SIM Card: A Security Stronghold in Networked ME · A Security Stronghold in Networked ME. SIM Card...

Nicolas T. Courtois 1, ex. 2

1 - University College of London, UK2 = [Axalto+Gemplus]

Mobile Equipment

SIM Card: A Security Stronghold

in Networked ME

SIM Card and Security

2 Nicolas T. Courtois, WMNC Gdansk, 11/09/09

Roadmap (1)

Smart Cards:• History, Philosophy• Industrial standards

– ISO 7816-X smart cards => => GSM 11.11 =>

=> 3GPP specs



Roadmap (2)

• Functionality and Application to GSM– File system, – Commands, – Access control,– GSM: - business perspective– GSM: - security perspective

• Encryption / Authentication– A demo of vulnerability of

certain Eastern European cards.



Some History / Business / Economics Considerations



Where to Learn About Security?From the Military????• Yes if we want to learn about mistakes…But actually we can learn much more from successful business

people [example: Bill Gates]. – They are the modern equivalent of the medieval knights…

Remember how Poland conquered the Malbork castle from the Teutonic Knights?– In 1457 bought it for 190 K florins.

• Polish budget was 70 K / year.

– Military: impossible to take. ••• Or just too costlyOr just too costlyOr just too costly………



New Technology Business Gurus…First of all, even professional business “gurus” and top

managers are rather totally unable to anticipate how things can develop with new technology business…

Example: SMS• Predecessor: NMT-Text: first used in Russia, Bulgaria and

Poland, neglected in Nordic countries.• Many GSM operators started by offering this service for

free. – Never thought that SMS could earn them 1/10th of revenue it is

generating today…

Moreover business considerations are very hard to separate Moreover business considerations are very hard to separate Moreover business considerations are very hard to separate from the pure technology considerations. from the pure technology considerations. from the pure technology considerations. We need to cover them.We need to cover them.We need to cover them.



GSM – A Child of the Common EU Market (!)GSM was started by France and Germany. Later Italy, UK and many other

countries joined…– At that time we are talking about a “cartel” of state monopolists (telcos)

interested in sharing the huge cost of developing this new technology. • Effort was estimated as 10 x price of going to the moon.• Developed in Europe, and Europe alone. US systems lagging far behind…• One should NOT think that anybody wanted to share their national market too..

BUT .. very importantly, the EU commission has endorsed this project as early as in 1984 and substantially helped to fund it too. Not without an agenda:

⇒ the GSM phones (April 1992) were the FIRST telecommunication equipments for which it was NOT necessary to ask for homologation in each individual country. ⇒ Before, the markets for telecom equipment were strictly national, heavily

regulated with barriers for entry and some degree of incompatibility…

⇒ Creation in 1989 of ETSI = European Tel. Standards Institute



GSM – A Monopoly Breaker?So GSM, explicitly and from the start was

breaking the national telecom monopolies on hardware equipment (!). – It became clear that sooner or later, there will be only a few big industry

players manufacturing the phones. • Frankly, France [and UK, Italy, Germany], probably though that they would benefit

from this situation…

• Nobody have thought at the time that this industry will travel north (Sweden… and Finland!!!!) and finally east (China).

However, it was necessary to protect the income (for phone calls) of national telecom operators. This remained still possible for a long time.

• The business model is of national licenses (as for TV channels). – So each EU country could still protect their market. – Only big players can apply: the investment is incredibly huge.

Even bigger than running a TV station… Many operators had a terrible debt burden for up to 10 years…



Key Questions:If the phone is manufactured in a strange country (say Finland,

or China…)Q: How do we make sure that the client will pay the bill ?• Remember we are talking about a very major industry, worth

hundreds of billions of $$.

This is not a small problem: Take another industry: computer game consoles. • The game manufacturer does NOT want his game to

pirated. Yet the console manufacturer sees his sales go to the roof on the very day hackers found the way to circumvent the copy protection. As a result, piracy is strong, about 21 % for console games [source: Macrovision], and much higher in emerging countries…



Fact:

The fathers of GSM have adopted • a right business model and • security technologies that NEVER

were really pirated…– No SIM card clones

for any major operator so far (!).

How this became possible? It is precisely the object of this talk.



Adoption Barriers

The model had the right mix of very strong forces and incentives acting in opposite direction:

1) Subsidizing the phone and charging a lot for communications abolished adoption barriers: giving the phone for free or 1 €…like the French did with like the French did with like the French did with Minitel Minitel Minitel before, and before, and before, and this generated billions of revenue. this generated billions of revenue. this generated billions of revenue.



“Temporary Monopoly” SystemBecause of this subsidy, all (still national) telecom regulators

had to agree and allow that a user would be tied for the phone for at least say 6,12,18 months. To pay back for the “free phone”.

• Traditional rules of consumer protection were bent.

This created market conditions in which most people, for sure, would be trapped into

• spending MUCH more than they would want to spend, but also

• want to switch to competition in exchange of a new phone, that obviously had to be much better so that people would want to switch.

=> A virtuous circle of innovation.



****Two MarketsPhones:• Free market, perfectly competitive, high pressure

on prices, economies of scale, industry concentration…losers and winners.

Phone calls / subscription:• State-allocated pseudo-monopolies on each

territory? Yes:– market shares don’t change that much with time…– prices don’t change that much either year after year…



Encryption and Authentication in GSMEncryption: • Done by the phone. Voice privacy.• Governments: would like to break the encryption of each

phone…

Authentication: • Done by the SIM card. Billing. • Was never such a problem w.r.t. governments services

and national exportation / authorization laws that always allowed authentication to be MUCH stronger than encryption.



GSM Encryption: weak design• Ross Anderson reported in 1994 that there was a big

dispute among NATO countries whether GSM should be strong [Germany’s wish] or not.

– The French design [not so secure] won.

• Fatal flow in the spec shown by Biham et al. at Crypto 2003.

• Redundant data is encrypted => allows ciphertext-only attacks.

• But there is extra complexity here (extra flaws / better protection, depending on country and operator), as will be explained later.



The Genius in the BoxThe model of the SIM card:Two devices: • Perfect functional separation.

– Very good for security.

• Perfect separation of business interests, creating several totally disjoint markets.

– The telco cannot easily exclude people from using another phone compatible with GSM specs

=> more competition on features and innovation.

– The phone manufacturer can only lock people in for a limited time, through SIM locks.



The Genius in the BoxVery nice both money and security-wise: • The SIM card does not NEED TO TRUST the phone,

nor its (foreign) manufacturer.• The phone does not NEED TO KNOW what security

mechanism the card using, for example what (secret) crypto algorithm it is using…



Security AdvantagesThe phone CANNOT breach the security of SIM card (in the

sense of authentication and making free calls). Impossible.

• BUT, both sides can in fact breach the confidentiality (hidden flaws) as it was later found out…

– Or have better security / competitive advantage.

Remember: Crypto algorithms are: • A sensitive area of exclusive national/corporate expertise,

and strict export regulations (mostly abolished c. 2000). Some countries spend much more on crypto research than other.

• A major source of inimitability for business today: make sure that one product will not be copied.

• Always a major defense against hackers…



Entering the World of Secrets



What are Smart Cards ?The eternal tension in the industry:

competition � cooperation.

1. huge set of standards:• public bodies: ISO/IEC, ETSI, etc.• 10s of intra-industry standard bodies such as

GlobalPlatform, TCG

2. many industrial/commercial/trade/security secrets



Books About Smart Cards

1) Smart Card Handbook [Germany, 2002]• by Wolfgang Rankl and Wolfgang Effing

2) Smart Card Applications [Germany, 2007]• by Wolfgang Rankl

3) LATEST BOOK [RHUL, 2008]Smart Cards, Tokens, Security and Applications

• by Keith Mayes and Konstantinos Markantonakis (Editors)



Motivation in a Nutshell



Key RemarkSoftware CANNOT be protected by software.



