Smart Card APDU Analysis



Similar documents
Security Evaluation CLX.Sentinel

CYBERTRON NETWORK SOLUTIONS

EXPLORING SMARTCARDS: AN INDEPENDENT LOOK TO TECHNOLOGIES AND MARKET

Introducing etoken. What is etoken?

Hacking for Fun and Profit

Token User Guide. Version 1.0/ July 2013

Moving to Multi-factor Authentication. Kevin Unthank

Protecting Your Organisation from Targeted Cyber Intrusion

FORBIDDEN - Ethical Hacking Workshop Duration

Internet Banking Attacks. Karel Miko, CISA DCIT, a.s. (Prague, Czech Republic)

Windows Attack - Gain Enterprise Admin Privileges in 5 Minutes

Section 12 MUST BE COMPLETED BY: 4/22

Loophole+ with Ethical Hacking and Penetration Testing

Secure web transactions system

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

WEB SECURITY. Oriana Kondakciu Software Engineering 4C03 Project

Specific recommendations

Certified Ethical Hacker Exam Version Comparison. Version Comparison

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)

Windows Remote Access

The Key to Secure Online Financial Transactions

Lesson 13: DNS Security. Javier Osuna GMV Head of Security and Process Consulting Division

Common Cyber Threats. Common cyber threats include:

BCS IT User Syllabus IT Security for Users Level 2. Version 1.0

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi

APWG. (n.d.). Unifying the global response to cybecrime. Retrieved from

BLACKJACKING: SECURITY THREATS TO BLACKBERRY DEVICES, PDAS, AND CELL PHONES IN THE ENTERPRISE

Two Factor Authentication in SonicOS

Application Whitelisting - Extend your Security Arsenal? Mike Baldi Cyber Security Architect Honeywell Process Solutions

Page 1. Smart Card Applications. Lecture 7: Prof. Sead Muftic Matei Ciobanu Morogan. Lecture 7 : Lecture 7 : Smart Card Applications

NSA/DHS CAE in IA/CD 2014 Mandatory Knowledge Unit Checklist 4 Year + Programs

Security Goals Services

EUCIP - IT Administrator. Module 5 IT Security. Version 2.0

Web Plus Security Features and Recommendations

PCI PA - DSS. Point ipos Implementation Guide. Version VeriFone Vx820 using the Point ipos Payment Core

Mobile Devices and Malicious Code Attack Prevention

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Blue Jeans Network Security Features

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

That Point of Sale is a PoS

Application Note Gemalto.NET 2.0 Smart Card Certificate Enrollment using Microsoft Certificate Services on Windows 2008

Using Remote Desktop Clients

Java Card. Smartcards. Demos. . p.1/30

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

Practice test Domain-2 Security (Brought to you by RMRoberts.com)

PCI PA - DSS. Point BKX Implementation Guide. Version Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core

E-commerce. Security. Learning objectives. Internet Security Issues: Overview. Managing Risk-1. Managing Risk-2. Computer Security Classifications

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

TrustKey Tool User Manual

Building A Secure Microsoft Exchange Continuity Appliance

A43. Modern Hacking Techniques and IP Security. By Shawn Mullen. Las Vegas, NV IBM TRAINING. IBM Corporation 2006

Thick Client Application Security

ITSC Training Courses Student IT Competence Programme SIIS1 Information Security

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

by New Media Solutions 37 Walnut Street Wellesley, MA p f Avitage IT Infrastructure Security Document

Course Content Summary ITN 261 Network Attacks, Computer Crime and Hacking (4 Credits)

SecureDoc Disk Encryption Cryptographic Engine

INFORMATION SECURITY TRAINING CATALOG (2015)

Detailed Description about course module wise:

Security aspects of e-tailing. Chapter 7

How To Secure Your System From Cyber Attacks

PrivyLink Cryptographic Key Server *

Embedded Java & Secure Element for high security in IoT systems

Spam, Spyware, Malware and You! Don't give up just yet! Presented by: Mervin Istace Provincial Library Saskatchewan Learning

CSC Network Security. User Authentication Basics. Authentication and Identity. What is identity? Authentication: verify a user s identity

A Guide to EMV. Version 1.0 May Copyright 2011 EMVCo, LLC. All rights reserved.

Enterprise Incident Response: Network Intrusion Case Studies and Countermeasures

How CA Arcot Solutions Protect Against Internet Threats

Build Your Own Security Lab

Deploying Smart Cards in Your Enterprise

Ethical Hacking & Cyber Security Workshop

Avaya TM G700 Media Gateway Security. White Paper

TEFO STUDERUS HACKING 4 FUN & PROFIT

Avaya G700 Media Gateway Security - Issue 1.0

Endpoint Security VPN for Windows 32-bit/64-bit

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency

INSTANT MESSAGING SECURITY

Guide to Obtaining Your Free WISeKey CertifyID Personal Digital Certificate (Personal eid) WISeKey 2010 / Alinghi 2010 Smartcards

Java Card TM Open Platform for Smart Cards

Decryption. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright Palo Alto Networks

RELEASE NOTES. Table of Contents. Scope of the Document. [Latest Official] ADYTON Release corrections. ADYTON Release 2.12.

