Chip Authentication Program

This is an old revision of this page, as edited by 212.159.20.196 (talk) at 00:09, 20 January 2010 (Vulnerabilities: Named reference). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

The Chip Authentication Program (CAP) is a MasterCard initiative and technical specification for using EMV banking smartcards for authenticating users and transactions in online and telephone banking. It was also adopted by Visa as Dynamic Passcode Authentication (DPA)[1]. The CAP specification defines a handheld device ("CAP reader") with a smartcard slot, a decimal keypad, and a display capable of displaying at least 12 characters (e.g. a starburst display). Banking customers who have been issued a CAP reader by their bank can insert their Chip and PIN (EMV) card into the CAP reader in order to participate in one of several supported authentication protocols. CAP is a form of two-factor authentication as both a smartcard and a valid PIN must be present for a transaction to succeed. Banks hope that the system will reduce the risk of unsuspecting customers entering their details into fraudulent websites after reading ‘phishing’ emails.[2]

A Barclays PINsentry CAP Device

Operating principle

The CAP specification supports several authentication methods. The user first inserts their smartcard into the CAP reader and enables it by entering the PIN. A button is then pressed to select the transaction type. Most readers have 2 or 3 transaction types available to the user under a variety of names. Some known implementations are:

  • Code/Identify: Without requiring any further input, the CAP reader interacts with the smartcard to produce a decimal one-time password, which can be used, for example, to log in to a banking website.
  • Response: This mode implements challenge-response authentication, where the bank's website asks the customer to enter a "challenge" number into the CAP reader, and then to copy the "response" number displayed by the CAP reader into the website.
  • Sign: This mode is an extension of the previous, where not only a random "challenge" value, but also crucial transaction details such as the transferred value, the currency, and recipient's account number have to be typed into the CAP reader.

The transaction types noted above are implemented using one of two modes. One of these modes can operate in two forms, giving three distinct modes in practice, though the specification does not name them this way.

  • Mode1: This is the mode for normal monetary transactions such as an online purchase through a merchant. The transaction value and currency may be included in the computation of the cryptogram. If the card does not require it or the terminal does not support it, then both amount and currency are set to zero during the computation.
  • Mode2: This mode may be used to authenticate a user when no transaction is taking place, such as logging in to an Internet banking system. The computation differs in that no transaction data is included, which makes these responses very easy to precompute or reuse.
  • Mode2 with TDS: This mode may be used for more complicated transactions, such as a funds transfer between accounts. Multiple data fields pertaining to the transaction are concatenated and then hashed using the value that would result from a Mode2 operation as the key for the hashing algorithm. The resultant hash is used in place of the cryptogram calculated in a non-TDS Mode2 operation.

Mode1 sounds very much like a specific use of Mode2 with TDS (Transaction Data Signing), but there is a critical difference. In Mode1 operation, the transaction data (amount and currency type) are used in the cryptogram calculation in addition to all the values used in Mode2 without TDS, whereas Mode2 with TDS includes its transaction data in a subsequent step rather than in the cryptogram calculation itself. If it were not for this difference, all operations could be generalized as a single operation with varying optional transaction data.

Protocol details

 
A Nordea E-code reader

In all three modes, the CAP reader asks the EMV card to output a data packet that confirms the cancellation of a fictitious EMV payment transaction, which involves the details entered by the user. This confirmation message contains a message authentication code (typically CBC-MAC/TDES) that is generated with the help of a card-specific secret key stored securely in the smartcard. Such cancellation messages pose no security risk to the regular EMV payment application, but they can be cryptographically verified and are generated by an EMV card only after the correct PIN has been entered. This gave the CAP designers a way to create strong cryptographic evidence that a PIN-activated EMV card is present and has seen some given input data, without having to add any new software functions to already fielded EMV cards.

An EMV smartcard contains a (typically 16-bit) transaction counter that is increased by one with each payment or CAP transaction. The response displayed by a CAP reader essentially consists of a concatenation of the (typically 7) least-significant bits of the transaction counter, followed by selected bits from the message authentication code of the transaction abort message sent by the card, converted from a binary into a decimal number.

In the identify mode, the response depends only on the transaction counter value. In the response mode, it depends in addition on the entered challenge, and in signing mode it also depends on the entered transaction details.
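The response construction described above (the low bits of the transaction counter followed by selected MAC bits, read as one decimal number) and the Mode1 / Mode2 / Mode2-with-TDS distinction from the previous section, as an added Python model. It is not part of the article, the CAP specification, or any bank's code. It assumes HMAC-SHA256 as a stand-in for the card's CBC-MAC/TDES, a constructed card key, 24 selected MAC bits, a simple field packing, and a bank-side counter window of 32; the names identify, respond, mode1, mode2_tds, bank_verify, ATC_BITS and MAC_BITS are the example's own.

```python
import hashlib
import hmac
import struct

# Constructed card key for the example. A real EMV card keeps its key inside the chip.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

# Layout of the displayed response as the article describes it: the low bits of the
# transaction counter (ATC) followed by selected bits of the MAC, read as one decimal number.
ATC_BITS = 7    # "typically 7" least-significant counter bits
MAC_BITS = 24   # number of MAC bits shown: an assumption made for this example


def card_mac(key: bytes, data: bytes) -> bytes:
    """Stand-in for the card's MAC over the cancelled fictitious transaction.
    The article says cards use CBC-MAC/TDES; HMAC-SHA256 is used here only so
    the example runs with the standard library."""
    return hmac.new(key, data, hashlib.sha256).digest()


def cryptogram(key: bytes, atc: int, challenge: int = 0,
               amount: int = 0, currency: int = 0) -> bytes:
    """Cryptogram over the data the card sees: the 16-bit counter, the challenge and,
    in Mode1, the amount and currency (both zero when not used). The field packing
    is an assumption, not the EMV/CAP encoding."""
    data = struct.pack(">HQQH", atc & 0xFFFF, challenge, amount, currency)
    return card_mac(key, data)


def cap_response(atc: int, mac: bytes) -> int:
    """Concatenate the low ATC_BITS of the counter with the leading MAC_BITS of the
    MAC (which MAC bits are "selected" is an assumption) and read the bit string as
    a decimal number, as the reader displays it."""
    atc_part = atc & ((1 << ATC_BITS) - 1)
    mac_part = int.from_bytes(mac, "big") >> (len(mac) * 8 - MAC_BITS)
    return (atc_part << MAC_BITS) | mac_part


def identify(key: bytes, atc: int) -> int:
    """Identify/Code: depends only on the counter, so no challenge or amount."""
    return cap_response(atc, cryptogram(key, atc))


def respond(key: bytes, atc: int, challenge: int) -> int:
    """Respond: adds the challenge typed into the reader (Mode2 without TDS)."""
    return cap_response(atc, cryptogram(key, atc, challenge))


def mode1(key: bytes, atc: int, challenge: int, amount: int, currency: int) -> int:
    """Mode1: amount and currency enter the cryptogram calculation itself."""
    return cap_response(atc, cryptogram(key, atc, challenge, amount, currency))


def mode2_tds(key: bytes, atc: int, challenge: int, fields: list) -> int:
    """Mode2 with TDS: the transaction fields are concatenated and MACed in a
    separate step, keyed with the value a plain Mode2 operation would produce."""
    mode2_value = cryptogram(key, atc, challenge)
    signed = card_mac(mode2_value, b"\x00".join(fields))
    return cap_response(atc, signed)


def bank_verify(key: bytes, last_atc: int, response: int, window: int = 32):
    """Bank-side check of an Identify response. Only the low ATC_BITS of the
    counter are displayed, so the bank recomputes for counters just after the
    last value it saw and returns the matching counter, or None."""
    for atc in range(last_atc + 1, last_atc + 1 + window):
        if identify(key, atc) == response:
            return atc
    return None


if __name__ == "__main__":
    atc = 0x1234
    print("identify :", identify(CARD_KEY, atc))
    print("respond  :", respond(CARD_KEY, atc, 12345678))
    print("mode1    :", mode1(CARD_KEY, atc, 12345678, 10000, 826))
    print("mode2+TDS:", mode2_tds(CARD_KEY, atc, 12345678, [b"10000", b"826", b"12345678"]))
    print("bank sees counter", bank_verify(CARD_KEY, 0x1230, identify(CARD_KEY, atc)))
```

The model makes two points from the text concrete: the Identify response changes only when the counter does, which is why the bank can recover the full counter from the seven displayed bits by searching a small window after the last value it saw; and Mode1 and Mode2 with TDS give different results for the same amount and currency because the data enters the computation at different steps (inside the cryptogram in Mode1, in a keyed second step in Mode2 with TDS).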

The same on-card PIN retry counter is used as in EMV transactions. So just like at an ATM or POS terminal, entering an incorrect PIN three times in a row into a CAP reader will block the card.

Incompatibility

The original CAP specification was designed to use normal EMV transactions, so that the CAP application could be deployed without updating the firmware of existing EMV cards if necessary. The preferred implementation uses a separate application for CAP transactions. The two applications may share certain data, such as the PIN, while other data is not shared, either because it applies only to one application (e.g. terminal risk management data for EMV) or because keeping it separate is advantageous (e.g. the transaction counter, so that EMV and CAP transactions increment separate counters that can be verified more accurately). The reader also carries implementation-specific data, some of which may be overridden by values in the card. Therefore, CAP readers are generally not compatible with cards from different issuing banks.

Vulnerabilities

Cambridge University researchers Saar Drimer, Steven Murdoch and Ross Anderson conducted research[3] into the implementation of CAP, outlining a number of vulnerabilities in the protocol and in the UK variant of both readers and cards. Numerous weaknesses were found.

Users

Sweden

  • Nordea began using CAP in November 2007.[4] The Nordea eCode solution is used by Nordea for eBanking, eCommerce (3DS) and eID. The reader has some more advanced functions that extend CAP, making Nordea's CAP implementation more secure against trojans and man-in-the-middle attacks. When used for eID, the user is able to file his "tax declaration" online, or use any of the provided eGovernment functions. The device is also equipped with a USB port, which enables the bank to perform Sign-What-You-See for approval of sensitive transactions.

United Kingdom

 
A Nationwide CAP Device
  • APACS defined a CAP subset for use by UK banks.
  • Barclays Bank began issuing CAP readers (which they call "PINsentry") in 2007 to customers who make an online payment to a new recipient.[5][6] Their online-banking website uses the "identify" mode for login verification and the "sign" mode for transaction verification. The "respond" mode is not currently used. The PINsentry device is powered by four LR44 button cell batteries, which the manual claims will last from five to seven years. A version for vision-impaired users (with voice output) is available on request. The device is also now used in branches to replace traditional chip and PIN devices, in order to further prevent attempted fraud.
  • Nationwide
  • Co-operative Bank and Smile
  • Royal Bank of Scotland (including NatWest)
  • The CAP readers of Barclays, Nationwide, Co-operative Bank/Smile and RBS are all mutually compatible.

References

  1. ^ Dynamic passcode authentication, VISA Europe
  2. ^ http://www.theregister.co.uk/2007/04/18/pinsentry/
  3. ^ Optimised to fail: Card readers for online banking
  4. ^ New security solution | nordea.se, in Swedish.
  5. ^ "Barclays PINsentry".
  6. ^ Barclays to launch two-factor authentication, The Register, 2006-08-09.