EMV UNPREDICTABLE NUMBER

One of the topics of the IEEE Symposium on Security and Privacy held in May 2014 in San Jose (California, USA) was devoted to the problem of forming an Unpredictable Number (UN) on terminals that support the EMV standard.

The problem of the non-unique value of UN has previously been highlighted in the MasterCard – Global Operations Bulletin No. 5, 1 May 2012 and EMVCo – Specification Bulletin No. 103, First Edition April 2012. In tests conducted by various groups, such as NIST Special Pubolcation 800-22 or a group of researchers from the University of Cambridge, it turned out that the UN value generated by the terminals is not always unique. In the Bulletin of the EMV Specification Update Bulletin 50 (2006) highlighted:
“Ideally the Unpredictable Number generated by a terminal should be truly unpredictable even given access to all previous such numbers generated by the terminal and it should be infeasible for an attacker to control the next Unpredictable Number that the terminal generates.” In the EMV specification v4.3 Book 4 is specified:
“The Unpredictable Number could be generated by a dedicated hardware random number generator or could, for example, be a function of previous Application Cryptograms, the terminal Transaction Sequence Counter and other variable data (for example, date/time). In the second example the function could be a hash function or more preferably a keyed encipherment function.”

Violation of UN uniqueness is contrary to the EMV standard, but how big are the risks? UN is used by the terminal to verify the authenticity of the card. Even if we assume that the attacker uses a copy of the chip card, then in order to take advantage of the “opened” opportunities, the following is necessary:

      1. 1) know the algorithm for generating UN on a specific device;

According to EMV requirements:

        1. a) The terminal for calculating UN must use some unique internal value P, which should lead, in turn, to the uniqueness of the calculated UN. At the same time, it is strictly necessary that it is impossible to calculate the incoming parameters for its calculation by UN.
        1. b) Some unique internal value of P for calculating UN can never be open. To calculate UN, along with the P value, we recommend using Application Cryptogram, Issuer Authentication Data, Authorization Code, Date/time, and, if possible, an internal random number generator.
        1. c) Initially, the P value on the new terminal should be unique, and it is better if a random number generator is used for this.
        1. d) Restarting the terminal should not restore the original P value as it was for the new terminal, but should restore the P value before restarting the terminal.

The terminal software must meet these requirements.

      1. 2) be aware of the cryptographic algorithm for calculating the Application Cryptogram;

This algorithm is open source. The cryptographic strength of the algorithm is based on the key length and the assumption that it will take a very significant amount of time to find the key.

    1. 3) pass the Application Cryptogram verification on the issuer’s side.

 

If the attacker can not experience problems with the first two points, then a successful check on the issuer’s side will actually mean compromising the issuer’s keys. It is believed that the EMV standard guarantees the security of the card keys and prevents unauthorized access to them.

The EMV standard recommends using an internal random number generator for calculating UN, for example, based on internal date/time values, and not accessible from the outside.

What solutions can be found for the identified problem? They should be divided into recommendations for acquirers and issuers.

Acquirers should make sure that their terminals use software that does not have the described problem of generating a non-unique UN value. To do this, terminal software vendors must ensure that they follow the recommendations of the National of Standards and Technology SP800-90A (Recommendations for Random Number Generation Using Deterministic Random Bit Generators) and ISO/IEC 18031 (Random bit generation).

For the issuer, the main danger is represented by offline operations carried out on terminals, when the verification of the issuer’s cryptogram does not occur immediately online, but after some time. In these cases, if the cryptogram is not AAC, there is a risk of the issuer receiving an offline-approved transaction. To protect against fraudulent transactions, issuers should check the TC values obtained in the clearing files. Thus, the issuer’s protection will be based on the assumption that the malefactor, without having the correct issuer keys and having only the UN generation algorithm at his disposal, will not be able to form the correct issuer cryptogram, and this will be revealed by the issuer when checking the cryptogram from the clearing file.

In conclusion, it should be noted that the attackers ‘ knowledge of the algorithm for calculating UN on individual terminals is undoubtedly an unpleasant discovery for the EMV standard, but at the same time it is not critical, because the EMV standard provides multi-stage protection against fraudulent operations, for which it was actually developed. Nevertheless, both acquirers and issuers should pay close attention to the problem of the UN to exclude it, because such information can be very interesting to attackers from the point of view of its practical application.