When an e-Passport Talks and it Should Not

ePassports EAC Conformity & Interoperability Tests, Prague, September 7-12, 2008
Martin Hlaváč and Tomáš Rosa
Department of Algebra, MFF UK in Prague; PPF banka a.s. and eBanka, a.s.

Page 2: When an e-Passport Talks and it Should Not

Outline

e-Passport
Active Authentication
Electro-Magnetic Side Channel
RSA with Chinese Remainder Theorem and Montgomery Exponentiation
Extracting Private Key
Conclusion

Page 3: When an e-Passport Talks and it Should Not

Electronic Passport

Equipped with a contact-less smartcard chip
Compatible with ISO 14443 and ISO 7816
Application code: A0 00 00 02 47 10 01
Data files DG1 to DG15: related to the travel document (DG1 – copy of machine readable zone (MRZ), DG2 – photo of the face, DG15 – public key for active authentication)
EF.COM, EF.SOD, EF.DIR: service data

Page 4: When an e-Passport Talks and it Should Not

P5CD072

Page 5: When an e-Passport Talks and it Should Not

Talking with the Passport

[Figure: diagram with the labels terminal RFID, passport RFID, internal network, transponder field, terminal field]

Page 6: When an e-Passport Talks and it Should Not

Security Mechanisms

Required by ICAO: Passive authentication – digital signature of all data files DG1, …, DG15

Required in EU members: BAC – basic access control to data files and selected functions (e.g. active authentication)

Optional: Active authentication – challenge-response authentication of the chip (e.g. used in Czech Republic, not in Germany)

Page 7: When an e-Passport Talks and it Should Not

Active Authentication I (CZ)

Terminal:
  Generates 8B random number V and sends it to passport

Passport:
  Generates 106B random number U
  Computes w = SHA-1( U || V )
  Sets m = 6A || U || w || BC, ($2^{1022} < m < 2^{1024}$)
  Computes $s = m^d \bmod N$, where (N, d) is private RSA key of the passport
  Sends s to terminal

Page 8: When an e-Passport Talks and it Should Not

Active Authentication II (CZ)

Message m is chosen jointly by the passport and terminal, i.e. it cannot be conveniently chosen by either side
Existing chosen-plaintext attacks cannot be employed

Page 9: When an e-Passport Talks and it Should Not

FAME-XE Exposure in the Field

Measurements by doc. Lórencz’s team, KP FEL ČVUT in Prague, April 2007

[Figure: measurement of the computation $s = m^d \bmod N$, with segments labelled S and M]

Page 10: When an e-Passport Talks and it Should Not

Chinese Remainder Theorem (CRT)

The private RSA operation $m^d \bmod N$ is computed using CRT as follows:

$s_p = (m_p)^{d_p} \bmod p$

$s_q = (m_q)^{d_q} \bmod q$

$s = ((s_q - s_p)\, p_{inv} \bmod q)\, p + s_p$

4x faster than simple exponentiation
Use of secret p, q makes CRT more vulnerable

Page 11: When an e-Passport Talks and it Should Not

Montgomery exponentiation

Exponentiation
Input: c, p, d = (d_{n-1} d_{n-2} … d_1 d_0)_2
Output: x = c^d mod p
  u ← cR mod p
  z ← u
  for i = n-2 to 0
    z ← mont(z, z, p)
    if d_i == 1 then
      z ← mont(z, u, p)
    else
      z' ← mont(z, u, p)
  endfor
  z ← mont(z, 1, p)
  return z

Multiplication (mont)
Input: x, y ∈ Z_p
Output: w = xyR^-1 mod p
  s ← xy
  t ← s(-p^-1) mod R
  g ← s + tp
  w ← g/R
  if w ≥ p then
    w ← w - p   (final substitution)
  return w

Operations mod/div R = 2^512, i.e. it’s fast
Leaks information about secret p in final substitution
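An added example (not from the slides or the authors' code) that puts the CRT recombination and the two Montgomery routines above into runnable Python and counts how often the conditional final step (the slides' "final substitution", FS) fires in the mod-p half. The 256-bit primes, R = 2^256, e = 65537 and the helper `message_with_u` are assumptions chosen for illustration; the slides use R = 2^512.

```python
# Added example with constructed toy parameters (256-bit primes, R = 2^256);
# the slides use 512-bit primes and R = 2^512.
R_BITS = 256
R = 1 << R_BITS
P = 2**255 - 19                  # well-known prime, stands in for secret p
Q = 2**256 - 2**32 - 977         # well-known prime, stands in for secret q
N = P * Q
D = pow(65537, -1, (P - 1) * (Q - 1))   # private exponent for assumed e = 65537

def mont(x, y, p, stats):
    """Montgomery product x*y*R^-1 mod p; counts the conditional final step."""
    s = x * y
    t = (s * -pow(p, -1, R)) % R
    w = (s + t * p) >> R_BITS    # s + t*p is divisible by R, so this is exact
    if w >= p:                   # data-dependent branch: the FS of the slide
        w -= p
        stats["fs"] += 1
    return w

def mont_exp(c, d, p, stats):
    """Left-to-right exponentiation with a dummy multiply on 0 bits."""
    u = (c * R) % p
    z = u
    for bit in bin(d)[3:]:       # bits d_{n-2} .. d_0
        z = mont(z, z, p, stats)
        prod = mont(z, u, p, stats)   # always computed, kept only on 1 bits
        if bit == "1":
            z = prod
    return mont(z, 1, p, stats)  # leave Montgomery form

def rsa_crt_sign(m):
    """Return (s, FS count of the mod-p half, FS count of the mod-q half)."""
    sp_stats, sq_stats = {"fs": 0}, {"fs": 0}
    sp = mont_exp(m % P, D % (P - 1), P, sp_stats)
    sq = mont_exp(m % Q, D % (Q - 1), Q, sq_stats)
    s = ((sq - sp) * pow(P, -1, Q) % Q) * P + sp
    return s, sp_stats["fs"], sq_stats["fs"]

def message_with_u(u):
    """Constructed message m whose Montgomery form m*R mod P equals u."""
    return u * pow(R, -1, P) % P

if __name__ == "__main__":
    for u in (12345, P // 2, P - 12345):
        m = message_with_u(u)
        s, fs_p, _ = rsa_crt_sign(m)
        print(f"mR mod p = {u / P:.2f} * p  ->  {fs_p} final substitutions")
```

The count rises with m·R mod p, so it carries information about p; implementations avoid this by making the final step unconditional or by choosing R large enough that no final subtraction is needed.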

Page 12: When an e-Passport Talks and it Should Not

Amount of Final Substitutions

We suspect the amount of FS leaks from the passport in the EM channel
More higher-quality measurements are needed to support this hypothesis

If this hypothesis is correct, the Active Authentication can be broken

Page 13: When an e-Passport Talks and it Should Not

Outline of the attack

The relationship between the number of FS during the computation $m^c \bmod N$ and the value $m_i R \bmod p$ (Tomoeda, 2006).

[Figure: plot with axes labelled "# FS (known)" and "function of p (unknown)"]

$m_i R q - k_i N \approx \frac{n_i - n_{\min}}{n_{\max} - n_{\min}} N$

lin. algebra → approximations of secret q

[Figure: plot with axes labelled "precision in bits" and "# FS"; annotation: app. 2%]

Experiments indicate some approximations are good enough.

Page 14: When an e-Passport Talks and it Should Not

Key Recovery

Construct suitable lattice
Reduce its basis with LLL algorithm
Hope the hidden number q is revealed

Experiments: With 150 measurements filtered from app. 7000, the key is recovered in 40 minutes on 2GHz Opteron

Page 15: When an e-Passport Talks and it Should Not

Conclusion

EM side channel on e-passport exists
New cryptanalytic technique using this side information is elaborated
Higher quality measurements needed
If our hypothesis is correct, AA can be broken, i.e. e-passport can be duplicated, in order of hours

Page 16: When an e-Passport Talks and it Should Not

Thank you for your attention …

Tomáš Rosa, eBanka, a.s., Department of Algebra MFF UK

Martin Hlaváč, Department of Algebra MFF UK, PPF banka