Beruflich Dokumente
Kultur Dokumente
2. many industrial/commercial/
trade/security secrets
3 Nicolas T. Courtois 2006-2009
Smart Cards
Remark
What do we learn from these books:
A lot of things [1000s of pages].
But still many things are missing:
Full specs of products?
Full specs of chips?
Details of advanced security countermeasures?
Secret crypto algorithms + padding
Details of authentication protocols
Some little tricks that make big difference
The industry cultivates a lot of secrecy(!).
But at the same they publish 100s of papers they have
1000s of patents, and runs 10s of standard bodies Many things
are not that secret. Just obscure.
Motivation in a Nutshell
Key Remark
Software CANNOT be protected by software.
The Loophole
Recall:
Two sorts of technologies:
A) Those that are effective if deployed at 20%:
Examples:
1. virus detection (as opposed to removal / fighting the viruses), 99 %
2.
2. email
email // hard
hard disk
disk encryption,
encryption, 20
20 %
%
3.
3. making
making thethe entry/authentication
entry/authentication harder,
harder, as
as an
an option
option for
for the
the use
user,
r, 20%
20%
In France:
Since the introduction of smart cards:
Fraud decreased 10 times
in 10 years.
12 Nicolas T. Courtois 2006-2009
Smart Cards
Philosophy / Model
for Security of Smart Cards
History
Historical Patents
Vocabulary
More Vocabulary
Types of cards
memory/wired logic microprocessor
0 CPU 1 CPU
micropr.+crypto contactless
Source: Gartner, 2005
27 Nicolas T. Courtois 2006-2009
Smart Cards
Primitive
NVM non-
volatile memory
(E2PROM, Flash
memory)
simple function
e.g. prepay card
28 Nicolas T. Courtois 2006-2009
Smart Cards
Smart Card
Microcontroller =
CPU+memory
Universal, Turing
machine, software
driven
flexibility
security features
[Hardware DES]
29 Nicolas T. Courtois 2006-2009
Smart Cards
Crypto-processor IC Cards
Additional crypto-
processor for RSA
or elliptic curves
Hardware security
counter-measures
with RF transceiver
0.1 s transaction
much less energy
even less computing
power
****Perso Process
storage capacity
security functionalities
multiple functions
user acceptability, effective packaging
successful business model
Axalto 23%
20% Gemplus
G&D 13%
9% OCS
Orga 5%
4% Incard
Others 26%
Market Growth
In Volume: in M units shipped
In Value: in M
ISO 7816-1
Size matters! Like a credit card.
ISO 7816-1
Physical Characteristics:
operating temperature, humidity, etc
Manufacturing
Bare Connectors
Die Bonding
Connections with gold wire (20 m)
Encartage
Embed in a mm card.
Encapsulation
Embed in a mm card.(Encartage Fr)
Plastic Matters
ISO 7816-2
Contacts
1.7 x 2 mm
[changed in 1990]
ISO 7816-2
=> Freedom
Contact Quality
Friction force readers scratch the cards
[contacts frottants]
Power Matters
Summary:
Bank card: 5 V, 50 mA
GSM SIM class C card (the latest): 4 mA
Even much less for contact-less cards !!!
(power supplied by an alternative magnetic field)
Power Matters
Summary:
Several 1000 x less power than an Intel CPU
Low surface ( 25 mm2)
Lower density (0.09 m
vs. 0.065 SOI process for recent CPUs)
ISO 7816-3
CLK:
transition time < Max( 0,5 s, 9% x period T)
at 1 during 40 % - 60 % of time.
The card security should block if short
impulses !
Clock speed:
First cards [1996]: 3.579545 MHz
(still@begin)
67 Nicolas T. Courtois 2006-2009
Smart Cards
ETU
ISO 7816-3
Defines the ATR: answer to reset. Up to 33 bytes.
Must happen at 400 40,000 clocks after RST.
