EMV Offline Data Authentication

December 11th, 2008

There is a lot of talk in the payment card industry at the moment about the potential to counterfeit an EMV chip card, and many misunderstandings. The susceptibility of an EMV chip card to be counterfeited depends quite simply on the strength of the offline data authentication that is supported by the card. The following is a brief description of EMV offline data authentication, and the difference in grades available.

What Is Offline Data Authentication?

One of the major benefits offered by EMV over magnetic stripe read cards is the ability to authenticate the card without the need to go on-line to the Issuer for authorisation. This capability is called offline data authentication.

There are essentially three flavours of offline data authentication – Static Data Authentication (SDA), Dynamic Data Authentication (DDA), and Combined Data Authentication (CDA). All three employ RSA (Rivest, Shamir, and Adleman) public key cryptography.

During a payment transaction, the chip card and the terminal agree to perform either SDA, DDA or CDA. Only one method of offline data authentication is performed for a particular transaction.

Static Data Authentication (SDA)

The purpose of SDA is to confirm that data placed onto the chip card by the issuer has not been manipulated or changed.

SDA does not require the chip card to be capable of public key cryptographic processing because there is a static cryptogram (called signed static application data) placed onto the chip at the time the card is produced. This cryptogram is generated using selected Issuer information from the chip and provides a way to ensure that this information is not changed after the card has been provided to the customer. During a payment transaction, the card provides the signed static application data to the terminal that then performs a public key authentication of the cryptogram. If this is successful, this means the card, and the information on the card, has not been altered since having been issued to the customer.

However, SDA does not protect against skimming the chip. It is possible for criminals to skim the chip card data, including the SDA cryptogram, and write it to another chip card to create a counterfeit card that could successfully pass SDA. A counterfeit SDA card would only work in offline EMV environments (i.e. it would fail online authentication at the issuer host if the terminal processed an online EMV transaction), but it could be produced such that it always requests to stay offline, and always provides a positive response to a request to verify the offline PIN.

Dynamic Data Authentication (DDA)

DDA requires the chip card to be capable of public key cryptographic processing because it needs to be able to dynamically generate a unique cryptogram for each transaction. During a payment transaction, the chip card uses a private key to generate a one-time cryptogram that is unique to the transaction for validation at the terminal. The terminal performs a public key authentication of the dynamic cryptogram, and if this is successful, this means the card, and the information on the card, has not been altered since being issued to the customer, and significantly – that the card is not a copy of the original chip card issued.

DDA is a stronger form of offline data authentication than SDA because it is not feasible to obtain the private key on a chip card by simply reading the card. DDA protects against skimming of the chip.
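To make the SDA/DDA difference concrete, here is a small Go model added to this post (it is not the author's code and not EMV's real formats: it signs a SHA-256 digest with PKCS#1 v1.5 instead of EMV's ISO/IEC 9796-2 scheme, and uses the ICC public key directly rather than through issuer certificates). A terminal that only runs VerifySDA accepts any chip carrying a faithful copy of the static data and its signature; VerifyDDA also demands a signature over a number the terminal chose, which only the chip holding the private key can produce.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Card is what a terminal, or a skimmer, can read from the chip; the ICC private key never leaves the chip.
type Card struct {
	StaticData []byte         // issuer data written at personalisation
	StaticSig  []byte         // signed static application data, produced by the issuer
	ICCPub     *rsa.PublicKey // the card's own public key (issuer-certified in real EMV)
}

func digest(data, extra []byte) []byte {
	s := sha256.Sum256(append(append([]byte{}, data...), extra...))
	return s[:]
}

// Personalise returns the issuer public key a terminal trusts, the readable card, and the ICC private key kept in the chip.
func Personalise(staticData []byte) (*rsa.PublicKey, *Card, *rsa.PrivateKey) {
	issuer, _ := rsa.GenerateKey(rand.Reader, 2048)
	icc, _ := rsa.GenerateKey(rand.Reader, 2048)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, issuer, crypto.SHA256, digest(staticData, nil))
	return &issuer.PublicKey, &Card{StaticData: staticData, StaticSig: sig, ICCPub: &icc.PublicKey}, icc
}

func DynamicSign(iccPriv *rsa.PrivateKey, c *Card, un []byte) []byte { // chip's answer to the terminal's number un
	sig, _ := rsa.SignPKCS1v15(rand.Reader, iccPriv, crypto.SHA256, digest(c.StaticData, un))
	return sig
}

// VerifySDA checks only the issuer signature over static data, so a faithful copy on a second chip also passes.
func VerifySDA(issuerPub *rsa.PublicKey, c *Card) bool {
	return rsa.VerifyPKCS1v15(issuerPub, crypto.SHA256, digest(c.StaticData, nil), c.StaticSig) == nil
}

// VerifyDDA repeats the SDA check, then verifies sig over the number un chosen by this terminal for this transaction.
func VerifyDDA(issuerPub *rsa.PublicKey, c *Card, un, sig []byte) bool {
	return VerifySDA(issuerPub, c) && rsa.VerifyPKCS1v15(c.ICCPub, crypto.SHA256, digest(c.StaticData, un), sig) == nil
}

func main() {
	issuerPub, card, iccPriv := Personalise([]byte("PAN=<constructed>;EXP=1212")) // constructed sample data
	recorded := DynamicSign(iccPriv, card, []byte{1, 2, 3, 4})                   // an answer a skimmer could capture
	fmt.Println(VerifySDA(issuerPub, card), VerifyDDA(issuerPub, card, []byte{5, 6, 7, 8}, recorded)) // true false
}
```

A skimmed copy in this model is simply a Card value built from the three readable fields; it passes VerifySDA but can only replay an old DynamicSign answer, which VerifyDDA rejects once the terminal picks a different number.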

Combined Data Authentication (CDA)

EMV defines a variation of DDA, often referred to as combined data authentication (CDA). It is more correctly known as "Combined DDA with Application Cryptogram (AC) Generation".

As with DDA, the chip card must be capable of RSA cryptographic processing. During a payment transaction, the first part of the processing for CDA is the same as standard DDA. However, at a later point in the EMV transaction (during card action analysis), the chip card generates a second dynamic signature which the terminal must verify using RSA cryptography. This is to confirm that the chip card that was authenticated using DDA is the same card that is used to authorise the transaction.

CDA is designed to combat a sophisticated method of attack at the point of sale in which the attacker attempts to use a valid chip card to pass offline data authentication, but from then on during the payment, simulates card actions in order to obtain authorisation.

Why Do Banks Issue SDA Cards?

So why would a bank issue SDA cards at all, given that DDA protects against chip card skimming, and SDA does not? The reason comes down to one of cost. A chip card that is capable of performing public key cryptographic processing, and therefore capable of supporting DDA, is relatively more expensive than a chip card that is not capable of performing public key cryptographic processing, and thus only capable of supporting SDA. The cost of issuing chip cards is a significant factor in the business case for a bank. Current indications from the Australian market are that the difference in price between an SDA card and a DDA card is in the range of $0.50 – $1.00.

If you would like to provide feedback on this, or any previous blogs, you are welcome to email us at blog@cotignac.co.nz