Breaking and Fixing Unlinkability of the Key Agreement Protocol for 2nd Gen EMV Payments

To address privacy problems with the EMV standard, EMVco proposed a Blinded Diffie-Hellman key establishment protocol. We point out that active attackers were not previously accounted for in the privacy requirements of this proposed protocol, despite the fact that an active attacker can compromise unlinkability. Here, we adopt a strong definition of unlinkability that does account for active attackers and propose an enhancement of the protocol proposed by EMVco where we make use of Verheul certificates. We prove that our protocol does satisfy strong unlinkability, while preserving authentication.
