Banking microprocessor cards - Introduction

Tomcat

Smart cards are entering our lives ever more decisively. Cell phones, access control systems, e-tickets, information security systems, voting systems, e-passports and various identification cards, bank cards, cars and satellite TV are just a few examples of their applications. Several billion smart cards are in circulation in the world today. These are mainly SIM/UICC cards (Subscriber Identity Module / Universal Integrated Circuit Card) for cell phones, bank cards, cards for paying for public transport, payphone calls and commercial television services, cards for government tasks (social cards, electronic passports, etc.) and cards for information security tasks.

According to the estimates of the European association Eurosmart, in 2008 the leading manufacturers of chips for microprocessor cards (Infineon, Renesas Technology, STMicroelectronics, NXP Semiconductors, Samsung, Atmel, etc.) produced more than five billion smart cards. Before the latest global financial crisis, smart card sales were growing at a rate of 15% per year.

The capabilities of smart cards are also growing. Today, 0.13 and 0.18 micron design rules are often used for their manufacture. Microprocessors built to such design rules can have 4-8 KB of RAM, up to 64-128 KB of non-volatile rewritable EEPROM memory, and a 32-bit CPU operating at a clock frequency of up to 33-66 MHz.

The new characteristics of the card, in turn, allow the use of new technologies. The set of functions that ensure the safety of operations performed with the use of smart cards is expanded, and the characteristics of the communication subsystem of the card are improved. The smart card is gradually establishing itself as a secure general-purpose hardware and software platform, becoming an integral part of a variety of information systems. At the same time, the security of computing and the mobility of a smart card (the ability to carry the card with you, for example, in a pocket of clothes) remain its main advantages over alternative computing means.

The most important condition for the mass distribution of smart cards is the availability of standards that define their characteristics and functionality. Today the ISO/IEC 7816 standard is the basic standard for all types of cards produced. It is general in nature, defining the requirements for the electrical and mechanical parameters of the card, the communication protocols, the file structure, the data elements and the smart card command set. Therefore, in particular areas of activity, specialized standards appear that refine ISO/IEC 7816 for specific applications. An example of such a refinement of ISO/IEC 7816 in the field of cashless payments is the EMV specifications, which are described in a significant part of this book.

The purpose of this book is to give the reader a general, systematic understanding of the microprocessor cards used in banking. It can be viewed as a guide to the four voluminous books of the EMV standard and the specifications of payment systems created on their basis. The book provides a first insight into the open operating systems used in microprocessor cards, as well as the universal GlobalPlatform, which is used for the secure remote loading, installation and deletion of applications and their configuration after the card is issued. The role of GlobalPlatform is constantly growing. Today it occupies an important place not only in loading applications onto bank microprocessor cards, but also in mobile payments and other applications.

Finally, an entire chapter of the book is devoted to describing the current state of affairs in the field of contactless bank payments.

The book contains a systematic description of the EMV standard. The emphasis is placed on its most important aspects; the subtleties and implementation features of the underlying methods and algorithms are revealed. It analyzes the impact of migration to microprocessor cards on the security of card transactions and on the bank's processing system, and offers recommendations on choosing solutions for a bank's migration to microprocessor cards.

The first chapter provides an overview of card technology. It describes the architecture of the payment system, its participants, and the distribution of functions and responsibilities between them. It provides information on the main international standards used for magnetic stripe cards and microprocessor cards, and on the inter-host data exchange standard underlying the interfaces between banking processing centers and all known payment systems.

A significant place in the first chapter is occupied by the problem of the security of operations performed with the use of magnetic stripe cards. The classification of the existing types of fraud is presented. It describes the main means of combating card fraud available in the framework of magnetic stripe cards.

The second chapter provides general information on microprocessor cards. It describes the architecture of the microcircuit, its main elements and their characteristics, and the production process of microprocessor cards. A general description is given of the communication protocols used in chip cards and of the card initialization process at the beginning of a payment transaction. In addition, it provides an introduction to the Java Card and MULTOS multi-application operating systems, as well as GlobalPlatform, which provides secure loading, installation and uninstallation of card applications.

In the second chapter, considerable attention is paid to the physical security of a microprocessor card, various types of physical attacks and ways to counter them. The chapter ends with a description of the general trends in the development of microprocessor cards.

The third chapter describes the basics of the logical architecture of microprocessor cards. It gives a detailed account of the card's file structure, the commands used, the algorithms for authenticating the card, the mechanisms for ensuring the integrity and confidentiality of information exchange between the card and the issuer, and the algorithms for calculating application cryptograms, which serve as proof that the operation took place and of its result. When describing the functions of the EMV card application, explanations are given that allow the reader to understand in detail the operation of the algorithms and protocols by which these functions are implemented. The description is based on the latest version of the standard, EMV 4.2.

The fourth chapter describes in detail the main stages of transaction processing, starting with the choice of technology used to execute the transaction and ending with the description of the Issuer Script Processing procedures and the generation of an application cryptogram.

The fifth chapter is devoted to the procedures for personalizing microprocessor cards. A description of the life cycle of a microprocessor card and the main elements of the EMV Card Personalization Specification is given.

The sixth chapter examines the impact of migration to microprocessor cards on the bank's systems. Possible formulations of the migration problem and the choice of methods for card authentication and cardholder verification are discussed in detail, and requirements for the payment terminal are given. Attention is paid to the issue of compatibility between terminal and card applications.

An analysis is presented of the real security of operations with microprocessor cards in today's payment infrastructure and of how the use of microprocessor cards makes it possible to fight the main types of card fraud. The issues of key management, the choice of the hardware and software platform of the microprocessor card and the configuration of its application, and the impact of migration on the bank's processing system are also covered.

The seventh chapter is devoted to contactless cards. It discusses the reasons why payment systems and banks are interested in contactless cards, and details the physical principles underlying contactless card technology, the ISO 14443 standards, the EMV Contactless Communication Protocol, the EMV Entry Point Specification, and the MasterCard PayPass and VISA Contactless standards. The chapter ends with a description of the NFC protocol and methods of implementing contactless payments using cell phones. Various models of using the GlobalPlatform platform for loading a payment application onto the SIM/UICC card of a cell phone are also considered.

The eighth chapter contains a comparison of the most well-known EMV applications (M/Chip, VSDC, CPA) in terms of their functionality, transaction security, and implementation features.

Accepting Kozma Prutkov's thesis about the impossibility of grasping the immense, the author limited himself to a detailed presentation of only the EMV standard, periodically dwelling on the features of its implementation in the specifications of the leading payment systems. Chapter 8 only summarizes the implementation features of the EMV standard in the VSDC, M/Chip 4 and CPA applications. The book contains no detailed description of the listed applications. At the same time, the reader can be confident that once they understand the basics of EMV smart cards and the information in Chapter 8, they will have no difficulty in mastering the application specifications for smart cards from the leading payment systems.

The book includes two appendices. Appendix A summarizes the mathematical foundations of cryptography. The definitions of the basic concepts of algebra (groups, rings, fields) are given and the most important results underlying cryptography are presented. These results are presented at an elementary level accessible to a reader without a university mathematical education. Thus, armed with the necessary perseverance, every reader will be able to understand the inner workings of the cryptographic algorithms used in the EMV standard, at a level that allows them to independently assess the cryptographic strength of the information protection methods used in EMV, as well as the time required to implement these methods using various hardware and software.

Appendix B covers the basic concepts used in cryptography, a brief overview of symmetric and asymmetric encryption algorithms, and a description of the approach to assessing the cryptographic strength of encryption algorithms.

Many names have been invented for smart cards (smart card, chip card, microprocessor card), and they will be used interchangeably throughout this book. Here the terms "smart card" and "chip card" are used for all types of cards that use a microcircuit for processing operations. Microprocessor cards are smart cards whose microchip contains a processor capable of performing various types of computation. Thus, a microprocessor card is capable of independently making the decisions programmed into it by its issuer, without contacting the issuer.

In the book, along with translations into Russian of terms used in the standard, their English counterparts are used. This is done so that the reader can confidently find these terms in the specifications of EMV and payment systems. In addition, many of these terms have already become elements of card slang, and specialists in the field of plastic cards often use them in English.

When describing the various procedures used in processing a transaction performed with a card, the terms "procedure failed" and "procedure was unsuccessful" are used. The difference between them is significant. "The procedure was unsuccessful" means that during the processing of the operation there were no conditions under which the procedure could be executed at all. "The procedure failed" means that the procedure was actually performed and ended with a negative result.

Let us illustrate this with the example of the cardholder verification procedure. If, during the processing of the transaction, none of the conditions for verifying the cardholder were met, the verification procedure is said to have been unsuccessful (for example, the terminal analyzed all the conditions specified by the issuer for cardholder verification, none of them held, and as a result no verification was carried out). If the cardholder was verified, for example, using the offline PIN verification method and the entered PIN value turned out to be incorrect, then the terminology "verification procedure failed" is used.

Issuer authentication is a similar example. If the terminal is unable to send an authorization request to the issuer, or if the issuer did not generate a response cryptogram, issuer authentication cannot be performed and is said to have been unsuccessful. If the cryptogram was delivered to the card and the card's verification of it showed that the cryptogram was incorrect, then issuer authentication is said to have failed.
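The three-way distinction above (successful, failed, unsuccessful) for both cardholder verification and issuer authentication, as an added illustration that is not from the book. The CVM rule format, the condition names and the cryptogram values are simplified constructions, not the EMV-encoded CVM List or ARPC format.

```python
"""Added example: models 'unsuccessful' (procedure could not run) versus
'failed' (procedure ran and returned a negative result) for two EMV
procedures. Rule format and condition names are constructed for this
example; they are not the EMV-encoded CVM List."""
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    SUCCESSFUL = "successful"      # procedure ran and passed
    FAILED = "failed"              # procedure ran, negative result
    UNSUCCESSFUL = "unsuccessful"  # no condition allowed it to run


@dataclass(frozen=True)
class CvmRule:
    method: str         # constructed: "offline_pin", "signature", "no_cvm"
    condition: str      # constructed: "always" or "if_over_amount"
    amount_limit: int = 0


def condition_met(rule, amount, terminal_supports):
    """A rule applies only if the terminal supports its method and its
    issuer-specified condition holds for this transaction."""
    if rule.method not in terminal_supports:
        return False
    if rule.condition == "always":
        return True
    if rule.condition == "if_over_amount":
        return amount > rule.amount_limit
    return False


def cardholder_verification(cvm_list, amount, terminal_supports, pin_correct):
    for rule in cvm_list:
        if not condition_met(rule, amount, terminal_supports):
            continue                      # try the next issuer rule
        if rule.method == "offline_pin":  # performed: result decides
            return Outcome.SUCCESSFUL if pin_correct else Outcome.FAILED
        return Outcome.SUCCESSFUL         # signature / no CVM: nothing to check offline
    return Outcome.UNSUCCESSFUL           # no rule applied: never performed


def issuer_authentication(received_cryptogram, expected_cryptogram):
    """received_cryptogram is None when no online response (or no
    cryptogram in it) reached the card: authentication is not performed."""
    if received_cryptogram is None:
        return Outcome.UNSUCCESSFUL
    return Outcome.SUCCESSFUL if received_cryptogram == expected_cryptogram else Outcome.FAILED
```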

Finally, we note that the book will use the term "transaction", well known to banking professionals. This term refers to an operation performed using a plastic card. Examples of a transaction are a cashless purchase using a card, a cash withdrawal at an ATM, etc. Sometimes, alongside this term, the book uses its synonym, the term "operation". Therefore, when the book says "processing an operation", it means performing a transaction using a card.

This publication is intended for professionals in the field of information technology and banking services.