Smartcardsand RFIDIPA Security CourseLejla Batina & Erik PollDigital SecurityUniversity of Nijmegen1

Overview example uses (security) functionality smartcard technicalities RFID technicalities attacks

Smartcard & RFID uses3

Example smartcard & RFID uses bank cards SIMs in mobile phone public transport– eg OV chipkaart in NL identity documents– modern passports and national ID cardscontain (contactless) chip access cards– to control access to buildings, computer networks, laptops,.– eg Rijkspas for government personnel– eg UZI pas for medical personnel to access EPD– pay TV4

(Security) functionality5

Differences? Commonalities?With respect to functionality or security6

Differences & Commonalities all provide data storage for reading and/or writing but secured to different degrees & in different ways– different aims of securing: confidentiality integrity/authenticity– different ways of securing integrity by physical characteristics vs digital signatures access control (eg PIN code, password, crypto protocol)possible on smartcard, not on a magstripe7

Differences? Commonalities?8

Smartcard vs other computers No fundamental difference ! Btw, smartcards outnumber normal computers such as PCs and laptopsSmartcard is restricted in its possibilities smartcard does not only offer data storage but alsoprocessing powerHow, for example?Smartcard can offer security that PC cannot What, for example? eg you cannot remove the hard drive9

Smartcard technicalities10

What is a smartcard? Tamper-resistant computer, on a single chip, embeddedin piece of plastic, with very limited resources– aka chip card or integrated circuit card (ICC) capable of “securely”– storing data– processing data This processing capability is what makes a smartcardsmart; stupid cards can store but not process NB processing capabilities vary a lot.11

What does “securely” mean? Functionality (software) and data on the card cannot be“messed with” The smartcard can implement access control to restrictaccess to data or functionality, eg– deny possibility to read or write some data– only allowing it after entering password or PIN code– only allowing it after performing some security protocol The smartcard can implement cryptographic checks toensure confidentiality or integrity, eg– encrypt / sign data it provides– decrypt / check signatures on data it receives12

Form factors for smartcards traditional credit-card sizedplastic card– ISO 7816 mobile phone SIM– cut-down in size contactless cards– aka proximity card or RFIDtransponder/tag– also possible: dualinterface iButton USB token13

3 types of functionality1. stupid card just reports some dataeg card shouts out a (unique) serial number on start-up2. stupid smartcard aka memory cardprovides configurable file system with access controlby means of PIN code/passwords or crypto keysor even simpler: irreversible writes3. smart smartcard aka microprocessor cardprovides programmable CPU that can implement anyfunctionalityeg complicated security protocolsWhat type of attacks can 2 & 3 withstand that 1 can't?14

Typical use of smartcard for authenticationprivatekey KCPUchallenge cresponseencK(c) If card can perform encryption, then private key K never leavesthe card This scheme can also be used for non-repudiation, ie signing. The issuer does not have to trust the network, the terminal, orcard holder15

Smartcard hardware CPU (usually 8 or 16, but now also 32 bit) possibly also– crypto co-processor & random number generator (RNG) memory: volatile RAM and persistent ROM & EEPROM– EEPROM serves as the smartcard's hard disk no power, no clock!A modern card may have 512 bytes RAM, 16K ROM, 64K EEPROM andoperate at 13.5 MHzImportant reason for low capabilities: cost!Also, keeping smartcard simple means we can have high confidence;you don’t want Windows 7 as operating system on a smartcard16

Contact cards(ISO 7816-2)External power supply and external clock Originally 5 V, now also 3V or 1.8V Vpp - higher voltage for writing EEPROM - no longer usedas it introduces a serious security weakness17

Multi-application & post-issuanceOld-fashioned smartcards contain one program, that can neverbe changedModern smartcard platforms are multi-application, ie allow multiple, independentprograms (aka applets) to be installed on one cardallow post-issuance download: applications to be added (orremoved) after the card has been issued to the card holderOf course, this is tightly controlled - by digital signaturesExamples of such platforms: JavaCard and MULTOSApplication management using the GlobalPlatform standard18

Multi-application cards Multi-application vision: everyone carrying one card, with alltheir smartcard applications This is not going to happen. Problems:– trustbanks won't allow untrusted programs of others on theircards; or allow their programs to be seen by others– marketingwho gets to put their logo on the plastic? Still, multi-application is useful for development & cardmanagament by a single vendor– eg used to add services to SIMs that are out in the field19

