© Oberthur Technologies
Past & Future Issues in Smartcard Industry
Ecrypt 2 Summer School
Guillaume Dabosville
© Oberthur Technologies 2Security Solutions for a Changing World
Oberthur Technologiesthe group – its divisions
� payment, mobile, transport and digital TV markets
� identity documents (e-passport, driving license, health, etc)
� design and printing of banknotes and passports
� ink staining technology
© Oberthur Technologies 3Security Solutions for a Changing World
Oberthur Technologiesthe group – its revenues
© Oberthur Technologies 4Security Solutions for a Changing World
Oberthur Technologiesthe group – the crypto team
crypto & security team
secure primitives
practical evaluation CC-ready
certif
© Oberthur Technologies 5Security Solutions for a Changing World
Oberthur Technologiessmartcard industry – the main use cases
� payment , mobile , transport and digital TV markets
� identity documents (e-passport, driving license, health, etc)
� design and printing of banknotes and passports
� ink staining technology
© Oberthur Technologies 6Security Solutions for a Changing World © Oberthur Technologies
agenda
1. from card to smart card� short history� nowadays� why is it smart
2. payment industry� issues in card authentication� static data authentication - SDA� dynamic data authentication – DDA
3. mobile industry� issues in radio control access� 2G networks� 3G networks
4. identity industry� standardization body� description � security needs� BAC / SAC / PACE
5. future issues6. conclusion
© Oberthur Technologies
© Oberthur Technologies 7Security Solutions for a Changing World
the card industrya short history
� appears in the 70’s in several countries (France, G ermany, Japan, USA)� several patents argue the ownership� first uses
� prepaid card (memory only)� credit cards (µ processor)
© Oberthur Technologies 8Security Solutions for a Changing World
the card industrynowadays
plastic card ISO 7816 compliant
� card dimensions
� physical constraints (flexibilty, etc)
� positioning of the contacts
� communication protocols
� internal architecture of IC
© Oberthur Technologies 9Security Solutions for a Changing World
the card industrynowadays
© Oberthur Technologies 10Security Solutions for a Changing World
the smart card why is it smart?
From Collins dictionary: smart ~ { brilliant, ingen ious, intelligent, chic, elegant…}+ many words I do not understand
� brilliant / intelligent: � DES, 3DES, AES, RSA (up to 2048 bits), ECC
� ingenious: virtual money� lower risk of money theft, � lower cost for cash management (transfer funds)
� chic / elegant
� secure
© Oberthur Technologies 11Security Solutions for a Changing World
the smart card how much is it smart? – lost & stolen fraud
© Oberthur Technologies
© Oberthur Technologies 12Security Solutions for a Changing World
the smart card how much is it smart? – counterfeit fraud
© Oberthur Technologies
© Oberthur Technologies 13Security Solutions for a Changing World © Oberthur Technologies
agenda
1. from card to smart card� short history� nowadays� why is it smart
2. payment industry� issues in card authentication� static data authentication - SDA� dynamic data authentication – DDA
3. mobile industry� issues in radio control access� 2G networks� 3G networks
4. identity industry� standardization body� description � security needs� BAC / SAC / PACE
5. future issues6. conclusion
© Oberthur Technologies
© Oberthur Technologies 14Security Solutions for a Changing World
payment industrythe setting
Issuer Acquirer
Infrastructure
merchantcardholder
© Oberthur Technologies 15Security Solutions for a Changing World © Oberthur Technologies
payment industryissues in a payment transaction
is it a valid card?card authentication
is it the cardholder? ask for and check PIN
cardauthentication
transaction
transaction dataGenerate AC
Transaction Certificate
cardholderverification
© Oberthur Technologies 16Security Solutions for a Changing World © Oberthur Technologies
agenda
1. from card to smart card� short history� nowadays� why is it smart
2. payment industry� issues in card authentication� static data authentication - SDA� dynamic data authentication – DDA
3. mobile industry� issues in radio control access� 2G networks� 3G networks
4. identity industry� standardization body� description � security needs� BAC / SAC / PACE
5. future issues6. conclusion
© Oberthur Technologies
