Smart card security Nora Dabbous Security Technologies Department
2 The Smart Card... The smart card stores electronic data and programs in a protected file system Protection by advanced security features Tamper resistance Several types of smart cards Contact Memory Microprocessor Contactless Memory Microprocessor Smart card often means Microprocessor card
3 Close-up view...
4 Memory Characteristics EEPROM (non volatile memory, write times) Up to 256K Bytes Application data storage ROM (write once) Up to 512 K Bytes Software (Operating System) storage RAM (temporary) Up to 5 K Bytes Working memory Flash (non volatile memory) Software patches or static application code & data
5 Contact Smart Cards Communication through electrical contacts
6 Contactless Smart Cards Communication over the air
The Chip Operating System File and directory management : Create Read Only Add Information Only Erase and Update Access protected by secret codes : Data files Secret Code files Cryptographic key files
8 HOSTREADERSCARDS Application Players
9 Role of the Reader Application Software Reader Card The reader is the interface between the card and the application It serves as a translator It accepts the messages from the card and from the application software
10 Hardware Security
11 Smart card attack : Physical Security Smart card attacks : state of the art
12 Probing Data Used to know the data present on a bus micro-probing probe the bus with a needle e-beam probing probe the bus with an e-beam Si DATA BUS SI DATA BUS e-beam e - detector e -
13 Circuit modification Connect or disconnect security mechanism disconnect security sensors RNG stuck at a fixed value Cut or Paste tracks Add probe pads make micro-probing of the buried layers possible Equipment Laser FIB Cut Metal strap
14 Fault Generation Vcc Clock Temperature UV Light X-Rays... Apply combinations of environmental conditions and bypass or infer secrets input key error
15 Hardware Security Measures Security Sensors (VCC, Temp. Light, UV, Clock) Data scrambling Address scrambling Current scrambling Several Independent Metal Layers Submicron scale Deeply buried buses Glue Logic
16 Embedded Software Security
17 Timing Attacks: Principles TrueFalse Everything performed unconditionally before the test A test based on secret data is performed that leads to a boolean decision Depending on the boolean condition, the process may be long (t1) or short (t2) Everything performed unconditionally after the test
18 Power Attacks ICC's Power Consumption leaks information about data processing Power Consumption = f(secret key, data) Deduce information about secret data and processing empirical methods statistical treatment Monitor ICC's Power Consumption resistor oscilloscope post processing computer chip
19 Power Analysis Tools for contact cards 5V
20 Power Analysis Profiles Raw data, zoomed in Time Power 1m s Time
21 SPA attack on RSA Test key value : 0F 00 F0 00 FF F F FF
22 Key value : 2E C6 91 5B F9 4A SPA attack on RSA E C B F A 10 10
23 description : choose a subset (subK i ) of n bits of K perform a statistical test for each possible value of a subK i Choose the best guess Iterate on all possible subK i 's Differential Power Analysis 2 n n K subK i
24 Differential Power Analysis data processing for a value x of a subK i : Average D x n lklkjlsdq fdgcxv 1 0 dfdsffb M0M0 MnMn M1M1 -
25 Differential Power Analysis Choosing the right guess 012 n -1
26 Differential Power Analysis wrong subK i right subK i
27 Add noise Scramble power consumption or stabilize it Randomize all sensitive data variables with a fresh mask for every execution of an algorithm Randomize, randomize, randomize … Secret keys Messages Private exponents Bases Moduli Countermeasures
28 Electromagnetic Analysis on RSA Tests require a de-capsulation of chip with semi invasive method. A scanning of surface is needed to find the « good » area where electromagnetic analysis is possible. The chip is powered by contact reader
29 Electromagnetic Analysis One byte processed Power Em1 Em2 One bit processed SqMult d= d=..bf...
30 Radio Frequency Analysis (Contactless Cards) Tests are non-invasive. A simple magnetic loop made with copper wire is needed. An image of the magnetic field, modified by the card’s consumption, is collected. The chip is powered by a contactless reader.
31 Equipment (1/2)
32 There are many potential ways to attack a smart card But there are also many ways to counteract and efficiently protect your secrets Smart Cards are among the most secure embedded devices in the field today We try to keep it that way Conclusion
33 Read-on W. Rankl, W. Effing, Smart Card Handbook, 2nd edition, John Wiley & Sons, K. Vedder, Smart Cards - Requirements, Properties, and Applications, in State of the Art in Applied Cryptography, pages , LNCS 1528, Springer-Verlag,1997.
34 Any more questions?