Building general-purpose security services on EMV payment cards

Abstract

The Generic Authentication Architecture (GAA) is a standardised extension to the mobile telephony security infrastructures that supports the provision of security services to network applications. We have proposed a generalised version of GAA which enables almost any pre-existing infrastructure to be used as the basis for the provision of generic security services, and have examined a GAA instantiation supported by Trusted Computing. In this paper we study another instantiation of GAA, this time building on the widely deployed EMV security infrastructure. This enables the existing EMV infrastructure to be used as the basis of a general-purpose authenticated key establishment service in a simple and uniform way, and also provides an opportunity for EMV-aware third parties to provide novel security services. We also discuss possible applications and issues of privacy and trust. © 2013 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering.