https://crocs.fi.muni.cz @CRoCS_MUNI
Petr Švenda svenda@fi.muni.cz @rngsec
Centre for Research on Cryptography and Security, Masaryk University
PV079: Cryptographic smartcards
and their applications
Cryptographic secure hardware
https://crocs.fi.muni.cz @CRoCS_MUNIPV079 - Cryptographic smartcards
Overview
• Smartcards – introduction
• Applications – where to use?
• Smartcard programming
• Side-channel attacks
– power analysis
– reverse engineering
– timing attacks
https://crocs.fi.muni.cz @CRoCS_MUNI
INTRO TO SMART CARDS
PV079 - Cryptographic smartcards
https://crocs.fi.muni.cz @CRoCS_MUNI
Basic types of (smart) cards
1. Contactless “barcode”
– Fixed identification string (RFID, < 5 cents)
2. Simple memory cards (magnetic stripe, RFID)
– Small write memory (< 1KB) for data, (~10 cents)
3. Memory cards with PIN protection
– Memory (< 5KB), simple protection logic (<$1)
PV079 - Cryptographic smartcards
https://crocs.fi.muni.cz @CRoCS_MUNI
Basic types of (smart) cards (2)
4. Cryptographic smart cards
– Support for (real) cryptographic algorithms
– Mifare Classic ($1), Mifare DESFire ($3)
5. User-programmable cryptographic smart cards
– JavaCard, .NET card, MULTOS cards ($2-$30)
– Chip manufacturers: NXP, Infineon, Gemalto, G&D, Oberthur, STM, Atmel,
Samsung...
6. Secure environment (enclave) inside more complex CPUs
– ARM TrustZone, Intel SGX…
PV079 - Cryptographic smartcards
We will mainly focus on
categories 4 and 5
https://crocs.fi.muni.cz @CRoCS_MUNI
Cryptographic smart cards
• SC is quite powerful device
– 8-32 bit processor @ 5-50MHz
– persistent memory 32-200+kB (EEPROM)
– volatile fast RAM, usually <<10kB
– truly random generator
– cryptographic coprocessor (3DES,AES,RSA-2048,ECC...)
• ~10 billion units shipped in 2019 (EUROSMART)
– mostly smart cards, telco, payment and loyalty...
– ~1.5 billion contactless (EUROSMART)
• For environments where attacker have physical access
– NIST FIPS140-2 standard, security Level 4
– Common Criteria EAL4+/5+
PV079 - Cryptographic smartcards
EEPROM
CPU
CRYPTO
SRAM
ROM
RNG
Credit Wikimedia Commons
https://crocs.fi.muni.cz @CRoCS_MUNI
Primary markets for smartcards
PV079 - Cryptographic smartcards
https://www.eurosmart.com/eurosmarts-secure-elements-market-analysis-and-forecasts/
Telco
Payment
https://crocs.fi.muni.cz @CRoCS_MUNI
• Many possible forms
– ISO 7816 standard
– SIM size, USB dongles, Java rings…
• Contact(-less), hybrid/dual interface
– contact physical interface
– contact-less interface (NFC phone can communicate!)
– hybrid card – separate logics on single card
– dual interface – same chip accessible contact & c-less
• Card emulation (contactless)
1. Card emulation mode (physical in-phone secure element)
2. Host-based card emulation (without physical element)
• Apple Pay, Google Pay
Smart cards forms
PV079 - Cryptographic smartcards
http://simcardsize.com/sim-card-sizes/ https://shop.cobo.com/products/cobo-vaultessential
https://www.infineon.com/ https://yubico.com
https://crocs.fi.muni.cz @CRoCS_MUNI
Contact vs. contactless, powerless vs. battery-powered
• Contact cards (ISO7816-2)
– I/O data line, voltage and GND line
– clock line, reset lines
• Contactless cards
– ISO/IEC 14443 type A/B, radio at 13.56 MHz (NFC)
– Chip powered by current induced on antenna by reader
– Reader → chip communication - relatively easy
– Chip → reader – dedicated circuits are charged, more power consumed, fluctuation
detected by reader
– Multiple cards per single reader possible
• Additional battery possible
– Higher cost, need to charge, but longer distance and faster communication (Bluetooth LE)
PV079 - Cryptographic smartcards
https://crocs.fi.muni.cz @CRoCS_MUNI
Smart card is highly protected device
• Intended for physically unprotected environment
– NIST FIPS140-2 standard, security Level 4
– Common Criteria EAL5+/6+…
• Tamper protection
– Tamper-evidence (visible if physically manipulated)
– Tamper-resistance (can withstand physical attack)
– Tamper-response (erase keys…)
• Protection against side-channel attacks (timing, power, EM)
• Periodic tests of TRNG functionality
• Approved crypto algorithms and key management
• Limited interface, smaller trusted computing base (than usual)
– http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm
• Designed for security and certified != secure
PV079 - Cryptographic smartcards
https://crocs.fi.muni.cz @CRoCS_MUNI
What the smartcards can be used for?
