Public Transport Payment Security - UMass Amherst · 2009. 3. 4.
Karsten Nohl
Source: New Yorker
Who I am
Researcher at the University of Virginia
PhD work proposed solutions for RFID privacy
Hacker
Find and publicize security hazards in large systems
▪ Past year: OpenSSL bug, DNS poisoning, Mifare security
Security consultant
Help companies understand threats and implement best-practice security
Karsten Nohl – Hardware Security for Payment 2
Exec Summary
Security is usually hard and often expensive
Not having security inevitably causes problems that are always even harder and more expensive
When designing security, prepare for failure
Goal should be low risk of large damage, but not perfect security
Hence, even Mifare Classic-based systems can be made “secure enough”
Radio Frequency IDentification
Tiny computer chips
Passively powered
Cryptographic cipher
Challenge-response protocol
Challenge-response exchange (diagram labels):
▪ ID
▪ R: random number
▪ Enc(R): encryption under shared secret key
Attacks on the exchange (ID, R, Enc(R)):
Emulation
Cryptographic attacks:
▪ Brute force, TMTO
▪ Algebraic attacks
Replay
Proxy attack
Weak key storage
Contact-less “smart” card
2 billion cards sold
Very popular in public transport
▪ ~ 85% market share
▪ Rio de Janeiro, São Paulo, Madrid, Valencia, Oslo, Sydney, Hamilton, Delhi, Nanjing, Shanghai, Taipei, Kuala Lumpur, Atlanta, St. Paul, Houston, Los Angeles, Bangkok, Netherlands, London, Boston, ...
Popular for access control (industry, government)
▪ Security “patch”: Armed guards (NL)
Mifare Classic Break
Mifare cards use the proprietary Crypto-1 algorithm
▪ Never publicly reviewed for 20+ years
Algorithm reverse-engineered by UVa and CCC in 2007
▪ Immediately found to be weak
Feb/Mar: Reports find Crypto-1 to be strong enough for a few more years
▪ Reports are corrected after UVa releases more details about attacks
April: Dutch researchers publicly hack Oyster system
▪ Details published in October after lawsuit
Once strong cryptography is used, key storage becomes weakest link
More ubiquitous systems typically have more copies of the secret keys in accessible places
Security protocols
Cryptographic functions
Key storage
Hardware Security Modules (HSM)
Used in ATMs (cash machine), few smart card readers
Use proprietary encryption
Hence, can be broken
▪ Usually high effort (> $100.000)
Secure Access Modules (SAM) are much easier to break
Credit card / smart card readers
Everything needed to disclose key is found on chip
Finding secret algorithms might be costly
Figure: Hardware Security Module (HSM). Labels: HSM ID, encrypted key, proprietary decryption, master key, card ID / sector / …, AES / 3DES, card key
Public key cryptography can mitigate security problems
Scalable through certificate chains
Protected from all likely attacks
Surprisingly inexpensive
RFID ticket sends to payment terminal:
▪ (Card public key) under system private key
▪ (Transaction) under card private key
Payment terminal:
▪ Extract and verify card pk using system public key
▪ Extract and verify using card pk
Terminal only stores a publicly known key
Public key crypto is already used for transport micropayments
Successful implementation of public-key RFID payment system: “VDV Kernapplikation”
▪ Roll-out since 2006 in Germany
▪ 3 million users and quickly growing
▪ Interoperable across 75 operators (eventually 500+ operators)
▪ Most likely secure enough: RSA public keys, EAL5+, …
▪ Total system cost: <1 Euro per card and year
Best-Practice Security
Guidelines learned from past hacks include:
1. Prepare for security breaks, no measure is perfect
▪ Need: redundancy, “layering”
▪ Need: migration plan
2. Use standardized security
▪ Never rely on your own security “inventions”
3. Manage risks through threat modeling
▪ Find acceptable balance between potential losses and cost of security
1. Proprietary encryption is insecure
2. Key storage is the next weakest link
3. “Secure enough” is possible and even affordable
The Way Ahead
For secure RFID, we need:
Publicly reviewed standards
▪ Yes, this means “one-size-fits-all”, but requirements are generic
Comprehensive threat modeling
▪ Threat = risk × damage
User engagement, opt-out
▪ Never force technology onto users
▪ Inform about risks
NFC (=RFID + cell phone) is the next hype
Dave Birch: “customers like NFC (a lot)”
Picture Source: Collin Mulliner
“Most systems are deployed with insufficient security.”
Jonathan Main, Chair of NFC Technical Committee:
“NFC Forum's role is not to define the [security] requirements [because] a mandatory ‘one-size-fits-all’ approach such as that advocated by Mr. Nohl is not viable. Many applications use smart card security […] specified in other consortia. On top of these many security measures, users [can] set their own security parameters and preferences.”
The void of standardized security leads to:
Development of new proprietary measures
Adoption of old, broken security
▪ Protocols: Often broken protocols, i.e.: NFC credit cards
▪ Cryptography: Mifare Classic encryption !!
▪ Secret keys: Key storage in insecure SAMs !!!
Spoof “unique” data of tags such as UID
Done with RFID emulator (OpenPICC) or higher-powered tag (SmartMX)
Foundation for other attack vectors
Attacker
1. Overhear legitimate authentication
2. Force same challenge, answer with same response
Requires predictable “random” numbers
RNG Mifare random numbers are completely predictable and well documented
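Why the challenge source decides whether a recorded response is still accepted, as an added example that is not part of the original slides. The names (`Challenger`, `RestartingNonces`, `FreshNonces`), the sample key and the use of HMAC-SHA-256 as a stand-in for Enc(R) are assumptions made for illustration; the restarting sequence is a constructed simplification, not the Mifare generator.

```python
import hashlib
import hmac
import secrets

KEY = b"constructed-demo-key"  # constructed sample secret shared by both sides


def enc(key, challenge):
    """Stand-in for Enc(R): a keyed function only key holders can compute."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class RestartingNonces:
    """Weak source: a fixed sequence that starts over at every power-up."""

    def __init__(self):
        self.counter = 0

    def power_up(self):
        self.counter = 0

    def next(self):
        self.counter += 1
        return hashlib.sha256(self.counter.to_bytes(4, "big")).digest()[:4]


class FreshNonces:
    """Hardened source: 128 bits from the OS CSPRNG, unaffected by power cycles."""

    def power_up(self):
        pass

    def next(self):
        return secrets.token_bytes(16)


class Challenger:
    def __init__(self, key, nonces):
        self.key, self.nonces, self.pending = key, nonces, None

    def challenge(self):
        self.pending = self.nonces.next()
        return self.pending

    def verify(self, response):
        if self.pending is None:  # no open challenge: reject
            return False
        # Each challenge is consumed by the first verification attempt.
        expected, self.pending = enc(self.key, self.pending), None
        return hmac.compare_digest(expected, response)


def recorded_response_accepted(nonces):
    """One genuine exchange, then a second challenge answered with the recording."""
    challenger = Challenger(KEY, nonces)
    nonces.power_up()
    recorded = enc(KEY, challenger.challenge())  # genuine prover, overheard
    if not challenger.verify(recorded):
        raise RuntimeError("genuine exchange failed")
    nonces.power_up()        # challenger is power-cycled
    challenger.challenge()   # a new challenge is issued
    return challenger.verify(recorded)  # old response, no key involved
```

With `RestartingNonces` the second challenge equals the first, so the recording verifies; with `FreshNonces` it does not.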
Recover secret key: Brute Force
Try all keys
TMTOs
Try all keys, efficiently
Algebraic Attacks w/ SAT solvers
Try all keys, smartly
Microcontroller Insecurity
Infineon SLE66, courtesy Flylogic
Infineon SLE66 address/data bus, courtesy Flylogic
Meshes can sometimes protect data, but not algorithms
“Last resort”: Hide security in secret algorithms.
“Try all keys”
Only possible for small keys
Mifare easy target:
Cipher complexity low, enables efficient FPGA implementation
FPGA cluster finds key in 50 minutes!
Source: Pico Comp.
Weak Authentication Protocol
48-Bit Stream Cipher
Weak Filter Function
Weak Random Number Generator
Time Memory Trade Offs
Brute Force (due to small key)
Key Probing
Algebraic Attacks
Replay Attacks (due to predictable random numbers)
Secret keys can be stored:
Online:
▪ Keys only stored on central server
▪ Expensive setup, long response times
Semi-online:
▪ Devices receive keys at boot time
▪ Keys often stored in DRAM at runtime; bad idea!
Offline:
▪ Devices “securely” store key copy
Secret keys should be
Different for every user
▪ Requires many different keys
Immediately accessible
▪ Requires small number of keys
Best practice: derive user keys from master key; store master key in “key vault”
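One way to derive per-card keys from a small set of master keys, as an added example that is not from the original slides or any deployed system. `KeyVault`, `issue_card`, `reader_accepts` and the sample values are hypothetical, and HMAC-SHA-256 is used here as the derivation function in place of the AES / 3DES step named on the HSM slide. The key version field goes beyond the slide and illustrates the “migration plan” guideline.

```python
import hashlib
import hmac
import secrets


class KeyVault:
    """Stand-in for the key vault: master keys are held here and never returned."""

    def __init__(self, masters):
        self._masters = dict(masters)  # {key version: master key}

    def card_key(self, version, card_id, sector):
        if version not in self._masters:
            raise KeyError(f"master key version {version} is not active")
        # Length-prefix the ID so different (card_id, sector) pairs cannot collide.
        msg = bytes([len(card_id)]) + card_id + bytes([sector])
        return hmac.new(self._masters[version], msg, hashlib.sha256).digest()[:16]

    def retire(self, version):
        """Migration step: stop accepting cards keyed under an old master key."""
        self._masters.pop(version, None)


def issue_card(vault, version, card_id, sectors):
    """Personalisation: the card receives only its own derived keys."""
    return {"id": card_id, "version": version,
            "keys": {s: vault.card_key(version, card_id, s) for s in sectors}}


def card_respond(card, sector, challenge):
    """Card side: answer a challenge with the key stored on the card."""
    return hmac.new(card["keys"][sector], challenge, hashlib.sha256).digest()


def reader_accepts(vault, card, sector):
    """Reader side: re-derive the key from the card ID instead of storing it."""
    try:
        key = vault.card_key(card["version"], card["id"], sector)
    except KeyError:
        return False
    challenge = secrets.token_bytes(16)
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, card_respond(card, sector, challenge))


# Constructed sample data: two master key versions and two card IDs.
MASTERS = {1: b"constructed-master-v1", 2: b"constructed-master-v2"}
CARD_A_ID = bytes.fromhex("04a1b2c3")
CARD_B_ID = bytes.fromhex("04a1b2c4")
```

Every card and sector gets a different key, yet the reader side needs only the active master keys, and a key taken from one card does not authenticate under another card's ID.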
“Secure” Access Modules are standard micro-processors
Low effort to extract master keys
SAMs are becoming cheaper and less secure!
(cell phones are not any better)
Source: Flylogic