Practical Security With Smartcards
Peter Honeyman
CITI
University of Michigan
Ann Arbor
Smartcards: a pragmatic approach
• Build on what we have
– Use existing infrastructure (UMCE)
» UNIX filesystem; mail, web servers
» Kerberos
» NT GINA
– Use open standards (IETF, ISO)
– Add secure hardware: smartcard
• Integrate smartcard with infrastructure
• Secrets in a smartcard remain safe even if hardware / software is compromised
Experimental approach
• Home-brew software, hardware
Experimental software
screset(fd, atr, ep);
scopen(ttyn, flags, ep);
scfdopen(fd, flags, ep);
scclose(fd);
scread(fd, cla, ins, p1, p2, p3, buf, sw1p, sw2p);
scwrite(fd, cla, ins, p1, p2, p3, buf, sw1p, sw2p);
scgetc(fd, cp, ms);
scputc(fd, ic);
scdsr(fd);
scdtr(fd, cmd);
void scsleep(ms);
Experimental software (cont’d)
• Primary targets:
– OpenBSD
– Linux
– AIX
– NT
– PalmPilot
– JavaCard
• T=0, T=1
Experimental hardware
Smartcard integration with Kerberos
• University of Michigan computing environment is protected by Kerberos
– So are MIT, CMU, Stanford, Cornell, ...
• Public key cryptography is not practical
– (yet)
• Kerberos security limitations:
– Lacks external encryption device
– Lacks secure key storage
– Passwords vulnerable to dictionary attack
• Smartcards can solve these problems
Need for encryption device
[Diagram labels: Kerberos KDC, ticket, password, Decrypt, ticket]
Key is exposed to user and workstation
Workstation may not be trusted
Workstation storage is vulnerable
Need for secure hardware
• Keys stored on hard disk or in memory are vulnerable
• Hard disks are not secure
– Adversary with administrative rights can access keys
– Data in a hard disk may be backed up in an unprotected mass storage device
• Memory is not secure
– Adversary can scan memory
– Data in memory can be paged out to a hard disk
Dictionary attack
• Create a list of English words, names, etc.
– Also Star Wars, German, Shakespeare, …
– thx1138 is a vulnerable password! :-(
• Derive keys from the words in the list
• Obtain a <plaintext, ciphertext> pair
– Kerberos gives up <plaintext, ciphertext> easily
• Decrypt ciphertext with the derived key
– If plaintext recovered, password is exposed
• UMich: > 4,000 vulnerable accounts in 1997
Countermeasures - use a smartcard
[Diagram labels: Kerberos KDC, ticket, ticket, Decrypt, ticket]
• Key is not exposed to user, workstation, or network
• No password
Implementation
• STARCOS v. 2.1 from Giesecke & Devrient
• Modify MIT Kerberos v5-1.0.5 client
• Kerberos server unmodified for global interoperability
– Well, almost …
– des_cbc_crc method uses key as ivec
– Modify server to allow des_cbc_md5
Kerberos+smartcard performance
[Timeline figure, time in sec.: kinit start 0; card reset 0.06; start decryption 0.34; end decryption 1.32; kinit finish 1.54]
• Ticket decrypt time: 1.26 sec.
– Native STARCOS CBC
– Two rounds
– Obviates 27 round host ECB: 2.09 sec
– Communication cost @ 9600 bps: ~ half
Kerberos+smartcard conclusion
• Practical smartcard authentication method
• Addresses major weakness of Kerberos
• Fairly fast … room to improve
• Future work: store ticket on smartcard
Smartcard filesystem (SCFS)
• ISO-7816
– Standard smartcard interface
– Primitive message framing protocol
» Too primitive to be useful
– Many vendor dependencies
• Smartcard programming toolkits
– IBM MFC, Microsoft PC/SC, OpenCard framework, EMV’96, PKCS#11, JavaCard …
– Smartcard-specific everything: language, API, toolkit, library, application, etc.
– Hassle learning toolkit after toolkit
– API dependencies
SCFS goals and policies
• Integrate a smartcard with UNIX
– VFS: UNIX filesystem API
• Take advantage of UNIX environment
– Allows sophisticated UNIX commands
– Access through symlinks
• Any ISO-7816 smartcard
• Easy integration with applications
– Netscape cookies
– PGP private keyring
– Kerberos tickets
– SSH private key
Application to SSH
citi% mount_scfs /dev/scfs0 /smartcard
citi% ln -s /smartcard/ss/id ~/.ssh/identity
citi% ssh sin.citi.umich.edu
Enter PIN:
sin% logout
SCFS design
• Kernel VFS assisted by user process
[Diagram labels: application, scfsd, smartcard; user / kernel boundary; VFS, XFS]
VFS handles application requests
scfsd translates requests to ISO7816 APDUs
No caching
SCFS implementation
xfs_mount()
– Send reset to smartcard
– Choose smartcard type from configuration table based on ATR
– Mount the scfs filesystem
xfs_read()
– Translate FID into ISO-7816 name
– Select the file
– Send “read” APDU
– Copy data to user space (uiomove)
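The xfs_read() steps above, worked through as an added example that is not CITI's SCFS code: a path is turned into ISO 7816 SELECT FILE and READ BINARY APDUs and the status words are checked. Assumptions: CLA 0x00, each two-character path component is used directly as the 2-byte file ID, and card_apdu() is a constructed in-memory stand-in for the card transport holding one sample file, /ss/id.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in card: one file at /ss/id holding 12 sample bytes. */
static const uint8_t card_file[] = "PRIVATE-KEY!";
static int depth;  /* 0 = MF selected, 1 = DF "ss", 2 = EF "id" */

/* Mock transport (assumption): 5-byte T=0 header in, SW1SW2 out. */
static uint16_t card_apdu(const uint8_t *hdr, const uint8_t *in, uint8_t *out)
{
    static const char *names[] = { "ss", "id" };
    if (hdr[1] == 0xA4) {                      /* SELECT FILE by file ID */
        if (hdr[4] != 2) return 0x6700;        /* wrong length */
        if (depth > 1 || memcmp(in, names[depth], 2) != 0)
            return 0x6A82;                     /* file not found */
        depth++;
        return 0x9000;
    }
    if (hdr[1] == 0xB0) {                      /* READ BINARY, offset = P1P2 */
        size_t off = ((size_t)hdr[2] << 8) | hdr[3], n = hdr[4];
        if (depth != 2) return 0x6986;         /* no EF selected */
        if (off + n > sizeof card_file - 1) return 0x6B00; /* past end of file */
        memcpy(out, card_file + off, n);
        return 0x9000;
    }
    return 0x6D00;                             /* INS not supported */
}

/* Select each 2-character path component from the root, then read len bytes
 * at off. Returns the byte count, or the negated status word on failure. */
long scfs_read_path(const char *path, uint16_t off, uint8_t len, uint8_t *buf)
{
    uint16_t sw;
    depth = 0;                                 /* models re-selecting the MF */
    while (*path == '/') {
        const char *name = ++path;
        while (*path && *path != '/') path++;
        if (path - name != 2) return -0x6A82;  /* not a 2-byte file ID */
        uint8_t sel[5] = { 0x00, 0xA4, 0x00, 0x00, 0x02 };
        if ((sw = card_apdu(sel, (const uint8_t *)name, NULL)) != 0x9000)
            return -(long)sw;
    }
    uint8_t rd[5] = { 0x00, 0xB0, (uint8_t)(off >> 8), (uint8_t)off, len };
    if ((sw = card_apdu(rd, NULL, buf)) != 0x9000)
        return -(long)sw;
    return len;
}
```

Every status word other than 0x9000 is passed back to the caller, so a missing file (0x6A82) is distinguishable from a read past the end of the file (0x6B00).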
SCFS performance
[Timeline figure: read() call, start reading smartcard, finish reading smartcard, read() return; spans labelled total, smartcard access, scfs overhead]
scfs overhead
Command     total     card      overhead
Read 8      28.9      28.2      0.7
Read 128    190.2     189.4     0.8
Write 8     63.4      62.7      0.7
Write 128   1259.5    1258.9    0.7
all times in ms
SCFS conclusion
• Flexible API
• Overhead is small
• Useful as a low-level development tool
– ls, cd, pwd, make, etc.
• Secure storage for user profiles, web cookies, Kerberos tickets, private keys, etc.
• Problems
– Readdir is broken in ISO-7816
– Must preconfigure for each card
– File length is troublesome
Future directions
• Smartcard filesystem
– Complete missing vnodeops
– Porting to other operating systems
• Authentication
– Secure Kerberos ticket generation
– Smartcard public key integration
• IP for smartcard
– honey.mcard.umich.edu
– Secure network storage, service provider