PV079 - Cryptographic smartcards
https://crocs.fi.muni.cz @CRoCS_MUNI
What problem is cryptographic smartcard solving?
• What problem is cryptographic smartcard solving?
– Secure storage (keys and sensitive data)
– Protected secrets even if physically attacked (tamper resistant)
– Secure (cryptographic) computational device (signature, authentication)
– Hardware root of trust (initial check of boot sequence)
– Unspoofable logging
– Enforcement of specific policy (PIN before sign, four eyes policy)
– Easy to carry, easy to embed into another device, low battery usage
• Which of these can’t be solved with laptop or mobile phone?
PV079 - Cryptographic smartcards
https://crocs.fi.muni.cz @CRoCS_MUNI
Applications
• SIM modules
– key storage, session key derivation
– GSM banking
– PIN protection
• Bank payment card
– cryptographic checksum on payment bill
– offline PIN verification
– contactless small payments
• Secure system authentication
– Windows credential provider, Linux PAM modules
– password storage only, challenge-response protocols
– door access cards – mostly memory cards only
PV079 - Cryptographic smartcards
https://crocs.fi.muni.cz @CRoCS_MUNI
Application (cont.)
• Electronic identity cards (ePassports, eIDs)
– contactless cards with Machine Readable Zone (MRZ)
– secure messaging between reader and passport
– active authentication - challenge-response with on-card key
• Multimedia distribution
– Digital Rights Management (decryption keys, licenses)
– pre-paid satellite TV (decryption keys)
• Secure storage and encryption/signing device
– Cryptocurrency hardware wallets…
PV079 - Cryptographic smartcards
https://crocs.fi.muni.cz @CRoCS_MUNI
Application domains changes in time
• Cheap yet relatively hard to attack despite physical access
– Sensitive data can be stored and used yet carried in pocket
– Protection against the end-user (SIM, satellite decoders…)
• But we now have smartphones!
– Payments via Apple Pay, Google Pay without physical smartcard
• Still uses VISA/Mastercard payment infrastructure
– Smartphones can make smartcards obsolete in large portion of previous usage domains!
• But smartphones are also quite too complex (=> bugs)
– Sensitive data / keys etc. on smartphone are more vulnerable
• New use-cases
– Trusted Platform Module (smartcard on the motherboard)
– FIDO U2F tokens (improved authentication tokens)
– Cryptocurrency hardware wallets (smartcard with trusted display)
PV079 - Cryptographic smartcards
https://crocs.fi.muni.cz @CRoCS_MUNI
MODES OF USAGE
PV079 - Cryptographic smartcards
https://crocs.fi.muni.cz @CRoCS_MUNI
Smart card carries fixed information
• Fixed information ID transmitted, no secure channel
• Low-cost solution (nothing “smart” needed)
• Problem: Attacker can eavesdrop and clone chip
PV079 - Cryptographic smartcards
https://crocs.fi.muni.cz @CRoCS_MUNI
Smart card as a secure carrier
• Key(s) stored on a card, loaded to a PC before
encryption/signing/authentication, then erased
• High speed usage of key possible (>>MB/sec)
• Attacker with an access to PC during operation will obtain the key
– key protected for transport, but not during the usage
PV079 - Cryptographic smartcards
https://crocs.fi.muni.cz @CRoCS_MUNI
Smart card as encryption/signing device
• PC just sends data for encryption/signing…
• Key never leaves the card
– personalized in secure environment
– protected during transport and usage
• Attacker must attack the smart card
– or wait until card is inserted and PIN entered!
