Building General-Purpose Security Services on EMV Payment Cards

  • Conference paper
Security and Privacy in Communication Networks (SecureComm 2012)

Abstract

The Generic Authentication Architecture (GAA) is a standardised extension to the mobile telephony security infrastructures that supports the provision of security services to network applications. We have proposed a generalised version of GAA which enables almost any pre-existing infrastructure to be used as the basis for the provision of generic security services, and have examined a GAA instantiation supported by Trusted Computing. In this paper we study another instantiation of GAA, this time building on the widely deployed EMV security infrastructure. This enables the existing EMV infrastructure to be used as the basis of a general-purpose authenticated key establishment service in a simple and uniform way, and also provides an opportunity for EMV-aware third parties to provide novel security services. We also discuss possible applications and issues of privacy and trust.

This work was partially sponsored by the National Natural Science Foundation of China under Grant (No. U1135004 and 61170080), the Guangdong Province Universities and Colleges Pearl River Scholar Funded Scheme (2011), the Guangzhou Metropolitan Science and Technology Planning Project (No. 2011J4300028), the Fundamental Research Funds for the Central Universities (No. 2009ZZ0035 and 2011ZG0015), the Guangdong Provincial Natural Science Foundation (No. 9351064101000003) and the High-level Talents Project of Guangdong Institutions of Higher Education (2012).




Copyright information

© 2013 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Chen, C., Tang, S., Mitchell, C.J. (2013). Building General-Purpose Security Services on EMV Payment Cards. In: Keromytis, A.D., Di Pietro, R. (eds) Security and Privacy in Communication Networks. SecureComm 2012. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 106. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-36883-7_3


  • DOI: https://doi.org/10.1007/978-3-642-36883-7_3

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-36882-0

  • Online ISBN: 978-3-642-36883-7

  • eBook Packages: Computer Science, Computer Science (R0)
