smart cards
DESCRIPTION
Smart Cards. Paul Conti Heather McCarthy Jessica Reed Brian Zajick April 19, 2000. Overview. Basics Standards & Platforms Current Security Attacks Future Security. Smart Card Overview & Design. Jessica Reed. Overview. What is a Smart Card? Where are they used? - PowerPoint PPT PresentationTRANSCRIPT
What is a Smart Card? A card embedded with a computer
chip stores data transacts data between users
The data is associated with either value or information or both
Data is transacted via a reader (part of a computing system)
What is different about them? Provide stored value capabilities
ex. for multi-chain retailers - they can centrally locate and track data
Cards can carry personal account info. for users that can be accessed by a mouse click
cost reduced - data need not be stored at a central location
Restrict access to all but authorized user(s)
How are Smart Cards used? First used in Europe as a stored value tool
for pay phones - to reduce theft Today in US they are used for many
different things: library cards, credit cards, health care,
identification/access government applications (DMV and Electronic
Benefit Transfer) According to Dataquest, the worldwide
smart card market will grow to 4.7 Billion units and $6.8 Billion by 2002
Some basic security components PINS
normally stored in separate elementary files
Must be blocked and unaccessible Security Keys
First - Fabrication key (manufacturer key)
Replaced by - Personalisation key (KP) – Locked in by a personalisation lock (VPER)
Lifecyle of a Smart Card
Fabrication Phase Pre-personalisation Phase Personalisation Phase Utilisation Phase End-of-Life Phase
How they work – Physical Structure Physical Structure
Capability defined by integrated circuit chip – usually consists of microprocessor, ROM, RAM, & electrically erasable programmable read only memory (EEPROM)
How they work – File Structure Hierarchy of Data Files:
highest level - the Master File (MF), layers of Dedicated Files (DF) and one layer of Elementary File (EF)
How they work – File structure Data storage - like MS-DOS or UNIX
hierarchy: Master file = root Dedicated file = folder Elementary file = normal file
Ways that data is managed within the file system differ - depending on different operating systems
Smart Card access control system Files contain header with security info.
(accessing conditions, file status) Lock file - no access Access conditions – NOT hierarchical
ALW - always, no restrictions CHV1, CHV2 - card holder verification
needed ADM - Administrative use only NEV - Never, no access allowed
Java Card Smart Card capable of running Java
programs It is not:
Miniature personal computer Simply a stripped-down version of the
JDK Compatible with ISO 7816 Parts 1-7
and/or EMV Before use must go through pre-
personalisation & personalisation.
OpenCard Framework To use card, must be able to open and
read Based on Java Card Architecture OpenCard is an API that defines several
of these interfaces Can start a Java card agent whenever
the card is inserted Can then communicate with applications
on card during session
OpenCard Framework
OpenCard consists of four Java packages with the prefix opencard: 1. application – provide hgh level API2. io – provide high level API3. agent – abstracts the functionality of the smart card through the
CardAgent4. terminal – abstracts the card terminals
MULTOS A high security architecture
Apps needing high security can reside next to apps needing low security
Co-residence of multiple, inter-operable, platform independent applications
Dynamic remote loading and deletion of applications over the lifetime of a card Achieved using the language MEL (MULTOS
Executable Language)
PC/SC Architecture designed to ensure the
following work together even if made by different manufacturers: smart cards smart card readers computers
Differs from OpenCard because it offers API interoperability rather than uniform API
Designed for Windows environment with development in Visual C++
Summary/Segway All these systems provide a
solution to any Smart Card need None of these systems are 100%
secure How can things go wrong?
Types of Attacks Non-Invasive
forcing or tricking the microcontroller to operate in an unintended manner
Invasive tampering with the chip to more directly
access embedded components Protocol
taking advantage of weakness in commonly employed protocols
Non-Invasive Defense Also known as Logical To defend against power probing, use an
on-chip oscillator and a capacitor/diode network to generate 12V from 5V supply
Incorporate environmental change sensors detect when values go out of acceptable range
low clock frequency - single stepping attacks under / over voltage detection - fast signal reset
Non-Invasive Defense
Glitch attacks affects only some transistors in a chip Systematic output loops search for
instructions and keys Solution: Avoid single point of failure
instructions S/W: Make sure multiple criteria must be
met before granting access H/W: Use an independent internal clock
generator that is only PLL synchronized with the external reference frequency
Non-Invasive Defense Pin management
Stored in EEPROM PIN counter decremented when incorrect
pin used to access files. At 0, PIN blocked Unblock PIN needed to use pin again.
