Everything you always wanted to know about Smart Cards...
Marc Witteman
November 2001

Contents
Secure communication
– threats
– objective of cryptography
– cryptographic services, principles and algorithms
Smart cards
– concepts
– applications
– architecture
Security
– basic security features
– attacks
– counter measures

What are the threats?
Confidentiality: unauthorized disclosure of information
Integrity: unauthorized modification of information
Authenticity: unauthorized use of service
(Diagram: sender and receiver; threats labelled disclosure, modification, use)

Objective of cryptography
Giving trust in:
– authenticity of message and/or sender
– integrity of message
– (sometimes) confidentiality of message
by using an algorithm based on a secret shared between participants in a scheme.

Cryptographic principles
based on:
– key secrecy
– strong algorithms
– difficult to guess key from message/ciphertext pairs
– sufficient key length (brute force)
Kerckhoffs principle:
– strength should reside in secrecy of key,
– not in secrecy of algorithm

Cryptographic algorithms (1)
Classical systems:
transposition (mixing character sequence)
substitution (changing characters)
poly-alphabetic substitution (Vigenère, Hagelin)
easily broken, using language statistics

Cryptographic algorithms (2)
Today two kinds of algorithms:
repetitive permutations and substitutions of bits:
– DES, 3-DES, IDEA, RC5, Blowfish …
– secret key
mathematical calculations
– RSA, Rabin, ElGamal, zero-knowledge, elliptic curve…
– public key

Smart card concepts
A smart card:
can store data (e.g. profiles, balances, personal data)
provides cryptographic services (e.g. authentication, confidentiality, integrity)
is a microcomputer
is small and personal
is a secure device

Smart card application areas
Communication
Entertainment
Retail
Transportation
Health care
Government
E-commerce
E-banking
Education
Office

Smart card applications (1)
Retail
– Sale of goods using Electronic Purses, Credit / Debit
– Vending machines
– Loyalty programs
– Tags & smart labels
Communication
– GSM
– Payphones
Transportation
– Public Traffic
– Parking
– Road Regulation (ERP)
– Car Protection
Entertainment
– Pay-TV
– Public event access control

Smart card applications (2)
Healthcare
– Insurance data
– Personal data
– Personal file
Government
– Identification
– Passport
– Driving license
E-commerce
– sale of information
– sale of products
– sale of tickets, reservations
E-banking
– access to accounts
– to do transactions
– shares

Fault injection on smart cards
Change a value read from memory to another value by manipulating the supply power:
(Figure: threshold of read value; a power dip at the moment of reading a memory cell)

Side channel attack counter measures
Signal analysis
– reduce processor signal by balancing or equalising the power and/or shielding the emission
– add noise to the processor activity (both in time and amplitude)
– eliminate timing relation with processed key and/or data
– variable ordering of processes
– blinding of intermediate values with random values
– retry counters
– limited control and visibility of crypto input and output
Signal insertion
– use sensors for supply voltage, light and temperature
– double implementation path (for verification)
– check for runtime parameter validity

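Added example (not from the original slides): several of the counter measures listed above, namely eliminating the timing relation with processed data, retry counters, a double implementation path and a runtime parameter check, combined in one PIN verification routine in C. The card_t structure, the token values and all function names are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stddef.h>

#define PIN_LEN    4
#define MAX_TRIES  3
#define OK_TOKEN   0x5AA5u  /* multi-bit "true": one flipped bit cannot forge it */
#define FAIL_TOKEN 0xA55Au

/* Hypothetical card state; on a real card this lives in non-volatile memory. */
typedef struct {
    uint8_t pin[PIN_LEN];
    uint8_t tries_left;
} card_t;

/* Compare without early exit: every byte is always read, so the run time
 * does not reveal how many leading digits of the candidate were correct. */
static uint16_t ct_equal(const volatile uint8_t *a, const volatile uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0 ? OK_TOKEN : FAIL_TOKEN;
}

/* Returns OK_TOKEN when the candidate PIN is accepted, FAIL_TOKEN otherwise. */
uint16_t verify_pin(card_t *c, const uint8_t *candidate)
{
    if (c->tries_left == 0 || c->tries_left > MAX_TRIES) /* runtime parameter validity */
        return FAIL_TOKEN;

    c->tries_left--;           /* retry counter: charge the attempt BEFORE comparing */

    uint16_t r1 = ct_equal(c->pin, candidate, PIN_LEN);  /* first path */
    uint16_t r2 = ct_equal(candidate, c->pin, PIN_LEN);  /* second path, for verification */
    if (r1 != r2) {            /* paths disagree: treat as an injected fault, block card */
        c->tries_left = 0;
        return FAIL_TOKEN;
    }
    if (r1 == OK_TOKEN && r2 == OK_TOKEN) {
        c->tries_left = MAX_TRIES; /* restore counter only after a verified success */
        return OK_TOKEN;
    }
    return FAIL_TOKEN;
}

int main(void) {
    card_t c = { {1, 2, 3, 4}, MAX_TRIES };  /* constructed sample PIN */
    const uint8_t guess[PIN_LEN] = {1, 2, 3, 4};
    return verify_pin(&c, guess) == OK_TOKEN ? 0 : 1;
}
```

Decrementing the counter before the comparison means that cutting power right after a failed compare cannot buy an extra guess.
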
Conclusions
Smart card technology is emerging, applications are everywhere
Smart cards enhance service and security
Perfect security does not exist, not even for smart cards
Risk analysis is essential
More info? Mailto: firstname.lastname@example.org