ATR = a series of bytes transmitted in order b8..b1:
TS
T0 [presence of TA1-TD1 and 0..15 historical bytes]
TA1
TB1
TC1
TD1: like T0, specifies the presence of extra objects
TA2
etc
ATR Structure
XOR checksum
72 Nicolas T. Courtois 2006-2009
Smart Cards
TS specifies:
TS [A+8+Z bits]:
specifies the relationship between A/Z and 0/1
Z=high voltage, A=low voltage
Direct convention [Germany], where A=0, Z=1:
TS = 3B; b1:b8= A(ZZAZZZAA)Z
Inverse convention [France], with A=1, Z=0:
TS = 3F; b8:b1= A(ZZAAZZZZ)Z
ISO 7816-3
Communication Protocols
Main two: synchronous, half/duplex
T=0 (byte-oriented, e.g. GSM SIM),
T=1 (block-oriented, e.g. bank cards)
T=14 (proprietary for German phone cards)
Recent developments:
T=2 (block-oriented, full duplex, cf. ISO 10536-4).
T=4, expansion of T=0
T=USB
T=CL
T=0 or T=1?
Remark:
T=0 (byte-oriented)
parity bits only
T=1 (block-oriented) is more modern.
More error detection too: parity +
each block also has a CRC.
ISO 7816-3
Baud rate:
1996: 9.6 K bit/sec default, @beginning.
Then: 115 K bits/sec
Decoded:
TS= 3B => direct encoding
T0= 89= 1000ll1001 => TD1 + 9 historical bytes
TD1= 40= 0010ll0000 => TC2 present and protocol is T=0
TC2= 14= 0001ll1110 => waiting time 14 * 100 ms
T1T9: 47ll47ll32ll34ll4Dll35ll32ll38ll30 =>
GG24M5520 (these are the 9 historical bytes, sort of unique ID of this SIM card)
ISO, [USB,RF
RF]
RF
ISO, [USB,RF
RF]
RF
Dimensions
Form Factors
key fob
Antenna
large loop antenna
ISO, USB, RF
Contactless Interface
Comparison
*Visual Security
***more details
***more details
Different on each card:
Remark:
There is no defense against an adversary that
has several millions of
Reverse Engineering
Open-source Closed-source
Industry: competition cooperation
Standards
Industrial/commercial/trade/security secrets
Kerckhoffs Principle
*Remark:
Smart Cards:
No obligation to disclose.
Yes (1,2,3):
1. Military:
layer the defences.
Yes (2):
2)
Basic economics:
these 3 extra months
(and not more )
Yes (3):
3)
Prevent the erosion of profitability
/ barriers for entry
for competitors /
inimitability
Reasons:
side channel attacks are HARD and COSTLY to
prevent when the algo is known
in some applications, for example Pay TV the
system is broken immediately when the
cryptographic algorithms are public.
*Silicon Hacking
Tarnovsky Lab
Only few thousands of dollars of equipment
More Expensive:
FIB device
(Focused Ion Beam, 0.5 M)
Canal+ Technologies Lab
FIB:
Example resolution: 10 nm
Classical applications: failure analysis of ICC
Can Do Anything?
Not so easy:
The IC has many layers (!)
Security is hidden in inner layers(!)
Can you do many operations reliably enough
to achieve your goal?
120 Nicolas T. Courtois 2006-2009
Smart Cards
Reverse Engineering
Hardware Defences
Hardware Countermeasures:
Functionality + Security
Hardware Countermeasures
Detection:
Detect under/over-clocking (stop
(stop the
the clock,
clock, read
read the
the
RAM)
RAM)
Intrusion Detection
Active Shield
Source:Infineon. Problem: back side attacks.
works!
Design Obfuscation
Restricted circulation of specs.
Non-standard instruction set.
Custom crypto algorithms.
ROM and busses in lower layers of silicon.
Only ion-implanted ROM is used, not visible with UV light.
Motivation:
Most Bank Cards have a PIN verification
function.
PIN
not encrypted except in some EMV DDA cards
Y/N
not authenticated except in EMV DDA cards
Solution?
