Past & Future Issues in Smartcard Industry

Transcription

1 Past & Future Issues in Smartcard Industry Ecrypt 2 Summer School Guillaume Dabosville Oberthur Technologies

2 Oberthur Technologies the group its divisions payment, mobile, transport and digital TV markets identity documents (e-passport, driving license, health, etc) design and printing of banknotes and passports ink staining technology Oberthur Technologies 2

3 Oberthur Technologies the group its revenues Oberthur Technologies 3

4 Oberthur Technologies the group the crypto team crypto & security team secure primitives certif practical evaluation CC-ready Oberthur Technologies 4

5 Oberthur Technologies smartcard industry the main use cases payment, mobile, transport and digital TV markets identity documents (e-passport, driving license, health, etc) design and printing of banknotes and passports ink staining technology Oberthur Technologies 5

6 agenda 1. from card to smart card short history nowadays why is it smart 2. payment industry issues in card authentication static data authentication - SDA dynamic data authentication DDA 3. mobile industry issues in radio control access 2G networks 3G networks 4. identity industry standardization body description security needs BAC / SAC / PACE 5. future issues 6. conclusion Oberthur Technologies 6

7 the card industry a short history appears in the 70 s in several countries (France, Germany, Japan, USA) several patents argue the ownership first uses prepaid card (memory only) credit cards (µ processor) Oberthur Technologies 7

8 the card industry nowadays plastic card ISO 7816 compliant card dimensions physical constraints (flexibilty, etc) positioning of the contacts communication protocols internal architecture of IC Oberthur Technologies 8

9 the card industry nowadays Oberthur Technologies 9

10 the smart card why is it smart? From Collins dictionary: smart ~ { brilliant, ingenious, intelligent, chic, elegant } + many words I do not understand brilliant / intelligent: DES, 3DES, AES, RSA (up to 2048 bits), ECC ingenious: virtual money lower risk of money theft, lower cost for cash management (transfer funds) chic / elegant secure Oberthur Technologies 10

11 the smart card how much is it smart? lost & stolen fraud Oberthur Technologies 11

12 the smart card how much is it smart? counterfeit fraud Oberthur Technologies 12

13 agenda 1. from card to smart card short history nowadays why is it smart 2. payment industry issues in card authentication static data authentication - SDA dynamic data authentication DDA 3. mobile industry issues in radio control access 2G networks 3G networks 4. identity industry standardization body description security needs BAC / SAC / PACE 5. future issues 6. conclusion Oberthur Technologies 13

14 payment industry the setting Issuer Acquirer Infrastructure cardholder merchant Oberthur Technologies 14

15 payment industry issues in a payment transaction card authentication is it a valid card? card authentication is it the cardholder? ask for and check PIN cardholder verification Generate AC transaction data Transaction Certificate transaction Oberthur Technologies 15

16 agenda 1. from card to smart card short history nowadays why is it smart 2. payment industry issues in card authentication static data authentication - SDA dynamic data authentication DDA 3. mobile industry issues in radio control access 2G networks 3G networks 4. identity industry standardization body description security needs BAC / SAC / PACE 5. future issues 6. conclusion Oberthur Technologies 16

17 payment industry static authentication - PKI Issuer CA Acquirer (PK I, SK I ) (PK CA, SK CA ) (PK CA ) Signed by Signed by Card Data PK I Cert CA (PK I ) Sign SKI (Card Data) Cert CA (PK I ) + Sign SKI (Card Data) PK CA Oberthur Technologies 17

18 payment industry static authentication security analysis used in B0 (1989) EMV (1995) as Static Data Authentication (SDA) subject to replay attacks (because it is static) mass attack subject to the yescard attack implemented by Serge Humpich in 1997 Sign SK is an RSA signature with a 96digit modulus n factorisation of n=p.q is feasible since 1991 [Lenstra91] can forge new cards with correct static signature pointing to non-existing accounts counterfeits cards always answer YES regardless of the entered PIN code last RSA factorisation: a 768bit modulus Oberthur Technologies 18

19 agenda 1. from card to smart card short history nowadays why is it smart 2. payment industry issues in card authentication static data authentication - SDA dynamic data authentication DDA 3. mobile industry issues in radio control access 2G networks 3G networks 4. identity industry standardization body description security needs BAC / SAC / PACE 5. future issues 6. conclusion Oberthur Technologies 19

