![Page 1: Cryptanalysis of GlobalPlatform Secure Channel … of GlobalPlatform Secure Channel Protocols Mohamed Sabt and Jacques Traoré SSR 2016. December 5, 2016 . 3rd International Conference](https://reader034.vdocument.in/reader034/viewer/2022042611/5ae17b4d7f8b9ab4688ebf07/html5/thumbnails/1.jpg)
Cryptanalysis of GlobalPlatform Secure Channel Protocols
Mohamed Sabt and Jacques TraoréSSR 2016December 5, 2016
3rd International Conference on Research in Security Standardisation
![Page 2: Cryptanalysis of GlobalPlatform Secure Channel … of GlobalPlatform Secure Channel Protocols Mohamed Sabt and Jacques Traoré SSR 2016. December 5, 2016 . 3rd International Conference](https://reader034.vdocument.in/reader034/viewer/2022042611/5ae17b4d7f8b9ab4688ebf07/html5/thumbnails/2.jpg)
2
Outline
Context
GlobalPlatform
Secure Channel Protocols
Theoretical attacks against SCP02
SCP03 security results
Conclusion
![Page 3: Cryptanalysis of GlobalPlatform Secure Channel … of GlobalPlatform Secure Channel Protocols Mohamed Sabt and Jacques Traoré SSR 2016. December 5, 2016 . 3rd International Conference](https://reader034.vdocument.in/reader034/viewer/2022042611/5ae17b4d7f8b9ab4688ebf07/html5/thumbnails/3.jpg)
3
Introduction
![Page 4: Cryptanalysis of GlobalPlatform Secure Channel … of GlobalPlatform Secure Channel Protocols Mohamed Sabt and Jacques Traoré SSR 2016. December 5, 2016 . 3rd International Conference](https://reader034.vdocument.in/reader034/viewer/2022042611/5ae17b4d7f8b9ab4688ebf07/html5/thumbnails/4.jpg)
4
Context
17.7 billion secure elements (SEs) are based on GP Card SpecificationsThat is 41% of all SEs shipped since 2010
![Page 5: Cryptanalysis of GlobalPlatform Secure Channel … of GlobalPlatform Secure Channel Protocols Mohamed Sabt and Jacques Traoré SSR 2016. December 5, 2016 . 3rd International Conference](https://reader034.vdocument.in/reader034/viewer/2022042611/5ae17b4d7f8b9ab4688ebf07/html5/thumbnails/5.jpg)
5
120+ GlobalPlatform members
![Page 6: Cryptanalysis of GlobalPlatform Secure Channel … of GlobalPlatform Secure Channel Protocols Mohamed Sabt and Jacques Traoré SSR 2016. December 5, 2016 . 3rd International Conference](https://reader034.vdocument.in/reader034/viewer/2022042611/5ae17b4d7f8b9ab4688ebf07/html5/thumbnails/6.jpg)
6
GP Architecture
![Page 7: Cryptanalysis of GlobalPlatform Secure Channel … of GlobalPlatform Secure Channel Protocols Mohamed Sabt and Jacques Traoré SSR 2016. December 5, 2016 . 3rd International Conference](https://reader034.vdocument.in/reader034/viewer/2022042611/5ae17b4d7f8b9ab4688ebf07/html5/thumbnails/7.jpg)
7
Secure Content Management
![Page 8: Cryptanalysis of GlobalPlatform Secure Channel … of GlobalPlatform Secure Channel Protocols Mohamed Sabt and Jacques Traoré SSR 2016. December 5, 2016 . 3rd International Conference](https://reader034.vdocument.in/reader034/viewer/2022042611/5ae17b4d7f8b9ab4688ebf07/html5/thumbnails/8.jpg)
8
Secure Channel Protocols (SCPs)
![Page 9: Cryptanalysis of GlobalPlatform Secure Channel … of GlobalPlatform Secure Channel Protocols Mohamed Sabt and Jacques Traoré SSR 2016. December 5, 2016 . 3rd International Conference](https://reader034.vdocument.in/reader034/viewer/2022042611/5ae17b4d7f8b9ab4688ebf07/html5/thumbnails/9.jpg)
9
Secure Channel Protocols (SCPs)