Main Function of a Smart Card = = to be “a secure hardware device”.

1. ”intelligent” (Smart): the card – handles computations (e.g. crypto)– manages data (OS, file system, access rights)– takes informed security decisions (…block itself !)

2. Hopefully ”unbreakable”: nobody can know/modify what is inside.

USB interface ISO, [USB], [RF]

ISO, [USB,RFRFRF]

USB Token form factorSIM card form factor

credit card form factor



Philosophy / Model for Security of Smart Cards



Why Smart Cards Are Good

Or are they?

The classical model for smart card security[Schneier and Schostack 1999]

is about • Splitting the security perimeter:

• One entity cannot breach the other people’s security?

• Hardware barriers that cannot be breached by software,• Motto: Software cannot protect software.

• Physical control of the card, • By the user, if it is in my pocket, it is not being hacked…

• And trusting the entities involved…• Companies/people involved in this business can compromise it’s security (backdoors etc!)

slightproblem..



“Slight Problem” - Example:

The secrecy of the product spec can be:• An extra security layer,

– if hackers need 3 months more to get it, this can be worth millions of dollars in revenue…

• A source of unexpected and critical security vulnerabilities – that by the fact of being hidden

gives an utterly false sense of security.



History



Short Plastic Card History1878 US fiction writer Bellamy: In 2000 everybody will be paying

by a credit card (!). Cf. Edward Bellamy “Looking Backward, 2000 to 1887”.

1914-1940 Metal credit cards in the US, forbidden during WW2forbidden during WW2forbidden during WW21950 Invention of plastic money (PVC): Frank McNamara@Diners Club

[NY, USA] issues first universal plastic [charge] credit cards .

1967 First cash machines [DeLaRue] with punch cards.

1967 France: first magnetic stripe card for access control.

1972 [UK] First on-line ATM with magnetic stripe cards.



History - Chip Cards1960s1. French science-fiction book “La nuit de temps” by

René Barjavel: A portable object/jewel that opens doors.

2. Plastic credit cards were standardized and used since the 50s [plastic money].

1970s: 1+2 = Embedding electronic components in credit cards: Many patents in USA, Germany, Japan and then France.



Historical Patents



Smart Card Odyssey

Two Key Patents:• Roland Moreno [France]:

– chip card [1974]– security limitations [1975]

• Michel Ugon, Bull CP8: – microprocessor card [1977]

10 years ago, half of chip cards in the world were French. Wider adoption around 2000.



First Smart Card - Bull CP8

Around 1980, 2 chips, CPU+RAM, not very secure!

CP8 = Circuit Programmable 8 bits, CP8 = Circuit Programmable 8 bits, CP8 = Circuit Programmable 8 bits, Carte Carte Carte ààà Puce 8 bitsPuce 8 bitsPuce 8 bits



SPOM, October 1981 - Bull CP8

Patented• NMOS 3,5 µ, • 42 K Transistors,• RAM: 36 bytes (!), • ROM: 1,6 Kbytes, • EPROM: 1 Kbyte



History of Electronic Bank Cards - in 1984:Schlumberger pilot in Lyon, France: • a simple wired logic card

Bull CP8 pilot in Blois, France: • a microprocessor card

The banks adopted the Bull CP8 solution, the fore-father of current smart bank cards (EMV).

100% in France in 1992. 100% in the world around 2010 ?

=> Close the loophole.

Gemplus



Vocabulary, Typology, Features



Vocabulary

magnetic stripe card

IC= Integrated CircuitICC, chip card :• memory card

• wired logic card• smart card

carte à piste magnétique

puce, circuit intégrécarte à puce :• carte à mémoire• c. à logique câblée• carte à microprocesseur[+crypto co-processeur]



More Vocabulary

card reader, CAD (Card Acceptance Device)

BO’ card [1985-2004]EMV card [1996-2020?]

lecteur carte

carte bancaire françaisenouveau standard



Types of cards

memory/wired logic microprocessor

micropr.+crypto contactless

Source: Gartner, 2005

0 CPU

2 CPU

1 CPU

1-2 CPU



Memory/Wired Logic CardMemory/Wired Logic Card

• Primitive• NVM – non-

volatile memory(E2PROM, Flash

memory)• simple function• e.g. prepay card



Smart CardSmart Card

• Microcontroller = CPU+memory

• Universal, Turing machine, software driven

• flexibility• security features• [Hardware DES]



CryptoCrypto--processor IC Cardsprocessor IC Cards

• Additional crypto-processor for RSA or elliptic curves

• Hardware security counter-measures



ContactContact--less Smart Cardless Smart Card

• with RF transceiver• 0.1 s transaction

– much less energy– even less computing

power



Memory on Smart Cards• ROM (‘hard mask’: C/Assembly, contains OS,

secure file access, I/O, libraries[crypto!], JVM) = 100 - 300 Kbytes now

• RAM = 4-16 K now(expensive, first Bull CP8 card had 36 bytes)

• NVM: (‘soft mask’, compiled C, more libraries…)– EPROM: 1980s, high voltage needed to erase it– E2PROM: 8-64 Kbytes,

recently 128-256 K GSM SIM.– New trend: Flash memory:

• Much cheaper, dense and shrinkable process.• Random read, harder to manage,

hard to re-write and very slow to erase.• Spansion 2006: 1 Giga in a SIM card!

≈≈≈≈≈≈≈≈10001000 times slower times slower to writeto write than RAMthan RAM



Life Cycle of a Smart Card [ISO 10202-1]• Manufacturing: [e.g. Infineon, Gemalto]

– ROM <= ‘hard mask’, remove test functionality

• Initialize: [e.g. Gemalto, Card Issuer]– E2PROM <= ‘soft mask’, completing O.S. install

• Personalize: [Card Issuer]– Init apps– E2PROM <= data, keys etc. for an individual user!

• Use it: [e.g. ATM]– issue commands (APDUs)

• Death: [e.g. local bank]– invalidate the chip / destroy the card.



****Perso Process



Functionalities of Chip/Smart Cards



*Advantages of Smart Card

• storage capacity• security functionalities• multiple functions• user acceptability, effective packaging• successful business model



Crypto Functionalities of a Smart Card (1)

• Cardholder verification by the card. – Check PIN or biometric data.– Typically necessary to activate the crypto

capabilities of the card.

• Key generation, its secure storage, safe “usage” and (why not) erasure.

• Encrypt data (public and secret key)– emails, files, etc… e.g. PGP PKI badge– secure messaging



Crypto Functionalities of a Smart Card (2)Authentication – from weaker to stronger:• Integrity checks (CRC, or better: cryptographic hash).• Origin checks (storing a static signature)• Dynamic Challenge-Reply card authentication (proof of

identity, should be a Zero-knowledge mechanism).• Dynamic authentication of any data with a 3-DES

cryptogram or a MAC (symmetric-key signatures).• Dynamic authentication of any data with a “real” (=public-

key) digital signature. – Provides authenticity and non-repudiation of every individual action

taken in a complex protocol !

• Also verification: the authenticity of a terminal / external word.



Smart Card Applications



Some Applications of a Smart Card

• PayTV - Broadcast Encryption and Traitor Tracing.– First PayTV Card: Philips+Bull, 1980-81

• Storing private data (emails, passwords etc…)• First phone cards with a chip: [1983 Schlumberger

Télécarte, France], [1984 G&D Telekarte, Germany], Remark: wired logic, contact placement later changed

• GSM / 3G phones – First SIM card: Gemplus 1989, MANY billions sold since

• Electronic passport, ID– PKI, Belgium by Axalto.– Biometry. All passports in October 2005 !



