Petr Švenda, svenda@fi.muni.cz, @rngsec
Centre for Research on Cryptography and Security, Masaryk University
https://crocs.fi.muni.cz @CRoCS_MUNI
PV079: Cryptographic smartcards and their applications
Cryptographic secure hardware

Plan for today
1. Secure elements – why do we need them?
2. Applications – where and how to use them?
3. Smartcard programming – how to develop your own application?
4. Interesting real-world examples

UNTRUSTED VS. TRUSTED VS. TRUSTWORTHY

• Untrusted system
  – The system itself is explicitly unable to fulfil some security policy
  – An additional layer of protection must be employed (encrypt before storing, sign before sending…)
  – Not itself a bad property – the system cannot fail us, as we expect no security guarantees from it
• Trusted system
  – “…system that is relied upon to a specified extent to enforce a specified security policy. As such, a trusted system is one whose failure may break a specified security policy.” (TCSEC, Orange Book)
  – A component which harms our security if it malfunctions
• Trustworthy system
  – “Computer system where software, hardware, and procedures are secure, available and functional and adhere to security practices” (Black's Law Dict.)
  – The user has reasons to trust it (e.g., it was heavily tested and scrutinized)

TRUSTED SECURE ELEMENT

What exactly can be a secure element (SE)?
• Anything the user is willing to trust for the provision of security ☺
  – Depends on the definitions of “trust”, “element” and “secure”
  – We will use a narrower definition
• A trusted element is an element (hardware, software or both) in the system intended to increase the security level w.r.t.
the situation without the presence of such an element
  1. Paper cheque vs. payment card with magnetic stripe vs. card with chip (smartcard)
  2. User authenticating with a password vs. a One-Time-Password generator
  3. Feature phone vs. phone with a secure enclave for keys
  4. (Bank vs. bank with a metal safe)

What problems are secure elements addressing?
  – Secure storage (keys and sensitive data)
  – Secrets protected even if physically attacked (tamper resistant)
  – Secure (cryptographic) computational device (signature, authentication)
  – Hardware root of trust (initial check of the boot sequence)
  – Unspoofable logging
  – Enforcement of a specific policy (PIN before signing, four-eyes policy…)
  – Easy to carry, easy to embed into another device, low battery usage
• Which of these can't be solved with a laptop or cell phone?

INTRO TO SMART CARDS

Basic types of (smart) cards
1. Contactless “barcode”
  – Fixed identification string (RFID, < 5 cents)
2. Simple memory cards (magnetic stripe, RFID)
  – Small writable memory (< 1 KB) for data (~10 cents)
3. Memory cards with PIN protection
  – Memory (< 5 KB), simple protection logic (< $1)

Basic types of (smart) cards (2)
4. Cryptographic smart cards
  – Support for (real) cryptographic algorithms
  – Mifare Classic ($1), Mifare DESFire ($3)
5. User-programmable cryptographic smart cards
  – JavaCard, .NET card, MULTOS cards ($2-$30)
  – Chip manufacturers: NXP, Infineon, Gemalto, G&D, Oberthur, STM, Atmel, Samsung...
6.
Secure environment (enclave) inside more complex CPUs
  – ARM TrustZone, Intel SGX…
We will mainly focus on categories 4 and 5

Cryptographic smart cards
• A SC is quite a powerful device
  – 8-32 bit processor @ 5-50 MHz
  – persistent memory 32-200+ kB (EEPROM)
  – volatile fast RAM, usually << 10 kB
  – true random number generator
  – cryptographic coprocessor (3DES, AES, RSA-2048, ECC...)
• ~9.3 billion units shipped in 2021 (EUROSMART)
  – mostly smart cards: telco, payment and loyalty...
  – ~3 billion contactless (EUROSMART)
• For environments where the attacker has physical access
  – NIST FIPS 140-2 standard, security Level 4
  – Common Criteria EAL4-6+
[Figure: smartcard chip die with EEPROM, CPU, CRYPTO, SRAM, ROM and RNG blocks. Credit: Wikimedia Commons]

Primary markets for smartcards
[Figure: market segments, Telco and Payment]
https://www.eurosmart.com/eurosmarts-secure-elements-market-analysis-and-forecasts/
https://www.eurosmart.com/2021-secure-elements-global-market-and-2022-estimates/

Smart card forms
• Many possible forms
  – ISO 7816 standard
  – SIM size, USB dongles, Java rings, implants…
• Contact(-less), hybrid/dual interface
  – contact physical interface
  – contactless interface (an NFC phone can communicate!)
  – hybrid card – separate logic on a single card
  – dual interface – the same chip accessible via contact & contactless interface
• Card emulation (contactless)
  1. Card emulation mode (physical in-phone secure element)
  2.
Host-based card emulation (without a physical element)
    • Apple/Google/Samsung… Pay
[Images: SIM card sizes, hardware wallet, Infineon chip, YubiKey; sources: http://simcardsize.com/sim-card-sizes/ https://shop.cobo.com/products/cobo-vaultessential https://www.infineon.com/ https://yubico.com]

Smart card is a highly protected device
• Intended for a physically unprotected environment
  – NIST FIPS 140-2 standard, security Level 4
  – Common Criteria EAL5+/6+…
• Tamper protection
  – Tamper-evidence (visible if physically manipulated)
  – Tamper-resistance (can withstand physical attack)
  – Tamper-response (erase keys…)
• Protection against side-channel attacks (timing, power, EM)
• Periodic tests of TRNG functionality
• Approved crypto algorithms and key management
• Limited interface, smaller trusted computing base (than usual)
  – http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm
• Designed for security and certified != secure

BASIC MODES OF USAGE

Secure element carries fixed information
• Fixed information (ID) transmitted, no secure channel
• Low-cost solution (nothing “smart” needed)
• Problem: an attacker can eavesdrop and clone the chip

Secure element as a secure carrier
• Key(s) stored on a card, loaded to a PC before encryption/signing/authentication, then erased
• High-speed usage of the key possible (>> MB/sec)
• An attacker with access to the PC during the operation will obtain the key
  – the key is protected for transport, but not during usage
• The secure element can be embedded into another device
  – into a hardware wallet – the stored seed is loaded before use
  – a card with keys plugged into a larger Hardware Security Module (HSM)

Secure element as encryption/signing device
• PC just sends data
for encryption/signing…
• The key never leaves the secure element
  – personalized in a secure environment
  – protected during transport and usage
• The attacker must attack the secure element
  – or wait until it is inserted and the PIN entered!
• Performance depends on the parameters of the secure element
  – Low-speed encryption (~kB/sec) for smartcards
    • low communication speed / limited card performance
  – High speed for cryptographic accelerators (communication + fast HW)

Secure element as verification device
• A device with lower overall security embeds a secure element for sensitive tasks and invokes it via a dedicated API
  – E.g., secure element in mobile phones
• Sensitive data (keys, fingerprint, password) never leave the SE
  – Limits exposure of sensitive data
• The attacker must attack the secure element to extract secrets
  – or redirect the calling application to itself!
  – How is the fingerprint to check sent to the SE, and how is the response transmitted back?
  – Requires a secure channel between components

Secure element as root of trust (TPM)
• Secure boot process, remote attestation
• The secure element provides a robust store with integrity
• An application can be verified before control is passed to it (measured boot)
• The computer can authenticate to a remote entity…

Secure element as computational device
• PC just sends input for the application running on the secure element
• Application code & keys never leave the secure element
  – the card can perform complicated programmable actions
  – new code can be uploaded remotely
  – can open secure channels to other entities
    • secure server, trusted time service…
• PC acts as a transparent relay only (no access to data)
• The attacker must attack the secure element or the initial input
  – or the developer, supply chain…

For whom is the SE trusted? Who is an attacker?
• Payment smart card – for the issuing bank
• SIM card – for phone carriers
• Trusted Platform Module (TPM) – for the user as storage of BitLocker keys; for the remote entity during attestation
• Trusted Execution Environment in a mobile/set-top box – for the issuer, for confidentiality and integrity of the code handling stream decryption keys
• Hardware Security Module for TLS keys – for the web admin to protect the server's private key
• Energy meter – for the utility company to measure real consumption
• Tachograph – for compliance control (limit driving time)
• AWS KMS, Azure Key Vault – for the user to protect keys against the cloud operator (to some extent)

Application domains change over time
• Cheap yet relatively hard to attack despite physical access
  – Sensitive data can be stored and used, yet carried in a pocket
  – Protection against the end-user (SIM, satellite decoders…)
• But we now have smartphones!
  – Payments via Apple Pay, Google Pay without a physical smartcard
    • Still uses the VISA/Mastercard payment infrastructure
  – Smartphones can make smartcards obsolete in a large portion of previous usage domains!
• But smartphones are also quite complex (=> bugs)
  – Sensitive data / keys etc. on a smartphone are more vulnerable
• New use-cases
  – Trusted Platform Module (smartcard on the motherboard)
  – FIDO2 U2F/WebAuthn tokens (improved authentication tokens, mostly solve the URL phishing attack!)
  – Cryptocurrency hardware wallets (smartcard with trusted display)

SMARTCARD ALGORITHMS AND PERFORMANCE

Performance
• Performance depends on multiple factors
  – Base clock speed, instruction set, caches, available RAM, parallelism, algorithm implementation, communication speed…
• Difference between a standard CPU and a smartcard
  – Low clock frequency (< 50 MHz), no parallelism
  – Small RAM (need to offload data to slower memory)
• How is one supposed to run asymmetric cryptography fast enough?
  – If the base CPU is slow (50 MHz) and memory small (< 10 kB)
• Answer: dedicated co-processors for particular operations (AES, RSA…)
  – Faster and also better protected against side-channels

Common algorithms
• Basic – cryptographic co-processor
  – True random data generator
  – 3DES, AES-128/256, (national algorithms)
  – MD5, SHA-1, SHA-2 256/512
  – RSA (up to 2048 b common, 4096 b possible)
  – ECC (up to 256 b common, 521 b possible)
  – Diffie-Hellman key exchange (DH/ECDSA)
• Custom code running in the secure environment
  – E.g., HMAC, OTP code, re-encryption
  – Might be significantly slower (e.g., SW AES 50x slower)

What is the typical performance?
• Hardware differs significantly
  – Clock multiplier, memory speed, crypto coprocessor…
• Typical speed of an operation is:
  – Milliseconds (RNG, symmetric crypto, hash)
  – Tens of milliseconds (transfer of data in/out)
  – Hundreds of milliseconds (asymmetric crypto)
  – Seconds (RSA keypair generation)
• An operation may consist of multiple steps
  – Transmit data, prepare key, prepare engine, encrypt
  – → additional performance penalty
  – Usability rule of thumb: an operation shall finish in 1-1.5 sec
How do we know?
Read from specs, from certification reports, or probe directly!
• JCAlgTest: Robust identification metadata for certified smartcards, Petr Svenda, Rudolf Kvasnovsky, Imrich Nagy, Antonin Dufka, 19th International Conference on Security and Cryptography (SECRYPT'22), pp. 597-604, INSTICC, 2022.
  – https://crocs.fi.muni.cz/papers/jcalgtest_secrypt22

Performance with variable data lengths
http://www.fi.muni.cz/~xsvenda/jcalgtest/
Limited memory and resources may cause a non-linear dependency on the processed data length

Smartcard programming, use from external programs

Big picture – terminal/reader and card
[Figure: merchant payment and digital signature scenarios]

Big picture – components
[Figure: user application → OS smart card API → smart card reader → contact(less) transmission → card I/O manager → card OS → card application]
• User application
  – Merchant terminal GUI
  – Banking transfer GUI
  – Browser TLS
  – …
• Card application
  – EMV applet for payments
  – SIM applet for GSM
  – OpenPGP applet for PGP
  – U2F applet for FIDO authentication
  – …

How to develop an on-card application? JavaCard development process
1. Extend javacard.framework.Applet
2. Compile Java → *.class (Java 1.3 binary format)
3. Convert *.class → *.jar/cap (JavaCard Converter)
4. Upload *.jar/cap → smart card (GlobalPlatformPro)
5. Install the applet (GlobalPlatformPro)
6. Write the user Java app (javax.smartcardio.*)
7.
Use the applet on the smart card (APDU)

Pains for users/developers
• Closed-source, IP-heavy, NDA-based industry
• Primary users for manufacturers/vendors are large customers
  – Little interest in small / niche users (< 100k units)
  – Important APIs proprietary and/or not accessible (ARM TrustZone, proprietary JC packages, detailed specs…)
  – Supply chain issues (resellers, difficult to securely obtain a card)
• What is open and available
  – Open API for applets (JavaCard API)
  – Open-source development toolchain for JavaCard
  – Common Criteria and FIPS 140-2 certificates (but details omitted)
  – Results of reverse engineering

How to analyze real-world usage of technology X?
1. Collect a representative sample of users / projects (ideally “all”)
  – E.g., all open-source JavaCard projects on GitHub
2. Establish the significance of projects
  – E.g., number of developers/forks/stars, search trends on Google, sales stats…
3. Analyze projects for the level and style of use of technology X
  – E.g., static code analysis of JavaCard keywords and constants
  – Ideally trends in time if possible (e.g., code state over time via git commits)
• “The adoption rate of JavaCard features by certified products and open-source projects”, L. Zaoral, A. Dufka, P. Svenda, CARDIS'23

Certified smartcards and JavaCard-related projects
[Figure]

Activity of open-source JavaCard applets in time
[Figure]
• Is the open-source ecosystem representative of the whole domain?
  – Likely two orders of magnitude more developers in the non-open-source domain
  – Proprietary applets with access to proprietary APIs may be different

INTERESTING REAL-WORLD EXAMPLES

FIDO2 tokens – current state
• FIDO alliance of major companies
• The original U2F protocol was extended and moved under W3C as WebAuthn
  – U2F → FIDO2 → WebAuthn
  – https://www.w3.org/TR/webauthn/
• A large selection of tokens is now available
  – including open hardware like SoloKey
• Android and iOS have added systematic support for FIDO U2F since 2019
  – The mobile phone acts as a FIDO2 token; the secure enclave is used for storage and execution

Single signature, multiple signatures, multiparty signature
[Figure: one signer producing a signature; several signers each producing their own signature; several parties jointly producing a single signature]
Usable also for authentication and decryption (more people, threshold k-of-n)

Real-world example: Smart-ID signature system
• Banks in the Baltic states, > 3M active users
• Qualified Signature Creation Device (QSCD) per Regulation No 910/2014
• Collaborative computation of the signature using:
  1. User's mobile device (3072 b RSA)
  2.
Smart-ID service provider (3072 b RSA)
• Two-party RSA signatures, multiparty signature scheme 2-of-2
  – The whole signature key is never present at a single place
  – The Smart-ID service provider cannot alone compute a valid signature
• The resulting signature is a 6144 b RSA signature
  – => compatible with existing systems
[Figure: two 3k RSA signing operations combined into one 6k RSA signature]

Myst: secure multiparty signatures
• High-speed, multi-tenant (120 cards)
• Robust against bugs, backdoors
https://crocs.fi.muni.cz/papers/mpc_ccs17

SmartHSM for multiparty (120 smartcards, 3 cards/quorum)
https://crocs.fi.muni.cz/papers/mpc_ccs17
120 cards => 40 quorums => 300+ decryptions / second => 80+ signatures / second

Cryptocurrency hardware wallets
• Trezor One – the first hardware wallet, Czech Republic (2013)
• Seed generated and stored inside, PIN to unlock the wallet and sign
• Trezor One cryptographic operations executed on an STM32 MCU
  – Side-channel attacks on the private key during use (not really a relevant attack)
  – Fault-induction attack during PIN verification (~$200 device to bypass PIN)
• Ledger Nano S wallet – cryptographic smartcard + MCU + display
  – seed stored and cryptographic operations executed inside the secure element
  – Side-channel and fault induction attacks very difficult to perform
• But the secure element is proprietary – need for trust in its implementation
  – Seed can be stolen / exfiltrated by a bug or backdoor
Images by Trezor and Ledger

Open-source wallet with two different secure elements
• Idea: split trust between multiple proprietary vendors
  – Two secure elements manufactured by different vendors
  – Seed split into three parts (shares): MCU, SE1, SE2
• Decreases the required trust in a single SE vendor and its supply chain
• Is
the issue completely solved?

Conclusions
• SCs are massively deployed (1x10^10/year), mainly w.r.t. security
  – wide range of usage (banking, SIM, access control)
  – secure storage (encryption/signature keys)
    • on-card asymmetric key generation!
  – secure code execution
  – interesting protocols involving smart cards (multiparty signing…)
• Limited memory (10^2 kB) and CPU power (8-32 b, 5-50 MHz)
  – Low-cost small computer designed specifically for security
  – crypto operations accelerated by co-processors
• Can still be attacked (lecture by Lukasz Chmielewski)
  – typically requires special knowledge and/or equipment
  – still far more secure than a standard PC
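Worked example for the "Secure element as root of trust (TPM)" slide, added here and not part of the lecture: a simulation of the PCR extend operation behind measured boot, with a verifier replaying the event log. The boot chain contents are constructed sample data; the PCR starts all-zero after reset and can only be extended, never written, which is what prevents a later stage from hiding what an earlier one recorded.

```python
# Added example (not from the lecture): measured boot with a SHA-256 PCR bank.
import hashlib

PCR_SIZE = 32  # one SHA-256 PCR


def extend(pcr, measurement):
    """TPM2_PCR_Extend: PCR := SHA-256(PCR || measurement). There is no plain
    'write' of a PCR, so a stage cannot erase what earlier stages recorded."""
    assert len(pcr) == PCR_SIZE and len(measurement) == PCR_SIZE
    return hashlib.sha256(pcr + measurement).digest()


def measure(component):
    """Digest of the code/data the current stage is about to hand control to."""
    return hashlib.sha256(component).digest()


def measured_boot(components):
    """Each stage measures the next one into the PCR before passing control.
    Returns the final PCR value and the event log (the list of measurements)."""
    pcr = bytes(PCR_SIZE)          # PCRs are all-zero after reset
    log = []
    for comp in components:
        m = measure(comp)
        log.append(m)
        pcr = extend(pcr, m)
    return pcr, log


def replay_log(log):
    """A remote verifier recomputes the PCR from the event log alone."""
    pcr = bytes(PCR_SIZE)
    for m in log:
        pcr = extend(pcr, m)
    return pcr


def attestation_ok(reference_pcr, log, quoted_pcr):
    """Verifier decision: the log must replay to the (TPM-signed) quoted PCR,
    and that value must equal the known-good reference for this platform."""
    return replay_log(log) == quoted_pcr == reference_pcr


# Constructed sample boot chains (stand-ins for firmware, bootloader, kernel).
GOOD_CHAIN = [b"firmware-v1", b"bootloader-v1", b"kernel-v1"]
BAD_CHAIN = [b"firmware-v1", b"bootloader-v1-modified", b"kernel-v1"]

if __name__ == "__main__":
    ref_pcr, good_log = measured_boot(GOOD_CHAIN)
    bad_pcr, bad_log = measured_boot(BAD_CHAIN)
    print("reference PCR:", ref_pcr.hex())
    print("tampered PCR: ", bad_pcr.hex())
    print("good boot attests:", attestation_ok(ref_pcr, good_log, ref_pcr))
    print("bad boot attests: ", attestation_ok(ref_pcr, bad_log, bad_pcr))
```

A real TPM also signs the quoted PCR with an attestation key, which is what stops the platform from simply reporting the reference value; the example only covers the log-replay half of the check.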
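Worked example for step 7 of the JavaCard development process slide ("Use the applet on the smart card (APDU)"), added here and not part of the lecture or of any real applet: the host side builds ISO 7816-4 command APDUs and decodes the status word the card returns. A constructed mock applet answers the commands so the SELECT, VERIFY PIN and protected-command flow runs without a reader; its AID and instruction codes are placeholders.

```python
# Added example, not from the lecture slides: encoding ISO 7816-4 command APDUs
# on the host and decoding the card's status word (SW1 SW2). A constructed mock
# applet answers them so the SELECT -> VERIFY -> command flow runs offline; its
# AID and INS codes are placeholders, not values of any real applet.

def build_apdu(cla, ins, p1, p2, data=b"", le=None):
    """Short command APDU: CLA INS P1 P2 [Lc data] [Le]; Le=0x00 means 'up to 256'."""
    if len(data) > 255:
        raise ValueError("short APDU carries at most 255 data bytes")
    apdu = bytes([cla, ins, p1, p2]) + (bytes([len(data)]) + data if data else b"")
    return apdu + (bytes([le & 0xFF]) if le is not None else b"")

def parse_response(resp):
    """Response APDU -> (data, SW); the status word is always the last two bytes."""
    return resp[:-2], (resp[-2] << 8) | resp[-1]

def describe_sw(sw):
    """Meaning of the status words a host application must handle explicitly."""
    if (sw & 0xFFF0) == 0x63C0:          # 63Cx: wrong PIN, x = tries remaining
        return f"PIN wrong, {sw & 0x0F} tries remaining"
    return {0x9000: "OK", 0x6982: "security status not satisfied",
            0x6A82: "applet not found", 0x6D00: "INS not supported",
            0x6E00: "CLA not supported"}.get(sw, f"unknown SW {sw:04X}")

class MockApplet:
    """Constructed stand-in for an installed applet: SELECT first, VERIFY before
    any protected command, PIN try counter decremented on each failure."""
    AID = bytes.fromhex("A000000000000101")   # placeholder AID
    INS_VERIFY, INS_GET_DATA = 0x20, 0x40      # placeholder instruction codes

    def __init__(self, pin):
        self.pin, self.tries, self.selected, self.verified = pin, 3, False, False

    def transmit(self, apdu):
        cla, ins = apdu[0], apdu[1]
        data = apdu[5:5 + apdu[4]] if len(apdu) > 5 else b""   # Lc-delimited body
        if cla == 0x00 and ins == 0xA4:                       # SELECT by AID
            self.selected = data == self.AID
            return b"\x90\x00" if self.selected else b"\x6A\x82"
        if not self.selected or cla != 0x80:
            return b"\x6E\x00"
        if ins == self.INS_VERIFY:
            if self.tries == 0 or data != self.pin:           # blocked or wrong PIN
                self.tries = max(self.tries - 1, 0)
                return bytes([0x63, 0xC0 | self.tries])
            self.verified = True
            return b"\x90\x00"
        if ins == self.INS_GET_DATA:
            return b"card-data\x90\x00" if self.verified else b"\x69\x82"
        return b"\x6D\x00"

def run_session(card, pin):
    """Host flow as a javax.smartcardio / PC/SC app would issue it; returns SW meanings."""
    cmds = (build_apdu(0x00, 0xA4, 0x04, 0x00, MockApplet.AID),
            build_apdu(0x80, MockApplet.INS_VERIFY, 0x00, 0x00, pin),
            build_apdu(0x80, MockApplet.INS_GET_DATA, 0x00, 0x00, le=0x00))
    return [describe_sw(parse_response(card.transmit(c))[1]) for c in cmds]
```

With a real card, `card.transmit` is replaced by `CardChannel.transmit` (javax.smartcardio) or a PC/SC binding; everything else, including the 63Cx try-counter handling, stays the same.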
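Worked example for the Smart-ID slides (two-party RSA, 2-of-2), added here and not part of the lecture or of Smart-ID: the 2-of-2 property shown with the simplest split, an additive sharing of the private exponent d = d1 + d2 (mod lambda(N)). Each party exponentiates with its own share and only the product of the two partial results verifies, so neither side alone can sign. Assumptions: a trusted dealer creates the shares (Smart-ID's real construction, which combines two 3072 b keys into a 6144 b signature, is different); the primes are fixed known Mersenne primes so the example runs instantly; the hash is signed raw, without PKCS#1 padding.

```python
# Added example, not from the lecture or Smart-ID: 2-of-2 RSA signing with an
# additively shared private exponent. Toy parameters, see the assumptions above.
import hashlib
import math
import secrets

P = 2**521 - 1           # Mersenne prime M521 (fixed for a fast, deterministic example)
Q = 2**127 - 1           # Mersenne prime M127
N = P * Q                # ~648-bit modulus, larger than a SHA-256 digest
E = 65537
LAMBDA = math.lcm(P - 1, Q - 1)
D = pow(E, -1, LAMBDA)   # full private exponent, known only to the dealer

def deal_shares(d, modulus=LAMBDA):
    """Trusted-dealer split: d1 uniformly random, d2 = d - d1 mod lambda(N).
    Neither share on its own reveals anything about d."""
    d1 = secrets.randbelow(modulus)
    return d1, (d - d1) % modulus

def message_repr(msg):
    """Integer to sign: SHA-256 of the message (toy padding; fits below N)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def partial_sign(m, share):
    """What one party (phone or service provider) computes from its share only."""
    return pow(m, share, N)

def combine(s1, s2):
    """m^d1 * m^d2 = m^(d1+d2) = m^d (mod N), since d1 + d2 = d mod lambda(N)."""
    return (s1 * s2) % N

def verify(msg, sig):
    """Ordinary RSA verification with the public key (E, N); the verifier
    never learns that the signature was produced by two parties."""
    return pow(sig, E, N) == message_repr(msg)

def two_party_sign(msg, d1, d2):
    m = message_repr(msg)
    return combine(partial_sign(m, d1), partial_sign(m, d2))

if __name__ == "__main__":
    d1, d2 = deal_shares(D)
    msg = b"transfer 100 EUR to account X"      # constructed sample message
    sig = two_party_sign(msg, d1, d2)
    print("2-of-2 signature valid:", verify(msg, sig))
    print("device-only partial valid:", verify(msg, partial_sign(message_repr(msg), d1)))
```

The trusted dealer is the weak point of this simplified split: whoever computes D sees the whole key, which is exactly what the Smart-ID construction avoids by never having the full key in one place.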