SIM Card Strong
A Security Stronghold
in Networked ME
Mobile Equipment
Roadmap (1)
Smart Cards:
History, Philosophy
Industrial standards
ISO 7816-X smart cards =>
=> GSM 11.11 =>
=> 3GPP specs
Roadmap (2)
Key Questions:
If the phone is manufactured in a strange country (say Finland,
or China)
Q: How do we make sure that the client will pay the bill?
Remember we are talking about a very major industry, worth
hundreds of billions of $$.
This is not a small problem:
Take another industry: computer game consoles.
The game manufacturer does NOT want his game to be
pirated. Yet the console manufacturer sees his sales go through
the roof on the very day hackers find a way to
circumvent the copy protection. As a result, piracy is strong,
about 21% for console games [source: Macrovision], and
much higher in emerging countries.
Fact:
The fathers of GSM have adopted
the right business model and
security technologies that were NEVER
really pirated
No SIM card clones
for any major operator so far (!).
Adoption Barriers
The model had the right mix of very strong
forces and incentives acting in opposite
directions:
1) Subsidizing the phone and charging a lot
for communications abolished adoption
barriers: giving the phone for free or 1
like the French did with Minitel before, and
this generated billions of revenue.
****Two Markets
Phones:
Free market, perfectly competitive, high pressure
on prices, economies of scale, industry
concentration, losers and winners.
Phone calls / subscription:
State-allocated pseudo-monopolies on each
territory? Yes:
The telco cannot easily exclude people from using another phone
compatible with GSM specs
=> more competition on features and innovation.
The phone manufacturer can only lock people in for a limited time,
through SIM locks.
Security Advantages
The phone CANNOT breach the security of SIM card (in the
sense of authentication and making free calls).
Impossible.
2. many industrial/commercial/
trade/security secrets
by Wolfgang Rankl
Motivation in a Nutshell
Key Remark
Software CANNOT be protected by software.
2. Hopefully unbreakable:
nobody can know/modify what is inside.
Philosophy / Model
for Security of Smart Cards
slight
problem..
Companies/people involved in this business can compromise its security (backdoors etc!)
History
Historical Patents
Gemplus
Vocabulary
magnetic stripe card (French: carte à piste magnétique)
IC= Integrated Circuit
ICC, chip card :
memory card
wired logic card
smart card
More Vocabulary
card reader, CAD (Card Acceptance Device) (French: lecteur carte)
Types of cards
memory/wired logic
microprocessor
0 CPU
1 CPU
2 CPU
1-2 CPU
micropr.+crypto
contactless
Primitive
NVM nonvolatile memory
(E2PROM, Flash
memory)
simple function
e.g. prepay card
Smart Card
Microcontroller =
CPU+memory
Universal, Turing
machine, software
driven
flexibility
security features
[Hardware DES]
Crypto-processor IC Cards
****Perso Process
storage capacity
security functionalities
multiple functions
user acceptability, effective packaging
successful business model
GSM / 3G phones
First SIM card: Gemplus 1989, MANY billions sold since
Electronic passport, ID
PKI, Belgium by Axalto.
Biometry. All passports in October 2005 !
contact-less [later]:
ISO 14443 A-..C [Oyster]
ISO 15693 [NFC]
ISO 18000 [RFID]
ISO 7816-1
Size matters! Like a credit card.
ISO 7816-1
Physical Characteristics:
Operating temperature, humidity, etc
below are very severe requirements:
bending properties
torsion properties
Manufacturing
Die bonding
The chip is glued to the contact.
Connections with gold wire (20 µm)
Encartage
Embed in a mm card.
Plastic Matters
ISO 7816-2
Contacts
1.7 x 2 mm
[changed in 1990]
ISO 7816-2
=> Freedom
Contact Quality
Friction force readers scratch the cards
[contacts frottants]
USB
Samsung S-SIM
supports both+NAND+InterChip USB
Power Matters
Summary:
Bank card: 5 V, 50 mA
GSM SIM class C card (the latest): 4 mA
Even much less for contact-less cards !!!
(power supplied by an alternative magnetic field)
=>Very Low computing power !!!
In contrast: modern PC CPU up to 50 000 mA !
Several 1000 x less power than an Intel CPU
Low surface ( 25 mm2)
ISO 7816-3
CLK:
transition time < Max(0.5 µs, 9% x period T)
at 1 during 40% - 60% of time.
The card security should block on short
impulses!
Clock speed:
First cards [1996]: 3.579545 MHz
(still@begin)
NO co-processor:
RSA-512, 2 minutes
Clock speed, with co-processor:
1996: 3.5 MHz, RSA-1024 in 500 ms
2000: 7 MHz, RSA-2048 in 500 ms
2004: 60-100 MHz, RSA-2048 in 50 ms
200-400 MHz today, RSA-2048 in 10 ms
ETU
ISO 7816-3
Defines the ATR: answer to reset. Up to 33 bytes.
Must happen at 400 to 40,000 clocks after RST.
ATR = a series of bytes transmitted in order b8..b1:
TS
T0 [presence of TA1-TD1 and 0..15 historical bytes]
TA1
TB1
TC1
TD1: like T0, specifies the presence of extra objects
TA2
etc
ATR Structure
XOR checksum
TS specifies:
TS [A+8+Z bits]:
specifies the relationship between A/Z and 0/1
Z=high voltage, A=low voltage
Direct convention [Germany], where A=0, Z=1:
TS = 3B; b1:b8= A(ZZAZZZAA)Z
Inverse convention [France], with A=1, Z=0:
TS = 3F; b8:b1= A(ZZAAZZZZ)Z
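The ATR layout described above (TS, T0, the chained TAi..TDi bytes, historical bytes, XOR checksum), parsed in Python as an added example that is not part of the original slides. The sample ATR is constructed, the function name is hypothetical, and the rule that the checksum byte (TCK) is present only when a protocol other than T=0 is indicated is taken from ISO 7816-3, not from this page.

```python
CONVENTIONS = {0x3B: "direct", 0x3F: "inverse"}

# Constructed sample: TS=3B, T0=95 (TA1 and TD1 present, 5 historical bytes),
# TA1=11, TD1=80 (T=0, TD2 follows), TD2=01 (T=1), "SIM01", TCK=53.
SAMPLE_ATR = bytes.fromhex("3B 95 11 80 01 53 49 4D 30 31 53")


def parse_atr(atr: bytes) -> dict:
    """Parse an ISO 7816-3 ATR and verify its XOR checksum when present."""
    if not 2 <= len(atr) <= 33:
        raise ValueError("an ATR is 2 to 33 bytes long")
    if atr[0] not in CONVENTIONS:
        raise ValueError(f"unknown TS byte {atr[0]:02X}")
    hist_len = atr[1] & 0x0F      # low nibble of T0: number of historical bytes
    presence = atr[1] >> 4        # high nibble of T0: which of TA1..TD1 follow
    pos, index = 2, 1
    interface, protocols = {}, set()
    while presence:
        for bit, letter in enumerate("ABCD"):
            if presence & (1 << bit):
                if pos >= len(atr):
                    raise ValueError("ATR truncated in interface bytes")
                interface[f"T{letter}{index}"] = atr[pos]
                pos += 1
        td = interface.get(f"TD{index}")
        if td is None:
            break
        protocols.add(td & 0x0F)  # low nibble of TDi: protocol number T
        presence = td >> 4        # high nibble: presence of the next TA..TD
        index += 1
    historical = atr[pos:pos + hist_len]
    if len(historical) != hist_len:
        raise ValueError("ATR truncated in historical bytes")
    pos += hist_len
    has_tck = bool(protocols - {0})   # no TCK when only T=0 is indicated
    if len(atr) != pos + has_tck:
        raise ValueError("unexpected ATR length")
    checksum_ok = None
    if has_tck:
        acc = 0
        for byte in atr[1:]:          # XOR of T0..TCK must be zero
            acc ^= byte
        checksum_ok = acc == 0
    return {
        "convention": CONVENTIONS[atr[0]],
        "interface": interface,
        "historical": historical,
        "protocols": sorted(protocols or {0}),
        "checksum_ok": checksum_ok,
    }
```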
ISO 7816-3
Communication Protocols
Main two: synchronous, half/duplex
T=0 (byte-oriented, e.g. GSM SIM),
T=1 (block-oriented, e.g. bank cards)
T=14 (proprietary for German phone cards)
Recent developments:
T=2 (block-oriented, full duplex, cf. ISO 10536-4).
T=4, expansion of T=0
T=USB
T=CL
T=CL is used for talking to ISO 14443A/B
cards with APDUs translated by the reader
(totally hides the RF interface from the
programmer, the card seems to be a card
with contact!)
T=0 or T=1?
Remark:
T=0 (byte-oriented)
parity bits only
ISO 7816-3
Baud rate:
1996: 9.6 K bit/sec default, @beginning.
Then: 115 K bits/sec
Outdated by Axalto patent: USB smart card:
First Axalto USB: 700 K bits/sec
Full-speed USB up to 12 Mbit/s [since 2005].
Not USB 2.0, it is just USB 1.0 full-speed.
ISO, [USB, RF]
Dimensions
Comparison
Antenna
large loop antenna
ISO, USB, RF
2. Hopefully unbreakable:
nobody can know/modify what is inside.
Remark:
There is no defense against an adversary that
has several millions of
Reverse Engineering
Open-source Closed-source
Industry: competition cooperation
Standards
Industrial/commercial/trade/security secrets
Kerckhoffs Principle
Dutch cryptologist, wrote his book in French.
In June 2006 Dutch researchers De Gans et al.
published several cloning attacks on MiFare
Classic chips [London Oyster card + 200 M other].
[first cloning attack: Courtois, Nohl and O'Neil, April
2008].
*Remark:
Smart Cards:
They are already in enemy hands
- even more for RFID
No obligation to disclose.
Security when disclosed.
Better security when not disclosed???
Yes (1,2,3):
1. Military:
layer the defences.
Yes (2):
2)
Basic economics:
these 3 extra months
(and not more )
Yes (3):
3)
Prevent the erosion of profitability
/ barriers for entry
for competitors /
inimitability
*Silicon Hacking
Tarnovsky Lab
Only few thousands of dollars of equipment
More Expensive:
FIB:
Example resolution: 10 nm
Classical applications: failure analysis of ICC
But also: circuit modification:
Local material removal:
cutting metal lines, milling, gas enhanced
etching
Hardware Defences
Hardware Countermeasures:
Functionality + Security
Hardware Countermeasures
Detection:
Detect under/over-clocking (stop the clock, read the RAM)
Intrusion Detection
Active Shield
Source: Infineon. Problem: back side attacks.
works!
Design Obfuscation
Different lines in each chip; on certain chips the bus locations change during the execution of the code.
Motivation:
Most Bank Cards have a PIN verification
function.
PIN
not encrypted except in some EMV DDA cards
Y/N
not authenticated except in EMV DDA cards
Protocol/Software Countermeasures
Typically, the chaining of commands is
strictly controlled. Each command can be
issued only once, and in a certain order.
Assured by a finite state machine.
Example: don't accept commands in clear-text
once secure messaging is established.
Example:
Eric Poll [Nijmegen] Attacks on e-passports.
Send various ISO commands, observe the error messages:
Clone Attacks
Threats (1.)
Assume that we have all the data. Clone the card?
1.
Card Emulation on a card defenses:
Threats (2.):
Assume that we have all the data. Clone the card?
1.
Card Emulation on a card ???
2.
Card Emulation on a PC!
Low-tech,
always
works!
No Need to Break
Anything !!!
Economics Aspects
Testing
White-box tests are prohibited, no debugging commands
must be left in the hard-mask and soft-mask.
Tests must be black-box tests and test suites include
scanning for hidden [debugging] commands.
Segregation of Duties
A developer never works alone on an
application.
Each one knows only some parts of the spec (partial
secrecy, need to know).
File System
ISO 7816-6
Specifies how to encode different data
elements as BER-TLV objects,
For example:
Name of the credit card holder
Expiration date
Etc.
ISO 7816-4
File names FID:
2 bytes
example: 3F 00
Short file names (SFID):
5 bits, 1..30, used as
a parameter in certain
commands
ISO 7816-4
MF: Master File
(root directory 3F00)
DF: Dedicated Files
(directories+some data)
EF: Elementary Files
(data files)
Elementary Files
EF: Elementary Files
Not all files are visible for applications(!)
Internal EF: card private files, card O.S. only can
see them
Working EF: data accessible to applications that
communicate with the external world.
like RAM, or a
string of bytes
2 types of records:
[Figure: a record file, like a list: a Header followed by a Body of records (Record 2, ..., Record n-1, Record n)]
Applications:
Bank card history
e.g. 150 last transactions
[Figure: Structure of a cyclic file EN726-3: Record 1, Record 2, ..., Record n-2, ..., Record n (oldest record)]
EFIMSI (6F07)
The file EFLOCI (6F7E) contains TMSI, LAI etc.
EFLP(Language preference)
EFKc = Ciphering key Kc + sequence number
EFSST (6F38) = SIM service table = 1byte = [s1present, s1active, ]
= services present/not active/not in this card, these are:
present in
DFTELECOM
Variants
There are MANY methods to address a file with SELECT FILE:
by 2 bytes FID (for MF, DF and EF)
0_ A4 00
By DF name or AID (for DF only or an application)
0_ A4 04
0_ A4 02
by absolute path from MF
0_ A4 08
by a relative path from current DF
0_ A4 09
Switch to higher level DF? (equiv to ../ in PC OS)
another DF when partial AID is transferred?
empty params.
2. Example of a SELECT FILE with AID and no FCI (widely used for
accessing files AND applications by their unique identifier):
Command: 00 A4 02 00 05 [AID]
ISO command
SELECT FILE
specific params.
Status of EF Files
SELECT FILE command for an EF file
=>returns:
1. an error status:
62 83 file deactivated
64 00 execution error
6A 81 function not supported
6A 82 file not found
etc..
OR
2. an FCI (File Control Information) + 90 00
(each EF file in a card has specified access conditions):
83 + 2: file identifier.
84 + 1-16: DF name.
86 + security attributes (proprietary coding).
etc..
Nicolas T. Courtois, WMNC Gdansk, 11/09/09
Examples of FCI
Not 100% compatible, depends on products
6F 07 80 02 00 58 82 01 01 90 00
EF with transparent structure, file size: 88 (0x0058)
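The SELECT FILE answer above (either an error status, or an FCI followed by 90 00), decoded in Python as an added example that is not part of the original slides. Function names are hypothetical; tags 83, 84 and 86 and the status words are the ones listed on the page, while the meanings of tags 80 (file size) and 82 (file descriptor) follow ISO 7816-4 and, as the page notes, real products are not 100% compatible.

```python
SW_TEXT = {0x9000: "OK", 0x6283: "file deactivated", 0x6400: "execution error",
           0x6A81: "function not supported", 0x6A82: "file not found"}
FCI_TAGS = {0x80: "file size", 0x82: "file descriptor", 0x83: "file identifier",
            0x84: "DF name", 0x86: "security attributes"}

# The page's example response: EF with transparent structure, 88 bytes.
PAGE_EXAMPLE = bytes.fromhex("6F 07 80 02 00 58 82 01 01 90 00")


def parse_tlv(buf: bytes) -> list:
    """Split a buffer into (tag, value) pairs; single-byte tags only."""
    items, pos = [], 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated TLV header")
        tag, length = buf[pos], buf[pos + 1]
        pos += 2
        if length == 0x81:                  # long form with one length byte
            if pos >= len(buf):
                raise ValueError("truncated TLV length")
            length = buf[pos]
            pos += 1
        elif length >= 0x80:
            raise ValueError("unsupported TLV length form")
        if pos + length > len(buf):         # never trust the card's length
            raise ValueError("TLV length overruns the buffer")
        items.append((tag, buf[pos:pos + length]))
        pos += length
    return items


def parse_select_response(resp: bytes) -> dict:
    """Decode the answer to SELECT FILE: optional FCI template 6F + SW1 SW2."""
    if len(resp) < 2:
        raise ValueError("response shorter than the two status bytes")
    sw = int.from_bytes(resp[-2:], "big")
    result = {"sw": f"{sw:04X}", "status": SW_TEXT.get(sw, "unknown"), "fci": {}}
    if len(resp) == 2:
        return result
    items = parse_tlv(resp[:-2])
    if len(items) != 1 or items[0][0] != 0x6F:
        raise ValueError("expected a single FCI template (tag 6F)")
    for tag, value in parse_tlv(items[0][1]):
        name = FCI_TAGS.get(tag, f"tag {tag:02X}")
        if tag == 0x80:
            result["fci"][name] = int.from_bytes(value, "big")
        else:
            result["fci"][name] = value.hex().upper()
    return result
```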
Byte 14: The most significant bit of this byte is 0 if and only if PIN1 is disabled.
Byte 19 is the "CHV1 status".
Typically the value of this byte is '83' where 8 means that the PIN1 has been
initialized, and that there are 3 cardholder verification attempts left for this
PIN.
File-specific,
then the key/PIN used is stored in the same DF.
File-specific (EF).
Command-specific and ephemeral.
Example:
[Figure: MAC algorithm with a shared secret key sk on both sides; verifying (m,) gives yes/no; forgery]
[Flowchart, PRO mode:
Card: ASK RANDOM command, challenge generation, Challenge.
Outside the card: PRO key, (T)DES calculation over the challenge and the data to send, giving a cryptogram; PRO command with Data + cryptogram.
Card: received bytes = Data + received cryptogram; EF key gives the PRO key; (T)DES calculation; compare the cryptograms; delete flag "random present".
OK? Y: reset ratification counter if needed, PRO mode OK. Otherwise: decrease ratification counter, Bad Authentication.]
[Flowchart, AUT mode:
Card: ASK RANDOM command, challenge generation, Challenge.
Terminal: Key, (T)DES calculation over the challenge, giving a certificate (cryptogram); EXTERNAL AUTHENTICATE command with key number + cryptogram.
Card: received bytes = key number + cryptogram; the key number selects the Card Key in the EF key; (T)DES calculation; compare the cryptograms; delete flag "random present".
OK? Yes: reset ratification counter if needed, Authentication successful. Otherwise: decrease ratification counter, Bad Authentication.]
Commands (APDUs)
ISO 7816-4
APDU = Application Protocol Data Unit
Command APDUs
Erase Binary
Verify
Manage Channel
External Authenticate
Get Challenge
Internal Authenticate
Select File
Read Binary
Read Record(s)
Get Response
Envelope
Get Data
Write Binary
Write Record
Update Binary
Put Data
Update Record
Append Record
Response = R-APDU
Response structure:
SW1: 90=completed/
OK with warning/
error during exec/
checking error;
?NVM changed[63,65]
SW2: error number
90 00 = All OK
IMPORTANT:
In many cases, and in all cases where the size
of the answer is not known in advance,
the response is NOT given;
the terminal must ask for it
(another C-APDU).
Example (for a bank card):
5 Possible Cases:
Case 1: No input data/no output data
Data
2 status bytes
[] 5 Possible Cases
Case 4: Input data/no output:
Syntax: Read/Write
READ BINARY
Security Commands
VERIFY + password/CHV/PIN
BTW. CHV == Card Holder Verification == PIN
Example: 00 20 00 00 04 70 61 70 61
CLA = 00
INS = 20
P1 = 00: must be 0
P2 = 00: authenticates the whole MF if b7=0, PIN stored in MF
Lc = 04
Data = 70 61 70 61: 4 bytes password (= papa)
no L_e, no data in reply expected, result will be visible in two status bytes SW1 SW2
CLA
INS
random challenge
on 4 digits
GET CHALLENGE
EXTERNAL AUTHENTICATE
+ algo nb. + key nb. + cryptogram
Example:
GET CHALLENGE
Example: 00 84 00 00 10
CLA = 00, INS = 84
P1, P2: both are 0
LE = 10: it expects 16 digits random
EXTERNAL AUTHENTICATE
Example: 00 82 00 00 04 01 02 03 04
CLA = 00, INS = 82
P2: authenticates the whole MF if b7=0, key stored in MF
Data = 01 02 03 04: our cryptogram on 4 bytes
no data to recover in reply, OK/not OK seen as 2 status bytes.
The sequence:
GET CHIP NUMBER
GET CHALLENGE
MUTUAL AUTHENTICATE + params
CLA
INS
both are 0
some data,
length 16
CHV1=user PIN
CHV2=second PIN
Concrete Example:
Your Own GSM Card
SELECT FILE
1. Example of a SELECT FILE with FID and FCI, for a GSM card:
Command: A0 A4 00 00 02 7F 20
GSM card
SELECT FILE
empty params.
Response:
This command returns the FCI.
Well not quite. Done in 2 stages:
Details:
VERIFY + CHV1
Example: A0 20 00 01 08 33 37 37 36 FF FF FF FF
CLA = A0 (= GSM)
INS = 20
P1 = 00: must be 0
P2 = 01: here b7=1
Lc = 08
Data: 8 bytes PIN in ASCII, 3776 + FF FF FF FF
Answer Codes:
Card Holder => Card
VERIFY + CHV1
A0 20 00 01 08 33 37 37 36 FF FF FF FF
Reply:
9000 - the PIN is correct
9802 - CHV is not initialized
9808 - in contradiction with CHV status (inactive PIN!)
9810 - in contradiction with invalidation status
9804 - unsuccessful CHV verification, at least 1 attempt left
9840 - unsuccessful CHV verification,
no attempt left or this CHV is blocked now
Beware:
Danger:
After 3 presentations of an incorrect PIN (that can be in
different sessions, this counter is preserved in non-volatile
memory) the card will be blocked (but can be unblocked
with UNBLOCK CHV function).
However if the PIN is correct, the counter for the number of
CHV attempts will be reset to 3.
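The VERIFY CHV1 command, its reply codes and the persistent three-try counter described above, modelled in Python as an added example that is not part of the original slides. `build_verify_chv` and `ChvModel` are hypothetical names, the model object stands in for the card's non-volatile memory, and spending the attempt before the comparison is a design choice of this example, not something the page states.

```python
import hmac

SW_TEXT = {
    0x9000: "the PIN is correct",
    0x9802: "CHV is not initialized",
    0x9804: "unsuccessful CHV verification, at least 1 attempt left",
    0x9808: "in contradiction with CHV status",
    0x9810: "in contradiction with invalidation status",
    0x9840: "unsuccessful CHV verification, no attempt left or CHV blocked",
}


def build_verify_chv(chv_no: int, pin: str) -> bytes:
    """Build A0 20 00 <chv_no> 08 + PIN in ASCII, padded to 8 bytes with FF."""
    if chv_no not in (1, 2):
        raise ValueError("CHV number must be 1 or 2")
    if not (pin.isascii() and pin.isdigit() and 4 <= len(pin) <= 8):
        raise ValueError("PIN must be 4 to 8 decimal digits")
    return bytes([0xA0, 0x20, 0x00, chv_no, 0x08]) + pin.encode().ljust(8, b"\xff")


class ChvModel:
    """Toy card-side model; tries_left plays the role of the NVM counter."""
    MAX_TRIES = 3

    def __init__(self, pin: str, chv_no: int = 1):
        self._reference = build_verify_chv(chv_no, pin)
        self.tries_left = self.MAX_TRIES

    def verify(self, apdu: bytes) -> int:
        """Process one VERIFY command and return SW1SW2 as an integer."""
        if len(apdu) != 13 or apdu[:5] != self._reference[:5]:
            raise ValueError("not a VERIFY command for this CHV")
        if self.tries_left == 0:
            return 0x9840                    # blocked until UNBLOCK CHV
        self.tries_left -= 1                 # spend the attempt first
        if hmac.compare_digest(apdu[5:], self._reference[5:]):
            self.tries_left = self.MAX_TRIES # correct PIN resets the counter
            return 0x9000
        return 0x9804 if self.tries_left else 0x9840
```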
GSM Security
[Figure: GSM Operator Authentication Center with precomputed triples (RAND, SRES, Kc); SIM card with secret key Ki; Mobile Equipment; Base Station. The challenge RAND goes to the SIM, which computes the Signed RESponse (SRES) with A3 and Kc with A8 from Ki; the two SRES values are compared (are = ?). On both sides A5 takes Kc, Fn and mi and produces the Encrypted Data.]
Authentication Algorithms
Some operators used COMP128 v1, the default algorithm.
Very bad, there are several attacks
[Briceno,Goldberg,Wagner].
Some never-published attacks existed only in the form of an
exe file, better than any published attack: fewer queries to
the card!
I've developed such attacks myself, they were never published
(sorry).
Gemplus patented and commercialized a strong key solution
Encryption Algorithms
In the phone.
Embarrassing Discovery
What was discovered before [SDA-Berkeley 04/98].
Keys generated were not 64 bits.
10 bits fixed to 0 => 54 effective bits.
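The GSM challenge-response with precomputed triples (RAND, SRES, Kc) and the effect of fixing 10 key bits to 0, as an added Python example that is not part of the original slides. HMAC-SHA256 stands in for the operator's A3/A8 (it is not COMP128), all function names are hypothetical, and clearing the low 10 bits is an assumption about position: the page only states that 10 bits are fixed.

```python
import hashlib
import hmac
import secrets


def a3_a8(ki: bytes, rand: bytes, weak_kc: bool = False):
    """Stand-in for A3/A8: derive SRES (4 bytes) and Kc (8 bytes) from Ki, RAND."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    sres, kc = digest[:4], int.from_bytes(digest[4:12], "big")
    if weak_kc:
        kc &= ~0x3FF      # 10 of the 64 bits fixed to 0 (low bits: assumption)
    return sres, kc.to_bytes(8, "big")


def auc_triple(ki: bytes, weak_kc: bool = False):
    """Authentication Center: precompute one (RAND, SRES, Kc) triple."""
    rand = secrets.token_bytes(16)
    sres, kc = a3_a8(ki, rand, weak_kc)
    return rand, sres, kc


def sim_run_gsm(ki: bytes, rand: bytes, weak_kc: bool = False):
    """SIM card: answer the challenge; Ki itself never leaves the card."""
    return a3_a8(ki, rand, weak_kc)


def network_authenticate(triple, sim_ki: bytes, weak_kc: bool = False):
    """Network side: send RAND, compare SRES; returns (authenticated, same_kc)."""
    rand, expected_sres, kc = triple
    sres, sim_kc = sim_run_gsm(sim_ki, rand, weak_kc)
    ok = hmac.compare_digest(sres, expected_sres)
    return ok, ok and sim_kc == kc


def effective_kc_bits(ki: bytes, samples: int = 64, weak_kc: bool = False) -> int:
    """Count the Kc bit positions that ever take the value 1 over many triples."""
    seen = 0
    for _ in range(samples):
        seen |= int.from_bytes(auc_triple(ki, weak_kc)[2], "big")
    return bin(seen).count("1")
```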
Open Platform
promoted by Visa et al.
JavaCard
popular in GSM
banks never wanted 3rd party applications on their
cards. Problems: branding, ownership, risks
ISO 7816-5
Specifies AIDs (Application IDentifier)
16 bytes (128 bits)
[RID(5)+PIX(0..11)]
RID: Registered Application Provider
PIX: Proprietary Identifier Extension
specific params.
SELECT FILE
Response: 90 00 if all OK
A0 00 00 00 09
ETSI (e.g. GSM SIM with Java)
Standards
PC/SC: communication between MS
Windows and smart card readers
[developed in 1997]
Microsoft Cryptographic API (CryptoAPI).
Standards
JavaCard [later].
OCF [OpenCard Framework]: a Java-based set of APIs for smart
cards
JavaCard 2.2
Document 1: f8 & f9
Document 2: KASUMI
JavaCard
Motivation
Portable code, hardware-independent
Time to market: add new applications
to the card at any moment!
Easier to develop
Open platform,
=> specs of smart card chip are usually confidential(!!)
History
Java Card 1.0: Schlumberger. APIs only.
Later, Bull+Gemplus+Schlumberger formed
the Java Card Forum.
+ Sun Microsystems => develop Java Card
2.0.
Still a SMALL subset of JavaTM
Some 2 billion Java cards to date
(mainly in GSM)
Communication
Special subset of APDUs [ISO 7816-3..4] are used.
Conclusion
Future:
Insecure software, hackers =>
One cannot live without Smart Cards or some
other secure portable hardware device.
Bill Gates recognized it publicly in 2005
Major Problems
cost effectiveness
adoption of new technology
which standards will win? a very tricky game