Transcript Smartcards
Smartcards & RFID
Erik Poll
Digital Security
Radboud University Nijmegen
1
1900's technology
2
2000's technology
3
Overview
•
•
•
What are smartcards & RFID ?
Why use them?
Possibilities and limitations
–
•
hardware, software, communication protocols
Attacks on security
4
What is a smartcard?
5
What is a smartcard?
• Tamper-resistant computer, embedded in piece of
plastic, with limited resources
• capable of securely
– storing information
– processing information
(This is what makes a smartcard smart; stupid cards can
store but not process data)
6
Smartcard form factors
• traditional credit-card
sized plastic card
– ISO 7816
• mobile phone SIM
– cut-down in size
• contactless cards
– aka proximity card
or RFID
transponder/tag
– also possible: dual
interface
• iButton
7
Smartcard example uses
• banking cards
– bank or credit card, electronic purse
• telephone card for use in public phone booths
• GSM SIM
• pay TV
• public transport
– eg London Oyster card
• health cards
• passports and other e-id cards
• access cards
– to control access to buildings, computer networks,
laptops,...
8
Magnetic stripe cards
• Older mag-stripe card can only store information,
without read/write protection, and cannot process
it.
9
Anything suspicious?
10
Skimming
11
Skimming
12
Skimming
13
Skimming
14
Smartcard vs mag-stripe cards
• Smartcard cannot easily be copied or altered,
unlike a mag-stripe card
• Skimming is big criminal business
– copying (aka cloning) mag-stripe cards and observing PIN
codes is easy...
• Still, credit card companies in US are sticking to mag-stripe,
and in Europe they are only slowly moving to smartcards
– apparently, it is secure enough for them to make a profit
15
smartcard essentials
16
Smartcard contacts
External power supply and external clock
On a SIM card the clock can be stopped to safe power
17
Smartcard contacts
Vpp is higher voltage than Vcc needed for writing EEPROM
• no longer used because of security problem
– painting over this contact prevents changes to EEPROM
18
Smart vs stupid smartcards
Big range in capabilities of smartcards.
Rough division:
• Memory cards (stupid)
– provide a file system
– possibly with some access control, or, simpler still,
destructive (irreversible) writes as in old payphone-cards
– functionality hardwired in ROM
• Microprocessor cards (very smart)
– contain CPU
• possibly also crypto co-processor
– programmable
• program burnt into ROM, or stored in EEPROM
19
Smartcard hardware
• CPU – 8 to 32 bits
• memory
– RAM
– ROM
(for some program code)
– EEPROM/Flash/... (“hard disk”, for code and data)
Modern cards may have 1K RAM, 16K ROM, 64K EEPROM
• limited I/O: just a serial port
• possibly: crypto co-processor, random number
generator
20
Communication
•
(ISO 7816)
All subsequent communication via APDUs
– Application Protocol Data Units
which are just byte sequences in particular format
•
Master-Slave mode, with terminal master:
1. Terminal sends command APDU
2. Card replies with response APDU
etc, etc ....
–
Smartcard cannot initiate any actions:
–
on phones the phone polls the SIM periodically
21
Command & response APDU
CLA INS P1 P2 Lc
•
•
•
•
•
...Data ....
Le
CLA class byte
INS instruction byte
P1,P2 parameters
Lc length of data block
Data Lc bytes of data
Response ... SW1
• Response
SW2
Lc bytes of data
• SW1, SW2 2 byte status word
22
Smartcard software
• (Microprocessor) smartcard contains very simple
operating system, capable of executing programs
• Programs can be written in
– proprietary machine code language, or
– higher level language, notably Java Card
Most new SIMs are now Java Cards.
23
old vs new smartcards
• one program (applet)
• written in machine
code, specific to chip
• burnt into ROM or
• applet written in high-level
language (eg Java Card)
• compiled into bytecode
• stored in EEPROM
• interpreted on card
uploaded once to
EEPROM
• multi-application: several
applets on one card
• post-issuance: adding or
deleting applets after it's
issued
24
Multi-application cards
• multi-application vision: everyone carrying just one
card, with all their smartcard applications
• This is not going to happen. Problems include:
– trust: bank won't allow untrusted applet code
on their cards, despite any VM+ firewall
security guarantees
– marketing: who gets to put their logo on the
plastic?
