Abstract
The Generic Authentication Architecture (GAA) is a standardised extension to the mobile telephony security infrastructures that supports the provision of security services to network applications. We have proposed a generalised version of GAA which enables almost any pre-existing infrastructure to be used as the basis for the provision of generic security services, and have examined a GAA instantiation supported by Trusted Computing. In this paper we study another instantiation of GAA, this time building on the widely deployed EMV security infrastructure. This enables the existing EMV infrastructure to be used as the basis of a general-purpose authenticated key establishment service in a simple and uniform way, and also provides an opportunity for EMV-aware third parties to provide novel security services. We also discuss possible applications and issues of privacy and trust.
This work was partially sponsored by the National Natural Science Foundation of China under Grant (No. U1135004 and 61170080), the Guangdong Province Universities and Colleges Pearl River Scholar Funded Scheme (2011), the Guangzhou Metropolitan Science and Technology Planning Project (No. 2011J4300028), the Fundamental Research Funds for the Central Universities (No. 2009ZZ0035 and 2011ZG0015), the Guangdong Provincial Natural Science Foundation (No. 9351064101000003) and the High-level Talents Project of Guangdong Institutions of Higher Education (2012).
Copyright information
© 2013 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Chen, C., Tang, S., Mitchell, C.J. (2013). Building General-Purpose Security Services on EMV Payment Cards. In: Keromytis, A.D., Di Pietro, R. (eds) Security and Privacy in Communication Networks. SecureComm 2012. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 106. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-36883-7_3
DOI: https://doi.org/10.1007/978-3-642-36883-7_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-36882-0
Online ISBN: 978-3-642-36883-7
eBook Packages: Computer Science (R0)