Physical Security Pieter.Harte@utwente.nl

Overview Smart cards RFIDs Attacks (Semi)-Natural tags Conclusions IIS

Smart Cards

Smart cards Broken! 53.98 mm 85.6 mm 0.76 mm [And96] R. J. Anderson and M. G. Kuhn. Tamper resistance - A cautionary note. In 2nd Int. Usenix Workshop on Electronic Commerce, pages 1-11, Oakland, California, Nov 1996. USENIX Association. http://www.usenix.org/publications/library/proceedings/ec96/kuhn.html IIS

What makes the card smart? CPU (8, 16, 32 bit) Memory (RAM, ROM, EEPROM, Flash) I/O channel (Contact/Contact less) Cryptographic co-processor On card devices (Fingerprint, display) Standards (ISO 7816, GSM, EMV, VOP) IIS

Main security features Symmetric crypto Asymmetric crypto relatively slow Hardware random number generator Hardware tamper resistance X-tal clock vulnerable Life cycle management Cryptographic coprocessor, but costly Radio, Light, Sound, other Radiation Wire mesh, bus scrambling MEMS on board clock Fuses blown after manufacture IIS

Communication ISO 7816-4: 9600 bps : slow USB : bulky Bluetooth: power Biometrics: slow 2KB template sent in 1.5 seconds, verification takes 0.5 seconds www.fingerchip.com IIS

Displays Plastic, glass Emissive, non-emissive Refresh, bi-stable Segment, dot-matrix Problems: connections, yield, power, thickness, price! Bi-stable erase when bending 1998: 80x16 dot matrix 120 pin driver 96 pin display https://nidsecurity.com/products/306series.pdf 75$ http://www.nidsecurity.com/microsite/mastercard/products/ [Pra01] D. Praca and C. Barral. From smart cards to smart objects: the road to new smart technologies. Computer Networks, 36(4):381-389, Jul 2001. http://dx.doi.org/10.1016/S1389-1286(01)00161-X IIS

Clock & Power Clock Xtal 0.6 mm MEMS (0.002% acc.) Battery Thickness power density when to recharge Clock to time stamp transactions, freshness in protocols, enforce use for limited periods of time etc Battery 16 cm2 15 mAh Lithium 15 mW/cm2 Carbon Maganese 0.15 mW/cm2 0.7 mm thickness http://www.powerpaper.cn/indexb8cb.html?categoryId=43875 IIS

Photo: Philips Semiconductors Integration is hard Display Button 32-bit CPU Large memory Battery Comms >> 25mm2  Photo: Philips Semiconductors Early prototype IIS

RFID

What is an RFID tag? Antenna + small chip in ambient field Passive, replies to queries only Can be used for almost anything Supply Chain Management & Checkout (Wallmart, Benetton) Homeland security User convenience Access to buildings Nokia 6131 NFC NFC is too slow, must take less than 0.5 s for good passenger flow reason: the hamndling is done by the SIM card for security http://nfctimes.com/news/london-oyster-card-chief-nfc-not-ready-fast-paced-fare-payment IIS

Passport application IIS

Privacy issues Sniffing Data collection in proximity (skimming) Correlate data from different tags Counter measures Shield antenna in passport with tinfoil Encrypt the template with MRZ data Reduce transmit range Light controlled on/off switch Long and short range interface Time delayed transmit of sensitive info Watch this video Long range interface can be disabled, e.g. at POS terminal, but the short range interface might still be enabled ,e.g. by water, for example to tell the washing machine about your clothes. In the shop fast readout, this interface can be disabled when leaving the shop, then a slow readout is ok for the owner to interact with the product, but does not help the attacker too much [Bir07] N. Bird, C. Conrado, J. Guajardo, S. Maubach, G. Jan Schrijen, B. Skorić, A. M. H. Tombeur, P. Thueringer, and P. Tuyls. ALGSICS - combining physics and cryptography to enhance security and privacy in RFID systems. In F. Stajano, C. Meadows, S. Capkun, and T. Moore, editors, 4th European Workshop on Security and Privacy in Ad-hoc and Sensor Networks (ESAS), volume LNCS 4572, pages 187-202, Cambridge, UK, Jul 2007. Springer. http://dx.doi.org/10.1007/978-3-540-73275-4_14 IIS

Attacks [Wit02] M. Witteman. Advances in smartcard security. Information Security Bulletin, pages 11-22, Jul 2002. http://www.riscure.com/fileadmin/images/Docs/ISB0707MW.pdf

