Smart Card & E-passport

Transcription

1 Smart Card & E-passport Bingsheng Zhang 1,2 1 Cybernetica AS, Estonia 2 University of Tartu, Estonia MTAT applied crypto, 2009s

2 Table of content Introduction of Smart Cards Types of Smart Cards Magnetic Stripe Cards Chip Cards Contactless Smart Cards Types of Terminals Automatic Teller Machines (ATM) Point of Sales (POS) Contactless Terminals User Authentication PIN Generation Techniques PIN Verification Techniques Brief Introduction of Related Attacks Electronic Passports & ID Cards RFID

3 Smart Cards

4 Introduction of Smart Cards What are smart cards? A smart card: can participate in an automated electronic transaction, is used primarily to add security and is not easily forged or copied. Keith E. Mayes and Konstantinos Markantonakis, Royal Holloway, UK Store data securely Host or run a range of security algorithms and functions Intelligent (Smart): handles computations (e.g. crypto); manages data (e.g. OS, file system, access control); makes informed security decisions (e.g. block itself).

5 Introduction of Smart Cards Life Cycle of a Smart Card Manufacturing: [e.g. Infineon] ROM hard mask Initialize: [e.g. Gemalto] E 2 PROM soft mask Personalize: [Card Issuer] E 2 PROM data, keys etc. for an individual user! Use it: [e.g. ATM] issue commands (APDU) Death: [e.g. local bank] invalidate the chip/destroy the card

6 Introduction of Smart Cards Crypto Functionalities of Smart Cards 1 Cardholder verification by the card Check PIN or biometric data Not always done with crypto, but otherwise necessary to activate the crypto capabilities of the card Key generation, its secure storage, safe usage online bank Encrypt data (public and secret key) s, files, etc... e.g. PKI secure messaging

7 Introduction of Smart Cards Crypto Functionalities of Smart Cards 2 Authentication (from weaker to stronger): Integrity checks (CRC, or better: cryptographic hash) Origin checks (storing a static signature) Dynamic Challenge-Reply card authentication (proof of identity, should be a Zero-knowledge mechanism). Dynamic authentication of any data with a 3-DES cryptogram or a MAC (symmetric-key signatures) Dynamic authentication of any data with a public- key digital signature Provides authenticity and non-repudiation of every individual action taken in a complex protocol! Verification: the authenticity of a terminal/external word.

8 Introduction of Smart Cards Crypto Functionalities of Smart Cards 2 PayTV Broadcast Encryption and Traitor Tracing Storing private data (passwords etc...) Origin checks (storing a static signature) Phone cards GSM / 3G phones (SIM Card) Electronic passport, ID Bank Cards Home Banking, Internet Shopping Electronic purse, parking Student cards (restaurant, library, etc.) Building pass, Transport Tickets

9 Introduction of Smart Cards History Plastic Money 1950 Invention of plastic money (PVC): Frank Diners Club [NY] issues first universal plastic charge credit cards for businessmen and VIP travel and entertainment needs Franklin Nat. Bank [NY] introduced ChargeIt credit cards. Shops called the bank for approval if larger amount (first authorizations!) American Express launches their bank card accepted across the US Bank of America launches BankAmericard VISA. 1960s Banks started issuing revolving credit cards. Interbank MasterCharge MasterCard.

10 Introduction of Smart Cards History Payment Cards 1968 Invention of integrated circus card (ICC) [German] Similar ICC [Japan] Use ICC to replace cash in remote payment system [France] The first widely used smart cards in financial market were public pay phone cards [France].

11 Introduction of Smart Cards History ATMs 1967 First cash machines [DeLaRue] with punch cards. By Barclays Bank [UK] and Societe Marseillaise [France] First magnetic stripe card launched in France for access control Lloyds Bank Cashpoint [UK] is the first online ATM using plastic cards with a magnetic stripe. 1980s ATMs in the US 1980s Debit Cards introduced by banks.

12 Types of Smart Cards Magnetic Stripe Cards

13 Types of Smart Cards Insecure (Nicolas T. Courtois claims As long as some merchants accept them, they will be fraud... ) Someone thinks magnetic stripe card is not smart card because it can not satisfy the definition smart card is not easily forged or copied. No access control

14 Types of Smart Cards Track 1 ISO 7813: Track 1 can contain up to 76 alphanumeric data characters with a recording density of 210 BPI (bits per inch) and a character configuration of 7 bits per character. AAMVA standards: Track 1 can contain up to 82 alphanumeric data characters with a recording density of 210 BPI and a character configuration of 7 bits per character.

