smart card – smart card authentication process


Giant disclaimer that this varies greatly by card manufacturer. This answer is out of my reach and I hope someone can give a better one with a little research.

The basic type of contactless card only provides your identification number, for example, via RFID. The reader searches for that in a database. This is obviously vulnerable to cloning.

This varies by manufacturer, but the basic idea is that the card has an RSA or ECDSA public key (or certificate) and a private key. The reader will look up your public key (or certificate) in the database to find out who you are, and then challenge the card to demonstrate that you have the corresponding private key. Conceptually, the reader will create a random string (called a nonce) and ask the card to digitally sign it with its private key.

This type of card is designed to avoid cloning: the card will never release your private key, and extracting it requires very advanced reverse engineering, almost literally down to the transistor level. You can read about side-channel crypto attacks.

They also prevent write and replay attacks because the reader will create a new random sequence every time, and the signature produced by the card must match.

I'm pretty confused by the EMV specification, but I understand that it is similar to PKI smart cards, with some additional complexity to handle a PIN and the fact that you don't necessarily trust the point-of-sale terminal that the card is interacting with.
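
The nonce challenge described above, as an added Go sketch that is not part of the original answer and not any manufacturer's protocol. The `Card` and `Reader` types, the card ID `card-0001`, and the choice of ECDSA P-256 over a SHA-256 hash of the nonce are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Card models the smart card (hypothetical type): Sign is the only use of the key it exposes.
type Card struct{ priv *ecdsa.PrivateKey }

func (c *Card) Sign(nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, c.priv, h[:])
}

// Reader holds the enrolled public keys (the "database"), keyed by card ID.
type Reader struct{ enrolled map[string]*ecdsa.PublicKey }

// NewChallenge returns a fresh random nonce for one authentication attempt.
func (r *Reader) NewChallenge() ([]byte, error) {
	n := make([]byte, 32)
	_, err := rand.Read(n)
	return n, err
}

// Verify accepts only a signature over the nonce issued for this attempt.
func (r *Reader) Verify(id string, nonce, sig []byte) bool {
	pub, ok := r.enrolled[id]
	h := sha256.Sum256(nonce)
	return ok && ecdsa.VerifyASN1(pub, h[:], sig)
}

// Demo returns (fresh response accepted, recorded response accepted on replay).
func Demo() (bool, bool) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	card := &Card{priv}
	reader := &Reader{map[string]*ecdsa.PublicKey{"card-0001": &priv.PublicKey}} // constructed ID
	n1, _ := reader.NewChallenge()
	sig1, _ := card.Sign(n1)
	fresh := reader.Verify("card-0001", n1, sig1)
	n2, _ := reader.NewChallenge()                 // the next session gets a different nonce
	replay := reader.Verify("card-0001", n2, sig1) // old signature presented again
	return fresh, replay
}

func main() { fmt.Println(Demo()) }
```

The recorded signature fails in the second session because it covers the first nonce, not the one the reader just issued.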