It is hard not to get excited about the theoretical possibilities of quantum computing. At the leading edge of human endeavours, it has the potential to fundamentally revolutionise how we address and solve complex problems. With aspirations and ambitions comes uncertainty and threats. EMVCo is taking very seriously the threat of quantum computers undermining the security of RSA (Rivest, Shamir and Adleman) and ECC (Elliptic-Curve Cryptography) and is exploring future mitigation strategies.
In this EMV® Insight Post, we ask Michael Ward, EMVCo Security Working Group Chair, what threat quantum computing poses to EMV Chip and what the technical body is doing to address this.
Firstly, what part of a payment transaction does EMV Chip technology secure?
EMV Chip technology secures the data exchange between the payment device, such as a plastic card, smartphone or wearable, and the payment terminal and issuing bank. It does this by integrating security features into the EMV transaction, such as cardholder verification and card authentication.
To maintain the integrity of the payment process, the payment device and transaction data are also authenticated. The merchant terminal and issuing bank cryptographically authenticate the payment device and its data by verifying cryptographic signatures that have been generated by the payment device. In EMV these signatures are often referred to as ‘cryptograms’.
What threat does quantum computing present to EMV technology today?
It is important to note that we don’t expect quantum computing to start posing a threat to the EMV infrastructure until at least 2040. While there is a lot of hype, and varying timelines, no one actually knows when quantum computing will become a reality, and currently no quantum attacks exist.
Harvest Now Decrypt Later, which aims to steal encrypted data today in the view that it can be decrypted and used for malicious purposes in the future, has driven a requirement in some industries and governments to deploy quantum resistant cryptography. This, however, does not apply to EMV Chip transactions, as chip authentication does not require long-term data confidentiality.
Can you explain further the role of EMV cryptograms?
During a transaction the cardholder’s payment device responds to an unpredictable number from the terminal to create two types of cryptograms:
- An online cryptogram (symmetric cryptography) is used in most payment scenarios for remote authentication and verified by the card issuer. It is based on either Triple DES cryptography (Data Encryption Standard) or AES cryptography (Advanced Encryption Standard).
- An offline cryptogram (public key cryptography) is used for local authentication and verified by the terminal. The payment device uses its private key to authenticate itself and the transaction data to the terminal and this avoids the payment device and terminal having to share secret keys. A transit network is a prominent example of where this is needed, as often terminals can be without online real-time connectivity, and they need to support mass turnstile throughput at peak times so speed is essential. In this payment scenario, EMV supports the use of ECC and RSA cryptography.
In summary the EMV Chip cryptograms support the universal payment business requirement of ‘source authentication’, ‘message authentication’ and ‘non-repudiation’ underpinning a customer’s payment instruction to the bank.
Are both cryptograms potentially vulnerable to quantum threats?
No, online cryptograms use symmetric cryptography, which is resistant to quantum attacks. AES is a quantum resistant symmetric cipher that has been included in EMV Specifications since 2010 and effectively future proofs EMV against quantum attacks as explained in our published position paper. Furthermore, the legacy EMV symmetric cipher 2-key Triple DES in popular use today does enjoy a significant security margin against any potential quantum attack, albeit with a smaller margin than AES, and its use with session keys renders negligible other conjectured attacks.
In contrast, offline cryptograms use public key cryptography such as ECC and RSA that is vulnerable to a potential quantum attack, should quantum computing materialise. Until certain milestones in quantum computing have been achieved, it is complex to determine the approaching speed of the threat that we need to protect against.
This industry position follows research undertaken by the U.S National Institute of Standards and Technology (NIST), the authority leading the standardisation response to the quantum threat to cryptography, as well as studies by other national bodies, independent academics and researchers.
While the timelines of quantum computing remain uncertain, what is EMVCo doing today to actively address future potential quantum threats?
A principle of EMV security policy is that of cryptography agility for contingency purposes. Based on this, EMVCo first published a paper on quantum in 2016 and has been actively monitoring and engaged with leading quantum computing and security academics, independent consultants, and a host of government bodies ever since. Our findings have been shared regularly with the EMV community at EMVCo’s Associate and User Meetings.
Our most recent paper ‘Quantum Computing and EMV Chip Cryptography’ is publicly available on the EMVCo website. It will be followed by two further papers which we are working on. The first is looking at quantum computing market requirements that are being released at a global and national level and their applicability to EMV technology. This will be followed by a paper which takes a deeper look at how to mitigate quantum attacks for offline transactions, for which we already have a number of proposals.
Finally, current work is focused on EMV Chip. What is the impact of quantum threats to card-based remote payments?
NIST has released quantum resistant algorithms to be integrated into the TLS (Transport Layer Security) protocols and EMVCo will in due course be able to include these algorithms for defending EMV e-commerce card transactions. This is the first step to protect against quantum attacks within this environment. As with all payment security, however, a layered approach is required to prevent malicious use of payment data, and EMVCo will monitor and evolve its offering to secure the payments environment accordingly.
by Arman Aygen
by Alan Mushing