20 payment industry dynamic authentication - PKI Issuer CA Acquirer (PK I, SK I ) (PK CA, SK CA ) (PK CA ) Signed by Signed by Card Data PK ICC PK I PK ICC, SK ICC, Cert I (PK ICC ), Cert CA (PK I ) TD: Term Data Sig Sign SKICC (Card Data,TD) Cert I (PK ICC ), Cert CA (PK I ), Sig PK CA Oberthur Technologies 20

21 payment industry dynamic authentication security analysis thwarts replay attacks thanks to challenge-response mass attack no longer relevant Oberthur Technologies 21

22 agenda 1. from card to smart card short history nowadays why is it smart 2. payment industry issues in card authentication static data authentication - SDA dynamic data authentication DDA 3. mobile industry issues in radio control access 2G networks 3G networks 4. identity industry standardization body description security needs BAC / SAC / PACE 5. future issues 6. conclusion Oberthur Technologies 22

23 mobile industry issues in radio control access SIM mobile BSS BTS BSC Visited Network MSC/VLR Home Network AuC/HLR usurpation of identity hijacking the connection phone-taping on the radio link [passive] phone-taping by simulating a false BSS [Man-in-the-middle] tracing SIM theft threats countermeasures user authentication integrity of routing data ciphering mutual authentication ciphering temporary identity and ciphering PIN code Oberthur Technologies 23

24 agenda 1. from card to smart card short history nowadays why is it smart 2. payment industry issues in card authentication static data authentication - SDA dynamic data authentication DDA 3. mobile industry issues in radio control access 2G networks 3G networks 4. identity industry standardization body description security needs BAC / SAC / PACE 5. future issues 6. conclusion Oberthur Technologies 24

25 mobile industry 2G network (GSM) - description SIM mobile BSS BTS BSC Visited Network MSC/VLR Home Network AuC/HLR K i K i TMSI TMSI TMSI TMSI RAND A3/A8 RAND RAND RAND RAND SRES Kc A3/A8 SRES Kc SRES SRES Kc verify SRES A5 A5 voice ciphered voice voice Oberthur Technologies 25

26 mobile industry 2G network security analysis ciphering is an option (activated by network decision only) no mutual authentication (only the user towards the network) risk of phone-taping supported by a man-in-the-middle attack false BTS genuine BTS K i K i no integrity check (may raise problems with regard to signalling messages) ciphering stops at the BTS no in-depth ciphering some implementations of A3/A8 and A5 algorithms are considered to be not at the state-of-the-art (COMP128 and A5/1, A5/2) Oberthur Technologies 26

27 agenda 1. from card to smart card short history nowadays why is it smart 2. payment industry issues in card authentication static data authentication - SDA dynamic data authentication DDA 3. mobile industry issues in radio control access 2G networks 3G networks 4. identity industry standardization body description security needs BAC / SAC / PACE 5. future issues 6. conclusion Oberthur Technologies 27

28 mobile industry 3G network (UMTS) - description SIM mobile BSS BTS BSC Visited Network MSC/VLR Home Network AuC/HLR K K TMSI TMSI TMSI RAND f1-f5 RAND, AUTN RAND, AUTN RAND, AUTN RAND AUTN verify AUTN f1-f5 RES CK voice IK f9 mac f8 RES ciphered voice, mac CK f8 IK RES CK, IK verify mac f9 voice,mac verify RES RES CK IK Oberthur Technologies 28

29 mobile industry 3G network security analysis ciphering along the whole radio subsystem still activated by network decision only, but the no ciphering order is authenticated integrity mechanism to protect signalling information mutual authentication of SIM and AuC Oberthur Technologies 29

30 agenda 1. from card to smart card short history nowadays why is it smart 2. payment industry issues in card authentication static data authentication - SDA dynamic data authentication DDA 3. mobile industry issues in radio control access 2G networks 3G networks 4. identity industry standardization body description security needs BAC / SAC / PACE 5. future issues 6. conclusion Oberthur Technologies 30

