Monday, February 3, 2020

EMV and Post-Quantum Crypto

Post-Quantum Crypto


Post-Quantum crypto refers to a class of cryptographic algorithms and methods that are deemed to resist Quantum Computing attacks.

Quantum computing uses quantum physics and works differently from “traditional” digital computers. Two quantum algorithms: Shor's Algorithm and Grover’s algorithm allow performing powerful quantum attacks against, respectively, asymmetric and symmetric cryptographic algorithms, which are widely used in the industry. RSA, 3-DES or AES, for instance, are considered to be vulnerable to quantum computing.


Shor’s algorithm is considered to be a real threat for algorithms with security based on the difficulty of factoring numbers into primes, such as RSA for instance.

For now, Quantum computers are still at an early stage of prototypes but it is difficult to predict how fast an operational quantum computer could be built. Therefore, post-quantum crypto algorithms are currently developed - in a ‘prophylactic’ way - to answer future threats from quantum computing.

These post-quantum algorithms are being actively developed and are usually based on complex and difficult mathematical challenges. As an example, NIST released the first set of such candidates.

EMV




EMV is the leading international system for payment smartcard. The EMV initiative was taken by Europay, MasterCard, and Visa (hence the ‘EMV’ term) in the 1990s with the goal to replace magnetic cards by smartcards.

Because it was designed and started in the ’90s, EMV still relies heavily on symmetric cryptography and especially on triple-DES.

In EMV (contact cards) the following algorithms - and only them - are approved:

  • Triple DES ( 8-byte block cipher );
  • AES ( 16-byte block cipher );
  • RSA;
  • SHA-1.
EMV still considers AES as a “newer” algorithm and uses much more Triple-DES than AES for symmetric encryption.

Additionally, EMV is painfully migrating to ECC algorithms (estimated time to completion is 2030) despite NSA’s recommendations to stop using the elliptic curves algorithms.


The NSA’s recommendations may not be inspired by the fears of a Quantum computer been built but rather by flaws discovered in the ECC algorithms or some small advances in solving the elliptic curve discrete logarithm problem (ECDLP), yet the EMV consortium issued on September 2016, a security position statement named “NSA Statement on Post Quantum Cryptography and Suite B” where the strategy of the EMV consortium regarding AES and ECC is clarified.


EMV uses three different card authentication mechanisms: SDA, DDA, and CDA. SDA is considered to be largely unsecured and generally should not be used so practically only DDA and CDA are to be considered here.


All these authentication mechanisms are using signature schemes. Since RSA is the only asymmetric algorithm available in EMV until ECC appears, this means that EMV card authentication schemes are - theoretically - vulnerable to a quantum computer.


A quantum computer could therefore potentially break a DDA or CDA algorithm.

EMV and Post-Quantum crypto



If a quantum computer could be built, it could potentially break the encryption in EMV, allowing to find the private keys of any card and therefore allowing to fully clone EMV cards.

EMV cards cannot be cloned like magnetic-stripe credit or debit cards because the private keys, which are used to authenticate the cards, are stored and protected into the smartcard’s crypto-processor.

EMV operates also a liability shift. In other terms the issuing bank will pay for the fraud, because EMV is not supposed to be vulnerable to any attack and especially EMV payment cards cannot be cloned.

If Quantum computers are developed and produced in the near future by - let us say - a ‘rogue’ country with enough funding and technological abilities, this may imply the worldwide cloning of EMV cards and could create very important financial losses for banks.


The risk has to be mitigated: EMV still uses as well massively symmetric cryptography (Triple-DES and AES) and, until a new quantum algorithm is found, such cryptography should resist in a better way to quantum computing.


EMV is not exactly crypto-agile even if the EMV norms are often “high-levels”. EMV does not specify directly which algorithm should be used so, theoretically, a post-Quantum signature scheme such as CRYSTALS-DILITHIUM could be used to perform CDA authentication for example but this would involve several important changes in EMV personalization norms, EMV card applets and custom EMV cryptographic schemes.


EMV also works with the Global Platform (GP) system, which is totally “high-level” and essentially crypto-agile. The GP Secure Messaging, key exchanges etc…could be theoretically converted to post-Quantum cryptographic algorithms without touching the Global platform specifications.


In terms of the banking industry a migration of EMV to post-Quantum algorithms does not seem currently possible. EMV is still ‘only’ in the slow process of migrating to ECC.


It is always difficult to apprehend how fast a technology can be developed.

Unfortunately (for the actual cryptography), Quantum computing may develop itself exponentially in such a way that even the most pessimistic predictions about the date when such computers would be built, could be much too ‘optimistic’ and at the same time new quantum algorithms could amplify that threat.

EMV and Crypto-agility



A solution exists. It is called crypto-agility. Crypto-agility allows existing platform to move from one cryptographic algorithm to another without changing their systems which could, then, move to post-quantum crypto algorithms, when the time has come, without being modified.

Banks using EMV should start to consider crypto-agility for their projects, and they also should check how efficiently this simple and elegant solution can counter, for instance, the threat of quantum computers.

Of course there is no way to know how the EMV consortium will apprehend the need to use Post-Quantum cryptography and changing the EMV norm in that direction would be a huge task requiring lots of energy . But there are “super-EMV” norms such as the SECCOS norm issued by the german ZKA. SECCOS could become crypto-agile with the idea of making post-quantum crypto payment cards in Germany for example. This idea could also be implemented by the French “Groupement des Cartes Bancaires” (GIE cartes bancaires) or the British “CHIP and PIN”.


Finally, there are multiple scenarios where banks can, from their own initiative, add crypto-agile systems inside their EMV infrastructure without the EMV norm be explicitly crypto-agile. For instance a middleware system can equip both EMV payment cards and EMV terminals (ATMs, EFT terminals etc…). These middleware systems could add an extra-layer of encryption to the EMV flow, using crypto-agility.



In conclusion, EMV isn’t crypto-agile and cannot for the moment deal with the threat created by Quantum Computing. Nevertheless, it is possible for cooperating banks to implement additional systems which will protect their EMV infrastructures. Such additional equipment can be installed inside bank cards and bank terminals managed by cooperating banks or within personalization systems for instance.

No comments:

Post a Comment