Smartc

La Carte Puce
Nicolas T. Courtois 1, ex. 2

1 - University College of London, UK
2 = [Axalto+Gemplus]
Smart Cards
Scope and References
2 Nicolas T. Courtois 2006-2009

Smart Cards
What are Smart Cards ?

The eternal tension in the industry:
competition cooperation.
1. huge set of standards:

public bodies: ISO/IEC, ETSI, etc.
10s of intra-industry standard bodies such as
GlobalPlatform, TCG
2. many industrial/commercial/
trade/security secrets
Smart Cards
Books About Smart Cards

1) Security Engineering [Cambridge]
by Ross Anderson
MUCH larger scope, may selectively read
Chapters 3-5,10,11,16, 22,26 etc.
2) Smart Card Handbook [Germany, 2002]

by Wolfgang Rankl and Wolfgang Effing
3) Smart Card Applications [Germany, 2007]

by Wolfgang Rankl
4) LATEST BOOK [RHUL, 2008]

Smart Cards, Tokens, Security and Applications
by Keith Mayes and Konstantinos Markantonakis (Editors)

Smart Cards
Remark
What do we learn from these books:
A lot of things [1000s of pages].
But still many things are missing:
Full specs of products?
Full specs of chips?
Details of advanced security countermeasures?
Secret crypto algorithms + padding
Details of authentication protocols
Some little tricks that make big difference
The industry cultivates a lot of secrecy(!).
But at the same they publish 100s of papers they have
1000s of patents, and runs 10s of standard bodies Many things
are not that secret. Just obscure.

Smart Cards
Motivation in a Nutshell

Smart Cards
Key Remark
Software CANNOT be protected by software.

Smart Cards
Main Function of a Smart Card =

= to be a secure hardware device.
USB interface ISO, [USB], [RF]
ISO, [USB,RF
RF]
RF
SIM card form factor

USB Token form factor credit card form factor
1. intelligent (Smart): the card
handles computations (e.g. crypto)
manages data (OS, file system, access rights)
takes informed security decisions (block itself !)
2. Hopefully unbreakable:
nobody can know/modify what is inside.

Smart Cards
The Loophole

Smart Cards
Magnetic Stripe Cards [since 60s]
Which one is counterfeit ?
Chip cards: much harder to read,

much harder to counterfeit.
Smart Cards
Recall:
Two sorts of technologies:
A) Those that are effective if deployed at 20%:
Examples:
1. virus detection (as opposed to removal / fighting the viruses), 99 %
2.
2. email
email // hard
hard disk
disk encryption,
encryption, 20
20 %
%
3.
3. making
making thethe entry/authentication
entry/authentication harder,
harder, as
as an
an option
option for
for the
the use
user,
r, 20%
20%
B) Those that are totally ineffective even at 99%:

Examples:
1.
1. virus
virus removal,
removal,
2.
2. buggy
buggy antianti--virus:
virus: your
your anti
anti--virus
virus has
has just
just restarted
restarted due
due to
to an
an internal
internal
error
error

3.
3. wewe click
click YES
YES for
for 11 %% of
of the
the security
security alerts
alerts out
out of
of fatigue
fatigue
certificates
certificates are
are frequently
frequently invalid
invalid
itit invalidates
invalidates the the 99
99 %% of
of the
the time
time we
we did
did prevent
prevent the
the intrusion
intrusion
we
we lost
lost our
our time
time
4.
4. ifif some
some ATMsATMs still
still accept
accept aa blank
blank magmag--stripe
stripe only
only cards,
cards, the
the whole
whole
purpose
purpose of of chips
chips onon bank
bank cards
cards is is nearly
nearly defeated
defeated

Smart Cards
Magnetic Stripe Bank Cards - Loophole:
As long as some merchants accept them, they

will be fraud
In France:
Since the introduction of smart cards:
Fraud decreased 10 times
in 10 years.
Smart Cards
Philosophy / Model
for Security of Smart Cards

Smart Cards
Why Smart Cards Are Good

Or are they?
The classical model for smart card security

[Schneier and Schostack 1999]
is about
Splitting the security perimeter:
One entity cannot breach the other peoples security?
Hardware barriers that cannot be breached by software, slight
Motto: Software cannot protect software.
Physical control of the card, problem..
By the user, if it is in my pocket, it is not being hacked
And trusting the entities involved
Companies/people involved in this business can compromise its security (backdoors etc!)

Smart Cards
Slight Problem - Example:
The secrecy of the product spec can be:

An extra security layer,
if hackers need 3 months more to get it,
this can be worth millions of dollars in revenue
A source of unexpected and critical security vulnerabilities
that by the fact of being hidden
gives an utterly false sense of security.

Smart Cards
History

Smart Cards
Short Plastic Card History

1878 US fiction writer Bellamy: In 2000 everybody will be paying
by a credit card (!). Cf. Edward Bellamy Looking Backward, 2000 to 1887.
1914-1940 Metal credit cards in the US, forbidden

forbidden during
during WW2
WW2
1950 Invention of plastic money (PVC): Frank McNamara@Diners Club
[NY, USA] issues first universal plastic [charge] credit cards .
1967 First cash machines [DeLaRue] with punch cards.
1967 France: first magnetic stripe card for access control.
1972 [UK] First on-line ATM with magnetic stripe cards.

Smart Cards
History - Chip Cards

1960s
1. French science-fiction book La nuit de temps by
Ren Barjavel:
A portable object/jewel that opens doors.
2. Plastic credit cards were standardized and used
since the 50s [plastic money].
1970s: 1+2 = Embedding electronic components in

credit cards: Many patents in USA, Germany,
Japan and then France.

Smart Cards
Historical Patents

Smart Cards
Smart Card Odyssey

Two Key Patents:
Roland Moreno [France]:
chip card [1974]
security limitations [1975]
Michel Ugon, Bull CP8:
microprocessor card [1977]
10 years ago, half of chip cards in the world

were French. Wider adoption around 2000.
Smart Cards
First Smart Card - Bull CP8

Around 1980,
2 chips,
CPU+RAM,
not very secure!
CP8 = Circuit Programmable 8 bits,

Carte Puce 8 bits

Smart Cards
SPOM, October 1981 - Bull CP8

Patented
NMOS 3,5 ,
42 K Transistors,
RAM: 36 bytes (!),
ROM: 1,6 Kbytes,
EPROM: 1 Kbyte

Smart Cards
History of Electronic Bank Cards - in 1984:

Schlumberger pilot in Lyon, France:
a simple wired logic card
Bull CP8 pilot in Blois, France:

a microprocessor card
Gemplus
The banks adopted the Bull CP8 solution,

the fore-father of current smart bank cards (EMV).
100% in France in 1992.
100% in the world around 2010 ?
=> Close the loophole.
Smart Cards
Vocabulary, Typology, Features

Smart Cards
Vocabulary
magnetic stripe card carte piste magntique
IC= Integrated Circuit puce, circuit intgr

ICC, chip card : carte puce :
memory card carte mmoire
wired logic card c. logique cble
smart card carte microprocesseur
[+crypto co-processeur]

Smart Cards
More Vocabulary
card reader, CAD (Card lecteur carte

Acceptance Device)
BO card [1985-2004] carte bancaire franaise

EMV card [1996-2020?] nouveau standard
Smart Cards
Types of cards
memory/wired logic microprocessor
0 CPU 1 CPU
2 CPU 1-2 CPU
micropr.+crypto contactless
Source: Gartner, 2005
Smart Cards
Memory/Wired Logic Card
Primitive
NVM non-
volatile memory
(E2PROM, Flash
memory)
simple function
e.g. prepay card
Smart Cards
Smart Card
Microcontroller =
CPU+memory
Universal, Turing
machine, software
driven
flexibility
security features
[Hardware DES]
Smart Cards
Crypto-processor IC Cards
Additional crypto-
processor for RSA
or elliptic curves
Hardware security
counter-measures

Smart Cards
Contact-less Smart Card
with RF transceiver
0.1 s transaction
much less energy
even less computing
power

Smart Cards
Memory on Smart Cards

ROM (hard mask: C/Assembly, contains OS,
secure file access, I/O, libraries[crypto!], JVM)
= 100 - 300 Kbytes now
RAM = 4-16 K now
(expensive, first Bull CP8 card had 36 bytes)
NVM: (soft mask, compiled C, more libraries)

EPROM: 1980s, high voltage needed to erase it
E2PROM: 8-64 Kbytes, 1000 times slower
to write than RAM
recently 128-256 K GSM SIM.
New trend: Flash memory:
Much cheaper, dense and shrinkable process.
Random read, harder to manage,
hard to re-write and very slow to erase.
Spansion 2006: 1 Giga in a SIM card!
Smart Cards
Memory R/Erase Memory

Exists in Certain Memory Cards
In E2PROM,the transition from 0->1 is VERY
VERY slow. 1000 times slower
But this is a security feature!
Read-Erase Memory (cannot 0->1):

Smart Cards
Life Cycle of a Smart Card [ISO 10202-1]

Manufacturing: [e.g. Infineon, Gemalto]
ROM <= hard mask, remove test functionality
Initialize: [e.g. Gemalto, Card Issuer]
E2PROM <= soft mask, completing O.S. install
Personalize: [Card Issuer]
Init apps
E2PROM <= data, keys etc. for an individual user!
Use it: [e.g. ATM]
issue commands (APDUs)
Death: [e.g. local bank]
invalidate the chip / destroy the card.