More Applications of a Smart Card

• Bank Cards [since 1984, Bull CP8]• Home Banking, Internet Shopping• PC access, corporate badge, secure email

PGP• Electronic purse, parking: [1996-] Proton[Be],

Geldkarte, later integrated with bank cards• First student card [restaurant, library, etc.]

– First in 1988, Italy, Bull CP8



Smart Cards Market



**Actors and Value Chain



***2007 Market Segments

Source: Gartner, 2005

[source: eurosmart.com]



Industrial Standards [1]:=> Cards



What is a Smart Card ?

Set of standards ISO.• cards with contacts:

– ISO 7816-1..16

• contact-less [later]:––– ISO 14443 AISO 14443 AISO 14443 A---..C [Oyster]..C [Oyster]..C [Oyster]

––– ISO 15693 [NFC]ISO 15693 [NFC]ISO 15693 [NFC]

––– ISO 18000 [RFID]ISO 18000 [RFID]ISO 18000 [RFID]



ISO 7816-1

Size matters! Like a credit card.



ISO 7816-1

Physical Characteristics:• Operating temperature, humidity, etc…

» below are very severe requirements:

• bending properties (the chip can break• torsion properties or take-off)

» Consequences for the chip:

• silicon surface ≤ 25 mm2, ≤ 0.3 mm depth• small computing power, not Pentium 4…



Manufacturing



Die bonding

• The chip is glued to the contact.

• Connections with gold wire (20 µm)



Encartage

• Embed in a ¾ mm card.



Plastic Matters



ISO 7816-2

Contacts1.7 x 2 mm

[changed in 1990]

old AFNOR standard



ISO 7816-2=> Freedom



Contact Quality

• “Friction force” readers scratch the cards [contacts frottants]

• Landing contacts – much better [contacts atterrissants]



ISO 7816-2 - Historical

C1 – VCC (+) C5 – GND (-)C2 – Reset C6 – VPP for EPROMC3 – CLK C7 – I/O (serial port a.k.a. ISO)C4 – ??? C8 - ???



ISO 7816-2 – Evolution@2005-2009

C1 – VCC C5 – GNDC2 – RST C6 – [SWP/antenna?]C3 – CLK C7 – I/OC4 – [USB] C8 - [USB]

USB USB Samsung S-SIMsupports both+NAND+InterChip USB



ISO 7816-3 and EMV/GSMVoltage and current supplied [I~clock freq.]:

• Class A: 5 V ±10% / 60 mA @5 MHz [ex. 200 mA]

• Class B: 3 V ±10% / 50 mA @ 4 MHz• Class C: 1.8 V ±10% / 30 mA @ 4 MHz

• EMV bank cards: always 5V, 50 mA• GSM cards: class A-C max current respectively:

10 / 6 / 4 mA ONLY! (heat, phone battery life).



Power MattersSummary: • …• Bank card: 5 V, 50 mA• GSM SIM class C card (the latest): 4 mA• …• Even much less for contact-less cards !!!

(power supplied by an alternative magnetic field)

=>Very Low computing power !!! In contrast: modern PC CPU – up to 50 000 mA !



Power MattersSummary: • Several 1000 x less power than an Intel CPU…

• Low surface (≤ 25 mm2)• Lower density (0.09 µm

vs. 0.065 µ SOI process for recent CPUs)

• 8 and 16-bit CPUs for very long time• 32 bits CPU only since 2003-4



ISO 7816-3

CLK: • transition time < Max( 0,5 µs, 9% x period T)• at 1 during 40 % - 60 % of time.

– The card security should block if short impulses !

Clock speed:• First cards [1996]: 3.579545 MHz

(still@begin)



Clock and Maximum Computing Power Avail.

Clock speed, NO co-processor:• 1990: 3.5 MHz, RSA-512, 2 minutes

Clock speed with co-processor:• 1996: 3.5 MHz, RSA-1024 in 500 ms• 2000: 7 MHz, RSA-2048 in 500 ms• 2004: 60-100 MHz, RSA-2048 in 50 ms • 200-400 MHz today, RSA-2048 in 10 ms



I/O - ISO 7816-3Known as “ISO interface” of a card: simplified UART (serial port)Transmission of bytes:

Time duration of 1 bit = 1 Elementary Time Unit [etu]

N specified by TC1 in ATR



ETU

etu = duration of 1 bit, by default 1 etu = 372 / Clock frequency Examples:• 3.5712 MHz/372=9600 bit/s• 3.5712 MHz/186=19200 bit/s• 3.5712 MHz/93=38400 bit/s• 3.5712 MHz/32=111600 bit/s



ISO 7816-3Defines the ATR: answer to reset. Up to 33 bytes.

Must happen at 400 … 40,000 clocks after RST. ATR = a series of bytes transmitted in order b8..b1:• TS • T0 [presence of TA1-TD1 and 0..15 historical bytes]

– TA1– TB1 – TC1– TD1: like T0, specifies the presence of extra objects…

• TA2• etc…



ATR Structure

XOR checksum



TS specifies:TS [A+8+Z bits]: specifies the relationship between A/Z and 0/1 Z=high voltage, A=low voltage• Direct convention [Germany], where A=0, Z=1:

TS = ‘3B’; b1:b8= A(ZZAZZZAA)Z• Inverse convention [France], with A=1, Z=0:

TS = ‘3F’; b8:b1= A(ZZAAZZZZ)Z



ISO 7816-3 - Highlights

In particular ATR specifies the comm. capacities: • T=0 or T=1• half[/full] duplex• clock speed• baud rate



ISO 7816-3Communication Protocols Main two: synchronous, half/duplex

– T=0 (byte-oriented, e.g. GSM SIM), – T=1 (block-oriented, e.g. bank cards)

––– T=14 (proprietary for German phone cards)T=14 (proprietary for German phone cards)T=14 (proprietary for German phone cards)Recent developments: • T=2 (block-oriented, full duplex, cf. ISO 10536-4).

••• T=4, expansion of T=0T=4, expansion of T=0T=4, expansion of T=0

••• T=USBT=USBT=USB



T=CL

• T=CL is used for talking to ISO 14443A/B cards with APDUs translated by the reader (totally hides the RF interface from the programmer, the card seems to be a card with contact!)



T=0 or T=1?

Remark: – T=0 (byte-oriented)

• parity bits only

– T=1 (block-oriented) is ‘more modern’. • More error detection too: parity +

each block also has a CRC.



ISO 7816-3

Baud rate:• 1996: 9.6 K bit/sec default, @beginning.• Then: 115 K bits/sec

• Outdated by Axalto patent: USB smart card: – First Axalto USB: 700 K bits/sec– Full-speed USB – up to 12 Mbit/s [since 2005].

• Not USB 2.0., it is just USB 1.0. full-speed.



