Cardholder Verification Method (CVM) and DDA in EMV Cards

Cardholder Verification Method (CVM)

• Prevents use of lost/stolen card PIN (chip-and-PIN) and signature (chip-and-signature)
• No CVM for low-value transactions only

Public Key Generation and Distribution under DDA

• Illustrates how public keys are generated and distributed under the Dynamic Data Authentication protocol

DDA and PIN Verification

• DDA and PIN verification

Relay Attack on EMV Cards

• EMV cards vulnerable to relay attacks launched via malicious POS terminals

ISO/IEC 9798-4 Standard

• Key-based authentication using message authentication codes standardized in ISO/IEC 9798-4 document

One-time Password (OTP)

• Example authentication protocol using MAC, commonly implemented for Internet banking
• Vulnerable to Man-in-the-Middle (MiTM) attack if attacker is able to place himself between customer and bank’s server, e.g., via phishing attack

Authenticated Key Establishment (AKE) Protocols

• After successful authentication, secure communications often require AKE protocols
• AKE protocol consists of:
  • Authentication: Using long-term keys or passwords to verify identities of communicating parties
  • Key establishment: Establishing short-term session keys for connection session
• Session key protects subsequent communications using authenticated encryption, achieving notion of secure channel, e.g., TLS, SSH, IPsec, VPN

Key Establishment Protocols

• Categorized into key transport or key agreement protocols

Decentralized vs. Centralized

• Administrator can be malicious

Storing Hashed Passwords

• Stored using cryptographically secure hash function h()
• Vulnerable to attacks, e.g., rainbow tables

Using Salt

• Adding random bits (salt) to password makes pre-computed rainbow tables infeasible

Dictionary Attack

• Even salted hashed passwords can be vulnerable to dictionary attacks with increasing computing power
• Skillful attackers can recover even long passwords

NIST’s New Password Guidelines

• Issued in 2017, regarding digital identity guidelines

Alternative Approach by Bruce Schneier

• Recommends scheme to create strong password

Key Derivation Functions

• Used to further slow down dictionary and brute-force attacks
• Generate password hashes, controlling amount of time to verify a single password guess
• Example: SCrypt KDF, designed to use large amounts of RAM to thwart password attacks using custom-built parallel circuits like ASIC and GPU

Example Password Hashes in Cisco Devices

• Options for storing hashed passwords in Cisco devices
• Hashed password is base64-encoded, with type of algorithm identified by number at the beginning of the string

Cisco’s Base64 Encoding

• Different base64 table used

Key-Based Authentication

• Implemented using keys stored in secure devices, a “what you have” type of authentication
• Implementation options: symmetric-key encryption, digital signatures, MACs

Earliest Key-Based Authentication Protocol

• Implemented in IFF system, a simple challenge-response protocol using a secret key
• Mutual authentication with IFF: to prevent friendly fighters from shooting down each other
• Vulnerable to reflection attacks

ISO/IEC 9798-2 Standard

• Key-based authentication using secret-key encryption standardized in ISO/IEC 9798-2 document