• Low speed encryption (~kB/sec)
– low communication speed / limited card performance
PV079 - Cryptographic smartcards
https://crocs.fi.muni.cz @CRoCS_MUNI
Smart card as computational device
• PC just sends input for application on smart card
• Application code & keys never leave the card
– card can perform complicated programmable actions
– new code can be uploaded remotely
– can open secure channels to other entity
• secure server, trusted time service…
• PC act as a transparent relay only (no access to data)
• Attacker must attack smart card or initial input
PV079 - Cryptographic smartcards
https://crocs.fi.muni.cz @CRoCS_MUNI
Smart card as root of trust (TPM)
• Secure boot process, remote attestation
• Smart card provides robust store with integrity
• Application can verify before pass control (measured boot)
• Computer can authenticate with remote entity…
PV079 - Cryptographic smartcards
https://crocs.fi.muni.cz @CRoCS_MUNI
TPM : provided security functions
1. “Measured” boot with remote attestation
– Provide signed log of what executed on platform (PCR)
2. Storage of keys (disk encryption, private keys…)
– Can be additionally password protected
3. Binding and Sealing of data
– Encryption key wrapped by concrete TPM’s public key
4. Platform integrity
– Software will not start if current PCR value is not right
PV079 - Cryptographic smartcards
https://crocs.fi.muni.cz @CRoCS_MUNI
• High-speed, multi-tenant (120 cards)
• Robust against bugs, backdoors
Myst: secure multiparty signatures
PV079 - Cryptographic smartcards
https://crocs.fi.muni.cz/papers/mpc_ccs17
https://crocs.fi.muni.cz @CRoCS_MUNI
SmartHSM for multiparty (120 smartcards, 3 cards/quorum)
PV079 - Cryptographic smartcards
https://crocs.fi.muni.cz/papers/mpc_ccs17
…
120 cards => 40 quorums
=> 300+ decryptions / second
=> 80+ signatures / second
https://crocs.fi.muni.cz @CRoCS_MUNI
SMARTCARD ALGORITHMS AND
PERFORMANCE
PV079 - Cryptographic smartcards
https://crocs.fi.muni.cz @CRoCS_MUNI
Common algorithms
• Basic - cryptographic co-processor
– Truly random data generator
– 3DES, AES128/256, (national algorithms)
– MD5, SHA1, SHA-2 256/512
– RSA (up to 2048b common, 4096 possible)
– ECC (up to 256b common, 521b possible)
– Diffie-Hellman key exchange (DH/ECDSA)
• Custom code running in secure environment
– E.g., HMAC, OTP code, re-encryption
– Might be significantly slower (e.g., SW AES 50x slower)
PV079 - Cryptographic smartcards
https://crocs.fi.muni.cz @CRoCS_MUNI
Cryptographic operations
• Supported algorithms (JCAlgTester, 100+ cards)
– https://github.com/crocs-muni/JCAlgTest
– https://www.fi.muni.cz/~xsvenda/jcsupport.html
PV079 - Cryptographic smartcards
https://crocs.fi.muni.cz @CRoCS_MUNI
What is the typical performance?
• Hardware differ significantly
– Clock multiplier, memory speed, crypto coprocessor…
• Typical speed of operation is:
– Milliseconds (RNG, symmetric crypto, hash)
– Tens of milliseconds (transfer data in/out)
– Hundreds of millisecond (asymmetric crypto)
– Seconds (RSA keypair generation)
• Operation may consists from multiple steps
– Transmit data, prepare key, prepare engine, encrypt
• → additional performance penalty
– Usability rule of thumb: operation shall finish in 1-1.5sec
PV079 - Cryptographic smartcards
https://crocs.fi.muni.cz @CRoCS_MUNI
Performance tables for common cards
• Visit http://www.fi.muni.cz/~xsvenda/jcalgtest/
PV079 - Cryptographic smartcards
http://www.fi.muni.cz/~xsvenda/jcalgtest/
https://crocs.fi.muni.cz @CRoCS_MUNI
Performance with variable data lengths
PV079 - Cryptographic smartcards
http://www.fi.muni.cz/~xsvenda/jcalgtest/
Limited memory and resources
may cause non-linear dependency
on a processed data length
https://crocs.fi.muni.cz @CRoCS_MUNIPV079 - Cryptographic smartcards
Smartcards programming and use from programs
https://crocs.fi.muni.cz @CRoCS_MUNI
Big picture – terminal/reader and card
PV079 - Cryptographic smartcards
What principles and standards are used?
