SIM Card Strong

SIM Card:
A Security Stronghold
in Networked ME
Mobile Equipment
1
2
Nicolas T. Courtois 1, ex. 2

- University College of London, UK
= [Axalto+Gemplus]
SIM Card and Security
Roadmap (1)
Smart Cards:
History, Philosophy
Industrial standards
ISO 7816-X smart cards =>
=> GSM 11.11 =>
=> 3GPP specs
Nicolas T. Courtois, WMNC Gdansk, 11/09/09
Roadmap (2)
Functionality and Application to GSM

File system,
Commands,
Access control,
GSM: - business perspective
GSM: - security perspective
Encryption / Authentication
A demo of vulnerability of
certain Eastern European cards.
3
Some History / Business / Economics

Considerations
Where to Learn About Security?

From the Military????
Yes if we want to learn about mistakes
But actually we can learn much more from successful business
people [example: Bill Gates].
They are the modern equivalent of the medieval knights
Remember how Poland

conquered the Malbork castle
from the Teutonic Knights?
In 1457 bought it for 190 K florins.
Polish budget was 70 K / year.
Military: impossible to take.

Or
Or just
just too
too costly
costly
New Technology Business Gurus

First of all, even professional business gurus and top
managers are rather totally unable to anticipate how things
can develop with new technology business
Example: SMS
Predecessor: NMT-Text: first used in Russia, Bulgaria and
Poland, neglected in Nordic countries.
Many GSM operators started by offering this service for
free.
Never thought that SMS could earn them 1/10th of revenue it is
generating today
Moreover business considerations are very hard to separate

from the pure technology considerations.
We need to cover them.
6
GSM A Child of the Common EU Market (!)

GSM was started by France and Germany. Later Italy, UK and many other
countries joined
At that time we are talking about a cartel of state monopolists (telcos)
interested in sharing the huge cost of developing this new technology.
Effort was estimated as 10 x price of going to the moon.
Developed in Europe, and Europe alone. US systems lagging far behind
One should NOT think that anybody wanted to share their national market too..
BUT .. very importantly,

the EU commission has endorsed this project as early as in 1984 and
substantially helped to fund it too. Not without an agenda:
the GSM phones (April 1992) were the FIRST telecommunication
equipments for which it was NOT necessary to ask for homologation in
each individual country.
Before, the markets for telecom equipment were strictly national, heavily
regulated with barriers for entry and some degree of incompatibility
Creation in 1989 of ETSI = European Tel. Standards Institute

7
GSM A Monopoly Breaker?

So GSM, explicitly and from the start was
breaking the national telecom monopolies on hardware equipment (!).
It became clear that sooner or later, there will be only a few big industry
players manufacturing the phones.
Frankly, France [and UK, Italy, Germany], probably though that they would benefit
from this situation
Nobody have thought at the time that this industry will travel north (Sweden and
Finland!!!!) and finally east (China).
However, it was necessary to protect the income (for phone calls) of

national telecom operators. This remained still possible for a long time.
The business model is of national licenses (as for TV channels).
So each EU country could still protect their market.
Only big players can apply: the investment is incredibly huge.
Even bigger than running a TV station Many operators had a terrible debt
burden for up to 10 years
Key Questions:
If the phone is manufactured in a strange country (say Finland,
or China)
Q: How do we make sure that the client will pay the bill ?
Remember we are talking about a very major industry, worth
hundreds of billions of $$.
This is not a small problem:
Take another industry: computer game consoles.
The game manufacturer does NOT want his game to
pirated. Yet the console manufacturer sees his sales go to
the roof on the very day hackers found the way to
circumvent the copy protection. As a result, piracy is strong,
about 21 % for console games [source: Macrovision], and
much higher in emerging countries
9
Fact:
The fathers of GSM have adopted
a right business model and
security technologies that NEVER
were really pirated
No SIM card clones
for any major operator so far (!).
How this became possible?

It is precisely the object of this talk.
10
Adoption Barriers
The model had the right mix of very strong
forces and incentives acting in opposite
direction:
1) Subsidizing the phone and charging a lot
for communications abolished adoption
barriers: giving the phone for free or 1
like the French did with Minitel before, and
this generated billions of revenue.
11
Temporary Monopoly System

Because of this subsidy, all (still national) telecom regulators
had to agree and allow that a user would be tied for the
phone for at least say 6,12,18 months. To pay back for the
free phone.
Traditional rules of consumer protection were bent.
This created market conditions in which most people, for sure,

would be trapped into
spending MUCH more than they would want to spend, but

also
want to switch to competition in exchange of a new phone,

that obviously had to be much better so that people would
want to switch.
=> A virtuous circle of innovation.
12
****Two Markets
Phones:
Free market, perfectly competitive, high pressure
on prices, economies of scale, industry
concentrationlosers and winners.
Phone calls / subscription:
State-allocated pseudo-monopolies on each
territory? Yes:
13
market shares dont change that much with time

prices dont change that much either year after year
Encryption and Authentication in GSM

Encryption:
Done by the phone. Voice privacy.
Governments: would like to break the encryption of each

phone
Authentication:
Done by the SIM card. Billing.
Was never such a problem w.r.t. governments services

and national exportation / authorization laws that always
allowed authentication to be MUCH stronger than
encryption.
14
GSM Encryption: weak design
Ross Anderson reported in 1994 that there was a big

dispute among NATO countries whether GSM should be
strong [Germanys wish] or not.
The French design [not so secure] won.
Fatal flow in the spec shown by Biham et al. at Crypto

2003.
15
Redundant data is encrypted => allows ciphertext-only attacks.
But there is extra complexity here (extra flaws / better

protection, depending on country and operator), as will be
explained later.
The Genius in the Box

The model of the SIM card:
Two devices:
Perfect functional separation.
Very good for security.
Perfect separation of business interests, creating several

totally disjoint markets.
The telco cannot easily exclude people from using another phone
compatible with GSM specs
=> more competition on features and innovation.
16
The phone manufacturer can only lock people in for a limited time,
through SIM locks.
The Genius in the Box

Very nice both money and security-wise:
The SIM card does not NEED TO TRUST the phone,

nor its (foreign) manufacturer.
The phone does not NEED TO KNOW what security

mechanism the card using, for example what (secret)
crypto algorithm it is using
17
Security Advantages
The phone CANNOT breach the security of SIM card (in the
sense of authentication and making free calls).
Impossible.
BUT, both sides can in fact breach the confidentiality

(hidden flaws) as it was later found out
Or have better security / competitive advantage.
Remember: Crypto algorithms are:
A sensitive area of exclusive national/corporate expertise,

and strict export regulations (mostly abolished c. 2000).
Some countries spend much more on crypto research
than other.
A major source of inimitability for business today: make

sure that one product will not be copied.
Always a major defense against hackers
18
Entering the World of Secrets
19
What are Smart Cards ?

The eternal tension in the industry:
competition cooperation.
1. huge set of standards:
public bodies: ISO/IEC, ETSI, etc.

