P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\titulka.jpg
PV204 Security technologies
Labs: Secure authentication and authorization
•Petr Švenda svenda@fi.muni.cz
•Faculty of Informatics, Masaryk University
D:\Documents\Obrázky\services_icon_full_bw5.jpg

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Laboratory
1.Uploading SimpleApplet into real smart card
–Process
–Authorization of upload request
–What to do be aware (blocking card etc.)
2.JavaCard implementation of HOTP/TOTP
–https://github.com/Yubico/ykneo-oath
–Uploading compiled applet, using desktop application
–Inspection of application code
•
2
| PV204 Security technologies - Labs

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
What is necessary - prerequisities
•Java SDK installed
–JAVA_HOME environment variable set
–JAVA_HOME = c:\Program Files\Java\jdk1.8.0_72\
•Apache Ant installed
–Path to ant binary set in PATH environment variable
–PATH += c:\Program Files (x86)\apache-maven-3.3.9\bin\
•Restart cmd console after setting these variables
3
| PV204 Security technologies - Labs

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Working with real card - compilation
•AppletPlayground (https://github.com/martinpaljak/AppletPlayground)
–Copy your source code into SimpleApplet folder
•Run ‘ant simpleapplet’ to compile and convert
–simpleapplet.cap is produced (binary for real card)
–
| PV204 Security technologies - Labs
4

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Working with real card - upload
•GlobalPlatformPro (http://github.com/martinpaljak/GlobalPlatformPro)
•Remove previous installation of applet
–If exists (use gp --list to obtain list of cards)
–gp -delete 010203040506 -deletedeps -verbose -all
•Upload applet to real card
–gp -install simpleapplet.cap --param 00 -verbose
•
•
•
| PV204 Security technologies - Labs
5

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Be aware – real card can be blocked
•Too many unsuccessful authentication requests
6
| PV204 Security technologies - Labs
>gp --list -debug
# Detected readers from SunPCSC
[*] Alcor Micro USB Smart Card Reader 0
SCardConnect("Alcor Micro USB Smart Card Reader 0", T=*) -> T=0, 3BF71800008031F
E45736674652D6E66C4
SCardBeginTransaction("Alcor Micro USB Smart Card Reader 0")
A>> T=0 (4+0000) 00A40400 00
A<< (0018+2) (56ms) 6F108408A000000003000000A5049F6501FF 9000
A>> T=0 (4+0008) 80500000 08 6265E168FB2639C1
A<< (0028+2) (118ms) 00003126960097543174010200103595AC1420213D2969EA8B8C41F3 90
00
openkms.gp.GPException: STRICT WARNING: Card cryptogram invalid!
Card: 3D2969EA8B8C41F3
Host: DB1E6E1E71958A15
!!! DO NOT RE-TRY THE SAME COMMAND/KEYS OR YOU MAY BRICK YOUR CARD !!!
        at openkms.gp.GlobalPlatform.printStrictWarning(GlobalPlatform.java:156)
        at openkms.gp.GlobalPlatform.openSecureChannel(GlobalPlatform.java:471)
        at openkms.gp.GPTool.main(GPTool.java:348)

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Be aware – real card can be blocked
•Don’t write script that executes many authentications at once (cycle, multiple commands)
•If unsuccessful one/two authentication is detected, then as for help, please!!!
7
| PV204 Security technologies - Labs

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
YUBIKEY OAUTH
•
8
| PV204 Security technologies - Labs

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Yubikey OATH applet
•Yubikey OATH applet
–https://github.com/Yubico/ykneo-oath/
–Already included in AppletPlayground
•Desktop OAUTH utility
–https://developers.yubico.com/yubioath-desktop/Releases/
•Change name of reader
–File ® Settings ® Card reader name
–Insert your reader name (use gp to obtain it)
•E.g.,Gemplus USB Key Smart Card Reader 0
•
9
| PV204 Security technologies - Labs

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Add new secret File ® Add
•Credential name: anything
•Secret key: key shared with verification server
–Base32 encoding (a-z0-9=)
–E.g., password=
•Try HOTP option (rfc4226)
•Try TOTP option (rfc6238)
•What difference you can see?
•What is advantage/disadvantage of TOTP to HOTP
10
| PV204 Security technologies - Labs

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Testing OATH applet
•YkneoOathTest project
•No main function, execution via unit tests
•Add JUnit library
–Libraries ® RClick ® JUnit 4.10
–YkneoOathTest should now compile
•Run test you wish
–Place breakpoint into target test
–RClick ® Debug focused test method for run
•Can you localize functions responsible for TOTP/HOTP computations?
•
11
| PV204 Security technologies - Labs

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Homework –bonus from last week
•Bonus (up to +5 points):
–implement bulk encryption with AES and on-card key
–Key is generated randomly (separate command)
–Data send in/out (APDU)
–Encrypted/decrypted by AES in CBC mode (enc/dec mode specified in P1 parameter)
–Measure speed you can achieve (compare with https://www.fi.muni.cz/~xsvenda/jcalgtest/)
–Which optimization had biggest speed impact?
•Submit before: 29.3. 6am (soft deadline for bonus part)
| PV204 Security technologies - Labs
12