Smart Cards
****Perso Process

Smart Cards
Functionalities of Chip/Smart Cards

Smart Cards
Advantages of Smart Card
storage capacity
security functionalities
multiple functions
user acceptability, effective packaging
successful business model

Smart Cards
Crypto Functionalities of a Smart Card (1)

Cardholder verification by the card.
Check PIN or biometric data.
Not always done with crypto, but otherwise
necessary to activate the crypto capabilities of
the card.
Key generation, its secure storage, safe
usage and (why not) erasure.
Encrypt data (public and secret key)
emails, files, etc e.g. PGP PKI badge
secure messaging
Smart Cards
Crypto Functionalities of a Smart Card (2)

Authentication from weaker to stronger:
Integrity checks (CRC, or better: cryptographic hash).
Origin checks (storing a static signature)
Dynamic Challenge-Replay card authentication (proof of
identity, should be a Zero-knowledge mechanism).
Dynamic authentication of any data with a 3-DES
cryptogram or a MAC (symmetric-key signatures).
Dynamic authentication of any data with a real (=public-
key) digital signature.
Provides authenticity and non-repudiation of every individual action
taken in a complex protocol !
Also verification: the authenticity of a terminal / external

word.
Smart Cards
Smart Card Applications

Smart Cards
Some Applications of a Smart Card

PayTV - Broadcast Encryption and Traitor Tracing.
First PayTV Card: Philips+Bull, 1980-81
Storing private data (emails, passwords etc)
First phone cards with a chip: [1983 Schlumberger
Tlcarte, France], [1984 G&D Telekarte, Germany],
Remark: wired logic, contact placement later changed
GSM / 3G phones
First SIM card: Gemplus 1989, MANY billions sold since
Electronic passport, ID
PKI, Belgium by Axalto.
Biometric passports: required since October 2005.
Smart Cards
More Applications of a Smart Card
Bank Cards [since 1984, Bull CP8]

Home Banking, Internet Shopping
PC access, corporate badge, secure email
PGP
Electronic purse, parking: [1996-] Proton[Be],
Geldkarte, later integrated with bank cards
First student card [restaurant, library, etc.]
First in 1988, Italy, Bull CP8
Smart Cards
Smart Cards Market

Smart Cards
**Actors and Value Chain

Smart Cards
2004 Market Shares [before merger]

Microprocessor cards Market
1,566 million units
Axalto 23%
20% Gemplus
G&D 13%
9% OCS
Orga 5%
4% Incard
Others 26%

Smart Cards
***2007 Market Segments

[source: eurosmart.com]

Smart Cards
Market Growth
In Volume: in M units shipped
In Value: in M

Smart Cards
Industrial Standards [1]:

=> Cards

Smart Cards
What is a Smart Card ?

Set of standards ISO.
cards with contacts:
ISO 7816-1..3
contact-less:
ISO 14443 (proximity <10 cm)
ISO 15693 (vicinity <1 m)
more
with and without contact:
ISO 7816-4..16

Smart Cards
ISO 7816-1
Size matters! Like a credit card.

Smart Cards
ISO 7816-1
Physical Characteristics:
operating temperature, humidity, etc
below are very severe requirements:
bending properties (the chip can break

torsion properties or take-off)
Consequences for the chip:
silicon surface 25 mm2, 0.3 mm depth

small computing power, not Pentium 4
Smart Cards
Manufacturing

Smart Cards
Bare Connectors
The chip will be glued to the contact.

Smart Cards
Die Bonding
Connections with gold wire (20 m)

Smart Cards
Encartage
Embed in a mm card.

Smart Cards
Encapsulation
Embed in a mm card.(Encartage Fr)

Smart Cards
Plastic Matters

Smart Cards
ISO 7816-2
Contacts
1.7 x 2 mm
[changed in 1990]
old AFNOR standard

Smart Cards
ISO 7816-2
=> Freedom

Smart Cards
Contact Quality
Friction force readers scratch the cards
[contacts frottants]
Landing contacts much better

[contacts atterrissants]

Smart Cards
ISO 7816-2 - Historical

C1 VCC (+) C5 GND (-)
C2 Reset C6 VPP for EPROM
C3 CLK C7 I/O (serial port a.k.a. ISO)
C4 ??? C8 - ???

Smart Cards
ISO 7816-2 Evolution@2005-2009

C1 VCC C5 GND
C2 RST C6 [SWP -> antenna]
C3 CLK C7 I/O
C4 [USB] C8 - [USB]
USB USB Samsung S-SIM

supports both+NAND+InterChip USB

Smart Cards
ISO 7816-3 and EMV/GSM

Voltage and current supplied [I~clock freq.]:
Class A: 5 V 10% / 60 mA @5 MHz [ex. 200 mA]
Class B: 3 V 10% / 50 mA @ 4 MHz
Class C: 1.8 V 10% / 30 mA @ 4 MHz
EMV bank cards: always 5V, 50 mA

GSM cards: class A-C max current respectively:
10 / 6 / 4 mA ONLY! (heat, phone battery life).

Smart Cards
Power Matters
Summary:

Bank card: 5 V, 50 mA
GSM SIM class C card (the latest): 4 mA

Even much less for contact-less cards !!!
(power supplied by an alternative magnetic field)
=>Very Low computing power !!!

In contrast: modern PC CPU up to 50 000 mA !

Smart Cards
Power Matters
Summary:
Several 1000 x less power than an Intel CPU
Low surface ( 25 mm2)
Lower density (0.09 m
vs. 0.065 SOI process for recent CPUs)
8 and 16-bit CPUs for very long time

32 bits CPU only since 2003-4

Smart Cards
****Electrical behavior of contacts

I/O:
Z=high- A=low, remains Z unless in transmission
CLK:
in/out capacity < 30 pF,
To switch on (no electricity until all are connected):

RST low, VCC high, no VPP, I/O = Z, CLK = 15 MHz
To switch off:
RST low, CLK low, VPP inactive, I/O = A, VCC low

Smart Cards
ISO 7816-3
CLK:
transition time < Max( 0,5 s, 9% x period T)
at 1 during 40 % - 60 % of time.
The card security should block if short
impulses !
Clock speed:
First cards [1996]: 3.579545 MHz
(still@begin)
Smart Cards
Clock and Maximum Computing Power Avail.
Clock speed, NO co-processor:

1990: 3.5 MHz, RSA-512, 2 minutes
Clock speed with co-processor:

1996: 3.5 MHz, RSA-1024 in 500 ms
2000: 7 MHz, RSA-2048 in 500 ms
2004: 60-100 MHz, RSA-2048 in 50 ms
200-400 MHz today, RSA-2048 in 10 ms
Smart Cards
I/O - ISO 7816-3

Known as ISO interface of a card: simplified UART (serial port)
Transmission of bytes:
N specified by TC1 in ATR
Time duration of 1 bit =

1 Elementary Time Unit [etu]

Smart Cards
ETU
etu = duration of 1 bit, by default

1 etu = 372 / Clock frequency
Examples:
3.5712 MHz/372=9600 bit/s
3.5712 MHz/186=19200 bit/s
3.5712 MHz/93=38400 bit/s
3.5712 MHz/32=111600 bit/s

Smart Cards
ISO 7816-3
Defines the ATR: answer to reset. Up to 33 bytes.
Must happen at 400 40,000 clocks after RST.
ATR = a series of bytes transmitted in order b8..b1:
TS
T0 [presence of TA1-TD1 and 0..15 historical bytes]
TA1
TB1
TC1
TD1: like T0, specifies the presence of extra objects
TA2
etc

Smart Cards
ATR Structure
XOR checksum
Smart Cards
TS specifies:
TS [A+8+Z bits]:
specifies the relationship between A/Z and 0/1
Z=high voltage, A=low voltage
Direct convention [Germany], where A=0, Z=1:
TS = 3B; b1:b8= A(ZZAZZZAA)Z
Inverse convention [France], with A=1, Z=0:
TS = 3F; b8:b1= A(ZZAAZZZZ)Z

Smart Cards
ISO 7816-3 - Highlights
In particular ATR specifies the comm. capacities:

T=0 or T=1
half[/full] duplex
clock speed
baud rate

Smart Cards
ISO 7816-3
Communication Protocols
Main two: synchronous, half/duplex
T=0 (byte-oriented, e.g. GSM SIM),
T=1 (block-oriented, e.g. bank cards)
T=14 (proprietary for German phone cards)
Recent developments:
T=2 (block-oriented, full duplex, cf. ISO 10536-4).
T=4, expansion of T=0
T=USB

Smart Cards
T=CL
T=CL is used for talking to ISO 14443A/B

cards with APDUs translated by the reader
(totally hides the RF interface from the
programmer, the card seems to be a card
with contact!)

Smart Cards
T=0 or T=1?
Remark:
T=0 (byte-oriented)
parity bits only
T=1 (block-oriented) is more modern.
More error detection too: parity +
each block also has a CRC.

Smart Cards
ISO 7816-3
Baud rate:
1996: 9.6 K bit/sec default, @beginning.
Then: 115 K bits/sec
Outdated by Axalto patent: USB smart card:

First Axalto USB: 700 K bits/sec
Full-speed USB up to 12 Mbit/s [since 2005].
Not USB 2.0., it is just USB 1.0. full-speed.

