With over 1.6 billion debit and credit cards in use worldwide, the EMV system (a.k.a. "Chip-and-PIN") has become one of the most important deployed cryptographic protocol suites. Recently, the EMV consortium has decided to upgrade the existing RSA-based system with a new system relying on Elliptic Curve Cryptography (ECC). One of the central components of the new system is a protocol that enables a card to establish a secure channel with a card reader. In this paper we provide a security analysis of the proposed protocol, propose minor changes/clarifications to the "Request for Comments" issued in Nov 2012, and demonstrate that the resulting protocol meets the intended security goals. The structure of the protocol is one commonly encountered in practice: first run a key exchange (which performs authentication and key confirmation) to establish a shared key, and only then use the channel to exchange application messages. Although common in practice, this structure takes the protocol out of the reach of most standard security models for key exchange. Unfortunately, the only models that can cope with the above structure suffer from some drawbacks that make them unsuitable for our analysis. Our second contribution is to provide new security models for channel establishment protocols. Our models have a more inclusive syntax, are quite general, deal with a realistic notion of authentication (one-sided authentication as required by EMV), and do not suffer from the drawbacks that we identify in prior models.