Outline
What is Micropayment? Smart Card Types Smart Cards Components ATM Card Cryptography OpenCard Framework RFID Tags Card Security Threats Card Manufactures and Issuance
Octopus Mondex
Summary
88-590-02 E-Commerce, S. Erfani University of Windsor
What is Micropayment?
All payments less than U.S. $10 are considered micropayments.
Aim to replace cash
Constitute electronic purses on integrated-circuit cards
Smart cards, Memory cards
Recharging the electronic purse with monetary value requires the intervention of a financial institution.
Commercial offers of micropayment systems:
Octopus, GeldKarte, Chipper, Mondex
October 17, 2012
Smart Cards
Magnetic stripe
3 tracks, ~140 bytes, cost $0.20-0.75
Memory cards
1-4 KB memory, no processor, cost $1.00-2.50
E-Government
Banking
Mass Transit
Public Telephony
Mobile Telecommunications
W-LAN
Retail
Access control
Enterprise Security
Cash is inconvenient
not machine-readable
humans carry limited amount
risk of loss, theft
Field separator (1 char): ^
Name
Field separator
Expiration date (4 char): YYMM
Proprietary fields, including PIN Verification Value (PVV)
[Figure labels: Microprocessor; Contacts (8); Epoxy; Card (upside-down)]
[Figure labels: record numbers 1, 2, 3, 4; n+1st record]
READ gives the most recently written record
Maximum number of records: 254
When maximum is reached, first record is overwritten
Record length: 1 .. 254 bytes
SOURCE: ANDREAS STEFFEN
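The record rules above behave like a ring buffer, which matters for anyone relying on the card's transaction log as evidence. The following Python model is an added example, not code from the slides; the class and method names, the fixed record length, and the convention that record 1 is the newest are assumptions, and the debit amounts are constructed sample data.

```python
"""Model of the record file on the slide: at most 254 records, READ returns
the newest, and the oldest is overwritten once the file is full."""

MAX_RECORDS = 254      # from the slide
MAX_RECORD_LEN = 254   # from the slide (record length 1..254 bytes)


class CyclicFile:
    def __init__(self, n_records, record_len):
        if not 1 <= n_records <= MAX_RECORDS:
            raise ValueError("record count must be 1..254")
        if not 1 <= record_len <= MAX_RECORD_LEN:
            raise ValueError("record length must be 1..254 bytes")
        self.record_len = record_len
        self.slots = [None] * n_records
        self.next_slot = 0     # physical slot the next write lands in
        self.count = 0         # records currently readable
        self.overwritten = 0   # records lost to wrap-around

    def append(self, data: bytes):
        if len(data) != self.record_len:
            raise ValueError("fixed-length records only")
        if self.count == len(self.slots):
            self.overwritten += 1          # oldest record is about to vanish
        else:
            self.count += 1
        self.slots[self.next_slot] = bytes(data)
        self.next_slot = (self.next_slot + 1) % len(self.slots)

    def read(self, number=1):
        """Record 1 is the newest, 2 the one before it, and so on (assumed)."""
        if not 1 <= number <= self.count:
            raise IndexError("no such record")
        return self.slots[(self.next_slot - number) % len(self.slots)]


def demo():
    # Constructed sample: a 3-record purse log receiving 5 debits of 4 bytes.
    log = CyclicFile(n_records=3, record_len=4)
    for amount in (100, 250, 75, 900, 40):
        log.append(amount.to_bytes(4, "big"))
    newest_first = [int.from_bytes(log.read(i), "big") for i in (1, 2, 3)]
    return newest_first, log.overwritten
```

In the demo the two oldest debits (100 and 250) are no longer readable from the card, so a terminal auditing the file sees only the last three transactions.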
3DES
[Figure labels: ACCOUNT NUMBER; 4-DIGIT PIN; MACHINE HAS BANK KEYS IN HARDWARE; 3DES; COMPUTE PVV; PVV]
SOURCE: OPENCARD.ORG
Group 6
THREATS FROM CARD APPS AND NEED TO SHARE RESOURCES
Group 3
ATTACKS USING CARDS NOT YET ISSUED, OLD CARDS, CLONES
Current
Group 1
DIRECT ATTACKS ON CHIP CIRCUITRY
Group 2
INDIRECT ATTACKS ON CHIP CIRCUITRY
SOURCE: GAMMA
[Figure: power consumption over time, with MUL (multiplication) and JMP (jump) marked]
Source: Rankl and Effing, "Handbuch der Chipkarten", 2002
SOURCE: cryptography.com
Contactless Card
Communicates by radio
Power supplied by reader
Data rate 106 Kb/sec
Read 2.5 ms, write 9 ms
8 Kb EEPROM, unlimited read, 100,000 writes
Effective range: 10 cm, signals encrypted
Lifetime: 2 years (data retention 10 years)
Two-way authentication, nonces, secret keys
Anticollision mechanism for multiple cards
Unique card serial number
SOURCE: GEMPLUS
RFID Tags
IC Chip
Tag
Computer RFID Reader
SOURCE: PHILIPS
Euro Banknotes
European Central Bank planned to implant RFID tags in banknotes by 2005
Uses
Anti-counterfeiting
Tracking money flows
Implementation Example 1
Implementation: Octopus
SONY RC-S833 CONTACTLESS SMART CARD SONY READER/WRITER
SOURCE: SONY
SOURCE: MITSUBISHI
Octopus Clearing
Octopus Settlement
CONSOLIDATE DATA
SERVICE PROVIDER CENTRAL COMPUTERS (SPCC) MTR CENTRAL COMPUTER LOAD AGENT CENTRAL COMPUTER CENTRAL CLEARING HOUSE SYSTEM
VALIDATE DATA NET ACCOUNTING
DISTRIBUTE SOFTWARE
SETTLEMENT
MUTUAL
HSBC HEXAGON
OCTOPUS BANK
REGULAR ACCT BUFFER ACCT RESERVE ACCT
MTRS BANK
Octopus Expansion
Identity card
Access control
Hotel room key
Credit card
McDonalds
Mobile phone
Home readers
Implementation: Mondex
Subsidiary of MasterCard
Smart-card-based, stored-value card (SVC)
NatWest (National Westminster Bank, UK) et al.
Secret chip-to-chip transfer protocol
Value is not in strings alone; must be on Mondex card
Loaded through ATM
ATM does not know transfer protocol; connects with secure device at bank
Mondex Overview
Mondex security
Active and dormant security software
Security methods constantly changing
ITSEC E6 level (military)
Summary
o Smart cards replace cash.
The applications are primarily in banking, mobile telephony, and pay TV.
o Wireless (contactless) cards enable new business models.
o Smart card security is not perfect.
o Several electronic purses were proposed and introduced for making micropayments.
o OCF is a Java-oriented integration of integrated-circuit cards with computers.
References
M. H. Sherif, Protocols for Secure Electronic Commerce. Boca Raton, FL: CRC Press LLC, 2004, Chapters 9 and 13.
Electronic Payment Systems (20-763) Official Course Web, http://euro.ecom.cmu.edu/program/courses/tcr763/2002pgh/cards7.ppt