D.6 SDA mechanisms

D.6.1 MAC-based SDA mechanism

In the case of magnetic stripe cards, the issuer computes during the personalization stage a static authenticator ( Static_Auth _i ), which is stored on the magnetic stripe. This value is computed as a MAC on financial data that is specific to the card, financial_data _i , with a secret key SK _i unique for each card (i.e., Static_Auth _i = MAC ( SK _i )[ financial_data _i ]). The issuer computes SK _i applying a MAC on the PAN of the card PAN _i , parameterized with the master key MK of the issuer (i.e., SK _i = MAC ( MK )[ PAN _i ]).

During a transaction performed at a terminal, the static authenticator Static_Auth _i captured from the magnetic stripe of the card is sent in the authorization request to the issuer. Based on the information in the authorization request, the issuer recomputes the Static_Auth _i according to the same algorithm as that used during personalization. The issuer compares the received Static_Auth _i against the recomputed Static_Auth _i , and if the verification passes , the information of the card is accepted as authentic .

The Static_Auth _i does not prevent counterfeiting, since a successful attacker that has cloned the content of a magnetic stripe card has also obtained the Static_Auth _i , which is a precomputed value that remains unchanged for all transactions.

D.6.2 Signature-based SDA mechanism

In the case of chip cards, the issuer computes a digital signature during the personalization stage, referred to as the static authenticator Static_Auth _i , on the financial data stored in the card, financial_data _i . This signature is produced with the private signing key KS _ISS of the issuer (i.e., Static_Auth _i = Sign ( KS _ISS )[ financial_data _i ]). Since only the issuer is able to generate this signature and the verification of the signature is passed only if the content of the financial data did not change, the authenticity and integrity of the data stored in the chip card is guaranteed (see Section D.3). Both the financial data and the static authenticator are stored in the tamper-resistant EEPROM of the chip card. The use of a digital signature has the advantage that it can be checked by anyone having the public verification key KV _ISS of the issuer.

If one assumes that the terminal has an authentic copy of KV _ISS , then the terminal can check off-line the authenticity of the chip card (i.e., Verify ( KV _ISS )[ Static_Auth _i , financial_data _i ]?= True ). This is the case when there is a business agreement between the acquirer managing the terminal and the card issuer, such that the authentic copy of KV _ISS is stored in the tamperresistant EEPROM of the terminal. In an interoperable environment, where there is no business relationship between the acquirer and issuer, the public verification keys of issuers are not stored in the terminal. Rather, the key KV _ISS is stored in the EEPROM of the chip card, since the personalization stage, together with a certificate released by a certification authority on this key, Cert _ KV _ISS = Cert ( KS _CA )[ KV _ISS ], which establishes its authenticity. The card association can play the role of the CA. The only business constraint is that both the acquirer (which manages the terminal) and the issuer (which is responsible for the card) are members of this card association. The acquirer has to make provisions that an authentic copy of the public verification key of the CA, denoted KV _CA , is loaded in all the terminals.

In order to authenticate to the terminal, the chip card retrieves from its EEPROM the certificate Cert _ KV _ISS = Cert ( KS _CA )[ KV _ISS ], the static authenticator Static_Auth _i , and the financial data financial_data _i of the chip card and sends them to the terminal. After reception , the terminal uses KV _CA and verifies the certificate Cert_KV _ISS (i.e., Verify ( KV _CA )[Cert_ KV _ISS ,KV _ISS ]?= True ). If the certificate is authentic, the terminal recovers the public verification key of the issuer KV _ISS . Using this key, the terminal verifies the correctness of the static authenticator and assesses the authenticity of the financial data stored in the chip card.

Since in the protocol described above there is no time variant pattern that can counter a replay attack, card counterfeiting cannot be prevented if an attacker wiretaps the interface between the chip card and the terminal.