
I'd like to use a chip and pin credit card for authentication, that is to register a card into a system and then use it to log in (for demo/entertainment purposes only so bulletproof security isn't required).

I've had the idea of performing a fake transaction (that wouldn't be submitted to the bank, obviously) to prove whether the user has the PIN code of the card, but how do I prove (cryptographically; I assume the data returned by the card on a successful transaction is somehow related to the card number and there's a way to check the authenticity of that) that the card is indeed the card that was registered previously, instead of some other random card?

Thanks.

1 Answer


First, have a look at [this question].

Based on that question, my understanding of bank cards is that the chip card puts its own accNumber+PIN into a signed message encrypted for the bank's server (probably with some challenge data from the POS to avoid replay attacks) and asks the point-of-sale (POS) terminal to send this on its behalf. The POS terminal can't read the message, but can send it off to the bank. The bank validates the message, checks the signature, compares it to the accNumber+PIN in its database and returns a YES/NO to the POS terminal. (Disclaimer: this is how I imagine it could work, I don't know if this is how it actually does work.)

There are other challenge-question-based approaches commonly used in the security industry (for example, for ID badges to get into your office building). They work as follows: when you hold the card up to the reader on the wall, the chip card, the card reader, and the database have the following exchange:

  1. Chip Card to Reader: "I am John Smith and my public key is pub_key."
  2. Reader to Database: "Does pub_key belong to John Smith?"
  3. Database to Reader: "Yes."
  4. Reader to Chip Card: "To prove you have the matching private key, sign this message: rand_32bit_msg."
  5. Chip Card to Reader: enc_msg = encrypt(rand_32bit_msg, priv_key), "Here's enc_msg."
  6. Reader: does decrypt(enc_msg, pub_key) == rand_32bit_msg? "Ok, I believe you own the private key, in you come!"

Presumably you can buy a set of chip cards and readers from various manufacturers, but I have no idea if this is within the budget of a hobby project.

Mike Ounsworth
  • And yes, I'm aware I'm digging up a fossil :P – Mike Ounsworth Apr 25 '15 at 13:45
  • I'm still here, though I agree I kinda lost interest about the smartcards and stuff, but I may get back to it once I have time and hopefully finish this proof of concept. As far as the cards and readers go, I use a standard PC/SC reader and implement card communication in software, so the reader's manufacturer doesn't change anything (it's just a dumb reader and not a POS terminal). –  Apr 29 '15 at 05:34
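The six-step exchange in the answer above, carried through in code as an added example (it is not part of the question, the answer or any library the thread mentions). The "card", "reader" and "database" are constructed stand-ins; the registration step the question asks about is the database binding a holder name to the card's public key, and step 6 is checked by verifying a signature over the reader's fresh challenge. The answer writes step 5 as `encrypt(rand_32bit_msg, priv_key)`; what that operation actually is, is a signature, so the example signs a SHA-256 digest of the challenge. Two assumptions worth flagging: the RSA here is textbook RSA built from the standard library only, so the demo runs offline, and it is not a secure signature scheme; and the challenge is 32 random bytes rather than 32 bits, because a 32-bit nonce is small enough that responses to every possible value could be collected ahead of time.

```python
"""Toy challenge-response card login (constructed example, not project code).
The RSA below is textbook RSA with freshly generated small keys so the demo
needs only the standard library; it is NOT a secure signature scheme."""
import hashlib
import secrets


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=256):
    """Return (pub_key, priv_key) as ((n, e), (n, d)); n is ~2*bits wide so
    it exceeds the 256-bit SHA-256 digest that gets signed."""
    e = 65537
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def sign(message: bytes, priv_key):
    n, d = priv_key
    return pow(int.from_bytes(hashlib.sha256(message).digest(), "big"), d, n)


def verify(message: bytes, signature: int, pub_key):
    n, e = pub_key
    return pow(signature, e, n) == int.from_bytes(
        hashlib.sha256(message).digest(), "big")


class ChipCard:
    """Holds the private key; only ever emits its name, pub_key and signatures."""
    def __init__(self, holder):
        self.holder = holder
        self.pub_key, self._priv_key = generate_keypair()

    def respond(self, challenge: bytes):          # step 5
        return sign(challenge, self._priv_key)


class Database:
    """Registration store: holder name -> public key (steps 2 and 3)."""
    def __init__(self):
        self._keys = {}

    def register(self, card):
        self._keys[card.holder] = card.pub_key

    def owns(self, holder, pub_key):
        return self._keys.get(holder) == pub_key


class Reader:
    def __init__(self, db):
        self.db = db

    def challenge(self):                          # step 4: fresh nonce
        return secrets.token_bytes(32)            # 32 bytes, not 32 bits (assumption)

    def check(self, holder, pub_key, challenge, signature):
        if not self.db.owns(holder, pub_key):     # steps 2/3: registered key?
            return False
        return verify(challenge, signature, pub_key)   # step 6


def login(reader, card):
    """Run steps 1 to 6 end to end and return the reader's decision."""
    holder, pub_key = card.holder, card.pub_key   # step 1
    chal = reader.challenge()
    return reader.check(holder, pub_key, chal, card.respond(chal))


def demo():
    """Genuine card, unregistered card, name spoofing and replay, in one run."""
    db, results = Database(), {}
    reader = Reader(db)
    alice = ChipCard("Alice Example")             # constructed sample holders
    mallory = ChipCard("Mallory Example")
    db.register(alice)
    results["genuine_card"] = login(reader, alice)
    results["unregistered_card"] = login(reader, mallory)
    chal = reader.challenge()                     # other card claims Alice's name
    results["wrong_card_same_name"] = reader.check(
        alice.holder, mallory.pub_key, chal, mallory.respond(chal))
    old_chal = reader.challenge()                 # captured earlier exchange
    old_sig = alice.respond(old_chal)
    results["replayed_response"] = reader.check(
        alice.holder, alice.pub_key, reader.challenge(), old_sig)
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Only the registered card answering the reader's current challenge is accepted; a card that was never registered, a card presenting its own key under someone else's name, and a recorded response replayed against a new challenge are all rejected, which is the property the question is after. Swapping the toy RSA for a real library signature (and a card that keeps its private key on-chip) is what turns this into something usable beyond a demo.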