The Current State Of EMV Cryptography

  • Milos Dunjic , AVP, Payments Innovation Technology Solutions at TD Bank Group

  • 20.11.2017 06:45 am
  • undisclosed , Milos Dunjic is technology executive fascinated with and focused on payments and digital innovation. All opinions are his own and not of his employers

The current version of EMV standard mandates the usage of Public Key Cryptography, for ability of POS terminals to perform offline card authentication (important in transit use cases) and for encrypting PIN by POS, for offline PIN verification by the card. The RSA has been chosen as the official Public Key Cryptography algorithm, in every payment network’s EMV implementation, since EMV was introduced twenty years ago. Each payment network today acts as Certificate Authority and maintains its own Public Key hierarchy, in support of the overall standardized EMV Public Key infrastructure.

The EMV Key Size Challenge

The strength of any Public Key Cryptography algorithm is directly dependent on its underlying key size. The longer the key pairs, the more difficult and challenging it is for the fraudsters to ‘break’ the crypto scheme, i.e. to calculate the ‘private key’ based on their knowledge of corresponding ‘public key’. As long as that ‘calculation’ time is proven to be impractically long and expensive, compared to the expected financial gain, the security is considered acceptable, i.e. the underlying payments system can be declared to be secure.

The improvements in factorization techniques, combined with increases in raw computing power in last ten years, mainly due to the proliferation of GPUs (allowing an order of magnitude more processing parallelism than traditional CPUs), mean that RSA keys shorter than 1408-bit are already considered unsafe for EMV usage. All payment networks have already mandated that Issuers and Acquirers must upgrade the RSA key sizes in cards and POS terminals respectively, to 1408-bit as of Jan 2018. Then, starting Jan 2025, the 1408-bit RSA key size will have to be decommissioned and replaced with 1984-bit key. The anticipated lifetime of RSA 1984-bit key size would only be until the end of year 2027.

That’s when the EMV’s journey with RSA cryptography will end pretty much, because trying to increase RSA key sizes beyond 1984-bit, will exceed the maximum allowed size of the EMV standard command and response messages and require complete redesign of the protocol and command / response message structures. During the next ten years, something must be done, in order to preserve the existing EMV message basic structure and not to jeopardize huge investments already made into the design of the EMV standard.

New Generation EMV Will Move Away From RSA

The new generation of EMV must take advantage of the increased processing capability of the constantly improving card chips and POS hardware, and must move away from RSA toward apparently much more efficient ECC algorithm (Elliptic Curve Cryptography), which requires approximately an order of magnitude shorter key sizes, for the same level of security. Luckily this will fully eliminate the need for prohibitively expensive redesign of the underlying EMV message structures and will preserve the basics of the existing EMV protocol.

As an added bonus, the proposed EMVCo migration toward ECC will also feature an addition of secure channel establishment phase, between the POS terminal and the ECC compliant EMV card, which will prevent any ‘Man In The Middle’ type attacks inside the POS devices, currently being done by using various types of wedges and/or shims.

Planning For ‘Y2K like’ EMV Upgrade

Ten years is a very short time. The payments industry shall not underestimate the challenge it is facing, due to the need to completely replace all currently issued EMV cards with new generation cards and to upgrade software in all of the EMV compliant POS terminals to fully support the ECC requirements by the 2027 deadline. This is clearly the EMV’s big ‘Y2K moment’.

Although the EMV message structure and basic protocol can be preserved, the fact that ECC digital signature and encryption algorithms are very different than the RSA equivalents, implies that significant retesting effort will be required as part of the migration. Addition of the secure channel establishment phase, on top of the basic EMV protocol, additionally complicates the transition.

This is daunting task indeed, which must be carefully planned and executed, but there is no obvious alternative. The only question is – how much will the EMV’s farewell party to RSA’s cost?

Other Blogs