
Santa’s Crypto Get-Together
Hotel Olympic, Prague

December 5, 2008

Towards Disclosing the Private Key of an e-Passport

Martin Hlaváč and Tomáš Rosa
Department of Algebra, MFF UK in Prague

PPF banka a.s. and eBanka, a.s.


Agenda

Technology and platform overview

LF and HF bands interface

Unique ID transponders

Electronic passport
  - Relay attack
  - SCH attack on Active Authentication


Passive RF Chips Overview

Contact-less chips radio-classification
  - LF range chips (100 to 150 kHz)
  - HF range vicinity cards (13.56 MHz)
  - HF range proximity cards (13.56 MHz)
  - UHF range chips (800 MHz and higher)

Huge variety of designs
  - Cards, keychains, stickers, implants, …

RFID – Radio Frequency Identification
  - Viewed as a specific application of RF chips


LF and HF Band Physical Layer

Employs the behavior of the so-called near field of the transmitter
  - Classical wave not fully formed yet
  - Magnetic component takes care of the energy transport
  - Arrangement "terminal antenna – chip antenna" can be seen as a high-frequency transformer


Talking with the Transponder

[Figure labels: terminal RFID, transponder RFID, internal network, transponder field, terminal field]


Ordinary Operational Distance

| Frequency band | Sub-class | Typical sort | Typical deployment | Operation distance (order) |
|---|---|---|---|---|
| LF (100 to 150 kHz) | - | Memory card | Access system, immobilizer, implant, loyalty card | cm |
| HF (13.56 MHz) | Vicinity card | Memory card | Access system, skipass, loyalty card | cm to m |
| HF (13.56 MHz) | Proximity card | Contact-less smartcard | Access system, payment card, e-passport | cm |
| UHF (800 MHz – 1 GHz) | - | Memory card | Stock control | cm to m |


When the Distance Matters

Attacking techniques and ranges for HF band according to ISO 14443

| Method | Distance |
|---|---|
| Active communication with the chip | dozens of cm |
| Passive reception – chip and terminal | units of m |
| Passive reception – terminal only | dozens of m |
| Active communication with the terminal | dozens of m |


Active Attacks Reviewed

It is practically feasible to power a typical LF/HF chip at a distance on the order of meters

The problem is, however, to hear the transponder’s response
  - Increasing the terminal’s field can significantly decrease the SNR – Signal to Noise Ratio

Possible way for “write-only” attacks…


Terminal is Speaking (prox. HF)


Chip is Speaking (prox. HF)


Unique ID Transponders

Popular in access protection to buildings, offices, garages, etc.
Examples: EM4x02, HID Isoprox II, Indala, etc.
LF band
Serial memory with several dozen bits
Repeatedly sends its identifier when in the terminal’s field
No cryptographic protection

Security almost non-existent in many cases


LF Band Skimmer – Terminal Mode

[Figure: block diagram with labels Digital part, Transmitter, Receiver]


LF Band Skimmer – Emulator Mode

[Figure: block diagram with labels Digital part, Load modulator, Carrier sensing]


Contactless Smartcard

Important sub-class of RFID transponders

Function-wise and security-wise on par with classical (contact) smartcards

Platform – proximity card (13.56 MHz)


ISO 14443

Standardizes proximity cards
  - Usual operational distance 10 cm

Sub-groups A, B
  - Differ in communication protocol details (modulation, coding, frames, semantics)

Transport platform for contactless smartcards


ISO 7816

Describes
  - contact card communication interface
  - contact(-less) card application protocol

Effort to unify the view of a smartcard regardless of the communication interface
  - Combination of ISO 14443 (communication) and ISO 7816 (application commands)
  - From the point of view of ISO 7816 there is a new communication protocol identified with T = CL (Contact-Less)

Application platform of contact(-less) smartcards


Contact or Contactless

Hierarchy of standards for contact and contact-less smartcards

Application layer: ISO 7816-4 and higher
Transport layer: ISO 7816-3; ISO 14443-4
Link layer: ISO 14443A-3; ISO 14443B-3
Physical layer: ISO 14443A-2; ISO 14443B-2
Electromechanical properties: ISO 7816-1, 2; ISO 14443-1


Electronic Passport

Equipped with a contact-less smartcard chip

Compatible with ISO 14443 and ISO 7816

Application code: A0 00 00 02 47 10 01

Data files
  - DG1 to DG15: related to the travel document (DG1 – copy of machine readable zone (MRZ), DG2 – photo of the face, DG15 – public key for active authentication)
  - EF.COM, EF.SOD, EF.DIR: service data


P5CD072


Security Mechanisms

Required by ICAO
  - Passive authentication – digital signature of all data files DG1, …, DG15

Required in EU members
  - BAC – basic access control to data files and selected functions (e.g. active authentication)

Optional
  - Active authentication – challenge-response authentication of the chip (e.g. used in Czech Republic, not in Germany)


Apparent Weaknesses of ICAO e-Passport

Detectability of passport presence
  - Markers: presence of application A0 00 00 02 47 10 01, BAC protocol support, etc.

Brute force attack on BAC
  - Apparently low main password entropy
  - Listening to terminal is sufficient

Partial weaknesses of BAC and SM
  - Detectability of passport with known password (MRZ)
  - SM does not protect the command headers and status error answers


Relay Attack on Active Authentication

Passport asks to extend the answer time to 4949 ms.
  - If this was not acknowledged, or if a shorter time was acknowledged, the passport terminated the communication in our experiments
  - Presumably, terminals on country borders have to accept a 5 s delay

Passport responded within 1 s during the experiments
  - The remaining 4 s can be used to relay the challenge from the counterfeit to the real passport and send back the response


Attack Illustration

[Figure: message sequence between terminal, fake passport, fake terminal and passport over RF channel 1, channel 2 and RF channel 3. Message labels: initialization, file reading, AA challenge, S(WTX), AA response, challenge relay, response relay]


Side Channels

SCH is any unwanted information exchange between the cryptographic module and its surroundings

Physical principles of passive RF chips greatly facilitate the existence of many SCH
  - Electromagnetic field is a primary concern


Active Authentication I (CZ)

Terminal:
  - Generates 8B random number V and sends it to the passport

Passport:
  - Generates 106B random number U
  - Computes w = SHA-1( U || V )
  - Sets m = 6A || U || w || BC (2^1022 < m < 2^1024)
  - Computes s = m^d mod N, where (N, d) is the private RSA key of the passport
  - Sends s to terminal


Active Authentication II (CZ)

Message m is chosen jointly by the passport and the terminal, i.e. it cannot be conveniently chosen by either side

Existing chosen-plaintext attacks (e.g. Schindler, Tomoeda) cannot be employed
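
The exchange on the two Active Authentication slides, as an added example that is not the authors' code: the passport side builds and signs m, and the terminal side recovers m with the public key (stored in DG15) and checks its layout and hash. The throwaway key generation, the public exponent e = 65537 and all function names are assumptions.

```python
# Added example, not the authors' code. Key generation, e = 65537 and all
# function names are assumptions; the message layout follows the slide.
import hashlib
import secrets

def is_probable_prime(n, rounds=24):
    """Miller-Rabin test, used only to build a throwaway demo key."""
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def keygen(bits=1024, e=65537):
    """Constructed RSA key; top two bits of each prime set so N has `bits` bits."""
    primes = []
    while len(primes) < 2:
        c = secrets.randbits(bits // 2) | (3 << (bits // 2 - 2)) | 1
        if c % e != 1 and c not in primes and is_probable_prime(c):
            primes.append(c)
    p, q = primes
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def passport_respond(V, N, d):
    """Passport side: m = 6A || U || SHA-1(U || V) || BC, s = m^d mod N."""
    U = secrets.token_bytes(106)                 # passport's 106-byte nonce
    m = b"\x6a" + U + hashlib.sha1(U + V).digest() + b"\xbc"
    return pow(int.from_bytes(m, "big"), d, N).to_bytes(128, "big")

def terminal_verify(V, s, N, e):
    """Terminal side: recover m with the public key and check its format."""
    s_int = int.from_bytes(s, "big")
    if len(s) != 128 or s_int >= N:
        return False
    m = pow(s_int, e, N).to_bytes(128, "big")
    U, w = m[1:107], m[107:127]
    return m[0] == 0x6A and m[-1] == 0xBC and hashlib.sha1(U + V).digest() == w
```

Because U comes from the passport and V from the terminal, neither party controls the 128-byte value that is raised to d, which is the point the second slide makes.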


FAME-XE Exposure in the Field

Measurements by doc. Lórencz’s team, KP FEL ČVUT in Prague, April 2007

[Figure: measured trace of s = m^d mod N, annotated S M S S S S SM M M M]


Chinese Remainder Theorem (CRT)

private RSA operation m^d mod N is computed using CRT as follows

4x faster than simple exponentiation

use of secret p,q makes CRT more vulnerable


Montgomery exponentiation

exponentiation

Input: c, p, d (= (d_(n-1) d_(n-2) … d_1 d_0)_2)
Output: x = c^d mod p

u ← cR mod p
z ← u
for i = n-2 to 0
    z ← mont(z, z, p)
    if d_i == 1 then
        z ← mont(z, u, p)
    else
        z' ← mont(z, u, p)    (dummy multiplication, result discarded)
    endif
endfor
z ← mont(z, 1, p)
return z

multiplication (mont)

Input: x, y ∈ Z_p
Output: w = xyR^(-1) mod p

s ← xy
t ← s(-p^(-1)) mod R
g ← s + tp
w ← g/R
if w > p then
    w ← w – p    (final subtraction)
return w

operations mod/div R = 2^512, i.e. it’s fast

leaks information about secret p in final subtraction


Amount of Final Subtractions

we suspect the amount of FS leaks from the passport in EM channel

More higher-quality measurements are needed to support this hypothesis


If this hypothesis is correct the Active Authentication can be broken

Outline of the attack

The relationship between the number of FS during the computation m^c mod N and the value m_i R mod p.

(Tomoeda, 2006)

[Figure labels: "function of p (unknown)", "# FS (known)", "precision in bits", "# FS", "app. 2%"]

Experiments indicate some approximations are good enough.

lin. algebra approximations of secret q
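
An added simulation, not the authors' code or measurements, of the exponentiation and mont routines from the Montgomery slide: it counts the final subtractions (FS) for chosen values of u = cR mod p, showing the dependence this slide refers to, and models an always-subtract variant whose count no longer depends on the data. The modulus 2^255 - 19 with R = 2^256 stands in for the passport's secret 512-bit p with R = 2^512; the modulus, the exponent and all names are assumptions.

```python
# Added example, not the authors' code. P, R and all function names are
# assumptions: P = 2^255 - 19 stands in for the secret 512-bit prime p.
import random

P = 2**255 - 19
R = 2**256
NEG_P_INV = (-pow(P, -1, R)) % R               # -p^(-1) mod R

def mont(x, y, stats, always=False):
    """Return x*y*R^(-1) mod P and count the subtractions that are executed."""
    s = x * y
    t = (s * NEG_P_INV) % R
    w = (s + t * P) // R                       # exact division, w < 2P
    if always:                                 # modelled countermeasure:
        stats["fs"] += 1                       # subtract every time, then select
        diff = w - P
        return diff if diff >= 0 else w
    if w >= P:                                 # data-dependent final subtraction
        stats["fs"] += 1
        w -= P
    return w

def mont_exp(c, d, always=False):
    """Left-to-right exponentiation from the slide; returns (c^d mod P, #FS)."""
    stats = {"fs": 0}
    u = (c * R) % P
    z = u
    for bit in bin(d)[3:]:                     # bits d_(n-2) .. d_0
        z = mont(z, z, stats, always)
        prod = mont(z, u, stats, always)       # real or dummy multiplication
        if bit == "1":
            z = prod
    return mont(z, 1, stats, always), stats["fs"]

def base_with_u(u):
    """Choose c such that u = c*R mod P has the requested value."""
    return (u * pow(R, -1, P)) % P

def fs_profile(d, steps=8, always=False):
    """#FS for u spread evenly over (0, P): list of (u/P in percent, #FS)."""
    out = []
    for k in range(1, steps + 1):
        u = P * k // (steps + 1)
        fs = mont_exp(base_with_u(u), d, always)[1]
        out.append((100 * k // (steps + 1), fs))
    return out

D = random.Random(2008).getrandbits(256) | (1 << 255)   # constructed exponent

if __name__ == "__main__":
    for pct, fs in fs_profile(D):
        print(f"u = {pct:2d}% of P -> {fs} final subtractions")
```

Each multiplication by u ends in a subtraction with probability of about u/(2R), so the total grows with u; with `always=True` every call subtracts and the total is fixed by the exponent length alone.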


HNP Problem

Given the approximations

where the only unknown value is x

Find hidden number x

How? Theory of numbers, LLL algorithm.


Key Recovery

Construct lattice L(B) and approximation vector

Reduce its basis with LLL algorithm

Hope to find hidden vector and hidden number x


Experiments

Hardware setup: 16x Opteron 246

Measurements: 150 filtered from 7000

Time: app. 40 minutes

Result: private RSA key found


Conclusion

EM side channel on e-passport exists

New cryptanalytic technique using this side information is elaborated

Higher quality measurements needed

If our hypothesis is correct, AA can be broken, i.e. the e-passport can be duplicated, in the order of hours


Thank you for your attention …

Tomáš Rosa
eBanka, a.s.
Department of Algebra MFF UK

Martin Hlaváč
Department of Algebra MFF UK
PPF banka


References

1. ČSN ISO/IEC 14443-1..4
2. ČSN ISO/IEC 7816-3, 4
3. Development of a Logical Data Structure – LDS for Optional Capacity Expansion Technologies, ICAO, ver. 1.7, 2004
4. Hancke, G.: A Practical Relay Attack on ISO 14443 Proximity Cards, IEEE Symposium on Security and Privacy 2006
5. Heydt-Benjamin, T.-S., Bailey, D.-V., Fu, K., Juels, A., and O'Hare, T.: Vulnerabilities in First-Generation RFID-Enabled Credit Cards, In Proc. of Eleventh International Conference on Financial Cryptography and Data Security, Lowlands, Scarborough, Trinidad/Tobago, February 2007
6. Kirschenbaum, I., Wool, A.: How to Build a Low-Cost, Extended-Range RFID Skimmer, USENIX 2006
7. Lee, Y.: Antenna Circuit Design for RFID Applications, AN 710, Microchip Tech. Inc., 2003
8. Lórencz, R., Buček, J. and Zahradnický, T.: personal communication, 2007
9. MIFARE DESFire MF3 IC D40, Preliminary Short Form Specification v. 2.0, Philips Semiconductors, September 2003
10. MIFARE MF1 IC S50, Rev 5.1, Philips Semiconductors, May 2005
11. Nohl, K., and Plötz, H.: MIFARE – Little Security, Despite Obscurity, 24th Chaos Communication Congress, 2007, http://events.ccc.de/congress/2007/Fahrplan/events/2378.en.html
12. PKI for Machine Readable Travel Documents offering ICC Read-Only Access, ICAO, ver. 1.1, 2004
13. Rašek, L.: Elektronické pasy – jak fungují (Electronic passports – how they work), copy of web pages from 2006
14. SmartMX – P5CD072 Secure Dual Interface PKI Smart Card Controller, Short Form Specification v. 1.2, Philips Semiconductors, October 2004
15. Šiková, M.: Biometrie v osobních dokladech – cestovní doklady s biometrickými údaji (Biometrics in personal documents – travel documents with biometric data), CARDS Conference, Prague, September 13, 2006