Smart card security Nora Dabbous Security Technologies Department.

Smart card security

Nora DabbousSecurity Technologies Department

2

The Smart Card...

• The smart card stores electronic data and programs in a protected file system

Protection by advanced security features Tamper resistance

• Several types of smart cards Contact

• Memory• Microprocessor

Contactless• Memory• Microprocessor

Smart card often means Smart card often means Microprocessor cardMicroprocessor card

3

Close-up view...

4

Memory Characteristics

•EEPROM (non volatile memory, write 100.000 times)

Up to 256K Bytes

Application data storage

•ROM (write once)

Up to 512 K Bytes

Software (Operating System) storage

•RAM (temporary)

Up to 5 K Bytes

Working memory

•Flash (non volatile memory)

Software patches or static application code & data

5

Contact Smart Cards

Communication through electrical Communication through electrical contactscontacts

6

Contactless Smart Cards

Communication over the airCommunication over the air

The Chip Operating System

File and directory management :

Create

Read Only

Add Information Only

Erase and Update

Access protected by secret codes :

Data files

Secret Code files

Cryptographic key files

8

HOSTHOST READERSREADERS CARDSCARDS

Application Players

9

Role of the Reader

Application Software

Reader Card

• The reader is the interface between the card and the application It serves as a translator It accepts the messages

• from the card and • from the application software

10

Hardware Security

11

Smart card attack : Physical Security

Smart card attacks : state of the art

12

Probing Data

• Used to know the data present on a bus• micro-probing

probe the bus with a needle

• e-beam probing probe the bus with an e-beam

Si

DATA BUS

SI

DATA BUS

e-beam

e -

detector

e -

e -

13

Circuit modification

• Connect or disconnect security mechanism disconnect security sensors RNG stuck at a fixed value

• Cut or Paste tracks

• Add probe pads make micro-probing of the buried layers possible

• Equipment

Laser FIB

Cut

Metalstrap

14

Fault Generation

• Vcc• Clock• Temperature• UV• Light• X-Rays• ...

Apply combinations of environmental Apply combinations of environmental conditions conditions

and bypass or infer secrets and bypass or infer secrets

input

key

error

15

Hardware Security Measures

• Security Sensors (VCC, Temp. Light, UV, Clock)

• Data scrambling

• Address scrambling

• Current scrambling

• Several Independent Metal Layers

• Submicron scale

• Deeply buried buses

• Glue Logic

16

Embedded Software Security

17

Process 1Process 2

Start

Decision

t2t1

end

Timing Attacks: Principles

True False

Everything performed unconditionally before the test

A test based on secret data is performedthat leads to a boolean decision

Depending on the boolean condition,the process may be long (t1) or short (t2)

Everything performed unconditionally after the test

18

Power Attacks

• ICC's Power Consumption leaks information about data processing

Power Consumption = f(secret key, data)• Deduce information about secret data and

processing empirical methods statistical treatment

• Monitor ICC's Power Consumption resistor oscilloscope post processing computer chip

19

Power Analysis Tools for contact cards

5V

20

Power Analysis Profiles

• Raw data, zoomed in

Time

Pow

er

1ms

Time

21

SPA attack on RSA

Test key value : 0F 00 F0 00 FF 00

1 1 1 1

0F 0 0 0 0

00

1 1 1 1 0 0

F0 0 0 0 0

00

0 0 0 0

00

1 1 1 1 1 1 1 1

FF

22

Key value : 2E C6 91 5B F9 4A

SPA attack on RSA

2

0010

E

1 1 10

C

1 100

6

0 1 10

9

100 1

1

000 1

5

0 10 1

B

10 1 1

F

1 1 1 1

9

100 1

4

0 100

A

10 10

23

• description :

choose a subset (subKi) of n bits of K

perform a statistical test for each possible value of a subK i

Choose the best guess

Iterate on all possible subKi's

Differential Power Analysis

2n-10 1 2

2

1 n

K

subKi

24

Differential Power Analysis• data processing for a value x of a subKi :

AverageD

x

n

lklkjlsdqfdgcxv

10

dfdsffb

M0

Mn

M1

-

25

Differential Power Analysis• Choosing the right guess

0 1 2n-1

26

Differential Power Analysis

wrong subKi

right subKi

27

• Add noise• Scramble power consumption or stabilize it• Randomize all sensitive data variables with a fresh mask for

every execution of an algorithm

• Randomize, randomize, randomize …

• Secret keys• Messages• Private exponents• Bases• Moduli

Countermeasures

28

Electromagnetic Analysis on RSA

• Tests require a de-capsulation of chip with semi invasive method.

• A scanning of surface is needed to find the « good » area where electromagnetic analysis is possible.

• The chip is powered by contact reader

29

Electromagnetic Analysis

One byte processedPower

Em1

Em2

One bit processed

Sq Mult

0 0 1 1 0 0 0 0

1 0 1 1 1 1 1 1

d=..30...

d=..bf...

30

Radio Frequency Analysis (Contactless Cards)

• Tests are non-invasive.

• A simple magnetic loop made with copper wire is needed.

• An image of the magnetic field, modified by the card’s consumption, is collected.

• The chip is powered by a contactless reader.

31

Equipment (1/2)

32

• There are many potential ways to attack a smart card

• But there are also many ways to counteract and efficiently protect your secrets

• Smart Cards are among the most secure embedded devices in the field today

• We try to keep it that way

Conclusion

33

Read-on

• W. Rankl, W. Effing, Smart Card Handbook, 2nd edition, John Wiley & Sons, 2000.

• K. Vedder, Smart Cards - Requirements, Properties, and Applications, in State of the Art in Applied Cryptography, pages 307-331, LNCS 1528, Springer-Verlag,1997.

34

Any more questions?

[email protected]