[Cryptography] cryptography Digest, Vol 121, Issue 4

Wes Kussmaul Wes at ReliableID.com
Sun May 7 12:28:43 EDT 2023


On 5/7/23 12:00, cryptography-request at metzdowd.com wrote:
>
> Today's Topics:
>
>     1. Cryptography buzzword spotted in mundane life, and I don't
>        know what it means (Kent Borg)
>     2. Re: Cryptography buzzword spotted in mundane life, and I
>        don't know what it means (John Levine)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 6 May 2023 11:04:52 -0700
> From: Kent Borg <kentborg at borg.org>
> To: Cryptography List <cryptography at metzdowd.com>
> Subject: [Cryptography] Cryptography buzzword spotted in mundane life,
> 	and I don't know what it means
> Message-ID: <0e317cc2-fc5f-8c4b-485c-9f2a60c69b12 at borg.org>
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>
> I just bought groceries at a Bristol Farms store, in Pasadena. I paid
> with a credit card chip transaction.
>
> And I noticed something on the receipt I've never seen before, near the
> bottom is this stuff:
>
>      ACCT: AMERICAN EXPRESS 151.14
>      (timestamp with some extra digits and spaces off the end)
>      AID: A000000? (ending in a good number of non-zero digits I'm too
>      lazy to try to copy)
>      TVR: 0800008000
>      TSI: E800
>      TRANSACTION TYPE: 00
>      APPLICATION ISSUER DATA: (13 hex digits)
>      APPLICATION CRYPTOGRAM: (14 hex digits)
>      CVM: 5E0300
>      POS Entry Mode: 05
>      Host Return Code 000
>
> The "application cryptogram" is what caught my eye -- a message from credit
> card chip, its answer to some challenge?
>
>
> -kb, the Kent who was part of the big "Shopify 20% Off!" layoff event
> this week, and so could use a job, BTW.
>
> ------------------------------
>
> Message: 2
> Date: 6 May 2023 21:07:47 -0400
> From: "John Levine" <johnl at iecc.com>
> To: cryptography at metzdowd.com
> Cc: kentborg at borg.org
> Subject: Re: [Cryptography] Cryptography buzzword spotted in mundane
> 	life, and I don't know what it means
> Message-ID: <20230507045946.AB588D017B1A at ary.qy>
> Content-Type: text/plain; charset=utf-8
>
> It appears that Kent Borg <kentborg at borg.org> said:
>> The "application cryptogram" is what caught my eye -- a message from credit
>> card chip, its answer to some challenge?
> It's a hash that the issuer can verify. Each EMV card has a unique
> secret stored in its chip known to its card issuer. The cryptogram
> depends on the shared secret and transaction details, so it prevents
> replay attacks that you get with static info from a magstripe. Dunno
> what the point is of printing it on the receipt.
>
> This sort of explains it:
>
> https://medium.com/@DEEPTHIMALLIDI/emv-cryptogram-arqc-explained-1fe2fed4440b
>
> R's,
> John
>

Allow me to guess the answer to

"Dunno what the point is of printing it on the receipt."

It's to get people to think about the proper role of cryptography, that 
it's more than websites that start with https:// and their site 
certificates signed by anyone who can convince the browser makers that 
they're a "certification authority."

Silibandia understands that popular understanding of digital signatures, 
ID certificates with measurable ID reliability, etc. are a threat to 
their business model of owning, and controlling the use of, the 
individual's PII and so they don't want this stuff to become understood 
by consumers.

This use of "Application Cryptogram" on register receipts is one small 
step to counter that.

Hats off to Bristol Farms!

Wes Kussmaul
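
The mechanism described in the quoted reply (a per-card secret known to the issuer, and a cryptogram that depends on that secret and the transaction details) can be sketched as follows. This is an added example, not code from the thread or from any EMV implementation. HMAC-SHA256 stands in for EMV's real MAC and key derivation, and the counter, nonce, key, and names such as `Issuer` and `card_cryptogram` are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

def card_cryptogram(card_key: bytes, atc: int, amount_cents: int, nonce: bytes) -> bytes:
    """Card side: MAC the transaction details under the card's secret."""
    msg = struct.pack(">HQ", atc, amount_cents) + nonce
    # HMAC-SHA256 truncated to 8 bytes is a stand-in, not EMV's real algorithm.
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]

class Issuer:
    """Issuer side: knows each card's secret and the last counter it accepted."""
    def __init__(self):
        self.keys = {}
        self.last_atc = {}

    def enroll(self, card_id, card_key):
        self.keys[card_id] = card_key
        self.last_atc[card_id] = 0

    def verify(self, card_id, atc, amount_cents, nonce, cryptogram):
        key = self.keys.get(card_id)
        if key is None:
            return "unknown card"
        expected = card_cryptogram(key, atc, amount_cents, nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return "bad cryptogram"      # details or key do not match
        if atc <= self.last_atc[card_id]:
            return "replayed counter"    # valid MAC, but already seen
        self.last_atc[card_id] = atc
        return "approved"

def demo():
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed test key
    issuer = Issuer()
    issuer.enroll("card-1", key)
    nonce = bytes.fromhex("a1b2c3d4")            # constructed terminal nonce
    ac = card_cryptogram(key, 1, 15114, nonce)   # 151.14, the receipt amount
    return [
        issuer.verify("card-1", 1, 15114, nonce, ac),   # genuine transaction
        issuer.verify("card-1", 1, 15114, nonce, ac),   # same message resent
        issuer.verify("card-1", 2, 15114, nonce, ac),   # old cryptogram, new counter
        issuer.verify("card-1", 2, 99999, nonce,
                      card_cryptogram(b"\x00" * 16, 2, 99999, nonce)),  # wrong key
    ]

if __name__ == "__main__":
    print(demo())
```

A captured cryptogram is only valid for the exact counter, amount and nonce it was computed over, which is the contrast with static magstripe data drawn in the quoted reply.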