15 Types of Smart Cards Track 2 Track 3 ISO 7813: Track 2 can contain up to 40 numeric data characters with a recording density of 75 BPI and a character configuration of 5 bits per character. AAMVA standards: Track 2 can contain up to 40 numeric data characters with a recording density of 75 BPI and a character configuration of 5 bits per character. ISO 7813: Track 3 can contain up to 107 numeric characters with a recording density of 210 BPI and a character configuration of 5 bits per character. AAMVA standards: Track 3 can contain up to 82 alphanumeric characters with a recording density of 210 BPI and a character configuration of 5 bits per character. AAMVA American Association of Motor Vehicle Administrators

16 Types of Smart Cards What is stored in the magnetic stripe of credit card? Could be PIN? No!

17 Types of Smart Cards

18 Types of Smart Cards SS: Start Sentinel and symbolized with the character % FC: Format Code (1 character) from alphabetic A to Z PAN: Primary Account Number (Maximum 19 digits) FS: Field Separator and usually uses character ˆ NAME: cardholders name (Maximum 26 characters) ADDITIONAL DATA: expiration data (YYMM) and service code (3 digits) DISCRETIONAL DATA: PVKI/PVV or Offset/CVV or CVC ES: End Sentinel character LRC: Longitudinal Redundancy Check (XOR all characters above)

19 Types of Smart Cards SS: Start Sentinel (HEX B) PAN: Primary Account Number (Maximum 19 digits) FS: Field Separator (HEX D) and usually uses character = ADDITIONAL DATA: expiration data (YYMM) and service code (3 digits) DISCRETIONAL DATA: PVKI/PVV or Offset/CVV or CVC ES: End Sentinel character? LRC: Longitudinal Redundancy Check (XOR all characters above)

20 Types of Smart Cards SS: Start Sentinel and symbolized with the character ; FC: Format Code (2 digits from 00 to 99) PAN: Primary Account Number (Maximum 19 digits) FS: Field Separator and usually uses character = ADDITIONAL DATA: expiration data (YYMM) and service code (3 digits) DISCRETIONAL DATA: PVKI/PVV or Offset/CVV or CVC ES: End Sentinel character (HEX F) LRC: Longitudinal Redundancy Check (XOR all characters above)

21 Types of Smart Cards Chip Cards

22 Types of Smart Cards

23 Types of Smart Cards Memory/wired logic Cards NVM: non-volatile memory(e 2 PROM, Flash memory) Simple function e.g. prepay card

24 Types of Smart Cards Smart Cards Microcontroller = CPU + memory Universal turing machine, software driven Flexibility Security features [Hardware DES]

25 Types of Smart Cards Crypto-processor IC Cards Additional crypto- processor for RSA or elliptic curves Hardware security counter-measures

26 Types of Smart Cards Contactless Smart Cards with RF transceiver 0.1s per transaction much less energy even less computing power

27 Types of Smart Cards Memory on Smart Cards ROM ( hard mask : C/Assembly, contains OS, secure file access, I/O, libraries[crypto!], JVM) Kbytes nowadays RAM (expensive) 4-16 Kbytes nowadays NVM ( soft mask, compiled C, more libraries) EPROM: 1980s,very hard to erase it E 2 PROM: 8-64 Kbytes, recently 128K, 256K GSM SIM. Flash memory (new trend) Much cheaper, dense and shrinkable process Random read, harder to manage, hard to rewrite and very slow to erase Spansion 2006: 1 Giga in a SIM card!

28 Types of Smart Cards Clock and Maximum Computing Power Year Clock speed Co-processor Time MHz No RSA-512, 2 mins MHz Yes RSA-1024, 500ms MHz Yes RSA-2048, 500ms MHz Yes RSA-2048, 50ms Today MHz Yes RSA-2048, 10ms

29 Types of Terminals Automatic Teller Machines

30 Types of Terminals In the 1980s, ATM network were widely used. Many banks encrypted data by software. Today, banks use Hardware Security Module (HSM), a temper-resistant cryptographic processor to support ATMs. After a customer entering his PIN, the account number, PIN and PVV will be encrypted with a terminal master key within the HSM of each ATM. The terminal master key is shared with its bank, and each bank connects to a switch provided by an organization, such as VISA. The security modules in these switches translate transactions.

31 Types of Terminals

32 Types of Terminals Point of Sales (POS)

33 Types of Terminals Four basic steps in a EMV POS transaction: Read application data: information from customer s bank card. Card authentication: the terminal uses the issuer s public key to verify the signature through Static Data Authentication (SDA), Dynamic Data Authentication (DDA) and Combined Data Authentication (CDA). Cardholder verification: for Pin verification, encrypt PIN with issuer s public key, and send it to card. (signature verification) Transaction authorization: the terminal may select the transaction authorized offline or online. the terminal confirms that the card account has enough money for the transaction.

34 Types of Terminals

35 Types of Terminals Contactless Terminals

36 User Authentication User Authentication Something the user has (e.g. ID card, phone). Something the user knowns (e.g. password, PIN). Something the user is (e.g. signature, fingerprint or biometric). Question: how many people will have PIN collision on average?

