ISO-based Relay-Protected Contactless Payments


As you can see here, we showed numerous man-in-the-middle attacks against EMV payments based on relay attacks.

In “Practical EMV Relay Protection”, we also showed that relay protection at EMV level, as offered by Mastercard, could be more robust, whereas the one by Visa can be bypassed with a mobile phone.

So, we set out to create relay-protection mechanisms “living” at levels lower down the protocol stack, in protocols such as ISO/IEC 14443, which underpins contactless EMV and all other RFID/NFC-based applications.

The essence.


In part 3 of ISO/IEC 14443, we added a command for any RFID reader and a card/device to exchange two random numbers, and the reader times the exchange. The exchanged nonces, the timing, and the capability to run such a feature are all sent to the application level (EMV) over the protocol stack, and cryptographically signed as part of the application (e.g., in EMV, in the card's SDAD).

The Details.


One can see some technical details at a glance here.

The proposed protocol, called L1RP — Level-1 Relay Protection — builds on the idea of a timed nonce-exchange (borrowed from Mastercard Relay Resistance Protocol) but moves the timing check down to ISO 14443 Level 1.

Because Level 1 (ISO 14443) message exchanges have lower processing overhead, they yield more stable and shorter round-trip times than EMV-level (Level 3) exchanges. This makes the timing bounds more reliable, reducing false positives (legitimate cards) and false negatives (relayed cards) for relay detection.

We formally modelled L1RP using the Tamarin prover and proved that the protocol resists relay attacks: no downgrade to an unprotected fallback, and the nonce + timing binding is cryptographically tied into the EMV application authentication (e.g. SDAD), so a relay cannot trivially spoof or replay the exchanged L1 data.
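The following Python sketch is an added example, not code from the paper or from the L1RP prototype. It models why the reader needs both the timed exchange and the application-level binding. The field layout, the timing values, the card-declared bound and the use of HMAC-SHA256 in place of the card's SDAD signature are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumptions (not from the L1RP specification): field layout, timing values,
# and HMAC-SHA256 standing in for the card's SDAD signature.
CARD_KEY = b"constructed-demo-key"
CARD_PROCESSING_US = 400      # constructed: time the card needs to answer
CARD_BOUND_US = 1000          # constructed: max round trip the card declares

def tag(reader_nonce, card_nonce, bound_us):
    """Authenticate the Level-1 nonces and timing bound at application level."""
    msg = reader_nonce + card_nonce + bound_us.to_bytes(4, "big")
    return hmac.new(CARD_KEY, msg, hashlib.sha256).digest()

def reader_check(reader_nonce, seen_nonce, rtt_us, signed):
    """Reader decision: signature first, then nonce binding, then timing."""
    s_reader, s_card, bound_us, s_tag = signed
    if not hmac.compare_digest(s_tag, tag(s_reader, s_card, bound_us)):
        return "bad-signature"
    if (s_reader, s_card) != (reader_nonce, seen_nonce):
        return "nonce-mismatch"
    if rtt_us > bound_us:
        return "too-slow"
    return "ok"

def transaction(link_delay_us=0, nonce_answered_by_card=True):
    """Run one timed nonce exchange plus the later signed application data."""
    reader_nonce = os.urandom(4)
    card_nonce = os.urandom(4)                    # generated inside the card
    # Level 1: the reader sends its nonce, receives one back, and times it.
    if nonce_answered_by_card:
        seen_nonce = card_nonce
        rtt_us = CARD_PROCESSING_US + 2 * link_delay_us
    else:
        seen_nonce = os.urandom(4)                # reply did not come from the card
        rtt_us = CARD_PROCESSING_US
    # Application level: the card signs the values it used at Level 1.
    signed = (reader_nonce, card_nonce, CARD_BOUND_US,
              tag(reader_nonce, card_nonce, CARD_BOUND_US))
    return reader_check(reader_nonce, seen_nonce, rtt_us, signed)

if __name__ == "__main__":
    print(transaction())                              # card at the reader
    print(transaction(link_delay_us=5000))            # exchange forwarded over a slow link
    print(transaction(nonce_answered_by_card=False))  # fast reply, but not from the card
```

Timing alone rejects a forwarded exchange, and the signed nonces reject a fast reply that the signing card never produced.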

We also implemented a prototype (using Proxmark hardware) and demonstrated that L1RP is “practical” — i.e. can work in real-world NFC/EMV hardware, without prohibitive delay.

Reception.


Our solution, called L1RP, was accepted by Mastercard and EMVCo.

Because L1RP is designed at the ISO 14443 (hardware/transport) level, it was proposed for standardisation and is now being integrated in ISO/IEC 14443.

Further reading.


More can be read at ["Practical EMV Relay Protection"](https://ieeexplore.ieee.org/abstract/document/9833642) by Andreea-Ina Radu, Tom Chothia, Christopher J.P. Newton, Ioana Boureanu and Liqun Chen, published at the 2022 IEEE Symposium on Security and Privacy (SP).