
Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart...

Date post: 06-May-2019
Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 - University College of London, UK 2 = [Axalto+Gemplus]
Transcript
Page 1:

Cryptographic Protocols and Smart Cards

Nicolas T. Courtois 1, ex. 2

1 - University College of London, UK
2 = [Axalto+Gemplus]

Page 2:

Crypto Protocols and Smart Cards

Outline
• Smart Cards
• Crypto Protocols
• Confidentiality
• Integrity, Authenticity
• Entity Authentication
• GSM SIM cards and authentication
• Oyster card
• Public Key Authentication
• Bank cards
• Electronic Passports

2 Nicolas T. Courtois 2006-2009

Page 3:

Scope and References

Page 4:

Applied Cryptography:

Learn principles of cryptographic and security engineering.

How are things done in practice? A mix of:
• Crypto protocols
– with crypto algorithms viewed as black boxes.
• Hardware devices:
– smart cards, RFID, etc…

Page 5:

Cryptography at UCL

1. COMPGA03 Introduction to Cryptography
=> Basic Crypto Techniques

2. *COMPGA04 Advanced Cryptography
=> Provable Security and Advanced Crypto Constructions

3. *COMPGA12 Applied Cryptography
=> How Security Problems in the Industry are Solved with Help of Cryptography

Page 6:

What is a Smart Card ?

Set of ISO standards.
• cards with contacts:
– ISO 7816-1..16
• contact-less
– ISO 14443 A-..C [Oyster]
– ISO 15693 [NFC]
– ISO 18000 [RFID]

Page 7:

Books About Smart Cards

1) Security Engineering [Cambridge]
• by Ross Anderson
• MUCH larger scope, may selectively read Chapters 3-5, 10, 11, 16, 22, 26 etc.

2) Smart Card Handbook [Germany, 2002]
• by Wolfgang Rankl and Wolfgang Effing

3) Smart Card Applications [Germany, 2007]
• by Wolfgang Rankl

4) LATEST BOOK [RHUL, 2008]
Smart Cards, Tokens, Security and Applications
• by Keith Mayes and Konstantinos Markantonakis (Editors)

Page 8:

Philosophy

Page 9:

Security:

Protecting Assets from Threats

asset holder

Page 10:

Main Goals:
• Confidentiality
• Integrity
• Authenticity

Availability

Accountability

Page 11:

Magic Formulas…

or “Security Mantras”:
• repeat after me: C.I.A. C.I.A.

In fact we have no silver bullet.

On the contrary: Security is about trade-offs. Conflicting engineering criteria… Conflicting requirements… Overcoming human, technology and market failures.

insecure rubbish!

Page 12:

Least Privilege [or Limitation] Principle

[Saltzer and Schroeder 1975]

Every entity should be able to access only such information and resources that are necessary to its legitimate purpose.

Page 13:

Proportionality Principle

Maximize security???

Maximize “utility” while limiting risk to an acceptable level within reasonable cost…
» all about economics…

Page 14:

Defence in Depth Principle

Military: layer the defences.

Page 15:

Example

Steal Private Signature Key

[Diagram labels:]
user control
spec secrecy
authenticate terminal
PIN check
crypto implementation

Page 16:

Goals

Page 17:

Security

Protecting Assets from Threats

asset holder

Page 18:

Security Engineering
Definition: [Ross Anderson]

building systems to remain dependable in face of malice, error or mischance.

Page 19:

Key Remark
Software CANNOT be protected by software.

Page 20:

Main Function of a Smart Card = to be “a secure hardware device”.

[Figure labels:]
USB interface
ISO, [USB], [RF]
ISO, [USB, RF]
USB Token form factor
SIM card form factor
credit card form factor

1. “intelligent” (Smart): the card
– handles computations (e.g. crypto)
– manages data (OS, file system, access rights)
– takes informed security decisions (…block itself !)

2. Hopefully “unbreakable”: nobody can know/modify what is inside.

Page 21:

Magnetic Stripe Cards [since 60s]

Which one is counterfeit ?

Chip cards: much harder to read, much harder to counterfeit.

Page 22:

History

Page 23:

Short Plastic Card History

1878 US fiction writer Bellamy: In 2000 everybody will be paying by a credit card (!). Cf. Edward Bellamy “Looking Backward, 2000 to 1887”.

1914-1940 Metal credit cards in the US, forbidden during WW2

1950 Invention of plastic money (PVC): Frank McNamara@Diners Club [NY, USA] issues first universal plastic [charge] credit cards.

1967 First cash machines [DeLaRue] with punch cards.

1967 France: first magnetic stripe card for access control.

1972 [UK] First on-line ATM with magnetic stripe cards.

Page 24:

History - Chip Cards

1960s
1. French science-fiction book “La Nuit des temps” by René Barjavel: A portable object/jewel that opens doors.
2. Plastic credit cards were standardized and used since the 50s [plastic money].

1970s: 1+2 = Embedding electronic components in credit cards: Many patents in USA, Germany, Japan and then France.

Page 25:

Smart Card Odyssey

Two Key Patents:
• Roland Moreno [France]:
– chip card [1974]
– security limitations [1975]
• Michel Ugon, Bull CP8:
– microprocessor card [1977]

10 years ago, half of chip cards in the world were French. Wider adoption around 2000.

Page 26:

SPOM, October 1981 - Bull CP8

Patented
• NMOS 3,5 µ,
• 42 K Transistors,
• RAM: 36 bytes (!),
• ROM: 1,6 Kbytes,
• EPROM: 1 Kbyte

Page 27:

History of Electronic Bank Cards - in 1984:

Schlumberger pilot in Lyon, France:
• a simple wired logic card

Bull CP8 pilot in Blois, France:
• a microprocessor card

The banks adopted the Bull CP8 solution, the forefather of current smart bank cards (EMV).

100% in France in 1992. 100% in the world around 2010 ?

=> Close the loophole.

Gemplus

Page 28:

Vocabulary, Typology, Features

Page 29:

Vocabulary (English / French)

magnetic stripe card / carte à piste magnétique
IC = Integrated Circuit / puce, circuit intégré
ICC, chip card: / carte à puce:
• memory card / carte à mémoire
• wired logic card / c. à logique câblée
• smart card / carte à microprocesseur [+crypto co-processeur]

Page 30:

More Vocabulary (English / French)

card reader, CAD (Card Acceptance Device) / lecteur carte
BO’ card [1985-2004] / carte bancaire française
EMV card [1996-2020?] / nouveau standard

Page 31:

Types of cards

memory/wired logic: 0 CPU
microprocessor: 1 CPU
micropr.+crypto: 2 CPU
contactless: 1-2 CPU

Source: Gartner, 2005

Page 32:

Memory/Wired Logic Card

• Primitive
• NVM – non-volatile memory (E2PROM, Flash memory)
• simple function
• e.g. prepay card

Page 33:

Smart Card

• Microcontroller = CPU+memory
• Universal, Turing machine, software driven
• flexibility
• security features
• [Hardware DES]

Page 34:

Crypto-processor IC Cards

• Additional crypto-processor for RSA or elliptic curves
• Hardware security counter-measures

Page 35:

Contact-less Smart Card

• with RF transceiver
• 0.1 s transaction
– much less energy
– even less computing power

Page 36:

Memory on Smart Cards

• ROM (‘hard mask’: C/Assembly, contains OS, secure file access, I/O, libraries[crypto!], JVM) = 100 - 300 Kbytes now
• RAM = 4-16 K now (expensive, first Bull CP8 card had 36 bytes)
• NVM: (‘soft mask’, compiled C, more libraries…)
– EPROM: 1980s, high voltage needed to erase it
– E2PROM: 8-64 Kbytes, recently 128-256 K GSM SIM.
– New trend: Flash memory:
  • Much cheaper, dense and shrinkable process.
  • Random read, harder to manage, hard to re-write and very slow to erase.
  • Spansion 2006: 1 Giga in a SIM card!

≈ 1000 times slower to write than RAM

Page 37:

Life Cycle of a Smart Card [ISO 10202-1]

• Manufacturing: [e.g. Infineon, Gemalto]
– ROM <= ‘hard mask’, remove test functionality
• Initialize: [e.g. Gemalto, Card Issuer]
– E2PROM <= ‘soft mask’, completing O.S. install
• Personalize: [Card Issuer]
– Init apps
– E2PROM <= data, keys etc. for an individual user!
• Use it: [e.g. ATM]
– issue commands (APDUs)
• Death: [e.g. local bank]
– invalidate the chip / destroy the card.

Page 38:

Functionalities of Chip/Smart Cards

Page 39:

Advantages of Smart Card

• storage capacity
• security functionalities
• multiple functions
• user acceptability, effective packaging
• successful business model

Page 40:

Crypto Functionalities of a Smart Card (1)

• Cardholder verification by the card.
– Check PIN or biometric data.
– Not always done with crypto, but otherwise necessary to activate the crypto capabilities of the card.
• Key generation, its secure storage, safe “usage” and (why not) erasure.
• Encrypt data (public and secret key)
– emails, files, etc… e.g. PGP PKI badge
– secure messaging, like VPN

Page 41:

Crypto Functionalities of a Smart Card (2)

Authentication – from weaker to stronger:
• Integrity checks (CRC, or better: cryptographic hash).
• Origin checks (storing a static signature)
• Dynamic Challenge-Reply card authentication (proof of identity, should be a Zero-knowledge mechanism).
• Dynamic authentication of any data with a 3-DES cryptogram or a MAC (symmetric-key signatures).
• Dynamic authentication of any data with a “real” (=public-key) digital signature.
– Provides authenticity and non-repudiation of every individual action taken in a complex protocol !
• Also verification: the authenticity of a terminal / external world.
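
The ladder above from weaker to stronger, as an added Python example that is not part of the original slides: it contrasts a CRC, a static stored authenticator and a dynamic challenge-reply. HMAC-SHA256 stands in for both the static signature and the 3-DES cryptogram/MAC, and the Card and Terminal classes, the key and the record are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import zlib

# Constructed sample data: a card record and a key shared by card and issuer.
RECORD = b"PAN=0000111122223333;EXP=1209"
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def crc_tag(data):
    """Integrity check only: no secret, so anyone can recompute it."""
    return zlib.crc32(data).to_bytes(4, "big")


def mac(key, data):
    """HMAC-SHA256, standing in for a 3-DES cryptogram or static signature."""
    return hmac.new(key, data, hashlib.sha256).digest()


class Card:
    """Hypothetical card: the key stays inside, only tags and replies leave."""

    def __init__(self, key, record):
        self._key = key
        self.record = record
        self.static_tag = mac(key, record)  # written once at personalisation

    def reply(self, challenge):
        # Dynamic authentication: the reply depends on the fresh challenge.
        return mac(self._key, challenge + self.record)


class Terminal:
    """Hypothetical verifier holding the same key as the card."""

    def __init__(self, key):
        self._key = key
        self._pending = None

    def check_crc(self, record, tag):
        return crc_tag(record) == tag

    def check_static(self, record, tag):
        return hmac.compare_digest(mac(self._key, record), tag)

    def new_challenge(self):
        self._pending = secrets.token_bytes(16)
        return self._pending

    def check_reply(self, record, reply):
        if self._pending is None:
            return False
        challenge, self._pending = self._pending, None  # single use
        return hmac.compare_digest(mac(self._key, challenge + record), reply)


def run_ladder():
    card, terminal = Card(CARD_KEY, RECORD), Terminal(CARD_KEY)
    tampered = RECORD.replace(b"EXP=1209", b"EXP=1299")
    keyless = secrets.token_bytes(16)  # a party that does not hold CARD_KEY

    results = {
        # Changed data with a recomputed CRC passes the integrity check.
        "tampered_passes_crc": terminal.check_crc(tampered, crc_tag(tampered)),
        # Changed data cannot get a valid keyed tag without the key.
        "tampered_passes_static": terminal.check_static(
            tampered, mac(keyless, tampered)),
        # Unchanged data plus its stored tag is accepted from any copy.
        "copied_static_accepted": terminal.check_static(
            card.record, card.static_tag),
    }
    first = terminal.new_challenge()
    recorded = card.reply(first)
    results["genuine_reply_accepted"] = terminal.check_reply(card.record, recorded)
    terminal.new_challenge()  # a later session gets a fresh challenge
    results["replayed_reply_accepted"] = terminal.check_reply(card.record, recorded)
    return results


if __name__ == "__main__":
    for name, value in run_ladder().items():
        print(f"{name}: {value}")
```

The static tag proves where the data came from but not that the genuine card is present, which is the gap the dynamic levels close.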

Page 42:

Smart Card Applications

Page 43:

Some Applications of a Smart Card

• PayTV - Broadcast Encryption and Traitor Tracing.
– First PayTV Card: Philips+Bull, 1980-81
• Storing private data (emails, passwords etc…)
• First phone cards with a chip: [1983 Schlumberger Télécarte, France], [1984 G&D Telekarte, Germany],
  Remark: wired logic, contact placement later changed
• GSM / 3G phones
– First SIM card: Gemplus 1989, MANY billions sold since
• Electronic passport, ID
– PKI, Belgium by Axalto.
– Biometric passports: required since October 2005.

Page 44:

More Applications of a Smart Card

• Bank Cards [since 1984, Bull CP8]
• Home Banking, Internet Shopping
• PC access, corporate badge, secure email PGP
• Electronic purse, parking: [1996-] Proton[Be], Geldkarte, later integrated with bank cards
• First student card [restaurant, library, etc.]
– First in 1988, Italy, Bull CP8

Page 45:

Part 2

Modern Cryptography

Page 46:

What is Cryptography ?

• Much more than encrypting things.
• Can achieve all kinds of security goals, not only privacy.

Page 47:

Goals of Cryptography

1. Confidentiality: privacy, anonymity or pseudonymity.
2. Authenticity, Integrity, Non-repudiation…
3. Fair play and resistance to malicious behaviours in multiparty protocols…
4. Meta: Trust (or Accountability), Openness, Governance, Compliance, Auditing, Alerting, Risk Assessment...

Page 48:

Means to Achieve These Goals

Cryptographic Schemes / Cryptographic Protocols:

Necessary ingredients:
1. The best mathematics and
2. computer science on earth.
3. Review and constant scrutiny of hundreds of independent experts.

How to use these correctly:
4. people/programmers understanding “how to use it”
5. + appropriate software/hardware environment (e.g. smart cards)
6. + “trusted infrastructure” (trusted companies).

Page 49:

Means and Tools to Achieve Security

MAIN TOOL in Cryptography / Security:

The Secret (or Secrecy)

Page 50:

Jacques Stern book:

La Science du Secret

(éditions Odile Jacob)

Page 51:

3 Stages

Page 52:

Trouble with Secrecy

• Secrecy is almost always imposed by business considerations.
• Secrecy has almost always led to shoddy security.

Page 53:

Evolution of Information Security

3 stages [Courtois]:
1. Protections that are secret
2. Based on a secret key
3. Public key solutions.

Page 54:

First Stage – Security By Obscurity

The stone age of cryptography...
Like hiding the key under the doormat.
Usually broken if you try long enough.
Hackers' paradise: just give me enough coffee…
Unpredictable and catastrophic when some information leaks out…

Page 55:

Second Stage – Secret Key Cryptography

Shared Key.

The key remains secret.
Algorithm can be published !

Page 56:

Kerckhoffs principle: [1883]

“The system must remain secure should it fall in enemy hands …”

Page 57:

****Short History of Cryptology

Until 1977 all cryptographic algorithms were secret...

Until about 1945-60s all ciphers were broken...

Cryptanalysis with machines -> computers – increasing computing power

Statistical cryptanalysis: frequency and language -> DC, LC, GLC, BLC, Algebraic Cryptanalysis

from art to higher mathematics… [Cocks, RSA, Public Key Cryptology]

[Timeline figure. Axis: 9th, 1900, 1939-45, 70s, 90s, 2000s. Labels: DES public; commercial cryptography; strong commercial cryptography used by anyone]

Page 58:

Second Stage – Secret Key Cryptography

Appeared with perfecting Enigma… More and more computation, necessity to build machines called “bombs”.

Computational Security: time+money.

Page 59:

Second Stage – Secret Key Cryptography

Good Crypto: can publish the algorithm.

• In 1977 the American government publishes DES.
• Before: good encryption algorithms were highly classified weapons.

Page 60:

Proprietary Algorithms

• Maybe I can break it ?
• No time, no motivation: many “lousy” algorithms, few people able to break them…

Page 61:

Partial Solution…

• If one can break RSA-2048 bits, RSA Security offers 200 000 US$.
• For ECC: Certicom offers 725 000 US$.
• For AES: 0 $ is offered.

The US government wants cryptologists to work for free…

Page 62: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Crypto Tools: here seen as black boxes.

Confidentiality

Integrity

Authenticity

Page 63: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Confidentiality

[Figure: Alice and Bob]

Page 64: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Case Studies: PayTV

Page 65: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Pay TV

Page 66: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

[Diagram: Pay TV key hierarchy. Labels: video; CW (10 sec.); DVB / CSA on both sides; E_CW (video); encrypted video with ECM; E_KC (CW); KC (1 month); EMM channel; E_KU (KC); KU (10 years..); F blocks; E2PROM.]

Page 67: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Public Key Encryption – Better

[Diagram: public key encryption. Labels: key generation algorithm (past: setup phase) producing pk (public key) and sk (private key); encryption algorithm with m and r, output c; Eve observing c; decryption algorithm with output m or invalid.]

Page 68: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Data Authentication

Page 69: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Message Authenticity – Goals

Different security levels:

1. Correct transmission – no (random) transmission error. A malicious attacker can always modify it.
• Achieved with CRC and/or error correction/detection codes.

2. Integrity – no modification possible if the “tag/digest” is authentic. If we cannot guarantee the authenticity of the tag, a malicious attacker can still modify and re-compute the hash.
• Achieved with cryptographic hash functions (= MDC), e.g. SHA-1.

3. Authenticity – specific source. Authenticated with some secret information (key).
• Achieved with a MAC (= a hash function with a key = a secret-key signature).

4a. Non-repudiation – very strong requirement. Only one person/entity/device can produce this document.
• Achieved with Digital Signatures. The strongest method of message authentication.

4b. Public verifiability. Everybody can be convinced of the authenticity (trust the bank?).
• Achieved with Digital Signatures. The strongest method of message authentication.
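The first three levels above can be compared side by side. The following is an added example, not part of the original slides: it assumes SHA-256 and HMAC-SHA256 in place of the SHA-1 and MAC named on the slide, and the key and both messages are constructed sample values.

```python
import hashlib
import hmac
import zlib

KEY = b"constructed-demo-key"                 # constructed shared secret
MESSAGE = b"PAY 100 EUR TO ACCOUNT 12345"     # constructed genuine message
FORGED = b"PAY 900 EUR TO ACCOUNT 66666"      # constructed attacker message


def protect(message, level, key=KEY):
    """Tag attached by the sender at level 1 (CRC), 2 (hash) or 3 (MAC)."""
    if level == 1:
        return zlib.crc32(message).to_bytes(4, "big")
    if level == 2:
        return hashlib.sha256(message).digest()
    if level == 3:
        return hmac.new(key, message, hashlib.sha256).digest()
    raise ValueError("level must be 1, 2 or 3")


def verify(message, tag, level, key=KEY):
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(protect(message, level, key), tag)


def flip_bit(message, bit_index):
    """Model a random transmission error: one flipped bit."""
    data = bytearray(message)
    data[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(data)


def forgery_accepted(level, tag_is_authentic=False):
    """Does the receiver accept FORGED from an attacker who controls the
    channel but does not know KEY?"""
    if tag_is_authentic:
        tag = protect(MESSAGE, level)   # tag arrives by a channel he cannot touch
    elif level in (1, 2):
        tag = protect(FORGED, level)    # public algorithm, no key: recompute it
    else:
        tag = hmac.new(b"attacker-guess", FORGED, hashlib.sha256).digest()
    return verify(FORGED, tag, level)


if __name__ == "__main__":
    for level in (1, 2, 3):
        damaged = flip_bit(MESSAGE, 5)
        detected = not verify(damaged, protect(MESSAGE, level), level)
        print("level", level, "| random error detected:", detected,
              "| forgery accepted:", forgery_accepted(level))
    print("level 2 with authentic tag | forgery accepted:",
          forgery_accepted(2, tag_is_authentic=True))
```

All three levels catch the random error; only the authentic digest (level 2) or the keyed tag (level 3) stops the rewritten message.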

Page 70: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Authenticity – Public Key

Signatures

Can be:

Public key:
• Real full-fledged Digital Signatures.

Secret key:
• Not « real signatures » but MACs = Message Authentication Codes.

Page 71: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

MACs = Message Authentication Codes = “Secret-Key Signatures”

[Diagram: MAC. Labels: MAC algorithm with sk (secret key), input m, output σ; MAC algorithm with sk (secret key), input (m,σ), output yes/no; forgery of σ.]

Page 72: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Digital Signatures (Public Key)

[Diagram: digital signature. Labels: signing algorithm with sk (private key), input m, output σ; verification algorithm with pk (public key), input (m,σ), output yes/no; forgery of σ.]

Page 73: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Message Authenticity: Hash-then-Sign

A hash function (or hash algorithm) is a reproducible method of turning data (usually a message or a file) into a number suitable to be handled by a computer. These functions provide a way of creating a small digital "fingerprint" from any kind of data. The function chops and mixes (i.e., substitutes or transposes) the data to create the fingerprint, often called a hash value. The hash value is commonly represented as a short string of random-looking letters and numbers (Binary data written in hexadecimal notation).

[Diagram: hash-then-sign. Labels: m; H; H(m); Digital Signature, e.g. RSA-PSS; σ; 0-∞ bits; >=160 bits; >=80 bits; sample hash value 098f6bcd4621d373cade4e832627b4.]

Page 74: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Signatures - Requirements

1. Authenticity – guarantees the document signed by…

2. Non-repudiation – normally only possible with public-key signatures.
– Unless we assume that we have tamper-resistant hardware (e.g. a smart card): then non-repudiation can be achieved with a MAC based on AES!

3. Public verifiability – normally only possible with public-key signatures.
– Unless there is a trusted third party (e.g. independent and trusted authority, an electronic notary service): then public verifiability will be achieved with a MAC based on AES!

CONCLUSION: secret key signatures can work in practice… but are fundamentally either less secure or less practical (what if the notary stops responding, the smart card destroys itself because it thinks it is being attacked etc..).

Page 75: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Digital Signatures: Top of the Top:

• The strongest known form of Message Authentication:
– Integrity, and more:
– Authenticity, and more:
– Public Verifiability (≠ secret key signatures, MACs), and more:
– Non-repudiation: I’m the only person that can sign…

Page 76: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

*Digital Signatures vs. Authentication

• Strongest known form of Message Authentication.
• Allows also authentication of a token/device/person (e.g. EMV DDA, US Passport):
– challenge–response (just sign the challenge)
• The reverse does not hold:
– Not always possible to transform authentication into signature. More costly in general!

Sym. encryption << P.K. authentication < signature

Page 77: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Multi-Party Protocols

Page 78: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Protocols

A security protocol is a sequence of communications that two or more principals undertake to securely achieve an objective.

Principals: people, organizations, governments, computers, USB devices, smart cards, concurrently running processes, etc…

Page 79: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Objective?

No limits in how complex they are. Examples:
• Secure Transmission of Data (encryption)
• Anonymous Transmission of Data
• Mutual Authentication (2x proof of identity).
• Multiparty Computation: Jointly compute 1 function. Keep inputs private. E.g.
– Millionaires’ problem,
– Electronic election
– Auction with specific rules
– Online casino

hard only when there is no trusted third party

• Complex systems that never stop running:
– run an online betting exchange
– run a stock exchange
– Payment systems
– Pay TV systems
• Secret sharing (verifiable, resistant to cheating, access structures…).
• Key Establishment.
• Joint random generation (no one can make it non-random).
• etc…

usually a trusted party (called a Dealer) only needed at the beginning

Page 80: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Securely?

Need for a formal definition:
1. Objectives of the Attacker (win a certain game).
2. Resources
3. Access

However carefully designed, protocols have subtle flaws found 20 years later.

Types of attacks that the designer did neither intend nor imagine.

Page 81: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

What If?

Many protocols have the following properties:
• if all participants are honest, they work.
• if participants are honest but curious, they learn nothing
• if one participant cheats,
– it will be detected
– not always possible to know who cheated
• It is usually always possible to disturb the protocol (denial of service)
– not always possible to know whose fault it was

Page 82: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Overall Goal:

The protocol will either securely succeed or abort.

• moreover, if all participants are honest, including honest but curious, the protocol should always succeed

Page 83: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

The Dolev-Yao Model

Defines an attacker for all cryptographic protocols.

This attacker is powerful, but that’s precisely the point: protocols should be designed to resist this type of attacker, and be nevertheless secure.

Sets a sort of minimal standard for protocols.

They will be also secure when the attacker is less powerful.

Page 84: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

The Dolev-Yao Model

Attacker = the Network
• the attacker can read, modify, copy and create his own messages.
• In other words, the attacker has totally compromised the ambient medium of communication (the network).

========== our minimum standard ==========

optional:
• in addition, many protocols assume that the attacker can corrupt some participants
• at certain moments in time he can read or modify their private data
• not all are corrupted,
– it wouldn’t make sense to still talk about security

Page 85: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Entity Authentication

Page 86: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Passwords

Bad user: password systems fail...

Page 87: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Entity Authentication / Identification

A person/device can be authenticated by

1. Something that he/it knows.
• PIN, password, knowledge of an AES key, private RSA key etc..

2. Something that he/it has.
• Smart card, USB key, TPM module, and other tamper-resistant hardware…

3. Something that he/it is.
• Biometrics, unique physical characteristics (cf. snow flake).

Page 88: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Multi-factor authentication:

To enter the office, one needs:
1. A PIN.
2. A smart card.

We speak about a 2-factor system.

High security systems (e.g. bank vault, military lab, etc.) require systematic and simultaneous use of 3 factors

=> Good security.

Page 89: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Passwords = Static Authentication

Page 90: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Skimming Bank Cards

Page 91: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Can We Do Better?

Page 92: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Beyond Passwords

In the real world, passwords are
• low entropy,
• yet impossible to remember,
• shared,
• reused

Hackers do
• guess / crack them
• intercept/record and replay

Can we defend against all these?
• reset passwords frequently… check if strong
• or move from static to dynamic schemes!

Page 93: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Dynamic Authentication

Page 94: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Dynamic vs. Static Authentication

Dynamic as opposed to static.

dynamic (authentication) systems:
• One-Time Passwords (OTP),
– in any order, counter-based, frame number-based
• time based
• random challenge-based
• data-based == MAC
• data+challenge based: better, data can be the same

Page 95: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

One Time and Better…

Page 96: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

One-Time Passwords (OTP)

Key properties:
• The password is changed each time
• The attacker cannot know it in advance,
– real-time MIM = Man In the Middle attacks remain possible
• The fraudulent authentication attempts are detected

Page 97: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

One-Time Passwords in Banking

A card with printed random numbers.

Problem: can be photocopied…
– and the user still has it, naively thinking it is secure…

Page 98: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

One-Time Passwords?

Time-synchronized OTP: RSA SecurID etc.

Wrong: this is NOT an OTP scheme. Though everybody calls it an OTP token…

It is no longer an OTP, it is nearly a challenge-response system, kind of half way.

Where challenge = time.
• Except that the challenge is fixed for 30-60 s.

Window of opportunity: 30 s, second session possible connected from another location…
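The window of opportunity can be closed on the verifier side by accepting each time step at most once. The following is an added example, not from the original slides: the SecurID algorithm is proprietary, so HMAC-SHA1 TOTP from RFC 6238 is swapped in, and the key, timestamps and class names are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30                        # seconds during which the "challenge" (time) is fixed
KEY = b"12345678901234567890"    # RFC 6238 test key, used as a sample token secret
T0 = 1_000_000_020               # constructed timestamp at the start of a time step


def time_otp(key, unix_time, digits=6, step=STEP):
    """RFC 6238 TOTP with HMAC-SHA1 (stand-in for the token's own algorithm)."""
    counter = int(unix_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class NaiveVerifier:
    """Accepts any correct code: the same code works for the whole time step."""

    def __init__(self, key):
        self.key = key

    def login(self, code, now):
        return hmac.compare_digest(code, time_otp(self.key, now))


class SingleUseVerifier:
    """Remembers the last accepted time step and refuses to accept it twice."""

    def __init__(self, key):
        self.key = key
        self.last_step = -1

    def login(self, code, now):
        step = int(now) // STEP
        if step <= self.last_step:
            return False                     # this step was already consumed
        if not hmac.compare_digest(code, time_otp(self.key, now)):
            return False
        self.last_step = step
        return True


def second_session(verifier, t_first, t_second, key=KEY):
    """The legitimate login at t_first, then the same displayed code is
    presented again at t_second. Returns (first_ok, second_ok)."""
    code = time_otp(key, t_first)
    return verifier.login(code, t_first), verifier.login(code, t_second)


if __name__ == "__main__":
    print("naive, +5 s      :", second_session(NaiveVerifier(KEY), T0, T0 + 5))
    print("single-use, +5 s :", second_session(SingleUseVerifier(KEY), T0, T0 + 5))
    print("naive, +30 s     :", second_session(NaiveVerifier(KEY), T0, T0 + STEP))
```

Single-use tracking removes the second session but not a real-time man in the middle, who uses the code before the legitimate login completes.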

Page 99: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

RSA SecurID is a 2-factor System

=> PC login…

Page 100: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Proprietary Symmetric Algorithm

(secret)

Page 101: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Another Example = OTP Mode

[Diagram: OTP mode. Labels: 16-bit counter; CBC 3DES MAC; 64-bit cryptogram; selected bits; 7+ lower bits; 4+4 digits output.]

Page 102: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Challenge-Response Protocols

• Better,
– the right answer to replay attacks.
– essential and indispensable

Page 103: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

C-R Authentication - History

IFF: Identify Friend or Foe (1942)

Challenge-Response

problem: relay attacks

Page 104: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Man In the Middle ≥ Relay Attacks

Mitigated by precise measure of timing.

travel faster than speed of light => travel in time.

problem: relay attacks

Page 105: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Nonces and Time Stamps

Page 106: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Has Been Done…

Page 107: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Ross Anderson’s MITM Complete Setup

Page 108: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Nonces

nonce = a number used once, counter/sequence number
• less secure

in the sense of challenge-response

random nonce = a random challenge = a random

Warning: frequently, a random nonce will be called just nonce, but what is meant is a random nonce.

Page 109: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Time vs. Nonce

Time can replace a random nonce, can simplify protocols,
• between very slightly and a lot less secure,
• mainly depending on time granularity.

Dynamic, half way between static authentication and challenge-response systems (the best).

Page 110: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Uni-directional Authentication

Page 111: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Unilateral Authentication

[Diagram. Labels: statement, my ID.]

Page 112: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Unilateral Authentication

[Diagram. Labels: statement, my ID; [interactive] proof, preferably challenge-response.]

Page 113: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Unilateral Authentication

[Diagram. Labels: statement, my ID; [interactive] proof, preferably challenge-response; this is really my ID.]

Page 114: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Unilateral Authentication with Random Nonces

Page 115: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Unilateral with a Random Nonce

[Diagram: A and B both hold the key K. Messages: randomB; A, MAC_K(randomB, B).]

can also use a block or stream cipher, but always works as a MAC here

Q1: why the name of A is included?
Q2: why the name of B is included?

Reflection attack: reuse when B authenticating to A concurrently without knowing the key.
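The effect of putting the verifier's name inside the MAC can be checked with a small model of the exchange. The following is an added example, not from the original slides: HMAC-SHA256 is assumed as the MAC, and the `Party` class and its methods are hypothetical names. With the name bound, a value B computes while authenticating to A no longer verifies as A's answer to B.

```python
import hashlib
import hmac
import secrets


class Party:
    """A principal holding K that can challenge (verifier) and respond (prover)."""

    def __init__(self, name, key, bind_verifier_name):
        self.name = name
        self.key = key
        self.bind = bind_verifier_name   # False = weak variant MAC_K(random) only
        self.pending = {}                # claimed peer name -> outstanding nonce

    def _mac(self, nonce, verifier_name):
        # Nonces are always 16 bytes, so nonce || "|" || name is unambiguous.
        data = nonce + (b"|" + verifier_name.encode() if self.bind else b"")
        return hmac.new(self.key, data, hashlib.sha256).digest()

    def challenge(self, claimed_peer):
        """Verifier role: issue a fresh random nonce for this claimed peer."""
        nonce = secrets.token_bytes(16)
        self.pending[claimed_peer] = nonce
        return nonce

    def respond(self, nonce, verifier_name):
        """Prover role: reply with (own name, MAC_K(nonce, verifier name))."""
        return self.name, self._mac(nonce, verifier_name)

    def verify(self, claimed_peer, tag):
        """Verifier role: each nonce is checked once, against our own name."""
        nonce = self.pending.pop(claimed_peer, None)
        if nonce is None:
            return False
        return hmac.compare_digest(tag, self._mac(nonce, self.name))


def honest_run(a, b):
    nonce = b.challenge(a.name)                 # B -> A: randomB
    claimed, tag = a.respond(nonce, b.name)     # A -> B: A, MAC_K(randomB, B)
    return b.verify(claimed, tag)


def reflection_accepted(b):
    """Someone without K claims to be A, and in a concurrent session where B
    authenticates to A hands B its own randomB, then returns B's answer."""
    nonce = b.challenge("A")
    _, tag = b.respond(nonce, "A")
    return b.verify("A", tag)


def replay_accepted(a, b):
    """A recorded answer is presented again against a fresh randomB."""
    nonce = b.challenge(a.name)
    claimed, old_tag = a.respond(nonce, b.name)
    b.verify(claimed, old_tag)
    b.challenge(a.name)
    return b.verify(claimed, old_tag)


if __name__ == "__main__":
    k = secrets.token_bytes(32)
    print("honest run:", honest_run(Party("A", k, True), Party("B", k, True)))
    print("reflection, MAC_K(randomB):   ", reflection_accepted(Party("B", k, False)))
    print("reflection, MAC_K(randomB, B):", reflection_accepted(Party("B", k, True)))
```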

Page 116: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Case Studies or How Is It Done?

(cf. also the UCL Smart Cards Lab)

Page 117: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Case Studies: PIN Sentry Again

Page 118: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

C-R Mode

[Diagram: C-R mode. Labels: 16-bit counter; 4-digit challenge; CBC 3DES MAC; 64-bit cryptogram; selected bits; 7+ lower bits; 4+4 digits output.]

Page 119: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Sign Mode

[Diagram: Sign mode. Labels: 16-bit counter; 4-digit challenge; amount, currency, account nb; 8 digits; CBC 3DES MAC; 64-bit cryptogram; selected bits; 7+ lower bits; 4+4 digits output.]

Page 120: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Case Studies: GSM

Page 121: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

GSM Security

[Diagram: GSM security. Labels: SIM card with Ki, A3, A8; Mobile Equipment with A5; Base Station; GSM Operator Authentication Center with Ki, A3, A8; challenge RAND; Signed RESponse (SRES); SRES values compared (are = ?); precomputed triples: (RAND,SRES,Kc); Kc on both sides; Fn on both sides; mi, Encrypted Data, mi.]

Page 122: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

SIM Card Side

secret key

Triples RAND, SRES, Ki are stored in BS

Data with redundancy: terrible mistake…

data block of 114 bits.

Page 123: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Authentication in Practice

[Diagram. Labels: SIM card; A3 with Ki on both sides; challenge RAND; Signed RESponse (SRES); are = ?]

• RUN GSM ALGORITHM

Example: A0 88 00 00 10 XX …………….XX

– A0 = CLA, 88 = INS, 00 00 = both 0
– XX …………….XX = 16 bytes random nonce
– no L_e, no data in reply expected, result will be visible in the status bytes = 0x9F Le
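The command above and the precomputed triples (RAND, SRES, Kc) from the GSM Security slide fit together as follows. This is an added example, not from the original slides: the real A3/A8 are operator-dependent, so HMAC-SHA256 is assumed as a stand-in, the card is a simplified simulator, and fetching the 12-byte reply (SRES then Kc) with GET RESPONSE follows GSM 11.11 rather than the slide.

```python
import hashlib
import hmac
import secrets

CLA_GSM = 0xA0
INS_RUN_GSM_ALGORITHM = 0x88
INS_GET_RESPONSE = 0xC0   # GSM 11.11 command that fetches the pending reply


def a3a8_stand_in(ki, rand):
    """ASSUMPTION: HMAC-SHA256 replaces the operator's secret A3/A8.
    Returns SRES (4 bytes) and Kc (8 bytes)."""
    out = hmac.new(ki, rand, hashlib.sha256).digest()
    return out[:4], out[4:12]


def build_run_gsm_algorithm(rand):
    """A0 88 00 00 10 followed by the 16-byte challenge, as on the slide."""
    if len(rand) != 16:
        raise ValueError("RAND must be 16 bytes")
    return bytes([CLA_GSM, INS_RUN_GSM_ALGORITHM, 0x00, 0x00, 0x10]) + rand


class SimulatedSim:
    """Simplified card model: only the two commands used here."""

    def __init__(self, ki):
        self._ki = ki          # never leaves the card
        self._pending = b""

    def transmit(self, apdu):
        """Return (data, (SW1, SW2))."""
        cla, ins, p1, p2, p3 = apdu[:5]
        if cla == CLA_GSM and ins == INS_RUN_GSM_ALGORITHM and len(apdu) == 21:
            sres, kc = a3a8_stand_in(self._ki, apdu[5:])
            self._pending = sres + kc
            return b"", (0x9F, len(self._pending))   # 0x9F Le: reply is waiting
        if cla == CLA_GSM and ins == INS_GET_RESPONSE and p3 == len(self._pending) > 0:
            data, self._pending = self._pending, b""
            return data, (0x90, 0x00)
        return b"", (0x6F, 0x00)                     # simulator's catch-all error


def make_triples(ki, count):
    """Authentication Center: precompute (RAND, SRES, Kc) triples from Ki."""
    triples = []
    for _ in range(count):
        rand = secrets.token_bytes(16)
        sres, kc = a3a8_stand_in(ki, rand)
        triples.append((rand, sres, kc))
    return triples


def authenticate(sim, triple):
    """Network side: consumes one triple and never sees Ki.
    Returns Kc for A5 if the card's SRES matches, otherwise None."""
    rand, expected_sres, kc = triple
    _, (sw1, length) = sim.transmit(build_run_gsm_algorithm(rand))
    if sw1 != 0x9F:
        return None
    data, status = sim.transmit(bytes([CLA_GSM, INS_GET_RESPONSE, 0, 0, length]))
    if status != (0x90, 0x00) or len(data) != 12:
        return None
    sres = data[:4]                  # data[4:] is the card's own copy of Kc
    return kc if hmac.compare_digest(sres, expected_sres) else None


if __name__ == "__main__":
    ki = secrets.token_bytes(16)     # constructed subscriber key
    triple = make_triples(ki, 1)[0]
    print("genuine card :", authenticate(SimulatedSim(ki), triple) is not None)
    print("other card   :", authenticate(SimulatedSim(secrets.token_bytes(16)), triple) is not None)
```

The card answers any RAND it is given and checks nothing about who sent it, which is the unilateral property discussed later in the deck.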

Page 124: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Running the Secret Algorithm (with secret key)

Custom crypto, operator-dependent.

Page 125: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Embarrassing Discoveries

• Keys generated by typical UK and French cards (I’ve checked many): 64 bits.
• Key in Polish Orange card: 64 bits.
• All Chinese cards checked: 64 bits.
• Card bought in Russia in 2007 (operator = “MTC”):
– 54 bits only
• What about Estonia, member of the EU?
– I went to Estonia last year (2009).
– Bought a SIM card from “simpel”:
• The key also is restricted to 54 bits.
– The weakest GSM keys in the EU… Also in Greece.

Page 126: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Unilateral vs. Mutual Authentication

Page 127: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Crypto Protocols and Smart Cards

Unilateral Authentication

Historically very popular.

Examples:
• password -> login
– OK if we trust the browser + the DNS,
  • or a PK certificate-based secure tunnel is needed.
• SIM card -> GSM base station (fixed in 3G)
• offline bank card transactions -> Point of Sale terminal

Problems:
• login page spoofing etc.
• false GSM base stations,
• false ATMs,

Page 128: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Uni-directional vs. Mutual Authentication

[Diagram: two parties, each holding K; statement1 with [interactive] proof1, and statement2 with [interactive] proof2.]

Page 129: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Asymmetry

Page 130: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Asymmetry

Not good: why should one party authenticate first? No reason.
So in fact most of the time we have both authentications interconnected together in one indivisible protocol.

Can the asymmetry be removed?
• well, it can “almost” be removed, but we don’t really want to, more about this later…

Page 131: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Who Goes First?

Typically:
• one device A first gives its ID
• another device B first sends a “cryptogram” that depends on the secret key.

If one device is easier to capture for the attacker, it should NOT be the first to respond with anything related to the secret keys.

This makes such devices unbreakable,
• even by offline brute force attacks
  – even if the attacker has infinite computing power
• more importantly, also very robust against side channel attacks
It remains breakable by online brute force, but this is too slow in practice.

Page 132: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Example:

Contactless smart cards:
• Oyster Cards,
• building passes, etc.

The card never answers anything related to the secret key before the reader first proves his identity.

Thus the attacker can only break it if he has access to the legitimate terminal,
• must penetrate inside the building etc,
• cannot just make a copy of card at home.
It is like a key that can only be copied if the attacker has access to both the key and the actual lock in the actual door.

Page 133: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Asymmetry

Can the asymmetry be removed?
• in theory no, not completely,
• can be “almost” removed:
  – more precisely the information leaked by the first entity to disclose anything can be very small (1 bit)
    • progressive disclosure…
    • then the protocol would be slow, tens of messages…
• in practice not removed at all, in fact this is used by designers of systems to their advantage…

Page 134: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Case Studies: Oyster Card

Page 135: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Mutual Authentication + Secure Messaging

[Diagram labels, exchange between card (tag) and reader:]
• tag random, 32 bits
• card ID, 32 bits
• tag resp., 32 bits
• encr. rdr random + rdr resp., 2x32 bits

=> starting from now, all read/write commands data is sent encrypted…

Page 136: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Key Establishment

Page 137: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Extension:

In many cases the “in one piece” protocols go further: they also include a key establishment part.

This key is later used for channel encryption (secure messaging) of all further commands and data.

Key establishment is an independent question of great interest.

Plan:
• study key establishment first
• see how this is combined with mutual authentication

[Diagram label: encrypted]

Page 138: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Secure Messaging: like VPN, Point to Point

[Diagram labels: DES_K at both ends; Issuer bank; “encrypted”; “encrypted still”.]

Page 139: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

The Need

Secure messaging: encrypt all exchanges (commands and data) between Alice and Bob.

[Diagram label: Encrypted]

Key establishment is kind of always needed, even if Alice and Bob already share a key.

Need for a session key (a short term key):

Page 140: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Why Short Term Keys?

Need for a session key (a short term key):
• limit key exposure,
  – in many systems (e.g. GSM) session keys are pre-computed in advance by a more secure part of the system (!)
  – Bank card master key never used with data chosen by the user (foil DPA).
• keys should be fresh in order to prevent replay of the messages from the last session => total session independence
• cryptanalysis: security of symmetric crypto degrades with usage, => limit amount of data that the attacker can dispose of.
• better to re-establish keys when needed,
  – avoid expensive storage of too many keys locally
• in PK case, it is in fact TOTALLY impossible to use PK crypto to encrypt quantities of data, just too slow, so a symmetric key is always needed.
  – one method to get it is key establishment, studied here later.
  – second method is called hybrid encryption, e.g. in PGP / GNU PG.

Page 141: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Key Establishment

Three types:
• symmetric crypto + TTP
• public key crypto + authentic[ated] channel
• no crypto + noisy channels (not covered here)

Page 142: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Key Derivation

Page 143: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Symmetric Key Derivation

Again needed even if the key is already shared.

key diversification = key derivation, very widely used in the industry:
• bank cards
• car locks
• contactless cards [e.g. Oyster]
• built-in component in stream ciphers
• etc.

[Diagram: long-term shared key K and IV / data -> Encrypt_K or Hash -> short-lived session key]
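The reader-first rule from the “Who Goes First?” and Oyster slides, combined with the session-key derivation sketched above, as an added example (not code from the slides or from any card vendor). HMAC-SHA256 stands in for the “Encrypt_K or Hash” box, and the class names, message labels and full-length proofs are assumptions; only the nonces keep the slides' 32-bit size.

```python
import hashlib
import hmac
import os


def prf(key, label, *parts):
    """Keyed function standing in for 'Encrypt_K or Hash' (assumption: HMAC-SHA256)."""
    mac = hmac.new(key, label, hashlib.sha256)
    for part in parts:
        # Length-prefix every field so that field boundaries are unambiguous.
        mac.update(len(part).to_bytes(2, "big") + part)
    return mac.digest()


class Card:
    """The easily captured device: it never emits key-dependent data first."""

    def __init__(self, uid, key):
        self.uid = uid
        self.key = key
        self.nonce = None
        self.session_key = None

    def start(self):
        # Message 1: card ID plus a fresh random. Neither depends on the key.
        self.nonce = os.urandom(4)
        self.session_key = None
        return self.uid, self.nonce

    def finish(self, reader_nonce, reader_proof):
        # Message 3 is produced only after the reader's proof has been verified.
        if self.nonce is None:
            return None
        nonce, self.nonce = self.nonce, None  # one attempt per card nonce
        expected = prf(self.key, b"reader", self.uid, nonce, reader_nonce)
        if not hmac.compare_digest(expected, reader_proof):
            return None  # stay silent: no key-dependent bits for the caller
        self.session_key = prf(self.key, b"session", nonce, reader_nonce)
        return prf(self.key, b"card", self.uid, reader_nonce, nonce)


class Reader:
    """The legitimate terminal: it has to prove knowledge of the key first."""

    def __init__(self, keys):
        self.keys = keys  # card ID -> long-term shared key
        self.state = None
        self.session_key = None

    def respond(self, uid, card_nonce):
        # Message 2: reader random plus a proof bound to both randoms and the ID.
        key = self.keys[uid]
        nonce = os.urandom(4)
        self.state = (key, uid, card_nonce, nonce)
        return nonce, prf(key, b"reader", uid, card_nonce, nonce)

    def verify(self, card_proof):
        key, uid, card_nonce, nonce = self.state
        expected = prf(key, b"card", uid, nonce, card_nonce)
        if card_proof is None or not hmac.compare_digest(expected, card_proof):
            return False
        # Fresh session key: derived from the long-term key and both randoms.
        self.session_key = prf(key, b"session", card_nonce, nonce)
        return True


def run_session(card, reader):
    """Full exchange; returns (mutual_auth_ok, card's session key)."""
    uid, card_nonce = card.start()
    reader_nonce, reader_proof = reader.respond(uid, card_nonce)
    card_proof = card.finish(reader_nonce, reader_proof)
    ok = reader.verify(card_proof)
    return ok and card.session_key == reader.session_key, card.session_key


def rogue_reader_probe(card):
    """A reader without the key: what key-dependent material does it obtain?"""
    card.start()
    return card.finish(os.urandom(4), os.urandom(32))


if __name__ == "__main__":
    # Constructed sample values, not real card data.
    uid, key = bytes.fromhex("01020304"), bytes(range(16))
    card, reader = Card(uid, key), Reader({uid: key})
    print(run_session(card, reader)[0], rogue_reader_probe(card))
```

A reader that lacks the key gets only the card ID and a random value, so it has nothing to run an offline key search against; each genuine session ends with a different session key.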

Page 144: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Cracking the Oyster Card

Page 145: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Attacks with a [Genuine] Reader

Page 146: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Key Recovery:

Brute Force
• About 4 years on 1 CPU. Minutes w. FPGA.

Nijmegen Attack
• 0.05 seconds.

[de Koning Gans et al, Esorics 2008]

These are mild threats. Why?

Page 147: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Keystream Needed:

In Theory: Keystream Data => 0.05 seconds.

In practice: Very hard to get this data.

Small window of opportunity for the thief.

Page 148: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

However

Known attacks: Require to either
• scan legitimate card reader [that must already know the key!]
• eavesdrop and record genuine transactions
  • and also later: access to the card (<10 cm).

NOT very practical. Require to already penetrate inside the building with equipment etc…

Page 149: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Interception - Another Slight Problem…

Regulation of Investigatory Powers Act RIPA [2000].

[…] “It shall be an offence for a person intentionally and without lawful authority to intercept, at any place in the United Kingdom, any communication in the course of its transmission” […]

Page 150: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Card-Only Attacks

Page 151: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Card-Only Attacks

The real security question is:

Can I copy it, when I am sitting near the cardholder for a few minutes in the underground (contactless card queries).

Yes!

Page 152: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Card-Only Attacks

Danger is 24h/24:

Anybody that is sitting/standing next to you can steal your identity (or at least enter some very nice building…)

Page 153: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Card-Only Attacks

Infeasible -> Possible?

Page 154: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Parity Attacks

Problem 1: The card does encrypt data with redundancy.

One should never do that.
• more costly
• weaker
  – and even weaker with a stream cipher: Ciphertext Only attack (weak) => gives (small weight) LINEAR equations on the keystream (very strong)
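Why encrypted redundancy turns a ciphertext-only position into linear equations on the keystream, as an added example (not from the slides). It assumes a constructed framing, one odd parity bit per plaintext byte with every bit encrypted by its own keystream bit, which is not claimed to be the exact MiFare Classic framing; random bits stand in for the cipher output.

```python
import os


def byte_bits(value):
    """Bits of one byte, least significant first."""
    return [(value >> i) & 1 for i in range(8)]


def frame_with_parity(data):
    """Plaintext framing (assumed): 8 data bits followed by one odd parity bit."""
    framed = []
    for value in data:
        bits = byte_bits(value)
        parity = 1 ^ (sum(bits) & 1)  # makes the number of ones in the group odd
        framed.extend(bits + [parity])
    return framed


def random_bits(count):
    """Stand-in keystream; the relation below holds for any stream cipher."""
    raw = os.urandom((count + 7) // 8)
    return [(raw[i // 8] >> (i % 8)) & 1 for i in range(count)]


def stream_encrypt(bits, keystream):
    """Stream cipher encryption: XOR each bit with its keystream bit."""
    return [b ^ k for b, k in zip(bits, keystream)]


def keystream_parities_from_ciphertext(cipher_bits):
    """Ciphertext only: one linear equation of weight 9 per transmitted byte.

    Every plaintext group XORs to 1 (odd parity), whatever the data is, so
    XOR(keystream group) = 1 ^ XOR(ciphertext group).
    """
    equations = []
    for start in range(0, len(cipher_bits) - 8, 9):
        group = cipher_bits[start:start + 9]
        equations.append(1 ^ (sum(group) & 1))
    return equations


def true_keystream_parities(keystream):
    """Ground truth, computed with knowledge of the keystream."""
    return [sum(keystream[s:s + 9]) & 1
            for s in range(0, len(keystream) - 8, 9)]


def demo(plaintext):
    """Returns (what an eavesdropper derives, what is actually true)."""
    framed = frame_with_parity(plaintext)
    keystream = random_bits(len(framed))
    cipher = stream_encrypt(framed, keystream)
    return (keystream_parities_from_ciphertext(cipher),
            true_keystream_parities(keystream))


if __name__ == "__main__":
    leaked, actual = demo(os.urandom(8))  # constructed random plaintext
    print(leaked == actual)
```

Dropping the parity bit from the encrypted frame, or computing the integrity check over the ciphertext instead, removes these equations.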

Page 155: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Compare to GSM

BTW: For the same reason it is currently easy to eavesdrop on GSM communications.
And sometimes make free calls…

Cf. [Biham-Barkan-Keller: Instant Ciphertext-Only Cryptanalysis of GSM.. Crypto’03 and JoC’08]

Page 156: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Problem 2: A Bug in MiFare Classic

Discovered accidentally.
• sometimes, under certain conditions, the card outputs a mysterious 4 bits…
• given the fact that many RFID readers are not 100 % reliable, it is easy to overlook it

Page 157: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

The Bug?

Or maybe a backdoor?
• Stop pretending that everything happens by accident.
• We need to assume the worst scenario and examine the consequences:
  – Smart card companies are in the position to embed backdoors in products and these will NOT be found for many many years…

Page 158: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Secure Product Development

Page 159: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Secure Hardware Dev. Management

[In smart cards] one design criterion that differs from the criteria used for standard chips but is nonetheless very important is that absolutely no undocumented mechanisms or functions must be present in the chip ('that's not a bug, that's a feature').

Since they are not documented, they can be unintentionally overlooked during the hardware evaluation and possibly be used later for attacks. The use of such undocumented features is thus strictly prohibited [...]

[pages 518-519 in the Smart Card handbook by Wolfgang Rankl and Wolfgang Effing, 1088 pages, Wiley, absolute reference in the industry]

Page 160: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Application Development Management

Goals:
• Avoid backdoors, Trojans, covert channels, bugs etc.
• Kleptography: techniques to leak keys to the attacker,
  • form of perfect crime.

There are various forms of leaking keys:
• intentionality impossible to prove
• intentionality provable ONLY with source code

Page 161: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Application Development Management

Solutions:
• Never one developer works alone on an application.
• One developer knows only some parts of the spec(!).

Page 162: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Application Development Management

Solutions:
• Security audits
  – auditor from the customer: large bank, etc.
• Common Criteria evaluations:
  – The source code is inspected by an independent company: government agency [e.g. GCHQ] or an evaluation lab [such as CEA-LETI] mandated and paid by the customer [to avoid conflicts of interests].

Page 163: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

***Common Criteria Certificates

• CESG at GCHQ
  – Communications-Electronics Security Group at Government Communications Headquarters

=> Common Criteria Scheme

Page 164: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

EAL = Evaluation Assurance Level

• EAL1: Functionally Tested
  • no need to disclose the design/sources to government agencies…
• EAL2: Structurally Tested
  • 6 months, 150 K$
• EAL3: Methodically Tested and Checked
• EAL4: Methodically Designed, Tested, and Reviewed
  – EAL4+: augmented requirements [better crypto!]
  – 24 months, 150 K$ - 2.5 M$ per product
  – Ms. Windows 2000 was certified for an undisclosed amount
• EAL5: Semi-formally Designed and Tested
• EAL6: Semi-formally Verified Design and Tested
• EAL7: Formally Verified Design and Tested

[Side labels on the slide: commercial, military]

Page 165: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Card-Only Attacks

Infeasible -> Possible?

Page 166: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

The “Bug”

Under certain (parity) conditions when we try to spoof the card with an invalid cryptogram, the card replies with 4 bits.

These 4 bits are the encrypted NACK command at a certain later moment in the keystream generation process.

Page 167: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Attacks

Best Attack:
– Multiple Differential Attack by Courtois, in SECRYPT 2009.
  • card-only attack,
  • 300 queries to the card,
    – very fast!!!
      » but precise timing needed.
– Can be combined with Nested Authentication attack by the Dutch Nijmegen group.

Then the whole card can be cloned in 10 seconds.

Page 168: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

third stage

Page 169: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Contemporary Cryptology

• Re-Birth of Cryptology: Invention of Public Key Cryptosystems [1970s].
• ONE CAN DO MUCH BETTER than encryption with a [shared] secret key !!!! (which is not obvious)

Page 170: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Third Stage – Public Key Cryptography

No shared key, One private and one public key.

Private key: generated and stored securely…

Page 171: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Third Stage – Public Key Cryptography

Public key: can be distributed to many parties. Does not have to be public (but the system remains secure when it is).

Page 172: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Unilateral C-R Authentication - PK Versions

Page 173: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Public Key – Based Schemes

Here more possibilities exist.
Two approaches. Alice has her private key SK(A).
Two methods to demonstrate the knowledge of this key:
• sign a message chosen by Bob.
• decrypt a message encrypted by Bob with Alice’s public key.

How?

Page 174: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

PK-Unilateral with PK Encryption

[Diagram labels: A, B; SK_A, PK_A; PK_A]
B -> A: h(rB), B, E_PK(A)(rB, B)
A -> B: rB

Q1: why do we have h(rB) in the first message? A witness: -CCA.
Q2: why do we have B twice in the first message?

Vaguely compelling reasons: Guarantees good independence of different sessions. Bob’s identity is known and the person that produced the random is the only one that is able to know who B is. Alice checks if B=B before she replies.

Page 175: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Same with PKI

[Diagram labels: A, B; SK_A, PK_A; PK_Cert; certA, PK_A]
B -> A: h(rB), B, E_PK(A)(rB, B)
A -> B: rB

Page 176: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Public Key – Based Schemes

Here more possibilities than with time.
Two approaches exist. Alice has her private key SK(A).
Two methods to demonstrate the knowledge of this key:
• decrypt a message encrypted by Bob with Alice’s public key.
• sign a message chosen by Bob.

With PKI, second solution is more practical! (the first required one more message)

Page 177: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

PK-Unilateral with Dig. Sign.

[Diagram labels: A, B; SK_A, PK_A; PK_Cert; PK_A]
B -> A: rB
A -> B: certA, rA, S_SK(A)(rA, rB, B)

Q1: why don’t we have A here? Unique key.
Q2: why have we added rA here?

Page 178: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

PK-Unilateral with Dig. Sign.

[Diagram labels: A, B; SK_A, PK_A; PK_Cert; PK_A]
B -> A: rB
A -> B: certA, rA, S_SK(A)(rA, rB, B)

Q1: why don’t we have A here? Unique key.
Q2: why have we added rA here? Again CCA, prevent signing messages entirely chosen by a potential attacker => not strictly needed if signature scheme is proven secure... + subtle reasons: allow audit/freshness even if Bob’s random numbers repeat.
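The signature-based exchange above, run end to end as an added example (not from the slides): it shows what rB and B inside the signed data buy the verifier, and that Alice never signs a message chosen entirely by the other side. Assumptions: textbook RSA over two well-known Mersenne primes is an insecure toy stand-in for the card's signature scheme, Bob already holds an authentic PK_A so the certA check is omitted, and all class and function names are made up here.

```python
import hashlib
import os

# Toy key pair for Alice (assumption, illustration only): real keys use
# random primes and a padded signature scheme.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                           # PK_A modulus
E = 65537                           # PK_A exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # SK_A


def digest(*fields):
    """Hash of the length-prefixed fields (rA, rB, B), as an integer."""
    h = hashlib.sha256()
    for field in fields:
        h.update(len(field).to_bytes(2, "big") + field)
    return int.from_bytes(h.digest(), "big")


def sign(*fields):
    """S_SK(A)(fields): hash-then-sign with the toy private key."""
    return pow(digest(*fields), D, N)


def verify(signature, *fields):
    """Check a signature with PK_A = (N, E)."""
    return pow(signature, E, N) == digest(*fields)


class Alice:
    """Prover: holds SK_A and answers a challenge rB from a named verifier."""

    def respond(self, r_b, verifier_id):
        # rA: her own randomness, so the signed message is never fully
        # chosen by whoever sent the challenge.
        r_a = os.urandom(16)
        return r_a, sign(r_a, r_b, verifier_id)


class Verifier:
    """Bob (or any other verifier): knows PK_A and its own identity."""

    def __init__(self, identity):
        self.identity = identity
        self.pending = None

    def challenge(self):
        self.pending = os.urandom(16)  # fresh rB for every run
        return self.pending

    def accept(self, r_a, signature):
        if self.pending is None:
            return False
        r_b, self.pending = self.pending, None  # each challenge is single-use
        return verify(signature, r_a, r_b, self.identity)


def scenarios():
    """Three runs: honest, replayed response, response meant for another verifier."""
    alice, bob, carol = Alice(), Verifier(b"B"), Verifier(b"C")
    results = {}

    r_b = bob.challenge()
    r_a, sig = alice.respond(r_b, b"B")
    results["honest"] = bob.accept(r_a, sig)

    bob.challenge()  # new rB: the recorded response no longer matches
    results["replay"] = bob.accept(r_a, sig)

    r_c = carol.challenge()
    relayed = alice.respond(r_c, b"B")  # Alice believes she is talking to B
    results["relayed_to_other_verifier"] = carol.accept(*relayed)
    return results


if __name__ == "__main__":
    print(scenarios())
```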

Page 179: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Case Studies: Bank Cards

Page 180: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Security of Chip Cards

Security varies depending on offline/online transactions

5 Protections:
1. Visual: hologram, special font, UV, h. signature…
   • CVV2 code also at the back (3-4 digits)
2. Cardholder verification with a PIN code,
   – Online verification – ATM withdrawals, magstripe only.
   – Offline POS - PIN verified by the card.
3. Static RSA signature, inside the chip (B0’: VS, VA, EMV: SDA functionality).
4. 3DES cryptogram generation by the chip. Authenticates individual transaction by a MAC (symmetric signature). (CAI with B0’, ARQC with EMV)
5. NVM stores all transactions for about the last 3 months…
+ EMV: cards are updated online, so that clones can be detected also in this way…

Page 181: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Cardholder / PIN

On-card PIN verification function.

[Diagram: PIN: not encrypted except in some EMV DDA cards; Y/N: not authenticated except in EMV DDA cards]

Page 182: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Humpich Attack 1A (harder)

YES CARD: needed: all data of a stolen card
• copy to a programmable card
• NO NEED TO KNOW THE PIN
• Works in offline terminals

[Diagram: PIN: Random PIN; answer: YES! (not authenticated)]

Page 183: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Humpich Attack 1B (easier)

Connect between the card and the reader, change NO -> YES

[Diagram: PIN: Random PIN; NO (not authenticated); YES (not authenticated)]

Page 184: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Conclusion

The “Yes” MUST BE digitally signed.

Time to use it.
• Current cards (DDA chips) are powerful enough to allow this.
  – Banks were extremely negligent in not making it obligatory so far.

Page 185: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Security of Individual Bank Transactions

Each transaction is certified by the card by a MAC (Message Authentication Code), a “secret key signature” of the transaction.

Page 186: Cryptographic Protocols and Smart Cards - Nicolas Courtois · Cryptographic Protocols and Smart Cards Nicolas T. Courtois 1, ex. 2 1 -University College of London , UK 2 = [Axalto+Gemplus]

Secure + Authenticated Messaging

[Diagram labels: 3DES_K at both ends; encrypt + MAC; “private+authentic” on both links; intermediary: cannot decrypt: good]

Q: can it check the MAC???


Beyond Cryptograms

Problem: the MAC, a “secret key signature” of the transaction, can only be checked with a real-time connection to the Issuer bank.

Needed: public key signature:
• Everyone can verify
• Non-repudiation: even the bank cannot forge this certificate.
• Now exists: in the EMV specifications.


3. EMV: Really “Smart” Bank Cards

Reason 1: Autonomy


EMV: much smarter than B0’

B0’: the terminal controls all. The card is there mainly to answer commands.

EMV: cards are intelligent and autonomous, know what they do, take informed security decisions: ⇒ The card can accept or reject a transaction based on a complex set of rules and controls!


3. EMV: Really “Smart” Bank Cards

Reason 2: PK crypto!


What France could not do…

In the 80s and the 90s it was impossible to implement a public-key signature algorithm on a smart card. RSA: 2 minutes….. Even recently 0.5 sec.

At Bull CP8, Jacques Patarin, Louis Goubin and Nicolas Courtois spent 10 years trying to find a much “cheaper” PK scheme.

Output: Sflash [broken in 2006 by Shamir et al].


What France … the time did.

Beginning of 90s: RSA - 2 minutes.

In 2009 it is possible to compute an RSA signature in 10 ms on a middle range smart card.

Maturity.


EMV specifications

EMVCo = Europay, MasterCard, VISA.

Specs developed in 1996-2001.
• Very flexible and very complex, 1M options…
• All this complexity is useful.
• Cryptographic point of view: Incorrect until December 2001.


EMV Overview
optimistic version with DDA used

[Diagram labels: 2 private keys, PIN Encryption key can be different; 3DES ICC Master Key]

ATC = Application Transaction Counter
SAD = Static Authentication Data = PAN + Exp + …


EMV Transaction


Case Studies: e-Passports


Electronic Passports Today

• Chip integrated in the cover
  – Main goals: store biometric data [US congress]
  – Machine Readable Zone (MRZ)
• Personal and biometric data (photo)
  – protected by basic access control (BAC) [Key = f(MRZ)]
  – PA: Passive Authentication: PKI, all data authenticated by a mandatory static signature,
    • Digital Signatures with RSA/DH, ECC or both
• More advanced security mechanisms [new]
  – Challenge-response Active data Authentication (AA)
  – Extra data [fingerprints]:
    • Access only by “authorized border authorities”
    • Extended Access Control (EAC) mechanism

[Callouts: (optional); All EU passports >2009]


Basic Access Control [BAC]

Encryption keys derived from MRZ

[Diagram labels: optical; f; encrypted and authenticated]


BAC

Meant to protect against:
• unauthorised R/W access to data
• eavesdropping
• altering the communication

[Diagram label: encrypted and authenticated]
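The slides give the BAC key only as Key = f(MRZ). As an added example (not from the slides), the sketch below follows the key derivation published in ICAO Doc 9303 and is exercised on the specimen MRZ fields from that document's worked example; the function names are illustrative.

```python
import hashlib

WEIGHTS = (7, 3, 1)  # repeating MRZ check-digit weights

def char_value(c):
    """MRZ character value: digits as-is, '<' = 0, A..Z = 10..35."""
    if c.isdigit():
        return int(c)
    return 0 if c == "<" else ord(c) - ord("A") + 10

def check_digit(field):
    total = sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field))
    return str(total % 10)

def mrz_information(doc_no, birth, expiry):
    """Document number, date of birth, date of expiry, each with its check digit."""
    fields = (doc_no.ljust(9, "<"), birth, expiry)
    return "".join(f + check_digit(f) for f in fields)

def odd_parity(key):
    """Set the low bit of every byte so each byte has odd parity (DES convention)."""
    out = bytearray()
    for b in key:
        ones = bin(b >> 1).count("1")
        out.append((b & 0xFE) | (0 if ones % 2 else 1))
    return bytes(out)

def derive(k_seed, counter):
    """3DES key = first 16 bytes of SHA-1(K_seed || 32-bit counter), parity-adjusted."""
    d = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
    return odd_parity(d[:16])

def bac_keys(doc_no, birth, expiry):
    """Return (K_seed, K_enc, K_mac); all depend only on data printed in the MRZ."""
    info = mrz_information(doc_no, birth, expiry).encode("ascii")
    k_seed = hashlib.sha1(info).digest()[:16]
    return k_seed, derive(k_seed, 1), derive(k_seed, 2)
```

The keys are a function of printed data alone, which is why the reader must first scan the MRZ optically before it can open the encrypted and authenticated channel.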


Passive/Static Data Authentication = PA

Signed once for all.

[Diagram label: data, signature]


PA

Protects against forgery (create a new British citizen) but still NOT against copy == passport cloning!

[Diagram label: data, signature]


AA = Active Authentication

Protects against cloning. More expensive. Optional.

PK certificate ∈ DG15, signed by the government

[Diagram labels: PKCert; random; proof of knowledge of private key]
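Added example, not from the slides: a model of why a static signature (PA on a passport, static data on a bank card) still verifies on a copy, while a signed response to a fresh challenge (AA, or a signed “Yes” from a bank card) does not. It uses textbook RSA with constructed toy keys built from Mersenne primes, treats the chip public key as a constant instead of reading it from a certificate, and every class and function name is an assumption made for the illustration.

```python
import hashlib
import secrets

E = 65537

def make_key(p, q):
    """Toy RSA key from two primes: returns (modulus, private exponent)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg, n, d):
    return pow(digest(msg, n), d, n)

def verify(msg, sig, n):
    return pow(sig, E, n) == digest(msg, n)

# Constructed toy keys (Mersenne primes); far too small for real use.
ISSUER_N, ISSUER_D = make_key(2**107 - 1, 2**127 - 1)
CHIP_N, CHIP_D = make_key(2**61 - 1, 2**89 - 1)

class Chip:
    def __init__(self, data, static_sig, private_d=None):
        self.data, self.static_sig, self.private_d = data, static_sig, private_d

    def answer(self, challenge, result):
        if self.private_d is None:      # a copy holds no private key: it can only guess
            return result, secrets.randbelow(CHIP_N)
        return result, sign(challenge + result, CHIP_N, self.private_d)

def issue(data):
    """Issuer signs the data together with the chip's public key, once."""
    return Chip(data, sign(data + str(CHIP_N).encode(), ISSUER_N, ISSUER_D), CHIP_D)

def copy_of(chip):
    """Everything a reader can see is copied; the private key never leaves the chip."""
    return Chip(chip.data, chip.static_sig)

def static_check(chip):
    return verify(chip.data + str(CHIP_N).encode(), chip.static_sig, ISSUER_N)

def dynamic_check(chip, result=b"YES", seen_on_wire=None):
    """Return the authenticated answer, or None if the signature does not cover it."""
    challenge = secrets.token_bytes(8)
    answer, sig = chip.answer(challenge, result)
    answer = seen_on_wire or answer     # what the terminal received
    ok = static_check(chip) and verify(challenge + answer, sig, CHIP_N)
    return answer if ok else None
```

Because the signature covers the terminal's fresh challenge together with the answer, neither a copied chip nor an answer altered between card and reader passes `dynamic_check`.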


Extending Access Control
now mutual

[Diagram labels: data authenticated; right access authenticated]


Expected Learning Outcomes


(Maybe) Bad Answer | Good Answer
• relying on secrecy, secret spec, stage 1 | • Minimize the secrecy requirements
• Stage 2, symmetric solutions, MAC | • 3. public key solutions, Digital Signatures
• Confidentiality and Privacy | • Integrity, Authenticity, Availability
• Maximize security, Weakest Link, Technology Push, Free Market | • Security=tradeoffs, managing costs and risks, Defense in Depth, Enforcing Limitations
• Software security | • Hardware, Smart Cards, tokens, RFID?
• Static authentication, skimming | • Dynamic, challenge-response
• Unilateral | • Bi-directional
• 1 factor, password + PIN | • 2 factor authentication, Card + PIN
 | • User control


Conclusion


Future:

• Cannot live without Smart Cards or some other secure portable hardware device.
  – Bill Gates recognized it publicly in 2005…
• PKI enabler:
  – fair security: e.g. everyone can verify the authenticity of a bank transaction.
  – 99.9 % unused potential.


How Secure Are Smart Cards?

A necessity: there is no better technology on earth !

…Succeeding requires tamper-proof hardware. But
• no security professional will speak of tamper-proof devices, as opposed to tamper-resistant ones.
• Security is a matter of economics, and not just technology.
  – How much will your attacker spend to defeat your security?
  – Are you protecting something valuable enough that your enemy will resort to the three B's: burglary, bribery or blackmail?
• Protecting against determined adversaries is very hard; it's rarely wise to bet your business on it.”…

[Steve Bellovin blog, 24/08/07]

