Seite nur auf Englisch verfügbar
Display-TAN Card Personalisation (''seed perso'')
''Seed perso'' means in the context of security tokens the process of storing the secret seed/key on the token. The seed for a Display-TAN card consists of 160 bits.
The following seed perso concept for Display-TAN has the advantage that the bank's card-producer/-personaliser is not involved in the Display-TAN seed perso. This means that no extra machines or extra processes are needed at the bank's card-producer/-personaliser: the only change is that the usual input plastic cards are replaced by Display-TAN cards. In case the EMV chip is contactless and needs an NFC-antenna, the Display-TAN card is delivered with an additional NFC-antenna (same contact points, no connection to the Display-TAN parts).
The main idea is to let the bank customer trigger the final seed-perso process on his smartphone: When the bank customer during a banking session on his smartphone turns on the Display-TAN card the first time a bidirectional communication chain
Bank Server <--Internet--> Smartphone <--Bluetooth--> Card
is set up by the banking app on the bank customer's smartphone. A preliminary seed on the card allows to execute this final seed-perso in an encrypted way, end-to-end, i.e., Bank Server to Card.
The following diagram is showing the seed perso process.
More detailed, the suggested Display-TAN seed perso works the following way:
- The Display-TAN cards are produced in Taiwan. For each card, an individual preliminary 160 bit seed and a 128 bit key are randomly and independendly generated and stored on the card. The unique card ID (say a 12 digit number), its preliminary seed p and it preliminary key q are memorized as a triple <ID,p,q>.
- The cards are shipped to the bank's card producer/personaliser. In parallel, A CD containing a list of all triples <ID,p,q> of the cards contained in the package is send to the bank.
- The bank's card producer/personaliser takes the Display-TAN cards instead of blank cards, and handles the cards like before, including the mounting of the EMV-chip, card personalisation, etc., and possibly even the distribution of the cards to the bank customers.
- The bank receives the CD and stores the list of triples <ID,p,q>.
- The final seed-perso takes place when the bank customer uses the Display-TAN card the first time. In the background - preferably not visible to the bank customer - the following protocol between bank server and bank card takes places. The smartphone will just be an intermediate communication device: it only forwards the encrypted messages from/to the bank server (via Internet) to/from the bank card (via Bluetooth):
- The bank customer logs into his bank account on his smartphone app. Therefore, the bank server knows which bank account is dealt with. The bank server looks up whether the Display-TAN card of the customer is already finally personalised. In case it is not, the following sub-protocol starts in the background the moment the bank customer turns on his Display-TAN card:
- The bank server asks the card for its ID. The card receives the query and sends back its ID to the server.
- The bank server receives the ID and looks up in its list/table the preliminary key q for this ID. The bank server randomly produces a final 160-bit seed s and independendly an 128-bit final key k for that customer, and then AES128-encrypts the message "PERSO_SETSEED~s~k~ENDPERSO" with the prelimnary key q, and sends this encrypted message to the card.
- The card receives the message and AES128-decrypts it with the current key, i.e. the preliminary key q. It checks whether the decrypted message is of the form PERSO_SETSEED~s~k~ENDPERSO. If this is the case the card replaces the preliminary seed p by s and the preliminary key q by k. Finally it sends back to the server a notification that everything went fine and closes the perso interface once and for all.
- The bank server receives the notification and finally stores s as the final 160-bit Display-TAN seed and k as the final 128-bit key for this account.
- The seed perso is finished. Bank server and card proceed, for example with the Display-TAN-signing of the first money transfer the customer has entered.
The only way to compromise the seed perso is by (A) stealing the pre-seeds (in Taiwan, on the CD, at the bank server) and then (B) interfering into the key exchange process as a virus within the Internet or on the smartphone of the bank customer. Managing (A) or (B) is hard, managing both seems to be practically impossible. Note that even simple sabotage (= damage without use for the attacker) is not possible.
It may be an issue that a physical thief or a smartphone trojan may steal the online password and intialize another card which he/it received as a customer of the bank. In other words: the breach of the first factor allows a breach of the second factor - at least for a certain period of time. If this is considered a problem there is the following modification of the solution which prevents this attack: When the letters containing the new bank card are send to the customer, a random OTP for this card is provided within that letter. The personalization of the Display-TAN part of the card proceeds like described above but with the additional step that the bank customer enters this OTP into the smartphone. This extended solution prevents the attack described above. Its disadvantages are (1) the bank card personalizer has this additional step of generating the OTP (but it only requires a software change and does not affect the card production), and (2) the user is explicitly involved into the personalization process whereas without this OTP step the personalization could fully be hidden from him.
This Display-TAN seed perso concept was developed by B. Borchert and K. Reinhardt, Feb. 2016.