Protocol/Software Countermeasures
Typically, the chaining of commands is
strictly controlled. Each command can be
issued only once, and in a certain order.
Assured by a finite state machine.
Example: dont accept commands in clear-text
once secure messaging is established.
The spec should not allow buffer overflows.
Example:
Eric Poll [Nijmegen] Attacks on e-passports.
Send various ISO commands, observe the error messages:
Clone Attacks
Threats (1.)
Assume that we have all the data. Clone the card?
1. Card Emulation on a card defenses:
unique ID, cards that can be personalized not available =>
requires a special re-programmable card,
or a pirate emulator
-speed, +size, +cost, etc.
Threats (2.):
Assume that we have all the data. Clone the card?
1. Card Emulation on a card ???
2. Card Emulation on a PC!
Economics Aspects
Security Management -
the Development Process
Testing
White-box tests are prohibited, no debugging commands
must be left in the hard-mask and soft-mask.
Tests must be black-box tests and test suites include
scanning for hidden [debugging] commands.
Segregation of Duties
Never one developer works alone on an
application.
he knows only some parts of the spec (partial
secrecy, need to know).
Some critical security mechanisms can be
distributed: part in hard mask(ROM), part in
soft mask, harder to know both
the chip manufacturer does NOT have the full
spec either.
File System
ISO 7816-6
Specifies how to encode different data
elements as BER-TLV objects,
For example:
Name of the credit card holder
Expiration date
Etc.
ISO 7816-4
File names FID:
2 bytes
example: 3F 00
ISO 7816-4
MF: Master File
(root directory 3F00)
Elementary Files
EF: Elementary Files
Not all files are visible for applications(!)
Internal EF: card private files, card O.S. only can
see them
Working EF: data accessible to applications that
communicate with the external world.
First byte:
'3F': Master File;
'7F': 1st level Dedicated File
'5F': 2nd level Dedicated File
'2F': Elementary File under the Master File
'6F': Elementary File under a 1st level Dedicated File
'4F': Elementary File under 2nd level Dedicated File
like RAM, or a
string of bytes
records, with specific instructions and applications
Record 1
2 types of records: Record 2
Body .
.
Linear Fixed file
Record n
Like a list
Structure of a linear fixed file
Header
Record n-1
Body Record n Oldest record
Record 1 Last updated record
Record 2
.
.
Record n-2
Variants
There are MANY methods to address a file with SELECT FILE:
by 2 bytes FID (for MF, DF and EF)
0_ A4 00
By DF name or AID (for DF only or an application)
0_ A4 04
0_ A4 02
by absolute path from MF
0_ A4 08
by a relative path from current DF
0_ A4 09
Switch
Switch to
to higher
higher level
level DF?
DF? (equiv
(equiv to
to ../
../ in
in PC
PC OS)
OS)
another
another DFDF when
when partial
partial AID
AID is
is transferred?
transferred?
GSM card
SELECT FILE length + FID == file identifier on 2 bytes
empty params. 6F 07 = IMSI file of this SIM card
2. Example of a SELECT FILE with AID and no FCI (widely used for
accessing files AND applications by their unique identifier):
Command: 00 A4 02 00 05 [AID]
ISO command
SELECT FILE specific params. length + AID, if no ambiguity, a prefix
of a valid AID can also be accepted
178 Nicolas T. Courtois 2006-2009
Smart Cards
Status of EF Files
Examples of FCI
Not 100% compatible, depends on products
6F 07 80 02 00 58 82 01 01 90 00
EF with transparent structure, file size: 88 (0x0058)
Can
Can be
be decoded
decoded according
according to
to GSM
GSM spec:
spec:
Byte
Byte 14:
14: The
The most
most significant
significant bits
bits of
of is
is 00 ifif an
an only
only ifif PIN1
PIN1 is
is disabled.
disabled.
Byte
Byte 19
19 == is
is the
the "CHV1
"CHV1 status
status..