10s of intra-industry standard bodies such as
GlobalPlatform, TCG
2. many industrial/commercial/
trade/security secrets
20
Books About Smart Cards
1)
Smart Card Handbook [Germany, 2002]
2)
Smart Card Applications [Germany, 2007]
3)
by Wolfgang Rankl
LATEST BOOK [RHUL, 2008]

Smart Cards, Tokens, Security and Applications
21
by Wolfgang Rankl and Wolfgang Effing
by Keith Mayes and Konstantinos Markantonakis (Editors)
Motivation in a Nutshell
22
Key Remark
Software CANNOT be protected by software.
23
Main Function of a Smart Card =

= to be a secure hardware device.
USB interface
ISO, [USB], [RF]

ISO, [USB,RF
RF]
RF
SIM card form factor

USB Token form factor
credit card form factor
1. intelligent (Smart): the card
handles computations (e.g. crypto)

manages data (OS, file system, access rights)
takes informed security decisions (block itself !)
2. Hopefully unbreakable:
nobody can know/modify what is inside.
24
Philosophy / Model
for Security of Smart Cards
25
Why Smart Cards Are Good

Or are they?
The classical model for smart card security

[Schneier and Schostack 1999]
is about
Splitting the security perimeter:
Hardware barriers that cannot be breached by software,
slight
problem..
By the user, if it is in my pocket, it is not being hacked
And trusting the entities involved
26
Motto: Software cannot protect software.
Physical control of the card,
One entity cannot breach the other peoples security?
Companies/people involved in this business can compromise its security (backdoors etc!)
Slight Problem - Example:

The secrecy of the product spec can be:
An extra security layer,
A source of unexpected and critical security vulnerabilities
27
if hackers need 3 months more to get it,

this can be worth millions of dollars in revenue
that by the fact of being hidden
gives an utterly false sense of security.
History
28
Short Plastic Card History

1878 US fiction writer Bellamy: In 2000 everybody will be paying
by a credit card (!). Cf. Edward Bellamy Looking Backward, 2000 to 1887.
1914-1940 Metal credit cards in the US, forbidden
forbidden during
during WW2
WW2
1950 Invention of plastic money (PVC): Frank McNamara@Diners Club
[NY, USA] issues first universal plastic [charge] credit cards .
1967 First cash machines [DeLaRue] with punch cards.
1967 France: first magnetic stripe card for access control.
1972 [UK] First on-line ATM with magnetic stripe cards.
29
History - Chip Cards

1960s
1. French science-fiction book La nuit de temps by
Ren Barjavel:
A portable object/jewel that opens doors.
2. Plastic credit cards were standardized and used
since the 50s [plastic money].
1970s: 1+2 = Embedding electronic components in
credit cards: Many patents in USA, Germany,
Japan and then France.
30
Historical Patents
31
Smart Card Odyssey

Two Key Patents:
Roland Moreno [France]:
chip card [1974]
security limitations [1975]
Michel Ugon, Bull CP8:

microprocessor card [1977]
10 years ago, half of chip cards in the world

were French. Wider adoption around 2000.
32
First Smart Card - Bull CP8

Around 1980,
2 chips,
CPU+RAM,
not very secure!
CP8 = Circuit Programmable 8 bits,

Carte Puce 8 bits
33
SPOM, October 1981 - Bull CP8

Patented
NMOS 3,5 ,
42 K Transistors,
RAM: 36 bytes (!),
ROM: 1,6 Kbytes,
EPROM: 1 Kbyte
34
History of Electronic Bank Cards - in 1984:

Schlumberger pilot in Lyon, France:
a simple wired logic card
Bull CP8 pilot in Blois, France:
a microprocessor card
Gemplus
The banks adopted the Bull CP8 solution,

the fore-father of current smart bank cards (EMV).
100% in France in 1992.
100% in the world around 2010 ?
=> Close the loophole.
35
Vocabulary, Typology, Features
36
Vocabulary
magnetic stripe card carte piste magntique
IC= Integrated Circuit
ICC, chip card :
memory card
wired logic card
smart card
37
puce, circuit intgr

carte puce :
carte mmoire
c. logique cble
carte microprocesseur
[+crypto co-processeur]
More Vocabulary
card reader, CAD (Card lecteur carte
Acceptance Device)
BO card [1985-2004] carte bancaire franaise

EMV card [1996-2020?] nouveau standard
38
Types of cards
memory/wired logic
microprocessor
0 CPU
1 CPU
2 CPU
1-2 CPU
micropr.+crypto
39
Source: Gartner, 2005
contactless
Memory/Wired Logic Card
Primitive
NVM nonvolatile memory
(E2PROM, Flash
memory)
simple function
e.g. prepay card
40
Smart Card
Microcontroller =
CPU+memory
Universal, Turing
machine, software
driven
flexibility
security features
[Hardware DES]
41
Crypto-processor IC Cards
Additional cryptoprocessor for RSA

or elliptic curves
Hardware security
counter-measures
42
Contact-less Smart Card

with RF transceiver
0.1 s transaction
much less energy
even less computing
power
43
Memory on Smart Cards

ROM (hard mask: C/Assembly, contains OS,
secure file access, I/O, libraries[crypto!], JVM)
= 100 - 300 Kbytes now
RAM
= 4-16 K now
(expensive, first Bull CP8 card had 36 bytes)
NVM: (soft mask, compiled C, more libraries)

EPROM: 1980s, high voltage needed to erase it
1000 times slower
E2PROM: 8-64 Kbytes,
to write than RAM
recently 128-256 K GSM SIM.
New trend: Flash memory:
44
Much cheaper, dense and shrinkable process.

Random read, harder to manage,
hard to re-write and very slow to erase.
Spansion 2006: 1 Giga in a SIM card!
Life Cycle of a Smart Card [ISO 10202-1]

Manufacturing: [e.g. Infineon, Gemalto]
ROM <= hard mask, remove test functionality
Initialize: [e.g. Gemalto, Card Issuer]

E2PROM <= soft mask, completing O.S. install
Personalize: [Card Issuer]

Init apps
E2PROM <= data, keys etc. for an individual user!
Use it: [e.g. ATM]

issue commands (APDUs)
Death: [e.g. local bank]

invalidate the chip / destroy the card.
45
****Perso Process
46
Functionalities of Chip/Smart Cards
47
*Advantages of Smart Card
48
storage capacity
security functionalities
multiple functions
user acceptability, effective packaging
successful business model
Crypto Functionalities of a Smart Card (1)

Cardholder verification by the card.
Check PIN or biometric data.
Typically necessary to activate the crypto
capabilities of the card.
Key generation, its secure storage, safe

usage and (why not) erasure.
Encrypt data (public and secret key)
emails, files, etc e.g. PGP PKI badge
secure messaging
49
Crypto Functionalities of a Smart Card (2)

Authentication from weaker to stronger:
Integrity checks (CRC, or better: cryptographic hash).
Origin checks (storing a static signature)
Dynamic Challenge-Reply card authentication (proof of
identity, should be a Zero-knowledge mechanism).
Dynamic authentication of any data with a 3-DES
cryptogram or a MAC (symmetric-key signatures).
Dynamic authentication of any data with a real (=publickey) digital signature.
Provides authenticity and non-repudiation of every individual action
taken in a complex protocol !
Also verification: the authenticity of a terminal / external

word.
50
Smart Card Applications
51
Some Applications of a Smart Card

PayTV - Broadcast Encryption and Traitor Tracing.
First PayTV Card: Philips+Bull, 1980-81
Storing private data (emails, passwords etc)

First phone cards with a chip: [1983 Schlumberger
Tlcarte, France], [1984 G&D Telekarte, Germany],
Remark: wired logic, contact placement later changed
GSM / 3G phones
First SIM card: Gemplus 1989, MANY billions sold since
Electronic passport, ID
PKI, Belgium by Axalto.
Biometry. All passports in October 2005 !
52
More Applications of a Smart Card

Bank Cards [since 1984, Bull CP8]
Home Banking, Internet Shopping
PC access, corporate badge, secure email
PGP
Electronic purse, parking: [1996-] Proton[Be],
Geldkarte, later integrated with bank cards
First student card [restaurant, library, etc.]
First in 1988, Italy, Bull CP8
53
Smart Cards Market
54
**Actors and Value Chain
55
***2007 Market Segments

[source: eurosmart.com]
Source: Gartner, 2005
56
Industrial Standards [1]:

=> Cards
57
What is a Smart Card ?

