TRANSCRIPT
Santa’s Crypto Get-Together, Hotel Olympic, Prague
December 5, 2008
Towards Disclosing the Private Key of an e-Passport
Martin Hlaváč and Tomáš Rosa, Department of Algebra, MFF UK in Prague
PPF banka a.s. and eBanka, a.s.
December 5, 2008, page 2
Agenda
Technology and platform overview
LF and HF bands interface
Unique ID transponders
Electronic passport
Relay attack
SCH attack on Active Authentication
Passive RF Chips Overview
Contact-less chips radio-classification:
LF range chips (100 to 150 kHz)
HF range vicinity cards (13.56 MHz)
HF range proximity cards (13.56 MHz)
UHF range chips (800 MHz and higher)
Huge variety of designs: cards, keychains, stickers, implants, …
RFID – Radio Frequency Identification: viewed as a specific application of RF chips
LF and HF Band Physical Layer
Employs the behavior of the so-called near field of the transmitter
Classical wave not fully formed yet; the magnetic component takes care of the energy transport
Arrangement „terminal antenna – chip antenna“ can be seen as a high frequency transformer
Talking with the Transponder
[Diagram: RFID terminal (attached to the internal network) and RFID transponder coupled through the terminal field and the transponder field]
Ordinary Operational Distance
Frequency band | Sub-class | Typical sort | Typical deployment | Operation distance (order)
LF (100 to 150 kHz) | - | Memory card | Access system, immobilizer, implant, loyalty card | cm
HF (13.56 MHz) | Vicinity card | Memory card | Access system, ski pass, loyalty card | cm to m
HF (13.56 MHz) | Proximity card | Contact-less smartcard | Access system, payment card, e-passport | cm
UHF (800 MHz – 1 GHz) | - | Memory card | Stock control | cm to m
When the Distance Matters
Attacking techniques and ranges for HF band according to ISO 14443
Method | Distance
Active communication with the chip | dozens of cm
Passive reception – chip and terminal | units of m
Passive reception – terminal only | dozens of m
Active communication with the terminal | dozens of m
Active Attacks Reviewed
It is practically feasible to power a typical LF/HF chip at a distance of the order of meters
The problem is, however, to hear the transponder’s response: increasing the terminal’s field can significantly decrease the SNR (Signal to Noise Ratio)
Possible way for “write-only” attacks…
Terminal is Speaking (prox. HF)
Chip is Speaking (prox. HF)
Unique ID Transponders
Popular in access protection to buildings, offices, garages, etc.
Examples: EM4x02, HID Isoprox II, Indala, etc.
LF band; serial memory with several dozen bits
Sends its identifier repeatedly when in the terminal’s field
No cryptographic protection
Security almost non-existent in many cases
LF Band Skimmer – Terminal Mode
[Block diagram: digital part, transmitter, receiver]
LF Band Skimmer – Emulator Mode
[Block diagram: digital part, load modulator, carrier sensing]
Contactless Smartcard
Important sub-class of RFID transponders
Function-wise and security-wise on par with classical (contact) smartcards
Platform – proximity card (13.56 MHz)
ISO 14443
Standardizes proximity cards; usual operational distance 10 cm
Sub-groups A, B differ in communication protocol details (modulation, coding, frames, semantics)
Transport platform for contactless smartcards
ISO 7816
Describes the contact card communication interface and the contact(-less) card application protocol
Effort to unify the view of a smartcard regardless of the communication interface: combination of ISO 14443 (communication) and ISO 7816 (application commands)
From the point of view of ISO 7816 there is a new communication protocol identified as T = CL (Contact-Less)
Application platform of contact(-less) smartcards
Contact or Contactless
Hierarchy of standards for contact and contact-less smartcards
Layer | Contact | Contact-less
Application layer | ISO 7816-4 and higher | ISO 7816-4 and higher
Transport layer | ISO 7816-3 | ISO 14443-4
Link layer | | ISO 14443A-3 / ISO 14443B-3
Physical layer | | ISO 14443A-2 / ISO 14443B-2
Electromechanical properties | ISO 7816-1, 2 | ISO 14443-1
Electronic Passport
Equipped with a contact-less smartcard chip
Compatible with ISO 14443 and ISO 7816
Application code: A0 00 00 02 47 10 01
Data files DG1 to DG15: related to the travel document (DG1 – copy of the machine readable zone (MRZ), DG2 – photo of the face, DG15 – public key for active authentication)
EF.COM, EF.SOD, EF.DIR: service data
P5CD072
Security Mechanisms
Required by ICAO: Passive authentication – digital signature of all data files DG1, …, DG15
Required in EU members: BAC – basic access control to data files and selected functions (e.g. active authentication)
Optional: Active authentication – challenge-response authentication of the chip (e.g. used in Czech Republic, not in Germany)
Apparent Weaknesses of ICAO e-Passport
Detectability of passport presence; markers: presence of application A0 00 00 02 47 10 01, BAC protocol support, etc.
Brute force attack on BAC: apparently low main password entropy; listening to the terminal is sufficient
Partial weaknesses of BAC and SM: detectability of a passport with known password (MRZ); SM does not protect the command headers and status error answers
Relay Attack on Active Authentication
Passport asks to extend the answer time to 4949 ms. If this was not acknowledged, or a shorter time was acknowledged, the passport terminated the communication in our experiments.
Presumably, terminals on country borders have to accept a 5 s delay.
The passport responded within 1 s during the experiments.
The remaining 4 s can be used to relay the challenge from the counterfeit to the real passport and to send back the response.
Attack Illustration
[Sequence diagram of the relay: terminal – (RF channel 1) – fake passport – (channel 2) – fake terminal – (RF channel 3) – passport]
Terminal – fake passport: initialization, file reading, AA challenge, S(WTX), AA response
Fake passport – fake terminal: challenge relay, response relay
Fake terminal – passport: initialization, AA challenge, S(WTX), AA response
Side Channels
SCH is any unwanted information exchange between the cryptographic module and its surroundings
The physical principles of passive RF chips greatly facilitate the existence of many SCH; the electromagnetic field is a primary concern
Active Authentication I (CZ)
Terminal: generates an 8 B random number V and sends it to the passport
Passport: generates a 106 B random number U; computes w = SHA-1(U || V); sets m = 6A || U || w || BC (2^1022 < m < 2^1024); computes s = m^d mod N, where (N, d) is the private RSA key of the passport; sends s to the terminal
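The exchange above as a runnable illustration, added here and not the authors’ code: the passport side builds m = 6A || U || w || BC and signs it, the terminal side recovers m and checks the header, trailer and hash. The RSA key is generated on the fly by a demo Miller-Rabin routine (an assumption of this example; a real passport’s public key is read from DG15).

```python
import hashlib
import secrets

def is_probable_prime(n, rounds=16):
    # Miller-Rabin; demo-only key generation, not the passport's own
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def gen_rsa(bits=1024, e=65537):
    # Loop until N has exactly `bits` bits, so that the 6A-headed m is < N
    while True:
        p, q = (gen_prime(bits // 2) for _ in range(2))
        N, phi = p * q, (p - 1) * (q - 1)
        if p != q and N.bit_length() == bits and phi % e:
            return N, e, pow(e, -1, phi)

def aa_sign(V, N, d):
    # Passport side: V is the terminal's 8-byte challenge
    U = secrets.token_bytes(106)
    w = hashlib.sha1(U + V).digest()
    m = int.from_bytes(b"\x6a" + U + w + b"\xbc", "big")  # 128 bytes
    return pow(m, d, N)

def aa_verify(V, s, N, e):
    # Terminal side: recover m, check header/trailer and the hash of U || V
    m = pow(s, e, N).to_bytes(128, "big")
    U, w = m[1:107], m[107:127]
    return m[0] == 0x6A and m[-1] == 0xBC and w == hashlib.sha1(U + V).digest()
```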
Active Authentication II (CZ)
Message m is chosen jointly by the passport and the terminal, i.e. it cannot be conveniently chosen by either side
Existing chosen-plaintext attacks (e.g. Schindler, Tomoeda) cannot be employed
FAME-XE Exposure in the Field
Measurements by doc. Lórencz’s team, KP FEL ČVUT in Prague, April 2007
[EM trace of s = m^d mod N annotated with the sequence of squarings (S) and multiplications (M): S M S S S S S M M M M]
Chinese Remainder Theorem (CRT)
The private RSA operation m^d mod N is computed using CRT as follows
4x faster than simple exponentiation
The use of the secret p, q makes CRT more vulnerable
Montgomery exponentiation
Exponentiation
Input: c, p, d = (d_{n-1} d_{n-2} … d_1 d_0)_2
Output: x = c^d mod p
1. u ← c·R mod p
2. z ← u
3. for i = n-2 down to 0
4.   z ← mont(z, z, p)
5.   if d_i == 1 then
6.     z ← mont(z, u, p)
7.   else
8.     z’ ← mont(z, u, p)
9. endfor
10. z ← mont(z, 1, p)
11. return z

Multiplication (mont)
Input: x, y ∈ Z_p
Output: w = x·y·R^-1 mod p
1. s ← x·y
2. t ← s·(-p^-1) mod R
3. g ← s + t·p
4. w ← g/R
5. if w > p then
6.   w ← w – p (final substitution)
7. return w

Operations mod/div R = 2^512, i.e. it’s fast
Leaks information about the secret p in the final substitution
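An added example (not the authors’ code) of the two routines above in Python: the slide’s square-and-multiply-always exponentiation with a counter for the data-dependent final substitution, beside a variant that removes that branch by choosing R > 4p (Walter’s bound) so every intermediate stays below 2p and the conditional subtraction is never needed. The modulus and exponent used in the test are constructed values.

```python
def mont_reduce(s, p, R, p_inv_neg):
    # One Montgomery reduction: (s + t*p) / R with t = s*(-p^-1) mod R
    t = (s * p_inv_neg) % R
    return (s + t * p) // R  # exact division: s + t*p is a multiple of R

def mont_exp_fs(c, d, p, R):
    # Slide algorithm in Montgomery form, square-and-multiply-always, with
    # the conditional final substitution.  Returns (c^d mod p, number of FS).
    assert R > p and R & (R - 1) == 0
    ninv = (-pow(p, -1, R)) % R
    fs = [0]

    def mont(x, y):
        w = mont_reduce(x * y, p, R, ninv)
        if w >= p:            # data-dependent branch: this is the leak
            fs[0] += 1
            w -= p
        return w

    u = (c * R) % p
    z = u
    for bit in bin(d)[3:]:    # bits d_{n-2} .. d_0
        z = mont(z, z)
        if bit == "1":
            z = mont(z, u)
        else:
            mont(z, u)        # dummy multiplication, result discarded
    return mont(z, 1), fs[0]

def mont_exp_nofs(c, d, p, R):
    # Mitigation: with R > 4p all intermediates stay below 2p, so the
    # subtraction is dropped and a single reduction mod p is done at the end.
    assert R > 4 * p and R & (R - 1) == 0
    ninv = (-pow(p, -1, R)) % R
    u = (c * R) % p
    z = u
    for bit in bin(d)[3:]:
        z = mont_reduce(z * z, p, R, ninv)
        if bit == "1":
            z = mont_reduce(z * u, p, R, ninv)
        else:
            mont_reduce(z * u, p, R, ninv)
    return mont_reduce(z, p, R, ninv) % p
```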
Amount of Final Substitutions
We suspect the amount of FS leaks from the passport in the EM channel
More higher-quality measurements are needed to support this hypothesis
If this hypothesis is correct, Active Authentication can be broken
[Figure label: function of p (unknown)]
Outline of the attack
The relationship between the number of FS during the computation m^c mod N and the value m_i R mod p (Tomoeda, 2006)
[Plot: # FS (known) and precision in bits vs. # FS]
Experiments indicate some approximations are good enough (app. 2%)
[Diagram: lin. algebra → approximations of secret q]
HNP Problem
Given the approximations, where the only unknown value is x, find the hidden number x
How? Theory of numbers, LLL algorithm
Key Recovery
Construct the lattice L(B) and the approximation vector
Reduce its basis with the LLL algorithm
Hope to find the hidden vector and the hidden number x
Experiments
Hardware setup: 16x Opteron 246
Measurements: 150 filtered from 7000
Time: app. 40 minutes
Result: private RSA key found
Conclusion
EM side channel on e-passport exists
New cryptanalytic technique using this side information is elaborated
Higher quality measurements needed
If our hypothesis is correct, AA can be broken, i.e. the e-passport can be duplicated, in the order of hours
Thank you for your attention …
Tomáš Rosa, eBanka, a.s., Department of Algebra MFF UK, [email protected]
Martin Hlaváč, Department of Algebra MFF UK, PPF banka, [email protected]
ni.cz
References
1. ČSN ISO/IEC 14443-1..4
2. ČSN ISO/IEC 7816-3, 4
3. Development of a Logical Data Structure – LDS for Optional Capacity Expansion Technologies, ICAO, ver. 1.7, 2004
4. Hancke, G.: A Practical Relay Attack on ISO 14443 Proximity Cards, IEEE Symposium on Security and Privacy 2006
5. Heydt-Benjamin, T. S., Bailey, D. V., Fu, K., Juels, A., and O'Hare, T.: Vulnerabilities in First-Generation RFID-Enabled Credit Cards, In Proc. of Eleventh International Conference on Financial Cryptography and Data Security, Lowlands, Scarborough, Trinidad/Tobago, February 2007
6. Kirschenbaum, I., Wool, A.: How to Build a Low-Cost, Extended-Range RFID Skimmer, USENIX 2006
7. Lee, Y.: Antenna Circuit Design for RFID Applications, AN 710, Microchip Tech. Inc., 2003
8. Lórencz, R., Buček, J. and Zahradnický, T.: personal communication, 2007
9. MIFARE DESFire MF3 IC D40, Preliminary Short Form Specification v. 2.0, Philips Semiconductors, September 2003
10. MIFARE MF1 IC S50, Rev 5.1, Philips Semiconductors, May 2005
11. Nohl, K., and Plötz, H.: MIFARE – Little Security, Despite Obscurity, 24th Chaos Communication Congress, 2007, http://events.ccc.de/congress/2007/Fahrplan/events/2378.en.html
12. PKI for Machine Readable Travel Documents offering ICC Read-Only Access, ICAO, ver. 1.1, 2004
13. Rašek, L.: Elektronické pasy – jak fungují, copy of web pages from 2006
14. SmartMX – P5CD072 Secure Dual Interface PKI Smart Card Controller, Short Form Specification v. 1.2, Philips Semiconductors, October 2004
15. Šiková, M.: Biometrie v osobních dokladech – cestovní doklady s biometrickými údaji, Konference CARDS, Prague, September 13, 2006