Appendix D: Security Mechanisms | Implementing Electronic Card Payment Systems (Artech House Computer Security Series)

Security services are implemented through security mechanisms. This appendix outlines some of the basic security mechanisms needed in the design of electronic payment systems: encryption, cryptographic hash functions, digital signatures, cardholder verification mechanisms, and SDA and DDA mechanisms.

D.1 Encryption

Encryption is the security mechanism that implements the confidentiality service. Encryption can be implemented in two categories of schemes. The first group contains symmetric or conventional cipher systems; the second group includes asymmetric or public key cipher systems. Figure D.1 presents a unified model for an encrypted channel, incorporating both symmetric and asymmetric systems [1].

Figure D.1: Unified model for symmetric and asymmetric encryption systems.

The goal of the sender is to transmit the plaintext P to the receiver such that even if an attacker is able to wiretap the channel the plaintext cannot be retrieved. The sender transforms the plaintext P into the cryptogram or ciphertext C , applying a mathematical transformation referred to as the encryption algorithm E , the specification of which is publicly known. An encryption key KE parameterizes the encryption algorithm. After receiving the cryptogram C , the receiver applies the decryption algorithm D , the specification of which is also publicly known. Similarly to the encryption algorithm, a decryption key KD , which is related to the encryption key KE , parameterizes the decryption algorithm. The relation established between KE and KD is different for symmetric than for asymmetric encryption systems. The key distribution center (KDC) generates and distributes the encryption/decryption key pairs ( KE , KD ) in the system. Secure channels have to be established for the distribution of these keys to both the sender and the receiver. The security requirements of the distribution channels, however, are different for the sender and receiver in case of symmetric and asymmetric cipher systems. The attacker has access to the specification of the encryption and decryption algorithms ( E , D ). The attacker can also capture the cryptogram C . There are some exceptions concerning the public availability of the algorithms. The most notable examples are the algorithms A3, A5, and A8 used by the security services implemented in the GSM network [2].

D.1.1 Symmetric encryption

In the case of symmetric ciphers, KE = KD = K . The distribution channels towards the sender and receiver have to provide both confidentiality and data authentication services. Knowledge of E, D , and C does not allow the attacker to derive P nor the key K .

A symmetric cipher ( E , D ) is the best-suited mechanism for implementing the confidentiality service on a communication channel connecting two entities that already share a common key.

The following example shows the use of symmetric encryption for implementing the secure updating of parameters in a chip card. This operation allows the issuer to update the parameters of an application running in a chip card even after the card is already issued to the cardholder and is now in its utilization stage. The sequence of commands sent by the issuer that performs the updating of parameters is sometimes called issuer scripts [3]. The issuer has stored in the card a special secret key that parameterizes a symmetric cipher, which is used to implement the secure messaging for confidentiality that protects against the eavesdropping of issuer scripts. This key is referred to as the issuer script key ( ISK ). Anytime a secret parameter is updated in the card, the issuer sends it encrypted with ISK from the issuer host through the payment network to the terminal where the card to be updated is inserted. Since only the card knows this key, the confidentiality of the cryptographic parameters sent through issuer scripts is protected.

D.1.2 Asymmetric encryption

In the case of asymmetric ciphers, KE is different from KD . The encryption key KE is made public by the KDC, and thus the distribution channel to the sender has to provide only data authentication (see Section D.4) and not confidentiality. The distribution channel towards the receiver has to provide both confidentiality and data authentication services. After receiving KD , the receiver has to make provisions for protecting the confidentiality of this key, which is therefore referred to as the private decryption key. On one hand, knowledge of E, D , and C does not allow the attacker to derive the plaintext P . On the other hand, knowledge of the public encryption key KE does not allow the attacker to derive the secret decryption key KD .

A well-known class of mathematical functions that achieves these features is the class of trapdoor one-way functions. A function E parameterized through KE is said to be one-way if giving the argument P and the parameter KE is easy to compute the image C = E ( KE )[ P ]. However, giving C is computationally unfeasible to obtain P = D ( KD )[ C ] without knowledge of the parameter KD , where D is the inverse function of E in the sense that P = D ( KD )[ E ( KE )[ P ]]. A one-way function is said to be a trapdoor if the computation of P is easily performed from C at the moment when the parameter KD is provided as a trapdoor information. A well-known trapdoor one-way function is the RSA function, as it will be presented in Appendix F.

The asymmetric ciphers are relatively slow when compared with the symmetric ciphers. This low performance is mainly due to the nature of the algorithms implementing trapdoor one-way functions, implying arithmetic computations with long integers with lengths greater than 300 digits. Contrarily, the algorithms specifying symmetric ciphers are based on Boolean functions, implying bit-wise operations more suited to the machine architecture running the algorithm. The performances of asymmetric algorithms can be improved through the use of a cryptographic coprocessor, which is a dedicated computational architecture specialized in the arithmetic with long integer numbers . This coprocessor, however, increases the cost of the devices, making asymmetric encryption more expensive when compared with the symmetric encryption.

An asymmetric cipher is the most suited mechanism for implementing the confidentiality service on a communication channel connecting two entities that have not exchanged keys on beforehand, and thus they cannot use symmetric cipher systems.

The length of a message to be encrypted using an asymmetric cipher is limited, usually by the length of the public encryption key (see Appendix F). Thus, encrypting a long message means the repeated use of the asymmetric algorithm, which certainly degrades the performance level of the system. Therefore, a session secret key is generated at random by the sender A and is encrypted with the public encryption key of the receiver B , namely KE _B , resulting in the cryptogram C = E ( KE _B )[ SSK ]. This process is sometimes referred to as a key transport mechanism or key wrapping. After receiving the cryptogram C , which is sometimes called a digital envelope, the receiver decrypts it to obtain the session secret key SSK (i.e., SSK = D ( KD _B )[C]). From now on, the sender can use the session secret key with a symmetric cipher ( E ² , D ² ) to encrypt bulk data C ² = E ² ( SSK )[ Bulk data ]. "Bulk data" is sometimes the term used for longer messages. Correspondingly, the receiver can use the transported SSK to decrypt the bulk encrypted data C ² (i.e., Bulk data = D ² ( SSK )[ C ² ]). The process is schematized in Figure D.2.

Figure D.2: Secret key wrapping.