© Oberthur Technologies Past & Future Issues in Smartcard Industry Ecrypt 2 Summer School Guillaume Dabosville
Page 1: Past & Future Issues in Smartcard Industry...© Oberthur Technologies Past & Future Issues in Smartcard Industry Ecrypt 2 Summer School Guillaume Dabosville

© Oberthur Technologies

Past & Future Issues in Smartcard Industry

Ecrypt 2 Summer School

Guillaume Dabosville


© Oberthur Technologies 2Security Solutions for a Changing World

Oberthur Technologies: the group – its divisions

- payment, mobile, transport and digital TV markets
- identity documents (e-passport, driving license, health, etc)
- design and printing of banknotes and passports
- ink staining technology

Oberthur Technologies: the group – its revenues (figure)

Oberthur Technologies: the group – the crypto team

crypto & security team: secure primitives; practical evaluation; CC-ready certification (Common Criteria)

Oberthur Technologies: smartcard industry – the main use cases

- payment, mobile, transport and digital TV markets
- identity documents (e-passport, driving license, health, etc)
- design and printing of banknotes and passports
- ink staining technology

agenda

1. from card to smart card: short history; nowadays; why is it smart
2. payment industry: issues in card authentication; static data authentication – SDA; dynamic data authentication – DDA
3. mobile industry: issues in radio access control; 2G networks; 3G networks
4. identity industry: standardization body; description; security needs; BAC / SAC / PACE
5. future issues
6. conclusion

the card industry: a short history

- appears in the 70’s in several countries (France, Germany, Japan, USA)
- several patents contest the ownership
- first uses: prepaid card (memory only); credit cards (microprocessor)

the card industry: nowadays

plastic card, ISO 7816 compliant:
- card dimensions
- physical constraints (flexibility, etc)
- positioning of the contacts
- communication protocols
- internal architecture of the IC

the card industry: nowadays (figure)

the smart card: why is it smart?

From Collins dictionary: smart ~ { brilliant, ingenious, intelligent, chic, elegant… } + many words I do not understand

- brilliant / intelligent: DES, 3DES, AES, RSA (up to 2048 bits), ECC
- ingenious: virtual money; lower risk of money theft; lower cost for cash management (transfer of funds)
- chic / elegant
- secure

the smart card: how much is it smart? – lost & stolen fraud (figure)

the smart card: how much is it smart? – counterfeit fraud (figure)


payment industry: the setting

(diagram: cardholder – merchant – acquirer – infrastructure – issuer)

payment industry: issues in a payment transaction

- card authentication: is it a valid card?
- cardholder verification: is it the cardholder? ask for and check the PIN
- transaction: transaction data → Generate AC → Transaction Certificate


payment industry: static authentication – PKI

(diagram) key material:
- CA: key pair (PKCA, SKCA)
- Issuer: key pair (PKI, SKI); PKI is signed by the CA: CertCA(PKI)
- Acquirer / terminal: holds PKCA
- card: carries CertCA(PKI) + SignSKI(Card Data), i.e. the Card Data signed by the issuer key SKI

payment industry: static authentication – security analysis

- used in B0’ (1989) and in EMV (1995) as Static Data Authentication (SDA)
- subject to replay attacks (because it is static)
- mass attack
- subject to the yescard attack: implemented by Serge Humpich in 1997; SignSK is an RSA signature with a 96-digit modulus n; factorisation of n = p.q is feasible since 1991 [Lenstra91]; can forge new cards with a correct static signature pointing to non-existing accounts; counterfeit cards always answer YES regardless of the entered PIN code
- last RSA factorisation: a 768-bit modulus


payment industry: dynamic authentication – PKI

(diagram) key material and exchange:
- CA: key pair (PKCA, SKCA); Issuer: key pair (PKI, SKI); Acquirer / terminal: holds PKCA
- card: own key pair (PKICC, SKICC), with the certificates CertI(PKICC) and CertCA(PKI)
- terminal sends TD (terminal data); card replies with CertI(PKICC), CertCA(PKI) and SignSKICC(Card Data, TD)

payment industry: dynamic authentication – security analysis

- thwarts replay attacks thanks to challenge-response
- mass attack no longer relevant
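The difference between the two terminal checks, as an added example that is not from the slides or from Oberthur: with a toy textbook RSA signature (an assumption standing in for EMV's format), the SDA check accepts a copied (Card Data, signature) pair exactly as it accepts the card, while the DDA check over the terminal's fresh TD rejects a recorded signature. rsa_keygen, terminal_sda, terminal_dda and the card data values are constructed for the demo.

```python
import hashlib
import math
import random

# Toy RSA for the demo: textbook signature on a SHA-256 digest, 512-bit keys,
# no padding. An assumption for illustration, not EMV's signature format.
def _probable_prime(n, rounds=32):
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13) if n != p):
        return n in (2, 3, 5, 7, 11, 13)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):                      # Miller-Rabin rounds
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _rand_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(c):
            return c

def rsa_keygen(bits=512):
    """Returns (pk, sk) with pk = (n, e)."""
    while True:
        p, q = _rand_prime(bits // 2), _rand_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(65537, phi) == 1:
            return (p * q, 65537), pow(65537, -1, phi)

def _h(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sign(pk, sk, msg):
    return pow(_h(msg), sk, pk[0])

def verify(pk, msg, sig):
    return pow(sig, pk[1], pk[0]) == _h(msg)

# SDA: the issuer signs the static Card Data once at personalisation; the card
# stores SignSKI(Card Data) and replays it. The terminal check is the same for
# the card and for any device that copied the pair.
def terminal_sda(issuer_pk, card_data, stored_sig):
    return verify(issuer_pk, card_data, stored_sig)

# DDA: the card holds its own key pair (PKICC, SKICC), certified by the
# issuer, and signs the terminal's fresh data TD on every transaction.
def terminal_dda(issuer_pk, card_pk, cert_icc, card_data, td, sig):
    cert_ok = verify(issuer_pk, repr(card_pk).encode(), cert_icc)
    return cert_ok and verify(card_pk, card_data + td, sig)

def demo():
    """Constructed run: genuine card, then a copy that only holds what it could
    record. Returns (sda_genuine, sda_copy, dda_genuine, dda_copy)."""
    random.seed(7)                               # reproducible toy keys
    issuer_pk, issuer_sk = rsa_keygen()
    card_data = b"PAN=CONSTRUCTED-0000;EXP=1225"
    stored_sig = sign(issuer_pk, issuer_sk, card_data)
    sda_genuine = terminal_sda(issuer_pk, card_data, stored_sig)
    sda_copy = terminal_sda(issuer_pk, card_data, stored_sig)  # replayed pair
    card_pk, card_sk = rsa_keygen()
    cert_icc = sign(issuer_pk, issuer_sk, repr(card_pk).encode())
    td1, td2 = b"TD-0001", b"TD-0002"            # terminal-chosen challenges
    sig1 = sign(card_pk, card_sk, card_data + td1)
    dda_genuine = terminal_dda(issuer_pk, card_pk, cert_icc, card_data, td1, sig1)
    # a copy without SKICC can only replay sig1; a new TD makes it fail
    dda_copy = terminal_dda(issuer_pk, card_pk, cert_icc, card_data, td2, sig1)
    return sda_genuine, sda_copy, dda_genuine, dda_copy
```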


mobile industry: issues in radio access control

threats → countermeasures:
- SIM theft → PIN code
- tracing → temporary identity and ciphering
- phone-tapping by simulating a false BSS [man-in-the-middle] → mutual authentication, ciphering
- phone-tapping on the radio link [passive] → ciphering
- hijacking the connection → integrity of routing data
- usurpation of identity → user authentication

(diagram: mobile/SIM – BSS (BTS, BSC) – Visited Network (MSC/VLR) – Home Network (AuC/HLR))


mobile industry: 2G network (GSM) – description

(diagram) entities: mobile/SIM – BSS (BTS, BSC) – Visited Network (MSC/VLR) – Home Network (AuC/HLR)
- the mobile identifies itself with its temporary identity TMSI, forwarded by the visited network to the home network
- AuC/HLR, holding Ki, draws RAND and computes SRES and Kc with A3/A8; the triplet (RAND, SRES, Kc) is sent to the MSC/VLR
- MSC/VLR sends RAND to the mobile; the SIM computes SRES and Kc from Ki and RAND with A3/A8 and returns SRES; MSC/VLR verifies SRES
- Kc is passed to the BSS; voice is ciphered with A5 between the mobile and the BTS

mobile industry: 2G network – security analysis

- ciphering is an option (activated by network decision only)
- no mutual authentication (only the user towards the network)
- risk of phone-tapping supported by a man-in-the-middle attack
- no integrity check (may raise problems with regard to signalling messages)
- ciphering stops at the BTS: no in-depth ciphering
- some implementations of the A3/A8 and A5 algorithms are considered not to be state-of-the-art (COMP128 and A5/1, A5/2)

(diagram: a false BTS between the mobile and the genuine BTS, labelled Ki and Ki’)


mobile industry: 3G network (UMTS) – description

(diagram) entities: mobile/SIM – BSS (BTS, BSC) – Visited Network (MSC/VLR) – Home Network (AuC/HLR)
- the mobile identifies itself with TMSI, forwarded by the visited network to the home network
- AuC/HLR, holding K, draws RAND and computes with f1-f5 the authentication token AUTN, the expected response RES and the keys CK, IK; (RAND, AUTN, RES, CK, IK) is sent to the MSC/VLR
- MSC/VLR sends RAND, AUTN to the mobile; the SIM recomputes f1-f5 from K and RAND, verifies AUTN and returns RES; MSC/VLR verifies RES
- CK is used with f8 to cipher the voice and IK with f9 to compute a mac over it; the receiving side verifies the mac (ciphered voice, mac)

mobile industry: 3G network – security analysis

- ciphering along the whole radio subsystem
- still activated by network decision only, but the “no ciphering” order is authenticated
- integrity mechanism to protect signalling information
- mutual authentication of SIM and AuC
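The 2G and 3G exchanges above, as an added example that is not from the slides or from Oberthur: the USIM side of UMTS AKA checks the MAC in AUTN and the sequence number before releasing RES, CK and IK, which is the network authentication and replay protection the GSM triplet flow lacks. The f1-f5 functions are HMAC-SHA256 stand-ins (an assumption; real USIMs use MILENAGE), and auc_vector, usim_respond, vlr_check and the key value are constructed for the demo.

```python
import hashlib
import hmac
import os

# f1..f5 stand-ins built from HMAC-SHA256 keyed with the long-term key K.
# Real USIMs use MILENAGE (AES based); the HMAC construction is an assumption
# that keeps the example to the standard library.
def _f(k, tag, *parts):
    return hmac.new(k, tag.encode() + b"".join(parts), hashlib.sha256).digest()

def f1(k, rand, sqn, amf): return _f(k, "f1", rand, sqn, amf)[:8]  # MAC-A
def f2(k, rand): return _f(k, "f2", rand)[:8]                       # RES / XRES
def f3(k, rand): return _f(k, "f3", rand)[:16]                      # CK
def f4(k, rand): return _f(k, "f4", rand)[:16]                      # IK
def f5(k, rand): return _f(k, "f5", rand)[:6]                       # AK

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def auc_vector(k, sqn, amf=b"\x00\x00"):
    """Home network (AuC/HLR): one authentication vector for sequence number
    sqn. K never leaves the AuC; the visited MSC/VLR only gets this vector."""
    rand = os.urandom(16)
    autn = xor(sqn, f5(k, rand)) + amf + f1(k, rand, sqn, amf)
    return {"rand": rand, "autn": autn, "xres": f2(k, rand),
            "ck": f3(k, rand), "ik": f4(k, rand)}

def usim_respond(k, rand, autn, sqn_ms):
    """USIM: recompute f1..f5 and check AUTN before releasing anything. The MAC
    check authenticates the network (absent in 2G); the SQN check rejects a
    replayed vector. Returns (result or None, updated SQN_MS)."""
    sqn = xor(autn[:6], f5(k, rand))
    amf, mac = autn[6:8], autn[8:]
    if not hmac.compare_digest(mac, f1(k, rand, sqn, amf)):
        return None, sqn_ms                      # false network or wrong K
    if int.from_bytes(sqn, "big") <= int.from_bytes(sqn_ms, "big"):
        return None, sqn_ms                      # replay of an old RAND/AUTN
    return {"res": f2(k, rand), "ck": f3(k, rand), "ik": f4(k, rand)}, sqn

def vlr_check(vector, res):
    """Visited network (MSC/VLR): compare RES with the XRES from the vector."""
    return hmac.compare_digest(vector["xres"], res)

def demo():
    """Constructed run: genuine AuC, then a false network holding K' != K,
    then a replay of the first vector. Returns the three USIM/VLR outcomes."""
    k = bytes(range(16))                         # constructed long-term key
    sqn_ms = bytes(6)
    v = auc_vector(k, (1).to_bytes(6, "big"))
    out, sqn_ms = usim_respond(k, v["rand"], v["autn"], sqn_ms)
    genuine_ok = out is not None and vlr_check(v, out["res"]) and out["ck"] == v["ck"]
    false_net = auc_vector(bytes(16), (2).to_bytes(6, "big"))   # holds K', not K
    false_ok = usim_respond(k, false_net["rand"], false_net["autn"], sqn_ms)[0] is not None
    replay_ok = usim_respond(k, v["rand"], v["autn"], sqn_ms)[0] is not None
    return genuine_ok, false_ok, replay_ok
```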


identity industry: e-passport standardization

- ICAO: International Civil Aviation Organization
- international regulation authority
- harmonization of travel documents
- provides a common framework for passports all over the world
- open standards for governments and suppliers
- mandatory: identification data + integrity + authentication
- optional: biometry + other protection mechanisms

identity industry: description

- printed identifying data (e.g. owner’s picture); printed machine-readable data (MRZ, CAN); visual security features (e.g. holograms)
- contactless chip in the paperback; the chip contains all identifying data and optionally biometric data like fingerprints

(figure: passport data page with the MRZ)

identity industry: security needs

- contactless technologies bring new issues: invasion of privacy, since a malicious reader can interact with the chip without the knowledge of the owner
- the passport must be opened to access the identity of the holder
- content should be protected by an access control policy: Basic Access Control, Supplemental Access Control, Extended Access Control
- use the MRZ


identity industry: Basic Access Control

(protocol between the CHIP and the inspection system IS; both hold K, the IS having derived it after reading the MRZ optically)
1. CHIP chooses rCHIP, KCHIP and sends rCHIP
2. IS chooses rIS, KIS and sends eIS = EK(rIS, rCHIP, KIS)
3. CHIP computes rIS’, rCHIP’, KIS’ = DK(eIS), checks rCHIP’ = rCHIP, and sends eCHIP = EK(rCHIP, rIS’, KCHIP)
4. IS deciphers eCHIP and checks rIS’ = rIS

identity industry: BAC – security analysis

- recovery process:
  1. eavesdrop one BAC session
  2. guess/recover through social networks the ”MRZ information” (e.g. date of birth, passport date of expiry, passport number)
  3. derive the ciphering key (the KDF is public)
  4. decipher eIS and check for meaningful data thanks to rCHIP
  5. go to step 2 until the MRZ is found
- MRZ entropy is very low: US ≈ 53 bits, Spain and Italy ≈ 51 bits, France ≈ 52 bits; even less since the fields are not independent (date of expiry and passport number...); to be compared to entropy requirements: 80 bits up to 2010, 112 bits then

BAC is weak against offline brute-force attacks
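The BAC exchange and the MRZ-entropy figures above, as an added example that is not from the slides or from Oberthur: run_bac plays both sides with a key that is a public function of three MRZ fields, so a reader with the wrong MRZ is rejected at the rCHIP check, and mrz_entropy_bits gives the upper bound on that key's entropy from the field ranges. derive_k, enc/dec (HMAC-based stand-ins for ICAO's SHA-1 KDF and 3DES), the XOR session seed and the field ranges are assumptions.

```python
import hashlib
import hmac
import math
import os

def derive_k(doc_number, birth, expiry):
    """Public KDF stand-in: K depends only on three MRZ fields (ICAO uses SHA-1
    and 3DES keys; SHA-256 truncated to 16 bytes is an assumption)."""
    return hashlib.sha256(f"{doc_number}{birth}{expiry}".encode()).digest()[:16]

def _keystream(k, nonce, n):
    out = b""
    for ctr in range(0, n, 32):
        out += hmac.new(k, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def enc(k, msg):
    """E_K stand-in: HMAC-based stream cipher plus a tag (real BAC: 3DES-CBC
    and a retail MAC). The tag lets a wrong K be detected cleanly."""
    nonce = os.urandom(8)
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(k, nonce, len(msg))))
    return nonce + ct + hmac.new(k, nonce + ct, hashlib.sha256).digest()[:8]

def dec(k, blob):
    """D_K stand-in: returns the plaintext, or None when the tag fails."""
    nonce, ct, tag = blob[:8], blob[8:-8], blob[-8:]
    if not hmac.compare_digest(tag, hmac.new(k, nonce + ct, hashlib.sha256).digest()[:8]):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(k, nonce, len(ct))))

def run_bac(chip_k, is_k):
    """One BAC session. chip_k is the key personalised into the chip; is_k is
    the key the inspection system derived from the MRZ it read optically."""
    # CHIP: choose rCHIP and its key share KCHIP; rCHIP goes out in clear
    r_chip, k_chip = os.urandom(8), os.urandom(16)
    # IS: choose rIS, KIS and send eIS = E_K(rIS || rCHIP || KIS)
    r_is, k_is = os.urandom(8), os.urandom(16)
    e_is = enc(is_k, r_is + r_chip + k_is)
    # CHIP: decrypt, check rCHIP' == rCHIP, answer eCHIP = E_K(rCHIP || rIS' || KCHIP)
    pt = dec(chip_k, e_is)
    if pt is None or pt[8:16] != r_chip:
        return {"chip_ok": False, "is_ok": False}
    r_is_p, k_is_p = pt[:8], pt[16:]
    e_chip = enc(chip_k, r_chip + r_is_p + k_chip)
    # IS: decrypt, check rIS' == rIS
    pt2 = dec(is_k, e_chip)
    if pt2 is None or pt2[8:16] != r_is:
        return {"chip_ok": True, "is_ok": False}
    # both sides now hold KIS and KCHIP; combining them by XOR into a session
    # seed is an assumption (the slide does not show the derivation)
    return {"chip_ok": True, "is_ok": True,
            "is_seed": bytes(a ^ b for a, b in zip(k_is, pt2[16:])),
            "chip_seed": bytes(a ^ b for a, b in zip(k_is_p, k_chip))}

def mrz_entropy_bits(number_space, birth_days, expiry_days):
    """Upper bound on the BAC key entropy: K is a public function of the three
    MRZ fields, so their joint entropy bounds the search space for K."""
    return math.log2(number_space) + math.log2(birth_days) + math.log2(expiry_days)
```

With a 9-digit number, 100 years of birth dates and 10 years of expiry dates the bound is about 57 bits, in the range of the per-country figures on the slide before any field dependencies are taken into account.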

identity industry: BAC – security analysis

- addendum to the standard to improve access control
- alternative to BAC in the ICAO standard: SAC
- based on the Password Authenticated Connection Establishment (PACE) protocol
- fixes the weakness of BAC

identity industry: PACE

- establishes a secure channel between the chip and the IS
- uses strong session keys, independent of the strength of the password π
- requires public key cryptography
- can take as a password either the MRZ (ICAO required), the CAN (ICAO optional) or a PIN
- resists offline attacks
- protects privacy

identity industry: PACE – SPA-resistant (figure)


future issues: fraud in FR – transaction vs. fraud progress (figure)

future issues: fraud in FR – detailed fraud (figure)

the issue at stake: payment on the internet (figure)

the issue at stake: convergence (figure)

the issue at stake: RSA

- government recommendations/requirements on RSA key size for long-term crypto
- RSA keys cannot be used anymore for governmental applications (passports)
- ECC is the backup plan of RSA; what is the backup plan of ECC?

Recommended key sizes (bits) per protection period:
Protection period | Symmetric cryptosystems | Factorization and discrete-log cryptosystems (eg. RSA, DH, DSA) | Elliptic-curve cryptosystems (eg. ECDH, ECDSA)
Short term        | 80  | 1248  | 160
2009 to 2020      | 96  | 1776  | 192
2009 to 2030      | 112 | 2432  | 224
2009 to 2040      | 128 | 3248  | 256
>> 2040           | 256 | 15424 | 512

conclusion

- past issues: authenticate a customer and a device to access a network for a service
  – remote payment: cardholder + credit card
  – mobile phone: subscriber + handset
  – e-passport: control the access to the identity of the citizen to provide privacy
- future issues / new trends: payment in untrusted environments (PC, smartphones); backup plan in case of a breakthrough in the cryptanalysis of ECC
- smartcards helped to solve past issues and can help to solve the next ones
- using new form factors? µSD, USB stick; new owners? the end-user?

Thank you

Ecrypt 2 Summer School