Older cards indeed didn't have it for cost reasons, and online-only cards theoretically have no strict need for it even today, but practically, a symmetric-only card is a non-starter these days for several reasons. You won't be able to ride the Tube in London or Subway in NYC with a card that does not support it, for example.
Those systems all perform online auths at the gate, they don’t rely on offline transactions at all.
Asymmetric encryption is used to prove the identity of the card itself, I.e. prove it’s a real card owned by a real issuer. But it’s not used to sign the transaction itself.
Transaction cryptograms, the cryptographic blob that’s built using data like transaction amounts, method of customer authentication etc only use symmetric encryption. The produced cryptogram itself is then also signed using an asymmetric key, but the asymmetric and symmetric blobs are distinct entities and processes separately by the card network.
Now this is the really important, and completely non-obvious part. Only the symmetrically encrypted transaction cryptogram is sent over the card network to the issuer. All of the asymmetric parts are only used locally by the terminal for validation, then thrown away. So the data produced by the card that is actually stored and eventually sent to the issuer can’t be used for cryptographic non-repudiation, because there’s no mechanism for the merchant to prove using only the transaction cryptogram, and public keys, that a specific transaction was signed by a specific card issued by a specific issuer.
This may seem very strange from a technical perspective, but only because people think that the technical elements of card networks is what prevents fraud. In reality fraud, at least between network participants, is entirely prevented using legal contracts, escrow accounts, and the simple fact that the benefit of abusing the technical measures to commit fraud is simply not worth the consequences. Being a network participant requires you to put millions of dollars in escrow, and be a large enough company that you can realistically move millions of dollars in transactions everyday. Fraud between companies at that level is solved using very expensive lawyers, the technical measures only need to provide enough evidence of tampering to stand up in a court of law, where everyone is under oath, and at risk of personal repercussions for perjury. There is no need for them to be completely fool proof, it’s much easier to just depose the engineers who were ordered to circumvent the technical controls, under threat of prison time, than it is to get every network participant to adopt some complex cryptographic non-repudiation scheme to protect against scenarios that don’t actually occur in reality.
No, there's not enough time for online authorizations at transit turnstiles. They do the online auth as fast as possible, and if it does not go through they put the card on a denylist [1].
But since it would be possible to just make up random valid card numbers on the spot, they do enforce successful offline authentication – using asymmetric cryptography.
> Asymmetric encryption is used to prove the identity of the card itself, I.e. prove it’s a real card owned by a real issuer. But it’s not used to sign the transaction itself.
In CDA, it is used to sign the entire transaction.
> Only the symmetrically encrypted transaction cryptogram is sent over the card network to the issuer. All of the asymmetric parts are only used locally by the terminal for validation, then thrown away.
That's true, but doesn't change the fact that offline authentication is an integral part of EMV. Also, the "then thrown away" part could relatively straightforwardly be changed by the networks if ever necessary. The CDA output provides actual non-repudiation.
> This may seem very strange from a technical perspective, but only because people think that the technical elements of card networks is what prevents fraud.
I'd say it's just a historically grown legacy system, and it would have been too disruptive to retrofit asymmetric cryptograms into it (with its vastly larger cryptograms and every byte of transmission data coming at a premium).
If EMV were redesigned from scratch, it would 100% just use the CDA-style cryptogram for transaction approval as well.
> In reality fraud, at least between network participants, is entirely prevented using legal contracts, escrow accounts, and the simple fact that the benefit of abusing the technical measures to commit fraud is simply not worth the consequences.
On this part I'd agree. The most important factor here is that the type of fraud that could exploit this "symmetric/asymmetric gap" requires a malicious terminal or merchant.
That's not really a common threat scenario in EMV, since fraudulent merchants could already do many other things (such as e.g. tapping commuters' wallets using a concealed POS terminal for low-value payments), and becoming a fully trusted merchant has relatively high entry barriers as a result.
I do suspect that this could change, with EMV becoming more and more accessible for very small merchants using cheap mobile terminals or even regular contactless-capable smartphones. But as I've mentioned, it's not too hard to address these issues using policy.
[1] https://content.tfl.gov.uk/aac-20141217-part-1-item12-contac...
Yes you’re correct. Although as it happens there is a very easy way to get hold of randomly generated valid card numbers. Which is Apple Pay, and is a huge problem for TfL.
But again the asymmetric crypto here is just to validate the identity of the card, and to secure the communication between card and terminal. It doesn’t actually secure the transaction itself in any meaningful way.
> That's true, but doesn't change the fact that offline authentication is an integral part of EMV. Also, the "then thrown away" part could relatively straightforwardly be changed by the networks if ever necessary. The CDA output provides actual non-repudiation.
You ever been part of a network rule change of that magnitude before? I can tell you with some confidence there is nothing easy about. I’ve seen much smaller changes take decades to implement. Making rules change is easy, getting all the participants to implement the change, that’s an entirely different kettle of fish.
> I do suspect that this could change, with EMV becoming more and more accessible for very small merchants using cheap mobile terminals or even regular contactless-capable smartphones. But as I've mentioned, it's not too hard to address these issues using policy.
Nah I doubt it’ll change. There’s already policy level protections to protect against these cases. The standard chargeback process and the removal of merchants with high chargeback rates already prevents this behaviour. Malicious merchants already exist, but they defraud people mostly through social engineering, putting people in positions where they approve transactions they don’t want to, and make it extremely embarrassing for them the victims to report the crime. From the issuers perspective the only type of fraud where are our hands are completely tied, is the variety where customers refuse to admit they’ve been defrauded. Which does happen.