37 User Authentication CVV2 of VISA CVC2 of MasterCard CID of American Express

38 User Authentication Static Data Authentication

39 User Authentication Dynamic Data Authentication

40 User Authentication IBM 3624 PIN Generation Algorithm Algorithm input parameters: 64 bits validation data (customer s account number or related customer s personal details, e.g. name) 64 bits decimalization table 4 bits assigned PIN length 128 bits PIN generation key

41 User Authentication IBM 3624 PIN Generation Algorithm EDE triple encrypt the validation data with 128 bits PIN generation key. Transform the ciphertext into decimal digits, using a decimalization table. The validation data is stored as ASCII character Customer s PIN will be selected by a certain length of the decimal replacement digits, according to the PIN length parameter.

42 User Authentication IBM 3624 PIN Generation Algorithm

43 User Authentication IBM 3624 PIN Offset Generation Algorithm

44 User Authentication German Banking Pool PIN Generation Algorithm Algorithm input parameters: 64 bits validation data (customer s account number or related customer s personal details, e.g. name) 64 bits decimalization table 128 bits PIN generation key

45 User Authentication German Banking Pool PIN Generation Algorithm

46 User Authentication IBM 3624 PIN Verification Algorithm Algorithm input parameters: 64 bits validation data (customer s account number or related customer s personal details, e.g. name) 64 bits decimalization table 4 bits PIN check length 128 bits PIN generation key Offset data Customer entered PIN

47 User Authentication IBM 3624 PIN Verification Algorithm

48 User Authentication German Banking Pool PIN Verification Algorithm Algorithm input parameters: 64 bits validation data (customer s account number or related customer s personal details, e.g. name) 64 bits decimalization table 128 bits PIN generation key Offset data Customer entered PIN

49 User Authentication German Banking Pool PIN Verification Algorithm

50 User Authentication VISA PIN Verification Value (PVV) 4 decimal digits stored in the magnetic stripe of bank card or in the main database of issuing bank. PVV is cryptographic signature of PIN. PVV is calculated from the account number and compare with the stored PVV in the card. In magnetic stripe, credit data is in track 1 and 2, including personal account number, expired date, PVV/Offset/CVV/PVKI/CVC... POS terminal card reader read data on track 2.

51 User Authentication VISA PVV Generation Algorithm Algorithm input parameters: 64 bits transformed security parameter (TSP) 128 bits PVV generation key

52 User Authentication VISA PVV Generation Algorithm

53 User Authentication VISA PVV Verification Algorithm Algorithm input parameters: 64 bits transformed security parameter (TSP) 16 bits referenced PVV 128 bits PVV verification key

54 User Authentication VISA PVV Verification Algorithm

55 Brief Introduction of Related Attacks Bank Card Skimming Attack

56 Brief Introduction of Related Attacks ATM Fraud Attack

57 Brief Introduction of Related Attacks ATM Keypad Frauds Attack

58 Brief Introduction of Related Attacks Cards Trapping Attack

59 Brief Introduction of Related Attacks Relay Attack

60 Brief Introduction of Related Attacks Relay Attack(2)

61 Brief Introduction of Related Attacks Other Attacks Chemical Attack Yes Card Test PIN (power off) Sidechannel Attacks

62 Electronic Passports & ID Cards Electronic Passports

63 Electronic Passports & ID Cards Chip integrated in the cover Main goal: store biometric data Machine Readable Zone (MRZ)

64 Electronic Passports & ID Cards Personal and biometric data (photo) protected by basic access control (BAC) Key = f(mrz) PA: Passive Authentication: PKI, all data authenticated by a mandatory static signature. Digital signatures with RSA, ECC or both. AA: challenge-response Active data Authentication Extra data (fingerprint, iris): Extended Access Control (EAC) mechanism

65 Electronic Passports & ID Cards

66 Electronic Passports & ID Cards

67 Electronic Passports & ID Cards European E-passport timeline

68 Electronic Passports & ID Cards

69 Electronic Passports & ID Cards ICAO International Civil Aviation Organization (ICAO) U.N. specialized agency, established in 1944 Aviation safety & security

70 Electronic Passports & ID Cards ICAO 9303 ICAO 9303, 6th Edition System, based on mainstream standards: ISO 7816-X ISO Entities: Issuer: state printing house, embassy, local authorities etc. Contact-less chip embedded in the cover. Terminal, called inspection system. Memory requirement: 32K E 2 PROM minimum. Typically K.