Smart Cards
Example of GSM SIM ATR

3B894014474732344D35323830
Decoded:
TS= 3B => direct encoding
T0= 89= 1000ll1001 => TD1 + 9 historical bytes
TD1= 40= 0010ll0000 => TC2 present and protocol is T=0
TC2= 14= 0001ll1110 => waiting time 14 * 100 ms
T1T9: 47ll47ll32ll34ll4Dll35ll32ll38ll30 =>
GG24M5520 (these are the 9 historical bytes, sort of unique ID of this SIM card)

Smart Cards
ATR - More Examples

"3B8F8001804F0CA000000306030001000000006A"
=> "Philips MIFARE Standard 1 K and London Oyster card
3B6500009C02020702"
=> US Department of Defense Common Access Card,
Axalto Cyberflex Access 32K V2, Sun Microsystems employee card
"3B898001006404150102009000EE"
=> "German e-Passport April 2007",
"3B6D00000031C071D66438D00300849000"
=> HSBC MasterCard
"3F6525082204689000"
=> "France Telecom card
"3F65250052096A9000"
=> "French carte Vitale",
"3BEF00FF8131FE4565631104010280000F274000030100E1"
=> German Postbank Geldkarte",
"3FFF9500FF918171A04700444E415350303131205265764230423A"
=> "NagraVision card for StarHub Digital Cable DVB-C Singapore",

Smart Cards
Industrial Standards [1B]:

=> Other Form Factors

Smart Cards
Form Factors and Interfaces

ISO, [USB,RF
RF]
RF

USB Token form factor a.k.a. ID-000 credit card form factor, a.k.a. ID-1
ISO, [USB,RF
RF]
RF
ISO, [USB,RF
RF]
RF
VISA-mini a.k.a. ID-00 3FF - [telecom, not widely used]

Smart Cards
Dimensions

Smart Cards
Industrial Standards [1C]:

=> Contact-less

Smart Cards
Contactless Smart Cards

cards with contacts:
ISO 7816-1..3
contact-less:
ISO 14443 A-..C [Oyster, e-Passport]
ISO 15693 [NFC]
ISO 18000 [tiny RFIDs]
other

Smart Cards
Two Types of Contactless Communication

Capacity (electrical field)
Standardized, not widely used
Needs the reader and the card to
close and geometrically aligned.
RF = electromagnetic waves
Much better:
it is not true that an Oyster card would not be able
to communicate if >5 cm from the reader,
but it will typically not have enough power
(drawn from the magnetic field).

Smart Cards
Form Factors
key fob

Smart Cards
Antenna
large loop antenna

Smart Cards
Embedding the Antenna

Must be a LARGE coil
SIM card: must be external

(NFC enabled
mobile phone)

Smart Cards
Double/Triple Interface Cards

ISO, RF
ISO, USB, RF
E.g. corporate badge

Functionalities:
Enter doors,
PC log-in,
PGP decrypt and sign
Adopted worldwide, e.g. U.S. Army
Smart Cards
Contactless Interface
ISO 14443 (Oyster, e-Passport)

ISO 15693 (NFC)
ISO 18000 (tiny RFIDs)

Smart Cards
Comparison

Smart Cards
****Pros and Cons of Different RFID Technologies
UHF 860 - 915 - MHz (EPC)

Pros: large range, simple antenna
design, cheap,
Cons: bad penetration of water and
organic fabric
100-135 kHz, ISO 11784/85
Pros: penetrates water and organic
fabric, relatively insensitive to metallic
objects
Cons: low transmission speed, wire coil
antenna, cannot be printed
13.56 MHz, ISO 15693, ISO 14443A,B
Pros: faster communication (26 kBit/s),
Cons: high absorption by metallic
environment, few cm range, or a large
antenna needed

Smart Cards
****Some Products on the Market
UHF 860 - 915 MHz (EPC)

UCode HSL/EPC,
EM 4222/4223,
EM 4442/4444
100-135 kHz, ISO 11784/85
HITAG,
HID Prox,
EM 4102/01,...
13.56 MHz, ISO 15693, ISO 14443A,B
MIFARE,
LEGIC,
iCode,
HID iClass,...

Smart Cards
*Visual Security

Smart Cards
Secure Printing [Source: Oberthur]

Smart Cards
***more details

Smart Cards
***more details
Different on each card:

Smart Cards
Low-Level and Physical Security

Smart Cards
Main Function of a Smart Cards =

= to be a secure hardware device.
ISO, [USB]

USB Token form factor credit card form factor
1. intelligent (Smart): the card
handles computations (e.g. crypto)
manages data (OS, file system, access rights)
takes informed security decisions (block itself !)
2. Hopefully unbreakable:
nobody can know/modify what is inside.

Smart Cards
Remark:
There is no defense against an adversary that
has several millions of

Smart Cards
Removing the Chip

Smart Cards
Making the Chip Harder to Extract:
Oberthur Potting claims:

improves durability [harder to break]
any attempt to remove the module from the card would
result in totally destroying it

Smart Cards
Reverse Engineering

Smart Cards
Open-source Closed-source
Industry: competition cooperation
Standards
Industrial/commercial/trade/security secrets

Smart Cards
*Open Source vs. Closed Source

Smart Cards
Kerckhoffs Principle
Dutch cryptologist, wrote his book in French.
In June 2006 Dutch researchers De Gans et all, have

published several cloning attacks on MiFare
Classic chips [London Oyster card + 200 M other].
[first cloning attack: Courtois, Nohl and ONeil, April

2008].

Smart Cards
Kerckhoffs principle: [1883]
The system must remain

secure should it fall in
enemy hands

Smart Cards
*Remark:
Smart Cards:
They are already in enemy hands
- even more for RFID

Smart Cards
Kerckhoffs principle: [1883]
Most of the time: incorrectly understood.

Utopia. Who can force companies to publish their specs???
No obligation to disclose.
Security when disclosed.

Better security when not disclosed???

Smart Cards
Yes (1,2,3):
1. Military:
layer the defences.

Smart Cards
Yes (2):
2)
Basic economics:
these 3 extra months
(and not more )
are simply worth a

a lot of money.

Smart Cards
Yes (3):
3)
Prevent the erosion of profitability
/ barriers for entry
for competitors /
inimitability

Smart Cards
Kerckhoffs principle is kind of WRONG

in the world of smart cards
Reasons:
side channel attacks are HARD and COSTLY to
prevent when the algo is known
in some applications, for example Pay TV the
system is broken immediately when the
cryptographic algorithms are public.

Smart Cards
*Silicon Hacking

Smart Cards
Tarnovsky Lab
Only few thousands of dollars of equipment

Smart Cards
Tarnovsky (and Other Professional Chip Hackers)
Few thousands of dollars of equipment

Surface polishing
HydroBromic acid to eat away the passivation layers
A microscope for pictures:
the successive layers of silicon are revealed with acids and
lasers
Doping guns to cut/add traces to a working IC
Stinger: bypassing the protections with long microscopic needles.

Smart Cards
More Expensive:
Atomic Force Microscope

(20 K - 1 M)
FIB device
(Focused Ion Beam, 0.5 M)
Canal+ Technologies Lab

Smart Cards
FIB:
Example resolution: 10 nm
Classical applications: failure analysis of ICC
But also: circuit modification:

Local material removal:
cutting metal lines, milling, gas enhanced
etching
Local rebuilding/rewiring of the device
new metal interconnects
new insulating layers
Fine tuning of analog components:
decrease/increase R or C
Reading (electron image)
Art: writing on the nm scale:
Smart Cards
Can Do Anything?
In theory a FIB does anything.

Including read/write memory?
But only in theory.
Not so easy:
The IC has many layers (!)
Security is hidden in inner layers(!)
Can you do many operations reliably enough
to achieve your goal?
Smart Cards
Reverse Engineering

Smart Cards
Clear and Present Danger:
Reverse engineering is NOT that hard.

No no need for a FIB device
(Focused Ion Beam, 0.5 M).
A few thousand dollars microscope will suffice.

Smart Cards
Reverse Engineering MiFare [Nohl, Plotz, 2007]

Smart Cards
Hardware Defences

Smart Cards
Hardware Countermeasures:
Make the life of the hacker much harder.
Financial sector requirements:

attacks should cost more than
say 25 K$ per card

Smart Cards
Functionality + Security

Smart Cards
Hardware Countermeasures
Detection:
Detect under/over-clocking (stop
(stop the
the clock,
clock, read
read the
the
RAM)
RAM)
Random instructions, and Random Wait

States [e.g. Infineon SLE66].
Detect low/high voltage [<2.3 V or >6.3 V].
Glitch/spike detect
Detect UVs, light, alpha particles, high/low
temp etc.
Smart Cards
Intrusion Detection

Smart Cards
More Hardware Countermeasures

1. Shield/coating.
Detect if passivation layer was removed.
R/C measurements.
2. Metallic layer:
screens for charges/radiation.
Needed and monitored:
R/C measurements.
3. Active shields=detect tampering with.
Mesh of wires: prevents probing, attacks with a laser
cutter, etc.
4. Detection + Destruction???
Smart Cards
Active Shield
Source:Infineon. Problem: back side attacks.

Smart Cards
**Intrusion Detection on PEDs (Pin Entry Device)

Anderson et al.
UCAM-CL-TR-711
2/2008
this way
not this way
works!

