The authentic mode procedure
The authentic mode procedure guarantees authentic transmission of APDUs, which means that the APDUs are protected against manipulation during transmission. The recipient of an APDU (a command or a response) can determine whether it has been altered during transmission. This makes it impossible for an attacker to modify data within an APDU without the recipient noticing. The use of this procedure is indicated by a bit in the class byte, so that the recipient can act accordingly and check the received APDU for authenticity.

The actual APDUs are sent in plaintext and are not encrypted. The transmitted data are thus still public, and with suitable manipulation of the transmission channel they could be intercepted and evaluated by an attacker. This is not necessarily a disadvantage, since with respect to privacy legislation it is better not to send confidential data via a public channel. In addition, the card user at least theoretically has the possibility of seeing what data are exchanged between his or her smart card and the terminal.

In principle, any block encryption algorithm can be used to compute the cryptographic checksum. For practical reasons, we assume that DES is used with a fixed 8-byte block length. The individual data objects must therefore be ‘filled out’ to an integer multiple of eight bytes, which is known as padding. In this process, data objects whose length is already an integer multiple of eight bytes are nevertheless extended by one block. After padding, the cryptographic checksum (CCS) of the entire APDU is computed using the DES algorithm in CBC mode. This 8-byte checksum is appended directly to the APDU as a TLV-coded data object, with the four least significant bytes omitted. All padding bytes are deleted after the checksum has been computed. The modified APDU is then sent via the interface. This procedure extends the length of the APDU by eight bytes, which only marginally reduces the transmission rate if normal transmission block sizes are used.

The data objects for the control structures can also explicitly identify the algorithm and padding method that are used. Here again we assume for the sake of simplicity that the smart card and the terminal implicitly know all the parameters of the secure messaging system being used. When the protected APDU arrives at the recipient, the latter again pads it to an integer multiple of eight bytes and then computes its own MAC for the APDU. By comparing the MAC it has generated with the MAC generated by the sender, the recipient can determine whether the APDU has been altered during the transmission.

A prerequisite for computing a cryptographic checksum is a secret DES key that is known to both parties. If this key were not secret, an attacker would be able to break the authentic mode communication procedure by intercepting an APDU, modifying it as desired and computing a new ‘correct’ MAC. After this, he would only have to replace the original MAC with the new one and send the newly created APDU on its way. In order to better protect the keys used to generate the MAC against attacks based on known plaintext–ciphertext pairs, dynamic keys are normally used. These are generated by encrypting a random number that has been previously exchanged between the terminal and the card. A secret key known to both parties is used for this encryption.

The additional steps that are needed for the transmission and reception of an APDU that is protected by the authentic mode procedure naturally reduce the effective data transmission rate. On average, a good approximation is to assume that the rate will be half of that for unprotected plaintext.
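The sender and recipient sides of the authentic mode procedure described above, as an added example that is not taken from the book: padding to a multiple of eight bytes (always at least one byte, so an exact multiple grows by a full block), the CBC-mode checksum, truncation to four bytes, the TLV data object and the recipient's comparison, plus the dynamic session key derived by encrypting an exchanged random number. The '80 00 .. 00' padding pattern and the '8E' checksum tag are assumptions (taken from ISO/IEC 7816-4, not stated in the text), and DES is replaced by a keyed-hash stand-in so the code runs offline; any 8-byte block cipher can be plugged in through the `encrypt` parameter.

```python
import hashlib
import hmac

BLOCK = 8            # DES block length assumed by the text

def demo_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for one DES block encryption so the example runs offline.
    A keyed hash truncated to 8 bytes: NOT a cipher, swap in DES in practice."""
    return hashlib.sha256(key + block).digest()[:BLOCK]

def pad(data: bytes) -> bytes:
    """Pad to a multiple of 8 bytes ('80 00 .. 00', assumed as in ISO/IEC 7816-4).
    Data already a multiple of 8 still grow by one full block, as the text says."""
    padded = data + b"\x80"
    return padded + b"\x00" * (-len(padded) % BLOCK)

def cbc_mac(key: bytes, padded: bytes, encrypt=demo_block_encrypt) -> bytes:
    """CBC-mode checksum over the padded APDU: each block is XORed with the
    previous ciphertext block before encryption; the last block is the CCS."""
    assert len(padded) % BLOCK == 0
    chain = bytes(BLOCK)                      # zero IV
    for i in range(0, len(padded), BLOCK):
        chain = encrypt(key, bytes(a ^ b for a, b in zip(chain, padded[i:i + BLOCK])))
    return chain

CCS_TAG = 0x8E   # tag assumed for the checksum data object (ISO/IEC 7816-4 uses '8E')
MAC_LEN = 4      # the four least significant bytes of the 8-byte CCS are omitted

def protect_apdu(key: bytes, apdu: bytes) -> bytes:
    """Sender side: pad, compute CCS, truncate, append as TLV; padding is dropped."""
    ccs = cbc_mac(key, pad(apdu))[:MAC_LEN]
    return apdu + bytes([CCS_TAG, MAC_LEN]) + ccs

def verify_apdu(key: bytes, protected: bytes):
    """Recipient side: re-pad the plaintext part, recompute the CCS and compare.
    Returns the APDU if authentic, None if tampered (or malformed)."""
    split = len(protected) - (2 + MAC_LEN)
    if split < 0 or protected[split] != CCS_TAG or protected[split + 1] != MAC_LEN:
        return None
    apdu, received = protected[:split], protected[split + 2:]
    expected = cbc_mac(key, pad(apdu))[:MAC_LEN]
    return apdu if hmac.compare_digest(expected, received) else None

def derive_session_key(master_key: bytes, challenge: bytes) -> bytes:
    """Dynamic key: encrypt the exchanged random number with the shared secret key."""
    return demo_block_encrypt(master_key, challenge)
```

Both sides call `derive_session_key` with the same master key and the random number exchanged at session start, then use the result for `protect_apdu` and `verify_apdu`.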

The combined mode procedure
Compared with the authentic mode procedure, the combined mode procedure represents the next higher level of security. The data section of the APDU is no longer transmitted as plaintext, but instead in an encrypted form. The procedure is an extension of the authentic mode procedure. In the combined mode procedure, as in the authentic mode procedure, the data objects to be protected with a cryptographic checksum are first padded to an integer multiple of eight bytes and then encrypted using the DES in CBC mode. The header is excluded from this process, as required for compatibility with the T = 0 protocol. (If it is desired to encrypt the header as well, so that the command being sent to the card is unrecognizable, the T = 0 ENVELOPE command must be used.) One bit in the class byte indicates the use of secure messaging. The data are transmitted across the interface after they have been encrypted. Since the recipient knows the secret key that was used for encryption, it can decrypt the APDU. The recipient then checks the correctness of the decryption by recomputing the appended cryptographic checksum at the same level of the transmission layer.

When this procedure is used, an attacker eavesdropping on the I/O line cannot discover which data are exchanged between the card and the terminal in the command and response. It is also not possible to replace one of the encrypted blocks within the APDU, since the blocks are linked to each other by using the DES in CBC mode. Any replacement would be immediately noticed by the recipient. With regard to the cryptographic algorithm, the comments made in the description of the authentic mode procedure apply here as well. In principle, any block encryption algorithm can be used. The keys should be dynamic, as with the authentic mode procedure, which means that a session-specific derived key should be used for every session.

With regard to the security benefits, general usage of the combined mode procedure for all APDUs can be recommended. However, increased security is accompanied by a considerable reduction of the effective transmission rate. A good approximation for the difference in the transmission rates for unprotected APDUs and those protected using the combined mode procedure is a factor of four. The speed difference between the authentic mode and combined mode procedures thus amounts to a factor of two. It is therefore necessary to carefully examine each case, in order to determine which data should be transmitted in such a secure but time-consuming fashion.