31 identity industry e-passport standardization ICAO: International Civil Aviation Organization international regulation authority harmonization of travelling documents provides a common framework for passports all over the world open standards for Governments and suppliers mandatory: identification data + integrity + authentication optional: biometry + other protection mechanisms Oberthur Technologies 31

32 identity industry description printed identifying data (eg owner s picture) printed machine readable data (MRZ, CAN) visual security features (eg holograms) MRZ contactless chip in the paperback chip contains all identifying data chip optionally contains biometrical data like fingerprints Oberthur Technologies 32

33 identity industry security needs contactless technologies bring on new issues invasion of privacy since a malicious reader can interact with the chip without the knowledge of the owner passport must be open to access the identity of the holder content should be protected by an access control policy Basic Access Control Supplemental Access Control Extended Access Control use the MRZ Oberthur Technologies 33

34 agenda 1. from card to smart card short history nowadays why is it smart 2. payment industry issues in card authentication static data authentication - SDA dynamic data authentication DDA 3. mobile industry issues in radio control access 2G networks 3G networks 4. identity industry standardization body description security needs BAC / SAC / PACE 5. future issues 6. conclusion Oberthur Technologies 34

35 identity industry Basic Access Control K choose r CHIP, K CHIP CHIP r CHIP IS read the MRZ optically derive K r IS, r CHIP, K IS =D K (e IS ) e IS choose r IS, K IS e IS = E K (r IS, r CHIP, K IS ) check r CHIP = r CHIP e CHIP =E K (r CHIP, r IS, K CHIP ) e CHIP check r IS = r IS Oberthur Technologies 35

36 identity industry BAC - security analysis recovery process 1. eavesdrop one BAC session 2. guess/recover through social network MRZ-information (ex: Date of birth, passport date of expiry, passport number) 3. derive the ciphering key (KDF is public) 4. decipher e IS and check for meaningful data thanks to r CHIP 5. go to step 2 until MRZ is found. MRZ entropy is very low: US 53 bits, Spain and Italy 51 bits, France 52 bits even less since field are not independent (date of expiry and passport number...) to be compared to entropy requirements: 80 bits up to 2010, 112bits then. BAC is weak to offline brute force attack Oberthur Technologies 36

37 identity industry BAC - security analysis addendum to the standard to improve access control alternative to the BAC in ICAO standard SAC based on the protocol Password Authenticated Connection Establishment (PACE) fixes the default of BAC Oberthur Technologies 37

38 identity industry PACE establishes Secure Channel between chip and IS uses strong session keys independent of the strength of the password π requires public key cryptography can take as a password either the MRZ (ICAO required) the CAN (ICAO optional) a PIN resists to offline attacks protects Privacy Oberthur Technologies 38

39 identity industry PACE SPA-resistant Oberthur Technologies 39

40 agenda 1. from card to smart card short history nowadays why is it smart 2. payment industry issues in card authentication static data authentication - SDA dynamic data authentication DDA 3. mobile industry issues in radio control access 2G networks 3G networks 4. identity industry standardization body description security needs BAC / SAC / PACE 5. future issues 6. conclusion Oberthur Technologies 40

41 future issues fraud in FR transaction vs. fraud progress Oberthur Technologies 41

42 future issues fraud in FR detailed fraud Oberthur Technologies 42

43 the issue at stake payment on the internet Oberthur Technologies 43

44 the issue at stake convergence Oberthur Technologies 44

45 the issue at stake RSA government recommendations/requirements on RSA key-size for long term crypto Protection period Symmetric cryptosystems Factorization and discrete-log cryptosystems (eg.rsa, DH, DSA) Elliptic-curve cryptosystems (eg. ECDH, ECDSA) Short term to to to >> RSA key cannot be used anymore for governmental applications (passports) ECC is the backup plan of RSA what is the backup plan of ECC? Oberthur Technologies 45

46 conclusion past issues authenticate a customer and a device to access a network for a service remote payment: cardholder + credit card mobile phone: subscriber + handset e-passport: control the access to the identity of the citizen to provide privacy future issues / new trends payment in not trusted environments (PC, smartphones) backup plan in case of a breakthrough in cryptanalysis of ECC smartcards helped to solve past issues can help to solve next issues using new form factors? µsd, USB stick new owners? the end-user? Oberthur Technologies 46

47 Thank you Ecrypt 2 Summer School Oberthur Technologies