Smart Cards

4. Detection + Destruction???
Chemical traps: SiShell [Axalto patent].

Smart Cards
**** Related Example

UK Military Laptop LT-450 (Termite)
A laptop + hardware crypto module
secret algo!
secret key
Has tamper switches:
the key and the algo will be deleted
Manual destruction:
press two buttons at the same time
mechanism works also
when PC is switched off
and does not need the
battery

Smart Cards
***Example Closer to Smart Cards

2006

Smart Cards
Design Obfuscation
Restricted circulation of specs.
Non-standard instruction set.
Custom crypto algorithms.
ROM and busses in lower layers of silicon.
Only ion-implanted ROM is used, not visible with UV light.
Scrambling the data busses.

in each chip different lines, on certain chips the busses location changes during the execution of the code.
Dummy structures in silicon.

Duplication
Symmetry -> same power consumption.
Memory Obfuscation:
Encrypt the memory addresses.
Encrypt the memory data.
Smart Cards
Robustness and Redundancy

Goals:
Avoid perturbation at logical level:
Control bits, error correcting
Dual logic, also protects against power attacks.
Detect perturbation at the OS and software level
and block the card
Data checksums,
Redo DES twice,
Etc..
Security of file system and OS: later.

Smart Cards
More and Higher-Level

Security Countermeasures

Smart Cards
Motivation:
Most Bank Cards have a PIN verification
function.
PIN
not encrypted except in some EMV DDA cards
Y/N
not authenticated except in EMV DDA cards

Smart Cards
Critical Bits and Pieces

Example: PIN verification.
Can be implemented in asynchronous logic
[dedicated transistors/gates]
much lower power consumption,
in a lower layer and much harder to localize
requires a dedicated hardware attack
as apposed to a generic attack on CPU registers,
busses, loading to memory, etc..

Smart Cards
PIN code Simple Hacker Attack [1992]

Enter the PIN with a home terminal.
Listen to card radiation/power consumption to
detect early in time that it was wrong.
Switch the voltage off very quickly.
Solution?

Smart Cards
PIN code Simple Hacker Attack [1992]

Enter the PIN with a home terminal.
Listen to card radiation/power consumption to
detect early in time that it was wrong.
Switch the voltage off very quickly.
Countermeasure [used in all bank cards]:

Increment the ratification counter first
Check the PIN
The decrement it(!).
Smart Cards
Increment First? Slight Problem
this could not be done, the first French bank

card B0 had no NVM!
They used an array of 480 bits,
where at each PIN verification attempt, a bit
would be irreversibly changed (E PROM).
after 480 (right or wrong) attempts, the card
would stop working
also they had a limited history 768 bytes, 4 bytes
per transaction, 2 transactions/week.
Smart Cards
Timing Attack on PINs
[old, worked before c. 1990]

Bad programming: compare PIN digits one
after one, if first is incorrect, abort!
Good programming: write a program such
that the execution time is constant.

Smart Cards
PINs and Keys Storage in RAM

E2PROM of the smart card: assume
addresses and data are encrypted.
Attack 1: read it (assume its possible)
Solution 1: store h(PIN)?
Attack 2: dictionary attack.
Solution 2A: store R, h(PIN,UID,R)
Solution 2B: store R, E_K(PIN,R)
where K is a key specific to this card only

Smart Cards
Protocol/Software Countermeasures
Typically, the chaining of commands is
strictly controlled. Each command can be
issued only once, and in a certain order.
Assured by a finite state machine.
Example: dont accept commands in clear-text
once secure messaging is established.
The spec should not allow buffer overflows.

Smart Cards
***Example: Conformity Test

The test verifies the enforcement of Secure
Messaging:
Afterwards the chip denies to send data in an
unencrypted way and answers with 6X XX
(error).
Not enough: make sure that the same error

code is sent in the same situation!

Smart Cards
Example:
Eric Poll [Nijmegen] Attacks on e-passports.
Send various ISO commands, observe the error messages:

Smart Cards
Clone Attacks

Smart Cards

Unique serial number
Written in WORM (Write Once Read Many)
a.k.a. OTP (One Time Programmable).
Example: Oyster card UID=32 bits
Benefits are:
clones harder to make
and can blacklist clones
tracing of each card
card-dependent memory encryption, hashing and RNG

Smart Cards
Threats (1.)
Assume that we have all the data. Clone the card?
1. Card Emulation on a card defenses:
unique ID, cards that can be personalized not available =>
requires a special re-programmable card,
or a pirate emulator
-speed, +size, +cost, etc.

Smart Cards
Threats (2.):
Assume that we have all the data. Clone the card?
1. Card Emulation on a card ???
2. Card Emulation on a PC!

Smart Cards
Threat 3. Relay Attack

Low-tech,
always No Need to Break
Anything !!!
works!

Smart Cards
Has Been Done

Smart Cards
Economics Aspects

Smart Cards
*Cost of Some Attacks [source: RFI Global]

Smart Cards
*Cost of Fault Attacks [source: ST]

Smart Cards
Security Management -
the Development Process

Smart Cards
Secure Hardware Dev. Management

[In smart cards] one design criterion differs from the criteria used
for standard chips but is nonetheless very important is that
absolutely no undocumented mechanisms or functions must
be present in the chip ('that's not a bug, that's a feature').
Since they are not documented, they can be unintentionally
overlooked during the hardware evaluation and possibly be
used later for attacks.
The use of such undocumented features is thus strictly prohibited
[...]
[pages 518-519 in the Smart Card handbook

by Wolfgang Rankl and Wolfgang Effing, 1088 pages, Wiley,
absolute reference in the industry]

Smart Cards
Testing
White-box tests are prohibited, no debugging commands
must be left in the hard-mask and soft-mask.
Tests must be black-box tests and test suites include
scanning for hidden [debugging] commands.

Smart Cards
Application Development Management

Goals:
Avoid backdoors, Trojans, covert channels, bugs
etc.
Kleptography: techniques to leak keys to the
attacker,
form of perfect crime.
Means:
Segregation of duties [Lipner 1982].
Monitoring.

Smart Cards
Segregation of Duties
Never one developer works alone on an
application.
he knows only some parts of the spec (partial
secrecy, need to know).
Some critical security mechanisms can be
distributed: part in hard mask(ROM), part in
soft mask, harder to know both
the chip manufacturer does NOT have the full
spec either.

Smart Cards
Monitoring / Checks and Balances

Internal quality and security audits within each company.
The entire source code is frequently inspected by an
independent company:
government agency [such as GCHQ] or
an evaluation (or hacker) lab [such as CEA-LETI]
mandated and paid by the customer [to avoid conflicts of interests].
Some countries have a process to evaluate these labs (they have to
prove that they can break smart cards as well as other people do).
External security audits (mandated by a customer: for
example a large bank).

Smart Cards
File System

Smart Cards
Data in smart cards

Think about sequences of bytes.
BER-TLV conventions [ISO 8825]
T Tag, for example 90 in hex.

L 1 or 3 bytes. Let L[0] be the first byte
MSB(L[0])=0, L[0] = length 0-127,
MSB(L[0])=1, L[1-2] = length 0..65535
V value, a string bytes.
TLV objects can be nested !

Smart Cards
ISO 7816-6
Specifies how to encode different data
elements as BER-TLV objects,
For example:
Name of the credit card holder
Expiration date
Etc.

Smart Cards
ISO 7816-4
File names FID:
2 bytes
example: 3F 00
Short file names (SFID):

5 bits, 1..30, used as
a parameter in certain
commands

Smart Cards
ISO 7816-4
MF: Master File
(root directory 3F00)
DF: Dedicated Files

(directories+some data)
EF: Elementary Files

(data files)

Smart Cards
Elementary Files
EF: Elementary Files
Not all files are visible for applications(!)
Internal EF: card private files, card O.S. only can
see them
Working EF: data accessible to applications that
communicate with the external world.

Smart Cards
Example: GSM Card [incomplete picture]

(cf. 3GPP TS 51.011
standard)

Smart Cards
Some Directories in a GSM Card

Important directories:
root directory : 3F 00
DFGSM = 7F 20
DFTELECOM = 7F 10.
First byte:
'3F': Master File;
'7F': 1st level Dedicated File
'5F': 2nd level Dedicated File
'2F': Elementary File under the Master File
'6F': Elementary File under a 1st level Dedicated File
'4F': Elementary File under 2nd level Dedicated File

Smart Cards
ISO 7816-4 Files (EFs)

4 types
like RAM, or a
string of bytes
records, with specific instructions and applications

Smart Cards
2 Types of Fixed-Size Entry Records

Header
Record 1
2 types of records: Record 2
Body .
.
Linear Fixed file
Record n
Like a list
Structure of a linear fixed file
Cyclic Fixed file:

Header
Motivation:
Record n-1
fixed E2PROM size, scarcity Body Record n Oldest record
Applications: Record 1 Last updated record
Bank card history Record 2

.
e.g.150 last transactions .
Record n-2
all SMS sent/received
etc.. Structure of a cyclic file EN726-3
Smart Cards
GSM Card: Some Files Inside DFGSM

EFIMSI (6F07)
Le fichier EFLOCI (6F7E) contains TMSI, LAI etc.
EFLP(Language preference)
EFKc = Ciphering key Kc + sequence number
EFSST (6F38) = SIM service table = 1byte = [s1present, s1active, ]
= services present/not active/not in this card, these are:
Service n1 : disable users PIN == CHV1
Service n2 : Abbreviated Dialing Numbers (ADN)
Service n3 : Fixed Dialing Numbers (FDN) present in
Service n4 : Short Message Storage (SMS) DFTELECOM
EFACM = Accumulated Call Meter, in units
EFMSISDN = the subscribers MSISDN.
etc..