Example of GSM SIM ATR‘3B894014474732344D35323830’

Decoded:TS= ‘3B’ => direct encodingT0= ’89’= ‘1000’ll’1001’ => TD1 + 9 historical bytes

TD1= ’40’= ‘0010’ll’0000’ => TC2 present and protocol is T=0TC2= ’14’= ‘0001’ll’1110’ => waiting time 14 * 100 msT1…T9: ’47’ll’47’ll’32’ll’34’ll’4D’ll’35’ll’32’ll’38’ll’30’ =>

“GG24M5520” (these are the 9 historical bytes, sort of unique ID of this SIM card)



ATR - More Examples"3B8F8001804F0CA000000306030001000000006A"

=> "Philips MIFARE Standard 1 K and London Oyster card””3B6500009C02020702"

=> “US Department of Defense Common Access Card,Axalto Cyberflex Access 32K V2, Sun Microsystems employee card”

"3B898001006404150102009000EE" => "German e-Passport April 2007",

"3B6D00000031C071D66438D00300849000" => HSBC MasterCard

"3F6525082204689000"

=> "France Telecom card“"3F65250052096A9000"

=> "French carte Vitale", "3BEF00FF8131FE4565631104010280000F274000030100E1"

=> “German Postbank Geldkarte","3FFF9500FF918171A04700444E415350303131205265764230423A"

=> "NagraVision card for StarHub Digital Cable DVB-C Singapore",



Industrial Standards [1B]:=> Other Form Factors



Form Factors and InterfacesUSB interface ISO, [USB], [RF]

ISO, [USB,RFRFRF]


a.k.a. ID-000 credit card form factor, a.k.a. ID-1

3FF - [telecom, not widely used]

ISO, [USB,RFRFRF]

VISA-mini a.k.a. ID-00

ISO, [USB,RFRFRF]



Dimensions



Industrial Standards [1C]:=> Contact-less



ComparisonComparison



AntennaAntenna

large loop antenna



Embedding the AntennaEmbedding the Antenna• Must be a LARGE coil

• SIM card: must be external (“NFC enabled mobile phone”)



Double/Triple Interface Cards

E.g. corporate badge– Functionalities:

• Enter doors, • PC log-in, • PGP decrypt and sign

– Adopted worldwide, e.g. U.S. Army

ISO, USB, RF

ISO, RF



Low-Level and Physical Security



Main Function of a Main Function of a Main Function of a Smart Cards ==== to be = to be = to be “““a a a secure hardware devicehardware devicehardware device”””...

1.1.1. ”””intelligentintelligentintelligent””” (Smart): the card (Smart): the card (Smart): the card ––– handles computations (e.g. crypto)handles computations (e.g. crypto)handles computations (e.g. crypto)––– manages data (OS, file system, access rights)manages data (OS, file system, access rights)manages data (OS, file system, access rights)––– takes informed security decisions (takes informed security decisions (takes informed security decisions (………block itself !)block itself !)block itself !)

2. Hopefully ”unbreakable” : nobody can know/modify what is inside.

USB interface ISO, [USB], [RF]

ISO, [USB]


credit card form factor



Remark:

There is no defense against an adversary that has several millions of €…



Removing the Chip



Some Firms Make it Harder:

Oberthur Potting™ claims:• improves durability [harder to break] • any attempt to remove the module from the

card would result in totally destroying it



Reverse Engineering



Open-source � Closed-source

Industry: competition � cooperation

Standards

�

Industrial/commercial/trade/security secrets



*Open Source vs. Closed Source



Kerckhoffs Principle

Dutch cryptologist, wrote his book in French.

In June 2006 Dutch researchers De Gans et all, have published several cloning attacks on MiFare Classic chips [London Oyster card + 200 M other].

[first cloning attack: Courtois, Nohl and O’Neil, April 2008].



Kerckhoffs principle: [1883]

“The system must remain secure should it fall in enemy hands …”



*Remark:

Smart Cards:

They are already in ‘enemy’ hands

- even more for RFID…



Kerckhoffs’ principle: [1883]

Most of the time: incorrectly understood.

No obligation to disclose.

• Security when disclosed.• Better security when not disclosed???



Yes (1,2,3):

1. Military: layer the defences.



Yes (2):

2) Basic economics:

these 3 extra months(and not more �)

are simply worth a a lot of money.



Yes (3):

3) Prevent the erosion of profitability

/ barriers for entry for competitors / “inimitability”



Kerckhoffs principle is kind of WRONG in the world of smart cards

Reasons: • side channel attacks are HARD and COSTLY to

prevent when the algo is known• in some applications, for example Pay TV the

system is broken immediately when the cryptographic algorithms are public.



*Silicon Hacking



Tarnovsky Lab

Only few thousands of dollars of equipment



Tarnovsky (and Other Professional Chip Hackers)

Few thousands of dollars of equipment• Surface polishing• HydroBromic acid to eat away the passivation layers• A microscope for pictures:

– the successive layers of silicon are revealed with acids and lasers

• Doping guns to cut/add traces to a working IC• Stinger: bypassing the protections with long microscopic needles.



More Expensive:

• Atomic Force Microscope(20 K€ - 1 M€)

• FIB device (Focused Ion Beam, 0.5 M€)Canal+ Technologies Lab



FIB:Example resolution: 10 nm Classical applications: failure analysis of ICC

But also: circuit modification:• Local material removal:

– cutting metal lines, milling, gas enhanced etching

• Local rebuilding/rewiring of the device– new metal interconnects

– new insulating layers

• Fine tuning of analog components: decrease/increase R or C…

• Reading (electron image)• Art: writing on the nm scale:



Clear and Present Danger

Reverse engineering is NOT that hard.

No no need for a FIB device (Focused Ion Beam, 0.5 M€).

A few thousand dollars microscope will suffice.



Reverse Engineering MiFare [Nohl, Plotz, 2007]



Hardware Defences



Hardware Countermeasures:

Make the life of the hacker much harder.

Financial sector requirements:• attacks should cost more than

say 25 K$ per card…



Functionality + Security



Hardware Countermeasures

Detection:• Detect under/over-clocking (stop the clock, read the (stop the clock, read the (stop the clock, read the

RAM)RAM)RAM)

• Random instructions, and Random Wait States [e.g. Infineon SLE66].

• Detect low/high voltage [<2.3 V or >6.3 V].• Glitch/spike detect• Detect UVs, light, alpha particles, high/low

temp etc.



Intrusion Detection



More Hardware Countermeasures

• Shield/coating. – Detect if “passivation layer” was removed.

• R/C measurements.

• Metallic layer: screens for charges/radiation.– Needed and monitored:

• R/C measurements.

• Active shields=detect tampering with.– Mesh of wires: prevents probing, attacks with a

laser cutter, etc.– Chemical traps: SiShell [Axalto patent].



Active Shield

Source:Infineon. Problem: back side attacks.Problem: back side attacks.Problem: back side attacks.



**Intrusion Detection on PEDs (Pin Entry Device)

Anderson et al. UCAM-CL-TR-711

2/2008this way

not this way…

works!



Design Obfuscation• Restricted circulation of specs.• Non-standard instruction set. • Custom crypto algorithms.• ROM and busses in lower layers of silicon.

– Only “ion-implanted ROM” is used, not visible with UV light.

• Scrambling the data busses.– in each chip different lines, on certain chips the busses location changes during the execution of the code.

• Dummy structures in silicon.• Duplication• Symmetry -> same power consumption.• Memory Obfuscation:

– Encrypt the memory addresses.– Encrypt the memory data.



Robustness and RedundancyGoals:• Avoid perturbation at logical level:

– Control bits, error correcting– Dual logic, also protects against power attacks.

• Detect perturbation at the OS and software level and block the card…– Data checksums, – Redo DES twice, – Etc..

Security of file system and OS: later.



More and Higher-Level Security Countermeasures



Motivation:

Most Bank Cards have a PIN verification function.

PIN

Y/Nnot authenticated except in EMV DDA cards

not encrypted except in some EMV DDA cards



Critical Bits and Pieces

• Example: PIN verification.• Can be implemented in asynchronous logic

[dedicated transistors/gates]– much lower power consumption, – in a lower layer and much harder to localize– require a dedicated hardware attack as apposed

to a generic attack on CPU registers, busses, loading to memory, etc..



