Smart card security
Nora Dabbous
Security Technologies Department
2
The Smart Card...
• The smart card stores electronic data and programs in a protected file system
  Protection by advanced security features
  Tamper resistance
• Several types of smart cards
  Contact
  • Memory
  • Microprocessor
  Contactless
  • Memory
  • Microprocessor
Smart card often means Microprocessor card
3
Close-up view...
4
Memory Characteristics
• EEPROM (non volatile memory, write 100.000 times)
  Up to 256K Bytes
  Application data storage
• ROM (write once)
  Up to 512 K Bytes
  Software (Operating System) storage
• RAM (temporary)
  Up to 5 K Bytes
  Working memory
• Flash (non volatile memory)
  Software patches or static application code & data
5
Contact Smart Cards
Communication through electrical contacts
6
Contactless Smart Cards
Communication over the air
The Chip Operating System
File and directory management :
Create
Read Only
Add Information Only
Erase and Update
Access protected by secret codes :
Data files
Secret Code files
Cryptographic key files
8
Application Players
HOST, READERS, CARDS
9
Role of the Reader
[Figure: Application Software, Reader, Card]
• The reader is the interface between the card and the application
  It serves as a translator
  It accepts the messages
  • from the card and
  • from the application software
10
Hardware Security
11
Smart card attack : Physical Security
Smart card attacks : state of the art
12
Probing Data
• Used to know the data present on a bus
• micro-probing
  probe the bus with a needle
• e-beam probing
  probe the bus with an e-beam
[Figure: needle and e-beam probing of a DATA BUS on silicon (Si); e-beam, e- detector]
13
Circuit modification
• Connect or disconnect security mechanism
  disconnect security sensors
  RNG stuck at a fixed value
• Cut or Paste tracks
• Add probe pads
  make micro-probing of the buried layers possible
• Equipment
  Laser
  FIB
[Figure labels: Cut, Metal strap]
14
Fault Generation
• Vcc
• Clock
• Temperature
• UV
• Light
• X-Rays
• ...
Apply combinations of environmental conditions and bypass or infer secrets
[Figure labels: input, key, error]
15
Hardware Security Measures
• Security Sensors (VCC, Temp., Light, UV, Clock)
• Data scrambling
• Address scrambling
• Current scrambling
• Several Independent Metal Layers
• Submicron scale
• Deeply buried buses
• Glue Logic
16
Embedded Software Security
17
Timing Attacks: Principles
Everything performed unconditionally before the test
A test based on secret data is performed that leads to a boolean decision
Depending on the boolean condition, the process may be long (t1) or short (t2)
Everything performed unconditionally after the test
[Figure: flowchart with Start, Decision (True / False), Process 1, Process 2, t1, t2, end]
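
The principle on this slide, as an added example that is not part of the original deck: a PIN comparison that stops at the first wrong digit, next to a version whose duration does not depend on the secret. The stored PIN, the function names and the step counter standing in for execution time are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>

#define PIN_LEN 4
/* Constructed sample secret; on a card it would sit in a secret code file. */
static const uint8_t STORED_PIN[PIN_LEN] = {1, 2, 3, 4};

/* Leaky check: the test on secret data decides whether the loop continues
 * (long path, t1) or stops (short path, t2). *steps stands in for time. */
int pin_check_leaky(const uint8_t guess[PIN_LEN], unsigned *steps)
{
    *steps = 0;
    for (int i = 0; i < PIN_LEN; i++) {
        (*steps)++;
        if (guess[i] != STORED_PIN[i])
            return 0;          /* early exit: duration depends on the secret */
    }
    return 1;
}

/* Hardened check: every digit is always processed and the differences are
 * accumulated with XOR/OR, so no branch is taken on secret data. */
int pin_check_constant(const uint8_t guess[PIN_LEN], unsigned *steps)
{
    uint8_t diff = 0;
    *steps = 0;
    for (int i = 0; i < PIN_LEN; i++) {
        (*steps)++;
        diff |= (uint8_t)(guess[i] ^ STORED_PIN[i]);
    }
    return diff == 0;
}

int main(void)
{
    /* Constructed guesses with 0, 1, 2 and 3 correct leading digits. */
    const uint8_t guesses[4][PIN_LEN] = {{9,9,9,9}, {1,9,9,9}, {1,2,9,9}, {1,2,3,9}};
    for (int g = 0; g < 4; g++) {
        unsigned leaky, constant;
        pin_check_leaky(guesses[g], &leaky);
        pin_check_constant(guesses[g], &constant);
        printf("correct prefix %d: leaky %u steps, constant %u steps\n", g, leaky, constant);
    }
    return 0;
}
```

With the leaky version the step count grows with the number of correct leading digits, so each digit can be confirmed on its own; the constant version always takes four steps.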
18
Power Attacks
• ICC's Power Consumption leaks information about data processing
  Power Consumption = f(secret key, data)
• Deduce information about secret data and processing
  empirical methods
  statistical treatment
• Monitor ICC's Power Consumption
  resistor
  oscilloscope
  post processing computer
  chip
19
Power Analysis Tools for contact cards
5V
20
Power Analysis Profiles
• Raw data, zoomed in
[Figure: power traces; axes Power and Time; scale mark 1ms]
21
SPA attack on RSA
Test key value : 0F 00 F0 00 FF 00
[Figure: power trace annotated with the key bits]
0F = 0000 1111
00 = 0000 0000
F0 = 1111 0000
00 = 0000 0000
FF = 1111 1111
00 = 0000 0000
22
SPA attack on RSA
Key value : 2E C6 91 5B F9 4A
[Figure: power trace annotated with the key bits]
2 = 0010   E = 1110
C = 1100   6 = 0110
9 = 1001   1 = 0001
5 = 0101   B = 1011
F = 1111   9 = 1001
4 = 0100   A = 1010
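
Why the key bits can be read off the trace, shown as an added example (not from the original slides): a square-and-multiply exponentiation run with the key value above logs one 'S' per bit and an extra 'M' for each 1 bit, while a square-and-multiply-always variant logs the same sequence for any key. The toy modulus, the base 5 and all function names are assumptions; the operation log stands in for a measured power trace.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define KEY_BITS 48
static const uint64_t SLIDE_KEY = 0x2EC6915BF94AULL; /* 2E C6 91 5B F9 4A */
static const uint64_t N = 1000003;                   /* constructed toy modulus */

/* Left-to-right square-and-multiply; 'S'/'M' stand in for trace shapes. */
uint64_t modexp_leaky(uint64_t base, uint64_t d, char *trace) {
    uint64_t r = 1;
    for (int i = KEY_BITS - 1; i >= 0; i--) {
        r = (r * r) % N;        *trace++ = 'S';
        if ((d >> i) & 1) {     /* multiply only when the key bit is 1 */
            r = (r * base) % N; *trace++ = 'M';
        }
    }
    *trace = '\0';
    return r;
}

/* What the trace gives away: each 'S' starts a bit, an 'M' after it sets it. */
uint64_t bits_from_trace(const char *trace) {
    uint64_t d = 0;
    for (; *trace; trace++)
        d = (*trace == 'S') ? d << 1 : d | 1;
    return d;
}

/* Square-and-multiply-always: same S,M sequence whatever the key bits are. */
uint64_t modexp_always(uint64_t base, uint64_t d, char *trace) {
    uint64_t r = 1;
    for (int i = KEY_BITS - 1; i >= 0; i--) {
        uint64_t keep = 0 - ((d >> i) & 1);   /* all ones when the bit is 1 */
        r = (r * r) % N;             *trace++ = 'S';
        uint64_t t = (r * base) % N; *trace++ = 'M';
        r = (t & keep) | (r & ~keep);         /* select without branching */
    }
    *trace = '\0';
    return r;
}

int main(void) {
    char a[2 * KEY_BITS + 1], b[2 * KEY_BITS + 1];
    modexp_leaky(5, SLIDE_KEY, a);
    printf("leaky: %s -> %012llX\n", a, (unsigned long long)bits_from_trace(a));
    modexp_always(5, SLIDE_KEY, a);
    modexp_always(5, 0x0F00F000FF00ULL, b);  /* test key of the previous slide */
    printf("always: same trace for both keys: %d\n", strcmp(a, b) == 0);
    return 0;
}
```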
23
Differential Power Analysis
• description :
  choose a subset (subKi) of n bits of K
  perform a statistical test for each possible value of a subKi
  Choose the best guess
  Iterate on all possible subKi's
[Figure: key K with an n-bit subset subKi; possible values 0, 1, 2, ..., 2^n-1]
24
Differential Power Analysis
• data processing for a value x of a subKi :
[Figure: labels M0, M1, ..., Mn, Average, "-", D, x, n]
25
Differential Power Analysis
• Choosing the right guess
[Figure: axis 0, 1, ..., 2^n-1]
26
Differential Power Analysis
wrong subKi
right subKi
27
Countermeasures
• Add noise
• Scramble power consumption or stabilize it
• Randomize all sensitive data variables with a fresh mask for every execution of an algorithm
• Randomize, randomize, randomize …
  • Secret keys
  • Messages
  • Private exponents
  • Bases
  • Moduli
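
The DPA procedure and the masking countermeasure together, as an added example that is not part of the original deck: a noise-free simulation on one 4-bit subKi where the statistical test is a difference of means summed over the four predicted S-box output bits. Assumptions: Hamming-weight leakage, the PRESENT S-box as toy target, subkey 0xB, and masking modelled only as leakage of v ^ r (a real implementation must also carry the mask through the S-box).

```c
#include <stdio.h>

/* Toy target: v = SBOX[m ^ subkey], using the 4-bit S-box of PRESENT. */
static const int SBOX[16] = {0xC,5,6,0xB,9,0,0xA,0xD,3,0xE,0xF,8,4,7,1,2};

static int hw(int x) { int c = 0; for (; x; x >>= 1) c += x & 1; return c; }
/* Noise-free power sample: Hamming weight of v, or of v ^ r when masked. */
static int leak(int m, int key, int r) { return hw(SBOX[m ^ key] ^ r); }

/* For each guess g: split the samples by each predicted bit of SBOX[m ^ g]
 * and add up mean(bit = 1) - mean(bit = 0) over the 4 bits. masked = 1 runs
 * each message with all 16 masks (a uniform fresh mask per execution). */
void dpa_scores(int key, int masked, double score[16]) {
    int nmask = masked ? 16 : 1;
    for (int g = 0; g < 16; g++) {
        score[g] = 0.0;
        for (int bit = 0; bit < 4; bit++) {
            double sum[2] = {0, 0}, cnt[2] = {0, 0};
            for (int m = 0; m < 16; m++)
                for (int r = 0; r < nmask; r++) {
                    int sel = (SBOX[m ^ g] >> bit) & 1;   /* prediction */
                    sum[sel] += leak(m, key, r);
                    cnt[sel] += 1;
                }
            score[g] += sum[1] / cnt[1] - sum[0] / cnt[0];
        }
    }
}

/* Best guess = highest score; *spread = max - min over all guesses. */
int best_guess(const double score[16], double *spread) {
    int best = 0, worst = 0;
    for (int g = 1; g < 16; g++) {
        if (score[g] > score[best]) best = g;
        if (score[g] < score[worst]) worst = g;
    }
    *spread = score[best] - score[worst];
    return best;
}

int main(void) {
    double s[16], spread;
    for (int masked = 0; masked <= 1; masked++) {
        dpa_scores(0xB, masked, s);          /* 0xB: constructed sample subkey */
        int guess = best_guess(s, &spread);
        printf("masked=%d: top guess %X, spread %.2f\n", masked, guess, spread);
    }
    return 0;
}
```

Without masking the right subkey is the only guess that reaches the top score; with a fresh uniform mask every guess scores the same, so the spread is zero and the top guess carries no information.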
28
Electromagnetic Analysis on RSA
• Tests require decapsulation of the chip with a semi-invasive method.
• A scan of the surface is needed to find the "good" area where electromagnetic analysis is possible.
• The chip is powered by a contact reader.
29
Electromagnetic Analysis
[Figure: Power, Em1 and Em2 traces; "One byte processed"; "One bit processed"; Sq / Mult]
d=..30... : 0 0 1 1 0 0 0 0
d=..bf... : 1 0 1 1 1 1 1 1
30
Radio Frequency Analysis (Contactless Cards)
• Tests are non-invasive.
• A simple magnetic loop made with copper wire is needed.
• An image of the magnetic field, modified by the card’s consumption, is collected.
• The chip is powered by a contactless reader.
31
Equipment (1/2)
32
Conclusion
• There are many potential ways to attack a smart card
• But there are also many ways to counteract and efficiently protect your secrets
• Smart Cards are among the most secure embedded devices in the field today
• We try to keep it that way
33
Read-on
• W. Rankl, W. Effing, Smart Card Handbook, 2nd edition, John Wiley & Sons, 2000.
• K. Vedder, Smart Cards - Requirements, Properties, and Applications, in State of the Art in Applied Cryptography, pages 307-331, LNCS 1528, Springer-Verlag, 1997.