© Oberthur Technologies 17Security Solutions for a Changing World © Oberthur Technologies
payment industrystatic authentication - PKI
CertCA(PKI) + SignSKI(Card Data)
Issuer CA Acquirer
� CertCA(PKI)
� SignSKI(Card Data)
PKI
(PKI, SKI) (PKCA, SKCA) (PKCA)
Signed by
Card Data
Signed by
|||||
|||||
PKCA
© Oberthur Technologies 18Security Solutions for a Changing World © Oberthur Technologies
payment industrystatic authentication – security analysis
� used in� B0’ (1989)� EMV (1995) as Static Data Authentication (SDA)
� subject to replay attacks (because it is static)
� mass attack
� subject to the yescard attack� implemented by Serge Humpich in 1997� SignSK is an RSA signature with a 96digit
modulus n� factorisation of n=p.q is feasible since 1991
[Lenstra91] � can forge new cards with correct static signature� pointing to non-existing accounts
� counterfeits cards always answer YES regardless of the entered PIN code
� last RSA factorisation: a 768bit modulus
© Oberthur Technologies 19Security Solutions for a Changing World © Oberthur Technologies
agenda
1. from card to smart card� short history� nowadays� why is it smart
2. payment industry� issues in card authentication� static data authentication - SDA� dynamic data authentication – DDA
3. mobile industry� issues in radio control access� 2G networks� 3G networks
4. identity industry� standardization body� description � security needs� BAC / SAC / PACE
5. future issues6. conclusion
© Oberthur Technologies
© Oberthur Technologies 20Security Solutions for a Changing World
payment industrydynamic authentication - PKI
© Oberthur Technologies
Issuer CA Acquirer
� PKICC, SKICC,
�CertI(PKICC), CertCA(PKI)
PKI
(PKI, SKI) (PKCA, SKCA) (PKCA)
Signed by
Card Data
Signed by
|||||
PKCA
PKICC
TD: Term Data
CertI(PKICC), CertCA(PKI), SigSig SignSKICC(Card Data,TD)
|||||
© Oberthur Technologies 21Security Solutions for a Changing World
payment industrydynamic authentication – security analysis
� thwarts replay attacks thanks to challenge-response
� mass attack no longer relevant
© Oberthur Technologies
© Oberthur Technologies 22Security Solutions for a Changing World © Oberthur Technologies
agenda
1. from card to smart card� short history� nowadays� why is it smart
2. payment industry� issues in card authentication� static data authentication - SDA� dynamic data authentication – DDA
3. mobile industry� issues in radio control access� 2G networks� 3G networks
4. identity industry� standardization body� description � security needs� BAC / SAC / PACE
5. future issues6. conclusion
© Oberthur Technologies
© Oberthur Technologies 23Security Solutions for a Changing World
mobile industryissues in radio control access
PIN codeSIM theft
temporary identity and cipheringtracing
mutual authenticationciphering
phone-taping by simulating a false BSS [Man-in-the-middle]
cipheringphone-taping on the radio link [passive]
integrity of routing datahijacking the connection
user authenticationusurpation of identity
countermeasuresthreats
BSSBTS BSC
mobileSIM Home NetworkAuC/HLR
Visited NetworkMSC/VLR
© Oberthur Technologies 24Security Solutions for a Changing World © Oberthur Technologies
agenda
1. from card to smart card� short history� nowadays� why is it smart
2. payment industry� issues in card authentication� static data authentication - SDA� dynamic data authentication – DDA
3. mobile industry� issues in radio control access� 2G networks� 3G networks
4. identity industry� standardization body� description � security needs� BAC / SAC / PACE
5. future issues6. conclusion
© Oberthur Technologies
© Oberthur Technologies 25Security Solutions for a Changing World
Home NetworkAuC/HLR
mobile industry2G network (GSM) - description
TMSI TMSI
RAND
TMSI
RAND RAND
Ki
A3/A8 verify SRESSRESSRES
Kc
A5
voice
A5
voice
RAND
A3/A8
Ki
ciphered voice
RAND SRES Kc
SRES
Kc
BSSBTS BSC
mobileSIM Visited NetworkMSC/VLR
TMSI
© Oberthur Technologies 26Security Solutions for a Changing World
mobile industry2G network – security analysis
� ciphering is an option (activated by network decisi on only) � no mutual authentication (only the user towards the network)
� risk of phone-taping supported by a man-in-the-middle attack
� no integrity check (may raise problems with regard to signalling messages)
� ciphering stops at the BTS� no in-depth ciphering