The terminal problem! THE fundamental problem with smartcardsno trusted I/O between user and card no display no keyboard Why is this a problem? Is this a problem for card holder or card issuer?Solutions: Card with built-in display & keyboard Alternative: give people a reader20

RFID technicalities21

RFID RFID Radio-Frequency IDentification RFID devices are called tags or transponders “smartcard chip with an antenna” Often not so smart: RFID tags are often stupid cards (type 1&2) simplest tags only support data transfer from tag to readerPowerful RFID tags are also called contactless smartcards22

Many types of RFID tags with different read ranges & capabilities, operating atdifferent frequenciesMany just transmit a fixed code when activated: Animal identification RFID tags Item management - RFID bar codes (Global TAG) Container identification - with battery for large range Anti-theft systems - one bit of informationMore advanced cards include proximity cards (ISO14443) read range less than 10 cm eg MIFARE and contactless smartcards (such as e-passport)23

NFC Near Field Communication Implemented in mobile phones compatible with ISO14443 proximity cardsPhone can act as reader (active mode)or as a tag (passivemode)The next big thing in the mobile phones?A consortium of the large Dutch banks and telco's(Sixpack/TRAVIK) is developing an NFC paymentsolution (where payment applet is added on mobilephone SIM). First example of real multi-applicationcards?24

Pros & cons of contactless over contact? advantages ease of use no wear & tear of contacts on card and terminal less maintenance less susceptible to vandalismdisadvantages easier to eavesdrop on communication communication possible without owner's consent for replay, relay, or man-in-the-middle attacks (more on thatlater)RFID tags often have more limited capabilities to provide security eg amount of data, crypto25

passive vs active attacks on proximity cardspassive attacksactive attacks eavesdropping on communicationbetween card & reader possible from several meters unauthorised access to cardwithout owner's knowledge possible up to 25 cm activating RFID tagrequires powerful field! aka virtual pickpocketingvariant: relay attack(Scaremongering?) story about passport bombs -XXaqraF7pI26

Privacy RFID introduces obvious privacy risks RFID barcode may provide unique ID for an individual productSoS - Radboud University Nijmegen27

Anti-collision anti-collision protocol needed for terminal to select onecard to talk to, if several cards are in the field of areader for this, cards send out a number for the reader toidentify themThis anti-collision leaks information & may cause privacyconcerns eg test version of Dutch passport used a fixed number in the anticollision protocol. Real one uses random number Italian e-passport still have a fixed & unique number here28

Remaining e-passport problems Error messages of the e-passport reveal manufacturer– ie provide fingerprint

Different error response of e-passportsB0 means "read binary", and is only allowed after Basic Access ControlBelgian2 byte errorresponse6986meaningnot allowedDutch6982security status not satisfiedFrench6F00no precise diagnosisItalian6D00not supportedGerman6700wrong length255 other instructions to try,and we can try different parameters .30

This is more general problem:errors can leak informationAn Error Has Occurred.Error Message:System.Data.OleDb.OleDbException: Syntax error(missing operator) in query expression'username ''' and password TextErrorHandling (Int32 hr) tForSingleResult (tagDBPARAMS dbParams, Object&executeResult) at31

Error reportof our departmentonlinecourse schedules32

Smartcard attacks33

Classification of attacks cost– time– equipment– know-how tamper-evidence– ie can the card, card holder, or card issuer see a cardis being or has been messed with? impact for the organisation and business case for the attacker34

The attacker’s business caseie. the motivation for professional attacker!The hobbyist is after fame or publicity, the professional is after money!Which smartcard most interesting to “hack”?SIM, Chipknip, bank- or creditcard, pay TVHere by “hack” we mean access private keys on the chip to clone cardsMost interesting: PayTV, Chipknip?Least interesting: SIM card?35

Classification of attacksAn attacker can target1. organisation: eg. issuance & usage process2. cryptographic algorithms3. cryptographic protocolslogical attacks4. software, on smartcard or terminal-side5. the smartcard itself–eg. side-channel attacks or invasive attacks\36

Attacking the crypto Difficult for standard algorithms (DES, AES, RSA, ECC, )Homemade, proprietary cryptographic algorithms areroutinely broken, eg Crypto-1 used in MIFARE Classic COMP128 and A5/1 used in GSM Keeloq used for car keysgoogle for MIFAREon youtube37

