PV204 Security technologies
Cryptographic smartcards, attacks against two-factor
Petr Švenda, svenda@fi.muni.cz, @rngsec
Centre for Research on Cryptography and Security, Masaryk University
www.crcs.cz/rsa @CRoCS_MUNI
PV204 Smartcards, 12.3.2019

Smart cards
• Lecture:
  – PC/SC communication framework, APDU
  – Basic platforms – JavaCard & .net card & MULTOS, comparison
  – Secure channel protocol (authentication, session keys, APDU protection), SCP
  – Attacks against two-factor authentication
• Lab
  – Creating secure channel protocol
  – Communicating with smart cards

Mind path for lecture
• Smart cards are a typical example of a secure element → what a smart card can be → what a smart card is capable of
• How to communicate with cards
  – Contact (ISO7816-2) / contactless (ISO/IEC 14443)
  – Low level transmission (T=0/T=1, ISO 7816-4)
  – Logical packets (APDU)
  – Standardized API on card (OpenPlatform, PIV, OpenPGP, ePassport)
  – Standardized API on host (PC/SC, PKCS#11/15)
  – Secure channel with card (OpenPlatform SCP’03, BAC, EAC)
• What are cards capable of – supported algorithms, speed
• What smart cards can be used for
  – Digital signatures – generate and use private key (+ attacks), key encryption on card
  – Two-factor authentication, access control (challenge-response protocol) (+ attacks)
  – Secure environment (code protection, trusted element - tokenization) (+ attacks)

Check-in activity: how to stay awake
• Any idea what we can do, prepare, try… to help us stay awake?
• (5 minutes)

Overview
1. What are smart cards?
2. What are smart cards capable of?
3. How to manage smart cards?
4. Lightweight secure channel protocols
5. Two-factor authentication and some attacks

WHAT IS A SMART CARD?
• Smart card basics

Basic types of (smart) cards
1. Contactless “barcode”
  – Fixed identification string (RFID, < 5 cents)
2. Simple memory cards (magnetic stripe, RFID)
  – Small write memory (< 1KB) for data (~10 cents)
3. Memory cards with PIN protection
  – Memory (< 5KB), simple protection logic (< $1)

Basic types of (smart) cards (2)
4. Cryptographic smart cards
  – Support for (real) cryptographic algorithms
  – Mifare Classic ($1), Mifare DESFire ($3)
5. User-programmable cryptographic smart cards
  – JavaCard, .NET card, MULTOS cards ($2-$30)
• We will mainly focus on these two categories
• Chip manufacturers: NXP, Infineon, Gemalto, G&D, Oberthur, STM, Atmel, Samsung...

Cryptographic smart cards
• SC is a quite powerful device
  – 8-32 bit processor @ 5-50MHz
  – persistent memory 32-100s kB (EEPROM)
  – volatile fast RAM, usually <<20kB
  – truly random generator, cryptographic coprocessor (3DES, AES, RSA-2048...)
• ~10 billion units shipped in 2018 (EUROSMART)
  – mostly smart cards, telco, payment and loyalty...
  – ~1.5 billion contactless (EUROSMART)
• Intended for physically unprotected environment
  – NIST FIPS140-2 standard, security Level 4
  – Common Criteria EAL4+/5+
[Figure: chip with EEPROM, CPU, CRYPTO and RNG blocks]

[Figure: shipments chart with Telco and Payment segments, source http://www.eurosmart.com/facts-figures.html]

Smart cards forms
• Many possible forms
  – ISO 7816 standard
  – SIM size, USB dongles, Java rings…
• Contact(-less), hybrid/dual interface
  – contact physical interface
  – contact-less interface
  – hybrid card – separate logics on single card
  – dual interface – same chip accessible contact & c-less

Contact vs. contactless
• Contact cards (ISO7816-2)
  – I/O data line, voltage and GND line
  – clock line, reset lines
• Contactless cards
  – ISO/IEC 14443 type A/B, radio at 13.56 MHz
  – Chip powered by current induced on antenna by reader
  – Reader → chip communication - relatively easy
  – Chip → reader – dedicated circuits are charged, more power consumed, fluctuation detected by reader
  – Multiple cards per single reader possible

Smart cards are used for…
• GSM SIM modules
• Digital signatures
• Bank payment card (EMV standard)
• System authentication
• Operations authorizations
• ePassports
• Multimedia distribution (DRM)
• Secure storage and encryption device
• …

Smart card is highly protected device
• Intended for physically unprotected environment
  – NIST FIPS140-2 standard, security Level 4
  – Common Criteria EAL4+/5+
• Tamper protection
  – Tamper-evidence (visible if physically manipulated)
  – Tamper-resistance (can withstand physical attack)
  – Tamper-response (erase keys…)
• Protection against side-channel attacks (power, EM, fault)
• Periodic tests of TRNG functionality
• Approved crypto algorithms and key management
• Limited interface, smaller trusted computing base (than usual)
• http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm

Main advantages of crypto smart cards
• High-level of security (CC EAL5+, FIPS 140-2)
• Fast cryptographic coprocessor
• Programmable secure execution environment
• Secure memory and storage
• On-card asymmetric key generation
• High-quality and very fast RNG
• Secure remote card control

SMARTCARDS USED IN WIDER SYSTEM

Big picture – terminal/reader and card
[Figure: terminal/reader and card; examples: merchant payment, digital signature]
• What principles and standards are used?

Group activity: smartcard stack
• (Imagine e.g., digital signature application with private key on smartcard)
• Organize and glue floating items into smartcard stack
• Use internet… (but don’t google for my slides from previous years :))
• Annotate with own comment (what is the item about)
• (15 minutes)
• Stack presented on the next slide, what you placed differently?
• (5 minutes)

Floating items for the group activity:
C/C# WinSCard.h; ISO7816-4; Browser (TLS client authentication); GPPro; API: EMV CAP; ISO 14443 (T=CL); ISO7816-2,3 (T=0/1); GnuPG; PKCS#11; OpenSC; Python pyscard; Java javax.smartcardio.*; SCardListReaders; SCardTransmit; API: PC/SC; PC/SC-lite; APDU; OpenPGP; API: GSM 11.11; Personal Identity Verification (PIV); ICAO 9303; GlobalPlatform; .NET for smartcards; MultOS; JavaCard; ISO7816-1; ISO7816-8; NIST FIPS140-2; 13.56 MHz

Smartcard stack (labels from the figure):
• Libraries: PKCS#11, OpenSC, JMRTD
• Smartcard control language API: C/C# WinSCard.h, Java javax.smartcardio.*, Python pyscard
• System smartcard interface: Windows’s PC/SC, Linux’s PC/SC-lite
  – Manage readers and cards, transmit ISO7816-4’s APDU
• Custom app with direct control
• PC application via library: browser TLS, PDF sign…
• PC application with direct control: GnuPG, GPShell
• API: EMV, GSM, PIV, OpenPGP, ICAO 9303 (BAC/EAC/SAC)
  – OpenPlatform, ISO7816-4 cmds, custom APDU
• SC app programming: JavaCard, MultOS, .NET
• Readers
  – Contact: ISO7816-2,3 (T=0/1)
  – Contactless: ISO 14443 (T=CL)
• Card application 1, Card application 2, Card application 3

Big picture - components
[Figure: User application, OS smart card API, smart card reader, contact(less) transmission, Card I/O manager, Card OS, Card application]
• User application
  – Merchant terminal GUI
  – Banking transfer GUI
  – Browser TLS
  – …
• Card application
  – EMV applet for payments
  – SIM applet for GSM
  – OpenPGP applet for PGP
  – …

Main standards
• ISO7816 1-4
  – Card physical properties ISO7816-1
  – Physical layer communication protocol ISO7816-2-3
  – Data packet format (APDU)
• PC/SC, PC/SCLite (host side)
  – Readers/cards management
  – Transmission of logical APDU packets
  – C/C# WinSCard.h, Java javax.smartcardio.*, Python pyscard
• PKCS#11
  – standardized interface on host side
  – card can be proprietary
• GlobalPlatform
  – remote card management interface
  – secure installation of applications

Card’s programming platforms
• MultOS
  – Multiple supported languages, native compilation
  – Often bank cards
• JavaCard (details in 3rd lecture)
  – open programming platform from Sun
  – applets portable between cards
• Microsoft .NET for smartcards
  – Similar to JavaCard, but C#
  – Applications portable between cards
  – Limited market penetration

APDU (Application Protocol Data Unit)
• APDU is the basic logical communication datagram
  – header (5 bytes) and up to ~256 bytes of user data
• Format specified in ISO7816-4
• Header/Data format
  – CLA – instruction class
  – INS – instruction number
  – P1, P2 – optional data
  – Lc – length of incoming data
  – Data – user data
  – Le – length of the expected output data
• Some values of CLA/INS/P1/P2 standardized
• Custom values used by application developer

What values of APDU header are used?
• Standardized values for selected application
  – Improves interoperability
  – https://web.archive.org/web/20180721010834/http://techmeonline.com/most-used-smart-card-commands-apdu/
• Custom commands for proprietary application
  – Your own API

Selected software components
• PC/SC (MS API: SCardxx, Java: javax.smartcardio.*)
• PC/SCLite (implementation of PC/SC for Linux/Mac)
• OpenSC – proxy component between proprietary tokens and PKCS#11 interface
• SoftHSM – virtual PKCS#11-compliant card

SMARTCARD ALGORITHMS AND PERFORMANCE

Common algorithms
• Basic - cryptographic co-processor
  – Truly random data generator
  – 3DES, AES128/256
  – MD5, SHA1, SHA-2 256/512
  – RSA (up to 2048b common, 4096 possible)
  – ECC (up to 192b common, 384b possible)
  – Diffie-Hellman key exchange (DH/ECDSA)
• Custom code running in secure environment
  – E.g. HMAC, OTP code, re-encryption
  – Might be significantly slower (e.g., SW AES 50x slower)

Cryptographic operations
• Supported algorithms (JCAlgTester, almost 90 cards)
  – https://github.com/crocs-muni/JCAlgTest
  – https://www.fi.muni.cz/~xsvenda/jcsupport.html

What is the typical performance?
• Hardware differs significantly
  – Clock multiplier, memory speed, crypto coprocessor…
• Typical speed of operation is:
  – Milliseconds (RNG, symmetric crypto, hash)
  – Tens of milliseconds (transfer data in/out)
  – Hundreds of milliseconds (asymmetric crypto)
  – Seconds (RSA keypair generation)
• An operation may consist of multiple steps
  – Transmit data, prepare key, prepare engine, encrypt
  – → additional performance penalty

Performance tables for common cards
• Visit https://jcalgtest.org
• Is faster always better?
• What influences the speed?

Performance with variable data lengths
• Limited memory and resources may cause non-linear dependency on the processed data length
• https://jcalgtest.org

How many cryptographic engines?
[Figure]

SMART CARD MANAGEMENT
• What functionality would it require?

Motivation
• How to upload, install and remove applications?
• Who should be allowed to upload/remove apps?
• What if multiple mutually distrusting apps on card?
• How to update application in already issued card?
• Need for cross-platform interoperable standard
  – Many manufacturers and platform providers

GLOBALPLATFORM

GlobalPlatform
• Specification of API for card administration
  – Upload/install/delete applications
  – Card lifecycle management
  – Card security management
  – Security mechanisms and protocols
• Newest is GlobalPlatform Card Specification v2.3
  – December 2015
  – Previous versions also frequently used
  – http://www.globalplatform.org/specificationscard.asp

GlobalPlatform – main terms
• Smart card life cycle
  – OP_READY, INITIALIZED (prepared for personalization)
  – SECURED (issued to user, use phase)
  – CARD_LOCKED (temporarily locked (attack), unlock to SECURED)
  – TERMINATED (logically destroyed)
• Card Manager (CM)
  – Special card component responsible for administration and card system service functions (cannot be removed)
• Security Domain (SD)
  – Logically separated area on card with own access control
  – Enforced by different authentication keys
[Figure: card with Card Manager, Security Domain 1 and Security Domain 2, each with its own key]

GlobalPlatform – main terms
[Figure: card with Card Manager, Security Domain 1, Security Domain 2, Applet 1, Applet 2, Applet 3]
• Card Content (apps, data) Management
  – Content verification, loading, installation, removal
• Security Management
  – Security Domain locking, Application locking
  – Card locking, Card termination
  – Application privilege usage, Security Domain privileges
  – Tracing and event logging
• Command Dispatch
  – Application selection
  – (Optional) Logical channel management

Smart card life cycles
• The smart card passes various logical life cycle states between manufacture and final destruction
• Life cycle states define which operations can be performed with the card
• The card Life Cycle States OP_READY and INITIALIZED are intended for use during the Pre-Issuance phases of the card’s life.
• The states SECURED, CARD_LOCKED and TERMINATED are intended for use during the Post-Issuance phase of the card although it is possible to terminate the card at any point during its life.

Smart card life cycles
• OP_READY – card is ready for uploading of key diversification data, any application and issuer specific structures.
• INITIALIZED – card is fully prepared but not yet issued to card holder.
• SECURED – card is issued to card holder. Card management is possible only through Security domain (installation of signed applets etc.).
• CARD_LOCKED – card is locked due to some security policy and no data management can be performed. Card can be locked by Security domain and later unlocked as well (switch back to SECURED state).
• TERMINATED – card is logically “destroyed” due to card expiration or detection of a severe security threat.

Global Platform APDU commands
• DELETE – delete uniquely identifiable object (e.g. JavaCard applet)
• STORE_DATA – upload content of single data object
• GET_DATA – used to retrieve a single data object
• SET_STATUS – set Life Cycle status
• GET_STATUS – return Life Cycle status
• INSTALL – initiate installation, typically (JavaCard) applet
• LOAD – upload file from PC to smart card, e.g. JavaCard cap file
• PUT_KEY – update value of specified key

Card Production Life Cycle (CPLC)
• Manufacturing metadata
• Dates (OS, chip)
• Circuit serial number
• (not mandatory)
• GlobalPlatform APDU
  – 80 CA 9F 7F 00
  – gppro --info
• ISO7816 APDU
  – 00 CA 9F 7F 00

TWO FACTOR AUTHENTICATION

Two-factor authentication
• Two factors with tokens/smart cards
  – Token (smart card, phone) + Knowledge (PIN, Password)
1. Authorize transaction with card and PIN
2. Authenticate with password and SMS
3. Authenticate user with One-Time Password (OTP) generated on mobile phone (stored secret key) after screen unlock (pattern)
4. U2F token (password + token + button press)
5. …
• How to attack two-factor?

Application uses PC/SC interface (SCardxx)
[Figure: User application, winscard.dll, reader driver, USB driver, APDU]

Where to log communication?
[Figure: User application, winscard.dll, reader driver, USB driver, APDU, annotated with logging points]
• In-application logging
• Virtual reader
• SW USB sniffer
• HW USB sniffer
• In-card logger
• “Stub” winscard.dll logging
• HW ISO7816 T=0/1

APDUPlay project (https://www.fi.muni.cz/~xsvenda/apduinspect.html)
[Figure: User application, winscard.dll (stub), original.dll]
• Based on ApduView utility (by Fernandes)
• Log excerpt:
    [begin]
    SCardTransmit (handle 0xEA010001)#
    apduCounter:0#
    totalBytesINCounter:1#
    transmitted:00 a4 04 00 0a a0 00 00 00 28 80 10 30 01 ff
    responseTime:31#
    SCardTransmit result:0x0#
    received:6a 81
    SCardTransmit (handle 0xEA010001)#
    apduCounter:1#
    totalBytesINCounter:16#
    …

What can you do then…
• Log all APDUs sent via SCardTransmit()
• Log all SCardXXX function calls
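
An added example, not from the lecture or the APDUPlay project: it decodes a transmit log shaped like the excerpt above into ISO 7816-4 short-form command and response APDUs (the CLA/INS/P1/P2/Lc/Data/Le layout described earlier) so that failed exchanges can be reviewed. The log layout is inferred from the slide's excerpt, the second exchange is constructed, and all function names are this example's own.

```python
"""Decode a PC/SC transmit log into ISO 7816-4 APDUs (added example)."""

# A few ISO 7816-4 status words (SW1 SW2).
SW_MEANING = {
    0x9000: "success",
    0x6A81: "function not supported",
    0x6A82: "file or application not found",
    0x6A88: "referenced data not found",
}

# Constructed sample. The first exchange copies the slide's excerpt; the second
# is made up: the CPLC query from the slides, answered by a card without CPLC.
SAMPLE_LOG = """\
[begin]
SCardTransmit (handle 0xEA010001)#
apduCounter:0#
totalBytesINCounter:1#
transmitted:00 a4 04 00 0a a0 00 00 00 28 80 10 30 01 ff
responseTime:31#
SCardTransmit result:0x0#
received:6a 81
SCardTransmit (handle 0xEA010001)#
apduCounter:1#
totalBytesINCounter:16#
transmitted:80 ca 9f 7f 00
responseTime:15#
SCardTransmit result:0x0#
received:6a 88
"""


def parse_command_apdu(raw: bytes) -> dict:
    """Split a short-form command APDU into header, data and Le."""
    if len(raw) < 4:
        raise ValueError("need at least CLA INS P1 P2")
    cla, ins, p1, p2 = raw[:4]
    body = raw[4:]
    case, data, le = 1, b"", None          # case 1: header only
    if len(body) == 1:                     # case 2: header + Le
        case, le = 2, body[0] or 256       # Le = 00 asks for 256 bytes
    elif len(body) > 1:
        lc = body[0]
        if lc == 0:
            raise ValueError("extended-length APDU is not handled here")
        if len(body) == 1 + lc:            # case 3: header + Lc + data
            case, data = 3, body[1:]
        elif len(body) == 2 + lc:          # case 4: header + Lc + data + Le
            case, data, le = 4, body[1:1 + lc], body[-1] or 256
        else:
            raise ValueError("Lc does not match the number of data bytes")
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2,
            "case": case, "data": data, "le": le}


def parse_response_apdu(raw: bytes) -> dict:
    """Split a response APDU into optional data and the trailing status word."""
    if len(raw) < 2:
        raise ValueError("response APDU must end with SW1 SW2")
    sw = int.from_bytes(raw[-2:], "big")
    return {"data": raw[:-2], "sw": sw,
            "meaning": SW_MEANING.get(sw, "unknown status word")}


def parse_log(text: str) -> list:
    """Pair every 'transmitted:' line with the following 'received:' line."""
    exchanges, current = [], {}
    for line in text.splitlines():
        key, sep, value = line.strip().rstrip("#").partition(":")
        if not sep:
            continue                       # e.g. "[begin]" or the handle line
        if key == "apduCounter":
            current = {"counter": int(value)}
        elif key == "transmitted":
            current["command"] = parse_command_apdu(bytes.fromhex(value))
        elif key == "responseTime":
            current["response_time"] = int(value)
        elif key == "received" and "command" in current:
            current["response"] = parse_response_apdu(bytes.fromhex(value))
            exchanges.append(current)
            current = {}
    return exchanges


def failed_exchanges(exchanges: list) -> list:
    """Return the exchanges whose status word is not 9000, for review."""
    return [e for e in exchanges if e["response"]["sw"] != 0x9000]


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        c, r = e["command"], e["response"]
        print(f'#{e["counter"]} CLA={c["cla"]:02X} INS={c["ins"]:02X} '
              f'P1={c["p1"]:02X} P2={c["p2"]:02X} case={c["case"]} '
              f'data={c["data"].hex()} -> SW={r["sw"]:04X} ({r["meaning"]})')
```
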

Visualize logged APDU’s
[Figure]

For attacking two-factor, logging is usually not enough
• Manipulate incoming/outgoing APDUs
  – modify packet content (change receiver account number)
  – replay of previous packets (pay twice)
  – simulate presence of smart card
  – …
• Example rule:
    [RULE1]
    MATCH1=in=1;t=0;cla=00;ins=a4;p1=04;
    ACTION=in=0;data0=90 00;le=02;
[Figure: 00 a4 04 00 08 01 02 03 04 05 06 07 08 → winscard.dll (stub) → 90 00]

German banking malware (2009)
• Two-factor authorization of transactions (chipTAN/cardTAN)
• Application code injection
  – modifies info about transaction and balance shown to user in browser
  – intercepts/modifies transaction data for signature by smart card
  – http://www.cio.com/article/2429854/infrastructure/german-police--two-factor-authentication-failing.html
• The Fairy Tale of “What You See Is What You Sign” - Trojan Horse Attacks on Software for Digital Signatures (2001)
  – http://www.hanno-langweg.de/hanno/research/scits01p.pdf
  – Importance of physical PIN-pad and display of transaction amount independently

German banking malware
[Figure labels: User application, winscard.dll, reader driver, USB driver, APDU; Code inject application]

ZeuS smartcard support module
• ZeuS Banking Trojan (2010, 2012)
  – Analysed by A. Matrosov, Group-IB and others
  – http://www.welivesecurity.com/2010/11/05/dr-zeus-the-bot-in-the-hat/
  – http://www.secureworks.com/cyber-threat-intelligence/threats/zeus/
• Smart card controlled via PC/SC interface

ZeuS smartcard support module
[Figure labels: User application, winscard.dll, reader driver, USB driver, APDU; Malicious application]

Win32/Spy.Ranbyus
• Analysed by A. Matrosov
  – http://www.welivesecurity.com/2012/06/05/smartcard-vulnerabilities-in-modern-banking-malware/
• Scans for available smart cards, info sent to C&C
  – uses PC/SC SmartCard API for scan
  – later redirects communication on USB level (FabulaTech USB for RD installed)

Win32/Spy.Ranbyus
[Figure labels: User application, winscard.dll, reader driver, USB driver, APDU; Malicious application; Remote USB redirection]

Skimmers, PoS hacks
[Figure: PoS terminal, card, APDU]
Manipulated PoS firmware:
• Magnetic skimmer (+ send data over GSM)
• MitM: chip → verified by signature

RECALL U2F
HOW CAN YOU ATTACK U2F IF PC/SC LAYER IS CONTROLLED?

FIDO U2F protocol
[Figure, source: https://developers.yubico.com/U2F/Protocol_details/Overview.html]

SECURE CHANNEL PROTOCOL (FOR SMARTCARDS)
• How to authenticate and communicate securely?

TLS handshake
[Figure, credit: Cloudflare]

Why not to use TLS all the time?
1. Requires asymmetric cryptography
  – Unsuitable for slower devices
2. Requires long keys
  – Unsuitable for devices with small memory
3. Requires significant data overhead (~6.5KB)
  – http://netsekure.org/2010/03/tls-overhead/
4. More lightweight protocols exist
  – RFID / smartcards / IoT…
• Note: TLS can be fully implemented on smartcards (but slow)
  – https://github.com/gilb/smart_card_TLS

Secure channels – questions to ask
• What attacker model is assumed?
• Integrity protection? Encryption? Authentication?
• One-side or mutual authentication?
• What kind of cryptography is used?
• What keys are required/pre-distributed?
•Additional trust hierarchy required?
•Is it necessary to generate random numbers/keys?
•What if keys are compromised? Forward secrecy?

Common lightweight SCPs
•OpenPlatform SCP’01, ’02 (3DES-based)
•OpenPlatform SCP’10 (RSA-based)
•OpenPlatform SCP’03 (AES-based)
•ISO/IEC 7816-4 Secure Messaging
•ePassports Basic Access Control (3DES-based)
•ePassports Extended Access Control (3DES, RSA, DH, SHA1/2-based)

Example: GlobalPlatform SCP’03
•Mutual authentication (based on symmetric crypto)
•Session key derivation (based on long-term keys)
  –NIST SP 800-108
•Message (APDU) confidentiality and integrity MAC
1.INITIALIZE UPDATE
  –Random challenge, card’s computations
2.EXTERNAL AUTHENTICATE
  –Terminal response
3.Secure messaging
Question: What are the problems with using symmetric crypto?
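
The SCP’03 steps listed above (challenge exchange, session key derivation with the NIST SP 800-108 counter-mode KDF, card and host cryptograms), modelled as an added example that is not part of the lecture or of any GlobalPlatform code. It assumes the third-party `cryptography` package for AES-CMAC; the function names are illustrative, and APDU framing and the C-MAC on EXTERNAL AUTHENTICATE are left out.

```python
# Added example: simplified SCP03 mutual authentication, both sides (no APDU framing).
import hmac
import os
from cryptography.hazmat.primitives import cmac
from cryptography.hazmat.primitives.ciphers import algorithms

# Derivation constants defined by GlobalPlatform Amendment D (SCP03)
CARD_CRYPTOGRAM, HOST_CRYPTOGRAM, S_ENC, S_MAC, S_RMAC = 0x00, 0x01, 0x04, 0x06, 0x07

def aes_cmac(key: bytes, data: bytes) -> bytes:
    c = cmac.CMAC(algorithms.AES(key))
    c.update(data)
    return c.finalize()

def kdf(key: bytes, constant: int, context: bytes, bits: int) -> bytes:
    """SP 800-108 counter-mode KDF with AES-CMAC as PRF, SCP03 input layout:
    11 zero bytes | constant | 0x00 | L (bits, 2 bytes) | counter i | context."""
    fixed = bytes(11) + bytes([constant, 0x00]) + bits.to_bytes(2, "big")
    blocks = (bits + 127) // 128
    out = b"".join(aes_cmac(key, fixed + bytes([i]) + context) for i in range(1, blocks + 1))
    return out[: bits // 8]

def session_keys(key_enc: bytes, key_mac: bytes, context: bytes) -> dict:
    """Fresh per-session keys from the long-term keys and both challenges."""
    bits = len(key_enc) * 8
    return {"enc": kdf(key_enc, S_ENC, context, bits),
            "mac": kdf(key_mac, S_MAC, context, bits),
            "rmac": kdf(key_mac, S_RMAC, context, bits)}

def card_initialize_update(key_enc, key_mac, host_challenge, card_challenge=None):
    """Card side of INITIALIZE UPDATE: returns (card challenge, card cryptogram)."""
    card_challenge = card_challenge or os.urandom(8)
    context = host_challenge + card_challenge
    s_mac = session_keys(key_enc, key_mac, context)["mac"]
    return card_challenge, kdf(s_mac, CARD_CRYPTOGRAM, context, 64)

def terminal_external_authenticate(key_enc, key_mac, host_challenge, card_challenge, card_cryptogram):
    """Terminal side: authenticate the card, then return the host cryptogram (None on failure)."""
    context = host_challenge + card_challenge
    s_mac = session_keys(key_enc, key_mac, context)["mac"]
    if not hmac.compare_digest(kdf(s_mac, CARD_CRYPTOGRAM, context, 64), card_cryptogram):
        return None  # card did not prove knowledge of the long-term keys
    return kdf(s_mac, HOST_CRYPTOGRAM, context, 64)

def card_verify_host(key_enc, key_mac, host_challenge, card_challenge, host_cryptogram) -> bool:
    """Card side of EXTERNAL AUTHENTICATE: authenticate the terminal."""
    context = host_challenge + card_challenge
    s_mac = session_keys(key_enc, key_mac, context)["mac"]
    return hmac.compare_digest(kdf(s_mac, HOST_CRYPTOGRAM, context, 64), host_cryptogram)
```

Both cryptograms depend on the two challenges, so a recorded card cryptogram does not verify against a new host challenge. Every terminal must hold the same long-term keys as the card, which is the cost of the symmetric design.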
[Figures from: Secure Channel Protocol '03', Card Specification v2.2 – Amendment D, GPC_SPE_014]

ePassport protocols (ICAO 9303)
•Significantly more complex trust model
  –Passport, Inspection terminal, Trusting countries, Distrusting countries
  –Multiple sensitivity levels (basic info / fingerprint / iris)
  –Combination of symmetric and asymmetric cryptography
•Basic Access Control (BAC) protocol
  –SCP-like protocol, static key is content from MRZ
•Extended Access Control (EAC) protocol
  –Terminal authentication (RSA/ECDSA, SHA-1/2)
  –Chip authentication (DH/ECDSA key)
  –PACE protocol to establish session keys
•Active Authentication (AA) protocol

Mandatory reading
•When Organized Crime Applies Academic Results
  –A Forensic Analysis of an In-Card Listening Device
  –https://eprint.iacr.org/2015/963.pdf
•Which academic attack is of concern?
•What system is targeted?
•How is the attack carried out? Is it a protocol flaw?
•What can prevent this attack vector?

Conclusions
•Smartcards are highly secure and capable modules
  –Programmable
  –Accessible (cost, API…)
•Protocol stack between PC application and smartcard
  –PC/SC, APDU transfer, GlobalPlatform, JavaCard
•Two-factor authentication is not a silver bullet
  –But way better than password alone!

Questions