25
Post-issuance download
• Downloading additional applets protected by
digital signatures
• Switched of on many cards for security reasons
• Enabled on SIMs it allows telco to install new
software on the SIM
26
Java Card
• dialect of Java for programming smartcards:
– superset of a subset of normal Java
• subset of Java (due to hardware constraints)
– no threads, doubles, strings, garbage collection,
and very restricted API
• with some extras (due to hardware peculiarities)
– communication via APDUs or RMI
– persistent & transient data in EEPROM &RAM
– transaction mechanism
27
applet
applet
applet
Java Card architecture
Java Card
Java Card API
Java
Card
platform
Virtual Machine
(mini OS)
smartcard hardware
28
applet
applet
applet
Java Card I/O with APDUs
Java Card platform
OS selects
applet
command
APDU,
Applet
sends
appletits
and incl.
invokes
applet
ID
response
APDU
executes
process
method
smartcard hardware
29
Pros of JavaCard
• vendor-independance
• easy to program
– higher-level language => smaller programs with
fewer bugs
– standard functionality (eg for PINs) provided
once by the API
• open standard
– no reliance on security-by-obscurity
– specs can be studied and criticised
30
Cons of JavaCard
• overhead of VM makes cards slow and requires
lots of memory => expensive
• ease of programming may be deceptive: non-experts
programming cards may make silly mistakes
– every idiot can program a JavaCard, not every idiot should
• trust: how secure is the whole JavaCard infrastructure
– complicated platform, and complexity <-> security
• blank programmable JavaCard easy for attacker to
experiment with
– security by obscurity may have its merits...
31
Java Card vs Java
Java Card applets are executed in a sandbox
• like applets in a web browser
But important differences:
• no bytecode verifier on most cards
– due to space required
• downloading applets controlled by digital
signatures instead
– plus bytecode verification, if card supports it
• sandbox more restrictive, and includes runtime
firewall between applets
32
applet
applet
applet
Java Card firewall
Java Card Runtime Environment
(JCRE = VM+API)
eg prevents access
to public fields of
other applets
or references to
objects belonging
to other applets
or JCRE
smartcard hardware
33
Java Card 3.0
• Releases up to Java Card 2.2.2 use traditional
smartcard communication model
– small byte array (APDU) sent back and forth to
applet on the card (using ISO 7816 standard)
• Java Card 3.0 (March 2008) introduces new
communication model:
– smartcard becomes a webserver with IP-stack etc
– applets become servlets
So you can talk http(s) to the smartcard
• Proclaimed goal:
easier development of SIM services
34
Why use smartcards?
What are the possibilities and limitations of
smartcards?
35
Why use smartcard?
SIM responsible for authentication to network
•telco doesn't trust phone, but trusts SIM
36
CIA and smartcards
• Confidentiality
– of data (crypto keys) on card
• Integrity
– of data and program code
• Authentication
– because (data on) card cannot be copied
• Non-repudiation
– because (data on) card cannot be copied
– also logging on the smartcard (and integrity of
this log)
37
Typical use of smartcard
crypto
key K
CPU
challenge c
response fK(c)
• key K never leaves the card
• Card issuer does not have to trust the network,
the terminal, or card holder
38
Example: logging on over a network
• Send password unencrypted over net (eg. rlogin)
Trust network, terminal, user
• Send password encrypted over net (eg. slogin)
Trust terminal, user
• Idem, but user, not terminal, does encryption
Trust user
• Using smartcard
Trust no-one, except the smartcard
(NB smartcard is controlled by card issuer, not
card holder!)
39
NB the problem with cryptography
Any use of crypto introduces problems:
1. key distribution
•
how do we generate & distribute keys?
2. key storage
•
where can we safely store keys?
3. en/decryption
•
who do we trust to perform en/decryption?
Smartcards can offer a solution
40
TCB and smartcards
• Smartcard typically part of the TCB (Trusted
Computing Base), ie. the trusted part of the
system
• NB “trusted” is a negative quality: it means “you
have to trust it” not “you can trust it”
– If any part of the TCB fails, security is broken
– TCB should be as small and reliable as possible
41
RFID
42
RFID tags
• RFID = Radio-Frequency IDentification
• RFID devices are called tags or transponders
• More powerful RFID tags can be called
(contactless) smartcards
• Inductive coupling is used for
– energy transfer to card
– transmission of clock signal
– data transfer
43
Types of RFID: different capabilities & ranges
animal identification
product identification
(like bar codes)
contactless smartcards
(possibly dual interface)
NFC mobile phones
44
contactless smartcard inside
chip
antenna
45
Different capabilities of RFID tags
• Simplest tags just broadcast fixed data (serial
number) when activated
– ie only communication from tag to reader
• Some tags provide basic file system,
with simple access control
– ie reading & writing, and communication both ways
• More advanced tags can do cryptographic
operations to protect data & encrypt
communication
• Most advanced tags are programmable
• Range can be a few mm, a few cm, a few feet or
several meters, depending on the type
46
Pros & cons wireless
• Advantage
– convenience
– faster
– contacts not subject to wear and tear
• Disadvantage
– eavesdropping
– virtual pickpocketing
47
NFC
48
Near Field Communication (NFC)
• Latest Nokia phones have NFC
• These can act as RFID tag
and as RFID reader
49
NFC
• Advantage of NFC phone over smartcard:
– (trusted?) display and keyboard
• Envisaged use
– payment applications
– RFID tags providing info to phone
• eg in information signs & billboards
50
Attacks on
smartcards & RFID tags
51
Smartcard are not 100% secure
• Growing range of attacks (and associated
countermeasures)
• Crucial question: is the risk acceptable?
