我试图弄清楚 EMV 标准化建议使用哪种加密方式来通过 NFC 传输支付信息。我浏览了规范,但找不到有关此主题的任何提示。我知道虽然卡制造商在他们的卡上提供了一些加密技术,但部分已经被泄露了。有人知道,如果它完全加密(我希望如此),如果是,使用哪种技术?
问问题
3710 次
2 回答
8
The communication between the card and the contactless reader is not encrypted. You can easily eavesdrop and record the exchanged APDUs, I do it almost daily using a contactless spy (the Fime SmartSpy one).
But recording the dialog is not enough to clone the card. You will get access to some information (ex : the card number, the track2 equivalent data), but :
- you will miss information required to create a magnetic stripe card
- you won't have the CVV (number written behind the card) required to make online purchases.
- You also won't be able to "replay" the transaction because the transaction data includes two unpredictable numbers generated by the terminal and the card, which are unique to each transaction and signed by the card.
The private key/certificate used by the card to sign the transaction is never transmitted during the transaction and cannot be accessed. That's this private key/certificate which is protected and encrypted on the card (I don't know the details of the security mechanisms).
The cards whose security has been compromised are some basic MiFare cards. These cards are not used for payment applications.
于 2014-03-28T20:56:21.383 回答
4
简单的答案:EMV 交易未通过 NFC 加密。
更具体地说,典型的非接触式 EMV 事务是这样工作的(非常简化,涉及更多命令,但这应该足以让您大致了解一下):
- 选择 EMV 支付应用程序。
- 读取卡片数据。卡片数据以明文形式传输。
- 以明文形式向卡发送交易数据(授权金额、交易日期/时间……)。
- 卡根据其密钥(即加密技术)在交易中生成数字签名。
- 终端和/或后端通过交易数据验证卡的数字签名。
顺便提一句。您引用的论文(“MiFare Classic 和 Oyster 卡中 Crypto-1 流密码的代数攻击”)与 EMV 支付卡完全无关。这篇论文是关于 MIFARE Classic 卡的弱点。与 EMV 支付卡不同,MIFARE Classic 卡是简单的非接触式存储卡,具有一些加密和身份验证逻辑。
于 2014-03-28T20:53:56.263 回答