Smart Cards
Some Files Inside DFTELECOM

This directory is protected by PIN(!)
EFADN(6F3A) your short phone directory (10 entries),

EFFDN(6F3B) your phone directory
EFSMS(6F3C) all the SMS received and sent, cyclic file
Header
Record n-1
Body Record n Oldest record
Record 1 Last updated record
Record 2
.
.
Record n-2
Structure of a cyclic file EN726-3

Smart Cards
File Access and

Access Conditions

Smart Cards
Accessing Files: SELECT FILE FCI/90 00

General philosophy:
Almost always one must select a file before any operation on it (MF is
selected at the start)
SELECT FILE + params
Response: either:
90 00
FCI = File Control Info = status of the file selected,
exact spec [attributes and their encoding]: depends on the smart card, e.g. GSM.
STATUS command (C0 F2) - GSM specific:

allows to know (to avoid confusion) what file was selected with the last
SELECT command.

Smart Cards
Variants
There are MANY methods to address a file with SELECT FILE:
by 2 bytes FID (for MF, DF and EF)
0_ A4 00
By DF name or AID (for DF only or an application)
0_ A4 04
0_ A4 02
by absolute path from MF
0_ A4 08
by a relative path from current DF
0_ A4 09
Switch
Switch to
to higher
higher level
level DF?
DF? (equiv
(equiv to
to ../
../ in
in PC
PC OS)
OS)

another
another DFDF when
when partial
partial AID
AID is
is transferred?
transferred?

Smart Cards
Examples: SELECT FILE

1. Example of a SELECT FILE with FID and FCI, for a GSM card:
Command: C0 A4 00 00 02 6F 07
GSM card
SELECT FILE length + FID == file identifier on 2 bytes
empty params. 6F 07 = IMSI file of this SIM card
Response: This command returns the FCI.
2. Example of a SELECT FILE with AID and no FCI (widely used for
accessing files AND applications by their unique identifier):
Command: 00 A4 02 00 05 [AID]
ISO command
SELECT FILE specific params. length + AID, if no ambiguity, a prefix
of a valid AID can also be accepted
Smart Cards
FCI and Access Conditions for EF files

Smart Cards
Status of EF Files
SELECT FILE command for an EF file

=>returns:
1. an error command:
62 83 file deactivated
64 00 execution error
6A 81 function not supported
6A 82 file not found
etc..
OR
2. an FCI (File Control Information) + 90 00
(each EF file in a card has specified access conditions):

Smart Cards
FCI (File Control Information) for EF files

May contain (examples, mostly optional)
80+2 bytes: size of the file
82 + 2 bytes: file descriptors, e.g.
shareable/not
type of file: DF/working EF/internal EF
EF structure
83 + 2: file identifier.
84 + 1-16: DF name.
86 + security attributes (proprietary coding).
etc..
Smart Cards
*FCI Attributes [contd.]

86 + security attributes (proprietary coding).
Files can be:
WORM (Write Once, Read Many times)
implemented in hardware or software
EDC (Error Detection Code)
atomic write access
Security: must written entirely or not at all (!!!)
multiple storage attribute
for frequently used files in the card, wear-level usage of E2PROM
data transfer selection attribute
on dual-contact cards, to make file accessible only via contact or
contact-less interface

Smart Cards
Examples of FCI
Not 100% compatible, depends on products
6F 07 80 02 00 58 82 01 01 90 00
EF with transparent structure, file size: 88 (0x0058)
Example of GSM FCI (22 bytes = 0x16):

00 00 00 01 7F 20 02 00 00 00 00 00 09 91 00 11 08 00 83 8A 83 8A
Can
Can be
be decoded
decoded according
according to
to GSM
GSM spec:
spec:

Byte
Byte 14:
14: The
The most
most significant
significant bits
bits of
of is
is 00 ifif an
an only
only ifif PIN1
PIN1 is
is disabled.
disabled.

Byte
Byte 19
19 == is
is the
the "CHV1
"CHV1 status
status..
Typically
Typically the
the value
value of
of this
this byte
byte is
is '83'
'83' where
where 88 means
means that
that the
the PIN1
PIN1 has has been
been
initialized,
initialized, and
and that
that there
there are
are 33 cardholder
cardholder verification
verification attemp
attemptsts left
left for
for this
this
PIN.
PIN.
Smart Cards
Files Security Status

Smart Cards
Security of Files in Directories

Security status of a file results from the sequence of commands
performed (e.g. authentication of entities) and their results. It can be:
Global: may be modified after a completion of a certain authentication
command (or other secure functionality),
Examples (studied later):
VERIFY + PIN,
GET CHALLENGE + EXTERNAL AUTHENTICATE)
only if the commands are embedded inside SECURE MESSAGING channel (normal APDUs
with encryption AND authentication with a MAC)
a secret key/value stored in the MF is used to perform this cryptographic
command.
Directory-specific,
then the key/PIN used is stored in the same DF.
File-specific (EF).
Command-specific and ephemeral.
Example:

Smart Cards
Security of Files in Directories

Example: Access conditions for a given file or directory
+ given access mode (e.g. WRITE):
PRO: An external command can write a file if the MAC of this command is valid.
AUT: File accessible R/W if the terminal authentication have been done before.
CHV: This file can be read if the user have entered the Pin and if it was correct.
CHV2:
CHV2: The
The same
same with
with the
the second
second PIN
PIN (exists
(exists in
in GSM).
GSM).
ADM:
ADM: requires
requires the
the admin
admin code
code number
number (up
(up to
to 14
14 exist
exist in
in GSM,
GSM, Telc
Telcooss access)
access)
NEV (access to some files can be disabled forever)
ALW (always), public access (at least in this mode, e.g. READ).
Other conditions may exist in a specific card

Smart Cards
Security and Access to Files:

Example [root directory]:

Smart Cards
MACs = Secret-Key Signatures
m yes/no
(m,)
MAC MAC
algorithm algorithm
forgery
sk sk
(secret key) (secret key)

Smart Cards
MAC = secret key signature

Several methods: CBC-MAC, C-MAC, Retail-MAC, etc.
Based on symmetric encryption algorithms such as DES, AES.
ICV
this MAC C-MAC

guarantees the with chaining
order of ICV=last MAC
commands too!
(cannot add, cannot remove except at the end)

Smart Cards
MAC and IV
Important:
Never use a random IV in a MAC.
IV = 0 is a safe choice.
Or another constant.
Do use random IVs in encryption.
Exception to this rule:

In many smart card products MACS are chained:
ICV = last MAC computed by the card/reader, prevents changing the
order of commands or dropping commands etc.
together
together with
with random
random numbers
numbers (nonces)
(nonces) also
also prevents
prevents full
full reply
reply ooff aa full
full
transaction
transaction flow.
flow.

Smart Cards
*Example how a card will enter mode PRO:

Terminal Card
ASK RANDOM
command
Challenge
generation
Challenge
(T)DES Data to
PRO key calculation sent Challenge EF key
Cryptogram Data
PRO Key
Received (T)DES
PRO command Data + cryptogram Data
bytes calculation
Received
Cryptogram
Compare the
cryptograms
Delete flag random
present
OK
N
?
Decrease
ratification counter Y
Reset ratification
counter if needed
Bad Authentication
PRO mode OK

Smart Cards
*Example entering mode AUT:

Terminal Card
ASK RANDOM
command
Challenge
generation
Challenge
(T)DES
Terminal
calculation
Key AUT mode
Certificate
EF key
EXTERNAL Key number Key
AUTHENTICATE +
Received number
command Cryptogram bytes
Card Key
(T)DES
calculation
AUT mode
Cryptogram
Compare the
cryptograms
Delete flag random
present
OK
N
?
Decrease
ratification counter Y
Reset ratification
Bad Authentication counter if needed
Authentication
successful

Smart Cards
Commands (APDUs)

Smart Cards
Commands - ISO 7816-4

APDU = Application Protocol Data Unit
Master-slave principle. Half-duplex.

The card never starts anything.

Smart Cards
ISO 7816-4
APDU = Application Protocol Data Unit
CLA = 1 byte, identifies the application

INS = 1 byte, instruction code
Lc = size of data, 1 or 3 bytes
Le = size of the expected answer, 1 or 3 bytes.

Smart Cards
CLA byte and Logical Channels

CLA is 1 byte that:
identifies the application
so remains constant (though 1 application can have several channels),
is an indication to what extent the command and the response complies with
ISO 7816-4
Examples: 0X standard ISO, A0 in GSM,
80 e-purse EN1546-3, BC old EMV bank cards,
80 and 84: EMV bank cards 8X: proprietary commands
CLA=0X, 48X and 9X, AX use so called logical channels:
Let X=b4b3b2b1
b4 b3 indicate if Secure Messaging is used and if the command header is
also authenticated
b1 b2 indicate the number of logical channel 0..3
Application: concurrent communication with multiple applications (or concurrent
execution of multiple tasks). Example: mobile phone talking to phone book
another application [can be Java] stored on the SIM card.