E-CERT C ONTROL M ANAGER

Guidelines for Website Security and Security Counter Measures for e-e Governance Project

Cyber Security in Taiwan's Government Institutions: From APT To. Investigation Policies

Innovative Secure Boot System (SBS) with a smartcard.

Using Entrust certificates with VPN

THE IMPORTANCE OF CODE SIGNING TECHNICAL NOTE 02/2005

Network Incident Report

Workshop Designed & Powered by TCIL IT, Chandigarh

The Value of Physical Memory for Incident Response

Hacking Database for Owning your Data

Defending Against Data Beaches: Internal Controls for Cybersecurity

SECURITY PRACTICES FOR ADVANCED METERING INFRASTRUCTURE Elif Üstündağ Soykan, Seda Demirağ Ersöz , ICSG 2014

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Measurement and Analysis Introduction of ISO7816 (Smart Card)

Transcription:

Smart Card APDU Analysis Black Hat Briefings 2008 Las Vegas Ivan "e1" Buetler ivan.buetler@csnc.ch Compass Security AG - Switzerland Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil Tel.+41 55-214 41 60 Fax+41 55-214 41 61 team@csnc.ch www.csnc.ch

Hypothesis::Statement SOFTWARE cannot protect SOFTWARE Page 2

Hypothesis::Situation Attacker Toolkit: Please choose your victim... Client Infrastructure Network Connectivity Server Infrastructure Victim 1: E-Mail Contamination Visits to malicious Web Sites Second Channel Attacks Victim 2: Phishing, Pharming DNS Spoofing Network Interception Victim 3: Web 2.0 Hacking Cross Site Scripting... Malicious Web Sites Page 3

Hypothesis::Situation E-Mail Malicious Web Site Attacker Toolkit: Please enter the attacking strategy... Client Infrastructure Most promising target -> Client Computer Network Connectivity Server Infrastructure Page 4

Hypothesis::Situation Client Infection Approaches E-Mails Malicious Web Sites Rogue Access Points (drive-by-injection) Exploitation of internet enabled client software Malicious U3, USB stick Malicious CD-Rom... [many infection strategies as you know] SOFTWARE cannot protect SOFTWARE Client Security Defense Strategies Latest patches / Update services Firewall / Personal Firewall Anti-Virus protection Spyware protection Device Locking Suite Hard disk encryption Pentest Experience: Success rate in client exploitation = 95% Page 5

Hypothesis::Conclusion We need Secure Devices - Tamper Proof Trusted Minicomputers Page 6

Hypothesis::Conclusion Secure devices provide... Authentication Encryption Signatures Secure devices are... Tamper Proof Virus/Trojan resistant Page 7

Smart Card::Life Cycle Smart Card Life Cycle Page 8

Smart Card::Life Cycle Producer -> Company -> User SmartCard Producer MyBank John Doe Personalize() Initialize() sw + policy Page 9

Smart Card::Life Cycle::Initialize() MyBank::Unitialized Smart Card Smart Card needs to be initialized before usage! Initialization means: a) PIN policy b) PUK policy c) Key generation d) MasterKeySet... and more...see next page Page 10

Smart Card::Life Cycle::Initialize() Page 11

Smart Card::Life Cycle::Initialize() During Initialization... Applets are configured (policy) Applets are loaded from computer to Smart Card Applets are instantiated on Smart Card Cardlet Development.java Java Compiler.class Java Card Converter.cap.ijc This is like initial software package on a Personal Computer The password for doing so must be known => Master Key Set!!! Page 12

Smart Card::Life Cycle::Personalize() Certificate Enrollment Generate Key on Card Generate CSR (certificate signing request) Send CSR to CA (certification authority) Receive Certificate from CA Store Certificate on Card Smart Card is then useable Authentication Encryption Signatures Personalize() Page 13

Smart Card::APDU Smart Card Communication APDU Page 14

Smart Card::APDU Application Protocol Data Unit Communication between CSP/PKCS#10 and Smart Card ISO 7816 Specification + Vendor extensions Host APDU Layer Physical Layer (serial, usb, bluetooth,...) Smart Card Reader Page 15

Smart Card::APDU::Architecture Architecture Page 16

Smart Card::APDU::Command APDU Command and Response Structure APDU Command Details Page 17

Smart Card::APDU::Response APDU Command and Response Structure APDU Response Details Page 18

Smart Card::APDU::Enter PIN Example: APDU Enter PIN APDU Command C0 20 00 01 08 3030303030303030 APDU Response 90 00 Page 19