Typically
Typically the
the value
value of
of this
this byte
byte is
is '83'
'83' where
where 88 means
means that
that the
the PIN1
PIN1 has has been
been
initialized,
initialized, and
and that
that there
there are
are 33 cardholder
cardholder verification
verification attemp
attemptsts left
left for
for this
this
PIN.
PIN.
183 Nicolas T. Courtois 2006-2009
Smart Cards
Example:
m yes/no
(m,)
MAC MAC
algorithm algorithm
forgery
sk sk
(secret key) (secret key)
ICV
MAC and IV
Important:
Never use a random IV in a MAC.
IV = 0 is a safe choice.
Or another constant.
Do use random IVs in encryption.
ASK RANDOM
command
Challenge
generation
Challenge
(T)DES Data to
PRO key calculation sent Challenge EF key
Cryptogram Data
PRO Key
Received (T)DES
PRO command Data + cryptogram Data
bytes calculation
Received
Cryptogram
Compare the
cryptograms
Delete flag random
present
OK
N
?
Decrease
ratification counter Y
Reset ratification
counter if needed
Bad Authentication
PRO mode OK
ASK RANDOM
command
Challenge
generation
Challenge
(T)DES
Terminal
calculation
Key AUT mode
Certificate
EF key
EXTERNAL Key number Key
AUTHENTICATE +
Received number
command Cryptogram bytes
Card Key
(T)DES
calculation
AUT mode
Cryptogram
Compare the
cryptograms
Delete flag random
present
OK
N
?
Decrease
ratification counter Y
Reset ratification
Bad Authentication counter if needed
Authentication
successful
Commands (APDUs)
ISO 7816-4
APDU = Application Protocol Data Unit
Command APDUs
4 cases
Response = R-APDU
Response structure:
SW1: 90=completed/
OK with warning/
error during exec/
checking error;
?NVM changed[63,65]
SW2: error number
90 00 = All OK
199 Nicolas T. Courtois 2006-2009
Smart Cards
IMPORTANT:
In many cases, and in all cases where the size
of the answer is not known in advance,
The response is NOT given,
the terminal must ask for it
(another C-APDU).
Example (for a bank card):
5 Possible Cases:
Case 1: No input data/no output data
Data
2 status bytes
202 Nicolas T. Courtois 2006-2009
Smart Cards
[] 5 Possible Cases
Standard Cross-Industry
Commands
ERASE BINARY
SEARCH BINARY
Syntax: Read/Write
READ BINARY
Security Commands
Authentication
R: deny R: allow
W: deny W: allow
Cardholder Authentication
On-card PIN/Password verification.
PIN
not
not encrypted
encrypted except
except in
in some
some EMV
EMV DDA
DDA cards
cards
Y/N
not
not authenticated
authenticated except
except in
in EMV
EMV DDA
DDA cards
cards
VERIFY + password/CHV/PIN
BTW. CHV == Card Holder Verification == PIN
Example: 00 20 00 00 04 70 61 70 61
no L_e, no data in reply
expected, result will be visible
in two status bytes SW1SW2
authenticates the
CLA whole MF if b7=0,
PIN stored in MF
INS 4 bytes
password
must be 0
= papa)
randomB
A B
A, MACK(randomB)
K K
****Exists in GSM,
but a non-standard dedicated command
SIM card
challenge RAND
are = ?
Example: A0 88 00 00 10 XX .XX
CLA INS 16 bytes random nonce
both 0
GET CHALLENGE
EXTERNAL AUTHENTICATE
+ algo nb. + key nb. + cryptogram
Example:
GET CHALLENGE
Example: 00 84 00 00 10
CLA LE = it expects 16
INS both are 0 digits random
EXTERNAL AUTHENTICATE
Example: 00 82 00 00 04 01 02 03 04
no data to recover in reply,
OK/not OK seen as 2 status
bytes.
authenticates the
whole MF if b7=0,
CLA key stored in MF
our cryptogram on
INS 4 bytes
crypto algo nb.
Unilateral Authentication
Historically very popular.
