Security Position Statement: EMV® 1st Generation Card Cryptography

EMV-SWG-NH36r3 EMVCo Position Statement on EMV® 1st Generation Card Cryptography 21st February 2019 Introduction The cryptographic algorithms defined for EMV 1st generation (EMV Integrated Circuit Card Specifications for Payment Systems) were originally designed over 20 years ago. EMVCo is of the firm view that these algorithms can provide sufficient security for EMV transactions. However EMVCo is aware that the world has moved on and so takes this opportunity to explain the basis for the on-going use of these legacy algorithms and key lengths. EMVCo also observes that these algorithms and key lengths are covered by industry, national and international security standards and these standards may include negative assessments which however are not specific to EMV transactions (for example NIST publications especially address parties dealing with the US federal government). Finally we note that EMVCo has newer state-of-the-art cryptography in the 2nd Gen and 3DS2.0 specifications. 2-key Triple DES Despite the EMV 1st generation specifications having included support for AES since 2011, the principal symmetric cryptography still used for EMV-based transactions is 2-key Triple DES. This is used for card and transaction authentication by the issuer and where supported may also be used for protecting script messages such as unblocking the card or changing the reference PIN stored in the card (although this is rarely performed). EMV specifies that cryptograms generated in these processes do not use the card master key directly but instead use a transaction session key derived from the card master key. The best attack known on 2-key Triple DES is where an attacker has access to 2t plaintext-ciphertext pairs and then with effort 2120-t they will be able to find one of the keys used (so long as the key was used more than once). For further information see the paper  C. Mitchell, On the security of 2-key Triple DES arXiv:1602.06229v1 [cs.CR], This kind of attack is not a significant concern for EMV transactions due to the use of session keys. Note that NIST has deprecated 2-key Triple DES on the basis that it provides 80-bit security when an attacker has access to a million million plaintext-ciphertext pairs, however as noted in the introduction EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo. Copyright © 2019 EMVCo, LLC. All rights reserved. EMV-SWG-NH36r3 this NIST policy is not justified for the EMV use case especially considering that for EMV chip transactions this amount of data (roughly all EMV transactions for a whole year) cannot be collected and a 280 effort to reveal one of the session keys is unrealistic. The MAC algorithm used with 2-key Triple DES is Algorithm 3 from ISO/IEC 9797-1 (which was known as the ANSI retail MAC before standardization in ISO) and research papers have identified side-channel attacks that exploit its design. However these kinds of attack are not a significant concern for EMV because EMV specifies the use of session keys, but also because the attack requires prolonged physical access to the card and EMV cards are security-evaluated to be secure against side-channel attacks and can be configured to shut-down before sufficient side-channel information could be gathered. RSA EMV specifies the use of RSA for card authentication by the terminal and for encrypting the cardholder PIN between the PED and card. RSA is used in a card-side PKI with a Payment System key pair used for certifying Issuer keys which in turn certify card keys. Regarding parameters:  The maximum key length required to be supported by EMV terminals is 1984-bits. Currently EMVCo recommends to EMV Payment Systems that 1408-bit Payment System Public Keys expire 31Dec2024 and that 1984-bit Payment System Public Keys have an anticipated life to at least 31Dec2028. Issuer keys are of a similar size.  In its recently published Issuer and Application Security Guidelines, EMVCo advises that the minimum recommended card key length for a card expiring after 2022 is 1152 bits.  EMV only supports two RSA exponent values e=3 and e=65537 (216+1), and both values are considered to be secure for EMV. Note that EMV includes countermeasures against the known attacks on the generic use of low-exponent RSA. Both the signature algorithm (ISO/IEC 9796 Method 1) and the encryption algorithm (RSA transform but with special padding) are old (indeed they pre-date methods such as PSS and OAEP) but are still considered secure. SHA-1 EMV specifies the use of SHA-1 as part of the RSA signature algorithm. Outside of EMV the use of SHA1 has now been widely deprecated due to the long-known possibility to craft inputs that have the same hash and thus SHA-1 does not provide collision-resistance. However since the structure and use of EMV certificates and signatures prevents the crafting of inputs, the continued use of SHA-1 in this context is considered acceptable. EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo. Copyright © 2019 EMVCo, LLC. All rights reserved.