PIN code – Simple Hacker Attack [1992]

• Enter the PIN with a home terminal.• “Listen to” card radiation/power consumption to

detect early in time that it was wrong.• Switch the voltage off very quickly.

Countermeasure [used in all bank cards]:• Increment the ratification counter first• Check the PIN• The decrement it(!).



Timing Attack on PINs

[old, worked before c. 1990]• Bad programming: compare PIN digits one

after one, if first is incorrect, abort! • Good programming: write a program such

that the execution time is constant.



PINs and Keys – Storage in RAM

• E2PROM of the smart card: assume addresses and data are encrypted.

Attack 1: read it (assume it’s possible)• Solution 1: store h(PIN)?

– Attack 2: dictionary attack.

• Solution 2A: store R, h(PIN,UID,R)• Solution 2B: store R, E_K(PIN,R)

where K is a key specific to this card only



Protocol/Software Countermeasures

• Typically, the chaining of commands is strictly controlled. Each command can be issued only once, and in a certain order. – Assured by a finite state machine.– Example: don’t accept commands in clear-text

once secure messaging is established.

• The spec should not allow buffer overflows.



***Example: Conformity Test

The test verifies the enforcement of Secure Messaging:

Afterwards the chip denies to send data in an unencrypted way and answers with 6X XX (error).

Not enough: make sure that the same error code is sent in the same situation!



Example:

Eric Poll [Nijmegen] Attacks on e-passports.Send various ISO commands, observe the error messages:



Clone Attacks



More Hardware Countermeasures

• Unique serial number– Written in WORM (Write Once Read Many)

a.k.a. OTP (One Time Programmable). – Example: Oyster card UID=32 bits – Benefits are:⇒ clone harder to make⇒ can blacklist all similar cards⇒ card-dependent memory encryption and

hashing



Threats (1.)Assume that we have all the data. Clone the card? 1. Card Emulation on a card – defenses:

• unique ID, cards that can be personalized not available => • requires a special re-programmable card,

• or a pirate emulator

-speed, +size, +cost, etc.



Threats (2.):Assume that we have all the data. Clone the card? 1. Card Emulation on a card ???2. Card Emulation on a PC!



Threat 3. Relay AttackLow-tech, always works!

No Need to Break Anything !!!



Economics Aspects



*Cost of Some Attacks [source: RFI Global]



*Cost of Fault Attacks [source: ST]



Security Management -the Development Process



Secure Hardware Dev. Management[In smart cards] one design criterion differs from the criteria used

for standard chips but is nonetheless very important is that absolutely no undocumented mechanisms or functions must be present in the chip ('that's note a bug, that's a feature').

Since they are not documented, they can be unintentionally overlooked during the hardware evaluation and possibly be used later for attacks.

The use of such undocumented features is thus strictly prohibited[...]

[pages 518-519 in the Smart Card handbook by Wolfgang Rankl and Wolfgang Effing, 1088 pages, Wiley, absolute reference in the industry]



Testing• White-box tests are prohibited, no debugging commands

must be left in the hard-mask and soft-mask. • Tests must be black-box tests and test suites include

scanning for hidden [debugging] commands.



Application Development ManagementGoals:• Avoid backdoors, Trojans, covert channels, bugs

etc.• Kleptography: techniques to leak keys to the

attacker, • form of perfect crime.

Means:• Segregation of duties.• Monitoring.



Segregation of Duties

• Never one developer works alone on an application.

• he knows only some parts of the spec (partial secrecy, “need to know”).

• Some critical security mechanisms can be distributed: part in hard mask(ROM), part in soft mask, harder to know both…– the chip manufacturer does NOT have the full

spec either.



Monitoring / Checks and Balances• Internal quality and security audits within each company.• The entire source code is frequently inspected by an

independent company: – government agency [DCSSI in France] or – an evaluation (or hacker) lab [such as CEA-LETI]

• mandated and paid by the customer [to avoid conflicts of interests].

• Some countries have a process to evaluate these labs (they have to prove that they can break smart cards as well as other people do).

• External security audits (auditor from the customer: large bank).



File System



Data in smart cardsThink about sequences of bytes.BER-TLV conventions [ISO 8825]

T – Tag, for example “90” in hex.L – 1 or 3 bytes. Let L[0] be the first byte

MSB(L[0])=0, L[0] = length 0-127,MSB(L[0])=1, L[1-2] = length 0..65535

V – value, a string bytes.

TLV objects can be nested !



ISO 7816-6

Specifies how to encode different data elements as BER-TLV objects,

For example:• Name of the credit card holder• Expiration date• Etc.



ISO 7816-4

File names FID: • 2 bytes• example: ‘3F 00’

Short file names (SFID): – 5 bits, 1..30, used as

a parameter in certain commands



ISO 7816-4

• MF: Master File(root directory “3F00”)

• DF: Dedicated Files(directories+some data)

• EF: Elementary Files(data files)



Elementary Files

EF: Elementary FilesNot all files are visible for applications(!)

– Internal EF: card private files, card O.S. only can see them

– Working EF: data accessible to applications that communicate with the external world.



Example: GSM Card [incomplete picture](cf. 3GPP TS 51.011

standard)



Some Directories in a GSM CardImportant directories:

• root directory : 3F 00

• DFGSM = 7F 20

• DFTELECOM = 7F 10.

First byte: • '3F': Master File;

• '7F': 1st level Dedicated File

• '5F': 2nd level Dedicated File

• '2F': Elementary File under the Master File

• '6F': Elementary File under a 1st level Dedicated File

• '4F': Elementary File under 2nd level Dedicated File



ISO 7816-4 – Files (EFs)

4 types

like RAM, or a string of bytes

“records”, with specific instructions and applications…



2 Types of Fixed-Size Entry Records

2 types of records:

• Linear Fixed file– Like a list

• Cyclic Fixed file: – Motivation:

• fixed E2PROM size, scarcity

– Applications: • Bank card history

– e.g.150 last transactions

• all SMS sent/received• etc..

Record 1

Record n

Record 2

.

.Body

Structure of a linear fixed file

Header

Record n-1

Record n-2

Record n

Record 1

Record 2..

Body

Last updated record

Structure of a cyclic file EN726-3

Oldest record

Header



GSM Card: Some Files Inside DFGSM• EFIMSI (6F07)• Le fichier EFLOCI (6F7E) contains TMSI, LAI etc.• EFLP(Language preference)• EFKc = Ciphering key Kc + sequence number• EFSST (6F38) = SIM service table = 1byte = [s1present, s1active, …]

= ‘services’ present/not active/not in this card, these are:– Service n°1 : disable user’s PIN == CHV1

– Service n°2 : Abbreviated Dialing Numbers (ADN)– Service n°3 : Fixed Dialing Numbers (FDN)– Service n°4 : Short Message Storage (SMS)

• EFACM = Accumulated Call Meter, in units• EFMSISDN = the subscriber’s MSISDN.• etc..

present inDFTELECOM



Some Files Inside DFTELECOMThis directory is protected by PIN(!)

• EFADN(6F3A) your short phone directory (10 entries),• EFFDN(6F3B) your phone directory• EFSMS(6F3C) all the SMS received and sent, cyclic file

Record n-1

Record n-2

Record n

Record 1

Record 2..

Body

Last updated record

Structure of a cyclic file EN726-3

Oldest record

Header



File Access and Access Conditions



Accessing Files: SELECT FILE – FCI/90 00General philosophy: Almost always one must select a file before any operation on it… (MF is

selected at the start)• SELECT FILE + params• Response: either:

– 90 00

– FCI = File Control Info = status of the file selected, • exact spec [attributes and their encoding]: depends on the smart card, e.g. GSM.