Smart Cards
Command APDUs
Lc = size of data, 1 or 3 bytes

Le = size of the expected answer, 1-3 bytes.
4 cases

Smart Cards
C-APDU INS Examples

When CLA=0X
0E Erase Binary
20 Verify
70 Manage Channel
82 External Authenticate
84 Get Challenge
88 Internal Authenticate
A4 Select File
B0 Read Binary
B2 Read Record(s)
C0 Get Response
C2 Envelope
CA Get Data
D0 Write Binary
D2 Write Record
D6 Update Binary
DA Put Data
DC Update Record
E2 Append Record
Smart Cards
Response = R-APDU
Response structure:
SW1: 90=completed/
OK with warning/
error during exec/
checking error;
?NVM changed[63,65]
SW2: error number
90 00 = All OK
Smart Cards
IMPORTANT:
In many cases, and in all cases where the size
of the answer is not known in advance,
The response is NOT given,
the terminal must ask for it
(another C-APDU).
Example (for a bank card):

Smart Cards
5 Possible Cases:
Case 1: No input data/no output data
Case 2: No input data/Output size known in advance:
Case 3: No input data/Output size not known:

Smart Cards
Case 3: 2 x C-APDU, 2 x R-APDU:

Terminal Card
Command APDU
ACK = 9000
Data
wait for completion
2 status bytes
Request the Answer APDU
ACK = 9000
wait for completion
Data
2 status bytes
Smart Cards
[] 5 Possible Cases
Case 4: Input data/no output:
Case 5: Input data/Output size known or unknown:

Smart Cards
Standard Cross-Industry
Commands

Smart Cards
ISO 7816-4 Inter-industry Commands

For transparent linear files: *VERY SPECIAL:
2
as E PROM is 1000 times
READ BINARY slower to write than RAM,
and it is the change from
01 that is slow (requires
WRITE BINARY* erasing)
Thus the command WRITE
performs a logical AND
UPDATE BINARY = real WRITE withcontent!!!! the current file
ERASE BINARY
SEARCH BINARY

Smart Cards
Syntax: Read/Write
READ BINARY
UPDATE BINARY (overwrite=real write)

Smart Cards
ISO 7816-4 Inter-industry Commands

For records (2 types):
READ RECORD
WRITE RECORD
APPEND RECORD
UPDATE RECORD
SEEK
SEARCH RECORD

Smart Cards
ISO 7816-4 standard commands

For application-specific data objects.
GET DATA
PUT DATA

Smart Cards
Security Commands

Smart Cards
Authentication
R: deny R: allow
W: deny W: allow

Smart Cards
Cardholder Authentication
On-card PIN/Password verification.
PIN
not
not encrypted
encrypted except
except in
in some
some EMV
EMV DDA
DDA cards
cards
Y/N
not
not authenticated
authenticated except
except in
in EMV
EMV DDA
DDA cards
cards

Smart Cards
ISO 7816-4 Security Commands

Authentication
Card Holder => Card
VERIFY + password/CHV/PIN
BTW. CHV == Card Holder Verification == PIN
Example: 00 20 00 00 04 70 61 70 61
no L_e, no data in reply
expected, result will be visible
in two status bytes SW1SW2
authenticates the
CLA whole MF if b7=0,
PIN stored in MF
INS 4 bytes
password
must be 0
= papa)

Smart Cards
Challenge-Response a.k.a. Dynamic

Authentication Card=>External World
randomB
A B
A, MACK(randomB)
K K

Smart Cards
****Exists in GSM,
but a non-standard dedicated command
SIM card
challenge RAND
Ki Signed RESponse (SRES) Ki

A3 A3
are = ?
no L_e, no data in reply

expected, result will be visible
RUN GSM ALGORITHM in the status bytes = 0x9F Le
Example: A0 88 00 00 10 XX .XX
CLA INS 16 bytes random nonce
both 0

Smart Cards

Authentication
Card => Terminal
INTERNAL AUTHENTICATE + random challenge

algo nb. + key nb.
Produces a cryptogram/MAC, proves the identity of the
card.
Example: 00 88 00 00 04 A3 02 AF D1 04
the reply should be 4

digits/bytes too
authenticates the
CLA whole MF if b7=0,
key stored in MF
INS random challenge
on 4 digits
crypto algo nb.
Smart Cards

Challenge-Response Authentication:
Terminal => Card
GET CHALLENGE
EXTERNAL AUTHENTICATE
+ algo nb. + key nb. + cryptogram

Smart Cards
Example:
GET CHALLENGE
Example: 00 84 00 00 10
CLA LE = it expects 16
INS both are 0 digits random
EXTERNAL AUTHENTICATE
Example: 00 82 00 00 04 01 02 03 04
no data to recover in reply,
OK/not OK seen as 2 status
bytes.
authenticates the
whole MF if b7=0,
CLA key stored in MF
our cryptogram on
INS 4 bytes
crypto algo nb.

Smart Cards
Unilateral Authentication
Historically very popular.
Examples:
password -> login
OK
OK ifif we
we trust
trust the
the browser
browser ++ the
the DNS,
DNS,
or
or aa PK
PK certificate
certificate--based
based secure
secure tunnel
tunnel is
is needed.
needed.
SIM card -> GSM base station (fixed in 3G)
offline bank card transactions -> Point of Sale terminal
Problems:
login page spoofing etc.
false GSM base stations,
false ATMs,
Smart Cards
Uni-directional vs. Mutual Authentication K

K
statement1,
[interactive] proof1
statement2,
[interactive] proof2
Smart Cards
Mutual Authentication in One Piece
Mutual Authentication

Smart Cards

Mutual Authentication:
Terminal <=> Card
The sequence:
GET CHIP NUMBER
GET CHALLENGE
MUTUAL AUTHENTICATE + params

Smart Cards
Read/Write => Secure Read/Write, CLA=04

Smart Cards
Secure Messaging
[Mutual Authentication]
+
Shared Key Derivation
=> starting from now, all read/write commands & data are encrypted
223 Nicolas T. Courtois 2006-2009 encrypted

Smart Cards
Encapsulation of ISO 7816-4 Commands

Commands and answers contain another
embedded APDU command (or part of it):
GET RESPONSE for an embedded
command
ENVELOPE sent an encrypted APDU

Example: 00 C2 00 00 10
no data to recover in reply,
only 2 status bytes.
CLA some data,
INS both are 0 length = 16

Smart Cards
***Case Studies:
GSM

Smart Cards
Some More GSM Commands (CLA=A0)
CHV1=user PIN
CHV2=second PIN

Smart Cards
GSM Security GSM Operator

Authentication Center
precomputed triples:
(RAND,SRES,Kc)
SIM card
challenge RAND
Ki Signed RESponse (SRES) Ki

A3 A3
SRES SRES
A8 A8
Kc Kc
Fn Fn
are = ?
mi Encrypted Data mi
A5 A5
Mobile Equipment Base Station

Smart Cards
SIM Card Side
Triples RAND, SRES, Ki

are stored in BS
secret key
Data with redundancy: data block of 114 bits.

terrible mistake
Smart Cards
Running the Secret Algorithm (with secret key)

Both (key+algo)
remain secret
at all times.
Custom-made!

Smart Cards
Authentication Algorithms
Some operators used COMP128 v1, the default algorithm.
Very bad, there are several attacks
[Briceno,Goldberg,Wagner].
Some never published attacks existed only in a form of an
exe file, better than any published attack less queries to
the card!
Ive developed such attacks myself, they were never published
(sorry).
Gemplus patented and commercialized a strong key solution
Encryption Algorithms
In the phone.

Smart Cards
Embarrassing Discovery
What was discovered before [SDA-Berkeley 04/98].
Keys generated were not 64 bits.
10 bits fixed to 0 => 54 effective bits.
The limitation was implemented in both AuC (authentication
Centers) and in SIM cards.
Later most operators have, by now, increased the size of
their keys to 64 bits (also changing the algorithms or not).
It appears that the key is 64 bits starting from COMP 128 v3 and also
in most recent proprietary algorithms.
But one should check if they did!
Lets do it.

Smart Cards
Embarrassing Discovery
Keys generated by typical UK and French cards
(Ive checked many): 64 bits.
Key in Polish Orange card: 64 bits.
All Chinese cards checked: 64 bits.
But many keys are still 54 bits:

Examples Ive seen myself:
SIM I bought in Russia in 2007 (operator = MTC):
Estonian card, operator=simpel, 2009
Greek Vodafone SIM, 54 bits as well...
Smart Cards
Contactless Commands

Smart Cards
High-Level APDU
No difference, the reader translates the commands.
Example: MiFare Classic access:

Smart Cards
Low-Level Commands
Sent over the air.
Example:nfclib+ACR122
+MiFare Classic
> 26
< 0400
> 9320 UID
< CA1C46D141
> 9370CA1C46D141 (CRC)
< 08 (CRC)
> 6000(CRC)
< 24D2783A
> CF80E99F1AA2A1F1
>
Smart Cards
**Case Studies:
Oyster Card

Smart Cards
**Contact-less Authentication - History
IFF: Identify Friend or Foe (1942)
Challenge-
-Response
problem: relay attacks

Smart Cards
**Mutual Authentication + Secure Messaging
card ID 32 bits
tag random 32 bits
encr. rdr random + rdr resp. 2x32 bits
tag resp. 32 bits
=> starting from now,

all read/write commands data is sent encrypted

Smart Cards
Best Attack:
**Facts
Multiple Differential Attack by Courtois,
in SECRYPT 2009.
card-only attack,
300 queries to the card,
very fast!!!
but precise timing needed.
Can be combine with Nested Authentication attack by
the Dutch Nijmegen group.
Then the whole card can be cloned in 10 seconds.