Merchant payment
Digital signature
https://crocs.fi.muni.cz @CRoCS_MUNI
Big picture - components
PV079 - Cryptographic smartcards
User application
Card OS
Card application
Card I/O manager
contact(less)
transmission
OS smart card API
smart card reader
• User application
– Merchant terminal GUI
– Banking transfer GUI
– Browser TLS
– …
• Card application
– EMV applet for payments
– SIM applet for GSM
– OpenPGP applet for PGP
– U2F applet for FIDO authentication
– …
https://crocs.fi.muni.cz @CRoCS_MUNI
How to develop on-card application?
JavaCard development process 6. Write user Java app
(javax.smartcardio.*)
1. Extends
javacard.framework.Applet
2. Compile Java→*.class
(Java 1.3 binary format)
3. Convert *.class→*.jar/cap
(JavaCard Convertor)
4. Upload *.jar/cap
→ smart card (GlobalPlatformPro)
5. Install applet
(GlobalPlatformPro)
7. Use applet on
smart card (APDU)
PV079 - Cryptographic smartcards
https://crocs.fi.muni.cz @CRoCS_MUNI
Pains for users/developers
• Closed-source, IP-heavy, NDA-based industry
• Primary users for manufactures/vendors are large customers
– No interest in small / niche users (< 100k units)
– Important API proprietary and/or not accessible (ARM TrustZone,
proprietary JC packages, detailed specs…)
– Supply chain issues (resellers, difficult to securely obtain card)
• What is open or available
– Open API for applets (JavaCard API)
– Open-source development toolchain for JavaCard
– Common Criteria and FIPS140-2 certificates (but details omitted)
– Results of reverse engineering
PV079 - Cryptographic smartcards
Telco
Payment
https://crocs.fi.muni.cz @CRoCS_MUNIPV079 - Cryptographic smartcards
Smartcard security
⚫Invasive attacks
⚫Semi-invasive attacks
⚫Side-channel attacks
⚫Logical attacks
X
https://crocs.fi.muni.cz @CRoCS_MUNI
Attacks against smartcards
• “Secure hardware” != absolutely unbreakable hardware
– Always depends on attacker motivation, knowledge, resources…
• The goal of security design is to increase the difficulty of attack
– Higher than the value of data protected
– Some attack harder to perform than other (equipment, time, knowledge, physical vs. remote access… )
– Security is process (design, test, fix, repeat)
• Invasive attacks – physical dismantling of chip
– E.g., read keys directly from physical memory
• Semi-invasive attacks – partial dismantling, chip still works
– E.g., expose communication bus, read data by microprobe
• Side-channel attacks – unintended leakage of physical device
– correlated with the secret data processed (keys)
– E.g., power consumption analysis, timing attack
• Logical attacks - exploits logical flaw in code running inside chip
PV079 - Cryptographic smartcards
Focus of this
lecture
https://crocs.fi.muni.cz @CRoCS_MUNI
Discussion – attacking smartcard-based solutions
• Scenario: attack Brno transport ticket card
– Contactless communication, pre-registered EMV-based card
• Scenario: attack Bitcoin hardware wallet
– Private key derived, then used to sign transaction (inputs, outputs, amounts)
• Scenario: attack contactless EMV payment card
– Pay at merchant terminal
PV079 - Cryptographic smartcards
https://crocs.fi.muni.cz @CRoCS_MUNI
Application attacks
• Focus on logical attacks possible by “malware”
– No physical access to target card is assumed, remote attacks
– Man-in-the middle attacks
– Redirection of traffic, remote smart card access
• Target applications
– Banking app (login, transaction authorization)
– Resources protected by two-factor authentication (VPNs…)
– DRM applications (user is attacker)
– Citizen ID cards (ID theft)
– …
PV079 - Cryptographic smartcards
https://crocs.fi.muni.cz @CRoCS_MUNI
Where to log/manipulate communication?
