Smart Card Security

Smart Cards & Security
Dr Jacques Fournier
Security Labs, Gemalto
[email protected]
Smart Cards & Security
What is a smart-card?
Smart-card Security: what’s at stake?
Smart-cards for securing information systems.
Smart-cards in a “convergent” world.
Smart Cards & Security
5-Jun-08
What is a smart-card?
A brief history
• « Une innovation française digne d’intérêt » (“A French innovation worthy of interest”) by Roland MORENO in 1974
  - 1979: 1st card by MOTOROLA (Toulouse) for Bull CP8
    – 1 KBytes programmable memory.
    – 6805 microprocessor core.
  - 1983: First payphone memory cards.
  - 1984: The « G.I.E Carte Bancaire » defines the « carte bleue », whose prototype was proposed by Bull CP8, leading to today’s carte bleue version B0’.
  - 1984 – 1987: ISO-7816 specification of the smart-card.
  - 1996 – …: Java Card Forum
    – 1998: JavaCard 2.0
    – 2008: JavaCard 3.0 is standardised
Main “security” properties
• It’s an object (a password is not an object)
  - Cannot be freely and instantaneously duplicated and transmitted
  - Cannot be ubiquitous
• It’s personalized (all PCs are identical out of the factory; a PC can be formatted)
  - Can be securely linked to an owner
  - Usually through biometry and/or secret sharing
• It’s portable (a phone cannot be twisted)
  - Can have different form-factors
• It’s intelligent (a key doesn’t know who is using it)
  - The card makes security decisions before delivering a service
    – E.g.: user/host/server authentication, access control, application-related policies (transaction amount, DRM, …), logging, remote access, …
• It’s secured
  - Even with PHYSICAL means an attacker should not by-pass the security policy
  - This is the tamper resistance property
Smart Card Module
[Figure: Smart Card Module. Micromodule, microcontacts (Vcc, Ground, Vpp, Reset, Clock, I/O) and microchip: microprocessor (CPU), ROM, EEPROM / FLASH, RAM, data bus, address bus.]
Communications
• “Layered” transmission protocol
  - Application level: Application Protocol Data Unit [APDU]
  - Transport: T=0, T=1, T=14
• Contact card:
  - Standard protocol: T=0, T=1, T=14
    – One communication channel: serial line
    – Max 114 kbps
  - New protocol selected for advanced smartcard: USB - FS
    – Two contacts for communication
• Contactless card:
  - Standard protocol: T=CL, class A, B
  - Sony proprietary: FeLiCa
  - NXP (Philips) proprietary: NFC
• NFC module with SWP connection to smartcard…
Combi product : dual interface
[Figure: dual-interface chip. Labels: ISO contact, Contact Interface, Antenna, Contactless Interface Unit, Security Logic & Sensors, Microprocessor, CryptoProcessor (TDES, RSA, …), ROM, EEPROM, RAM, Mifare Appli.]
NFC
• NFC: An important trend…
  - Already adopted by different key players (Philips, Sony, Nokia, Samsung, Motorola, LG, VISA, MasterCard…)
  - Card emulation requires direct link between NFC IC and smart card IC
  - NFC forum will work in 2005 on this direct link
• SWP is the protocol link between the NFC module and the smartcard
[Figure: handset block diagram. Labels: Battery, BaseBand, NFC, UICC; Reader / Peer to Peer mode; Card Emulation mode.]
USB MultiMedia SIM
[Figure: USB MultiMedia SIM contact assignment. Legacy (TS 102.221): C1 VCC and C5 GND (power), C2 RST, C3 CLK, C7 I/O. Optional contactless: C6 SWP. Optional USB (USB IC): C4 D+, C8 D-.]
Open Card OS
A revolution: the opportunity of loading new applications after the issuance.
3 Open OS for Smart Card:
  - Windows for Smart Card (dead)
  - Multos
  - Java Card
  - .NET
The Java Family
[Figure: the Java editions compared by API, VM and language. Labels: J2EE, J2SE, J2ME (CDC, CLDC, MIDP, profiles P2, P3, P4, ...), JAVA Card 3, JAVA Card 2; APIs: CDC API, CLDC API, JC API; VMs: JVM, KVM, JCVM; languages: Java, Java subset.]
Author: [email protected]
Smart-Card Security: what’s at stake?
Security: The survival circle
Risk Management of the security chain
PROTOCOLS
Risk Assessment
SMART CARD
Risk Assessment
Risk Management Evolution
[Figure: Cost of Fraud and Cost of Security plotted against Security, with a Business Optimum. Labels: Pay TV (Mobile-TV); Hacking is part of the Landscape; Banking Cards; Mature Certification Process; Security as a Barrier; Traditional SIM cards; Run GSM algorithm; OTA access.]
Smart Card Trends: the recent evolutions
[Figure: work load increase in % (0 to 40) against time scale (1996 to 2006), annotated “Side-Channel crisis”, “Fault attack threat identified” and “Fault attack crisis”. Slide courtesy of Olivier Benoit.]
Threat classification - Summary
[Figure: threat classification matrix. Axes: Observation / Modification; Non Invasive / Invasive; Transient / Permanent.
Physical attack: Power Analysis, I/O Glitches, Light/laser, Electro-magnetic, Radio-Frequency, Physical Probing, UV, F.I.B, Laser-Cutter; groups marked Side Channel Analysis and Fault Attack.
Software attack: Formatting String, Type Confusion, Cross-Site scripting, Buffer Overflow, SQL Injection.]
Attacking smart-cards
• Invasive Attacks
  - Deposit probe pads on a bus
  - … or through conductive grid
  - Expose hardwired ROM links
  - Disconnect sensors, RNG…
  - Connect tracks
  - Cut tracks
• Fault Generation
  - Apply combinations of environmental conditions
    – Vcc, Clock,
    – Temperature, UV
    – Light, Laser, …
  - … and bypass protections or infer secrets
• Side Channel Attacks
  - Monitor analog signals on all interfaces and analyze:
    – Time
    – Power
    – Electromagnetic Radiation, ...
[Figure: device with key, input, output and error.]
ROM Reverse Engineering
• Chip delayering (chemical etching)
  - Depends on the ROM technology
Tools
  - Low cost: chemical products €
  - Mid cost: Plasma etcher 100K€, Parallel polishing 20K€ + Microscopes 30K€ - 200K€
Signal probing
Tools
Probe station 30K€
Results
Chip modification example (using an FIB)
Adding a wire (using an FIB)
Cutting a wire (using an FIB)
Chip protection
[Figure: two chip layouts compared.]
• First chip (EEPROM, ROM, RAM, CPU)
  - Blocks can be easily identified
  - No shield
  - No glue logic
  - Buses clearly visible
• Second chip
  - Shield
  - Glue logic
  - No Buses visible
  - Memories and buses encryption
  - Sensors
Side Channel Attacks (via power measurements)
• Measure the circuit's processing time and current consumption to infer what is going on inside it.
[Figure: device under measurement, with input and output.]
Simple Power Analysis
• SPA uses implementation related patterns
• SPA strategy
  - algorithm knowledge
  - reverse engineering phase (signature location)
  - representation tuning (height of view, zoom, visualisation)
  - playing with implementation assumptions...
• SPA is always specific due to
  - the algorithm implementation
  - the applicative constraints
  - the chip’s technology (electrical properties)
• Counter-measures
  - Sample card access restriction
  - Algorithmic solution
    – Square and multiply always
    – …
SPA attack on RSA
[Figure: power trace of an RSA exponentiation annotated with the bits and hexadecimal digits read from it.]
Bits: 0010 1110 1100 0110 1001 0001 0101 1011 1111 1001 0100 1010
Hex:  2    E    C    6    9    1    5    B    F    9    4    A
Key value: 2E C6 91 5B F9 4A
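Added example (not from the original slides): the trace that the SPA slide reads bits from, modelled as a log of square and multiply operations, next to the “square and multiply always” counter-measure listed on the previous slide. The base 7, the modulus 1000003 and all function names are assumptions; only the key value 2E C6 91 5B F9 4A comes from the slide.

```c
#include <stdint.h>
#include <stdio.h>
#define TRACE_MAX 256

/* Operation log standing in for the power trace: 'S' = square, 'M' = multiply. */
typedef struct { char ops[TRACE_MAX]; size_t n; } trace_t;

static void log_op(trace_t *t, char op) {
    if (t->n + 1 < TRACE_MAX) t->ops[t->n++] = op;
}
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
    return (a * b) % m;                 /* no overflow while m < 2^32 */
}
static int top_bit(uint64_t e) {        /* index of highest set bit, -1 for 0 */
    int i = -1;
    while (e) { e >>= 1; i++; }
    return i;
}

/* Textbook left-to-right square-and-multiply: multiplies only on 1 bits. */
uint64_t modexp_naive(uint64_t b, uint64_t e, uint64_t m, trace_t *t) {
    uint64_t r = 1 % m;
    t->n = 0;
    for (int i = top_bit(e); i >= 0; i--) {
        r = mulmod(r, r, m); log_op(t, 'S');
        if ((e >> i) & 1) { r = mulmod(r, b, m); log_op(t, 'M'); }
    }
    return r;
}

/* Square-and-multiply-always: a multiply on every bit, kept or dropped by mask. */
uint64_t modexp_always(uint64_t b, uint64_t e, uint64_t m, trace_t *t) {
    uint64_t r = 1 % m;
    t->n = 0;
    for (int i = top_bit(e); i >= 0; i--) {
        r = mulmod(r, r, m); log_op(t, 'S');
        uint64_t prod = mulmod(r, b, m); log_op(t, 'M');
        uint64_t mask = (uint64_t)0 - ((e >> i) & 1);  /* all ones if bit is 1 */
        r = (prod & mask) | (r & ~mask);               /* branch-free select */
    }
    return r;
}

/* What the operation sequence reveals: 'S' followed by 'M' reads as 1, else 0. */
uint64_t exponent_seen_in_trace(const trace_t *t) {
    uint64_t e = 0;
    for (size_t i = 0; i < t->n; i++) {
        if (t->ops[i] != 'S') continue;
        e = (e << 1) | (uint64_t)(i + 1 < t->n && t->ops[i + 1] == 'M');
    }
    return e;
}

int main(void) {
    const uint64_t key = 0x2EC6915BF94AULL;   /* key value shown on the slide */
    trace_t a, b;                             /* base and modulus are assumed */
    uint64_t r1 = modexp_naive(7, key, 1000003, &a);
    uint64_t r2 = modexp_always(7, key, 1000003, &b);
    printf("naive : %zu ops, reads as %llx\n", a.n,
           (unsigned long long)exponent_seen_in_trace(&a));
    printf("always: %zu ops, reads as %llx, same result: %d\n", b.n,
           (unsigned long long)exponent_seen_in_trace(&b), r1 == r2);
    return 0;
}
```

The uniform sequence removes the pattern SPA relies on; it does not decorrelate the data from the power curve, which is what the DPA counter-measures address.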
Differential Power Analysis
• Published on the web by Paul KOCHER (1998)
  - Big noise in the cryptographic community
  - Big fear in the smartcard industry!
• Powerful & generic Power Attack
  - Statistical & signal processing
• Advantages
  - Very efficient
  - Target independent
  - Can be automated
  - Does not require expensive hardware
  - Efficient countermeasures exist
• Still need to get hold of the card
  - Known random messages
  - Targeting a known algorithm
  - Running on a single smartcard
• Attack performed in 2 steps
  - Acquisition phase: on-line with the smartcard
  - Analysis phase: off-line on a PC (hypothesis testing)
Reverse engineering using DPA
• Use DPA to locate when predictable things occur
• Example: locate an algo trace by targeting its output (ciphertext transfer to RAM, ciphertext is given)
[Figure: consumption curve and DPA curves for a bit of the 1st byte and a bit of the last byte. Label: Hardware algo is before.]
Hypothesis testing (guess)
• Example: AES 128 bits key = 16 bytes Ki (i = 1 to 16)
  - Test 256 guesses per Ki with 256 DPA
  - 128 key bits disclosed with 16 x 256 = 4096 DPA (<< 2^128 !)
  - With chosen messages 256 DPA suffice for the whole key!
[Figure: DPA hypothesis test. Labels: messages M0, M1, …, Mn; key byte Ki; selection bit; average; DPA.]
DPA on most crypto algorithms
• Other SK algorithms
  - AES
  - 3-DES
  - Comp 128
  - Hash MAC
  - modular arithmetics (modulo 256, 257)
  - proprietary (GSM)
• RSA modular exponentiation
  - No key schedule => prediction more difficult
  - The key is not entirely handled from the beginning, but progressively introduced
  - Prediction by time slices: next bit inference requires the previous bit to be broken
Counter-measures against DPA
• Applicative counter-measures: make message free randomization impossible!
  - Fix some message bytes
  - Constrain the variable bytes (ex: transaction counter)
• Decorrelate power curves from data
  - by hardware: current scramblers (additive noise)
  - by software: data whitening
• Desynchronise the N traces (curves misalignment)
  - software random delays
  - software random orders (ex: SBoxes in random order)
  - hardware wait states (dummy cycles randomly added by the CPU)
  - hardware unstable internal clock (phase shift)
• Special design techniques like asynchronous circuits…
Electromagnetic Power Analysis
[Figure: electromagnetic probe over a chip (5.5 mm, 4.5 mm) with ROM, EEPROM, RAM, CPU and CRYPTO blocks.]
EMA Attacks
• Advantage of EMA versus PA
  - Local information more “data correlated”
  - EMA bypasses current smoothers
  - EMA goes through HW countermeasures: shields, randomized logic
• Drawbacks
  - Experimentally more complicated
  - Geometrical scanning can be tedious
  - Low level and noisy signals (decapsulation required)
• Counter-measures
  - Software (crypto routines):
    – coding techniques
    – same as anti DPA/SPA (data whitening…)
  - Hardware (chip designers):
    – confine the radiation (metal layer)
    – blur the radiation (e.g. by an active emitting grid)
    – reduce the radiation (technology trends to shrinking)
    – cancel the radiation (dual logic)
Fault Attacks
[Figure: timeline of a fault attack.]
• Synchronisation
• Fault injection
  - Vcc/clock glitch
  - Flash
  - Laser Q-switch
  - Continuous laser
  - Electro Magnetic field
• Multiple injection
• APDU Command (ex: GenerateAC): 80 AE 40 00 1D …
• Card Response: … 90 00 (Same or Different)
• Exploit the wrong behaviour
Fault Injection
• Fault injection parameters:
  - Pulse shape and characteristics (glitches, light, laser)
    – Wavelength
    – Window size
    – Energy level
  - Fault injection localization in space
  - Fault injection localization in time
[Figure: injection targets in space and time. Labels: HW, SW, Data, I/O, Side-channel, NVM Prog, HW DES.]
Fault Exploitation
• Fault exploitation areas:
  - Crypto (Differential Fault Attack: DFA)
    – RSA
    – DES
    – AES
    – …
    Goal: key recovery
  - Sensitive process
    – Access condition verification
    – Card state management
    – Authentication phase
    – PIN verification
    – …
    Goal: bypass security mechanism or force code execution
[Figure: DES rounds (L0/R0 to L4/R4, EPerm, PPerm, round keys K1 to K4) with faulty values marked *.]
[Flowchart: secret code (SC) presentation]
  1. Load MPN & Ratif in RAM
  2. Ratif < MPN ? NO: PIN blocked. YES: continue
  3. Increment Ratif in RAM
  4. Write new Ratif in EEPROM
  5. Read 1 byte of SC in EEP
  6. XOR with corresponding byte of received SC, OR with Flag, store in Flag
  7. XOR Chk, store in Chk (compute checksum on the fly); 8 bytes loop
  8. Finalise Chk computation with SC header
  9. Chk = 00h ? NO: ERROR Integrity. YES: continue
  10. Flag = 00h ? NO: ERROR Wrong Secret Code. YES: continue
  11. Update Authorisation register in RAM
  12. Clear Ratification
Fault annotations on the flowchart:
  - Modify value while transferred from EEP to RAM
  - Reset Ratif value to 00 in RAM: enable exhaustive search
  - Modify test result or CPU branching: enable exhaustive search
  - Modify SC value while transferred from EEP to RAM: enable successful presentation without knowing real SC
  - Modify test result or CPU branching: enable wrong Integrity or SC presentation
  - On presentation of known SC1, grant right of SCx
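Added example, not code from the slides or from any card OS: the secret-code presentation flow above in firmware-style C, with redundancy placed at the points the flowchart marks as fault targets (EEPROM-to-RAM transfers and the two tests). The complement-based storage, the result codes, MPN = 3 and all function names are assumptions; the slide's header-based checksum Chk is replaced here by a per-byte complement check.

```c
#include <stdint.h>
#include <stdio.h>

#define SC_LEN 8
#define MPN    3          /* maximum presentation number (assumed value) */

/* Result codes far apart in Hamming distance: one flipped bit cannot map
   one code onto another (values are assumptions). */
enum { PIN_OK = 0x3CA5, PIN_WRONG = 0x5A3C, PIN_BLOCKED = 0xA5C3, PIN_FAULT = 0xC35A };

/* Simulated EEPROM: every sensitive value is stored with its complement. */
typedef struct {
    uint8_t ratif, ratif_n;              /* ratification counter + complement */
    uint8_t sc[SC_LEN], sc_n[SC_LEN];    /* secret code + complement */
} eeprom_t;

static void write_ratif(eeprom_t *e, uint8_t v) { e->ratif = v; e->ratif_n = (uint8_t)~v; }

void eeprom_init(eeprom_t *e, const uint8_t sc[SC_LEN]) {
    write_ratif(e, 0);
    for (int i = 0; i < SC_LEN; i++) { e->sc[i] = sc[i]; e->sc_n[i] = (uint8_t)~sc[i]; }
}

int verify_pin(eeprom_t *e, const uint8_t presented[SC_LEN]) {
    /* EEPROM -> RAM transfer, checked against the stored complement. */
    volatile uint8_t ratif = e->ratif;
    if ((uint8_t)(ratif ^ e->ratif_n) != 0xFF) return PIN_FAULT;

    /* Limit test done twice: skipping one branch is not enough. */
    if (ratif >= MPN) return PIN_BLOCKED;
    if (!(ratif < MPN)) return PIN_FAULT;

    /* Count the attempt in NVM before comparing, then read it back. */
    write_ratif(e, (uint8_t)(ratif + 1));
    if (e->ratif != (uint8_t)(ratif + 1)) return PIN_FAULT;

    /* Fixed 8-byte loop: Flag accumulates differences, chk the integrity. */
    volatile uint8_t flag = 0, chk = 0;
    for (int i = 0; i < SC_LEN; i++) {
        uint8_t b = e->sc[i];
        chk  |= (uint8_t)(b ^ e->sc_n[i] ^ 0xFF);
        flag |= (uint8_t)(b ^ presented[i]);
    }
    if (chk != 0) return PIN_FAULT;               /* stored code was altered */
    if (flag != 0) return PIN_WRONG;
    if (flag != 0 || chk != 0) return PIN_FAULT;  /* repeated decision */

    write_ratif(e, 0);                            /* clear ratification */
    return PIN_OK;
}

int main(void) {
    const uint8_t sc[SC_LEN] = {1, 2, 3, 4, 5, 6, 7, 8};  /* constructed code */
    eeprom_t e;
    eeprom_init(&e, sc);
    printf("correct code: %#x\n", verify_pin(&e, sc));
    e.ratif ^= 0x01;     /* constructed fault: counter altered, complement not */
    printf("after fault : %#x\n", verify_pin(&e, sc));
    return 0;
}
```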
Countermeasures
• Hardware
  - Redundancy - hardware implemented twice with a comparison.
  - Better detectors
• Software
  - Execution redundancy
    – repeating an algorithm
    – executing the inverse algorithm (ideal for RSA)
  - Checksums on data transfers
  - Randomised Execution
[Figure: hardware redundancy. Data feeds Bloc 1 and Bloc 2; Result 1 and Result 2 go to a Comparison that outputs the Result or Fault Detected; Decision; Reaction: IT or Reset.]
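Added example (not from the slides): “executing the inverse algorithm” applied to an RSA-CRT signature, where the public-exponent operation is run on the result before anything leaves the card. The toy key (p = 61, q = 53, e = 17), the `fault_mask` hook standing in for a glitch, and the function names are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy RSA-CRT key, constructed for the example (far too small for real use):
   n = p*q, dp = d mod (p-1), dq = d mod (q-1), qinv = q^-1 mod p, d = 2753. */
enum { P = 61, Q = 53, N = 3233, E = 17, DP = 53, DQ = 49, QINV = 38 };

uint32_t modexp(uint32_t b, uint32_t e, uint32_t m) {
    uint64_t r = 1 % m, x = b % m;
    while (e) {
        if (e & 1) r = (r * x) % m;
        x = (x * x) % m;
        e >>= 1;
    }
    return (uint32_t)r;
}

/* CRT signature. fault_mask is a hypothetical test hook: it corrupts the
   mod-p half the way a transient fault during that exponentiation would
   (0 = no fault). */
static uint32_t rsa_crt_raw(uint32_t m, uint32_t fault_mask) {
    uint32_t sp = modexp(m, DP, P) ^ fault_mask;
    uint32_t sq = modexp(m, DQ, Q);
    uint32_t h  = (QINV * ((sp % P + P - sq % P) % P)) % P;   /* Garner step */
    return sq + h * Q;
}

/* Returns 0 and writes *sig only if the inverse operation gives m back;
   on a mismatch nothing is released and -1 is returned. */
int rsa_sign_checked(uint32_t m, uint32_t fault_mask, uint32_t *sig) {
    uint32_t s = rsa_crt_raw(m, fault_mask);
    volatile uint32_t back = modexp(s, E, N);     /* inverse algorithm */
    *sig = 0;
    if (back != m % N) return -1;                 /* fault detected */
    if (back != m % N) return -1;                 /* repeated test */
    *sig = s;
    return 0;
}

int main(void) {
    uint32_t s;
    int rc = rsa_sign_checked(65, 0, &s);         /* 65: constructed message */
    printf("no fault: rc=%d sig=%u\n", rc, s);
    rc = rsa_sign_checked(65, 1, &s);
    printf("faulted : rc=%d sig=%u\n", rc, s);
    return 0;
}
```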
Attacks on contactless cards
• Some attacks available on the web
• Contactless cards face hard constraints:
  - Timing constraints (e.g. mass transit cards)
  - Power consumption constraints
• There is a trade-off between security and performance.
Attacks on contactless cards
• Attack on Texas Instrument product (DST)
  - Sniffing & cracking the product
  - Use a fake product to start a car
  - Use a fake product to buy gasoline
• Security Issues in e-passport
  - Clandestine scanning and tracking
  - Skimming and cloning: digital signatures on the e-passport allow the reader to verify that the data came from the correct passport-issuing. However, this offers no defense against passport cloning.
  - Eavesdropping during legal use
  - Weakness in cryptography (BAC)
  - Improvement: Faraday cages, larger keys for BAC, variable value for UID, key diversification (but problem of key management)
• A Practical Relay Attack on ISO 14443 Proximity Cards
  - Relay attack demonstrated on mifare card.
  - No distance is mentioned.
  - The delay time is around 20 to 25 µs.
• RFID Skimmers
[Figure: Attacker 1, Attacker 2 and Regular user; wireless long distance link.]
Logical Attacks
• Buffer Overflow: a well-known technique to inject malicious code
• Test Protocols (JTAG…)
• Trojan Horses: a malicious piece of code hidden in a harmless and attractive program such as a game, aimed at retrieving PIN Codes, Keys,…
• Bug exploitation…
• Aggressive applets: attack Open Platforms
About Common Criteria
• CC is about security of IT products and systems
  - a method to evaluate security
  - a tool to design and implement securely
  - a help for consumers and users
• CC is not a book of recipes!
• Main similar methods
  - TCSEC
  - ITSEC
  - CTCSEC
  → CC
• Other kinds of methods
  - Methods related to risk analysis
  - Security of Information Systems: ISO 177799 ...
Smart-cards for securing information systems
Applications
• Public phone cards (pre-paid),
• Cellular phone GSM cards,
• Banking cards,
• Health cards.
Applications
• Electronic purse,
• Transport,
• Security of information system,
• Identity, electronic passport
• Loyalty,
• Games,
• Physical access control.
USIM Security Features
• Authentication
  - user by the network
  - network by the user
• Confidentiality
  - User identity (IMSI, Location, services)
  - User voice & data
• Integrity
  - signalling data
Systems Using Smart Cards
• Smart cards cannot interact directly with the card holder
• Smart cards are used in IT systems to store users' credentials for authentication, signature or ciphering
• Classical IT security concepts apply to these systems
  - Trusted path
  - Security policies
  - Trojan horses
PKI and Smart-Cards (1/3)
• Limitations of software-only solutions
  - Certificates and private keys stored on a “conventional” media => Not secure
  - Consumers are “tied” to their computer => Not Mobile
  - Consumers have to manage their certificate themselves => Not Simple
• Added-value of smart-cards (or sc-based solutions)
  - Security: SC provide secure storage and secure cryptographic computations.
  - Mobility: The SC can be carried and be used to connect through any computer.
  - User-friendly: Just insert the card and enter PIN.
PKI and smart cards (3/4)
Software only solution
[Figure: Application and API, with the sensitive operations marked.]
• Uses private key (sensitive operation): Key generation, Key storage, Signature generation, Short message decryption
• Uses public key: Short message encryption, Signature verification
• Uses one-time session key: Long message encryption / decryption
PKI and smart cards (4/4)
Software with smart card solution
• Application
  - Uses public key: Short message encryption, Signature verification
  - Uses one-time session key: Long message encryption / decryption
• Behind the API (sensitive operation, uses private key)
  - Certificate
  - Key generation
  - Key storage
  - Short message decryption
  - Signature generation
CAUTION: Wrong Cryptographic Design!
• Short keys
  - Weak algorithms
  - Broken protocols
• Examples
  - French Credit Card
  - COMP128 for GSM
Smart-cards in a “convergent” world
… Converging around the Telco world
[Figure: labels SECURITY; MOBILE CONTACTLESS solutions; MOBILE TV solutions; MULTIMEDIA solutions; CONVERGENCE solutions; SIM-based solutions in new networks.]
Mobile NFC use-cases
• Transport Pass, Access, Payment …
• SmartPoster & TAG Reading..
• Card emulation mode: Working Mobile Off or Battery Off
• Peer to Peer mode: P2P data exchange
Mobile TV: Mitigate broadcast security threats
• The security of a system must be adjusted according to the level of threat and risk it faces.
• One to one service (Telecom & Banking)
  - Service delivered “on demand” for a particular user,
  - User authentication is key,
  - Hacking one card will impact only one single account,
  - Clone cards are detected by network means (‘black listed’ users).
• Broadcast TV
  - The encrypted content is always available “on-the-air”,
  - No means to detect fake cards or systems,
  - Breaking one card impacts the whole system
Unlike most hobbyist computer hacking, pirated pay-TV cards are a lucrative business
Fault Attacks in Pay-TV?
• Together with bug exploitation, Fault Attacks have been used for a while by Pay-TV hackers.
• First Pay-TV cards were vulnerable to basic Fault attacks: glitches on Vcc line, single Fault injection.
• Fault attack techniques are now well-known and academic research is particularly active in this field: FDTC (Fault Diagnosis and Tolerance in Cryptography) has been held each year since 2004.
• When combined with Side-Channel means, Fault Attack techniques can be devastating, even against “secure” implementations.
MultiMedia Use-cases
Multimedia cards & LiveServices
• Boost services revenues
• Ease segmented offers deployment
• Increase subscribers' loyalty
• Reduce Cost
• Increase direct marketing efficiency
• Drive usage recurrence
Smart Card Web Server & Full Speed protocol
• Operator’s Management Tools
• Operator’s Analysis Tools
• Operator’s Branding
• Advertising
• …
• Handset Management Applications
• Handset Personalisation Applications
• Handset Applications
• Applications
Smart Card Web Server techno
Convergence use-cases
4/ a software suite
SIM authentication in new networks
Integrating SIM authentication in new networks (Wimax, LTE, IMS) could provide many benefits to operators:
  - Portability
  - Devices/Handsets are network agnostic.
  - Less customization on the handset side.
  - Ability to sell subscription apart from the device
  - For wireless operators already using smart cards, a significant advantage is the ability to rely on the same authentication infrastructure, making network deployment an easier and cost-effective option.
  - Support of multiple types of access network authentication and service network authentication methods.
Thank You for Your Attention