Set of standards ISO.
cards with contacts:
ISO 7816-1..16
contact-less [later]:
ISO 14443 A-..C [Oyster]
ISO 15693 [NFC]
ISO 18000 [RFID]
58
ISO 7816-1
Size matters! Like a credit card.
59
ISO 7816-1
Physical Characteristics:
Operating temperature, humidity, etc
below are very severe requirements:
bending properties
torsion properties
(the chip can break

or take-off)
Consequences for the chip:
silicon surface 25 mm2, 0.3 mm depth

small computing power, not Pentium 4
60
Manufacturing
61
Die bonding
The chip is glued to the contact.
Connections with gold wire (20 m)
62
Encartage
Embed in a mm card.
63
Encartage
Embed in a mm card.
64
Plastic Matters
65
ISO 7816-2
Contacts
1.7 x 2 mm
[changed in 1990]
old AFNOR standard
66
ISO 7816-2
=> Freedom
67
Contact Quality
Friction force readers scratch the cards
[contacts frottants]
Landing contacts much better

[contacts atterrissants]
68
ISO 7816-2 - Historical

C1 VCC (+) C5 GND (-)
C2 Reset
C6 VPP for EPROM
C3 CLK
C7 I/O (serial port a.k.a. ISO)
C4 ???
C8 - ???
69
ISO 7816-2 Evolution@2005-2009

C1 VCC
C5 GND
C2 RST
C6 [SWP/antenna?]
C3 CLK
C7 I/O
C4 [USB]
C8 - [USB]
USB
70
USB
Samsung S-SIM
supports both+NAND+InterChip USB
ISO 7816-3 and EMV/GSM

Voltage and current supplied [I~clock freq.]:
Class A: 5 V 10% / 60 mA @5 MHz [ex. 200 mA]
Class B: 3 V 10% / 50 mA @ 4 MHz
Class C: 1.8 V 10% / 30 mA @ 4 MHz
EMV bank cards: always 5V, 50 mA
GSM cards: class A-C max current respectively:
10 / 6 / 4 mA ONLY! (heat, phone battery life).
71
Power Matters
Summary:

Bank card: 5 V, 50 mA
GSM SIM class C card (the latest): 4 mA

Even much less for contact-less cards !!!
(power supplied by an alternative magnetic field)
=>Very Low computing power !!!
In contrast: modern PC CPU up to 50 000 mA !
72
Power Matters
Summary:
Several 1000 x less power than an Intel CPU
Low surface ( 25 mm2)
Lower density (0.09 m

vs. 0.065 SOI process for recent CPUs)
8 and 16-bit CPUs for very long time

32 bits CPU only since 2003-4
73
ISO 7816-3
CLK:
transition time < Max( 0,5 s, 9% x period T)
at 1 during 40 % - 60 % of time.
The card security should block if short
impulses !
Clock speed:
First cards [1996]: 3.579545 MHz
(still@begin)
74
Clock and Maximum Computing Power Avail.

Clock speed,
1990: 3.5 MHz,
NO co-processor:
RSA-512, 2 minutes
Clock speed
1996: 3.5 MHz,
2000: 7 MHz,
2004: 60-100 MHz,
200-400 MHz today,
with co-processor:
RSA-1024 in 500 ms
RSA-2048 in 500 ms
RSA-2048 in 50 ms
RSA-2048 in 10 ms
75
I/O - ISO 7816-3

Known as ISO interface of a card: simplified UART (serial port)
Transmission of bytes:
N specified by TC1 in ATR
Time duration of 1 bit =

1 Elementary Time Unit [etu]
76
ETU
etu = duration of 1 bit, by default

1 etu = 372 / Clock frequency
Examples:
77
3.5712 MHz/372=9600 bit/s

3.5712 MHz/186=19200 bit/s
3.5712 MHz/93=38400 bit/s
3.5712 MHz/32=111600 bit/s
ISO 7816-3
Defines the ATR: answer to reset. Up to 33 bytes.
Must happen at 400 40,000 clocks after RST.
ATR = a series of bytes transmitted in order b8..b1:
TS
T0 [presence of TA1-TD1 and 0..15 historical bytes]
TA1
TB1
TC1
TD1: like T0, specifies the presence of extra objects
TA2
etc
78
ATR Structure
XOR checksum
79
TS specifies:
TS [A+8+Z bits]:
specifies the relationship between A/Z and 0/1
Z=high voltage, A=low voltage
Direct convention [Germany], where A=0, Z=1:
TS = 3B; b1:b8= A(ZZAZZZAA)Z
Inverse convention [France], with A=1, Z=0:
TS = 3F; b8:b1= A(ZZAAZZZZ)Z
80
ISO 7816-3 - Highlights

In particular ATR specifies the comm. capacities:
T=0 or T=1
half[/full] duplex
clock speed
baud rate
81
ISO 7816-3
Communication Protocols
Main two: synchronous, half/duplex
T=0 (byte-oriented, e.g. GSM SIM),
T=1 (block-oriented, e.g. bank cards)
T=14 (proprietary for German phone cards)
Recent developments:
T=2 (block-oriented, full duplex, cf. ISO 10536-4).
T=4, expansion of T=0
T=USB
82
T=CL
T=CL is used for talking to ISO 14443A/B
cards with APDUs translated by the reader
(totally hides the RF interface from the
programmer, the card seems to be a card
with contact!)
83
T=0 or T=1?
Remark:
T=0 (byte-oriented)
parity bits only
T=1 (block-oriented) is more modern.

More error detection too: parity +
each block also has a CRC.
84
ISO 7816-3
Baud rate:
1996: 9.6 K bit/sec default, @beginning.
Then: 115 K bits/sec
Outdated by Axalto patent: USB smart card:
First Axalto USB: 700 K bits/sec
Full-speed USB up to 12 Mbit/s [since 2005].
Not USB 2.0., it is just USB 1.0. full-speed.
85
Example of GSM SIM ATR

3B894014474732344D35323830
Decoded:
TS= 3B => direct encoding
T0= 89= 1000ll1001 => TD1 + 9 historical bytes
TD1= 40= 0010ll0000 => TC2 present and protocol is T=0
TC2= 14= 0001ll1110 => waiting time 14 * 100 ms
T1T9: 47ll47ll32ll34ll4Dll35ll32ll38ll30 =>
GG24M5520 (these are the 9 historical bytes, sort of unique ID of this SIM card)
86
ATR - More Examples

"3B8F8001804F0CA000000306030001000000006A"
=> "Philips MIFARE Standard 1 K and London Oyster card
3B6500009C02020702"
=> US Department of Defense Common Access Card,
Axalto Cyberflex Access 32K V2, Sun Microsystems employee card
"3B898001006404150102009000EE"
=> "German e-Passport April 2007",
"3B6D00000031C071D66438D00300849000"
=> HSBC MasterCard
"3F6525082204689000"
=> "France Telecom card
"3F65250052096A9000"
=> "French carte Vitale",
"3BEF00FF8131FE4565631104010280000F274000030100E1"
=> German Postbank Geldkarte",
"3FFF9500FF918171A04700444E415350303131205265764230423A"
=> "NagraVision card for StarHub Digital Cable DVB-C Singapore",
87
Industrial Standards [1B]:

=> Other Form Factors
88
Form Factors and Interfaces

USB interface
ISO, [USB], [RF]

ISO, [USB,RF
RF]
RF

a.k.a. ID-000
credit card form factor, a.k.a. ID-1
RF]
ISO, [USB,RF
RF
ISO, [USB,RF
RF]
RF
VISA-mini a.k.a. ID-00
89
3FF - [telecom, not widely used]
Dimensions
90
Industrial Standards [1C]:

