Smart Card Security How Can We Be So Sure?

Transcription

1 Smart Card Security How Can We Be So Sure? Ernst Bovelander TNO Centre for Evaluation of Instrumentation and Security Techniques PO Box GA Delft, The Netherlands 1. Introduction TNO is the Netherlands Organisation for Applied Scientific Research. Its primary tasks are to support trade and industry, the authorities and other groups of the community in technological innovation and to assist clients and sponsors in solving problems. TNO is a fully independent R&D organisation with a staff of approximately 4,000 and an annual turnover of more than US$ 500 million. The main features of TNO are: multidisciplinary, practice and market-oriented, independent, possessing unique knowledge and facilities, internationally oriented. TNO's research takes place at 15 institutes spread throughout the Netherlands. Nearly all scientific fields are covered by these institutes. The Centre for Evaluation of Instrumentation and Security Techniques (EIB) is part of the TNO Institute of Applied Physics (TPD). The security section of the Evaluation Centre is specialised in the evaluation of security related systems and products. The evaluations are ranging from intruder and fire alarm systems, assessing the possibilities of counterfeiting credit-cards and documents, to the study of optical security features like holograms. The evaluation of electronic payment systems and their components forms the main part of our security activities. This includes assessment of the security aspects of PIN Pads, single chip security modules and smart cards. Our projects are carried out for both financial institutions and manufacturers of EFT (Electronic Funds Transfer) equipment from all over the world. B. Preneel, V. Rijmen (Eds.): COSIC'97 Course, LNCS 1528, pp , Springer-Verlag Berlin Heidelberg 1998

2 Smart Card Security 333 The security aspects of more than 75 different smart card based security systems have been investigated by the Evaluation Centre. These investigations comprise of physical security aspects (the 'silicon'), logical security aspects (card operating systems) and organisational measures (e.g. transport, initialisation). 2. Security Evaluations Security functions of any system, including smart cards, revolve around the three basic security principles: integrity, confidentiality and availability. 2.1 Card and System Authentication The first line of defence in (smart) card authentication are the security features on the card itself. The most commonly used techniques used are photographs, signatures, iris print (rainbow print), pearl lustre ink, tactile laser engraving, holograms, kinegrams etc. These measures depend on human inspection. Additional security is provided by measures which link the plastic to the chip. In general optically readable security features, such as holographic barcodes, unique optical patterns, are used for this purpose. An additional reader is often required to read the optical pattern. The authentication of both the chip and the system is normally based on a shared secret, the cryptographic key. The quality of the authentication relies on the secrecy of the cryptographic keys. The security measures of the systems will therefore in general be focused on the protection of these cryptographic keys. 2.2 System Security The total security of a system depends on the implementation of three aspects: physical security measures (hardware), logical security measures (software), organisational measures. An adequate level of security can only be accomplished if these three aspects are combined in such a way that all possible weak aspects are covered. In general, weak aspects in the design of security product will emerge at the interfaces of physical, logical and organisational measures. A 100% secure product cannot be made. There will always be a way to break the system. A system is considered to be 'secure' if the chances of breaking the system and the consequences of this unauthorised access, e.g. compromising the cryptographic keys or the biometric template, are acceptable for the end-user.

3 334 Ernst Bovelander A security scheme of a system, based on secrecy of the security principles, is in general not acceptable for end-users. The security of a cryptographic algorithm must be based only on the secrecy of the key(s) and not on the secrecy of the algorithm (Kerckhoffs principle). A generic secure application module, see figure 1, will comprise the following elements: a physical barrier, e.g. a metal box, fraud sensors, to detect an attempt to fraud the system, an alarm circuitry; this circuitry must process the information from the fraud sensors and act appropriately, memory to store sensitive data, e.g. cryptographic keys, biometric template, software to define the functionality of the system. sensor sensor alarm circuit input output micro processor software memory Fig. 1 Generic Secure Application Module A smart card is a miniature of the conventional security module, but with a major difference: in general, a conventional security module is always powered and the security functions will therefore always be active, the smart card is most of the time not powered and will therefore not have active fraud detection measures. Furthermore, the memory of the smart card, in which the secret information is stored, much be non-volatile. Normally, EEPROM is used for this purpose.