Examples:
password -> login
OK
OK ifif we
we trust
trust the
the browser
browser ++ the
the DNS,
DNS,
or
or aa PK
PK certificate
certificate--based
based secure
secure tunnel
tunnel is
is needed.
needed.
SIM card -> GSM base station (fixed in 3G)
offline bank card transactions -> Point of Sale terminal
Problems:
login page spoofing etc.
false GSM base stations,
false ATMs,
218 Nicolas T. Courtois 2006-2009
Smart Cards
statement1,
[interactive] proof1
statement2,
[interactive] proof2
219 Nicolas T. Courtois 2006-2009
Smart Cards
Mutual Authentication
The sequence:
GET CHIP NUMBER
GET CHALLENGE
MUTUAL AUTHENTICATE + params
Secure Messaging
[Mutual Authentication]
+
Shared Key Derivation
=> starting from now, all read/write commands & data are encrypted
***Case Studies:
GSM
CHV1=user PIN
CHV2=second PIN
SRES SRES
A8 A8
Kc Kc
Fn Fn
are = ?
mi Encrypted Data mi
A5 A5
secret key
Authentication Algorithms
Some operators used COMP128 v1, the default algorithm.
Very bad, there are several attacks
[Briceno,Goldberg,Wagner].
Some never published attacks existed only in a form of an
exe file, better than any published attack less queries to
the card!
Ive developed such attacks myself, they were never published
(sorry).
Gemplus patented and commercialized a strong key solution
Encryption Algorithms
In the phone.
Embarrassing Discovery
What was discovered before [SDA-Berkeley 04/98].
Keys generated were not 64 bits.
10 bits fixed to 0 => 54 effective bits.
The limitation was implemented in both AuC (authentication
Centers) and in SIM cards.
Later most operators have, by now, increased the size of
their keys to 64 bits (also changing the algorithms or not).
It appears that the key is 64 bits starting from COMP 128 v3 and also
in most recent proprietary algorithms.
But one should check if they did!
Lets do it.
Embarrassing Discovery
Keys generated by typical UK and French cards
(Ive checked many): 64 bits.
Key in Polish Orange card: 64 bits.
All Chinese cards checked: 64 bits.
Contactless Commands
High-Level APDU
No difference, the reader translates the commands.
Example: MiFare Classic access:
Low-Level Commands
Sent over the air.
Example:nfclib+ACR122
+MiFare Classic
> 26
< 0400
> 9320 UID
< CA1C46D141
> 9370CA1C46D141 (CRC)
< 08 (CRC)
> 6000(CRC)
< 24D2783A
> CF80E99F1AA2A1F1
>
235 Nicolas T. Courtois 2006-2009
Smart Cards
**Case Studies:
Oyster Card
Challenge-
-Response
card ID 32 bits
Best Attack:
**Facts
Multiple Differential Attack by Courtois,
in SECRYPT 2009.
card-only attack,
300 queries to the card,
very fast!!!
but precise timing needed.
Can be combine with Nested Authentication attack by
the Dutch Nijmegen group.
Then the whole card can be cloned in 10 seconds.
ISO 7816-5
Specifies AIDs (Application IDentifier)
16 bytes (128 bits)
[RID(5)+PIX(0..11)]
RID: Registered Application Provider
PIX: Proprietary Identifier Extension
ISO command
specific params.
length + AID, "1PAY.SYS.DDF01"
SELECT FILE
Response: 90 00 if all OK
ISO 7816-7
APDU for accessing a database stored on a
smart card(!).
Defines
SCQL = Smart Card Query Language
IS0 7816-8..10
More inter-industry commands to manage
the security environment of the card, for
example during the personalization phase
(before the card is issued to the user!!!)
Standards
RSA Security PKCS #11: Application Programming
Interface (API), called Cryptoki, to access devices which
hold cryptographic information and perform cryptographic
functions.
used e.g. in Netscape / Mozilla / cryptlib etc.