=> Contact-less
91
Comparison
92
Antenna
large loop antenna
93
Embedding the Antenna

Must be a LARGE coil
SIM card: must be external

(NFC enabled
mobile phone)
94
Double/Triple Interface Cards

ISO, RF
ISO, USB, RF
E.g. corporate badge

Functionalities:
Enter doors,
PC log-in,
PGP decrypt and sign
Adopted worldwide, e.g. U.S. Army

95
Low-Level and Physical Security
96
Main Function of a Smart Cards =

= to be a secure hardware device.
USB interface
ISO, [USB], [RF]

ISO, [USB]

credit card form factor
1. intelligent (Smart): the card
handles computations (e.g. crypto)

manages data (OS, file system, access rights)
takes informed security decisions (block itself !)
2. Hopefully unbreakable:
nobody can know/modify what is inside.
97
Remark:
There is no defense against an adversary that
has several millions of
98
Removing the Chip
99
Some Firms Make it Harder:
Oberthur Potting claims:

improves durability [harder to break]
any attempt to remove the module from the
card would result in totally destroying it
100
Reverse Engineering
101
Open-source Closed-source
Industry: competition cooperation
Standards

Industrial/commercial/trade/security secrets
102
*Open Source vs. Closed Source
103
Kerckhoffs Principle
Dutch cryptologist, wrote his book in French.
In June 2006 Dutch researchers De Gans et all, have
published several cloning attacks on MiFare
Classic chips [London Oyster card + 200 M other].
[first cloning attack: Courtois, Nohl and ONeil, April
2008].
104
Kerckhoffs principle: [1883]
The system must remain

secure should it fall in
enemy hands
105
*Remark:
Smart Cards:
They are already in enemy hands
- even more for RFID
106
Kerckhoffs principle: [1883]

Most of the time: incorrectly understood.
No obligation to disclose.
Security when disclosed.
Better security when not disclosed???
107
Yes (1,2,3):
1. Military:
layer the defences.
108
Yes (2):
2)
Basic economics:
these 3 extra months
(and not more )
are simply worth a

a lot of money.
109
Yes (3):
3)
Prevent the erosion of profitability
/ barriers for entry
for competitors /
inimitability
110
Kerckhoffs principle is kind of WRONG

in the world of smart cards
Reasons:
side channel attacks are HARD and COSTLY to
prevent when the algo is known
in some applications, for example Pay TV the
system is broken immediately when the
cryptographic algorithms are public.
111
*Silicon Hacking
112
Tarnovsky Lab
Only few thousands of dollars of equipment
113
Tarnovsky (and Other Professional Chip Hackers)

Few thousands of dollars of equipment
Surface polishing
HydroBromic acid to eat away the passivation layers
A microscope for pictures:
the successive layers of silicon are revealed with acids and
lasers
Doping guns to cut/add traces to a working IC
Stinger: bypassing the protections with long microscopic needles.
114
More Expensive:
Atomic Force Microscope

(20 K - 1 M)
FIB device
(Focused Ion Beam, 0.5 M)
Canal+ Technologies Lab
115
FIB:
Example resolution: 10 nm
Classical applications: failure analysis of ICC
But also: circuit modification:
Local material removal:
cutting metal lines, milling, gas enhanced
etching
Local rebuilding/rewiring of the device

new metal interconnects
new insulating layers
Fine tuning of analog components:

decrease/increase R or C
Reading (electron image)
Art: writing on the nm scale:
116
Clear and Present Danger

Reverse engineering is NOT that hard.
No no need for a FIB device
(Focused Ion Beam, 0.5 M).
A few thousand dollars microscope will suffice.
117
Reverse Engineering MiFare [Nohl, Plotz, 2007]
118
Hardware Defences
119
Hardware Countermeasures:
Make the life of the hacker much harder.

Financial sector requirements:
attacks should cost more than
say 25 K$ per card
120
Functionality + Security
121
Hardware Countermeasures
Detection:
Detect under/over-clocking (stop
(stop the
the clock,
clock, read
read the
the
RAM)
RAM)
Random instructions, and Random Wait

States [e.g. Infineon SLE66].
Detect low/high voltage [<2.3 V or >6.3 V].
Glitch/spike detect
Detect UVs, light, alpha particles, high/low
temp etc.
122
Intrusion Detection
123
More Hardware Countermeasures

Shield/coating.
Detect if passivation layer was removed.
R/C measurements.
Metallic layer: screens for charges/radiation.

Needed and monitored:
R/C measurements.
Active shields=detect tampering with.

Mesh of wires: prevents probing, attacks with a
laser cutter, etc.
Chemical traps: SiShell [Axalto patent].
124
Active Shield
Source:Infineon. Problem: back side attacks.
125
**Intrusion Detection on PEDs (Pin Entry Device)

Anderson et al.
UCAM-CL-TR-711
2/2008
this way
not this way
works!
126
Design Obfuscation
Restricted circulation of specs.

Non-standard instruction set.
Custom crypto algorithms.
ROM and busses in lower layers of silicon.
Only ion-implanted ROM is used, not visible with UV light.
Scrambling the data busses.
in each chip different lines, on certain chips the busses location changes during the execution of the code.
Dummy structures in silicon.

Duplication
Symmetry -> same power consumption.
Memory Obfuscation:
Encrypt the memory addresses.
Encrypt the memory data.
127
Robustness and Redundancy

Goals:
Avoid perturbation at logical level:
Control bits, error correcting
Dual logic, also protects against power attacks.
Detect perturbation at the OS and software level

and block the card
Data checksums,
Redo DES twice,
Etc..
Security of file system and OS: later.

128
More and Higher-Level

Security Countermeasures
129
Motivation:
Most Bank Cards have a PIN verification
function.
PIN
not encrypted except in some EMV DDA cards
Y/N
not authenticated except in EMV DDA cards
130
Critical Bits and Pieces

Example: PIN verification.
Can be implemented in asynchronous logic
[dedicated transistors/gates]
much lower power consumption,
in a lower layer and much harder to localize
require a dedicated hardware attack as apposed
to a generic attack on CPU registers, busses,
loading to memory, etc..
131
PIN code Simple Hacker Attack [1992]

Enter the PIN with a home terminal.
Listen to card radiation/power consumption to
detect early in time that it was wrong.
Switch the voltage off very quickly.
Countermeasure [used in all bank cards]:
Increment the ratification counter first
Check the PIN
The decrement it(!).
132
Timing Attack on PINs

[old, worked before c. 1990]
Bad programming: compare PIN digits one
after one, if first is incorrect, abort!
Good programming: write a program such
that the execution time is constant.
133
PINs and Keys Storage in RAM

E2PROM of the smart card: assume
addresses and data are encrypted.
Attack 1: read it (assume its possible)
Solution 1: store h(PIN)?
Attack 2: dictionary attack.
Solution 2A: store R, h(PIN,UID,R)

Solution 2B: store R, E_K(PIN,R)
where K is a key specific to this card only
134
Protocol/Software Countermeasures
Typically, the chaining of commands is
strictly controlled. Each command can be
issued only once, and in a certain order.
Assured by a finite state machine.
Example: dont accept commands in clear-text
once secure messaging is established.
The spec should not allow buffer overflows.
135
***Example: Conformity Test

The test verifies the enforcement of Secure
Messaging:
Afterwards the chip denies to send data in an
unencrypted way and answers with 6X XX
(error).
Not enough: make sure that the same error
code is sent in the same situation!
136
Example:
Eric Poll [Nijmegen] Attacks on e-passports.
Send various ISO commands, observe the error messages:
137
Clone Attacks
138
More Hardware Countermeasures

