On the Security of the EMV Secure Messaging

We present new attacks against the EMV financial transaction security system (known in Europe as “Chip and PIN”), specifically on the back-end API support for sending secure messages to EMV smartcards. EMV is the new electronic payment system designed by VISA and Mastercard and widely deployed throughout Europe in the last 12 months. It aims to eventually supersede magnetic-stripe systems. Customers carry smartcards which, upon payment, engage in cryptographic protocols to authenticate themselves to their issuing bank. At the issuing bank (the “back end” for short), the Hardware Security Modules (HSMs), which are tasked with PIN storage and verification for ATM networks, have been extended to provide new EMV security functionality. The HSMs now authenticate and manage the massive card base, ensuring security in an environment particularly wary of insider attack. The back-end HSMs expose a security Application Programming Interface (security API), which the untrusted banking application layer uses to perform cryptographic operations, and which enforces a security policy on the usage of the secret data it handles. In the last five years, the security of HSM APIs has come under close scrutiny from the academic community, and, recently, a number of HSM manufacturers have made their EMV functionality available for study. The new EMV functionality includes three basic classes of commands: firstly, those to verify authorisation requests and produce responses or denials; secondly, those to manage the personalisation of smartcards during the issue process; and thirdly those to produce secure command messages, which are decrypted, verified and executed by smartcards for the purpose of updating security parameters in the field. This paper concentrates on this last class. Such secure messaging commands are used for many purposes: to change the PIN on a card, adjust the offline spending limits, replace cryptographic keys, or toggle international roaming. We present two attacks, which, together, completely undermine the security of EMV secure messaging, assuming a corrupt insider with access to the HSM API for a brief period. Our first attack allows the injection of chosen plaintext into the encrypted field of a secure message destined for an EMV smartcard (this could be used to update the card’s PIN or session key). The second attack discloses any card-exportable secret data, for instance a unique card authentication key. Only one of the two devices, the IBM 4758 CCA, was found vulnerable to this second class of attack, but it is particularly significant, because it is passive with respect to the card. Therefore, if such an attack were used to defraud a bank, it would be much harder to trace. Both attacks exploit the malleability of the CBC