4 Smart Card Security 335 physical barrier i/o micro processor software memory Fig. 2 Generic smart card The Evaluation Centre has developed methods for the evaluation of security systems, including smart cards. The main goal of the investigations is to establish the level of security of the application. More practically, we find out how much effort it takes to reveal the secrets of the systems and what can be done with these secrets. Smart cards are an important part in modern security systems, where they often function as secure application modules. The security aspects of smart cards can be analysed internally and externally. 3. External Analysis In an external analysis we attempt to learn as much as possible of the functionality of a card by investigating the physical side effects of this functionality, such as noise, emission, power consumption, dataflow etc. These experiments are carried without opening the chip (black box approach). External analysis can be very threatening from an end-users point of view, as possible attacks revealed by this analysis can have a low realisation threshold. Examples of external attacks are the Kocher attack and the latest Bell-core attack. A lot of experience and creativity is essential to reveal secrets in the chip, if at all possible. The outcome of external analyses strongly depends on the application. In general, no direct information is gained from an external analysis, but what we learn may be used to develop new attack scenarios. 4. Internal Analysis The methods for an internal analysis require opening of the chip. For most smart cards this is not a problem. Several etching techniques, for opening the chip and preparing the chip surface have been developed by the Evaluation Centre. The most common techniques used for an internal analysis of smart cards are probing and SEM analysis.

5 336 Ernst Bovelander 4.1 Probing A sub-micron probe station, comprising a microscope and an optically stable platform with probe manipulators, is used for these investigations. The smallest probe needles have a tip radius of approximately 0.5 micron. Tracks on the chip surface with the same dimensions can be tapped. A maximum number of 10 probes can be placed on the chip, but this number is in practice strongly dependent on the chip design. Two methods of probing are generally used: active probing: inserting information, generally at the databus, e.g. to change the sequence of the program, passive probing: reading information, generally from the databus. 4.2 Scanning Electron Microscope Analysis A scanning electron microscope (SEM) can be used in various ways during the evaluation process. It is mostly used for surface analysis: e.g. for reverse engineering of chip structures. The SEM can also be used for visualisation of voltages on the chip surface (voltage contrast). With this technique, a thorough understanding of the functionality of the chip can be obtained. With a special technique (single beam voltage contrast), the SEM can be used for passive 'probing' on very small tracks (<0.25 micron). 4.3 Focused Ion Beam Systems New techniques for analysing integrated circuits are being developed constantly. One of these new developments is the Focused Ion Beam system (FIB). The FIB proves to be a very useful tool for the attack of integrated circuits. A FIB system has three main features: View mode It is possible to use the FIB system as a surface microscope like a Scanning Electron Microscope (SEM) Milling mode The FIB system can be used as a micro milling device. Depending on the use of special gases during etching, very small holes can be cut. Such holes can be made at very specific locations and with very great precision. This technique can be used to selectively remove material from the chip surface, such as the passivation layer.

6 Smart Card Security 337 Deposition mode When using specific gases together with the ion beam, metals can be deposited on the chip surface. Such metal objects can be used to create e.g. test bondpads for probe needles, or as new metal tracks. FIB systems are nowadays common in the semiconductor industry. The resolution of these systems is by far sufficient to modify all integrated circuits available on the market today and tomorrow. A major concern is the availability of these systems. All chip manufacturers use FIB systems for device modification during chip design and testing. Also, a large number of commercial service laboratories all over the world can be used for this kind of work. 5. Conclusions The security aspects in a design should not be viewed upon as an add-on feature. The security thinking must be fully incorporated in the design process and implemented in the production. Although 100% security can never be accomplished, it is possible to build very secure systems using smart cards. An adequate design and implementation of combined physical-, logical- and organisational security measures can result in a secure product. Most products that fail to fulfil their requirements have security flaws at the interface between physical, logical and organisational measures.