Smart Cards
Smart Card O.S.

Smart Cards
Modern Multi-Application O.S.

MULTOS
originally developed for e-purse Mondex [UK]
High level of security, EAL6 for some chips
Open Platform
promoted by Visa et al.
JavaCard
popular in GSM
banks never wanted 3rd party applications on their
cards problems: branding, ownership, risks
Windows for Smartcards
commercial fiasco, abandoned
Smart Cards
Further Smart Card Standards

Smart Cards
ISO 7816-5
Specifies AIDs (Application IDentifier)
16 bytes (128 bits)
[RID(5)+PIX(0..11)]
RID: Registered Application Provider
PIX: Proprietary Identifier Extension
Can uniquely identify one smart card application.

Also used to identify files in the smart card.
Simultaneous selection of an application and of a
directory of a card.
Smart Cards
*Accessing Files and Applications by AID: SELECT FILE

As for files, applications are selected by the same method with
an APDU XX A4 to select a file by its AID: Example:
00 A4 02 00 0E 31 50 41 59 2E 53 59 53 2E 44 44 46 30 31
ISO command
specific params.
length + AID, "1PAY.SYS.DDF01"
SELECT FILE
Response: 90 00 if all OK

Smart Cards
RID: Registered Application Provider

Administrative method to get a RID is described in ISO 7816-
5. Not all application provider RIDs are public. Examples:
A0 00 00 00 87
3GPP (3G USIM application)
A0 00 00 00 09
ETSI (e.g. GSM SIM with Java)
RID = D2 76 00 01 24
In OpenPGP cards.
A0 00 00 00 03
VISA EMV international cards
A0 00 00 00 04
MasterCard EMV cards
Etc..

Smart Cards
Examples of a Complete AID

31 50 41 59 2E 53 59 53 2E 44 44 46 30 31
which is "1PAY.SYS.DDF01" en ASCII, it contains a list of AIDs of
an EMV bank card
A0 00 00 00 42 10 10
Visa Credit EMV application, France
A0 00 00 00 03 10 10 printed on the
ticket
Visa Credit EMV application, international
A0 00 00 00 04 10 10
MasterCard EMV application, international
A0 00 00 00 69 00
is the French Mono e-purse application.

Smart Cards
ISO 7816-7
APDU for accessing a database stored on a
smart card(!).
Defines
SCQL = Smart Card Query Language

Smart Cards
IS0 7816-8..10
More inter-industry commands to manage
the security environment of the card, for
example during the personalization phase
(before the card is issued to the user!!!)

Smart Cards
ISO 7816-12 12/2005

USB on smart cards!
Two versions, still evolving
Bridge the connectivity gap between PCs
and smart cards!

Smart Cards

=> Crypto Standards

Smart Cards
Standards
RSA Security PKCS #11: Application Programming
Interface (API), called Cryptoki, to access devices which
hold cryptographic information and perform cryptographic
functions.
used e.g. in Netscape / Mozilla / cryptlib etc.

Smart Cards
Standards
RSA Security PKCS #15: storage and
management of crypto/security objects, keys
and their attributes in smart cards

Smart Cards
RSA Security PKCS #15 - Examples

Smart Cards

=> Applications, Protocols

Smart Cards
Standards
PC/SC: communication between Ms
Windows and smart card readers
[developed in 1997]
Microsoft Cryptographic API (CryptoAPI).

enables application developers to add cryptography and certificate management functionality to
their Win32 applications without knowing anything about the hardware configuration

Smart Cards
Smart Cards under Linux?

PC/SC works and has drivers under Linux too.
Libraries? check out

M.U.S.C.L.E. at www.linuxnet.com
OpenSC library
Etc

Smart Cards
Standards
JavaCard [later].
OCF [OpenCard Framework]: a Java-based set of APIs for smart
cards
JavaCard 2.2
ISO 15408: product evaluation

derived from the common criteria

Smart Cards
Banking Standards
EMV: international bank card specs
Visa Open Platform: security management of
multi-application cards
CEPS: Common Electronic Purse

Specification
EN 1546: Pan-European e-Purse
specification (very similar)

Smart Cards
Mobile Phone Card Standards

Smart Cards
***GSM Phones Card Standards

GSM 11-11: specifies the standard SIM-ME interface
GSM 11-14: more: SIM Application Toolkit
GSM 03.19: API JavaCardTM for programming SIM cards
GSM 03.40: how to implement Short Message Service
(SMS) in Point to Point (PP) mode
GSM 03.48: security mechanisms for the SIM card
application toolkit

Smart Cards
***3G Phone Card Standards

TS 51.011: specifies the 3G SIM-ME interface
ETSI TS 102 221: terminal-card physical and logical
characteristics
3GPP: 31.101 V4.0.0, 31.102 V4.0.0 (Release 99)- 3G
cards (W-CDMA)
3GPP2-C00-1999-1206-1208: specification of RUIM
modules for CDMA 2000

Smart Cards
3G Phone Security Standards

Principles, objectives and requirements
TS 33.120 Security principles and objectives
TS 21.133 Security threats and requirements
Architecture, mechanisms and crypto algorithms
TS 33.102 Security architecture
TS 33.103 Integration guidelines
TS 22.022 Personalization of mobile equipment
TS 33.105 Cryptographic algorithm requirements
TR 33.900 A guide to 3G security
TR 33.901 Criteria for cryptographic algorithm design process
TR 33.902 Formal analysis of the 3G authentication protocol
TR 33.908 General report on the design, specification and evaluation of
3GPP standard confidentiality and integrity algorithms
Document 1: f8 & f9
Document 2: KASUMI
Document 3,4: test data
Lawful interception
TS 33.106 Lawful interception requirements
TS 33.107 Lawful interception architecture and functions

Smart Cards
PKI / Digital Signatures Related to EU directive
ETSI TS 101 333: digital signature formats

ETSI TS 101 808: CA management specification
CEN/ISSS: European Directive for Digital signatures
CWA/prEN 14890: Interface for smart cards for D.S.

Smart Cards
Transport Card Standards
Main Standards:
Calypso
[France, Belgium]
MiFare
[UK, Holland,
Poland]
Felica [Hong Kong,
Japan, India]
Smart Cards
ITSO: used MiFare .. and withdraws [2009]

UK system and specs.
Compatible with both MiFare and Calypso.
MiFare Cards in ITSO system: 9.1 million [2008].

Now slowly withdrawing it:
1. ITSO licensed Members shall cease to issue MiFare
Classic cards after 31st December 2009.
2. ITSO shall not support any ITSO shell issued on a Mifare
Classic card after 31st December 2016.

Smart Cards
JavaCard
Write Once, Run Anywhere

Smart Cards
Recent History
Oct 25, 2010 - Gemalto has filed a patent
infringement lawsuit in the US against
Google, HTC, Motorola, and Samsung for
mechanisms implemented in the Android OS
From press release:
Gemaltos patented technologies are
fundamental to running software, developed in a
high level programming language such as
Java, on a resource constrained device,

Smart Cards
Motivation
Portable code, hardware-independent
Time to market: add new applications
to the card at any moment!
Easier to develop
Open platform,
=> specs of smart card chip are usually confidential(!!)
Third party applications => much more security needed!!!
Hide the smart card OS and resources from the developer [not
trusted]
Java language has inherently better security
Much of current application insecurity comes from C language
[exceptions, printf, goto, buffer overflow etc..]
Provide built-in security for developers
Cons: slow + expensive
Smart Cards
History
Java Card 1.0: Schlumberger. APIs only.

Later, Bull+Gemplus+Schlumberger formed
the Java Card Forum.
+ Sun Microsystems => develop Java Card
2.0.
Still a SMALL subset of JavaTM
Some 2 billion Java cards to date

(mainly in GSM)
Smart Cards
Working Principle [source: Sun website]

Smart Cards
The Java Card VM Specs

The Java Card Virtual Machine (JCVM): defines
a subset of the Java programming language
a Java-compatible VM for smart cards,
binary data representations and file formats,
the JCVM instruction set.

Smart Cards
JavaCard - Types
Types

Smart Cards
JavaCard - Limitations
Language Features Dynamic class loading, security manager
(java.lang.SecurityManager), threads, object cloning, and
certain aspects of package access control are not supported.
Keywords native, synchronized, transient, volatile, strictfp are not supported.
Types There is no support for char, double, float, and long, or for
multidimensional arrays. Support for int is optional.
Classes and Interfaces The Java core API classes and interfaces (java.io, java.lang,
java.util) are unsupported except for Object and Throwable,
and most methods of Object and Throwable are not available.
Exceptions Some Exception and Error subclasses are omitted because the
exceptions and errors they encapsulate cannot arise in the
Java Card platform.

Smart Cards
Card Java Resource Constraints

Packages A package can refer to up to 128 other packages
A fully qualified package name is limited to 255 bytes. Note that the
character size depends on the character encoding.
A package can have up to 255 classes.
Classes A class can directly or indirectly implement up to 15 interfaces.