![Page 10: Cryptanalysis of GlobalPlatform Secure Channel … of GlobalPlatform Secure Channel Protocols Mohamed Sabt and Jacques Traoré SSR 2016. December 5, 2016 . 3rd International Conference](https://reader034.vdocument.in/reader034/viewer/2022042611/5ae17b4d7f8b9ab4688ebf07/html5/thumbnails/10.jpg)
10
Secure Channel Protocol ‘2’
![Page 11: Cryptanalysis of GlobalPlatform Secure Channel … of GlobalPlatform Secure Channel Protocols Mohamed Sabt and Jacques Traoré SSR 2016. December 5, 2016 . 3rd International Conference](https://reader034.vdocument.in/reader034/viewer/2022042611/5ae17b4d7f8b9ab4688ebf07/html5/thumbnails/11.jpg)
11
Description
SCP02 relies on the « Encrypt-and-MAC » method
![Page 12: Cryptanalysis of GlobalPlatform Secure Channel … of GlobalPlatform Secure Channel Protocols Mohamed Sabt and Jacques Traoré SSR 2016. December 5, 2016 . 3rd International Conference](https://reader034.vdocument.in/reader034/viewer/2022042611/5ae17b4d7f8b9ab4688ebf07/html5/thumbnails/12.jpg)
12
Description
![Page 13: Cryptanalysis of GlobalPlatform Secure Channel … of GlobalPlatform Secure Channel Protocols Mohamed Sabt and Jacques Traoré SSR 2016. December 5, 2016 . 3rd International Conference](https://reader034.vdocument.in/reader034/viewer/2022042611/5ae17b4d7f8b9ab4688ebf07/html5/thumbnails/13.jpg)
13
Security Flaw
SCP02 uses CBC-mode with a fixed IV
The SCP02 encryption scheme is deterministic and clearly not IND-CPA secure
It is vulnerable to a classical plaintext-recovery attack (for plaintext messages with small entropy, e.g., PIN):
1. let 𝐶𝐶 = ℰ𝑘𝑘_SCP02(𝑚𝑚) be the targeted ciphertext2. The adversary 𝐴𝐴 randomly chooses a message 𝑚𝑚’ among the set of
possible values for 𝑚𝑚’3. Ask the challenger to encrypt 𝑚𝑚’in order to obtain 𝐶𝐶𝐶 = ℰ𝑘𝑘_SCP02(𝑚𝑚’)4. If 𝐶𝐶’ = 𝐶𝐶 then 𝐴𝐴 has correctly guessed 𝑚𝑚 =𝑚𝑚𝐶.
![Page 14: Cryptanalysis of GlobalPlatform Secure Channel … of GlobalPlatform Secure Channel Protocols Mohamed Sabt and Jacques Traoré SSR 2016. December 5, 2016 . 3rd International Conference](https://reader034.vdocument.in/reader034/viewer/2022042611/5ae17b4d7f8b9ab4688ebf07/html5/thumbnails/14.jpg)
14
Plaintext Recovery Against GP compliant Smart Cards
![Page 15: Cryptanalysis of GlobalPlatform Secure Channel … of GlobalPlatform Secure Channel Protocols Mohamed Sabt and Jacques Traoré SSR 2016. December 5, 2016 . 3rd International Conference](https://reader034.vdocument.in/reader034/viewer/2022042611/5ae17b4d7f8b9ab4688ebf07/html5/thumbnails/15.jpg)
15
Discussion About Feasibility of This Attack
![Page 16: Cryptanalysis of GlobalPlatform Secure Channel … of GlobalPlatform Secure Channel Protocols Mohamed Sabt and Jacques Traoré SSR 2016. December 5, 2016 . 3rd International Conference](https://reader034.vdocument.in/reader034/viewer/2022042611/5ae17b4d7f8b9ab4688ebf07/html5/thumbnails/16.jpg)
16
Secure Channel Protocol ‘3’
![Page 17: Cryptanalysis of GlobalPlatform Secure Channel … of GlobalPlatform Secure Channel Protocols Mohamed Sabt and Jacques Traoré SSR 2016. December 5, 2016 . 3rd International Conference](https://reader034.vdocument.in/reader034/viewer/2022042611/5ae17b4d7f8b9ab4688ebf07/html5/thumbnails/17.jpg)
17
Description of SCP03
SCP03 relies on the « Encrypt-then-MAC » method