Unique serial number
Written in WORM (Write Once Read Many)
a.k.a. OTP (One Time Programmable).
Example: Oyster card UID=32 bits
Benefits are:
clone harder to make
can blacklist all similar cards
card-dependent memory encryption and
hashing
139
Threats (1.)
Assume that we have all the data. Clone the card?
1.
Card Emulation on a card defenses:
unique ID, cards that can be personalized not available =>
requires a special re-programmable card,

or a pirate emulator
-speed, +size, +cost, etc.
140
Threats (2.):
Assume that we have all the data. Clone the card?
1.
Card Emulation on a card ???
2.
Card Emulation on a PC!
141
Low-tech,
always
works!
142
Threat 3. Relay Attack
No Need to Break
Anything !!!
Economics Aspects
143
*Cost of Some Attacks [source: RFI Global]
144
*Cost of Fault Attacks [source: ST]
145
Security Management the Development Process
146
Secure Hardware Dev. Management

[In smart cards] one design criterion differs from the criteria used
for standard chips but is nonetheless very important is that
absolutely no undocumented mechanisms or functions must
be present in the chip ('that's note a bug, that's a feature').
Since they are not documented, they can be unintentionally
overlooked during the hardware evaluation and possibly be
used later for attacks.
The use of such undocumented features is thus strictly prohibited
[...]
[pages 518-519 in the Smart Card handbook
by Wolfgang Rankl and Wolfgang Effing, 1088 pages, Wiley,
absolute reference in the industry]
147
Testing
White-box tests are prohibited, no debugging commands
must be left in the hard-mask and soft-mask.
Tests must be black-box tests and test suites include
scanning for hidden [debugging] commands.
148
Application Development Management

Goals:
Avoid backdoors, Trojans, covert channels, bugs
etc.
Kleptography: techniques to leak keys to the
attacker,
form of perfect crime.
Means:
Segregation of duties.
Monitoring.
149
Segregation of Duties
Never one developer works alone on an
application.
he knows only some parts of the spec (partial
secrecy, need to know).
Some critical security mechanisms can be

distributed: part in hard mask(ROM), part in
soft mask, harder to know both
the chip manufacturer does NOT have the full
spec either.
150
Monitoring / Checks and Balances

Internal quality and security audits within each company.
The entire source code is frequently inspected by an
independent company:
government agency [DCSSI in France] or
an evaluation (or hacker) lab [such as CEA-LETI]
mandated and paid by the customer [to avoid conflicts of interests].
Some countries have a process to evaluate these labs (they have to
prove that they can break smart cards as well as other people do).
External security audits (auditor from the customer: large

bank).
151
File System
152
Data in smart cards

Think about sequences of bytes.
BER-TLV conventions [ISO 8825]
T Tag, for example 90 in hex.
L 1 or 3 bytes. Let L[0] be the first byte
MSB(L[0])=0,
MSB(L[0])=1,
L[0] = length 0-127,

L[1-2] = length 0..65535
V value, a string bytes.
TLV objects can be nested !

153
ISO 7816-6
Specifies how to encode different data
elements as BER-TLV objects,
For example:
Name of the credit card holder
Expiration date
Etc.
154
ISO 7816-4
File names FID:
2 bytes
example: 3F 00
Short file names (SFID):
5 bits, 1..30, used as
a parameter in certain
commands
155
ISO 7816-4
MF: Master File
(root directory 3F00)
DF: Dedicated Files
(directories+some data)
EF: Elementary Files
(data files)
156
Elementary Files
EF: Elementary Files
Not all files are visible for applications(!)
Internal EF: card private files, card O.S. only can
see them
Working EF: data accessible to applications that
communicate with the external world.
157
Example: GSM Card [incomplete picture]

(cf. 3GPP TS 51.011
standard)
158
Some Directories in a GSM Card

Important directories:
root directory : 3F 00
DFGSM = 7F 20
DFTELECOM = 7F 10.
First byte:
'3F': Master File;
'7F': 1st level Dedicated File
'5F': 2nd level Dedicated File
'2F': Elementary File under the Master File
'6F': Elementary File under a 1st level Dedicated File
'4F': Elementary File under 2nd level Dedicated File
159
ISO 7816-4 Files (EFs)

4 types
like RAM, or a
string of bytes
160
records, with specific instructions and applications
2 Types of Fixed-Size Entry Records

Header
Record 1
2 types of records:
Record 2
Body
.
.
Linear Fixed file
Record n
Like a list
Structure of a linear fixed file
Cyclic Fixed file:

Motivation:
fixed E2PROM size, scarcity
Header
Record n-1
Body
Applications:
Bank card history
e.g.150 last transactions
161
all SMS sent/received

etc..
Record n
Oldest record
Record 1
Last updated record
Record 2
.
.
Record n-2
Structure of a cyclic file EN726-3
GSM Card: Some Files Inside DFGSM
EFIMSI (6F07)
Le fichier EFLOCI (6F7E) contains TMSI, LAI etc.
EFLP(Language preference)
EFKc = Ciphering key Kc + sequence number
EFSST (6F38) = SIM service table = 1byte = [s1present, s1active, ]
= services present/not active/not in this card, these are:
162
Service n1 : disable users PIN == CHV1

Service n2 : Abbreviated Dialing Numbers (ADN)
Service n3 : Fixed Dialing Numbers (FDN)
Service n4 : Short Message Storage (SMS)
EFACM = Accumulated Call Meter, in units

EFMSISDN = the subscribers MSISDN.
etc..
present in
DFTELECOM
Some Files Inside DFTELECOM

This directory is protected by PIN(!)
EFADN(6F3A) your short phone directory (10 entries),

EFFDN(6F3B) your phone directory
EFSMS(6F3C) all the SMS received and sent, cyclic file
Header
Record n-1
Body
Record n
Oldest record
Record 1
Last updated record
Record 2
.
.
Record n-2
Structure of a cyclic file EN726-3
163
File Access and

Access Conditions
164
Accessing Files: SELECT FILE FCI/90 00

General philosophy:
Almost always one must select a file before any operation on it (MF is
selected at the start)
SELECT FILE + params
Response: either:
90 00
FCI = File Control Info = status of the file selected,
exact spec [attributes and their encoding]: depends on the smart card, e.g. GSM.
STATUS command (C0 F2) - GSM specific:

allows to know (to avoid confusion) what file was selected with the last
SELECT command.
165
Variants
There are MANY methods to address a file with SELECT FILE:
by 2 bytes FID (for MF, DF and EF)
0_ A4 00
By DF name or AID (for DF only or an application)
0_ A4 04
0_ A4 02
by absolute path from MF
0_ A4 08
by a relative path from current DF
0_ A4 09
Switch
Switch to
to higher
higher level
level DF?
DF? (equiv
(equiv to
to ../
../ in
in PC
PC OS)
OS)

another
another DF
DF when
when partial
partial AID
AID is
is transferred?
transferred?
166
Examples: SELECT FILE

1. Example of a SELECT FILE with FID and FCI, for a GSM card:
Command: A0 A4 00 00 02 6F 07
GSM card
SELECT FILE
empty params.
length + FID == file identifier on 2 bytes

6F 07 = IMSI file of this SIM card
Response: This command returns the FCI.
2. Example of a SELECT FILE with AID and no FCI (widely used for
accessing files AND applications by their unique identifier):
Command: 00 A4 02 00 05 [AID]
ISO command
SELECT FILE
167
specific params.
length + AID, if no ambiguity, a prefix

of a valid AID can also be accepted
FCI and Access Conditions for EF files
168
Status of EF Files
SELECT FILE command for an EF file
=>returns:
1. an error command:
62 83 file deactivated
64 00 execution error
6A 81 function not supported
6A 82 file not found
etc..
OR
2. an FCI (File Control Information) + 90 00
(each EF file in a card has specified access conditions):
169
FCI (File Control Information) for EF files

May contain (examples, mostly optional)
80+2 bytes: size of the file
82 + 2 bytes: file descriptors, e.g.
shareable/not
type of file: DF/working EF/internal EF
EF structure
170
83 + 2: file identifier.
84 + 1-16: DF name.
86 + security attributes (proprietary coding).
etc..
*FCI Attributes [contd.]