Common problems with crypto keys.You can easily check that people use propercryptographic algorithms, but not that people useit properly Common problems: system integrators using the same key in all cards for one customer, or - worse - all their customers! worse still, using the default keys 75% of MIFARE applications was found to use defaultkeys or keys used in examples in documentation[Source: Lukas Grunwald, DEFCON14, 2007]A0A1A2A3A4A5 is an initial transport key of MIFARE tags.Googling for A0A1A2A3A4A5 produces links to documentation withother example keys to try!38

Attacking the protocols Replay attackrecord communication between card & terminal, and replay it Eg this works for disposable ov-card Man-in-the-Middle attackintercept and modify the communication– shim can be placed inside a terminal to do this Relay attackintercept communication and relay it to a different terminal Eg from hacked PIN terminal in mafia-operated shop to an ATM NB much harder to avoid than replay or MITM attacks! How does the terminal problem play a role here?39

Tools for protocol analysis40

Protocol implementation errors? Even if the protocol is secure, an implementation couldintroduce bugs. One way to find such bugsmodel-based testing More ambitious: formal verification ofthe software to prove compliance

Example protocol attacks: EMVEMV (EuroPay/Mastercard/Visa) is the (complicated!) internationalstandard for smartcards used in banking.Protocol worries so far1. cheaper EMV cards can still be cloned– the chip provides signed data to authenticate, and not a challengeresponse protocol (like disposable ov-chipkaart)1. in UK: card can be used without PIN (by fooling terminal into thinkinghardwritten signature is used)2. Newer cards use encryption to communicate PIN, but a shim can forcerollback to unencrypted PIN– We succesfully tried this , but Rabobank detects this in real time 42

Attacking the terminal (software) Lukas Greenwald managed to crash e-passport terminals bysending a malformed JPEG causing a buffer overflow in the graphics library Melanie Rieback (VU) mase a SQL injection virus in a RFID tag Smartcards and RFID tags should be treated as untrusted inputs until we have authenticated the card or the data that they provide43

Attacking the terminal (software): the ov-chipThe disposable ov-chipkaart (MIFARE Ultralight) has 6 bytesof one-time programmable (OTP) memory initially filled with 0’s; writing a 1 is an irreversible operationTwo bytes are used to invalidate tickets initially 00F0 set to F8FF to invalidate tagWe can still change an invalid tag so terminals will accept it asvalid; can you guess the flaw? flip the remaining 3 bits, so that it become FFFFThis flaw in terminals has since been fixed44

side channel attacks

Smartcard attacksSo far we discussed logical attacks (100 ) to exploit flaws in– crypto, security protocol, or the softwareOther possibilities Side channel attacks (5K )– passive: power or timing analysis– active: fault injection (glitching or laser attacks) Physical attacks (100K )– reverse engineering– probing, focussed ion beam, .These attacks may also be combined46

Invasive vs non-invasive Logical & side-channel attacks are non-invasive– violate tamper-resistance and tamper-evidence– can happen in a few minutes in mafia-operated shopor a tampered terminal Physical attacks are always invasive– tamper-evident, so only violate tamper-resistance– ie you destroy a few chips in the process– requires hours to weeks in laboratory47

Side-channel analysisexample side channel:pizza deliveries to the Pentagon48

Side-channel analysismonday eveningtuesday eveningWhat evening is the invasion taking place?49

Side-channel analysis Side-channel any other channel than the normal I/Ochannel that may be observed Possible side-channels:– power consumption– timing– electro-magnetic radiation– .Very powerful !50

Power consumption of a smartcardWhat is this card doing?51

This is a DES encryption!16 rounds, so probably DESWhat is the key?52

Power trace detail of RSA encryptionSource: presentation by Fred de Beer of Riscure at Safe-NL, June 200653

SPA: reading the key from this trace!Source: presentation by Fred de Beer of Riscure at Safe-NL, June 200654

Power Analysis Simple Power Analysis - SPA– analyse an individual power trace– to find out the algorithm used– to find the key length– worst case: to find the key Differential Power Analysis - DPA– statistically analyse many power traces to find out thekeyDPA has been the most serious threat to smartcards inthe past 10 years!This can also be combined with introducing faults, eg byshooting a laser55

