RVS Seminar
Deployment and Performance Analysis of JavaCards in a Heterogeneous Environment
Carolin Latze
University of Berne

Table of contents
> Introduction
    Smartcards
> Deployment
    Overview
    Linux
    Windows
    JavaCard Applet
    Client Application
> Measurements
    Scenarios
    Comparison
    Communication Protocol
> Conclusion

Smartcards
> Provide dual factor authentication
> Storage of additional keys
> Consist of a CPU, ROM, RAM, I/O unit and EEPROM
> Transmission protocol: Application Protocol Data Units (APDUs) over Transmission Protocol Data Units (TPDUs)
    Command APDU:  CLA INS P1 P2 Lc Data Le
    Response APDU: Data SW1 SW2

Smartcards by Schlumberger
> Cryptoflex Cards
    Minimal file system
    Standard set of commands
    RSA, DES, T-DES, SHA-1
> Cyberflex Access e-gate32k
    Programmable using JavaCard
    RSA, DES, T-DES, SHA-1
> Compliant to ISO7816, which is the standard for SmartCards

Overview
[Figure: Client App, Middleware and Applet, spanning Client Machine and Smartcard]

Deployment under Linux
> MuscleCard Framework
    Middleware to communicate and work with the card
> Completely open source
> Works fine with Cryptoflex Cards and older Cyberflex Cards

Deployment under Windows
> SDK provided by Schlumberger
> Can be used as client to test an applet
> Provides libraries to communicate with the card

JavaCard
> Subset of Java -> no garbage collection!!!
> A JavaCard Applet has to implement the following functions: install(), select(), process()
> Additional requirements: Specification of the CLA and INS Bytes:
    final static byte MY_PROJECT_CLA = (byte)0x90;
    final byte PIN_CHECK = (byte)0x10;
    final byte RSA = (byte)0x20;
    final byte DES3 = (byte)0x30;
    final byte DES = (byte)0x40;
    final byte SHA = (byte)0x50;
    final byte SIGN_TEXT = (byte)0xa0;
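
The command and response APDU layout from the Smartcards slide, combined with the CLA and INS bytes listed above, as an added example (not code from the presentation or from the Schlumberger SDK): a short-form APDU encoder and parser. The function names and the sample payload are assumptions made for illustration.

```python
# Added example: short-form ISO 7816-4 APDUs. CLA/INS values are from the slide;
# helper names and the sample payload are constructed.
MY_PROJECT_CLA = 0x90
INS = {"PIN_CHECK": 0x10, "RSA": 0x20, "DES3": 0x30, "DES": 0x40,
       "SHA": 0x50, "SIGN_TEXT": 0xA0}
SW_OK = 0x9000       # normal completion
SW_UNKNOWN = 0x6F00  # ISO 7816-4 "no precise diagnosis"


def build_command(ins, data=b"", le=None, p1=0, p2=0, cla=MY_PROJECT_CLA):
    """Encode CLA INS P1 P2 [Lc Data] [Le]; le is the expected response length."""
    if any(not 0 <= b <= 0xFF for b in (cla, ins, p1, p2)):
        raise ValueError("header fields are single bytes")
    if len(data) > 255:
        raise ValueError("short APDU carries at most 255 data bytes")
    apdu = bytes([cla, ins, p1, p2])
    if data:
        apdu += bytes([len(data)]) + data
    if le is not None:
        if not 1 <= le <= 256:
            raise ValueError("Le must be 1..256")
        apdu += bytes([le % 256])  # Le byte 0x00 encodes 256
    return apdu


def parse_command(apdu):
    """Decode a short command APDU, rejecting bodies whose length contradicts Lc."""
    if len(apdu) < 4:
        raise ValueError("truncated header")
    cla, ins, p1, p2 = apdu[:4]
    body, data, le = apdu[4:], b"", None
    if len(body) == 1:                      # case 2: Le only
        le = body[0] or 256
    elif body:                              # case 3 (Lc Data) or 4 (Lc Data Le)
        lc = body[0]
        if lc == 0 or len(body) not in (1 + lc, 2 + lc):
            raise ValueError("Lc does not match body length")
        data = body[1:1 + lc]
        if len(body) == 2 + lc:
            le = body[-1] or 256
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "data": data, "le": le}


def parse_response(rapdu):
    """Split a response APDU into (data, status word, success flag)."""
    if len(rapdu) < 2:
        raise ValueError("response must end with SW1 SW2")
    sw = int.from_bytes(rapdu[-2:], "big")
    return rapdu[:-2], sw, sw == SW_OK
```

The `le` argument is the expected response length that the Scenarios slide says the middleware needs; a card answering `6F00` yields an empty data field and a failed status.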

JavaCard Applet Control Flow
[Figure: control flow between JCRE, Applet and DB]
    (1) install()
    (2) register()
    (3) Select APDU
    (4) looks for the AID
    (5) select
    (6) true
    (7) APDU, process()
    (8) works
    (9) returns control
    (10) 0x9000

Our JavaCard Applet
> Provides the following cryptographic functions:
    RSA using a 1024 bit key
    DES
    T-DES
    SHA-1
        Verify method of SHA-1 had to be implemented by ourselves
    Message signing and ciphering using SHA-1 and RSA

Client Application
> We decided to implement the client in Java
    Easiest way
    Speed is negligible
> Required functions are provided by the slb.iop library

Measurements - Scenarios
> Scenario 1 (DES, T-DES):
    8 Bytes long input (randomly generated)
    50 times encoding and decoding
> Scenario 2 (RSA, SHA-1):
    Encoding: Different input lengths (50 times each)
    Decoding:
        Valid input required
        Middleware expects the number of bytes in the response APDU

Measurements - Encodings
[Figure: time needed in ms versus number of repetition for DES, T-DES, RSA, SHA-1 and Message]

    Algorithm   Mean Value (ms)   Deviation (ms)
    DES         59.02             16.14
    T-DES       49.8              19.78
    Message     478.02            6.8
    RSA         417.14            6.62
    SHA-1       70.44             10.1

Measurements - Decodings
[Figure: time needed in ms versus number of repetition for DES, T-DES, RSA, SHA-1 and Message]

    Algorithm   Mean Value (ms)   Deviation (ms)
    DES         47.42             6.39
    T-DES       47.4              7.77
    Message     1430.42           9.29
    RSA         91.72             7.57
    SHA-1       741.82            7.14

Measurements - Communication Protocol
[Figure: time needed in ms versus number of repetition for "Sending and Receiving an APDU" and "Resetting the card"]

Measurements - Stress Test
> Stress Test:
    1) RSA (9*50 + 50) times
    2) DES 100 times
    3) T-DES 100 times
    4) SHA-1 (9*50 + 46) times => ERROR
    5) Message 9*50 times => ERROR
=> Reset is needed after each type of ciphering!

Conclusions
> Issues:
    Bad documentation
    Meaningless error messages (6F00)
    Required memory has to be allocated before usage
    Different number representations
    Platform dependent
    Not compliant to the newest JavaCard specifications

Questions
Thanks for your attention ;-)