Smart Cards

Paul ContiHeather McCarthy

Jessica ReedBrian Zajick

April 19, 2000

Overview Basics Standards & Platforms Current Security Attacks Future Security

Smart Card Overview & Design

Jessica Reed

Overview

What is a Smart Card? Where are they used? What are they made of? How do they work?

What is a Smart Card? A card embedded with a computer

chip stores data transacts data between users

The data is associated with either value or information or both

Data is transacted via a reader (part of a computing system)

What is different about them? Provide stored value capabilities

ex. for multi-chain retailers - they can centrally locate and track data

Cards can carry personal account info. for users that can be accessed by a mouse click

cost reduced - data need not be stored at a central location

Restrict access to all but authorized user(s)

How are Smart Cards used? First used in Europe as a stored value tool

for pay phones - to reduce theft Today in US they are used for many

different things: library cards, credit cards, health care,

identification/access government applications (DMV and Electronic

Benefit Transfer) According to Dataquest, the worldwide

smart card market will grow to 4.7 Billion units and $6.8 Billion by 2002

Some basic security components PINS

normally stored in separate elementary files

Must be blocked and unaccessible Security Keys

First - Fabrication key (manufacturer key)

Replaced by - Personalisation key (KP) – Locked in by a personalisation lock (VPER)

Lifecyle of a Smart Card

Fabrication Phase Pre-personalisation Phase Personalisation Phase Utilisation Phase End-of-Life Phase

How they work – Physical Structure Physical Structure

Capability defined by integrated circuit chip – usually consists of microprocessor, ROM, RAM, & electrically erasable programmable read only memory (EEPROM)

How they work – File Structure Hierarchy of Data Files:

highest level - the Master File (MF), layers of Dedicated Files (DF) and one layer of Elementary File (EF)

How they work – File structure Data storage - like MS-DOS or UNIX

hierarchy: Master file = root Dedicated file = folder Elementary file = normal file

Ways that data is managed within the file system differ - depending on different operating systems

Smart Card access control system Files contain header with security info.

(accessing conditions, file status) Lock file - no access Access conditions – NOT hierarchical

ALW - always, no restrictions CHV1, CHV2 - card holder verification

needed ADM - Administrative use only NEV - Never, no access allowed

Smart Card Standards & Platforms

Brian Zajick

Overview Java Card OpenCard Framework MULTOS PC/SC Summary/Segway

Java Card Smart Card capable of running Java

programs It is not:

Miniature personal computer Simply a stripped-down version of the

JDK Compatible with ISO 7816 Parts 1-7

and/or EMV Before use must go through pre-

personalisation & personalisation.

Java CardApplet Development Kits

GemXpresso, Cyberflex, GalactIC, Odyssey

OpenCard Framework To use card, must be able to open and

read Based on Java Card Architecture OpenCard is an API that defines several

of these interfaces Can start a Java card agent whenever

the card is inserted Can then communicate with applications

on card during session

OpenCard Framework

OpenCard consists of four Java packages with the prefix opencard: 1. application – provide hgh level API2. io – provide high level API3. agent – abstracts the functionality of the smart card through the

CardAgent4. terminal – abstracts the card terminals

OpenCard Framework

MULTOS A high security architecture

Apps needing high security can reside next to apps needing low security

Co-residence of multiple, inter-operable, platform independent applications

Dynamic remote loading and deletion of applications over the lifetime of a card Achieved using the language MEL (MULTOS

Executable Language)

MULTOS

PC/SC Architecture designed to ensure the

following work together even if made by different manufacturers: smart cards smart card readers computers

Differs from OpenCard because it offers API interoperability rather than uniform API

Designed for Windows environment with development in Visual C++

PC/SCCore Members

Summary/Segway All these systems provide a

solution to any Smart Card need None of these systems are 100%

secure How can things go wrong?

Current Defense Mechanisms

Part I

Heather McCarthy

Types of Attacks Non-Invasive

forcing or tricking the microcontroller to operate in an unintended manner

Invasive tampering with the chip to more directly

access embedded components Protocol

taking advantage of weakness in commonly employed protocols

Non-Invasive Defense Also known as Logical To defend against power probing, use an

on-chip oscillator and a capacitor/diode network to generate 12V from 5V supply

Incorporate environmental change sensors detect when values go out of acceptable range

low clock frequency - single stepping attacks under / over voltage detection - fast signal reset

Non-Invasive Defense

Glitch attacks affects only some transistors in a chip Systematic output loops search for

instructions and keys Solution: Avoid single point of failure

instructions S/W: Make sure multiple criteria must be

met before granting access H/W: Use an independent internal clock

generator that is only PLL synchronized with the external reference frequency

Non-Invasive Defense Pin management

Stored in EEPROM PIN counter decremented when incorrect

pin used to access files. At 0, PIN blocked Unblock PIN needed to use pin again.