86 + security attributes (proprietary coding).
Files can be:
WORM (Write Once, Read Many time)
implemented in hardware or software
EDC (Error Detection Code)

atomic write access
Security: must written entirely or not at all (!!!)
multiple storage attribute

for frequently used files in the card, wear-level usage of E2PROM
data transfer selection attribute

on dual-contact cards, to make file accessible only via contact or
contact-less interface
171
Examples of FCI
Not 100% compatible, depends on products
6F 07 80 02 00 58 82 01 01 90 00
EF with transparent structure, file size: 88 (0x0058)
Example of GSM FCI (22 bytes = 0x16):

00 00 00 01 7F 20 02 00 00 00 00 00 09 91 00 11 08 00 83 8A 83 8A
Can
Can be
be decoded
decoded according
according to
to GSM
GSM spec:
spec:

Byte
Byte 14:
14: The
The most
most significant
significant bits
bits of
of is
is 00 ifif an
an only
only ifif PIN1
PIN1 is
is disabled.
disabled.

Byte
Byte 19
19 == is
is the
the "CHV1
"CHV1 status
status..
Typically
Typically the
the value
value of
of this
this byte
byte is
is '83'
'83' where
where 88 means
means that
that the
the PIN1
PIN1 has
has been
been
initialized,
initialized, and
and that
that there
there are
are 33 cardholder
cardholder verification
verification attemp
attempts
ts left
left for
for this
this
PIN.
PIN.
172
Files Security Status
173
Security of Files in Directories

Security status of a file results from the sequence of commands
performed (e.g. authentication of entities) and their results. It can be:
Global: may be modified after a completion of a certain authentication
command (or other secure functionality),
Examples (studied later):
VERIFY + PIN,
GET CHALLENGE + EXTERNAL AUTHENTICATE)
only if the commands are embedded inside SECURE MESSAGING channel (normal APDUs
with encryption AND authentication with a MAC)
a secret key/value stored in the MF is used to perform this cryptographic

command.
File-specific,
then the key/PIN used is stored in the same DF.
File-specific (EF).
Command-specific and ephemeral.
Example:
174
Security of Files in Directories

Example: Access conditions for a given file
+ given access mode (e.g. WRITE):
PRO: An external command can write a file if the MAC of this command is valid.
AUT: File accessible R/W if the terminal authentication have been done before.
CHV: This file can be read if the user have entered the Pin and if it was correct.
CHV2:
CHV2: The
The same
same with
with the
the second
second PIN
PIN (exists
(exists in
in GSM).
GSM).
ADM:
ADM: requires
requires the
the admin
admin code
code number
number (up
(up to
to 14
14 exist
exist in
in GSM,
GSM, Telc
Telcooss access)
access)
NEV (access to some files can be disabled forever)
ALW (always), public access (at least in this mode, e.g. READ).
Other conditions may exist in a specific card
175
Security and Access to Files:

Example [root directory]:
176
MACs = Secret-Key Signatures

m
MAC
algorithm
yes/no
(m,)
MAC
algorithm
forgery
177
sk
sk
(secret key)
(secret key)
*Example how a card will enter mode PRO:

Terminal
Card
ASK RANDOM
command
Challenge
generation
Challenge
PRO key
(T)DES
calculation
Cryptogram
Data to
sent
Challenge
EF key
Data
PRO Key
PRO command
Data + cryptogram
Received
bytes
Data
Received
Cryptogram
(T)DES
calculation
Compare the
cryptograms
Delete flag random
present
Decrease
ratification counter
OK
?
Y
Reset ratification
counter if needed
Bad Authentication
PRO mode OK
178
*Example entering mode AUT:

Terminal
Card
ASK RANDOM
command
Challenge
generation
Challenge
Terminal
Key
(T)DES
calculation
AUT mode
Certificate
EXTERNAL
AUTHENTICATE
command
Key number
+
Cryptogram
EF key
Key
number
Received
bytes
Card Key
Cryptogram
Compare the
cryptograms
Delete flag random
present
Decrease
ratification counter
Bad Authentication
OK
?
Reset ratification
counter if needed
Authentication
successful
179
(T)DES
calculation
AUT mode
Commands (APDUs)
180
Commands - ISO 7816-4

APDU = Application Protocol Data Unit
Master-slave principle. Half-duplex.
The card never starts anything.
181
ISO 7816-4
APDU = Application Protocol Data Unit
CLA = 1 byte, identifies the application

INS = 1 byte, instruction code
Lc = size of data, 1 or 3 bytes
Le = size of the expected answer, 1-3 bytes.
182
CLA byte and Logical Channels

CLA is 1 byte that:
identifies the application
so remains constant (though 1 application can have several channels),
is an indication to what extent the command and the response complies with
ISO 7816-4
Examples: 0X standard ISO, A0 in GSM,
80 e-purse EN1546-3, BC old EMV bank cards,
80 and 84: EMV bank cards 8X: proprietary commands
CLA=0X, 48X and 9X, AX use so called logical channels:
Let X=b4b3b2b1
b4 b3 indicate if Secure Messaging is used and if the command header is
also authenticated
b1 b2 indicate the number of logical channel 0..3
Application: concurrent communication with multiple applications (or concurrent
execution of multiple tasks). Example: mobile phone talking to phone book
another application [can be Java] stored on the SIM card.
183
Command APDUs
Lc = size of data, 1 or 3 bytes

Le = size of the expected answer, 1-3 bytes.
4 cases
184
C-APDU INS Examples

When CLA=0X
0E
20
70
82
84
88
A4
B0
B2
C0
C2
CA
D0
D2
D6
DA
DC
E2
185
Erase Binary
Verify
Manage Channel
External Authenticate
Get Challenge
Internal Authenticate
Select File
Read Binary
Read Record(s)
Get Response
Envelope
Get Data
Write Binary
Write Record
Update Binary
Put Data
Update Record
Append Record
Response = R-APDU
Response structure:
SW1: 90=completed/
OK with warning/
error during exec/
checking error;
?NVM changed[63,65]
SW2: error number
90 00 = All OK
186
IMPORTANT:
In many cases, and in all cases where the size
of the answer is not known in advance,
The response is NOT given,
the terminal must ask for it
(another C-APDU).
Example (for a bank card):
187
5 Possible Cases:
Case 1: No input data/no output data
Case 2: No input data/Output size known in advance:
Case 3: No input data/Output size not known:
188
Case 3: 2 x C-APDU, 2 x R-APDU:

Terminal
Card
Command APDU
ACK = 9000
Data
wait for completion
2 status bytes
Request the Answer APDU
ACK = 9000
wait for completion
Data
2 status bytes
189
[] 5 Possible Cases
Case 4: Input data/no output:
Case 5: Input data/Output size known or unknown:
190
ISO 7816-4 Inter-industry Commands

For transparent linear files:
*VERY SPECIAL:
as E PROM is 1000 times
slower to write than RAM,
READ BINARY
and it is the change from
01 that is slow (requires
erasing)
WRITE BINARY*
Thus the command WRITE
performs a logical AND
the current file
UPDATE BINARY = real WRITE withcontent!!!!
ERASE BINARY
SEARCH BINARY
2
191
Syntax: Read/Write
READ BINARY
UPDATE BINARY (overwrite)
192
ISO 7816-4 Inter-industry Commands