Standards
RSA Security PKCS #15: storage and
management of crypto/security objects, keys
and their attributes in smart cards
Standards
PC/SC: communication between Ms
Windows and smart card readers
[developed in 1997]
Standards
JavaCard [later].
OCF [OpenCard Framework]: a Java-based set of APIs for smart
cards
JavaCard 2.2
Banking Standards
EMV: international bank card specs
Visa Open Platform: security management of
multi-application cards
Main Standards:
Calypso
[France, Belgium]
MiFare
[UK, Holland,
Poland]
Felica [Hong Kong,
Japan, India]
264 Nicolas T. Courtois 2006-2009
Smart Cards
JavaCard
Write Once, Run Anywhere
Recent History
Oct 25, 2010 - Gemalto has filed a patent
infringement lawsuit in the US against
Google, HTC, Motorola, and Samsung for
mechanisms implemented in the Android OS
From press release:
Gemaltos patented technologies are
fundamental to running software, developed in a
high level programming language such as
Java, on a resource constrained device,
Motivation
Portable code, hardware-independent
Time to market: add new applications
to the card at any moment!
Easier to develop
Open platform,
=> specs of smart card chip are usually confidential(!!)
Third party applications => much more security needed!!!
Hide the smart card OS and resources from the developer [not
trusted]
Java language has inherently better security
Much of current application insecurity comes from C language
[exceptions, printf, goto, buffer overflow etc..]
Provide built-in security for developers
Cons: slow + expensive
268 Nicolas T. Courtois 2006-2009
Smart Cards
History
JavaCard - Types
Types
JavaCard - Limitations
Language Features Dynamic class loading, security manager
(java.lang.SecurityManager), threads, object cloning, and
certain aspects of package access control are not supported.
Types There is no support for char, double, float, and long, or for
multidimensional arrays. Support for int is optional.
Classes and Interfaces The Java core API classes and interfaces (java.io, java.lang,
java.util) are unsupported except for Object and Throwable,
and most methods of Object and Throwable are not available.
Exceptions Some Exception and Error subclasses are omitted because the
exceptions and errors they encapsulate cannot arise in the
Java Card platform.
JavaCard.lang
JavaCard.framework
JavaCard.security
JavaCardx.crypto
Exceptions Various Java Card VM exception classes are defined: APDUException, CardException,
CardRuntimeException, ISOException, PINException, SystemException,
TransactionException, UserException.
276 Nicolas T. Courtois 2006-2009
Smart Cards
javacard.security
Interfaces Generic base interfaces:
Key, PrivateKey, PublicKey, and SecretKey, and subinterfaces that represent
various types of security keys and algorithms: AESKey, DESKey, DSAKey,
DSAPrivateKey, DSAPublicKey, ECKey, ECPrivateKey, ECPublicKey,
RSAPrivateCrtKey, RSAPrivateKey, RSAPublicKey
javacardx.crypto
Interfaces Non-standard and proprietary crypto
OR
crypto subject to export controls!
KeyEncryption, Cipher
Classes
Exceptions
Communication
Special subset of APDUs [ISO 7816-3..4] are used.
Applet Isolation
JCRE can act as a firewall
Applet Execution
The applet is identified by a unique identifier
AIM.
The terminal selects/deselects the applet at
any moment.
The APDUs are redirected to the applet
currently selected.
Applet Security
Applets [bytecode] are
CHECKED [if they dont spy
on other applets!!]
Should be signed with a digital
signature
[white-list principle(Nokia),
as opposed to black list
(Microsoft)]
Terminals
USB
Before were on serial portNow all USB.
Since about 2000 they use the [Microsoft
compatible] standard API/interface called
PC/SC.
PC Card
Keyboards
Cherry etc.
Contact-less
Open source:
Open-PCD
[Germany]
291 Nicolas T. Courtois 2006-2009
Smart Cards
Banking Terminals
Home Banking
Biometric
Futuristic
UK pilot 2008
Conclusion
Future:
PKI enabler:
fair security: e.g. everyone can verify the
authenticity of a bank transaction.
99.9 % unused potential.