Another model that the UK could try
By Dave Birch posted Oct 13 2009 at 6:18 PM[Dave Birch] I'm going provide a case study on the use of multi-application smart cards with EMV "chip and PIN" software on them that I think contains some useful nuggets for us in the UK to ponder over, because the case study is about combining payment (EMV) and digital signature (PKI) applications on the same card.
Identity folks will have to understand a little about the payment folks' EMV standard to understand the dynamics. There are actually three flavours of EMV, the international card scheme standard for chip transactions. These are Static Data Authentication (SDA), Dynamic Data Authentication (DDA) and Combined Data and Application Cryptogram (CDA). Most of the cards out on the streets in the UK are SDA cards without enciphered PIN (the PIN is not encrypted from the PIN pad into the card).
SDA cards are cheapest, which is why our banks issue them, but they can be cloned and used in terminals that are offline, so they are a security risk. DDA cards are not vulnerable in this way, but they are more expensive, both because the cards are more sophisticated -- they have a cryptographic co-processor to handle asymmetric cryptography and take longer to "personalise" -- but UK banks will have to replace SDA with DDA by end of 2010 (indeed, Consult Hyperion work with banks to help them to migrate in a cost-effective way). CDA cards cost the same as DDA, but still need to be planned for.
For technical reasons, CDA cards are more secure than DDA cards. Why? Because CDA protects against the "wedge attack". It is possible to insert a device that would let a genuine DDA card generate a legitimate digital signature but then intercept the request for an application cryptogram and return a bogus one for a different amount to the terminal. The terminal would carry on regardless. This is not possible with CDA since both the DDA signature and cryptogram are delivered by the card at the same time.
OK, so all this is well-known, but why does it matter to the digital ID world? Well, if a bank goes to the expense of issuing DDA or CDA cards, then the presence of re-usable cryptographic software and the cryptographic co-processor mean that it is a minimum of cost and complexity for the card to carry an additional PKI application as well as the EMV application. Almost all of the PKI application's "guts" are already on the card because they are used by the EMV application. What's more, the card can generate its own key pairs (which is very good for security) and then, provided you have the infrastructure, third parties can sign the card's public key(s) to create a wide variety of public key certificates to deliver interesting services. The card can store these certificates if it has enough memory or store pointers to the certificates online somewhere if it doesn't.
Here's a real example.
Brazil is one of those markets that we need to pay attention to. They've had an ambitious national PKI programme running for a while and are committed to online services and e-government. It's also growth market for payments, a potential battleground between bank-led and mobile-led money transfer, a laboratory for agent-based banking and a major influence on the rest of Latin America as well as being a huge market in its own right. So I'm always curious to see how things are developing there.
Banrisul is the largest bank in the south of Brazil, with over 3m customers, 3000 ATMs and 100,000 POS terminals. A few years ago, they decided to migrate their payment cards to EMV (the terminals in Brazil have mostly been upgraded already -- the last couple of times I've been there I used my UK chip and PIN cards without a problem) and, unlike a great many other banks, they decided to do it properly. They decided to issue CDA cards with enciphered offline PIN. So then they began to look around for other applications that they could put on the same card to make it better, deliver new services, reduce churn or whatever might help with the business case.
Meanwhile, back in 2001, the government of Brazil started developing a national PKI (ICP in Portugese) and had created a national CA together with the legal infrastructure needed to make it all work. About 2m national certificates have already been issued (in total, I mean, not to Banrisul customers) and these are mainly used filing tax returns (about 20m so far).
Brazil has entered the 21st century making clear choices with regard to some core technological matters and reflecting these choices in an objective political framework... The choices were for an authentication technologies framework based on a national public key infrastructure in which the public and the private intertwine...
[From Three Cheers for João-de-Barro at Marcelo Thompson]
The states began to develop their own CAs and RAs (AC and AR in Portugese) -- there are now more than 1,000 CAs -- so Banrisul decided to make a PKI application that worked with the national PKI. They put a PKI application with a bank certificate on each card they send out. The customers can then go to a bank branch and use this certificate to obtain a state government certificate (the bank's branches are all RAs) and then use this to obtain a national certificate.
The bank also decided to give out free smart card readers. They are simple, cheap USB readers to work with a browser plug-in. When customers make online transactions using their smart cards, they get higher transaction limits. Customers are therefore using the same card, same reader and same PIN to log on to their bank and to buy stuff: a straightforward way to have more security.
Next year, the bank expects to issue another 1.5m cards and upgrade some customers' from the simple USB card readers to readers with secure built-in keypads and displays for even higher security. Meanwhile, some of the banks here have not even started to roll out the already dated EMV-based 2FA (Visa's DPA and Microsoft's CAP).
Most significantly, [hackers] are now undeterred by systems that create temporary passwords, such as RSA’s SecurID system, which involves a small gadget that displays a six-digit number that changes every minute based on a complex formula. If you computer is infected, the Trojan zaps your temporary password back to the waiting hacker who immediately uses it to log onto your account.
[From How Hackers Snatch Real-Time Security ID Numbers - Bits Blog - NYTimes.com]
There's no doubt in my mind that end-to-end hardware-based encryption and authentication is mopre secure, more flexible and more effective than the always intended to be a stopgap "token authentication", but what does this have to do with the UK? The UK is in the throes of developing a national identity management system but it has an architecture centred on the ID card and the ID register. But there are two other obvious secure computing platforms that should form part of the infrastructure: bank-issued EMV cards and mobile operator-issued SIM cards (EMV cards and SIM cards are actually the same chips but with different application software). And the use case for the public is using the card, not using digital certificates, which really should be the heart of the transactional components.
Why should we consider this architecture? Well, the government here is very muddled about national identity infrastructure. The current system jumbles about passports and identity cards and delivers few compelling use cases. The next administration will certainly want to alter the cost-benefit equation in some way. Suppose that the vision for national identity focused on the certificate rather than the card or biographical details? Then, as a user of the scheme, I might have a certificate on my purpose-built national identity card (so that's a minority of the population taken care of), I might have a certificate on my bank card (so that's the overwhelming majority of the population taken care of) and I might have a certificate in my mobile phone (so that's 99.9% of the population taken care of).
The Spanish Ministry of Industry, Tourism and Commerce will distribute around 500,000 electronic ID information packs across the country... The information packages will contain an electronic ID card reader, an installation CD and the software for service use on computers, as well as information manuals.
[From 'Spain govt offers 500,000 electronic ID information packs']
The government could give out free smart card readers (as they do in Spain) or leave it to the banks to distribute them. In practice, I think the example set by a modern country such as Turkey is most attractive: I log in to the government with some ID number, the government sends a message to my mobile phone (over-the-air or via NFC in the future), the PKI in my SIM decodes the challenge and signs the response, and I'm connected. Securely and simply. And if other service providers want me to log in in the same way, they can issue their own certificates as well.
There's another point to be made here, too: why not just use PKI-based identity management and forget about EMV for remote transactions? It's a good point, but it's a topic for another day, such as November 4th, when I'll be chairing at ID WORLD -- see you there!
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]
On the issue of fraud with chip & pin, Steven Mason and Roger Porkess have just published an article on a survey of losses at http://www.newlawjournal.co.uk/nlj/content/chip-pin-fallacies .
An upgrade to the card security to address the cloning problem can't come soon enough, it seems. The number of potential frauds seems too high for comfort. I'm not sure if my reading is right, but it seems that people have somewhere between a 6% and 20% chance of having some fraudulent transactions.
[Dave Birch] Thanks for the pointer, very interesting read.
Posted by: Iang (chip & pin fallacies) | 16/10/2009 at 04:31 PM