Giter Club home page Giter Club logo

android-emv-key-test's Introduction

EMV-Card ROCA-Keytest

What's this?

This is a simple Android app, which reads (NFC-enabled) EMV banking cards via NFC, tries to extract the public RSA keys (ICC, issuer and card-scheme CA), and displays the data in hexdecimal form.

The keys are also checked for the ROCA vulnerability (see also the note below).

Update Nov 19, 2017: I've written also a posting on Google+ summarizing what I've done here: https://plus.google.com/+JohannesZweng/posts/bjPMWHT8k7r

Source details

If you want to see how the EMV public keys are recovered from certificates look into EMVKeyReader.java.

The check for the ROCA vulnerability is done in ROCACheck.java which is based on the code from the crocs-muni/roca github repository where credits for porting it to Java go to Martin Paljak.

Download APK:

A readily built APK file can be found in the release section (direct download link: EMV-Key-Test-1.0.0.apk).

Screenshot:

Screenshot

TODO / not working:

  • get a nice logo
  • Currently the ICC PIN Encipherment RSA key (if present) is not checked (mostly because I don't have a card with such a key for testing)
  • the hash within the ICC public key certificate is not checked for validity (currently I didn't implement full data verification of all static authentication data)

Notes regarding ROCA vulnerability and EMV:

I would expect that EMV RSA keys are NOT vulnerable to the ROCA attack, because as far as I understand the EMVCo documents the RSA keys used in payment cards are created externally and then loaded into the payment card during card personalization using well-defined procedures. So the RSA keys are not generated within the payment card.

The ROCA vulnerability only affects keys generated within certain Infineon chips (when the "RSA Library v1.02.013" was used).

So as far as I understand, EMV RSA keys should not be vulnerable to ROCA. But you can check your cards yourself with this app.

I built this app to learn more about EMV certificate chain verification and for fun. :-)

Credits

This app uses code from Julien Millau's EMV-NFC-Paycard-Enrollment library for parsing EMV cards. The library is included as source as I modified it a little bit to get the key-related data fields (which it didn't read by default).

android-emv-key-test's People

Contributors

johnzweng avatar

Watchers

avatar avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.