Symmetric mutual authentication
The principle of mutual authentication is based on dual unilateral authentication. In principle, two successive unilateral authentications could also be used, one for each of the communicating parties, in order to achieve mutual authentication.However, since the communications overhead must be kept as low as possible to minimize the time required by the process, a procedure that interleaves the two unilateral authentication processes has been defined. This also increases the security of the procedure, since it is much more difficult for an attacker to intervene in the communications process. Before the terminal can compute the card-specific authentication key from the card number, it first needs the card number. After the terminal has received this number, it computes the specific authentication key for this card. It then requests a random number from the card, and at the same time it generates a random number itself. The terminal then swaps the two random numbers and concatenates them, after which it encrypts the resulting number using the authentication key. Finally, it sends the resulting ciphertext to the card. The objective of reversing the random numbers is to allow the challenge and response to be distinguished from each other.

The card can decrypt the received block and check whether the random number it previously sent to the terminal matches the number it received in return. If this is the case, the smart card knows that the terminal possesses the secret key. This authenticates the terminal with respect to the card. Next, the smart card swaps the two random numbers, encrypts the resulting number using the secret key and sends the resulting ciphertext block back to the terminal. The terminal decrypts the received block and compares the random number it previously sent to the card with the one it has received in return. If they match, the smart card has been authenticated with respect to the terminal. This completes the mutual authentication process, and the terminal and the smart card both know that the other is trustworthy. To minimize the communications time, the smart card can return the random number together with its card number. This is particularly attractive when mutual authentication takes place between a smart card and a background system. In this case, the card is directly addressed by the background system, with the terminal being ‘transparent’. The data transmission rate in such situations is often very low, so the communications process must be streamlined as much as possible. In order to illustrate the considerable amount of time required for a mutual authentication compared with a unilateral authentication, we can again make a sample calculation. The basic assumptions are the same as for the calculation of the time required for unilateral authentication (see Table 4.21). The results are shown in Tables 4.22 (for software implementations) and 4.23 (for hardware implementations). As can be seen, mutual authentication takes nearly three times as long as unilateral authentication.

Static asymmetric authentication
Only a few smart card microcontrollers have arithmetic processing units that can be used to execute the RSA algorithm. This is mainly because such capability would take up additional space on the chip, which would increase its price. However, the fact that a supplementary asymmetric authentication procedure would offer increased protection, since it requires an attacker to break two cryptographic algorithms instead of only one, often makes its use attractive. The problem presented by the absence of a suitable arithmetic processing unit on the card can be dealt with by the expedient of using static authentication of the card by the terminal. This only requires verification within the terminal, and an additional security module in the terminal does not significantly increase its overall cost. This solution is thus much more economical than the use of special smart card microcontrollers. In addition, this procedure is mush faster, since only one asymmetric encryption is required, as opposed to two in the case of dynamic asymmetric authentication. The price of this compromise is reduced security of the authentication procedure. With a static procedure, there is naturally no protection against replaying previous data. This is why it is used only as a supplementary verification of the authenticity of the card, which has already been verified using a dynamic symmetric procedure.
The procedure works essentially as follows. When each smart card is personalized, cardspecific information is entered into the card. This can for example be a card number, as well as the name and address of the cardholder. This information does not change during the lifetime of the card. As part of the personalization of the card, the digital signature of this information is computed using a secret key. This key is used globally in the system. When the card is used at a terminal, the terminal reads the signature and the signed data from a file in the card. The terminal has the public key, which is valid for all cards in the system, and it can use this key to encrypt the signature it has read and then compare the result with the data it has read from the card. If these two values match, the card has been authenticated by the terminal.

The procedure illustrated in Figure 4.49, in addition to lacking protection against replaying data, has yet another drawback, which is that a global key is used to generate and verify the signature. Although the key in the terminal does not need to be protected, since it is public, global keys (which are the same for all cards) should fundamentally not be used in a large system. If such a key is broken, or if it becomes known for any other reason, authentication is rendered worthless in the entire system. This means that it is necessary to introduce cardspecific key pairs for static authentication. However, this presents a problem with the memory capacity of the terminals, since each terminal must hold all available public keys for signature verification. Even in a medium-sized system, such as one with one million smart cards, this would require each terminal to have 128 MB of memory for key storage, assuming 1024-bit RSA keys. This would increase the price of the terminals to a level that would not be acceptable to system operators. When symmetric methods are used, it is quite easy to derive the card-specific keys from a master key.14 This is not possible with asymmetric methods, due to the way the keys are generated. Consequently, a different approach is taken when card-specific keys are required. The public key for the verification of the signature is stored in the card, along with the signature. In the system of the previous example, the amount of memory needed to store the public keys is still 128 MB, but this is now distributed in 128-byte packets over one million cards. The terminal thus reads the public key from a file in the smart card and can then use it to verify the signature. This avoids the problem of having to store all the public keys of the system in every terminal. However, an attacker could nowgenerate a key pair and use these keys to sign the information in a counterfeit card. The terminal would read the public key and conclude that the card was genuine. A refinement of the procedure just described is therefore required. This consists of signing the combination of the public key and the card-specific key stored in each card, using a global secret key. This signature is then stored in each card. The terminal now works as follows. It first reads the public and card-specific keys from the card and then tests the authenticity of the card-specific key using the global public key. If the card-specific key is authentic, the terminal then reads the actual data and verifies them using the public key stored in the smart card. This procedure is shown in Figure 4.50. These two procedures are already used in some systems, and they will certainly be used increasingly in the coming years. However, as soon as the inclusion of an arithmetic processing unit for asymmetric cryptographic algorithms does not significantly increase the price of a smart card microcontroller, these two procedures will lose a lot of their significance. Their biggest disadvantage is the absence of protection against replaying data from earlier sessions. Although this can be partially compensated by the use of various tricks, such as reusing signed data in subsequent symmetric cryptographic algorithms, it is still not possible to match the level of protection provided by dynamic authentication procedures.