• STATUS command (C0 F2) - GSM specific: – allows to know (to avoid confusion) what file was selected with the last

SELECT command.



VariantsThere are MANY methods to address a file with SELECT FILE:• by 2 bytes FID (for MF, DF and EF)

– 0_ A4 00 …• By DF name or AID (for DF only or an application)

– 0_ A4 04 …– 0_ A4 02 …

• by absolute path from MF– 0_ A4 08 …

• by a relative path from current DF– 0_ A4 09 …

••• Switch to higher level DF? (equiv to ../ in PC OS)Switch to higher level DF? (equiv to ../ in PC OS)Switch to higher level DF? (equiv to ../ in PC OS)

••• ……… another DF when partial AID is transferred?another DF when partial AID is transferred?another DF when partial AID is transferred?



Examples: SELECT FILE1. Example of a SELECT FILE with FID and FCI, for a GSM card:

• Command: A0 A4 00 00 02 6F 07

• Response: This command returns the FCI.

2. Example of a SELECT FILE with AID and no FCI (widely used for accessing files AND applications by their unique identifier):

• Command: 00 A4 02 00 05 [AID]

empty params.SELECT FILE

GSM cardlength + FID == file identifier on 2 bytes‘6F 07’ = IMSI file of this SIM card

specific params.SELECT FILEISO command

length + AID, if no ambiguity, a prefix of a valid AID can also be accepted



FCI and Access Conditions for EF files



Status of EF Files

SELECT FILE command for an EF file =>returns:

1. an error command:• 62 83 – file deactivated• 64 00 – execution error

• 6A 81 – function not supported• 6A 82 – file not found• etc..

OR2. an FCI (File Control Information) + 90 00(each EF file in a card has specified access conditions):



FCI (File Control Information) for EF files

May contain (examples, mostly optional)• “80”+2 bytes: size of the file• “82” + 2 bytes: file descriptors, e.g.

– shareable/not – type of file: DF/working EF/internal EF– EF structure

• “83” + 2: file identifier.• “84” + 1-16: DF name.• “86” + security attributes (proprietary coding).• etc..



*FCI Attributes [contd.]• “86” + security attributes (proprietary coding).Files can be:• WORM (Write Once, Read Many time)

– implemented in hardware or software

• EDC (Error Detection Code)• atomic write access

– Security: must written entirely or not at all (!!!)

• multiple storage attribute– for frequently used files in the card, ‘wear-level’ usage of E2PROM

• data transfer selection attribute– on dual-contact cards, to make file accessible only via contact or

contact-less interface



Examples of FCINot 100% compatible, depends on products…• 6F 07 80 02 00 58 82 01 01 90 00

– EF with transparent structure, file size: 88 (0x0058)

Example of GSM FCI (22 bytes = 0x16):• 00 00 00 01 7F 20 02 00 00 00 00 00 09 91 00 11 08 00 83 8A 83 8A

Can be decoded according to GSM spec: Can be decoded according to GSM spec: Can be decoded according to GSM spec: ••• ………••• Byte 14: The most significant bits of is 0 if an only if PIN1 isByte 14: The most significant bits of is 0 if an only if PIN1 isByte 14: The most significant bits of is 0 if an only if PIN1 is disabled.disabled.disabled.••• ………••• Byte 19 = is the "CHV1 statusByte 19 = is the "CHV1 statusByte 19 = is the "CHV1 status“““. . .

––– Typically the value of this byte is '83' where 8 means that the Typically the value of this byte is '83' where 8 means that the Typically the value of this byte is '83' where 8 means that the PIN1 has been PIN1 has been PIN1 has been initialized, and that there are 3 cardholder verification attempinitialized, and that there are 3 cardholder verification attempinitialized, and that there are 3 cardholder verification attempts left for this ts left for this ts left for this PIN.PIN.PIN.



Files Security Status



Security of Files in Directories“Security status” of a file results from the sequence of commands

performed (e.g. authentication of entities) and their results. It can be:• Global: may be modified after a completion of a certain authentication

command (or other secure functionality), • Examples (studied later):

» VERIFY + PIN, » GET CHALLENGE + EXTERNAL AUTHENTICATE)» only if the commands are embedded inside SECURE MESSAGING channel (normal APDUs

with encryption AND authentication with a MAC)

• a secret key/value stored in the MF is used to perform this cryptographic command.

• File-specific, • then the key/PIN used is stored in the same DF.

• File-specific (EF).• Command-specific and ephemeral.

Example:



Security of Files in DirectoriesExample: Access conditions for a given file

+ given access mode (e.g. WRITE):

• PRO: An external command can write a file if the MAC of this command is valid. • AUT: File accessible R/W if the terminal authentication have been done before.• CHV: This file can be read if the user have entered the Pin and if it was correct.

••• CHV2: The same with the second PIN (exists in GSM).CHV2: The same with the second PIN (exists in GSM).CHV2: The same with the second PIN (exists in GSM).

••• ADM: requires the admin code number (up to 14 exist in GSM, TelcADM: requires the admin code number (up to 14 exist in GSM, TelcADM: requires the admin code number (up to 14 exist in GSM, Telcooo’’’s access)s access)s access)• NEV (access to some files can be disabled forever)

• ALW (always), public access (at least in this mode, e.g. READ).• Other conditions may exist in a specific card…



Security and Access to Files:

Example [root directory]:



MACs = “Secret-Key Signatures”

MAC algorithm

m

sk(secret key)

MAC algorithm

sk(secret key)

σ

(m,σ)

yes/no

forgery



*Example – how a card will enter mode PRO:Terminal Card

ASK RANDOMcommand

Challengegeneration

(T)DEScalculation

Challenge

PRO key

Cryptogram

PRO command

OK?

Compare thecryptograms

Delete flag randompresent

Data + cryptogram

EF key

PRO Key

Challenge

PRO mode OK

Bad Authentication

N

Y

(T)DEScalculation

Data tosent

Data

Receivedbytes

Data

ReceivedCryptogram

Decreaseratification counter

Reset ratificationcounter if needed



*Example – entering mode AUT:

Terminal Card

ASK RANDOMcommand

Challengegeneration

(T)DEScalculationAUT mode

Challenge

TerminalKey

(T)DEScalculationAUT mode

Certificate

EXTERNALAUTHENTICATE

command

Compare thecryptograms

Delete flag randompresent

Cryptogram

EF keyKey number

+Cryptogram

Card Key

Receivedbytes

Keynumber

OK?

Authenticationsuccessful

Bad Authentication

N

Y

Decreaseratification counter

Reset ratificationcounter if needed



Commands (APDUs)



Commands - ISO 7816-4APDU = Application Protocol Data Unit

Master-slave principle. Half-duplex. • The card never starts anything.



ISO 7816-4APDU = Application Protocol Data Unit

CLA = 1 byte, identifies the applicationINS = 1 byte, instruction codeLc = size of data, 1 or 3 bytes

Le = size of the expected answer, 1-3 bytes.



CLA byte and ‘Logical Channels’

CLA is 1 byte that:

• identifies the application – so remains constant (though 1 application can have several ‘channels’),

• is an indication to what extent the command and the response complies with ISO 7816-4– Examples: ‘0X’ standard ISO, ‘A0’ in GSM,

‘80’ e-purse EN1546-3, ‘BC’ old EMV bank cards, ‘80’ and ‘84’: EMV bank cards ‘8X’: proprietary commands

CLA=‘0X’, 48X’ and ‘9X’, ‘AX’ use so called ‘logical channels’: • Let X=b4b3b2b1

– b4 b3 indicate if Secure Messaging is used and if the command header is also authenticated

– b1 b2 indicate the number of logical channel 0..3• Application: concurrent communication with multiple applications (or concurrent

execution of multiple tasks). Example: mobile phone talking to phone book another application [can be Java] stored on the SIM card.