For records (2 types):
READ RECORD
WRITE RECORD
APPEND RECORD
UPDATE RECORD
APPEND RECORD
SEEK
SEARCH RECORD
193
ISO 7816-4 standard commands

For application-specific data objects.
GET DATA
PUT DATA
194
Security Commands
195
Read/Write => Secure Read/Write, CLA=04
196
ISO 7816-4 Security Commands

Authentication
Card Holder => Card
VERIFY + password/CHV/PIN
BTW. CHV == Card Holder Verification == PIN
Example: 00 20 00 00 04 70 61 70 61
no L_e, no data in reply
expected, result will be visible
in two status bytes SW1SW2
CLA
INS
authenticates the
whole MF if b7=0,
PIN stored in MF
must be 0
197
4 bytes
password
= papa)

Authentication
Card => Terminal
INTERNAL AUTHENTICATE + random challenge

algo nb. + key nb.
Produces a cryptogram/MAC, proves the identity of the
card.
Example: 00 88 00 00 04 A3 02 AF D1 04
the reply should be 3
digits/bytes too
authenticates the
whole MF if b7=0,
key stored in MF
CLA
INS
crypto algo nb.
198
random challenge
on 4 digits

Challenge-Response Authentication:
Terminal => Card
GET CHALLENGE
EXTERNAL AUTHENTICATE
+ algo nb. + key nb. + cryptogram
199
Example:
GET CHALLENGE
Example: 00 84 00 00 10
CLA
INS
both are 0
LE = it expects 16
digits random
EXTERNAL AUTHENTICATE
Example: 00 82 00 00 04 01 02 03 04
no data to recover in reply,
OK/not OK seen as 2 status
bytes.
authenticates the
whole MF if b7=0,
key stored in MF
CLA
INS
crypto algo nb.
200
our cryptogram on
4 bytes

Mutual Authentication:
Terminal <=> Card
The sequence:
GET CHIP NUMBER
GET CHALLENGE
MUTUAL AUTHENTICATE + params
201
Encapsulation of ISO 7816-4 Commands
Commands and answers contain another

embedded APDU command (or part of it):
GET RESPONSE for an embedded
command
ENVELOPE sent an encrypted APDU
Example: 00 C2 00 00 10
no data to recover in reply,
only 2 status bytes.
CLA
INS
202
both are 0
some data,
length 16
Some More GSM Commands (CLA=A0)
CHV1=user PIN
CHV2=second PIN
203
Concrete Example:
Your Own GSM Card
204
Some Directories in a GSM Card

Important directories:
root directory : 3F 00
DFGSM = 7F 20
DFTELECOM = 7F 10.
First byte:
'3F': Master File;
'7F': 1st level Dedicated File
'5F': 2nd level Dedicated File
'2F': Elementary File under the Master File
'6F': Elementary File under a 1st level Dedicated File
'4F': Elementary File under 2nd level Dedicated File
205
How To Access These in Practice?

We use very basic open-source software
(and all it does to call function of Microsoft smart
card API, which are implemented inside
winscard.dll, included in every version of windows)
Spring Card tools:
Quick install:
http://www.springcard.com/download/usr/sdd4c0-ae.exe
This program installs 3 different working tools,
we use C# Scriptor here.
206
Minimal GSM Phone Call:

The VERY strict minimum in fact thousands of
commands can be exchanged in modern
phones
1. Select the le DFGSM directory.
2. Verify the PIN (not needed if PIN inactive).
3. Run the GSM algorithm to obtain cryptographic
keys for the authentication and encryption during
the current phone call.
207
Minimal GSM Phone Call:

1. Select the le DFGSM directory.
208
SELECT FILE
1. Example of a SELECT FILE with FID and FCI, for a GSM card:
Command: A0 A4 00 00 02 7F 20
GSM card
SELECT FILE
empty params.
length + FID == file identifier on 2 bytes

6F 07 = IMSI file of this SIM card
Response:
This command returns the FCI.
Well not quite. Done in 2 stages:
209
Details:
210
Decoding This FCI

Example of GSM FCI (22 bytes = 0x16):
00 00 00 01 7F 20 02 00 00 00 00 00 09 91 00 11 08 00 83 8A 83 8A
Can be decoded according to GSM spec:

Byte 14: The most significant bits of is 0 if an only if PIN1 is disabled.

Byte 19 = is the "CHV1 status.
Typically the value of this byte is '83' where 8 means that the PIN1 has been
initialized, and that there are 3 cardholder verification attempts left for this
PIN.
211
Verifying the PIN in GSM

Authentication
Card Holder => Card
VERIFY + CHV1
Example: A0 20 00 01 08 33 37 37 36 FF FF FF FF
CLA
=GSM
here b7=1
INS
must be 0
212
no L_e, no data in reply

expected, result will be visible
in two status bytes SW1SW2
8 bytes PIN
in ASCII
3776 +
FF FF FF FF
Answer Codes:
Card Holder => Card
VERIFY + CHV1
A0 20 00 01 08 33 37 37 36 FF FF FF FF
Reply:
9000 - the PIN is correct
9802 - CHV is not initialized
9808 - in contradiction with CHV status (inactive PIN!)
9810 - in contradiction with invalidation status)
9804 - unsuccessful CHV verification, at least 1 attempt left
9840 - unsuccessful CHV verification,
no attempt left or this CHV is blocked now
213
Beware:
Danger:
After 3 presentations of an incorrect PIN (that can be in
different sessions, this counter is preserved in non-volatile
memory) the card will be blocked (but can be unblocked
with UNBLOCK CHV function).
However if the PIN is correct, the counter for the number of
CHV attempts will be reset to 3.
214
GSM Security
GSM Operator
Authentication Center
precomputed triples:
(RAND,SRES,Kc)
SIM card
Ki
challenge RAND
Signed RESponse (SRES)
A3
A3
SRES
SRES
A8
Fn
mi
A8
Kc
Kc
A5
Encrypted Data
Mobile Equipment
215
Ki
are = ?
Base Station
A5
Fn
mi
SIM Card Side

Triples RAND, SRES, Ki
are stored in BS
secret key
Data with redundancy:

terrible mistake
216
data block of 114 bits.
Running the Secret Algorithm (with secret key)

Both remain secret
at all times.
Custom-made!
217
Authentication Algorithms
Some operators used COMP128 v1, the default algorithm.
Very bad, there are several attacks
[Briceno,Goldberg,Wagner].
Some never published attacks existed only in a form of an
exe file, better than any published attack less queries to
the card!
Ive developed such attacks myself, they were never published
(sorry).
Gemplus patented and commercialized a strong key solution
Encryption Algorithms
In the phone.
218
Embarrassing Discovery
What was discovered before [SDA-Berkeley 04/98].
Keys generated were not 64 bits.
10 bits fixed to 0 => 54 effective bits.
The limitation was implemented in both AuC (authentication

Centers) and in SIM cards.
Later most operators have, by now, increased the size of
their keys to 64 bits (also changing the algorithms or not).
It appears that the key is 64 bits starting from COMP 128 v3 and also
in most recent proprietary algorithms.
But one should check if they did!
Lets do it.
219
Embarrassing Discovery
Keys generated by typical UK and French cards

(Ive checked many):
64 bits.
Key in Polish Orange card: 64 bits.
All Chinese cards checked: 64 bits.
Card bought in Russia in 2007 (operator = MTC):
54 bits only
What about Estonia, member of the EU?

I went to Estonia this year (2009).
Bought a SIM card from simpel:
The key also is restricted to 54 bits.
The weakest GSM keys in the EU
220
Smart Card O.S.
221
Modern Multi-Application O.S.

