payments), and becoming a fully trusted merchant has relatively high entry barriers as a result.

I do suspect that this could change, with EMV becoming more and more accessible for very small merchants using cheap mobile terminals or even regular contactless-capable smartphones. But as I've mentioned, it's not too hard to address these issues using policy.

[1] https://content.tfl.gov.uk/aac-20141217-part-1-item12-contac...

1 more reply

j / k navigate · click thread line to collapse

0 comments

lxgr5mo ago

EMV has been using asymmetric cryptography for a long time now, even though it's strictly optional in the specs.

avianlyricOP5mo ago

> You won't be able to ride the Tube in London or Subway in NYC with a card that does not support it, for example.

Those systems all perform online auths at the gate, they don’t rely on offline transactions at all.

Asymmetric encryption is used to prove the identity of the card itself, I.e. prove it’s a real card owned by a real issuer. But it’s not used to sign the transaction itself.

lxgr5mo ago

> Those systems all perform online auths at the gate, they don’t rely on offline transactions at all.

No, there's not enough time for online authorizations at transit turnstiles. They do the online auth as fast as possible, and if it does not go through they put the card on a denylist [1].

But since it would be possible to just make up random valid card numbers on the spot, they do enforce successful offline authentication – using asymmetric cryptography.

> Asymmetric encryption is used to prove the identity of the card itself, I.e. prove it’s a real card owned by a real issuer. But it’s not used to sign the transaction itself.

In CDA, it is used to sign the entire transaction.

> This may seem very strange from a technical perspective, but only because people think that the technical elements of card networks is what prevents fraud.

If EMV were redesigned from scratch, it would 100% just use the CDA-style cryptogram for transaction approval as well.

On this part I'd agree. The most important factor here is that the type of fraud that could exploit this "symmetric/asymmetric gap" requires a malicious terminal or merchant.

[1] https://content.tfl.gov.uk/aac-20141217-part-1-item12-contac...

1 more reply

j / k navigate · click thread line to collapse