Command APDUs

Lc = size of data, 1 or 3 bytes

Le = size of the expected answer, 1-3 bytes.

4 cases



C-APDU INS ExamplesWhen CLA=0X0E2070828488A4B0B2C0C2CAD0D2D6DADCE2

Erase Binary Verify Manage Channel External AuthenticateGet Challenge Internal AuthenticateSelect File Read Binary Read Record(s) Get Response Envelope Get Data Write Binary Write Record Update Binary Put Data Update Record Append Record



Response = R-APDUResponse structure:

• SW1: 90=completed/OK with warning/error during exec/checking error;?NVM changed[63,65]

• SW2: error number

90 00 = All OK



IMPORTANT:In many cases, and in all cases where the size

of the answer is not known in advance,The response is NOT given,

the terminal must ask for it (another C-APDU).

Example (for a bank card):



5 Possible Cases:Case 1: No input data/no output data

Case 2: No input data/Output size known in advance:

Case 3: No input data/Output size not known:



Case 3: 2 x C-APDU, 2 x R-APDU:Card

ACK = 9000

2 status bytes

ACK = 9000

Data

2 status bytes

TerminalCommand APDU

Data

Request the Answer APDU

wait for completion

wait for completion



[…] 5 Possible Cases

Case 4: Input data/no output:

Case 5: Input data/Output size known or unknown:



ISO 7816-4 Inter-industry Commands

For transparent linear files: • READ BINARY• WRITE BINARY* • UPDATE BINARY = real WRITE• ERASE BINARY• SEARCH BINARY

**VERY SPECIAL:VERY SPECIAL:as Eas E22PROM isPROM is10001000times times slowerslowerto writeto write than RAM, than RAM, and it is the change from and it is the change from

00→→1 that is slow (requires 1 that is slow (requires erasing)erasing)

Thus the command WRITE Thus the command WRITE performs a logical AND performs a logical AND

with the current file with the current file content!!!!content!!!!



Syntax: Read/Write

• READ BINARY

• UPDATE BINARY (overwrite)



ISO 7816-4 Inter-industry CommandsFor records (2 types): • READ RECORD• WRITE RECORD• APPEND RECORD• UPDATE RECORD• APPEND RECORD• SEEK• SEARCH RECORD



ISO 7816-4 standard commands

For application-specific data objects.• GET DATA• PUT DATA



Security Commands



Read/Write => Secure Read/Write, CLA=04



ISO 7816-4 Security Commands

Authentication Card Holder => Card

• VERIFY + password/CHV/PINBTW. CHV == Card Holder Verification == PIN

• Example: 00 20 00 00 04 70 61 70 61

4 bytes password = ‘papa’)

no L_e, no data in reply expected, result will be visible in two status bytes SW1SW2

must be 0INS

CLA authenticates the whole MF if b7=0, PIN stored in MF




Authentication Card => Terminal

• INTERNAL AUTHENTICATE + random challenge algo nb. + key nb.– Produces a cryptogram/MAC, proves the identity of the

card.• Example: 00 88 00 00 04 A3 02 AF D1 04

crypto algo nb.

authenticates the whole MF if b7=0, key stored in MF

INS

CLA

random challenge on 4 digits

the reply should be 3 digits/bytes too




Challenge-Response Authentication:Terminal => Card

• GET CHALLENGE

• EXTERNAL AUTHENTICATE + algo nb. + key nb. + cryptogram



Example:

• GET CHALLENGE• Example: 00 84 00 00 10

• EXTERNAL AUTHENTICATE • Example: 00 82 00 00 04 01 02 03 04

crypto algo nb.

authenticates the whole MF if b7=0, key stored in MF

INSCLA

our cryptogram on 4 bytes

no data to recover in reply, OK/not OK seen as 2 status bytes.

LE = it expects 16 digits randomboth are 0INS

CLA




Mutual Authentication:Terminal <=> Card

The sequence:• GET CHIP NUMBER• GET CHALLENGE• MUTUAL AUTHENTICATE + params



Encapsulation of ISO 7816-4 Commands

Commands and answers contain another embedded APDU command (or part of it):

• GET RESPONSE for an embedded command

• ENVELOPE – sent an encrypted APDU• Example: 00 C2 00 00 10 ……………

some data, length 16both are 0INS

CLA

no data to recover in reply, only 2 status bytes.



Some More GSM Commands (CLA=‘A0’)

CHV1=user PINCHV2=second PIN



Concrete Example: Your Own GSM Card



Some Directories in a GSM CardImportant directories:

• root directory : 3F 00

• DFGSM

= 7F 20

• DFTELECOM = 7F 10.

First byte: • '3F': Master File;

• '7F': 1st level Dedicated File

• '5F': 2nd level Dedicated File

• '2F': Elementary File under the Master File

• '6F': Elementary File under a 1st level Dedicated File

• '4F': Elementary File under 2nd level Dedicated File



How To Access These in Practice?We use very basic open-source software

(and all it does to call function of Microsoft smart card API, which are implemented inside winscard.dll, included in every version of windows)

Spring Card tools: Quick install: http://www.springcard.com/download/usr/sdd4c0-ae.exeThis program installs 3 different working tools, we use C# Scriptor here.



Minimal GSM Phone Call:The VERY strict minimum… in fact thousands of

commands can be exchanged in modern phones…

1. Select the le DFGSM directory.2. Verify the PIN (not needed if PIN inactive).3. Run the GSM algorithm to obtain cryptographic

keys for the authentication and encryption during the current phone call.



Minimal GSM Phone Call:1. Select the le DFGSM directory.



SELECT FILE1. Example of a SELECT FILE with FID and FCI, for a GSM card:

• Command: A0 A4 00 00 02 7F 20

Response: This command returns the FCI.Well not quite. Done in 2 stages:

empty params.SELECT FILE

GSM cardlength + FID == file identifier on 2 bytes‘6F 07’ = IMSI file of this SIM card



Details:



Decoding This FCI

Example of GSM FCI (22 bytes = 0x16):• 00 00 00 01 7F 20 02 00 00 00 00 00 09 91 00 11 08 00 83 8A 83 8A

Can be decoded according to GSM spec: • …• Byte 14: The most significant bits of is 0 if an only if PIN1 is disabled.• …• Byte 19 = is the "CHV1 status“.

– Typically the value of this byte is '83' where 8 means that the PIN1 has been initialized, and that there are 3 cardholder verification attempts left for this PIN.



Verifying the PIN in GSM

Authentication Card Holder => Card

• VERIFY + CHV1• Example: A0 20 00 01 08 33 37 37 36 FF FF FF FF

8 bytes PIN in ASCII ‘3776’ +

FF FF FF FF

no L_e, no data in reply expected, result will be visible in two status bytes SW1SW2

must be 0INS

CLA=GSM

here b7=1



Answer Codes:

Card Holder => Card

VERIFY + CHV1A0 20 00 01 08 33 37 37 36 FF FF FF FF

Reply:9000 - the PIN is correct9802 - CHV is not initialized9808 - in contradiction with CHV status (inactive PIN!)9810 - in contradiction with invalidation status)9804 - unsuccessful CHV verification, at least 1 attempt left9840 - unsuccessful CHV verification,

no attempt left or this CHV is blocked now



Beware:

Danger:• After 3 presentations of an incorrect PIN (that can be in

different sessions, this counter is preserved in non-volatile memory) the card will be blocked (but can be unblocked with UNBLOCK CHV function).

