Wikipedia

Chip Authentication Program

This is an old revision of this page, as edited by Jjasi (talk | contribs) at 08:50, 18 August 2008 (Users: rm circular link). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

The Chip Authentication Program (CAP) is a MasterCard and Visa initiative and technical specification for using EMV banking smartcards for authenticating users and transactions in online and telephone banking. The CAP specification defines a handheld device ("CAP reader") with a smartcard slot, a decimal keypad, and a display capable of displaying at least 12 characters (e.g., starburst display). Banking customers who have been issued a CAP reader by their bank can insert their Chip and PIN (EMV) card into the CAP reader in order to participate in one of several supported authentication protocols. CAP is a form of two-factor authentication as both a smartcard and a valid PIN must be present for a transaction to succeed. Banks hope that the system will reduce the risk of unsuspecting customers entering their details into fraudulent websites after reading ‘phishing’ emails.[1]

A CAP reader

Operating principle

The CAP specification supports several authentication methods. The user first inserts their smartcard into the CAP reader and enables it by entering the PIN. A button is then pressed to select the transaction type:

  • Identify: Without requiring any further input, the CAP reader interacts with the smartcard to produce a decimal one-time password, which can be used, for example, to log in to a banking website.
  • Response: This mode implements challenge-response authentication, where the bank's website asks the customer to enter a "challenge" number into the CAP reader, and then copy the "response" number displayed by the CAP reader into the web site.
  • Sign: This mode is an extension of the previous, where not only a random "challenge" value, but also crucial transaction details such as the transferred value, the currency, and recipient's account number have to be typed into the CAP reader.

Protocol details

In all three modes, the CAP asks the EMV card to output a data packet that confirms the cancellation of a fictitious EMV payment transaction, which involves the details entered by the user. This confirmation message contains a message authentication code (typically CBC-MAC/TDES) that is generated with the help of a card-specific secret key stored securely in the smartcard. Such cancellation messages pose no security risk to the regular EMV payment application, but can be cryptographically verified and are only generated by an EMV card after its PIN has been entered. It provided the CAP designers a way to create strong cryptographic evidence that a PIN-activated EMV card is present and has seen some given input data, without having to add any new software functions to any already fielded EMV cards.

An EMV smartcard contains a (typically 16-bit) transaction counter that is increased by one with each payment or CAP transaction. The response displayed by a CAP device essentially consists of a concatenation of the (typically 7) least-significant bits of the transaction counter, followed by selected bits from the message authentication code of the transaction abort message sent by the card, converted from a binary into a decimal number.

In the identify mode, the response depends only on the transaction counter value. In the response mode, it depends in addition on the entered challenge, and in signing mode it also depends on the entered transaction details.

Since normal EMV transactions are used by the CAP reader, its use will be limited by the PIN retry counter built into the card. Just like at an ATM, entering an incorrect PIN three times in a row into a CAP reader will block the card.

Users

 
The Barclay PINsentry CAP device
  • APACS has defined a subset of the CAP specification for use by banks in the United Kingdom.
  • Barclays Bank began issuing CAP readers (which they call "PINsentry") to selected online-banking customers in the United Kingdom in 2007.[2][3] The 2008 version of the PINsentry device is powered by four LR44 button cell batteries, which the manual claims will last from five to seven years. The first PINsentry readers used recorded audio to guide the user when using the device, whereas the devices issued in 2008 simply use on-screen instructions.
  • Swedish bank Nordea began using CAP in November 2007. [4]

References

  1. ^ http://www.theregister.co.uk/2007/04/18/pinsentry/
  2. ^ "Barclays PINsentry".
  3. ^ Barclays to launch two-factor authentication, The Register, 2006-08-09.
  4. ^ New security solution | nordea.se, in Swedish.
Retrieved from "https://en.wikipedia.org/w/index.php?title=Chip_Authentication_Program&oldid=232649405"