An interface can inherit from up to 14 interfaces.
A package can have up to 256 static methods if it contains applets
(an applet package), or 255 if it doesn't (a library package).
A class can implement up to 128 public or protected instance
methods, and up to 128 with package visibility.

Smart Cards
Java Card - Standard Libs
JavaCard.lang
JavaCard.framework
JavaCard.security
JavaCardx.crypto

Smart Cards
Added [Java Card 2.2] = javacard.framework

Interfaces ISO7816 defines constants related to ISO 7816-3 and ISO 7816-4.
MultiSelectable identifies applets that can support concurrent selections.
PIN represents a personal identification number used for security (authentication) purposes.
Shareable identifies a shared object. Objects that must be available through the applet firewall
must implement this interface.
Classes AID defines an ISO7816-5-conforming Application sIdentifier associated with an application

provider; a mandatory attribute of an applet.
APDU defines an ISO7816-4-conforming Application Protocol Data Unit, which is the
communication format used between the applet (on-card) and the host application (off-
card).
Applet defines a Java Card application. All applets must extend this abstract class.
JCSystem provides methods to control the applet life-cycle, resource and transaction
management, and inter-applet object sharing and object deletion.
OwnerPIN is an implementation of the PIN interface.
Util provides utility methods for manipulation of arrays and shorts, including arrayCompare(),
arrayCopy(), arrayCopyNonAtomic(), arrayFillNonAtomic(), getShort(), makeShort(),
setShort().
Exceptions Various Java Card VM exception classes are defined: APDUException, CardException,
CardRuntimeException, ISOException, PINException, SystemException,
TransactionException, UserException.
Smart Cards
javacard.security
Interfaces Generic base interfaces:
Key, PrivateKey, PublicKey, and SecretKey, and subinterfaces that represent
various types of security keys and algorithms: AESKey, DESKey, DSAKey,
DSAPrivateKey, DSAPublicKey, ECKey, ECPrivateKey, ECPublicKey,
RSAPrivateCrtKey, RSAPrivateKey, RSAPublicKey
Classes Checksum: abstract base class for CRC algorithms

KeyAgreement: base class for key-agreement algorithms
KeyBuilder: key-object factory
KeyPair: a container to hold a pair of keys, one private, one public
MessageDigest: base class for hashing algorithms
RandomData: base class for random-number generatorss
Signature: base abstract class for signature algorithms
Exceptions CryptoException: encryption-related exceptions such as unsupported algorithm or

uninitialized key.

Smart Cards
**Crypto Algorithms in Javacard 2.2

AES: Advanced Encryption Standard (NIST FIPS-197)
SEED Algorithm Specification : KISA - Korea Information Security Agency
SHA-1 (NIST FIPS 180-1), SHA-256,SHA-384,SHA-512 (NIST FIPS 180-2)
MD5 defined by RSA DSI in RFC 1321
RIPEMD-160 defined in ISO/IEC 10118-3:1998
DSA (NIST FIPS 186)
DES (NIST in FIPS 46-1 and 46-2)
RSA: The Rivest, Shamir and Adleman Asymmetric Cipher algorithm
ECDSA: Elliptic Curve Digital Signature Algorithm
ECDH: Elliptic Curve Diffie-Hellman algorithm
HMAC: Keyed-Hashing for Message Authentication (RFC-2104)

Smart Cards
javacardx.crypto
Interfaces Non-standard and proprietary crypto
OR
crypto subject to export controls!
KeyEncryption, Cipher
Classes
Exceptions

Smart Cards
Java Card Runtime Environment (JCRE)

The JCRE consists of the Java Card VM, the Java Card Framework and APIs, and some
extension APIs.

Smart Cards
Communication
Special subset of APDUs [ISO 7816-3..4] are used.

Smart Cards
Applet Isolation
JCRE can act as a firewall

Smart Cards
Applet Structure and Execution

Smart Cards
Applet Execution
The applet is identified by a unique identifier
AIM.
The terminal selects/deselects the applet at
any moment.
The APDUs are redirected to the applet
currently selected.

Smart Cards
Applet Security
Applets [bytecode] are
CHECKED [if they dont spy
on other applets!!]
Should be signed with a digital
signature
[white-list principle(Nokia),
as opposed to black list
(Microsoft)]

Smart Cards
Java Card 3.0.

March 2008
Multi-threading
Garbage Collector
Multi-dimensional Arrays
TCP/IP
Servlets

Smart Cards
Terminals

Smart Cards
USB
Before were on serial portNow all USB.
Since about 2000 they use the [Microsoft
compatible] standard API/interface called
PC/SC.

Smart Cards
PC Card

Smart Cards
Keyboards
Cherry etc.

Smart Cards
Contact-less
Open source:
Open-PCD
[Germany]
Smart Cards
Banking Terminals

Smart Cards
Home Banking

Smart Cards
Contact-less Bank Cards

Very recent

Smart Cards
Biometric

Smart Cards
Futuristic
UK pilot 2008

Smart Cards
Conclusion

Smart Cards
Future:
Cannot live without Smart Cards or some

other secure portable hardware device.
Bill Gates recognized it publicly in 2005
PKI enabler:
fair security: e.g. everyone can verify the
authenticity of a bank transaction.
99.9 % unused potential.

Smart Cards
Some Difficulties Worldwide
Major concern - COST EFFECTIVENESS

Security is of public interest, conflict of
interest - some market players think about
their security, not of their customers and like
fraud make profit selling insurance
Bad press:
Unbreakable ? Not.
But there is no better technology on this planet.

Smart Cards
**How Secure Are Smart Cards?

A necessity: there is no better technology on earth !
Succeeding requires tamper-proof hardware. But
no security professional will speak of tamper-proof devices,
as opposed to tamper-resistant ones.
Security is a matter of economics, and not just technology.
How much will your attacker spend to defeat your security?
Are you protecting something valuable enough that your enemy will resort to the three
B's: burglary, bribery or blackmail?
Protecting against determined adversaries is very hard; it's rarely wise to bet
your business on it.
[Steve Bellovin blog, 24/08/07]

Smart Cards
Future of Smart Cards

New silicon technologies 0.065 m SOI for more
storage and security, lower power consumption
Multithread, DMA, MMU.
New memory technologies:
In 2005: NOR-flash 1 Megabyte
1 Gigabyte in a SIM ! with NAND-Flash. Spansion.
On-die support for RF, TCP/IP, WiFi, Bluetooth,
etc. USB full speed Axalto product + patents
12 Mbits/sec ! The future standard in GSM handsets?
Enhanced security with biometrics (3 factors).
More crypto: AES, Elliptic Curves etc...

Smartc

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Smartc

Hochgeladen von

Copyright:

Verfügbare Formate

La Carte Puce

Nicolas T. Courtois 1, ex. 2

Scope and References

2 Nicolas T. Courtois 2006-2009

What are Smart Cards ?

1. huge set of standards:

Books About Smart Cards

2) Smart Card Handbook [Germany, 2002]

3) Smart Card Applications [Germany, 2007]

4) LATEST BOOK [RHUL, 2008]

4 Nicolas T. Courtois 2006-2009

5 Nicolas T. Courtois 2006-2009

6 Nicolas T. Courtois 2006-2009

7 Nicolas T. Courtois 2006-2009

Main Function of a Smart Card =

SIM card form factor

8 Nicolas T. Courtois 2006-2009

9 Nicolas T. Courtois 2006-2009

Magnetic Stripe Cards [since 60s]

Which one is counterfeit ?

Chip cards: much harder to read,

B) Those that are totally ineffective even at 99%:

11 Nicolas T. Courtois 2006-2009

Magnetic Stripe Bank Cards - Loophole:

As long as some merchants accept them, they

13 Nicolas T. Courtois 2006-2009

Why Smart Cards Are Good

The classical model for smart card security

14 Nicolas T. Courtois 2006-2009

Slight Problem - Example:

The secrecy of the product spec can be:

15 Nicolas T. Courtois 2006-2009

16 Nicolas T. Courtois 2006-2009

Short Plastic Card History

1914-1940 Metal credit cards in the US, forbidden

1967 First cash machines [DeLaRue] with punch cards.

1967 France: first magnetic stripe card for access control.

1972 [UK] First on-line ATM with magnetic stripe cards.

17 Nicolas T. Courtois 2006-2009

History - Chip Cards

1970s: 1+2 = Embedding electronic components in

18 Nicolas T. Courtois 2006-2009

19 Nicolas T. Courtois 2006-2009

Smart Card Odyssey

10 years ago, half of chip cards in the world

First Smart Card - Bull CP8

CP8 = Circuit Programmable 8 bits,

21 Nicolas T. Courtois 2006-2009

SPOM, October 1981 - Bull CP8

22 Nicolas T. Courtois 2006-2009

History of Electronic Bank Cards - in 1984:

Bull CP8 pilot in Blois, France:

The banks adopted the Bull CP8 solution,

Vocabulary, Typology, Features

24 Nicolas T. Courtois 2006-2009

magnetic stripe card carte piste magntique

IC= Integrated Circuit puce, circuit intgr

25 Nicolas T. Courtois 2006-2009

card reader, CAD (Card lecteur carte

BO card [1985-2004] carte bancaire franaise

2 CPU 1-2 CPU

Memory/Wired Logic Card

30 Nicolas T. Courtois 2006-2009