MULTOS
originally developed for e-purse Mondex [UK]
High level of security, EAL6 for some chips
Open Platform
promoted by Visa et al.
JavaCard
popular in GSM
banks never wanted 3rd party applications on their
cards problems: branding, ownership, risks
Windows for Smartcards

commercial fiasco, abandoned
222
Further Smart Card Standards
223
ISO 7816-5
Specifies AIDs (Application IDentifier)
16 bytes (128 bits)
[RID(5)+PIX(0..11)]
RID: Registered Application Provider
PIX: Proprietary Identifier Extension
Can uniquely identify one smart card application.

Also used to identify files in the smart card.
224
*Accessing Files and Applications by AID: SELECT FILE

As for files, applications are selected by the same method with
an APDU XX A4 to select a file by its AID: Example:
00 A4 02 00 0E 31 50 41 59 2E 53 59 53 2E 44 44 46 30 31
ISO command
specific params.
length + AID, "1.PAY.SYS.DDF01"
SELECT FILE
Response: 90 00 if all OK
225
RID: Registered Application Provider

Examples:
A0 00 00 00 87
3GPP (3G USIM application)
A0 00 00 00 09
ETSI (e.g. GSM SIM with Java)
226
ISO 7816-12 12/2005

USB on smart cards!
Two versions, still evolving
Bridge the connectivity gap between PCs
and smart cards!
227
Standards
PC/SC: communication between Ms
Windows and smart card readers
[developed in 1997]
Microsoft Cryptographic API (CryptoAPI).
228
enables application developers to add cryptography and certificate management functionality to

their Win32 applications without knowing anything about the hardware configuration
Smart Cards under Linux?

PC/SC works and has drivers under Linux too.
Libraries? check out
M.U.S.C.L.E. at www.linuxnet.com
OpenSC library
Etc
229
Standards
JavaCard [later].
OCF [OpenCard Framework]: a Java-based set of APIs for smart
cards
JavaCard 2.2
ISO 15408: product evaluation

derived from the common criteria
230
Mobile Phone Card Standards
231
***GSM Phone Card Standards
GSM 11-11: specifies the standard SIM-ME interface

GSM 11-14: more: SIM Application Toolkit
GSM 03.19: API JavaCardTM for programming SIM cards
GSM 03.40: how to implement Short Message Service
(SMS) in Point to Point (PP) mode
GSM 03.48: security mechanisms for the SIM card
application toolkit
232
***3G Phone Card Standards

TS 51.011: specifies the 3G SIM-ME interface
ETSI TS 102 221: terminal-card physical and logical
characteristics
3GPP: 31.101 V4.0.0, 31.102 V4.0.0 (Release 99)- 3G
cards (W-CDMA)
3GPP2-C00-1999-1206-1208: specification of RUIM
modules for CDMA 2000
233
3G Phone Security Standards

Principles, objectives and requirements
TS 33.120 Security principles and objectives
TS 21.133 Security threats and requirements

Architecture, mechanisms and crypto algorithms
TS 33.102 Security architecture
TS 33.103 Integration guidelines
TS 22.022 Personalization of mobile equipment
TS 33.105 Cryptographic algorithm requirements
TR 33.900 A guide to 3G security
TR 33.901 Criteria for cryptographic algorithm design process
TR 33.902 Formal analysis of the 3G authentication protocol
TR 33.908 General report on the design, specification and evaluation of

3GPP standard confidentiality and integrity algorithms
Document 1: f8 & f9
Document 2: KASUMI
Document 3,4: test data

Lawful interception
TS 33.106 Lawful interception requirements
TS 33.107 Lawful interception architecture and functions
234
JavaCard
Write Once, Run Anywhere
235
Motivation
Portable code, hardware-independent
Time to market: add new applications
to the card at any moment!
Easier to develop
Open platform,
=> specs of smart card chip are usually confidential(!!)
Third party applications => much more security needed!!!

Hide the smart card OS and resources from the developer [not
trusted]
Java language has inherently better security
Much of current application insecurity comes from C language
[exceptions, printf, goto, buffer overflow etc..]
Provide built-in security for developers

Cons: slow + expensive
236
History
Java Card 1.0: Schlumberger. APIs only.
Later, Bull+Gemplus+Schlumberger formed
the Java Card Forum.
+ Sun Microsystems => develop Java Card
2.0.
Still a SMALL subset of JavaTM
Some 2 billion Java cards to date
(mainly in GSM)
237
Working Principle [source: Sun website]
238
Communication
Special subset of APDUs [ISO 7816-3..4] are used.
239
Conclusion
240
Future:
Insecure software, hackers =>
One Cannot live without Smart Cards or some
other secure portable hardware device.
Bill Gates recognized it publicly in 2005
241
Major Problems
cost effectiveness
adoption of new technology
which standards will win? a very tricky game
242
How Secure Are Smart Cards?

There is no better technology on this planet.
Succeeding requires tamper-proof hardware. But
no security professional will speak of tamper-proof devices,
as opposed to tamper-resistant ones.
Security is a matter of economics, and not just technology.
[Steve Bellovin blog, 24/08/07]
243

SIM Card Strong

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

SIM Card Strong

Uploaded by

Copyright:

Available Formats

SIM Card:

Nicolas T. Courtois 1, ex. 2

SIM Card and Security

Nicolas T. Courtois, WMNC Gdansk, 11/09/09

SIM Card and Security

Functionality and Application to GSM

Nicolas T. Courtois, WMNC Gdansk, 11/09/09

SIM Card and Security

Some History / Business / Economics

Nicolas T. Courtois, WMNC Gdansk, 11/09/09

SIM Card and Security

Where to Learn About Security?

Remember how Poland

Military: impossible to take.

Nicolas T. Courtois, WMNC Gdansk, 11/09/09

SIM Card and Security

New Technology Business Gurus

Moreover business considerations are very hard to separate

Nicolas T. Courtois, WMNC Gdansk, 11/09/09

SIM Card and Security

GSM A Child of the Common EU Market (!)

BUT .. very importantly,

Creation in 1989 of ETSI = European Tel. Standards Institute

Nicolas T. Courtois, WMNC Gdansk, 11/09/09

SIM Card and Security

GSM A Monopoly Breaker?

However, it was necessary to protect the income (for phone calls) of

Nicolas T. Courtois, WMNC Gdansk, 11/09/09

SIM Card and Security

Nicolas T. Courtois, WMNC Gdansk, 11/09/09

SIM Card and Security

How this became possible?

Nicolas T. Courtois, WMNC Gdansk, 11/09/09

SIM Card and Security

Nicolas T. Courtois, WMNC Gdansk, 11/09/09

SIM Card and Security

Temporary Monopoly System

Traditional rules of consumer protection were bent.

This created market conditions in which most people, for sure,

spending MUCH more than they would want to spend, but

want to switch to competition in exchange of a new phone,

Nicolas T. Courtois, WMNC Gdansk, 11/09/09

SIM Card and Security

market shares dont change that much with time

Nicolas T. Courtois, WMNC Gdansk, 11/09/09

SIM Card and Security

Encryption and Authentication in GSM

Done by the phone. Voice privacy.

Governments: would like to break the encryption of each

Done by the SIM card. Billing.

Was never such a problem w.r.t. governments services

Nicolas T. Courtois, WMNC Gdansk, 11/09/09

SIM Card and Security

GSM Encryption: weak design

Ross Anderson reported in 1994 that there was a big

The French design [not so secure] won.

Fatal flow in the spec shown by Biham et al. at Crypto

Redundant data is encrypted => allows ciphertext-only attacks.

But there is extra complexity here (extra flaws / better

Nicolas T. Courtois, WMNC Gdansk, 11/09/09

SIM Card and Security

The Genius in the Box

Perfect functional separation.