Attacks Operational Blackmail Burglary Bribery Technical Logical Physical Side channel Attackers I: Clever outsiders II: Knowledgeable insiders III: Funded Organisations IIS

Logical attacks The code is too complex Hidden commands Parameter poisoning & Buffer overflow Malicious or buggy applets Protocol problems (e.g. retransmit) Proprietary crypto Counter measures Structured design & code inspection Formal methods Testing Hidden commands: 65000 legal command codes Parameter poisoning: unexpected values; Buffer overflow: wrong length like on PCs Malicious, or erroneous applets, feature interaction Protocol problems (e.g. ask to re-transmit data that has not been sent yet…) Mifare classic IIS

Example: RFID virus There is a large amount of code Generic protocols and facilities Back end data bases So the usual attacks: Buffer overflow SQL injection “;shutdown--” Don’t trust data from RFID tag… Best paper award The backend is a regular data base & middle ware EPCglobal are adopting URI, DNS & XML for tags… DB is needed to store tag info, so the id of the tag has to pass through a search interface, which may have the usual bugs due to lack of parameter sanitation An RFID simulator is ideal for stressing the interface, it can create arbitrarily long messages [Rie06] M. R. Rieback, B. Crispo, and A. S. Tanenbaum. Is your cat infected with a computer virus? In 4th Annual IEEE Int. Conf. on Pervasive Computing and Communications (PerCom), pages 169-179, Pisa, Italy, Mar 2006. IEEE Computer Society. http://dx.doi.org/10.1109/PERCOM.2006.32 IIS

Physical attacks The circuitry is complex and vulnerable Chemicals & etching SEM Voltage contrast Probe stations Focused Ion Beam (FIB) to make probe pads Counter measures Reduced feature size (100nm) Multi layering Protective layers Sensors Bus scrambling SEM voltage contrast: beam of electrons hit target that emits secondary electrons, depending on voltage of conductors allow the engineer to see the bits of a live circuit Probe is small needle that can make connections to measure signals Smaller features make it more difficult to probe, beyond the reach of optical techniques Multi layering makes it more difficult to reach the circuit that you want to measure IIS

Low cost physical attacks Block EEPROM writes by isolating Vpp Rent focused Ion beam [And97d] R. J. Anderson and M. Kuhn. Low cost attacks on tamper resistant devices. In 5th Int. Workshop on Security Protocols, volume LNCS 1361, pages 125-136, Paris, France, Apr 1997. http://dx.doi.org/10.1007/BFb0028165 IIS

Side channel attacks Physical phenomena can be measured Power EM radiation (X-ray, light, sound) Time and changed Voltage (example later) Frequency (example later) Watch this video [Vua09] M. Vuagnoux and S. Pasini. Compromising electromagnetic emanations of wired andWireless keyboards. In 18th USENIX Security Symp., pages 1-16, Montreal, Canada, Aug 2009. USENIX Assoc. http://www.usenix.org/events/sec09/tech/full_papers/vuagnoux.pdf IIS

Timing attack Exponentiation by square and multiply for i = n − 2 downto 0 X = X2 if (d[i] == 1) then X = X*M Power trace shows bits 1 in the key IIS

Simple power analysis 16 rounds DES Rounds 2 & 3 1ms operation sampled at 5 MHz gives 5000 data points (fig below) Arrow on the left: one rotation of two 28 bit registers, arrows on the right: two rotations [Koc99] P. C. Kocher, J. Jaffe, and B. Jun. Differential power analysis. In M. J. Wiener, editor, 19th Int. Conf. on Advances in Cryptology (CRYPTO), volume 1666 of LNCS, pages 388-397, Santa Barbara, California, Aug 1999. Springer. http://www.cryptography.com/resources/whitepapers/DPA.pdf IIS

Differential power attacks Difference in the third cycle due to difference in input value for encryption Assume that you can control the input to the circuit and that you flip a bit And assume that a 0 and a 1 draw different amounts of power Then the result is the difference between the power trace before and after the bit flip The difference may be hidden in the noise, but this can be amplified by repeating the experiments This is already revealing something about the algorithm and the keys. DPA is a sophisticated statistical technique It gets worse when you know that implementations typically use part of the key at different stages… IIS