Counter decremented if incorrect unblock PIN is given. At 0, PIN can never be unblocked again = Irreversible blockage

Invasive Defense Also known as Physical Defense Passivation Layer

Silicon nitride or oxide coating that protects the chip from environmental influences and ion migration

Not easily removed, requires dry etching Optical sensor under an opaque

coating When light detected, chip stops

functioning

Invasive Defense Conformeal Glues

opaque, conductive, and strongly resist removal attempts

the underlying silicon is also damaged in the process

widely used by the US Military, but otherwise general not available

Invasive Defense Silicon features used to obscure

design Copy traps:

an element has been found that looks like a transistor, but really is only a connection between gate and source

3-input NORs only function as 2-input NORs

Invasive Defense Copy Traps:

use holes in isolating layers tricks done in the diffusion layer with ion

implantation unfortunately, these deceptions are

revealed using dry etching and Schottky technique

Introduce chip complexity Use non-standard cell libraries

Invasive Defense The Clipper Chip

fusible link system classified encryption algorithm component and

long term device key from an unclassified mask are fused AFTER fabrication

made of amorphous silicon - difficult to microscopy

surface of chip was “salted” with oscillators to defend against electromagnetic sensor attacks

discredited for a protocol flaw, not physical

Smart Card Life Cycle Security

Fabrication Phase Fabrication key

Pre-Personalization Phase Personalization key

Personalization Phase PIN, unblocking PIN, Utilization lock

Utilization Phase Access only through application policies

End-of-Life Phase Write/update disabled by OS, Read only

Component Accessibility During the Smart Card Life Cycle

Smart Card Attacks

Paul Conti

Smart Card Attacks Many different kinds of attack Range in price(<$50 - tens of

thousands) Range in skill level needed EEPROM, containing key material,

is one of the main targets because it can be affected by unusual temperatures and voltages

Smart Card Attacks Early Smart Card attacks focused

on pay-TV systems Signals that deactivated channels

were blocked by clamping or taping programming voltage contact on card

Cards were also installed that did not respond to certain signals

Non-Invasive attacks - DFA DFA – Differential Fault Analysis

uses glitches introduced to chip Unusual voltage changes

Increasing voltages to chip can clear the security bit, without erasing important memory

Slightly lower voltage attacked random number generator which produced almost all 1’s for cryptographic keys and nonces

Non-Invasive Attacks - DFA Power and clock variations

Affects the decoding and execution of individual instructions

Clock pulse shorter than normal or rapid transient of power affects chip transistors

CPU can be made to execute wrong instructions, or even ones not supported by card

Glitches can be used to manipulate program control and can cause change in access rights, divulging of passwords

Physical Attacks Lock bit on EEPROM(Containing PIN)

can be erased by focusing UV light on security lock cell.

Physically removing the chip is easy Cut plastic behind chip module with knife Nitric acid put on epoxy resin Wash acid away with acetone and silicon

surface is exposed

Physical Attacks Other methods

Expose chip to HNO3 vapor stream Ultrasonic vibration and laser cutter

microscopes

Compromised Chip

Advanced Attacks Reverse engineering

Etch away one layer of chip at a time Metal deposited on the chip acts as diode

and can be seen with an electronic beam. All layers fed to a PC where images can map

out the entire chip and examine more closely Also can look through chip from back with an

infra-red laser, where silicon is transparent. Laser created photocurrents which can reveal logic states and device operation

Advanced Attacks Active/Modifying attacks

Focus Ion Beam can cut new tracks or implant ions to change doping of an area of silicon

Can disconnect CPU from bus, leaving only EEPROM and CPU function to read EEPROM

Microprobing needle can then be used to read the contents of EEPROM

Active/Modifying Attack

Program counter is connected so that EEPROM memory locations are addressed in the order device is clocked

Advanced Attacks Attacks on chips with batteries

Batteries can cut off crucial components of chip

Some chips can reliably remember bit values for a few seconds when power is cut

With liquid nitrogen, attacker can keep this information stable for minutes to hours

Could disable alarm system and reapply power

Advanced Attacks - DPA Differential Power Analysis

Each operation on a Smart Card needs different amounts of power

Oscilloscope can detect power fluctuations and statistical inferences can be made to determine instructions.

Could be used to determine cryptographic keys or PINs

Advanced Attacks - DPA A-F : Pattern for

each operation Eight peaks

signifies part of an encryption process

Presence or absence of spikes between peaks indicate pieces of encryption key

Adv. Attacks – Chip Rewriting Can alter logic gates and single

bits with laser cutter microscope Attacking DES

Remove xor operation Reduce rounds by corrupting loop

variables or conditional jumps Compare erroneous results to true

results Odd-parity key attack

Latest Attack March 15 2000 Man in France broke the 320 bit 96

digit encryption on ATM card keys Created a “yes-card” which will be

accepted no matter what PIN is entered

Will cost millions to convert to 792 bit card

How do you protect from new attacks?

Advanced Defense Mechanisms

Part II

Heather McCarthy

Advanced Defense Most common systems use either

security modules or Smart Card technology

Advanced designs consist of a composite package containing processor, memory, tamper detection circuitry and a battery

A well detailed example is the ABYSS coprocessor developed by IBM

IBM’s ABYSS Designers considered:

stannic oxide lines on glass piezo-electric sheets wire winding techniques

Designers chose: 4 layer wrapping of 40 gauge nichrome wire

surrounding the processor, battery, memory and sensor circuitry

embedded in a hard, opaque epoxy filled with silica

IBM’s ABYSS Results in a card that is harder to

mis-operate and more likely to crack under UV laser light

This is the future as circuit sizes and power consumption shrink

Advanced Defense Aggressive chemicals can be detected

by their low electrical resistance as long as a battery power supply is available

Power supply networks can be made from a variety of different conductive materials such that exposure to any chemical solvent will cause at least one component to fail

Self-Destruct!

Advanced Defense Suitable packaging thwarts

attackers because process is slow stripping one layer at a time manually short out protective wire

winding guided X-rays precise measurements of voltage

multiple times

Ideal Defense Methods Avoid single point of failure PKI - reduced number of certification keys Ensure that penetration of one component

is not disastrous to the whole system fall-back: full reconciliation, intrusion detection

Must be rigorously subjected to hostile testing