• However if the PIN is correct, the counter for the number of CHV attempts will be reset to 3.



GSM Security

A3

Mobile Equipment

GSM OperatorAuthentication Center

A8

A5

A3

A8

A5

Ki Ki

challenge RAND

KcKc

mi Encrypted Data mi

SIM card

Signed RESponse (SRES)

SRESSRES

Fn Fnare = ?

precomputed triples:(RAND,SRES,Kc)

Base Station



SIM Card Side

secret key

Triples RAND, SRES, Ki are stored in BS

Data with redundancy: terrible mistake…

data block of 114 bits.



Running the Secret Algorithm (with secret key)

Both remain secret at all times.

Custom-made!



Authentication Algorithms

Some operators used COMP128 v1, the default algorithm.• Very bad, there are several attacks

[Briceno,Goldberg,Wagner].• Some never published attacks existed only in a form of an

exe file, better than any published attack – less queries to the card!– I’ve developed such attacks myself, they were never published

(sorry…).– Gemplus patented and commercialized a strong key solution

Encryption AlgorithmsIn the phone.



Embarrassing Discovery

What was discovered before [SDA-Berkeley 04/98].• Keys generated were not 64 bits.

– 10 bits fixed to 0 => 54 effective bits.

• The limitation was implemented in both AuC (authentication Centers) and in SIM cards.

• Later most operators have, by now, increased the size of their keys to 64 bits (also changing the algorithms or not). – It appears that the key is 64 bits starting from COMP 128 v3 and also

in most recent proprietary algorithms. – But one should check if they did!

Let’s do it.



Embarrassing Discovery

• Keys generated by typical UK and French cards (I’ve checked many): 64 bits.

• Key in Polish Orange card: 64 bits.• All Chinese cards checked: 64 bits.

• Card bought in Russia in 2007 (operator = “MTC”): – 54 bits only

• What about Estonia, member of the EU?– I went to Estonia this year (2009).– Bought a SIM card from “simpel”:

• The key also is restricted to 54 bits.– The weakest GSM keys in the EU…



Smart Card O.S.



Modern Multi-Application O.S.• MULTOS

– originally developed for e-purse Mondex [UK]– High level of security, EAL6 for some chips

• Open Platform – promoted by Visa et al.

• JavaCard• popular in GSM• banks never wanted 3rd party applications on their

cards… problems: branding, ownership, risks…

• Windows for Smartcards– commercial fiasco, abandoned



Further Smart Card Standards



ISO 7816-5Specifies AIDs (Application IDentifier)• 16 bytes (128 bits)

– [RID(5)+PIX(0..11)]– RID: Registered Application Provider– PIX: Proprietary Identifier Extension

• Can uniquely identify one smart card application. • Also used to identify files in the smart card.



*Accessing Files and Applications by AID: SELECT FILE

As for files, applications are selected by the same method with an APDU ‘XX A4 …’ to select a file by its AID: Example:

• 00 A4 02 00 0E 31 50 41 59 2E 53 59 53 2E 44 44 46 30 31

• Response: 90 00 if all OK…

specific params.

SELECT FILE

ISO command

length + AID, "1.PAY.SYS.DDF01"



RID: Registered Application ProviderExamples:• A0 00 00 00 87

– 3GPP (3G USIM application)

• A0 00 00 00 09– ETSI (e.g. GSM SIM with Java)



ISO 7816-12 – 12/2005

USB on smart cards!• Two versions, still evolving• Bridge the connectivity gap between PCs

and smart cards!



Standards

• PC/SC: communication between Ms Windows and smart card readers [developed in 1997]

• Microsoft Cryptographic API (CryptoAPI).– enables application developers to add cryptography and certificate management functionality to

their Win32 applications without knowing anything about the hardware configuration



Smart Cards under Linux?

PC/SC works and has drivers under Linux too.

Libraries? check out • M.U.S.C.L.E. at www.linuxnet.com• OpenSC library• Etc…



Standards• JavaCard [later].

– OCF [OpenCard Framework]: a Java-based set of APIs for smart cards

– JavaCard 2.2

• ISO 15408: product evaluation derived from the ‘common criteria’



Mobile Phone Card Standards



***GSM Phone Card Standards• GSM 11-11: specifies the standard SIM-ME interface• GSM 11-14: more: « SIM Application Toolkit »• GSM 03.19: API JavaCardTM for programming SIM cards• GSM 03.40: how to implement Short Message Service

(SMS) in Point to Point (PP) mode• GSM 03.48: security mechanisms for the SIM card

application toolkit



***3G Phone Card Standards• TS 51.011: specifies the 3G SIM-ME interface• ETSI TS 102 221: terminal-card physical and logical

characteristics• 3GPP: 31.101 V4.0.0, 31.102 V4.0.0 (Release 99)- 3G

cards (W-CDMA)• 3GPP2-C00-1999-1206-1208: specification of RUIM

modules for CDMA 2000



3G Phone Security StandardsPrinciples, objectives and requirements• TS 33.120 Security principles and objectives• TS 21.133 Security threats and requirementsArchitecture, mechanisms and crypto algorithms• TS 33.102 Security architecture• TS 33.103 Integration guidelines• TS 22.022 Personalization of mobile equipment• TS 33.105 Cryptographic algorithm requirements• TR 33.900 A guide to 3G security• TR 33.901 Criteria for cryptographic algorithm design process• TR 33.902 Formal analysis of the 3G authentication protocol• TR 33.908 General report on the design, specification and evaluation of3GPP standard confidentiality and integrity algorithms• Document 1: f8 & f9• Document 2: KASUMI• Document 3,4: test dataLawful interception• TS 33.106 Lawful interception requirements• TS 33.107 Lawful interception architecture and functions



JavaCardWrite Once, Run Anywhere™



Motivation• Portable code, hardware-independent• Time to market: add new applications

to the card at any moment! • Easier to develop• Open platform,

=> specs of smart card chip are usually confidential(!!)

• Third party applications => much more security needed!!!– Hide the smart card OS and resources from the developer [not

trusted]– Java language has inherently better security…

• Much of current application insecurity comes from C language [exceptions, printf, goto, buffer overflow etc..]

• Provide “built-in security” for developers• Cons: slow + expensive…



History

• Java Card 1.0: Schlumberger. APIs only. • Later, Bull+Gemplus+Schlumberger formed

the Java Card Forum. • + Sun Microsystems => develop Java Card

2.0.Still a SMALL subset of JavaTM

Some 2 billion Java cards to date(mainly in GSM…)



Working Principle [source: Sun website]



CommunicationSpecial subset of APDUs [ISO 7816-3..4] are used.



Conclusion



Future:

• Insecure software, hackers => One Cannot live without Smart Cards or some

other secure portable hardware device.» Bill Gates recognized it publicly in 2005…



Major Problems

• cost effectiveness• adoption of new technology

– which standards will win? – a very tricky game…



How Secure Are Smart Cards?

There is no better technology on this planet.

…Succeeding requires tamper-proof hardware. But• no security professional will speak of tamper-proof devices,

as opposed to tamper-resistant ones. • Security is a matter of economics, and not just technology.

[Steve Bellovin blog, 24/08/07]

SIM Card: A Security Stronghold in Networked ME · A Security Stronghold in Networked ME. SIM Card...

Documents

Transcript of SIM Card: A Security Stronghold in Networked ME · A Security Stronghold in Networked ME. SIM Card...