Smart Card::APDU::Standards GSC-IS (Government Smart Card Interoperability Specification) ISO Standard (APDU) 7816-4: Organization, security and commands for interchange 7816-8: 8: Commands for security operations Goal of GSC-IS Interoperability requirements of the enterprise market EMV - CAP Europay/MasterCard/Visa - Chip Authentication Program GSM (Global System Mobile) GSM Standard Page 20

Smart Card::ATR::Answer to Reset ATR String: Unique Identification for Smart Cards ATR (Answer to Reset) returns unique number Unique number references to the appropriate DLL (registry key) Page 21

Smart Card::APDU::CSP ATR: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\Smart Cards Service Provider: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Page 22

ATTACKING Smart Card SOLUTIONS Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil Tel.+41 55-214 41 60 Fax+41 55-214 41 61 team@csnc.ch www.csnc.ch

Introduction::Smart Card Attacks Attacking Approaches Host Computer (Software) Transmission (Link Layer) Internal Smart Card (Physical, Side Channel Attacks, not covered here) Link Layer Internal Trojan Page 24

Hardware::Sniffing APDU Hardware APDU Sniffing Device The APDU sequences are not commonly known hidden secret disclosure ATM APDU analysis GSM APDU analysis Page 25

Hardware::Sniffing APDU Season2 Interface To the SC Reader Smart Card To the SC Reader RS232 Sniffing Port Page 26

Hardware::Sniffing APDU RS232 Sniffing Port Serial Port Monitor SC Reader Page 27

Software::Scanning APDU Commands Page 28

Software::APDU LiveDebugger Live Debugger DLL Proxy winscard.dll Analyzing any software that communicates with the Smart Card with winscard.dll Works with PKCS#10 or CSP enabled applications Live Debugger Features Command Modification Response Modification Logging Microsoft Crypto API CSP CSP Cryptographic Service Provider Cryptoki Pkcs#10 DLL from vendor Compass Monitoring: winscard.dll APDU Live Debugger Java Program winscard.ori Page 29

Software::APDU LiveDebugger APDU Live Debugger: APDU Inspection/Interception Live Debugging Command & Response Interception Page 30

APDU LiveDebugger Discovery! Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil Tel.+41 55-214 41 60 Fax+41 55-214 41 61 team@csnc.ch www.csnc.ch

APDU::LiveDebugger::Results APDU Control Sequences 80 XX XX XX Not encrypted (Axalto Commands) 84 XX XX XX Encrypted C0 XX XX XX Not encrypted 00 XX XX XX ISO Standard APDU APDU Instructions XX B0 XX XX Read XX D6 XX XX Write C0 D2 XX XX Generate keys on Smart Card C0 12 XX XX Generate keys on PC XX A4 XX XX Select Instance Page 32

APDU::LiveDebugger::Results C0 12: Generate Keys on Computer (not on Smart Card) First: Offcard key generation Then: Storing keys onto the Smart Card Page 33

APDU::LiveDebugger::Results C0 D2: Generate Keys on Card First: Oncard key generation Then: Smart Card generates keys on card Page 34

APDU::LiveDebugger::Results The flag Generate Keys on Card is not enforced This results in the following attack vector The CSP asks the card for oncard, or offcard key generation because the card itself knows the status The APDU interceptor responds: I am an offcard keygen Smart Card The CSP will then perform the generate key functions on the computer The CSP will send the CSR to the CA After all, the certificate and key material will be stored onto the Smart Card The hacker who did all the man in the middle stuff knows all the keying and certificate details! Trust is lost! Page 35

PoC Smart Card APDU Attack Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil Tel.+41 55-214 41 60 Fax+41 55-214 41 61 team@csnc.ch www.csnc.ch

Smart Card Man-in-the-Middle Attack SmartCard Browser Certification Authority Object1 APDU Debugger CSP Proxy Object3 Object4 Attacker Host Client Cert Enrollment GenerateKey Status of Flag? Flag: Generate Key on Card?() GetFlag OnCard=Yes OffCard=Yes GenerateKeys Generate CSR CSR SendCSR Store to SmartCard Store to SmartCard Client Certificate Create Certificate Trust is Lost! Send details to Attacker Page 37

Smart Card Man-in-the-Middle Attack Conclusion The use of Smart Cards does not make you independent from the host computer in any case and situation! The flag Generate Keys on Card does still allow key material being stored onto the Smart Card. This demonstration was solely related to Smart Cards an end-user has. If the attacker has some sort of virus/trojan running where the Smart Cards are initialized, even more fraud can occur (MasterKeySet attacks, Rogue Applet Uploads,...) The PIN has been seen in plain-text within the memory segment of the Smart Card software. The PIN can be gathered without administrative privileges. By knowing the PIN, the Smart Card could be used behind the scenes without the users knowledge (signing, encryption). Page 38

Thank you! Questions? ivan.buetler@csnc.ch See you at the Swiss Cyber Storm II Switzerland - 2009 www.hacking-lab.com Page 39

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information