PV079: Cryptographic smartcards and their applications
Cryptographic secure hardware
Petr Švenda, svenda@fi.muni.cz, @rngsec
Centre for Research on Cryptography and Security, Masaryk University
https://crocs.fi.muni.cz @CRoCS_MUNI

Overview
• Smartcards – introduction
• Applications – where to use?
• Smartcard programming
• Side-channel attacks
  – power analysis
  – reverse engineering
  – timing attacks

INTRO TO SMART CARDS

Basic types of (smart) cards
1. Contactless “barcode”
  – Fixed identification string (RFID, < 5 cents)
2. Simple memory cards (magnetic stripe, RFID)
  – Small write memory (< 1KB) for data, (~10 cents)
3. Memory cards with PIN protection
  – Memory (< 5KB), simple protection logic (<$1)

Basic types of (smart) cards (2)
4. Cryptographic smart cards
  – Support for (real) cryptographic algorithms
  – Mifare Classic ($1), Mifare DESFire ($3)
5. User-programmable cryptographic smart cards
  – JavaCard, .NET card, MULTOS cards ($2-$30)
  – Chip manufacturers: NXP, Infineon, Gemalto, G&D, Oberthur, STM, Atmel, Samsung...
6. Secure environment (enclave) inside more complex CPUs
  – ARM TrustZone, Intel SGX…
We will mainly focus on categories 4 and 5

Cryptographic smart cards
• SC is quite a powerful device
  – 8-32 bit processor @ 5-50MHz
  – persistent memory 32-200+kB (EEPROM)
  – volatile fast RAM, usually <<10kB
  – truly random generator
  – cryptographic coprocessor (3DES, AES, RSA-2048, ECC...)
• ~10 billion units shipped in 2019 (EUROSMART)
  – mostly smart cards, telco, payment and loyalty...
  – ~1.5 billion contactless (EUROSMART)
• For environments where attackers have physical access
  – NIST FIPS140-2 standard, security Level 4
  – Common Criteria EAL4+/5+
[Figure: smart card chip layout showing EEPROM, CPU, CRYPTO, SRAM, ROM, RNG. Credit: Wikimedia Commons]

Primary markets for smartcards
[Figure: market shares, including Telco and Payment. Source: https://www.eurosmart.com/eurosmarts-secure-elements-market-analysis-and-forecasts/]

Smart card forms
• Many possible forms
  – ISO 7816 standard
  – SIM size, USB dongles, Java rings…
• Contact(-less), hybrid/dual interface
  – contact physical interface
  – contact-less interface (NFC phone can communicate!)
  – hybrid card – separate logics on single card
  – dual interface – same chip accessible contact & c-less
• Card emulation (contactless)
  1. Card emulation mode (physical in-phone secure element)
  2. Host-based card emulation (without physical element)
    • Apple Pay, Google Pay
Image sources: http://simcardsize.com/sim-card-sizes/ https://shop.cobo.com/products/cobo-vaultessential https://www.infineon.com/ https://yubico.com

Contact vs. contactless, powerless vs. battery-powered
• Contact cards (ISO7816-2)
  – I/O data line, voltage and GND line
  – clock line, reset lines
• Contactless cards
  – ISO/IEC 14443 type A/B, radio at 13.56 MHz (NFC)
  – Chip powered by current induced on antenna by reader
  – Reader → chip communication - relatively easy
  – Chip → reader – dedicated circuits are charged, more power consumed, fluctuation detected by reader
  – Multiple cards per single reader possible
• Additional battery possible
  – Higher cost, need to charge, but longer distance and faster communication (Bluetooth LE)

Smart card is a highly protected device
• Intended for physically unprotected environment
  – NIST FIPS140-2 standard, security Level 4
  – Common Criteria EAL5+/6+…
• Tamper protection
  – Tamper-evidence (visible if physically manipulated)
  – Tamper-resistance (can withstand physical attack)
  – Tamper-response (erase keys…)
• Protection against side-channel attacks (timing, power, EM)
• Periodic tests of TRNG functionality
• Approved crypto algorithms and key management
• Limited interface, smaller trusted computing base (than usual)
  – http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm
• Designed for security and certified != secure

What can smartcards be used for?

What problem is cryptographic smartcard solving?
• What problem is cryptographic smartcard solving?
  – Secure storage (keys and sensitive data)
  – Protected secrets even if physically attacked (tamper resistant)
  – Secure (cryptographic) computational device (signature, authentication)
  – Hardware root of trust (initial check of boot sequence)
  – Unspoofable logging
  – Enforcement of specific policy (PIN before sign, four eyes policy)
  – Easy to carry, easy to embed into another device, low battery usage
• Which of these can’t be solved with laptop or mobile phone?

Applications
• SIM modules
  – key storage, session key derivation
  – GSM banking
  – PIN protection
• Bank payment card
  – cryptographic checksum on payment bill
  – offline PIN verification
  – contactless small payments
• Secure system authentication
  – Windows credential provider, Linux PAM modules
  – password storage only, challenge-response protocols
  – door access cards – mostly memory cards only

Applications (cont.)
• Electronic identity cards (ePassports, eIDs)
  – contactless cards with Machine Readable Zone (MRZ)
  – secure messaging between reader and passport
  – active authentication - challenge-response with on-card key
• Multimedia distribution
  – Digital Rights Management (decryption keys, licenses)
  – pre-paid satellite TV (decryption keys)
• Secure storage and encryption/signing device
  – Cryptocurrency hardware wallets…

Application domains change in time
• Cheap yet relatively hard to attack despite physical access
  – Sensitive data can be stored and used yet carried in pocket
  – Protection against the end-user (SIM, satellite decoders…)
• But we now have smartphones!
  – Payments via Apple Pay, Google Pay without physical smartcard
    • Still uses VISA/Mastercard payment infrastructure
  – Smartphones can make smartcards obsolete in large portion of previous usage domains!
• But smartphones are also quite complex (=> bugs)
  – Sensitive data / keys etc. on smartphone are more vulnerable
• New use-cases
  – Trusted Platform Module (smartcard on the motherboard)
  – FIDO U2F tokens (improved authentication tokens)
  – Cryptocurrency hardware wallets (smartcard with trusted display)

MODES OF USAGE

Smart card carries fixed information
• Fixed information ID transmitted, no secure channel
• Low-cost solution (nothing “smart” needed)
• Problem: Attacker can eavesdrop and clone chip

Smart card as a secure carrier
• Key(s) stored on a card, loaded to a PC before encryption/signing/authentication, then erased
• High speed usage of key possible (>>MB/sec)
• Attacker with access to the PC during operation will obtain the key
  – key protected for transport, but not during the usage

Smart card as encryption/signing device
• PC just sends data for encryption/signing…
• Key never leaves the card
  – personalized in secure environment
  – protected during transport and usage
• Attacker must attack the smart card
  – or wait until card is inserted and PIN entered!
• Low speed encryption (~kB/sec)
  – low communication speed / limited card performance

Smart card as computational device
• PC just sends input for application on smart card
• Application code & keys never leave the card
  – card can perform complicated programmable actions
  – new code can be uploaded remotely
  – can open secure channels to other entity
    • secure server, trusted time service…
• PC acts as a transparent relay only (no access to data)
• Attacker must attack smart card or initial input

Smart card as root of trust (TPM)
• Secure boot process, remote attestation
• Smart card provides robust store with integrity
• Application can verify before passing control (measured boot)
• Computer can authenticate with remote entity…

TPM: provided security functions
1. “Measured” boot with remote attestation
  – Provide signed log of what executed on platform (PCR)
2. Storage of keys (disk encryption, private keys…)
  – Can be additionally password protected
3. Binding and Sealing of data
  – Encryption key wrapped by concrete TPM’s public key
4. Platform integrity
  – Software will not start if current PCR value is not right

Myst: secure multiparty signatures
• High-speed, multi-tenant (120 cards)
• Robust against bugs, backdoors
https://crocs.fi.muni.cz/papers/mpc_ccs17

SmartHSM for multiparty (120 smartcards, 3 cards/quorum)
120 cards => 40 quorums => 300+ decryptions / second => 80+ signatures / second
https://crocs.fi.muni.cz/papers/mpc_ccs17

SMARTCARD ALGORITHMS AND PERFORMANCE

Common algorithms
• Basic - cryptographic co-processor
  – Truly random data generator
  – 3DES, AES128/256, (national algorithms)
  – MD5, SHA1, SHA-2 256/512
  – RSA (up to 2048b common, 4096 possible)
  – ECC (up to 256b common, 521b possible)
  – Diffie-Hellman key exchange (DH/ECDSA)
• Custom code running in secure environment
  – E.g., HMAC, OTP code, re-encryption
  – Might be significantly slower (e.g., SW AES 50x slower)

Cryptographic operations
• Supported algorithms (JCAlgTester, 100+ cards)
  – https://github.com/crocs-muni/JCAlgTest
  – https://www.fi.muni.cz/~xsvenda/jcsupport.html

What is the typical performance?
• Hardware differs significantly
  – Clock multiplier, memory speed, crypto coprocessor…
• Typical speed of operation is:
  – Milliseconds (RNG, symmetric crypto, hash)
  – Tens of milliseconds (transfer data in/out)
  – Hundreds of milliseconds (asymmetric crypto)
  – Seconds (RSA keypair generation)
• Operation may consist of multiple steps
  – Transmit data, prepare key, prepare engine, encrypt
    • → additional performance penalty
  – Usability rule of thumb: operation shall finish in 1-1.5sec

Performance tables for common cards
• Visit http://www.fi.muni.cz/~xsvenda/jcalgtest/

Performance with variable data lengths
Limited memory and resources may cause non-linear dependency on a processed data length
http://www.fi.muni.cz/~xsvenda/jcalgtest/

Smartcards programming and use from programs

Big picture – terminal/reader and card
What principles and standards are used?
[Figure: terminal/reader and card; examples: merchant payment, digital signature]

Big picture - components
[Figure: user application, OS smart card API, smart card reader, contact(less) transmission, card I/O manager, card OS, card application]
• User application
  – Merchant terminal GUI
  – Banking transfer GUI
  – Browser TLS
  – …
• Card application
  – EMV applet for payments
  – SIM applet for GSM
  – OpenPGP applet for PGP
  – U2F applet for FIDO authentication
  – …

How to develop on-card application?
JavaCard development process
1. Extends javacard.framework.Applet
2. Compile Java→*.class (Java 1.3 binary format)
3. Convert *.class→*.jar/cap (JavaCard Convertor)
4. Upload *.jar/cap → smart card (GlobalPlatformPro)
5. Install applet (GlobalPlatformPro)
6. Write user Java app (javax.smartcardio.*)
7. Use applet on smart card (APDU)

Pains for users/developers
• Closed-source, IP-heavy, NDA-based industry
• Primary users for manufacturers/vendors are large customers
  – No interest in small / niche users (< 100k units)
  – Important API proprietary and/or not accessible (ARM TrustZone, proprietary JC packages, detailed specs…)
  – Supply chain issues (resellers, difficult to securely obtain card)
• What is open or available
  – Open API for applets (JavaCard API)
  – Open-source development toolchain for JavaCard
  – Common Criteria and FIPS140-2 certificates (but details omitted)
  – Results of reverse engineering

Smartcard security
• Invasive attacks
• Semi-invasive attacks
• Side-channel attacks
• Logical attacks

Attacks against smartcards
• “Secure hardware” != absolutely unbreakable hardware
  – Always depends on attacker motivation, knowledge, resources…
• The goal of security design is to increase the difficulty of attack
  – Higher than the value of data protected
  – Some attacks are harder to perform than others (equipment, time, knowledge, physical vs. remote access…)
  – Security is a process (design, test, fix, repeat)
• Invasive attacks – physical dismantling of chip
  – E.g., read keys directly from physical memory
• Semi-invasive attacks – partial dismantling, chip still works
  – E.g., expose communication bus, read data by microprobe
• Side-channel attacks – unintended leakage of physical device
  – correlated with the secret data processed (keys)
  – E.g., power consumption analysis, timing attack
• Logical attacks - exploit logical flaw in code running inside chip
Focus of this lecture

Discussion – attacking smartcard-based solutions
• Scenario: attack Brno transport ticket card
  – Contactless communication, pre-registered EMV-based card
• Scenario: attack Bitcoin hardware wallet
  – Private key derived, then used to sign transaction (inputs, outputs, amounts)
• Scenario: attack contactless EMV payment card
  – Pay at merchant terminal

Application attacks
• Focus on logical attacks possible by “malware”
  – No physical access to target card is assumed, remote attacks
  – Man-in-the-middle attacks
  – Redirection of traffic, remote smart card access
• Target applications
  – Banking app (login, transaction authorization)
  – Resources protected by two-factor authentication (VPNs…)
  – DRM applications (user is attacker)
  – Citizen ID cards (ID theft)
  – …

Where to log/manipulate communication?
[Figure: communication stack from user application through PC/SC (winscard.dll), reader driver and USB driver to the card (APDU), annotated with the interception points listed below]
• Code inject application
• Load malicious dll (stub)
• Virtual reader, change/inject new driver
• SW USB sniffer
• HW USB sniffer
• Malicious reader firmware
• In-card logger

Power analysis
• External power supply - no battery on SC
• Power consumption depends on actual ops/data
• Voltage variation measured using digital oscilloscope and small resistor
• Real threat – and not only for smart cards
  – Mifare DESfire
  – KeeLoq
  – Xilinx bitstream

Power analysis – basic setup
[Figure: smart card, smart card reader, inverse card connector, resistor 20-80 ohm, probe, oscilloscope]

Simple power analysis
• Direct processing of single power trace
  – operations => reverse engineering
  – data => additional information about secret keys
    • Hamming weight of separate bytes of key (2^56 → 2^38)
• Averaging over multiple traces to reduce noise
• Exact implementation must be known
  – position of instruction
  – obtained by reverse engineering

Reverse engineering – operation level
• Semi-automatic recognition of operations
  – from typical power consumption patterns
  – database of corresponding operation and pattern
• Often easier than obtaining processed data

Timing (side-channel leakage) attack
[Figure: two operations with measured durations of 57 ms and 52 ms]

Timing analysis
• Length of operation depends on processed data
  – due to speed optimization (limited resources)
  – due to un-aware algorithm design
  – e.g. Montgomery ladder
• Timings obtained from power trace

vulnerability (10/2019)
• Length of ECDSA nonce leaked
  – shorter nonce => shorter signature time
• Enough to extract whole ECC private key in 20-30 min
• Athena IDProtect smartcard (EAL 4+), Libgcrypt, SunEC/OpenJDK/Oracle JDK…
https://minerva.crocs.fi.muni.cz/

Differential power analysis
• Powerful attack on secret values
  – e.g. encryption keys
• Multiple power traces with key usage
  – 10^3-10^5 traces with known I/O data
  – KEY ⊕ KNOWN_DATA
• Key is guessed byte-per-byte
  – correct guess reveals correlation with traces
  – all possible values of single byte tried (256)
  – traces divided into 2 groups
  – groups are averaged
  – averaged signals are compared
  – significant peaks if correct
• No need to know exact implementation
  – big advantage

Conclusions
• SC massively deployed (20*10^9), mainly w.r.t. security
  – wide range of usage (banking, SIM, access control)
  – secure storage (encryption/signature keys)
    • on-card asymmetric key generation!
  – secure code execution
  – interesting protocols involving smart cards
• Limited memory (10^2 kB) and CPU power (8-32b, 5-50MHz)
  – Low-cost small computer designed specifically for security
  – crypto operation accelerated by co-processors
• Still can be attacked
  – typically need for special knowledge and/or equipment
  – still far more secure than standard PC
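
The measured-boot items on the TPM slide (a log of what executed, reflected in a PCR, and software refusing to start when the PCR value is not right) can be checked by replaying the log, as in this added example, which is not part of the original slides. It assumes a single SHA-256 PCR starting at all zeros, that the quoted PCR value has already been signature-verified, and a constructed boot log and reference list; all names are hypothetical.

```python
import hashlib

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: new PCR = SHA-256(old PCR || SHA-256(measured component))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def replay(event_log) -> bytes:
    """Recompute the PCR a device must hold after booting the logged components."""
    pcr = bytes(32)  # assumed reset value: 32 zero bytes
    for _name, blob in event_log:
        pcr = extend(pcr, blob)
    return pcr

def verify_log(event_log, quoted_pcr: bytes, known_good: dict):
    """Verifier side: the log must reproduce the quoted PCR, and every
    logged component must match the reference digest for its name."""
    if replay(event_log) != quoted_pcr:
        return False, "log does not match quoted PCR"
    for name, blob in event_log:
        if hashlib.sha256(blob).hexdigest() != known_good.get(name):
            return False, f"unexpected component: {name}"
    return True, "ok"

# Constructed sample data (not taken from any real platform).
BOOT_LOG = [
    ("bootloader", b"bootloader v2.1"),
    ("kernel", b"kernel 5.10"),
    ("initrd", b"initrd 2024-01"),
]
KNOWN_GOOD = {name: hashlib.sha256(blob).hexdigest() for name, blob in BOOT_LOG}

if __name__ == "__main__":
    quote = replay(BOOT_LOG)
    print(verify_log(BOOT_LOG, quote, KNOWN_GOOD))
    tampered = [BOOT_LOG[0], ("kernel", b"kernel 5.10 + rootkit"), BOOT_LOG[2]]
    # A device that booted the modified kernel cannot present the clean log:
    print(verify_log(BOOT_LOG, replay(tampered), KNOWN_GOOD))
```

Because each extend hashes the previous PCR value, neither the order nor the content of earlier measurements can be changed after the fact without changing the final value.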
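
The difference-of-means procedure on the Differential power analysis slide, run over simulated traces as an added example (not part of the original slides). Assumptions: one power sample per trace equal to the Hamming weight of the AES S-box output of KEY ⊕ KNOWN_DATA plus Gaussian noise, the least significant output bit as the grouping rule, and an illustrative `masked` option showing how a fresh random mask per run removes the peak.

```python
import random

def aes_sbox():
    """Build the AES S-box (inverse in GF(2^8) followed by the affine map)."""
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    box, p, q = [0] * 256, 1, 1
    while True:
        p = p ^ ((p << 1) & 0xFF) ^ (0x1B if p & 0x80 else 0)  # p = p * 3
        q ^= (q << 1) & 0xFF                                   # q = q / 3
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        box[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            break
    box[0] = 0x63
    return box

SBOX = aes_sbox()
HW = [bin(v).count("1") for v in range(256)]

def simulate_traces(key_byte, n, rng, masked=False, noise=1.0):
    """Constructed traces: (known data byte, leaked power sample) pairs."""
    traces = []
    for _ in range(n):
        data = rng.randrange(256)
        value = SBOX[key_byte ^ data]
        if masked:
            value ^= rng.randrange(256)  # device only ever handles value XOR mask
        traces.append((data, HW[value] + rng.gauss(0, noise)))
    return traces

def dpa_peaks(traces):
    """For each of the 256 guesses: split traces into 2 groups by the predicted
    S-box output bit, average each group, return the difference of the means."""
    peaks = []
    for guess in range(256):
        total, count = [0.0, 0.0], [0, 0]
        for data, power in traces:
            bit = SBOX[guess ^ data] & 1
            total[bit] += power
            count[bit] += 1
        peaks.append(total[1] / count[1] - total[0] / count[0])
    return peaks

def best_guess(peaks):
    """Key-byte guess with the largest absolute difference of means."""
    return max(range(256), key=lambda g: abs(peaks[g]))

if __name__ == "__main__":
    rng = random.Random(2019)
    key = 0x3C  # constructed secret key byte
    plain = dpa_peaks(simulate_traces(key, 3000, rng))
    print("unmasked: guess %02x, peak %.2f" % (best_guess(plain), plain[key]))
    hidden = dpa_peaks(simulate_traces(key, 3000, rng, masked=True))
    print("masked:   peak at true key %.2f" % hidden[key])
```

The analysis never looks at how the device computes the S-box, only at known data and measured power, which is why the slide calls not needing the exact implementation a big advantage.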