Newly Emerged Man-in-the-Middle Attacks on IC Card Systems and Their Countermeasures (ICカード利用システムにおいて新たに顕現化した中間者攻撃とその対策)

Masataka Suzuki (Bank of Japan, masataka.suzuki@boj.or.jp), Katsuhisa Hirokawa (Bank of Japan, katsuhisa.hirokawa@boj.or.jp), Kobara (AIST, k-kobara@aist.go.jp). July 2012 (2012.7), pp. 107-140.

[Only fragments of the body text survived extraction. The recoverable structure, terms, figure labels and citations are listed below; the original sentences are not.]

1. Introduction
- EMV, the IC card specification maintained by EMVCo (members: American Express, JCB, MasterCard, Visa), is cited in version 4.2, Books 1-4 (EMVCo [2008a, b, c, d]) together with EMVCo [2011a]. SEPA (Single Euro Payments Area) roll-out figures for cards, POS and ATM are taken from European Payments Council [2011]; domestic roll-out figures are given for 2009-2010.
- The man-in-the-middle attacks on IC card transactions treated by the paper: Adida et al. [2006], Drimer and Murdoch [2007], Murdoch et al. [2010], Rosa [2010], Barisani et al. [2011]. EMVCo's responses: EMVCo [2010], EMVCo [2011b].
- The PIN (Personal Identification Number) and its verification are introduced, with the ATM setting and Adida et al. [2006] as points of reference.

2. IC card (EMV) transactions
- Brand specifications built on EMV (VISA, MasterCard, JCB), e.g. VIS (Visa Integrated Circuit Card Specification, Visa International [2001a, b]). Terminal types: CAT (Credit Authorization Terminal), POS (Point-of-Sale) terminal, ATM.
- Figure 2: the three steps of an EMV transaction: Card Authentication, Cardholder Verification, and AC (Application Cryptogram) generation.
- Figure 3: card authentication by SDA (Static Data Authentication), DDA (Dynamic Data Authentication) or CDA (Combined DDA/Application Cryptogram generation); the terminal records the outcome in TSI (Transaction Status Information) and TVR (Terminal Verification Results) (EMV Book 3, 10.3).
- Cardholder verification: the card's CVM (Cardholder Verification Method) list, illustrated with a 3,000 amount threshold that decides whether PIN or another method is used; PIN verification by the card and the PIN Try Counter.
- Figure 4: data produced during a transaction: TSI, TVR and CVMR (CVM Results) on the terminal side; IAD (Issuer Application Data, EMV Book 3 Annex A1) on the card side. The AC is generated over terminal data and card data.
- Figure 5: AC generation and verification: (1) data in the terminal, (2) data in the card, (3) session key derived from the card-specific key, (4) AC generation in the card, (5) card data and AC sent through the terminal and the network to the host system, (6) card-specific key at the host, (7) session key generation, (8) AC verification with the outcome pass or fail. The CID (Cryptogram Information Data) indicates the type of cryptogram returned.
- Which of TVR, TSI and CVMR enter the AC is discussed with reference to EMV Book 2, 8.1.1 (footnote 15): the AC binds the terminal's view of PIN verification only to the extent that these data are included.

3. Attacks on IC card transactions
- Figure 6 classifies the man-in-the-middle attacks treated by the paper: PIN verification bypass (Murdoch et al. [2010]; see also Rosa [2010]), the CVM-related attack of Barisani et al. [2011], and the relay attack of Adida et al. [2006] (see also Drimer and Murdoch [2007]).
- Figures 7 and 8 (the latter after Murdoch et al. [2010], Figure 4): PIN verification bypass in Steps 1-6. The device inserted between card and terminal answers the terminal's PIN verification itself, so the card never sees the PIN and its PIN Try Counter is untouched, while the terminal's TSI and CVMR record a successful PIN verification and the AC is then generated as usual (Step 6). Reported in BBC [2010]; Rosa [2010] discusses the CID.
- Figure 9: the attack of Barisani et al. [2011], Steps 1-4, which manipulates the CVM list presented to the terminal in order to obtain the PIN.
- Figure 10: the relay attack of Adida et al. [2006], Steps 1-5, in which a second transaction (AC(2)) is completed with the victim's card at a remote terminal; compare Drimer and Murdoch [2007].
- Figure 11 compares the three attacks (footnotes 23, 24), with reference to Murdoch [2009], Murdoch et al. [2010] and CDA.
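The CVM list processing of section 2 (EMV Book 3, 10.5) and the CVM list manipulation of Barisani et al. [2011] in section 3, as an added example that is not code from the paper or from EMVCo. It parses a CVM List (tag 8E), selects the CVM a terminal would perform, and flags a list that offers a method the authenticated copy never offered. The two CVM lists and the terminal capabilities are constructed for the example; detect_downgrade assumes the issuer placed the CVM List among the data covered by offline data authentication, so the terminal has an authenticated copy to compare against. Cash and cashback conditions are not modelled, and the amount conditions ignore the currency check.

```python
"""CVM List (tag 8E) parsing, CVM selection (EMV Book 3, 10.5) and a
substituted-list check.  Added example; lists and capabilities are constructed."""
from dataclasses import dataclass

# CVM method codes: low six bits of the CVM Code byte (EMV Book 3, Annex C3).
CVM_FAIL = 0x00
CVM_PLAINTEXT_PIN_ICC = 0x01       # plaintext PIN verified by the card
CVM_ENCIPHERED_PIN_ONLINE = 0x02   # enciphered PIN verified online by the issuer
CVM_ENCIPHERED_PIN_ICC = 0x04      # enciphered PIN verified by the card
CVM_SIGNATURE = 0x1E
CVM_NO_CVM = 0x1F
CVM_CONTINUE_BIT = 0x40            # bit 7: apply the next rule if this one fails

# Terminal Capabilities byte 2 (tag 9F33, EMV Book 4, Annex A2).
CAP_PLAINTEXT_PIN = 0x80
CAP_ENCIPHERED_PIN_ONLINE = 0x40
CAP_SIGNATURE = 0x20
CAP_ENCIPHERED_PIN_OFFLINE = 0x10
CAP_NO_CVM = 0x08
METHOD_TO_CAP = {
    CVM_PLAINTEXT_PIN_ICC: CAP_PLAINTEXT_PIN,
    CVM_ENCIPHERED_PIN_ONLINE: CAP_ENCIPHERED_PIN_ONLINE,
    CVM_ENCIPHERED_PIN_ICC: CAP_ENCIPHERED_PIN_OFFLINE,
    CVM_SIGNATURE: CAP_SIGNATURE,
    CVM_NO_CVM: CAP_NO_CVM,
}

# CVM Condition Codes handled here.  Cash, cashback and manual-cash conditions
# (01, 02, 04, 05) are not modelled and never match.
COND_ALWAYS, COND_IF_SUPPORTED = 0x00, 0x03
COND_UNDER_X, COND_OVER_X, COND_UNDER_Y, COND_OVER_Y = 0x06, 0x07, 0x08, 0x09


@dataclass(frozen=True)
class CvmRule:
    method: int
    continue_on_fail: bool
    condition: int


def parse_cvm_list(data: bytes):
    """Return (amount_x, amount_y, rules): 4-byte binary X and Y, then 2-byte rules."""
    if len(data) < 8 or (len(data) - 8) % 2:
        raise ValueError("malformed CVM List")
    amount_x = int.from_bytes(data[0:4], "big")
    amount_y = int.from_bytes(data[4:8], "big")
    rules = [CvmRule(data[i] & 0x3F, bool(data[i] & CVM_CONTINUE_BIT), data[i + 1])
             for i in range(8, len(data), 2)]
    return amount_x, amount_y, rules


def condition_met(rule: CvmRule, amount: int, x: int, y: int, caps: int) -> bool:
    c = rule.condition
    if c == COND_ALWAYS:
        return True
    if c == COND_IF_SUPPORTED:
        return bool(caps & METHOD_TO_CAP.get(rule.method, 0))
    return {COND_UNDER_X: amount < x, COND_OVER_X: amount > x,
            COND_UNDER_Y: amount < y, COND_OVER_Y: amount > y}.get(c, False)


def select_cvm(cvm_list: bytes, amount: int, caps: int):
    """Walk the rules in order as Book 3, 10.5 prescribes.  Returns (method,
    condition) of the rule the terminal would perform, or None when cardholder
    verification fails without any rule being performed."""
    x, y, rules = parse_cvm_list(cvm_list)
    for rule in rules:
        if not condition_met(rule, amount, x, y, caps):
            continue                      # condition not satisfied: next rule
        if rule.method != CVM_FAIL and caps & METHOD_TO_CAP.get(rule.method, 0):
            return rule.method, rule.condition
        if not rule.continue_on_fail:
            return None                   # unsupported method and no "continue" bit
    return None


def cvm_results(method: int, condition: int, result: int) -> bytes:
    """CVM Results (tag 9F34): code, condition, result (00 unknown, 01 failed, 02 ok)."""
    return bytes([method, condition, result])


def detect_downgrade(received: bytes, authenticated: bytes) -> set:
    """Methods offered by the list read over the card interface that the
    authenticated copy never offered.  Non-empty means the list was altered
    between card and terminal."""
    offered = {r.method for r in parse_cvm_list(received)[2]}
    genuine = {r.method for r in parse_cvm_list(authenticated)[2]}
    return offered - genuine


# Constructed issuer CVM List: X = 3,000; over X enciphered online PIN (continue
# if unsupported), under X signature, otherwise no CVM if the terminal allows it.
HONEST_CVM_LIST = bytes.fromhex("00000BB8" "00000000" "4207" "5E06" "1F03")
# The same list as a device between card and terminal could rewrite it:
# plaintext PIN to the card, always, so the PIN crosses the interface in clear.
TAMPERED_CVM_LIST = bytes.fromhex("00000BB8" "00000000" "4100" "5E06" "1F03")
TERMINAL_CAPS = CAP_PLAINTEXT_PIN | CAP_ENCIPHERED_PIN_ONLINE | CAP_SIGNATURE | CAP_NO_CVM

if __name__ == "__main__":
    for name, lst in (("honest", HONEST_CVM_LIST), ("tampered", TAMPERED_CVM_LIST)):
        print(name, 5000, select_cvm(lst, 5000, TERMINAL_CAPS))
        print(name, 1000, select_cvm(lst, 1000, TERMINAL_CAPS))
    print("downgrade:", detect_downgrade(TAMPERED_CVM_LIST, HONEST_CVM_LIST))
```

With the honest list a 5,000 purchase selects enciphered online PIN and a 1,000 purchase selects signature; with the rewritten list every purchase selects plaintext PIN to the card, which is the method that exposes the PIN on the card interface. The terminal can only notice the substitution if it has an authenticated copy of the list, which is why the paper's countermeasures concentrate on what the card and the issuer can check rather than on the terminal alone.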

4. Countermeasures
- 4.1 and 4.2 (against PIN verification bypass): an issuer-side check in which the host compares the terminal's CVMR with the card's CVR (Cardholder Verification Results) carried in the IAD. The IAD layout is not uniform: VIS (Visa International [2001a], Appendix A.1), CCD (Common Core Definition, EMV Book 3 Annex C7.3) and CPA (Common Payment Application, EMVCo [2005]) each define their own CVR, so the host must parse the IAD per card product. Figure 12.
- Whether CVMR is bound into the transaction data: CVMR enters the AC only when the CDOL (Card Risk Management Data Object List) requests it, and enters the CDA signature only through the DDOL (Dynamic Data Authentication Data Object List); the role of the CID under CDA is discussed. Figure 13. Following Murdoch [2009], a card whose CDOL includes CVMR can compare the terminal's CVMR with its own state before generating the AC.
- 4.3 (against Barisani et al. [2011]): Figure 14; TVR handling (EMV Book 3, 10.5), Terminal Capabilities (EMV Book 4, Annex A2), and PIN Change/Unblock through Issuer Script Processing (footnotes 29-32).
- 4.4 (against Adida et al. [2006]): countermeasures to relay, namely the Man-in-the-Middle Defence (Anderson and Bond [2006]), distance bounding (Drimer and Murdoch [2007]) and the Smart Card Detective (Choudary [2010]); footnotes 33 and 34 refer to an LED indicator and to a PC-based arrangement. Figure 15 (ATM setting, footnotes a-c), Figure 16 (CDA and the three attacks).

5. Conclusion
- The three attacks and the countermeasures are summarised (footnotes 35, 36; CVM processing per EMV Book 3, 10.5), with Murdoch et al. [2010] as the reference point.
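The AC flow of Figure 5 together with the two checks against the PIN verification bypass that section 4 discusses, as an added example that is not code from the paper or from EMVCo: the issuer host compares the terminal's CVMR (9F34) with the card's CVR inside the IAD (9F10), and a card whose CDOL carries CVMR performs the same comparison itself and returns an AAC instead of an ARQC. HMAC-SHA256 stands in for the 3DES-based session key derivation and MAC of EMV Book 2; the master key, the CDOL layout (amount 6 bytes, TVR 5 bytes, CVMR 3 bytes), the one-byte CVR layout in the IAD and the reference PIN are all constructed for the example, and the issuer-specific IAD formats of VIS, CCD and CPA are not reproduced.

```python
"""AC generation (card), terminal flow and issuer verification with the
CVMR-versus-CVR cross-check.  Added example; keys, layouts and PIN constructed."""
import hashlib
import hmac
from dataclasses import dataclass

CARD_MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed

OFFLINE_PIN = 0x01                                  # CVM code: plaintext PIN by ICC
CVM_UNKNOWN, CVM_FAILED, CVM_OK = 0x00, 0x01, 0x02  # CVM Results byte 3
CID_AAC, CID_ARQC = 0x00, 0x80                      # Cryptogram Information Data
TVR_CV_NOT_SUCCESSFUL = 0x80                        # TVR byte 3, bit 8
CVR_PIN_PERFORMED, CVR_PIN_FAILED = 0x01, 0x02      # constructed CVR bits in the IAD


def derive_session_key(master_key: bytes, atc: int) -> bytes:
    """Steps 3 and 7 of Figure 5: session key from the card-specific key and the ATC."""
    return hmac.new(master_key, atc.to_bytes(2, "big"), hashlib.sha256).digest()[:16]


def compute_ac(session_key: bytes, cdol_data: bytes, atc: int, iad: bytes) -> bytes:
    """Steps 4 and 8: MAC over terminal data (CDOL) and card data (ATC, IAD)."""
    msg = cdol_data + atc.to_bytes(2, "big") + iad
    return hmac.new(session_key, msg, hashlib.sha256).digest()[:8]


@dataclass
class Card:
    checks_cvmr: bool = False   # True: card compares the terminal's CVMR with its CVR
    pin: str = "1234"           # constructed reference PIN
    atc: int = 0
    cvr: int = 0
    pin_try_counter: int = 3

    def verify(self, pin: str) -> int:
        """VERIFY command; returns the status word."""
        if self.pin_try_counter == 0:
            return 0x6983                           # PIN blocked
        self.cvr |= CVR_PIN_PERFORMED
        if pin != self.pin:
            self.pin_try_counter -= 1
            self.cvr |= CVR_PIN_FAILED
            return 0x63C0 | self.pin_try_counter    # wrong PIN, tries left in low nibble
        return 0x9000

    def generate_ac(self, cdol_data: bytes):
        """GENERATE AC; returns (cid, atc, iad, ac).  CVMR is the last CDOL item."""
        self.atc += 1
        iad = bytes([self.cvr])
        cid = CID_ARQC
        cvmr = cdol_data[-3:]
        if (self.checks_cvmr and cvmr[0] == OFFLINE_PIN and cvmr[2] == CVM_OK
                and not self.cvr & CVR_PIN_PERFORMED):
            cid = CID_AAC                           # terminal claims a PIN check the card never saw
        sk = derive_session_key(CARD_MASTER_KEY, self.atc)
        ac = compute_ac(sk, cdol_data, self.atc, iad)
        self.cvr = 0                                # CVR is per transaction
        return cid, self.atc, iad, ac


def terminal_transaction(card: Card, amount: int, pin: str, wedge: bool = False) -> dict:
    """Terminal side of an offline-PIN purchase.  With wedge=True a device between
    card and terminal answers VERIFY with 9000 itself and never forwards the PIN,
    while GENERATE AC passes through unchanged, so the card still returns a
    cryptogram that verifies (the attack of Murdoch et al. [2010])."""
    sw = 0x9000 if wedge else card.verify(pin)
    cvmr = bytes([OFFLINE_PIN, 0x00, CVM_OK if sw == 0x9000 else CVM_FAILED])
    tvr = bytearray(5)
    if sw != 0x9000:
        tvr[2] |= TVR_CV_NOT_SUCCESSFUL
    cdol_data = amount.to_bytes(6, "big") + bytes(tvr) + cvmr
    cid, atc, iad, ac = card.generate_ac(cdol_data)
    return {"cdol": cdol_data, "cid": cid, "atc": atc, "iad": iad, "ac": ac}


def issuer_decision(msg: dict) -> str:
    """Host side: steps 6 to 8 of Figure 5, then the CVMR-versus-CVR cross-check."""
    sk = derive_session_key(CARD_MASTER_KEY, msg["atc"])
    expected = compute_ac(sk, msg["cdol"], msg["atc"], msg["iad"])
    if not hmac.compare_digest(expected, msg["ac"]):
        return "decline: AC verification failed"
    if msg["cid"] == CID_AAC:
        return "decline: card returned AAC"
    tvr, cvmr, cvr = msg["cdol"][6:11], msg["cdol"][11:14], msg["iad"][0]
    if tvr[2] & TVR_CV_NOT_SUCCESSFUL:
        return "decline: cardholder verification failed"
    terminal_says_pin_ok = cvmr[0] == OFFLINE_PIN and cvmr[2] == CVM_OK
    if terminal_says_pin_ok and not cvr & CVR_PIN_PERFORMED:
        return "decline: CVMR/CVR mismatch: the card never verified a PIN"
    if terminal_says_pin_ok and cvr & CVR_PIN_FAILED:
        return "decline: CVMR/CVR mismatch: the card recorded a failed PIN"
    return "approve"


if __name__ == "__main__":
    print("honest  ", issuer_decision(terminal_transaction(Card(), 5000, "1234")))
    print("wedge   ", issuer_decision(terminal_transaction(Card(), 5000, "0000", wedge=True)))
    print("hardened", issuer_decision(terminal_transaction(Card(checks_cvmr=True), 5000, "0000", wedge=True)))
```

The point the simulation makes is that the cryptogram itself does not catch the bypass: the wedge forwards GENERATE AC untouched, so the AC over the terminal's data verifies at the host. Detection needs a second source of truth about PIN verification, either the card's CVR in the IAD read by the issuer, or the card itself refusing to produce an ARQC when the terminal's CVMR contradicts what the card did.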

References

[Japanese-language references not recoverable from the extraction.]

Adida, Ben, Mike Bond, Jolyon Clulow, Amerson Lin, Steven Murdoch, and Ron Rivest, "Phish and Chips (Traditional and New Recipes for Attacking EMV)," Cambridge Security Protocols Workshop, 2006.
Anderson, Ross, and Mike Bond, "The Man-in-the-Middle Defence," Cambridge Security Protocols Workshop, 2006.
Barisani, Andrea, Daniele Bianco, Adam Laurie, and Zac Franken, "Chip & PIN is definitely broken," CanSecWest, 2011.
BBC, "Flaws in chip and pin bank card security identified," 11 February 2010, http://news.bbc.co.uk/2/hi/science/nature/8511710.stm (accessed 2012.4.20).
Choudary, Omar S., "The Smart Card Detective: a hand-held EMV interceptor," Master Thesis, University of Cambridge, 2010.
Drimer, Saar, and Steven J. Murdoch, "Keep your enemies close: distance bounding against smartcard relay attacks," USENIX Security Symposium, 2007.
EMVCo, Common Payment Application Specification, EMV Integrated Circuit Card Specifications for Payment Systems, Version 1.0, 2005.
EMVCo, Book 1: Application Independent ICC to Terminal Interface Requirements, EMV Integrated Circuit Card Specifications for Payment Systems, Version 4.2, 2008a.
EMVCo, Book 2: Security and Key Management, EMV Integrated Circuit Card Specifications for Payment Systems, Version 4.2, 2008b.
EMVCo, Book 3: Application Specification, EMV Integrated Circuit Card Specifications for Payment Systems, Version 4.2, 2008c.
EMVCo, Book 4: Cardholder, Attendant, and Acquirer Interface Requirements, EMV Integrated Circuit Card Specifications for Payment Systems, Version 4.2, 2008d.
EMVCo, Response from EMVCo to the Cambridge University Report on Chip and PIN vulnerabilities, 2010.
EMVCo, A Guide to EMV, 2011a.
EMVCo, Response from EMVCo to the Inverse Path Paper "Chip and PIN is Definitely Broken" March 2011, 2011b.
European Payments Council, "SEPA for cards: tracking EMV roll-out," EPC Newsletter, Issue 10, 2011.
Murdoch, Steven J., "Defending against wedge attacks in Chip and PIN," Light Blue Touchpaper, August 25th 2009, http://www.lightbluetouchpaper.org/2009/08/25/defending-against-wedge-attacks/ (accessed 2012.4.20).
Murdoch, Steven J., Saar Drimer, Ross Anderson, and Mike Bond, "Chip and PIN is Broken," 2010 IEEE Symposium on Security and Privacy, 2010.
Rosa, Tomas, "On the Chip & PIN Broken Attack: Experience Gained in Raiffeisenbank," 2010.
Visa International, Visa Integrated Circuit Card Specification (VIS) Card Specification, version 1.4.0, Visa Public, 2001a.
Visa International, Visa Integrated Circuit Card Specification (VIS) Terminal Specification, version 1.4.0, Visa Public, 2001b.