- Each card and ATM is given a public/private key pair.
- The public keys are signed by the bank's private key
- Every card also contains the bank's public key
When the card is inserted, the ATM asks for the card's public key
- The ATM then verifies that the card's public key was signed by the bank, using the bank's public key.
- The ATM then encrypts a block of random data with the card's public key, and asks the card to decrypt it.
- If the card successfully replies with the same random data, it has just proven that it has the private key that it claims to have
Then it's the card's turn to repeat the same process:
- It asks the ATM for its public key, verifies that it was signed by the bank, using the bank's public key.
- The card encrypts a block of data with the ATM's public key, asks the ATM to decrypt it
At this point, both the card and the ATM know that they are talking to the appropriate device. Each device can then generate a symmetrical key for that session, and encrypt it with the other device's public key, and use those keys for any further communication.