� some implementations of A3/A8 and A5 algorithms are considered to be not at the state-of-the-art (COMP128 and A5/1, A5/2)
false BTS genuine BTS
Ki Ki’
© Oberthur Technologies 27Security Solutions for a Changing World © Oberthur Technologies
agenda
1. from card to smart card� short history� nowadays� why is it smart
2. payment industry� issues in card authentication� static data authentication - SDA� dynamic data authentication – DDA
3. mobile industry� issues in radio control access� 2G networks� 3G networks
4. identity industry� standardization body� description � security needs� BAC / SAC / PACE
5. future issues6. conclusion
© Oberthur Technologies
© Oberthur Technologies 28Security Solutions for a Changing World
mobile industry3G network (UMTS) - description
© Oberthur Technologies
TMSI TMSI
RAND, AUTN
TMSI
RAND, AUTN RAND, AUTN
K
f1-f5RESRES
CK
f8
voice
f8
RAND
f1-f5
K
ciphered voice, mac
RAND
CK, IK
f9IK
f9IK
voice,macmac
verify mac
verify RESRES
BSSBTS BSC
mobileSIM Home NetworkAuC/HLR
Visited NetworkMSC/VLR
CK
RES
CKIKverify
AUTN
AUTN
© Oberthur Technologies 29Security Solutions for a Changing World
mobile industry3G network – security analysis
� ciphering along the whole radio subsystem
� still activated by network decision only, but� the “no ciphering” order is authenticated
� integrity mechanism to protect signalling informati on
� mutual authentication of SIM and AuC
© Oberthur Technologies 30Security Solutions for a Changing World © Oberthur Technologies
agenda
1. from card to smart card� short history� nowadays� why is it smart
2. payment industry� issues in card authentication� static data authentication - SDA� dynamic data authentication – DDA
3. mobile industry� issues in radio control access� 2G networks� 3G networks
4. identity industry� standardization body� description � security needs� BAC / SAC / PACE
5. future issues6. conclusion
© Oberthur Technologies
© Oberthur Technologies 31Security Solutions for a Changing World
identity industrye-passport standardization
� ICAO: International Civil Aviation Organization
� international regulation authority
� harmonization of travelling documents
� provides a common framework for passports all over the world
� open standards for Governments and suppliers
� mandatory: identification data + integrity + authentication
� optional: biometry + other protection mechanisms
© Oberthur Technologies 32Security Solutions for a Changing World
identity industrydescription
� printed identifying data (eg owner’s picture)� printed machine readable data (MRZ, CAN)� visual security features (eg holograms)
� contactless chip in the paperback� chip contains all identifying data� chip optionally contains biometrical data
like fingerprints
MRZ
© Oberthur Technologies 33Security Solutions for a Changing World
identity industrysecurity needs
� contactless technologies bring on new issues� invasion of privacy
since a malicious reader can interact with the chip without the knowledge of the owner
� passport must be open to access the identity of the holder
� content should be protected by an access control po licy� Basic Access Control� Supplemental Access Control� Extended Access Control
� use the MRZ
© Oberthur Technologies 34Security Solutions for a Changing World © Oberthur Technologies
agenda
1. from card to smart card� short history� nowadays� why is it smart
2. payment industry� issues in card authentication� static data authentication - SDA� dynamic data authentication – DDA
3. mobile industry� issues in radio control access� 2G networks� 3G networks
4. identity industry� standardization body� description � security needs� BAC / SAC / PACE
5. future issues6. conclusion
© Oberthur Technologies
© Oberthur Technologies 35Security Solutions for a Changing World
identity industryBasic Access Control
read the MRZ opticallyderive K
K
choose rIS, KIS
choose rCHIP, KCHIP
eIS = EK(rIS, rCHIP, KIS)
rCHIP
rIS’, rCHIP’, KIS’ =DK(eIS)
check rCHIP’ = rCHIP
eCHIP=EK(rCHIP, rIS’, KCHIP) check rIS’ = rIS
eIS
eCHIP
CHIP IS
© Oberthur Technologies 36Security Solutions for a Changing World
identity industryBAC - security analysis
� recovery process1. eavesdrop one BAC session2. guess/recover through social network ”MRZ-information” (ex: Date of birth, passport date of
expiry, passport number)3. derive the ciphering key (KDF is public)4. decipher eIS and check for meaningful data thanks to rCHIP
5. go to step 2 until MRZ is found.