Active attacks : Power Dip vcc A power Dip at the Moment of reading a memory cell Reading threshold Stored value of logical zero gnd read a 0 as a 1 Protection measure Check VCC & raise an alarm if it drops Problem: Fast transients during start-up may raise false alarms A power dip pushes the threshold down further than the stored value, hence the comparison will turn a 0 out as a one… Suppose that the bit holds the output of a PIN verification, where 0 means wrong PIN… IIS

Active attacks : Clock Glitch Dump all of the memory Replace 5MHz pulse by 4 pulses of 20MHz: b = answer_address a = answer_length If (a == 0) goto 8 transmit(*b) b=b+1 a=a-1 goto 3 If the glitch causes the decrement instruction to behave as NOP, then the whole memory can be dumped Glitch here [And97d] R. J. Anderson and M. Kuhn. Low cost attacks on tamper resistant devices. In 5th Int. Workshop on Security Protocols, volume LNCS 1361, pages 125-136, Paris, France, Apr 1997. http://dx.doi.org/10.1007/BFb0028165 IIS

Countermeasures Hardware Lower power signals Increase noise levels Introduce timing noise Software Parallelism Introduce random delays Constant time execution Blinding intermediate values IIS

Countermeasures Make attacks harder but not impossible Hard to get right Expensive to implement IIS

Out of the box thinking The humble Capacitor Emanates acoustic signals Sensitive to shocks and vibration C  A / d IIS

Listen to a PC multiplying Freeze 1500 μF capacitor MUL instructions, freeze 0 – 48 khz, loops can happen at any frequency http://people.csail.mit.edu/tromer/acoustic/ IIS

Shaking a smart card.... IIS

Attackers business case Attack Class Equipment Cost Succ. Rate Devel. Time Exec. Time Logical PC, card reader 1-10K Low Wks Mins Physical PC, Probe Station, SEM, FIB,Microscope, Chemistry Lab 100K-1M High Mnths Days Side Channel PC, Oscilloscope, Function Gen. 10K-100K Med. Hours Rental! IIS

Design guidelines Define the level of security needed Perform a risk analysis Consider the attackers business case Use the right technologies Build in fraud management Design recovery and fall-back Consider the overall system IIS

IBM 4758 Crypto Coprocessor Rolls Royce of secure devices Tamper sensing barrier Keys move in the RAM Temperature & X-ray sensor Solid aluminium case & epoxy potting low pass filter on power supply Used in ATMs Hacked! [Cla03b] R. Clayton and M. Bond. Experience using a Low-Cost FPGA design to crack DES keys. In 4th Int. Workshop on Cryptographic Hardware and Embedded Systems (CHES), volume LNCS 2523, pages 877-883, Redwood Shores, California, 2003. Springer. http://dx.doi.org/10.1007/3-540-36400-5_42 IIS

(Semi) Natural tags

Finger printing Run a laser over paper and measure intensity of scattered light 1mm 2degree tolerance! Crumple, wet, dry, iron, scribble, still works [Buc05] J. D. R. Buchanan, R. P. Cowburn, A.-V. Jausovec, D. Petit, P. Seem, G. Xiong, D. Atkinson, K. Fenton, D. A. Allwood, and M. T. Bryan. Forgery: 'fingerprinting' documents and packaging. Nature, 436(7050):475, Jul 2005. http://dx.doi.org/10.1038/436475a IIS

Philips Coating PUF [Sko08] B. Škorić, G.-J. Schrijen, W. Ophey, R. Wolters, N. Verhaegh, and J. van Geloven. Experimental hardware for coating PUFs and optical PUFs. In P. Tuyls, B. Škorić, and T. Kevenaar, editors, Security with Noisy Data - On Private Biometrics, Secure Key Storage and Anti-Counterfeiting, pages 255-268. Springer London, 2008. http://dx.doi.org/10.1007/978-1-84628-984-2_15 IIS

MEMS particles 1x1x12 m particles, shapes Church and school roof, power line grease/gel Jewellery fluid Spray vandals/thiefs Smart water Watch this video [Kay92] P. H. Kaye, F. Micheli, M. Tracey, E. Hirst, and A. M. Gundlach. The production of precision silicon micromachined non-spherical particles for aerosol studies. Journal of Aerosol Science, 23(Suppl 1):201-204, 1992. http://dx.doi.org/10.1016/0021-8502(92)90384-8 http://www.redwebsecurity.com/ IIS

Conclusions Affordable tamper resistance technology exists Getting it right is difficult Out of the box thinking required IIS