71 Electronic Passports & ID Cards Data in e-passports (Data Groups) DG1 Machine readable zone (MRZ) DG2 Biometric data: face DG3 Biometric data:fingerprints DG4 Biometric data: iris DG5 Picture of the holder as printed in the passport DG6 Reserved for future use DG7 Signature of the holder as printed in the passport DG8 Encoded security features - data features DG9 Encoded security features - structure features DG10 Encoded security features - substance features DG11 Additional personal details (address, phone) DG12 Additional document details (issue date, issued by) DG13 Optional data (anything) DG14 Data for securing secondary biometrics (EAC) DG15 Active Authentication public key info

72 Electronic Passports & ID Cards Access Control Basic Access Control (BAC) For facial image, and other data that is is possible to acquire from other sources (e.g. digital camera). Terminal has to have physical access to optically readable Machine Readable Zone (MRZ) of the passport. Extended Access Control (EAC), optional For fingerprints and other data that does not exist on passport for now. For verification by and authorized inspection system, that has to prove his identity to the passport.

73 Electronic Passports & ID Cards MRZ Coding Passport number (9 chars typically) Data of birth Expiration date 3 check digits (as CVV2 in bank cards)

74 Electronic Passports & ID Cards BAC Stage 1 MRZ SHA-1 truncated to 128 bits Then key derivation function following CWA

75 Electronic Passports & ID Cards BAC Stage 2 K = (K MAC,K ENC ) both are used in Authenticated Encryption (EA) EA = Encrypt + transmit a MAC E: A: 3-DES in CBC mode with K ENC FIPS 46-3, ISO , ISO (CBC-MAC, 3-DES, padding mode 2) DES + Retail MAC with K MAC FIPS 46-3, ISO 9797 (MAC algorithm 3, with output transformation 3, without truncation, block, cipher DES, zero IV 8 bytes, padding mode 2)

76 Electronic Passports & ID Cards BAC Stage 3 Used ISO symmetric key establishment mechanism A-chip B-terminal: random R A (64 bits) B-terminal A-chip: EA K (R B,R A,K B ) ( bits) A-chip check R? = R A A A-chip B-terminal: EA K (R A,R B,K A ) ( bits) B-terminal check R B? = R B Derived key: K AB = K A K B BAC Stage 4 Encrypt all the communications from now on (secure messaging)

77 Electronic Passports & ID Cards Signature Schemes and Key Sizes - PA Hash functions: SHA-1 and all SHA-256 RSA with PKCS#1 v1.5 padding (min bits for CSCA (Country Signing CA), 2048 bits for DS (Document Signer ) ). Hungary, France, Spain, Portugal, Italy: RSA SHA-1 Austria, Netherlands: RSA SHA-256 RSA with PSS padding (min bits for CSCA, 2048 for DS) Czech Republic, Norway, Denmark, Japan and Australia: all + SHA-256 DSA: not standardized for key lengths > 1024, not secure enough. ECDSA (min. 256 bits for CSCA, 244 bits for DS) Switzerland, Germany, Russia: SHA-1

78 Electronic Passports & ID Cards Signature Schemes and Key Sizes - AA AA is not widely deployed yet. ISO scheme 1, not proven secure, grey zone Czech Republic, Belgium, Austria DSA and ECDSA also permitted but not widely used for AA

79 Electronic Passports & ID Cards EAC Crypto Chip authentication: Diffie-Hellman (PKCS#3) 1024 or 1536 bit prime Elliptic Curve Diffie-Hellman (ISO 15946, BSI TR-03111) Mostly 224 bit curves, sometimes 256 or 384 bits. Terminal authentication: RSA keys bits, two signature schemes RSA PKCS#1 v1.5 + SHA-1 or SHA-256 (more popular, grey zone) RSA-PSS + SHA-1 or SHA-256 (provably secure) ECDSA-160/256 + SHA-1, SHA-224 or SHA-256

80 RFID RFID

81 RFID Mifare Claassic Cards The encryption used by the MIFARE Classic card uses a key that is only 48 bits long The MIFARE Classic 1K offers 1024 bytes of data storage, split into 16 sectors; each sector is protected by two different keys, called A and B. They can be programmed for operations like reading, writing, increasing value blocks, etc.

82 RFID Mifare Claassic Cards Mifare Claassic Cards Data Layout

83 RFID ISO A ISO A authentication protocol

84 RFID Authentication Trace Step Sender Hex Comments 01 Reader 26 req type A 02 Tag answer req 03 Reader select 04 Tag c2 a8 2d f4 b3 uid, bcc 05 Reader c2 a8 2d f4 b3 ba a3 select (uid) 06 Tag 08 b6 dd mifare 1k 07 Reader a auth (block 30) 08 Tag c0 a4 n T 09 Reader 7d db 9b eb 5d 83 n R ks 1, a R ks 2 10 Tag 8b d a T ks 3 10 Tag a 5 ks 3 (failed)

85 RFID Crypto 1

86 RFID Demo Authentication protocol Property Public platform independent Near Field Communication (NFC) library (libnfc How to program on libnfc. Simple demo for fixing nonce, using ACR 122 reader and libnfc