Counter decremented if incorrect unblock PIN is given. At 0, PIN can never be unblocked again = Irreversible blockage
Invasive Defense Also known as Physical Defense Passivation Layer
Silicon nitride or oxide coating that protects the chip from environmental influences and ion migration
Not easily removed, requires dry etching Optical sensor under an opaque
coating When light detected, chip stops
functioning
Invasive Defense Conformeal Glues
opaque, conductive, and strongly resist removal attempts
the underlying silicon is also damaged in the process
widely used by the US Military, but otherwise general not available
Invasive Defense Silicon features used to obscure
design Copy traps:
an element has been found that looks like a transistor, but really is only a connection between gate and source
3-input NORs only function as 2-input NORs
Invasive Defense Copy Traps:
use holes in isolating layers tricks done in the diffusion layer with ion
implantation unfortunately, these deceptions are
revealed using dry etching and Schottky technique
Introduce chip complexity Use non-standard cell libraries
Invasive Defense The Clipper Chip
fusible link system classified encryption algorithm component and
long term device key from an unclassified mask are fused AFTER fabrication
made of amorphous silicon - difficult to microscopy
surface of chip was “salted” with oscillators to defend against electromagnetic sensor attacks
discredited for a protocol flaw, not physical
Smart Card Life Cycle Security
Fabrication Phase Fabrication key
Pre-Personalization Phase Personalization key
Personalization Phase PIN, unblocking PIN, Utilization lock
Utilization Phase Access only through application policies
End-of-Life Phase Write/update disabled by OS, Read only
Smart Card Attacks Many different kinds of attack Range in price(<$50 - tens of
thousands) Range in skill level needed EEPROM, containing key material,
is one of the main targets because it can be affected by unusual temperatures and voltages
Smart Card Attacks Early Smart Card attacks focused
on pay-TV systems Signals that deactivated channels
were blocked by clamping or taping programming voltage contact on card
Cards were also installed that did not respond to certain signals
Non-Invasive attacks - DFA DFA – Differential Fault Analysis
uses glitches introduced to chip Unusual voltage changes
Increasing voltages to chip can clear the security bit, without erasing important memory
Slightly lower voltage attacked random number generator which produced almost all 1’s for cryptographic keys and nonces
Non-Invasive Attacks - DFA Power and clock variations
Affects the decoding and execution of individual instructions
Clock pulse shorter than normal or rapid transient of power affects chip transistors
CPU can be made to execute wrong instructions, or even ones not supported by card
Glitches can be used to manipulate program control and can cause change in access rights, divulging of passwords
Physical Attacks Lock bit on EEPROM(Containing PIN)
can be erased by focusing UV light on security lock cell.
Physically removing the chip is easy Cut plastic behind chip module with knife Nitric acid put on epoxy resin Wash acid away with acetone and silicon
surface is exposed
Physical Attacks Other methods
Expose chip to HNO3 vapor stream Ultrasonic vibration and laser cutter
microscopes
Advanced Attacks Reverse engineering
Etch away one layer of chip at a time Metal deposited on the chip acts as diode
and can be seen with an electronic beam. All layers fed to a PC where images can map
out the entire chip and examine more closely Also can look through chip from back with an
infra-red laser, where silicon is transparent. Laser created photocurrents which can reveal logic states and device operation
Advanced Attacks Active/Modifying attacks
Focus Ion Beam can cut new tracks or implant ions to change doping of an area of silicon
Can disconnect CPU from bus, leaving only EEPROM and CPU function to read EEPROM
Microprobing needle can then be used to read the contents of EEPROM
Active/Modifying Attack
Program counter is connected so that EEPROM memory locations are addressed in the order device is clocked
Advanced Attacks Attacks on chips with batteries
Batteries can cut off crucial components of chip
Some chips can reliably remember bit values for a few seconds when power is cut
With liquid nitrogen, attacker can keep this information stable for minutes to hours
Could disable alarm system and reapply power
Advanced Attacks - DPA Differential Power Analysis
Each operation on a Smart Card needs different amounts of power
Oscilloscope can detect power fluctuations and statistical inferences can be made to determine instructions.
Could be used to determine cryptographic keys or PINs
Advanced Attacks - DPA A-F : Pattern for
each operation Eight peaks
signifies part of an encryption process
Presence or absence of spikes between peaks indicate pieces of encryption key
Adv. Attacks – Chip Rewriting Can alter logic gates and single
bits with laser cutter microscope Attacking DES
Remove xor operation Reduce rounds by corrupting loop
variables or conditional jumps Compare erroneous results to true
results Odd-parity key attack
Latest Attack March 15 2000 Man in France broke the 320 bit 96
digit encryption on ATM card keys Created a “yes-card” which will be
accepted no matter what PIN is entered
Will cost millions to convert to 792 bit card
How do you protect from new attacks?
Advanced Defense Most common systems use either
security modules or Smart Card technology
Advanced designs consist of a composite package containing processor, memory, tamper detection circuitry and a battery
A well detailed example is the ABYSS coprocessor developed by IBM
IBM’s ABYSS Designers considered:
stannic oxide lines on glass piezo-electric sheets wire winding techniques
Designers chose: 4 layer wrapping of 40 gauge nichrome wire
surrounding the processor, battery, memory and sensor circuitry
embedded in a hard, opaque epoxy filled with silica
IBM’s ABYSS Results in a card that is harder to
mis-operate and more likely to crack under UV laser light
This is the future as circuit sizes and power consumption shrink
Advanced Defense Aggressive chemicals can be detected
by their low electrical resistance as long as a battery power supply is available
Power supply networks can be made from a variety of different conductive materials such that exposure to any chemical solvent will cause at least one component to fail
Self-Destruct!
Advanced Defense Suitable packaging thwarts
attackers because process is slow stripping one layer at a time manually short out protective wire
winding guided X-rays precise measurements of voltage
multiple times