Formal Analysis of the EMV Protocol Suite

Ruiter, Joeri de; Poll, Erik

doi:10.1007/978-3-642-27375-9_7

Cited by 36 publications

(44 citation statements)

References 7 publications

(13 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Therefore, it would be possible for an attacker to send a shop reader a valid SDAD and an invalid AC, which the shop would not discover until it send the AC to the bank for payment, this is known as the DDA wedge attack [19]. For a more detailed description of the EMV protocol we refer the reader to [9].…”

Section: Emv and The Paywave/paypass Protocolsmentioning

confidence: 99%

Relay Cost Bounding for Contactless EMV Payments

Chothia

Garcia

Ruiter

et al. 2015

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. This paper looks at relay attacks against contactless payment cards, which could be used to wirelessly pickpocket money from victims. We discuss the two leading contactless EMV payment protocols (Visa's payWave and MasterCard's PayPass). Stopping a relay attack against cards using these protocols is hard: either the overhead of the communication is low compared to the (cryptographic) computation by the card or the messages can be cached before they are requested by the terminal. We propose a solution that fits within the EMV Contactless specification to make a payment protocol that is resistant to relay attacks from commercial off-the-shelf devices, such as mobile phones. This solution does not require significant changes to the cards and can easily be added to existing terminals. To prove that our protocol really does stop relay attacks, we develop a new method of automatically checking defences against relay attacks using the applied pi-calculus and the tool ProVerif.

show abstract

Section: Emv and The Paywave/paypass Protocolsmentioning

confidence: 99%

Relay Cost Bounding for Contactless EMV Payments

Chothia

Garcia

Ruiter

et al. 2015

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…Recently there has been some formal analysis of EMV, but this flaw was not discovered [5]. The model made two errors.…”

Section: A Emv Protocol Flawsmentioning

confidence: 99%

Be Prepared: The EMV Preplay Attack

Bond

Choudary

Murdoch

et al. 2015

IEEE Secur. Privacy

View full text Add to dashboard Cite

Abstract-EMV, also known as "Chip and PIN", is the leading system for smartcard-based payments worldwide; it is widely deployed in Europe and is starting to be introduced in the USA too. It replaces the familiar mag-strip cards with chip cards. A cryptographic protocol is executed between a chip card and bank servers based on a message authentication code (MAC) over transaction data, including a nonce called the unpredictable number.We discovered two protocol flaws: first, the lack of a terminal ID to identify involved parties, and second that the nonce is not generated by the relying party. Together, these make EMV vulnerable to the pre-play attack: pre-recorded transaction data from a target card can be replayed at a future location. This powerful attack can be exploited due to weak random number generators, by a man-in-the-middle between the terminal and the acquirer, or by malware in an ATM or POS terminal.Our investigation started when we discovered that EMV implementers often used counters, timestamps or home-grown algorithms to supply the nonce. We describe the survey methodology we developed to chart the scope of this weakness, evidence from ATM and terminal experiments in the field, and our proof-of-concept attack implementation. Finally, we explore why these flaws evaded detection until now.

show abstract

“…The technique was successfully used to verify implementations of real-world cryptographic protocols such as TLS [35] and EuropayMasterCard-Visa (EMV) [67]. The underlying analysis using ProVerif is, however, not modular and is less robust and less scalable [36] than type-checking.…”

Section: Related Workmentioning

confidence: 99%

Union, intersection and refinement types and reasoning about type disjointness for secure protocol implementations

Backes

Hriţcu

Maffei

2014

JCS

View full text Add to dashboard Cite

We present a new type system for verifying the security of reference implementations of cryptographic protocols written in a core functional programming language.The type system combines prior work on refinement types, with union, intersection, and polymorphic types, and with the novel ability to reason statically about the disjointness of types. The increased expressivity enables the analysis of important protocol classes that were previously out of scope for the type-based analyses of reference protocol implementations. In particular, our types can statically characterize:(i) more usages of asymmetric cryptography, such as signatures of private data and encryptions of authenticated data; (ii) authenticity and integrity properties achieved by showing knowledge of secret data; (iii) applications based on zero-knowledge proofs. The type system comes with a mechanized proof of correctness and an efficient type-checker.

show abstract

Formal Analysis of the EMV Protocol Suite

Cited by 36 publications

References 7 publications

Relay Cost Bounding for Contactless EMV Payments

Relay Cost Bounding for Contactless EMV Payments

Be Prepared: The EMV Preplay Attack

Union, intersection and refinement types and reasoning about type disjointness for secure protocol implementations

Contact Info

Product

Resources

About