Current Keycard API and applet are mostly designed to be used between someone’s Keycard and his own mobile. They are not fully designed to support cases where one uses his Keycard with an app running on somebody else’s device.
Still we want to have Keycard API and applet ready to handle use cases where a Keycard is tapped with a Point Of Sales to purchase simply (most simple being a simple tap) goods with a wallet account protected by the Keycard.
The goal of this post is to share what’s at stake, brainstorm on the relevant use cases for PoS, so that we design the right evolution of Keycard protocol.
Some considerations about the of PoS role in security
What we call a PoS here is either:
- any mobile phone or tablet running an application that allows to sell stuff. This can be Status app with some PoS functionalities,
- a PoS terminal, which is a dedicated hardware to perform sales (with printer, more powerfull NFC etc.)
One important thing in Keycard security fundamentals is that the client side must be trusted. This comes from the fact that Keycard does not have buttons or a screen, and the client is thus used for:
- Keycard PIN entry
- Display transactions details (especially the amount)
Most POS terminals are Android based and are functionaly not more than a mobile phone, but being a dedicated hardware they can provide some authentification mechanism (software based or hardware based) so that Keycard can check the PoS it’s talking to is legit.
A generic PoS use case for Keycard
The most generic use case we can think of between a PoS and Keycard is the following one, breaked down into those simple steps:
1/ PoS forges a transaction for something to purchase
2/ PoS displays the amount of crypto of the purchase
3/ (Optional) user enters his Keycard PIN on the PoS
4/ User taps his card, the card sign the transaction with a key pair embedded on the keycard
5/ PoS acknowledges that the transaction has been signed and transmitted to the network, and is now waiting for approval
6/ When transaction is confirmed, PoS shows that the transaction is confirmed, and there happens the transfer of property
Impacts on Keycard protocol
The current secure channel mechanism of Keycard (current Keycard API is v2) uses a pairing code as a shared secret, at setup.
To enable the PoS use case described above we need to make the API and applet evolve to a v3 that handles the following:
- create a new secure channel mode that
- does not require a pairing code
- when in this mode no other commands can be performed by the client
- than PIN verification,
- and signing transaction with a fixed and given keypair in the keycard
- the following open questions are:
- do PoS transactions require a PIN or not ?
- If not how can I protect my Keycard from being stolen some crypto by just taping my Keycard through my pocket ?
- how many accounts the user can set-up for PoS transactions ?
- if several how are they set-up ?
- if there are PIN, are they different from the main PIN (non PoS mode), how are they set-up ?
Please note that the Keycard does only get a hash of the transactions, and thus cannot apply some logic like “if the amount is <x euros, then I do not need a PIN to sign the transaction”
What are the real world use cases that will come first?
To help decide with the open questions, could you share your ideas on how do you think Keycard will be used with PoS, for what usages ? for what type of transactions ? to buy what kind of goods?
Especially your real world ideas of when could a user turn his Status app into a PoS to make a transaction with someone else’s Keycard would be nice to hear!