The Looming EMV "Y2K Moment"
Updated: Oct 5, 2019
The Current State Of EMV Cryptography
The security of modern chip / EMV card in-store payments is fully protected by cryptography.
A symmetric cryptography algorithm (i.e. 3DES) is mandated and used in all types of EMV cards globally, as the basis for creating a unique EMV transaction cryptogram for each transaction. The transaction cryptogram's role is to protect against transaction replay attacks and to ensure the integrity of the EMV transaction data, so that nobody can modify it during transaction authorization, clearing and settlement processing.
On top of the always-present symmetric cryptography, for EMV cards that also need to participate in offline transactions, the current version of the EMV standard mandates the use of Public Key Cryptography, so that POS terminals can perform:
- Offline card authentication, i.e. the ability of the POS to recognize and distinguish genuine cards from counterfeit clones, all without the need to contact the card-issuing host during the transaction. NOTE: the ability to perform offline transactions is a 'must have' feature, especially when EMV cards are used for fast offline public transport payments, where each offline transaction must complete in less than 300ms.
- PIN encryption by the POS terminal, so that the card can execute offline PIN verification.
RSA, as the earliest and most popular Public Key Cryptography algorithm, was chosen as the official public key scheme for EMV cards, and has been used in every payment network's EMV implementation since the EMV standard was introduced about twenty years ago. Each payment network today acts as its own EMV RSA Certificate Authority and maintains its own EMV RSA Public Key hierarchy, in support of the overall standardized EMV RSA-based Public Key Infrastructure (PKI).
How Does EMV POS Terminal Distinguish Genuine Card From The Fake One?
Together with the always-mandatory symmetric 3DES transaction cryptogram key, each offline-capable EMV card is also loaded with a set of unique RSA keys and certificates during card production and personalization:
- The card's unique Card RSA Private Key
- The Card RSA Public Key Certificate (which is the Card RSA Public Key, signed by the Card Issuer RSA Private Key)
- The Card Issuer RSA Public Key Certificate (which is the Card Issuer RSA Public Key, signed by the Payment Network RSA Private Key)
Each POS terminal that is capable of participating in offline EMV transactions is loaded with the Payment Network RSA Public Key (a separate instance for each payment network supported).
The typical offline card authentication algorithm follows a standardized sequence of message exchanges between the POS and the card:
1. The POS first recognizes (using the SELECT command) which payment network's card is being used for the transaction.
2. The POS reads the card's significant data items (using multiple READ RECORD commands), the most important being the Card Number (PAN), the Card RSA Public Key Certificate and the Card Issuer Public Key Certificate.
3. The POS uses the Payment Network RSA Public Key to verify the signature of the Card Issuer Public Key Certificate. NOTE: at this point, if the verification is successful, the POS establishes trust in the Card Issuer RSA Public Key Certificate.
4. The POS then uses the already trusted Card Issuer Public Key Certificate to verify the signature of the Card RSA Public Key Certificate. NOTE: at this point, if the verification is successful, the POS establishes trust in the Card RSA Public Key Certificate.
5. Once the POS trusts the Card RSA Public Key Certificate, it sends the card a RANDOM NUMBER (as the payload of the INTERNAL AUTHENTICATE command).
6. The card produces an RSA signature of the received RANDOM NUMBER data, using its unique Card RSA Private Key, and returns the signature together with the original RANDOM NUMBER to the POS.
7. The POS uses the already trusted Card RSA Public Key Certificate to verify the signature returned by the card. If the signature verifies correctly, the card is proven to be genuine (as this proves that the card contains the Card RSA Private Key matching the Card RSA Public Key Certificate that the POS has trusted since step #4). NOTE: if the returned RSA signature of the RANDOM NUMBER is wrong and cannot be verified, the card is considered counterfeit and the transaction flow is immediately terminated.
At the end of step #7, the POS has fully confirmed that the card is a genuine card, manufactured by the trusted card issuer, and that it can be used for the rest of the EMV transaction flow, which results in the creation of the unique transaction cryptogram.
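The terminal-side checks in steps 2 to 7 can be followed in the sketch below, an added example that is not part of the original article. It assumes textbook RSA over a SHA-256 digest with tiny constructed keys, not the certificate format or signature encoding real EMV cards use, and all names (Card, offline_authenticate, certify) are hypothetical.

```python
import hashlib, secrets

E = 65537
M = lambda k: 2**k - 1  # Mersenne primes for the exponents used below (toy key sizes)

def keypair(p, q):
    """Return (public, private) textbook-RSA keys built from two constructed primes."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    return pow(digest(data, priv[0]), priv[1], priv[0])

def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == digest(data, pub[0])

def certify(signer_priv, subject_pub):
    """Simplified 'certificate': (public key, signer's signature over its encoding)."""
    return subject_pub, sign(signer_priv, b"%d:%d" % subject_pub)

class Card:
    def __init__(self, priv, card_cert, issuer_cert):
        self._priv, self.card_cert, self.issuer_cert = priv, card_cert, issuer_cert

    def internal_authenticate(self, challenge):  # step 6: sign the RANDOM NUMBER
        return sign(self._priv, challenge)

def offline_authenticate(card, network_pub):
    (issuer_pub, issuer_sig), (card_pub, card_sig) = card.issuer_cert, card.card_cert  # step 2
    if not verify(network_pub, b"%d:%d" % issuer_pub, issuer_sig):  # step 3
        return "reject: issuer certificate"
    if not verify(issuer_pub, b"%d:%d" % card_pub, card_sig):       # step 4
        return "reject: card certificate"
    challenge = secrets.token_bytes(8)                               # step 5
    sig = card.internal_authenticate(challenge)
    return "genuine" if verify(card_pub, challenge, sig) else "reject: counterfeit"  # step 7

# Constructed key hierarchy: payment network -> card issuer -> card
net_pub, net_priv = keypair(M(521), M(127))
iss_pub, iss_priv = keypair(M(107), M(89))
card_pub, card_priv = keypair(M(61), M(31))
issuer_cert, card_cert = certify(net_priv, iss_pub), certify(iss_priv, card_pub)
genuine = Card(card_priv, card_cert, issuer_cert)

# Clone A copied both (public) certificates but does not hold the card's private key.
fake_pub, fake_priv = keypair(M(19), M(17))
clone_a = Card(fake_priv, card_cert, issuer_cert)
# Clone B swaps in a self-signed card certificate that matches its own key.
clone_b = Card(fake_priv, certify(fake_priv, fake_pub), issuer_cert)
```

Clone A passes the certificate checks and fails only at the challenge-response in step 7, which is why the terminal's random number matters; clone B is stopped earlier, at step 4.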
The EMV Key Size Challenge
The strength of any Public Key Cryptography algorithm, like RSA in EMV's case, is directly dependent on its underlying key size. The longer the key pairs, the more difficult and challenging it is for fraudsters to 'break' the crypto scheme, i.e. to reverse engineer the 'private key' based on their knowledge of the corresponding 'public key'. As long as that 'reverse engineering' time is proven to be impractically long and expensive compared to the expected financial gain, the security is considered acceptable, i.e. the underlying payments system can be declared to be ultimately secure.
Unfortunately, the improvements in factorization techniques, combined with increases in raw computing power in the last ten years, mainly due to the proliferation of GPUs (allowing an order of magnitude more processing parallelism than traditional CPUs), mean that RSA keys shorter than 1408-bit are already considered practically unsafe and easily breakable for EMV usage. All payment networks have already mandated that Issuers and Acquirers must upgrade the RSA key sizes in their cards and POS terminals respectively to at least 1408-bit as of Jan 2018. Then, starting Jan 2025, the 1408-bit RSA key size will have to be decommissioned and replaced with a 1984-bit key. The anticipated lifetime of the 1984-bit RSA key size would only be until the end of year 2027. That is when EMV's current journey with RSA cryptography will pretty much have to end, because increasing RSA key sizes beyond 1984-bit would exceed the maximum allowed size of the existing EMV standard command and response messages.
This means that handling RSA keys longer than 1984-bit would require a significant redesign of the existing offline card authentication message exchange. The result would be a significant increase in the number of command and response messages needed to transport all RSA keys and signatures out of the card, which would likely jeopardize the existing performance target of 300ms for EMV offline transactions.
To avoid these negative consequences, something must be done between now and the end of 2027 to preserve the existing EMV message structure and not jeopardize the significant investment in the design of the EMV standard protocol.
New Generation EMV Will Move Away From RSA
The new generation of EMV must take advantage of the increased processing capability of constantly improving card chips and POS hardware, and must move away from RSA cryptography toward the apparently much more efficient ECC (Elliptic Curve Cryptography) algorithms, which require approximately an order of magnitude shorter key sizes for the same level of underlying security. Luckily, this will fully eliminate the need for a prohibitively expensive redesign of the underlying EMV message structures, and will preserve both the basics of the existing EMV protocol and offline transaction performance.
As an added bonus, the proposed EMVCo migration toward ECC will also add a secure channel establishment phase between the POS terminal and the ECC-compliant EMV card, which will prevent any 'Man In The Middle' type attacks inside POS devices, currently carried out using various types of wedges and/or shims.
Planning For ‘Y2K like’ EMV Upgrade
The remaining time until the end of 2027 is very short. The payments industry must not underestimate the challenge it is facing, due to the need to:
- Completely replace all currently issued EMV cards based on RSA with new generation cards based on ECC
- Upgrade the software in all EMV-compliant POS terminals to fully support the ECC requirements by the 2027 deadline
This clearly feels like EMV's big 'Y2K moment'.
Although the EMV message structure and basic protocol can be preserved, the fact that ECC digital signature and encryption algorithms are very different from their RSA equivalents implies that significant implementation and testing effort will be required as part of the migration.
This is a daunting task indeed, which must be carefully planned and executed, but there is no obvious alternative. The only question is: how much will EMV's farewell party to RSA cryptography cost, and can the payments card industry survive it?