Innovation and Collaboration with Mcard

Peter HoneymanCenter for Information Technology Integration

University of MichiganAnn Arbor

A little bit about CITI

Center for Information Technology Integration– Founded in 1986 as part of Information

Technology Division– Now in CIO office

Research and development “skunkworks” Advance UMich info tech environment,

transfer results to University, government, industry

Externally funded

CITI staff

Faculty and staff scientists Researchers and programmers Graduate and undergraduateand undergraduate

students

CITI core competencies

Middleware lab Enterprise-scale info tech integration

– Distributed file systems– Mobile computing– High-speed networking– Integrated security

Proposal writingProposal writing

Smartcards: a pragmatic approach

Secrets in a smartcard remain safe even if hardware / software is compromised

Integrate smartcard with infrastructure Build on what we have

– Use existing infrastructure (UMCE)»UNIX filesystem; mail, web servers»Kerberos»NT (PAM + GINA)

– Use open standards (IETF, ISO)– Add secure hardware: smartcard

Experimental software

Primary targets: – OpenBSD– Linux– AIX– NT– PalmPilot– JavaCard

T=0, T=1

Innovation: Outline

Smartcard Filesystem Smartcard Integration with

Kerberos Secure Bootstrap with Smartcard IP on Smartcard

Smartcard filesystem ISO-7816

– Standard smartcard interface– Message framing protocol (too primitive

to be usable)– Many vendor dependencies

Smartcard programming toolkits– IBM MFC, Microsoft PC/SC, OpenCard

framework, EMV’96, PKCS#11, …– Smartcard-specific everything: language,

API, toolkit, library, application, etc. – Hassle learning toolkit after toolkit– API dependencies

SCFS goals and policies

Integrate a smartcard with UNIX – VFS: UNIX filesystem API

Take advantage of UNIX environment– Allows sophisticated UNIX commands– Access through symlinks

Any ISO-7816 smartcard Easy integration with applications

– Netscape cookies– PGP private keyring– Kerberos tickets– SSH private key

Application to SSH

citi% mount_scfs /dev/scfs0 /smartcardciti% ln -s ~/.ssh/identity /smartcard/ss/idciti% ssh sin.citi.umich.eduEnter PIN:sin% logout

SCFS performance

Command total card overheadRead 8 28.9 28.2 0.7Read 128 190.2 189.4 0.8Write 8 63.4 62.7 0.7Write 128 1259.5 1258.9 0.7

all times in ms

read()call

finish readingsmartcard

read()return

start readingsmartcard

total

smartcard accessscfs overhead scfs overhead

SCFS problem areas

Order of remove Directories and metadata

Directory entry file

ISO-7816 does not have the right metadata– FID, file type, size

Required for ls, cat Hack: “.i” in every directory

Hack: ioctl()

Some ISO-7816-4 features do not fit the UNIX filesystem abstraction

creat(), mkdir() need size Crypto commands (authentication,

verify key, …) Issues with application loading

Comparing PC/SC and SCFS

PC/SC

SCFS: Application not modified

OS

Application

OS

Application

PC/SC: Application modified or created

OS

Application

OS

Application

SCFS

PC/SC and SCFS (cont’d) PC/SC supports more cards and readers SCFS can take advantage of it Work in progress

PC/SC

OS

Application

OS

Application

SCFS

SCFS wrap-up

Powerful, flexible API Overhead is small Useful as a low-level development tool

– ls, cd, pwd, make, etc. Secure storage for user profiles, web

cookies, Kerberos tickets, private keys, etc.

Smartcard/Kerberos integration

University of Michigan computing environment is protected by Kerberos– So are MIT, CMU, Stanford, Cornell, ...

Public key cryptography is not practical – (yet)

Kerberos security limitations:– Lacks external encryption device– Lacks secure key storage– Passwords vulnerable to dictionary

attack Smartcards can solve these problems

Decrypt

Need for encryption device

KerberosKDC

Key is exposed to user and workstationWorkstation may not be trustedSniffer, Trojan horse, virus ...

passwordticket

ticket

Need for secure storage

Keys stored on hard disk or in memory are vulnerable

Hard disks are not secure – Adversary with administrative rights can

access keys– Data in a hard disk may be backed up in

an unprotected mass storage device Memory is not secure

– Adversary can scan memory– Data in memory can be paged out to a

hard disk

Dictionary attack

Create a list of English words, names, etc.– Also Star Wars, German, Shakespeare, …– thx1138 is a vulnerable password! :-(

