Smart Cards
Paul Conti
Heather McCarthy
Jessica Reed
Brian Zajick
April 19, 2000
Overview





Basics
Standards & Platforms
Current Security
Attacks
Future Security
Smart Card Overview &
Design
Jessica Reed
Overview




What is a Smart Card?
Where are they used?
What are they made of?
How do they work?
What is a Smart Card?

A card embedded with a computer chip




stores data
transacts data between users
The data is associated with either value
or information or both
Data is transacted via a reader (part of
a computing system)
What is different about them?

Provide stored value capabilities




ex. for multi-chain retailers - they can centrally
locate and track data
Cards can carry personal account info. for users
that can be accessed by a mouse click
cost reduced - data need not be stored at a
central location
Restrict access to all but authorized user(s)
How are Smart Cards used?


First used in Europe as a stored value tool for
pay phones - to reduce theft
Today in US they are used for many different
things:



library cards, credit cards, health care,
identification/access
government applications (DMV and Electronic
Benefit Transfer)
According to Dataquest, the worldwide smart
card market will grow to 4.7 Billion units and
$6.8 Billion by 2002
Some basic security
components

PINs
normally stored in separate elementary files
Must be blocked and inaccessible
Security Keys


First - Fabrication key (manufacturer key)
Replaced by - Personalisation key (KP)
Locked in by a personalisation lock (VPER)
Lifecycle of a
Smart Card





Fabrication Phase
Pre-personalisation Phase
Personalisation Phase
Utilisation Phase
End-of-Life Phase
How they work – Physical
Structure

Physical Structure

Capability defined by integrated circuit chip
– usually consists of microprocessor, ROM,
RAM, & electrically erasable programmable
read only memory (EEPROM)
How they work – File
Structure

Hierarchy of Data Files:

highest level - the Master File (MF), layers of Dedicated Files
(DF) and one layer of Elementary File (EF)
How they work – File structure

Data storage - like MS-DOS or UNIX
hierarchy:




Master file = root
Dedicated file = folder
Elementary file = normal file
Ways that data is managed within the
file system differ - depending on
different operating systems
Smart Card access control
system



Files contain header with security info.
(accessing conditions, file status)
Lock file - no access
Access conditions – NOT hierarchical




ALW - always, no restrictions
CHV1, CHV2 - card holder verification needed
ADM - Administrative use only
NEV - Never, no access allowed
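
The access check described on this slide, as an added example that is not part of the original presentation. The header layout, session bits, file identifiers and sample files are constructed for illustration; only the five condition names and the lock status come from the slide.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Access conditions from the slide; each is an independent gate, not a rank. */
typedef enum { AC_ALW, AC_CHV1, AC_CHV2, AC_ADM, AC_NEV } access_cond;

/* What the session has proven so far (hypothetical bit layout). */
enum { S_CHV1 = 1u << 0, S_CHV2 = 1u << 1, S_ADM = 1u << 2 };

typedef enum { OP_READ, OP_UPDATE } file_op;

/* Constructed EF header: one condition per operation plus a file status. */
typedef struct {
    uint16_t    fid;
    access_cond read, update;
    bool        locked;          /* "Lock file - no access" */
} ef_header;

/* Default deny: a locked file or an unknown condition never grants access. */
bool access_allowed(const ef_header *ef, file_op op, unsigned session) {
    if (ef == NULL || ef->locked)
        return false;
    switch (op == OP_READ ? ef->read : ef->update) {
    case AC_ALW:  return true;
    case AC_CHV1: return (session & S_CHV1) != 0;
    case AC_CHV2: return (session & S_CHV2) != 0;
    case AC_ADM:  return (session & S_ADM) != 0;
    case AC_NEV:
    default:      return false;
    }
}

/* Constructed sample files, not taken from any real card profile. */
const ef_header EF_PUBLIC  = { 0x2F01, AC_ALW,  AC_ADM,  false };
const ef_header EF_ACCOUNT = { 0x6F10, AC_CHV1, AC_CHV1, false };
const ef_header EF_KEYS    = { 0x6F20, AC_NEV,  AC_ADM,  false };
const ef_header EF_RETIRED = { 0x6F30, AC_ALW,  AC_ALW,  true  };

int main(void) {
    /* ADM and CHV2 are proven but CHV1 is not: the CHV1 file stays closed. */
    printf("account, ADM|CHV2: %d\n",
           access_allowed(&EF_ACCOUNT, OP_READ, S_ADM | S_CHV2));
    printf("account, CHV1:     %d\n",
           access_allowed(&EF_ACCOUNT, OP_READ, S_CHV1));
    return 0;
}
```

Because the conditions are not hierarchical, proving ADM or CHV2 opens nothing that is guarded by CHV1.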
Smart Card Standards &
Platforms
Brian Zajick
Overview





Java Card
OpenCard Framework
MULTOS
PC/SC
Summary/Segue
Java Card


Smart Card capable of running Java
programs
It is not:




Miniature personal computer
Simply a stripped-down version of the JDK
Compatible with ISO 7816 Parts 1-7
and/or EMV
Before use must go through pre-personalisation & personalisation.
Java Card
Applet Development Kits
GemXpresso, Cyberflex, GalactIC, Odyssey
OpenCard Framework





To use card, must be able to open and read
Based on Java Card Architecture
OpenCard is an API that defines several of
these interfaces
Can start a Java card agent whenever the
card is inserted
Can then communicate with applications on
card during session
OpenCard Framework
OpenCard consists of four Java packages with the prefix opencard:
1. application – provide high level API
2. io – provide high level API
3. agent – abstracts the functionality of the smart card through the
CardAgent
4. terminal – abstracts the card terminals
OpenCard Framework
MULTOS

A high security architecture



Apps needing high security can reside next to
apps needing low security
Co-residence of multiple, inter-operable,
platform independent applications
Dynamic remote loading and deletion of
applications over the lifetime of a card

Achieved using the language MEL (MULTOS
Executable Language)
MULTOS
PC/SC

Architecture designed to ensure the following
work together even if made by different
manufacturers:





smart cards
smart card readers
computers
Differs from OpenCard because it offers API
interoperability rather than uniform API
Designed for Windows environment with
development in Visual C++
PC/SC
Core Members
Summary/Segue



All these systems provide a solution to
any Smart Card need
None of these systems are 100%
secure
How can things go wrong?
Current Defense Mechanisms
Part I
Heather McCarthy
Types of Attacks

Non-Invasive
forcing or tricking the microcontroller to operate in an unintended manner
Invasive
tampering with the chip to more directly access embedded components
Protocol
taking advantage of weakness in commonly employed protocols
Non-Invasive Defense



Also known as Logical
To defend against power probing, use an on-chip oscillator and a capacitor/diode network
to generate 12V from 5V supply
Incorporate environmental change sensors

detect when values go out of acceptable range


low clock frequency - single stepping attacks
under / over voltage detection - fast signal reset
Non-Invasive Defense

Glitch attacks affect only some transistors in
a chip


Systematic output loops search for instructions
and keys
Solution: Avoid single point of failure
instructions


S/W: Make sure multiple criteria must be met
before granting access
H/W: Use an independent internal clock generator
that is only PLL synchronized with the external
reference frequency
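
One way to apply the software half of this advice, as an added example that is not part of the original presentation. The GRANT/DENY constants, the two criteria and the session_state layout are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Multi-bit constants: no single bit flip turns DENY into GRANT. */
#define GRANT 0x3CA5u
#define DENY  0xC35Au

/* Hypothetical session state: each criterion is stored with its complement. */
typedef struct {
    volatile uint16_t pin_ok, pin_ok_inv;     /* cardholder verified       */
    volatile uint16_t life_ok, life_ok_inv;   /* card in utilisation phase */
} session_state;

void session_init(session_state *s, int pin_verified, int in_use_phase) {
    s->pin_ok      = pin_verified ? GRANT : DENY;
    s->pin_ok_inv  = (uint16_t)~s->pin_ok;
    s->life_ok     = in_use_phase ? GRANT : DENY;
    s->life_ok_inv = (uint16_t)~s->life_ok;
}

/* A flag counts only if it equals GRANT and still matches its complement. */
static int flag_set(const volatile uint16_t *v, const volatile uint16_t *inv) {
    return *v == GRANT && (uint16_t)(*v ^ *inv) == 0xFFFFu;
}

static int all_met(const session_state *s) {
    return flag_set(&s->pin_ok, &s->pin_ok_inv) &&
           flag_set(&s->life_ok, &s->life_ok_inv);
}

/* Start from DENY and evaluate every criterion twice. The volatile reads keep
   the compiler from folding the repeat into a single test. */
uint16_t access_decision(const session_state *s) {
    volatile uint16_t result = DENY;
    if (all_met(s) && all_met(s))
        result = GRANT;
    return result;
}

int main(void) {
    session_state s;
    session_init(&s, 0, 1);
    s.pin_ok = GRANT;   /* modelled fault: flag forced, complement now stale */
    printf("%s\n", access_decision(&s) == GRANT ? "GRANT" : "DENY");
    return 0;
}
```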
Non-Invasive Defense

PIN management

Stored in EEPROM
PIN counter decremented when incorrect
PIN used to access files. At 0, PIN blocked
Unblock PIN needed to use PIN again.
Counter decremented if incorrect unblock
PIN is given. At 0, PIN can never be
unblocked again = Irreversible blockage
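
The two counters described on this slide, as an added example that is not part of the original presentation. The record layout, the limits of 3 and 10 attempts, the counter reset after a correct PIN and the constant-time comparison are assumptions, not details from the slides.

```c
#include <stdint.h>
#include <stdio.h>

#define PIN_LEN       4
#define PIN_TRIES     3     /* assumed limits; a real card sets its own */
#define UNBLOCK_TRIES 10

typedef enum { PIN_OK, PIN_WRONG, PIN_BLOCKED, PIN_DEAD } pin_status;

/* Constructed model of the PIN record held in EEPROM. */
typedef struct {
    uint8_t pin[PIN_LEN], unblock[PIN_LEN];
    uint8_t tries_left, unblock_left;
} pin_record;

/* Compare every digit with no early exit, so timing does not leak matches. */
static int same(const uint8_t *a, const uint8_t *b) {
    uint8_t diff = 0;
    for (int i = 0; i < PIN_LEN; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

pin_status pin_verify(pin_record *r, const uint8_t *guess) {
    if (r->tries_left == 0)            /* blocked: even the right PIN fails */
        return r->unblock_left ? PIN_BLOCKED : PIN_DEAD;
    if (same(r->pin, guess)) {
        r->tries_left = PIN_TRIES;     /* assumption: success resets counter */
        return PIN_OK;
    }
    return --r->tries_left ? PIN_WRONG : PIN_BLOCKED;
}

pin_status pin_unblock(pin_record *r, const uint8_t *code) {
    if (r->unblock_left == 0)          /* irreversible blockage */
        return PIN_DEAD;
    if (!same(r->unblock, code))
        return --r->unblock_left ? PIN_WRONG : PIN_DEAD;
    r->tries_left = PIN_TRIES;         /* PIN usable again */
    return PIN_OK;
}

int main(void) {
    pin_record r = { {1, 2, 3, 4}, {9, 8, 7, 6}, PIN_TRIES, UNBLOCK_TRIES };
    const uint8_t bad[PIN_LEN] = { 0, 0, 0, 0 };
    for (int i = 0; i < 4; i++)        /* three wrong tries, then one more */
        printf("%d ", (int)pin_verify(&r, bad));
    return 0;
}
```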
Invasive Defense


Also known as Physical Defense
Passivation Layer



Silicon nitride or oxide coating that protects
the chip from environmental influences and
ion migration
Not easily removed, requires dry etching
Optical sensor under an opaque coating

When light detected, chip stops functioning
Invasive Defense

Conformal Glues



opaque, conductive, and strongly resist
removal attempts
the underlying silicon is also damaged in
the process
widely used by the US Military, but
otherwise generally not available
Invasive Defense


Silicon features used to obscure design
Copy traps:


an element has been found that looks like
a transistor, but really is only a connection
between gate and source
3-input NORs only function as 2-input
NORs
Invasive Defense

Copy Traps:





use holes in isolating layers
tricks done in the diffusion layer with ion
implantation
unfortunately, these deceptions are revealed using
dry etching and Schottky technique
Introduce chip complexity
Use non-standard cell libraries
Invasive Defense

The Clipper Chip

fusible link system




classified encryption algorithm component and long term
device key from an unclassified mask are fused AFTER
fabrication
made of amorphous silicon - difficult to inspect by microscopy
surface of chip was “salted” with oscillators to
defend against electromagnetic sensor attacks
discredited for a protocol flaw, not physical
Smart Card Life Cycle Security

Fabrication Phase
Fabrication key
Pre-Personalization Phase
Personalization key
Personalization Phase
PIN, unblocking PIN, Utilization lock
Utilization Phase
Access only through application policies
End-of-Life Phase
Write/update disabled by OS, Read only
Component Accessibility During
the Smart Card Life Cycle
Smart Card Attacks
Paul Conti
Smart Card Attacks




Many different kinds of attack
Range in price (<$50 to tens of
thousands)
Range in skill level needed
EEPROM, containing key material, is
one of the main targets because it can
be affected by unusual temperatures
and voltages
Smart Card Attacks

Early Smart Card attacks focused on
pay-TV systems


Signals that deactivated channels were
blocked by clamping or taping
programming voltage contact on card
Cards were also installed that did not
respond to certain signals
Non-Invasive attacks - DFA


DFA – Differential Fault Analysis uses
glitches introduced to chip
Unusual voltage changes


Increasing voltages to chip can clear the
security bit, without erasing important
memory
Slightly lower voltage attacked random
number generator which produced almost
all 1’s for cryptographic keys and nonces
Non-Invasive Attacks - DFA

Power and clock variations
 Affects the decoding and execution of individual
instructions
 Clock pulse shorter than normal or rapid transient
of power affects chip transistors
 CPU can be made to execute wrong instructions,
or even ones not supported by card
 Glitches can be used to manipulate program
control and can cause change in access rights,
divulging of passwords
Physical Attacks


Lock bit on EEPROM (containing PIN)
can be erased by focusing UV light on
security lock cell.
Physically removing the chip is easy



Cut plastic behind chip module with knife
Nitric acid put on epoxy resin
Wash acid away with acetone and silicon
surface is exposed
Physical Attacks

Other methods


Expose chip to HNO3 vapor stream
Ultrasonic vibration and laser cutter
microscopes
Compromised Chip
Advanced Attacks

Reverse engineering




Etch away one layer of chip at a time
Metal deposited on the chip acts as diode and can
be seen with an electron beam.
All layers fed to a PC where images can map out
the entire chip and examine more closely
Also can look through chip from back with an
infra-red laser, where silicon is transparent. Laser
created photocurrents which can reveal logic
states and device operation
Advanced Attacks

Active/Modifying attacks



Focused Ion Beam can cut new tracks or
implant ions to change doping of an area
of silicon
Can disconnect CPU from bus, leaving only
EEPROM and CPU function to read
EEPROM
Microprobing needle can then be used to
read the contents of EEPROM
Active/Modifying Attack

Program counter is connected so that EEPROM
memory locations are addressed in the order device
is clocked
Advanced Attacks

Attacks on chips with batteries




Batteries can cut off crucial components of chip
Some chips can reliably remember bit values for a
few seconds when power is cut
With liquid nitrogen, attacker can keep this
information stable for minutes to hours
Could disable alarm system and reapply power
Advanced Attacks - DPA

Differential Power Analysis



Each operation on a Smart Card needs
different amounts of power
Oscilloscope can detect power fluctuations
and statistical inferences can be made to
determine instructions.
Could be used to determine cryptographic
keys or PINs
Advanced Attacks - DPA



A-F: Pattern for each operation
Eight peaks signify part of an encryption process
Presence or absence of spikes between peaks indicates pieces of the encryption key
Adv. Attacks – Chip Rewriting


Can alter logic gates and single bits
with laser cutter microscope
Attacking DES




Remove xor operation
Reduce rounds by corrupting loop variables
or conditional jumps
Compare erroneous results to true results
Odd-parity key attack
Latest Attack





March 15 2000
Man in France broke the 320 bit 96 digit
encryption on ATM card keys
Created a “yes-card” which will be
accepted no matter what PIN is entered
Will cost millions to convert to 792 bit
card
How do you protect from new attacks?
Advanced Defense
Mechanisms
Part II
Heather McCarthy
Advanced Defense



Most common systems use either security
modules or Smart Card technology
Advanced designs consist of a composite
package containing processor, memory,
tamper detection circuitry and a battery
A well detailed example is the ABYSS
coprocessor developed by IBM
IBM’s ABYSS

Designers considered:




stannic oxide lines on glass
piezo-electric sheets
wire winding techniques
Designers chose:


4 layer wrapping of 40 gauge nichrome wire
surrounding the processor, battery, memory and
sensor circuitry
embedded in a hard, opaque epoxy filled with
silica
IBM’s ABYSS


Results in a card that is harder to misoperate and more likely to crack under
UV laser light
This is the future as circuit sizes and
power consumption shrink
Advanced Defense



Aggressive chemicals can be detected by
their low electrical resistance as long as a
battery power supply is available
Power supply networks can be made from a
variety of different conductive materials such
that exposure to any chemical solvent will
cause at least one component to fail
Self-Destruct!
Advanced Defense

Suitable packaging thwarts attackers
because process is slow




stripping one layer at a time
manually short out protective wire winding
guided X-rays
precise measurements of voltage multiple
times
Ideal Defense Methods



Avoid single point of failure
PKI - reduced number of certification keys
Ensure that penetration of one component is
not disastrous to the whole system


fall-back: full reconciliation, intrusion detection
Must be rigorously subjected to hostile testing