Previous lecture - PowerPoint PPT Presentation
Provided by: mrtent

Transcript and Presenter's Notes

Title: Previous lecture

1
Previous lecture
  • Diffie-Hellman key agreement
  • Authentication
  • Certificates
  • Certificate Authorities

2
Today's Agenda: Smartcards
  • The problem we want to solve
  • General information on smart-cards
  • New possibilities
  • Transaction overview
  • EMV

3
Problems with Magnetic Stripe
  • Easy to copy
    ◦ Possible to make an exact copy of the magnetic-stripe image
  • Off-line risk management very rudimentary
    ◦ No possibility to put risk levels on individual cards or groups of cards
  • Transactions can be modified by dishonest merchants
  • Smart-cards address these problems

4
What Is a Smart-Card
  • A smart-card is a small computer
  • Often placed on a credit-card sized plastic card
  • Can have contacts or be contact-less
  • Has a well-defined interface
  • Can have secret information that is protected
    from direct access
  • First appeared in the 1970s

5
Advantages with Smart-Cards
  • Can have secret data
    ◦ Data used for internal computations and never revealed in clear
    ◦ Example: PIN and keys can be stored on card
  • Can process data and save information
    ◦ Count transactions
    ◦ Check PIN and count unsuccessful tries
    ◦ Different behavior depending on geographic location
  • Cryptographic functions
    ◦ Uses the secret keys

6
New Functionality
  • Off-line risk management
    ◦ Can be configured at an individual level
  • Off-line card-holder verification
    ◦ PIN stored on card
  • Resistant to skimming attacks
    ◦ Transactions cryptographically authenticated
  • Reduces fraud rate

7
Off-line PIN
  • Increases speed for low-amount transactions
  • PIN is checked by card
    ◦ PIN is never revealed outside card. After a predefined number of tries, the PIN functionality is blocked.
  • Can be sent to card in clear or encrypted
    ◦ Depends on card and terminal functionality.
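
The try counter described on this slide, as an added example that is not from the lecture: a small Python model of the card-side PIN check. The try limit of 3, the status strings and the `Card` class are my assumptions; the point is that the reference PIN never leaves the card, the terminal only ever sees a status, and the counter is committed before the comparison so an interrupted attempt still counts.

```python
"""Card-side off-line PIN check with a try counter (added example, not from the slides).

Assumptions (mine, not EMV's): a try limit of 3, the status strings below,
and that the reference PIN lives only inside the Card object.
"""
import hmac


class Card:
    def __init__(self, reference_pin: str, try_limit: int = 3):
        self._pin = reference_pin.encode()   # never returned to the terminal
        self._try_limit = try_limit
        self._tries_left = try_limit

    @property
    def tries_left(self) -> int:
        return self._tries_left

    @property
    def blocked(self) -> bool:
        return self._tries_left == 0

    def verify_pin(self, candidate: str) -> str:
        """Terminal sends a candidate PIN; the card answers only with a status."""
        if self.blocked:
            return "blocked"
        # Decrement and commit the counter before comparing, so that cutting
        # power during the comparison cannot be used to get a free try.
        self._tries_left -= 1
        if hmac.compare_digest(self._pin, candidate.encode()):
            self._tries_left = self._try_limit   # a correct PIN resets the counter
            return "ok"
        return "wrong" if self._tries_left else "blocked"

    def issuer_unblock(self) -> None:
        """Only the issuer (via an authenticated script, see the Scripts slide) resets a blocked PIN."""
        self._tries_left = self._try_limit
```

`hmac.compare_digest` is used for the comparison so that the time taken does not depend on how many leading digits matched; on a real card the comparison and counter update happen in protected memory, and the terminal receives only the status.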

8
Card Authentication to Terminal
  • Authentication to prevent use of fake cards
  • Certifies that the card was not modified after issuance
    ◦ Prevents alteration of risk-related parameters
  • Two types: static and dynamic
    ◦ Static: no special requirements on card. Does not stop skimming attacks. (Skimmed cards will be detected on-line.)
    ◦ Dynamic: requires RSA functionality on card. Prevents skimming attacks.
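
The difference between static and dynamic authentication, as an added example that is not from the lecture. Textbook RSA over fixed Mersenne primes stands in for the real issuer and card keys, and the card record layout, the `GenuineCard`/`ClonedCard` classes and the 8-byte terminal challenge are my assumptions rather than the EMV formats. What it shows is exactly the slide's point: a copy of everything readable from the card passes the static check, because the issuer signature is itself just data, but fails the dynamic check, because it cannot sign a fresh challenge without the card's private key.

```python
"""Static vs dynamic card authentication (added example, not from the slides).

Textbook RSA with fixed Mersenne primes stands in for the issuer's and card's
real keys; the record layout and challenge size are my assumptions, not EMV's.
"""
import hashlib
import os


def make_keypair(p: int, q: int, e: int = 65537):
    """Return ((n, e), (n, d)); the primes are chosen so e is invertible mod (p-1)(q-1)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))      # modular inverse, Python 3.8+
    return (n, e), (n, d)


def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(_digest(data, n), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)


# Constructed keys: the issuer signs the static card data at issuance; a
# dynamic card additionally carries its own key pair (its public key would in
# practice reach the terminal inside an issuer-signed certificate).
ISSUER_PUB, ISSUER_PRIV = make_keypair(2**61 - 1, 2**31 - 1)
CARD_PUB, CARD_PRIV = make_keypair(2**89 - 1, 2**61 - 1)

STATIC_DATA = b"pan=TESTPAN;expiry=2712;offline_limit=50"   # constructed card record
STATIC_SIG = sign(ISSUER_PRIV, STATIC_DATA)                  # written to the card at issuance


class GenuineCard:
    static_data, static_sig = STATIC_DATA, STATIC_SIG

    def sign_challenge(self, challenge: bytes) -> int:
        # Only the genuine card holds CARD_PRIV.
        return sign(CARD_PRIV, self.static_data + challenge)


class ClonedCard:
    """A skimmed copy: everything the terminal can read, but no private key."""
    static_data, static_sig = STATIC_DATA, STATIC_SIG

    def sign_challenge(self, challenge: bytes) -> int:
        return self.static_sig      # the best a clone can do is replay a stored value


def static_auth(card) -> bool:
    """Static check: issuer signature over the static data, which a copy carries too."""
    return verify(ISSUER_PUB, card.static_data, card.static_sig)


def dynamic_auth(card, challenge: bytes = b"") -> bool:
    """Dynamic check: the card must sign a fresh terminal challenge."""
    challenge = challenge or os.urandom(8)
    return verify(CARD_PUB, card.static_data + challenge, card.sign_challenge(challenge))
```

The clone's pass on the static check is why the slide says skimmed cards are only caught on-line for static authentication: off-line, the terminal has nothing to distinguish the copy from the original.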

9
Online Authorization
  • If card or terminal wants to go online, the transaction is verified online
  • On-line transactions are digitally authenticated
    ◦ Prevents use of fake cards
    ◦ Prevents the merchant from re-using the card number
  • The response from the issuer is digitally authenticated
    ◦ Important to avoid, e.g., wrongful change of PIN and update of risk parameters.

10
Smart-card Transaction Flow
[Flow diagram showing the parties Card, Terminal, Acquirer and Issuer and these steps:]
  • Card terminal interaction
  • On-line authorization (conditional)
  • Card terminal interaction (if after online authorization)
  • Transaction data transfer (possibly including declined transactions info)

11
Smart-card Transaction Flow (same diagram as slide 10)

12
Interaction between Card and Terminal
  • Card authenticates itself to the terminal
  • Offline risk control used to decide whether to go online or not
    ◦ If card wants to go online, transaction is checked online
    ◦ If terminal wants to go online, transaction is checked online

13
Smart-card Transaction Flow (same diagram as slide 10)

14
Interaction between card and issuer
  • If the decision is to go online, a message is
    sent to the issuer
  • Message includes information on the interaction
    between card and terminal
  • Issuer checks that the message is
    cryptographically correct
  • The issuer either approves or declines the
    authorization
  • The response from the issuer can be
    cryptographically authenticated

15
Smart-card Transaction Flow (same diagram as slide 10)

16
Interaction between Card and Terminal, Part 2
  • Based on the result from the issuer, transaction
    is either approved or declined.

17
Smart-card Transaction Flow (same diagram as slide 10)

18
Interaction between card and issuer, part 2
  • If the transaction is approved, a message containing transaction data is sent to the issuer.
  • In case of a dispute, this message can be used by the issuer to prove that the transaction is valid.
  • Same function as a signature for magnetic cards.
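
The authenticated exchange of the Online Authorization slide, the card-issuer interaction of slide 14 and the dispute evidence of this slide, as one added example that is not from the lecture. HMAC-SHA256 truncated to 8 bytes stands in for the MAC algorithm EMV suggests; a single key shared between card and issuer, the JSON message body, the tags `ARQC`/`ARPC`/`TC` and the approval threshold are my simplifications, not the EMV formats. The issuer refuses a request whose cryptogram does not verify (a fake card, or a merchant who edited the amount after the card signed it) or whose counter it has already seen; the card refuses a response that was not computed by the issuer over this exact request; and the approved transaction yields a certificate the issuer can later check in a dispute.

```python
"""Online authorization with MAC-authenticated messages (added example, not from the slides).

HMAC-SHA256 truncated to 8 bytes stands in for the MAC algorithm EMV suggests;
the shared key, JSON body, message tags and approval rule are my simplifications.
"""
import hashlib
import hmac
import json

CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed key shared by card and issuer


def mac(key: bytes, tag: bytes, data: bytes) -> bytes:
    return hmac.new(key, tag + data, hashlib.sha256).digest()[:8]


class Card:
    def __init__(self, key: bytes):
        self._key = key
        self.atc = 0                      # application transaction counter, never decreases

    def request_cryptogram(self, amount: int, currency: str, terminal_nonce: bytes):
        """Sign the transaction data the terminal presented, plus the card's own counter."""
        self.atc += 1
        data = json.dumps({"amount": amount, "currency": currency, "atc": self.atc,
                           "nonce": terminal_nonce.hex()}, sort_keys=True).encode()
        return data, mac(self._key, b"ARQC", data)

    def accept_response(self, data: bytes, code: bytes, response_mac: bytes) -> bool:
        """Only a genuine issuer response covering this exact request is accepted."""
        return hmac.compare_digest(mac(self._key, b"ARPC", data + code), response_mac)

    def transaction_certificate(self, data: bytes, code: bytes) -> bytes:
        """Proof of the completed transaction, forwarded to the issuer for disputes."""
        return mac(self._key, b"TC", data + code)


class Issuer:
    def __init__(self, key: bytes):
        self._key = key
        self.last_atc = 0

    def authorize(self, data: bytes, cryptogram: bytes):
        """Return (code, response_mac), or None if the request is not trustworthy."""
        if not hmac.compare_digest(mac(self._key, b"ARQC", data), cryptogram):
            return None                   # altered in transit, or not from a genuine card
        fields = json.loads(data)
        if fields["atc"] <= self.last_atc:
            return None                   # replay of an earlier request
        self.last_atc = fields["atc"]
        code = b"00" if fields["amount"] <= 1000 else b"05"   # constructed decision rule
        return code, mac(self._key, b"ARPC", data + code)

    def verify_certificate(self, data: bytes, code: bytes, tc: bytes) -> bool:
        return hmac.compare_digest(mac(self._key, b"TC", data + code), tc)


def run_transaction(card: Card, issuer: Issuer, amount: int, merchant_rewrites_to=None):
    """Return (issuer code, card accepted the response, certificate verifies) for one purchase."""
    data, arqc = card.request_cryptogram(amount, "EUR", b"\x0a\x0b\x0c\x0d")   # constructed nonce
    if merchant_rewrites_to is not None:
        # A dishonest merchant edits the amount after the card has computed the cryptogram.
        data = data.replace(b'"amount": %d' % amount, b'"amount": %d' % merchant_rewrites_to)
    result = issuer.authorize(data, arqc)
    if result is None:
        return None, False, False
    code, arpc = result
    accepted = card.accept_response(data, code, arpc)
    tc = card.transaction_certificate(data, code)
    return code.decode(), accepted, issuer.verify_certificate(data, code, tc)
```

The counter on the card is what stops a terminal from simply resubmitting an old request with a valid cryptogram; the terminal nonce in the signed data plays the same role for the response, since the card will not accept an issuer reply computed over some other request.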

19
Post-issuance Adaptations
  • Used to address change in risk
    ◦ Student finds permanent work: risk decreases
    ◦ Client misses a payment on a loan: indicates increased risk
  • Used to change settings
    ◦ PIN change at ATM
  • React to new circumstances
    ◦ Block application if card number is in stop-list

20
Scripts
  • Sent from host to card at online transaction
  • Contains information to be processed by card
  • Standard commands include:
    ◦ Change value of a risk parameter
    ◦ Change off-line PIN
    ◦ Block application
    ◦ Unblock application
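
The four script commands above, processed by a card that accepts them only from the issuer, as an added example that is not from the lecture. The command names, the JSON encoding and the script sequence number are mine, and HMAC-SHA256 truncated to 8 bytes stands in for the MAC algorithm EMV suggests. The card checks the MAC under the issuer key before doing anything and refuses a sequence number it has already seen, which is what keeps a terminal or merchant from forging or replaying a PIN change or a risk-parameter update (the concern raised on the Online Authorization slide).

```python
"""Issuer scripts processed by the card (added example, not from the slides).

Command names, JSON encoding and the sequence number are mine; HMAC-SHA256
truncated to 8 bytes stands in for the MAC algorithm EMV suggests.
"""
import hashlib
import hmac
import json

SCRIPT_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100")   # constructed issuer/card key


def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class CardApplication:
    def __init__(self, key: bytes):
        self._key = key
        self.script_seq = 0
        self.pin = "1234"                                        # constructed
        self.blocked = False
        self.risk = {"offline_limit": 50, "offline_tx_max": 5}   # constructed parameters

    def process_script(self, script: bytes, tag: bytes) -> str:
        if not hmac.compare_digest(mac(self._key, script), tag):
            return "rejected: bad MAC"                           # forged or modified script
        cmd = json.loads(script)
        if cmd["seq"] <= self.script_seq:
            return "rejected: replay"                            # an old script played again
        self.script_seq = cmd["seq"]
        op = cmd["op"]
        if op == "set_risk":
            self.risk[cmd["name"]] = cmd["value"]
        elif op == "change_pin":
            # A real script would carry the new PIN enciphered; it is shown in clear here.
            self.pin = cmd["pin"]
        elif op == "block":
            self.blocked = True
        elif op == "unblock":
            self.blocked = False
        else:
            return "rejected: unknown command"
        return "ok"


class IssuerHost:
    def __init__(self, key: bytes):
        self._key = key
        self.seq = 0

    def build_script(self, **cmd):
        """Return (script bytes, MAC); the terminal forwards both to the card unchanged."""
        self.seq += 1
        script = json.dumps(dict(cmd, seq=self.seq), sort_keys=True).encode()
        return script, mac(self._key, script)
```

Because the MAC check comes first, a modified script is rejected before its sequence number is consumed, so the issuer's next genuine script is still accepted.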

21
EMV: Europay, MasterCard, Visa
  • Necessary to have standards for smart-cards
    ◦ Physical size
    ◦ Electrical connection
    ◦ API for payment applications
  • Any smart-card must be usable anywhere
  • Europay, MasterCard and Visa have created specifications named EMV for this purpose

22
EMV and Cryptography
  • EMV specifies the principles for authentication
    ◦ Card to terminal: static or dynamic
    ◦ Card to issuer: using MACs
  • Suggests algorithms for computation of MAC
    ◦ Providers may use other algorithms

23
Summary
  • Smart-cards solve the security problems
    associated with magnetic-stripe cards.
  • Enables more powerful offline risk control.
  • Whether to process transaction offline or online
    is a joint decision between card and terminal.
  • The EMV specifications ensure worldwide
    acceptance of smart-cards.