Derive keys from the words in the list Obtain a <plaintext, ciphertext> pair

– Kerberos gives up <plaintext, ciphertext> easily

Decrypt ciphertext with the derived key– If plaintext recovered, password is

exposed UMich: > 4,000 vulnerable accounts in

1997

Decrypt

Countermeasures - use a smartcard

Key is not exposed to user, workstation, or network No password

KerberosKDC

ticket

ticket

ticket

Implementation

STARCOS v. 2.1 from Giesecke & Devrient

Modify MIT Kerberos v5-1.0.5 client Kerberos server unmodified for

global interoperability– Well, almost …– des_cbc_crc method uses key as ivec – Modify server to allow des_cbc_md5

kinitstart

card reset

enddecryption

kinitfinish

startdecryption

0 0.06 0.34 1.32 1.54

Kerberos+smartcard performance

Ticket decrypt time: 1.26 sec.– Native STARCOS CBC– Two rounds– Obviates 27 round host CBC: 2.09 sec– Communication cost @ 9600 bps: ~ half

time in sec.

Smartcard Hall of Shame Cards we considered but were unable to use. Schlumberger CryptoFlex, MultiFlex

– Internal authentication command returns only the first 6 of the 8 bytes of encrypted data. The “full DES” internal authentication command is not available in the standard version of the card.

– Cyberflex Access addresses these issues IBM MFC

– Encrypts a random number challenge presented by SCT_CMD_AUTHENTICATE command.

Smartcard Hall of Shame (cont’d) MAOSCO Multos

– Encrypts with a fixed key. From the manual: "For security reasons," DES is used with a "known cryptographic key" (0x41AD8223A90BE2A1).

General Information Systems Oscar– DES key is XOR'ed with a random number. From

e-mail: “The keys are XOR'ed with a random number for security reasons.”

Gemplus GPK– Key size is limited to 40 bits.

Kerberos+smartcard wrap-up

Practical smartcard authentication method Addresses major weakness of Kerberos Fairly fast … room to improve

– Try other smartcards– Faster communication rate

Future work: – Store ticket on smartcard– Use PC/SC library for interoperability– Server ticket generation

Secure bootstrap with smartcard

Need to sign executable code for software integrity check

Hardware-based solutions– Secure Coprocessor, AEGIS– Secure, but hard to configure

Software-based solutions– Tripwire, Authenticode– But is OS trusted?

Code signing with smartcard

Use AEGIS to boot a specialized OS (boot OS)

Store MACs in a smartcard Check the kernel integrity (second

OS) with the smartcard Check integrity of important

applications (Kerberos KDC, databases, etc.) with the smartcard

IP on smartcard

Expand smartcard accessibility to the Internet

Network protocols on smartcard– Network service used unmodified -

same idea with SCFS– FTP, HTTP, E-mail, etc.

Smartcard as a mobile computer– Bring IP address with you

IP on smartcard plans

Phase 1 : IP on ISO-7816– Will be implemented on

Schlumberger CyberFlex– Limit communication style to host

request - smartcard reply Phase 2 : IP on bidirectional link

layer– Waiting for bare smartcard

Future directions

SCFS– Porting to other operating systems (Linux, NT)– Support more cards and readers (PC/SC?)

Kerberos– Store tickets in a smartcard– Support more cards and readers (PC/SC?)– Smartcard-based ticket generation on server

Just started– IP on smartcard– Code signing

Innovation wrap-up

For secure operating system– Authentication: Kerberos + smartcard– Integrity check: code signing with

smartcard For convenient use of smartcard

– Host - smartcard access: SCFS– Internet access: IP on smartcard

Collaboration

Partnerships with industry, government

Identify common objectives Develop near- and intermediate-

term solutions University is a “living laboratory”

of enterprise-scale issues

CITI/SchlumbergerProgram in Smartcard Technology

File system transparency Secure token storage Kerberos authentication Internet protocol Experimental fault analysis JavaCard formal verification JavaCard performance analysis SEM attack and defense

Mcard opportunities

CITI, ITD, FinOps, Medical Public key infrastructure Engage the creativity and energy

of the student body

Any questions?http://www.citi.umich.edu/