![Page 18: Cryptanalysis of GlobalPlatform Secure Channel … of GlobalPlatform Secure Channel Protocols Mohamed Sabt and Jacques Traoré SSR 2016. December 5, 2016 . 3rd International Conference](https://reader034.vdocument.in/reader034/viewer/2022042611/5ae17b4d7f8b9ab4688ebf07/html5/thumbnails/18.jpg)
18
Formal Construction
An unusual MAC construction is used in the Encrypt-then-MAC method: only part of the MAC is included with the ciphertext
![Page 19: Cryptanalysis of GlobalPlatform Secure Channel … of GlobalPlatform Secure Channel Protocols Mohamed Sabt and Jacques Traoré SSR 2016. December 5, 2016 . 3rd International Conference](https://reader034.vdocument.in/reader034/viewer/2022042611/5ae17b4d7f8b9ab4688ebf07/html5/thumbnails/19.jpg)
19
Security Analysis
![Page 20: Cryptanalysis of GlobalPlatform Secure Channel … of GlobalPlatform Secure Channel Protocols Mohamed Sabt and Jacques Traoré SSR 2016. December 5, 2016 . 3rd International Conference](https://reader034.vdocument.in/reader034/viewer/2022042611/5ae17b4d7f8b9ab4688ebf07/html5/thumbnails/20.jpg)
20
Mass SurveillanceAlgorithm-Substitution Attacks (ASA)
![Page 21: Cryptanalysis of GlobalPlatform Secure Channel … of GlobalPlatform Secure Channel Protocols Mohamed Sabt and Jacques Traoré SSR 2016. December 5, 2016 . 3rd International Conference](https://reader034.vdocument.in/reader034/viewer/2022042611/5ae17b4d7f8b9ab4688ebf07/html5/thumbnails/21.jpg)
21
ASA OverviewNo Algorithm Substitution
![Page 22: Cryptanalysis of GlobalPlatform Secure Channel … of GlobalPlatform Secure Channel Protocols Mohamed Sabt and Jacques Traoré SSR 2016. December 5, 2016 . 3rd International Conference](https://reader034.vdocument.in/reader034/viewer/2022042611/5ae17b4d7f8b9ab4688ebf07/html5/thumbnails/22.jpg)
22
ASA OverviewAlgorithm Substitution
![Page 23: Cryptanalysis of GlobalPlatform Secure Channel … of GlobalPlatform Secure Channel Protocols Mohamed Sabt and Jacques Traoré SSR 2016. December 5, 2016 . 3rd International Conference](https://reader034.vdocument.in/reader034/viewer/2022042611/5ae17b4d7f8b9ab4688ebf07/html5/thumbnails/23.jpg)
23
Defeating ASA
![Page 24: Cryptanalysis of GlobalPlatform Secure Channel … of GlobalPlatform Secure Channel Protocols Mohamed Sabt and Jacques Traoré SSR 2016. December 5, 2016 . 3rd International Conference](https://reader034.vdocument.in/reader034/viewer/2022042611/5ae17b4d7f8b9ab4688ebf07/html5/thumbnails/24.jpg)
24
Conclusion GP secure channel protocols are widely used
we have presented security results – positive and negative- on two Global Platform SCP
Bad news
– SCP 02 is vulnerable to a simple plaintext recovery attack Good news
– SCP 03 provides strong security guarantees: resistance to replay, out -of-order delivery and algorithm substitution attacks
– our proof guarantees that SCP03 cannot undetectably contain hidden backdoors allowing mass surveillance
– This is, to the best of our knowledge, the first formal security analysis on SCP03
– creation of the GP ‘Crypto Sub-Task Force’
We advocate the deprecation of SCP02 as soon as possible and the switch over to SCP03
![Page 25: Cryptanalysis of GlobalPlatform Secure Channel … of GlobalPlatform Secure Channel Protocols Mohamed Sabt and Jacques Traoré SSR 2016. December 5, 2016 . 3rd International Conference](https://reader034.vdocument.in/reader034/viewer/2022042611/5ae17b4d7f8b9ab4688ebf07/html5/thumbnails/25.jpg)
Questions?