PV079 - Cryptographic smartcards
User application
PC/SC(winscard.dll)
reader driver
USB driver
APDU
Code inject application
Virtual reader, change/inject new driver
SW USB sniffer
HW USB sniffer
In-card logger
Load malicious dll (stub)
Malicious reader firmware
https://crocs.fi.muni.cz @CRoCS_MUNIPV079 - Cryptographic smartcards
Power analysis
• External power supply - no battery on SC
• Power consumption depends on actual ops/data
• Voltage variation measured using digital oscilloscope and small
resistor
• Real threat – and not only for smart cards
– Mifare DESfire
– KeeLoq
– Xilinx bitstream
https://crocs.fi.muni.cz @CRoCS_MUNIPV079 - Cryptographic smartcards
Power analysis – basic setup
Smart card
Smart card
reader
Inverse card
connector
Oscilloscope
Resistor
20-80 ohm
Probe
https://crocs.fi.muni.cz @CRoCS_MUNIPV079 - Cryptographic smartcards
Simple power analysis
• Direct processing of single power trace
– operations => reverse engineering
– data => additional information about secret keys
• hamming weight of separate bytes of key (256-> 238)
• Averaging over multiple traces to reduce noise
• Exact implementation must be known
– position of instruction
– obtained by reverse engineering
https://crocs.fi.muni.cz @CRoCS_MUNIPV079 - Cryptographic smartcards
Reverse engineering – operation level
• Semi-automatic recognition of operations
– from typical power consumption patterns
– database of corresponding operation and pattern
• Often easier than obtain processed data
https://crocs.fi.muni.cz @CRoCS_MUNI
Timing (side-channel leakage) attack
PV079 - Cryptographic smartcards
+ → 57ms
+ → 52ms
https://crocs.fi.muni.cz @CRoCS_MUNIPV079 - Cryptographic smartcards
Timing analysis
• Length of operation depends on processed data
– due to speed optimization (limited resources)
– due to un-aware algorithm design
– e.g. Montgomery ladder
• Timings obtained from power trace
https://crocs.fi.muni.cz @CRoCS_MUNI
vulnerability (10/2019)
• Length of ECDSA nonce leaked
– shorter nonce => shorter signature time
• Enough to extract whole ECC private key in 20-30 min
• Athena IDProtect smartcard (EAL 4+), Libgcrypt, SunEC/OpenJDK/Oracle JDK…
PV079 - Cryptographic smartcards
https://minerva.crocs.fi.muni.cz/
https://crocs.fi.muni.cz @CRoCS_MUNIPV079 - Cryptographic smartcards
Differential power analysis
• Powerful attack on secret values
– e.g. encryption keys
• Multiple power traces with key usage
– 103-105 traces with known I/O data
– KEY  KNOWN_DATA
• Key is guessed byte-per-byte
– correct guess reveals correlation with traces
– all possible values of single byte tried (256)
– traces divided into 2 groups
– groups are averaged
– averaged signals are compared
– significant peaks if correct
• No need to know exact implementation
– big advantage
https://crocs.fi.muni.cz @CRoCS_MUNIPV079 - Cryptographic smartcards
Conclusions
• SC massively deployed (20*109), mainly w.r.t. security
– wide range of usage (banking, SIM, access control)
– secure storage (encryption/signature keys)
• on-card asymmetric key generation!
– secure code execution
– interesting protocols involving smart cards
• Limited memory (102 kB) and CPU power (8-32b,5-50MHz)
– Low-cost small computer designed specifically for security
– crypto operation accelerated by co-processors
• Still can be attacked
– typically need for special knowledge and/or equipment
– still far more secure than standard PC
https://crocs.fi.muni.cz @CRoCS_MUNIPV079 - Cryptographic smartcards