– are the costs of an attack larger than the
potential financial gain for the attacker?
• Threats depend on application
– eg. cloning more interesting for PayTV than
GSM SIMs
52
Logical & protocol attacks
Find & exploit bug in software or security protocol
• Possible weaknesses
–
–
–
–
–
silly programming error in card or terminal
hidden commands (eg for initialisation)
buffer overflows, eg to read past end of file
badly configured file access privileges
weaknesses in crypto-protocol
• eg replay attacks
• Little equipment needed, but change of success low
53
Logical & protocol attacks
Equipment
• card reader
• PC
• maybe also a
programmable
JavaCard
54
Eavesdropping on card-terminal communication
55
Eavesdropping on contactless card
56
replay attack
• eavesdrop on communication
communication
57
replay attack
• eavesdrop on communication
communication
and make an emulator that mimics this
58
replay attack works on disposable
Dutch public transport card!
gate cannot distinguish
real card and emulator
59
challenge-response
• Better cards use challenge-response
mechanism to prevent replays
random challenge n
n
encryptKEY{n}
60
Mifare Classic
• > 1 billion sold
– eg London metro Oyster card, Dutch public transport card,
Radboud university access cards,....
• uses proprietary crypto algorithm CRYPTO1
– with 42 bit keys
• very weak crypto broked by Digital Security group
– key to retrieved in seconds
– Details http://www.ru.nl/ds/research/rfid/
– or google YouTube for MIFARE
• Kerckhoffs principle: security of system should be based on
secrecy of the key only, not on secrecy of the crypto
algorithm!
61
More specialised hardware attacks
62
Countermeasures
• Used well-researched crypto & security protocols
• Write qualitity software
–
–
–
–
Testing
Formal verification
Perform code reviews to spot software problems
Improve OS, APIs, programming languages to make
software bugs less likely
– Open research area !!
63
Side-channel attacks
• Side-channel = any other channel than the normal
I/O channel that may be observed
• Possible side-channels:
– power consumption
– timing
– electro magnetic radiation
– ....
• A side-channel might leak information
64
Power consumption of a smartcard
65
This is probably a DES encryption!
66
Differential Power Analysis (DPA)
Deduce information from power consumption
Simple power analysis (SPA) or Differential Power
Analysis (DPA)
Countermeasures
in software
– careful coding of crypto-algorithms
– redundancy in data representation
• in hardware
– add clock jitter or other noise
– dual rail logic
67
Power glitching
• precisely timed dip in power supply to
induce fault, eg
– prevent an EEPROM write
• eg to PIN counter
– read all memory cells as containing zero
• eg of crypto-key
– attack crypto-algorithms
attacks may leak info about keys
(DFA-Differential Fault Analysis)
68
Active side-channel attacks
• Other side channels:
–
–
–
–
clock frequency
temparature/heat
light or X-rays
EM radiation
• Countermeasures:
– hardware: sensors to detect changes in voltage,
etc.
– software: double-checking results of
computations
69
Physical (or invasive) attacks
• reverse engineer and tamper with the
physical chip
• first step: getting access to chip’s surface
– remove chip from the smartcard
– use chemical to remove expoxy resin and the
top metal/silicon layers of the chip
70
Removing chip from smartcard
71
Etched smartcard with chip exposed
72
Tools for physical attacks
• Microscope
– optical or scanning electron microscope (SEM)
• Focused Ion Beam (FIB)
– not only observe, but also make changes:
removing or adding wires, insulators,...
• Probe station
– to probe wires on the chip
73
Probing
74
75
Probing
76
Probing
• Observe data on the chip in operation
• Typically: tap data on bus
– by putting needle on bus wires
• Probing can be done using
– physical needles (>0.35 micron) or
– electron beam
77
Using Focused Ion Beam in probing
Fibbing can be used to
• add probe pads for
lines too thin or
fragile for needles
• surface buried lines
78
Multiple layers on chip
The same gate
before and after
etching to remove
top layer
79
Using Focused Ion Beam (fibbing)
• all chips contain
circuitry to check
chip after production
• after testing, test
logic is disabled by
blowing a fuse
• FIB can restore test
logic
80
ROM memory content extraction
81
RAM voltage contrast SEM
82
Smartcards attacks - future
• Ongoing arms race between smartcard
manufacturers and attackers
• Physical attacks becoming harder, due to
improved countermeasures and smaller
circuitry
• But increasing complexity of software on
smartcard may introduce new logical
attacks
83
Smartcard attacks - conclusions
• Smartcards is not tamper-proof, as
witnessed by
– logical attacks
– side-channel attacks: DPA, glitching
– physical attacks
• Smartcards are tamper-resistant and
tamper-evident, to a degree
84