Speaker: Gaven Watson (University of Bristol, UK)
Gaven Watson is a former student of Royal Holloway having completed his PhD in 2010 under the supervision of Kenny Paterson. After leaving RHUL he held a Postdoc position at the University of Calgary in Canada, before returning to the UK in January 2012 to join the crypto group at the University of Bristol.
Title: An Analysis of the EMV Channel Establishment Protocol
Abstract:With over 1.6 billion debit and credit cards in use worldwide, the EMV system (a.k.a. “Chip-and-PIN”) has become one of the most important deployed cryptographic protocol suites. Recently, the EMV consortium has decided to upgrade the existing RSA-based system with a new system relying on Elliptic Curve Cryptography (ECC). One of the central components of the new system is a protocol that enables a card to establish a secure channel with a card reader. In this talk I will present a security analysis of the proposed protocol, propose minor changes/clarifications to the “Request for Comments” issued in Nov 2012, and demonstrate that the resulting protocol meets the intended security goals.
The structure of the protocol is one commonly encountered in practice: first run a key-exchange to establish a shared key (which performs authentication and key confirmation), only then use the channel to exchange application messages. Although common in practice, this structure takes the protocol out of the reach of most standard security models for key-exchange. Unfortunately, the only models that can cope with the above structure suffer from some drawbacks that make them unsuitable for our analysis. Our second contribution is to provide new security models for channel establishment protocols. Our models have a more inclusive syntax, are quite general, deal with a realistic notion of authentication (one-sided authentication as required by EMV), and do not suffer from the drawbacks that we identify in prior models.