� MRZ entropy is very low:� US ≈ 53 bits, Spain and Italy ≈ 51 bits, France ≈ 52 bits� even less since field are not independent (date of expiry and passport number...)� to be compared to entropy requirements: 80 bits up to 2010, 112bits then.
BAC is weak to offline brute force attack
© Oberthur Technologies 37Security Solutions for a Changing World
identity industryBAC - security analysis
� addendum to the standard to improve access control
� alternative to the BAC in ICAO standard� SAC
� based on the protocol� Password Authenticated Connection Establishment (PACE)
� fixes the default of BAC
© Oberthur Technologies 38Security Solutions for a Changing World
identity industryPACE
� establishes Secure Channel between chip and IS� uses strong session keys independent of the strengt h of the password π� requires public key cryptography� can take as a password either
� the MRZ (ICAO required)� the CAN (ICAO optional)� a PIN
� resists to o ffline attacks� protects Privacy
© Oberthur Technologies 39Security Solutions for a Changing World
identity industryPACE
SPA-resistant
© Oberthur Technologies 40Security Solutions for a Changing World © Oberthur Technologies
agenda
1. from card to smart card� short history� nowadays� why is it smart
2. payment industry� issues in card authentication� static data authentication - SDA� dynamic data authentication – DDA
3. mobile industry� issues in radio control access� 2G networks� 3G networks
4. identity industry� standardization body� description � security needs� BAC / SAC / PACE
5. future issues6. conclusion
© Oberthur Technologies
© Oberthur Technologies 41Security Solutions for a Changing World
future issuesfraud in FR – transaction vs. fraud progress
© Oberthur Technologies
© Oberthur Technologies 42Security Solutions for a Changing World
future issuesfraud in FR – detailed fraud
© Oberthur Technologies
© Oberthur Technologies 43Security Solutions for a Changing World
the issue at stakepayment on the internet
© Oberthur Technologies 44Security Solutions for a Changing World
the issue at stakeconvergence
© Oberthur Technologies 45Security Solutions for a Changing World
the issue at stakeRSA
� government recommendations/requirements on RSA key- size for long term crypto
� RSA key cannot be used anymore for governmental app lications (passports)� ECC is the backup plan of RSA� what is the backup plan of ECC?
51215424256>> 2040
25632481282009 to 2040
22424321122009 to 2030
1921776962009 to 2020
160124880Short term
Elliptic-curve cryptosystems
(eg. ECDH, ECDSA)
Factorization and discrete-log
cryptosystems (eg.RSA, DH, DSA)
Symmetric cryptosystems
Protection period
© Oberthur Technologies 46Security Solutions for a Changing World
conclusion
� past issues� authenticate a customer and a device to access a network for a service
– remote payment: cardholder + credit card– mobile phone: subscriber + handset
� e-passport: control the access to the identity of the citizen to provide privacy
� future issues / new trends� payment in not trusted environments (PC, smartphones)
� backup plan in case of a breakthrough in cryptanalysis of ECC
� smartcards helped to solve past issues� can help to solve next issues
� using new form factors ? µSD, USB stick � new owners? the end-user?
© Oberthur Technologies
Thank you
Ecrypt 2 Summer School