7.8 Design criteria for CVM

This section outlines the impact on the ICC architecture of the following CVMs: enciphered PIN verified on-line, plaintext PIN verification performed by ICC, and enciphered PIN verification performed by ICC. We analyze the computational and EEPROM requirements of each of these CVMs, which can affect the ICC price and consequently the choice of a CVM for an EMV card application. We also present principles for the issuer's definition of the CVM List in the card application, depending on the type of financial service and the type of payment product (debit or credit).

7.8.1 Enciphered PIN verified on-line

The ICC is not involved in the implementation of an "Enciphered PIN verified on-line" CVM. It is the IH that verifies the correctness of the PIN introduced by the cardholder at the terminal. The secure keyboard of the terminal encrypts the PIN, and the corresponding cryptogram is included in the authorization message sent on-line to the issuer. In order to support this CVM, the acquirer has to guarantee two conditions:

  1. The on-line connection of the terminal to the AH, and through the payment system network to the IH;

  2. The management of the cryptographic material for transporting the PIN cryptogram along the path between the terminal and the AH and from this host to the corresponding node allocated to the acquirer in the payment system's network.

If the CVM fails, the issuer decides the response code sent back to the terminal in the authorization response message and the management of the cardholder's remaining PIN tries. The PIN Try Counter in the ICC is not modified, either in case of failure or in case of success.

The cardholder should not be aware whether a PIN is validated on-line or off-line or whether the ICC or the magnetic stripe technology is used for this validation. Therefore, the issuer should make the necessary provisions to guarantee that the same PIN applies for the same application regardless of the type of environment and the type of technology used to perform a transaction for a certain financial service.

7.8.2 Plaintext/enciphered PIN verification by ICC

In case the card application adopts as the CVM either the "plaintext PIN verification performed by ICC" or "enciphered PIN verification performed by ICC", the issuer must implement the following functionality in the card:

  • The VERIFY command is mandatory for implementation in the ICC.

  • The management of the PIN Try Counter (PTC), consisting of several actions:

    • Each consecutive unsuccessful trial of the PIN must decrease the value of the PTC.

    • Reaching the threshold of 0 for the PTC must block the PIN and the card will answer the VERIFY command with an error code.

    • The reset of the PTC to the value indicated by the parameter PIN try limit (which usually has a value of 3) can be explicitly performed by the issuer during an on-line transaction via an issuer script, when PTC = 0, or through a successful verification of the PIN before PTC = 0.

  • In case "enciphered PIN verification performed by ICC" is implemented as CVM, the VERIFY command transports the RSA envelope containing the enciphered PIN. The terminal computes this envelope with the public key contained in the ICC PIN Encipherment Public Key Certificate. This certificate is produced with the issuer private key. The corresponding public key of the issuer can be retrieved from the issuer public key certificate, produced by the CA. Consequently, the ICC must store both these certificates in the publicly readable application elementary files listed in the AFL.

The operating system of the ICC must enforce an access control mechanism such that the reference PIN cannot be read from outside the ICC unless the tamper resistance of the chip is broken.
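To make the PTC rules above concrete, the following Python model of the ICC side of the VERIFY command for the plaintext CVM is added here; it is not code from the book or from any card operating system. It assumes the EMV plaintext PIN block layout (control nibble 2, PIN length, PIN digits, 'F' padding) and the ISO 7816-4 status words '9000', '63Cx' and '6983' where the text above only says "an error code"; the class and method names are hypothetical.

```python
import hmac

# Status words modelled on ISO 7816-4 / EMV Book 3 (an assumption of this example;
# the text above only speaks of "an error code").
SW_OK = 0x9000          # PIN verified; the PTC is reset to the PIN try limit
SW_BLOCKED = 0x6983     # PTC already 0: PIN blocked until an issuer script resets it
SW_WRONG_BASE = 0x63C0  # '63Cx': verification failed, x tries remaining (x = 0: now blocked)


def plaintext_pin_block(pin: str) -> bytes:
    """Build the 8-byte EMV plaintext PIN block: nibble 2, length, digits, 'F' padding."""
    if not (4 <= len(pin) <= 12) or any(c not in "0123456789" for c in pin):
        raise ValueError("PIN must be 4 to 12 decimal digits")
    return bytes.fromhex(f"2{len(pin):X}" + pin.ljust(14, "F"))


class IccPinApplication:
    """Persistent (EEPROM-like) state of a hypothetical card application."""

    def __init__(self, reference_pin: str, pin_try_limit: int = 3):
        self.pin_try_limit = pin_try_limit
        # Reference PIN block: private to the card OS, never readable over the interface.
        self._reference_block = plaintext_pin_block(reference_pin)
        self.ptc = pin_try_limit

    def verify(self, pin_block: bytes) -> int:
        """Process a VERIFY command and return the status word the card sends back."""
        if self.ptc == 0:
            return SW_BLOCKED
        # Consume the try before comparing and restore it only on success, so that
        # cutting power in the middle of the command cannot preserve a failed try.
        self.ptc -= 1
        if hmac.compare_digest(pin_block, self._reference_block):  # constant-time compare
            self.ptc = self.pin_try_limit
            return SW_OK
        return SW_WRONG_BASE | self.ptc

    def issuer_script_reset_ptc(self) -> None:
        """Models the issuer script that resets the PTC during an on-line transaction."""
        self.ptc = self.pin_try_limit


if __name__ == "__main__":
    card = IccPinApplication("1234")  # constructed sample reference PIN
    for attempt in ("0000", "1111", "2222", "1234"):
        print(attempt, hex(card.verify(plaintext_pin_block(attempt))))
    card.issuer_script_reset_ptc()
    print("after issuer script", hex(card.verify(plaintext_pin_block("1234"))))
```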

7.8.3 Requirements for the implementation of various CVM

Table 7.2 compares the resources needed by the ICC to support enciphered PIN verified on-line, plaintext PIN verification performed by ICC, and enciphered PIN verification performed by ICC, in terms of network resources, computational power, and EEPROM space. The computational power and the EEPROM space have an impact on the ICC price.

Table 7.2: Resources Needed for the CVM Support

| CVM | Network Resources | Computational Power | EEPROM Needs |
|---|---|---|---|
| Enciphered PIN verified on-line | Network connection to the issuer, with symmetric key management | None | None |
| Plaintext PIN verification performed by ICC | None | None | Space for the PIN block (8 bytes) |
| Enciphered PIN verification performed by ICC | None | The possibility of performing RSA operations with a cryptographic coprocessor | The byte length of two RSA moduli (256 bytes for a modulus bit length of 1,024 bits), plus space for the PIN block (8 bytes) |

It is important to note that if the "enciphered PIN verification performed by ICC" CVM is implemented in a card already implementing off-line static CAM, then that card has to provide supplementary EEPROM space only for the storage of the ICC PIN Encipherment Public Key Certificate. The certificate of the CA on the public key of the issuer is the same as that for the offline static CAM. In this case, however, the ICC has to have a cryptographic coprocessor in its architecture for decrypting the RSA envelopes transporting the enciphered PIN.

If an ICC accepts off-line dynamic CAM and the RSA primitive is suitably chosen, then the same ICC key pair used for producing digital signatures within DDA can also be used for decrypting the RSA envelopes that carry the PIN. In this case no supplementary EEPROM space is needed for the "enciphered PIN verification performed by ICC" CVM. Otherwise, the EEPROM space has to be supplemented with the length N_I of the RSA modulus used to generate the ICC PIN Encipherment Public Key Certificate. Usually, an ICC implementing off-line dynamic CAM also implements the "enciphered PIN verification performed by ICC" CVM. This CVM guarantees the protection of the PIN's confidentiality on the interface between the terminal and the ICC.

Note that the "plaintext PIN verification performed by ICC" CVM is sensitive to eavesdropping, even when the terminal is equipped with a secure keyboard, since the PIN leaves the terminal in clear. The attacker's task is to tap into the communication between the ICC and the terminal. In practice, however, this threat is difficult to mount unless the terminal has been modified so that a logger can be inserted on the communication interface between the ICC and the terminal without the modification being visible.

7.8.4 Criteria for the definition of the CVM List

The issuer considers several criteria when defining the CVM List in the card:

  • The type of financial service for which the application is issued;

  • The type of card application product and its eventual affiliation to a certain brand, which has its own recommendations regarding the list of acceptable CVM;

  • The technological possibilities of the chip in terms of computing power and EEPROM space.

Considering the criteria listed above, the definition of the CVM List may take into account the guidelines contained in Table 7.3.

Table 7.3: Guidelines for the CVM List Definition

| Card Product | Financial Service | List of Possible CVM |
|---|---|---|
| ATM-only debit card | ATM | Enciphered PIN verified on-line: mandatory; Plaintext PIN verification performed by ICC: optional (ICC without computation power); Enciphered PIN verification performed by ICC: optional (ICC needs an RSA coprocessor) |
| Debit | ATM, POS | Enciphered PIN verified on-line: mandatory; Plaintext PIN verification performed by ICC: mandatory; Enciphered PIN verification performed by ICC: optional |
| Credit | POS | Plaintext PIN verification performed by ICC: mandatory; Enciphered PIN verification performed by ICC: optional; Hand signature: mandatory for backwards compatibility with existing products and certain legislation; No CVM: mandatory |