Equipment for side-channel analysis56

Attacks with fault injectionsFaults may be introduced as part of attacks card tears removing the card from the reader halfwayduring a transaction homework exercise: try this when charging or paying with yourchipknip! glitching temporarily dipping the power supply eg to prevent EEPROM write after trying a PIN code light attacks shoot at the chip with a laser to flip some bits.57

Physical/invasive attacks

Physical, invasive attacks Much more costly than logical or side channel attacks.– expensive equipment lots of time & expertise Also, you destroy a few chips in the process.Examples probing fibbing reading memory contents 59

First step: removing chip from smartcardusing heat & nitric acid[Source: Oliver Kömmerling, Marcus Kuhn]60

Optical reverse engineeringmicroscope images with different layers in differentcolours, before and after etching[Source: Oliver Kömmerling, Marcus Kuhn]61

Physical attack: probing Observe or change the data on the bus while the chip is to observe keyprobing with8 needlesProbing can be done using physical needles ( 0.35 micron) or electronbeam62

Probing countermeasures use smaller circuitry– reducing size makes many physical attacks harder hide the bus– glue logic, and bus on lower layers of chip scramble bus lines– attacker has to optically reverse engineering this encrypting bus protective sensor mesh layer– to prevent access to chip surface– trend: accessing to chip surface from the back63

Physical attack: probingFIB Focussed Ion Beamcan observe or modify chip by drilling holes cutting connections soldering new connectionsand creating new gateshole drilled inthe chip surfaceblown fuse64

Using FIB in probingFibbing can be used to add probe pads for linestoo thin or fragile forneedles surface buried lines– poking holes through upperlayers[Source: Sergei Skorobogatov]65

Physical attack: extracting ROM contentStaining canoptically revealthe bitsstored in ROM:dark squares are 1light squares are 0[Source: Brightsight]66

Physical attack: extracting RAM contentImage of RAM with voltage sensitive scanning electron microscope67

memory extraction countermeasures obfuscate chip layout scramble or encrypt memo sensors– low and high temperatures, light, clock frequency, voltage, – But external power supply is needed to react when intrusion isdetected– Sensors can be destroyed when power is off they must betested periodically in normal operation68


Why are smartcards everywhere? Cryptography provides a building block for securitysolutions, but also introduces security problems:1. key management & distribution2. who/what do we trust to store & use crypto keys?Smartcards provide a possible solution70

Conclusions Smartcards are a typical solution whenever more securitythan standard username/password login is needed.Smartcard security is not perfect! it should not be the weakest link, in a well-designedsystem.Smartcard is tamper-resistant and tamper-evident tocertain degrees, but not tamper-proofeven if smartcard security is broken, there may be goodmeasures for detection & reaction to limit impactThe terminal problem is a serious limitation More generally, we can secure connections between computers1000's of miles apart, but not the last 2 feet from the computer andits human user.71

Things can go wrong at many levels card itself, and the crypto, card configuration & protocols,,software terminals & terminal software organisational– issuance– usageincl. personnel, procedures, 72

Issuance as the weakest link? You can obtain a new SIM for an existing number, claiming yours isbroken or lost (or from a dodgy telecom provider, or insider?) Someone obtained a Dutch ID card with a picture of himself disguised asthe Joker from Batman

More organisational hassle Issuing smartcards may be the easy part.Rolling out terminal equipment, dealing with organisation & trainingpersonnel may be the hard part Eg for e-passports, introduced in the wake of 9/11:– few countries bother to read the chip on a regular basis– exchanging certificates (bilaterely via diplomatic post) is a big hassle– hardly any countries use fingerprint data is quality of fingerprints info good enough ? yet more certificate hassle, as terminal has to authenticate itselfto passport with a terminal certificate– do personnel trust the chip, and can they interpret errors?– was it just security theatre?– or was the real motivation Automated Border Control?

Humans are incapable of securely storing high-qualitycryptographic keys, and they have unacceptable speed andaccuracy when performing cryptographic operations.They are also large, expensive to maintain, difficult tomanage, and they pollute the environment. It is astonishingthat these devices continue to be manufactured anddeployed. But they are sufficently pervasive that we mustdesign our protocols around their limitations– Kaufman, Perlman, and Speciner75

card to talk to, if several cards are in the field of a reader for this, cards send out a number for the reader to identify them This anti-collision leaks information & may cause privacy concerns eg test version of Dutch passport used a fixed number in