Physical Security Pieter.Harte@utwente.nl Overview Smart cards RFIDs Attacks (Semi)-Natural tags Conclusions 2 IIS Smart Cards Smart cards Broken! 53.98 mm 85.6 mm 0.76 mm [And96] R. J. Anderson and M. G. Kuhn. Tamper resistance - A cautionary note. In 2nd Int. Usenix Workshop on Electronic Commerce, pages 1-11, Oakland, California, Nov 1996. USENIX Association. http://www.usenix.org/publications/library/proceedings/ec96/kuhn.html IIS 4 What makes the card smart? CPU (8, 16, 32 bit) Memory (RAM, ROM, EEPROM, Flash) I/O channel (Contact/Contact less) Cryptographic co-processor On card devices (Fingerprint, display) Standards (ISO 7816, GSM, EMV, VOP) 5 IIS Main security features Symmetric crypto Asymmetric crypto relatively slow Hardware random number generator Hardware tamper resistance X-tal clock vulnerable Life cycle management 6 IIS Communication ISO 7816-4: 9600 bps : slow USB : bulky Bluetooth: power Biometrics: slow www.fingerchip.com 7 IIS Displays Plastic, glass Emissive, non-emissive Refresh, bi-stable Segment, dot-matrix Problems: connections, yield, power, thickness, price! [Pra01] D. Praca and C. Barral. From smart cards to smart objects: the road to new smart technologies. Computer IIS Networks, 36(4):381-389, Jul 2001. http://dx.doi.org/10.1016/S1389-1286(01)00161-X 8 Clock & Power Clock » Xtal 0.6 mm » MEMS (0.002% acc.) Battery » Thickness » power density » when to recharge 9 IIS Integration is hard Display Button 32-bit CPU Large memory Battery Comms >> 25mm2 10 IIS Photo: Philips Semiconductors RFID What is an RFID tag? Antenna + small chip in ambient field Passive, replies to queries only Can be used for almost anything » Supply Chain Management & Checkout (Wallmart, Benetton) » Homeland security Nokia 6131 NFC » User convenience » Access to buildings 12 IIS Passport application 13 IIS Privacy issues Sniffing » Data collection in proximity (skimming) » Correlate data from different tags Watch this video Counter measures » » » » » » Shield antenna in passport with tinfoil Encrypt the template with MRZ data Reduce transmit range Light controlled on/off switch Long and short range interface Time delayed transmit of sensitive info [Bir07] N. Bird, C. Conrado, J. Guajardo, S. Maubach, G. Jan Schrijen, B. Skorić, A. M. H. Tombeur, P. Thueringer, and P. Tuyls. ALGSICS - combining physics and cryptography to enhance security and privacy in RFID systems. In F. Stajano, C. Meadows, S. Capkun, and T. Moore, editors, 4th European Workshop on Security and Privacy in Ad-hoc and Sensor Networks (ESAS), volume LNCS 4572, pages 187-202, Cambridge, IIS UK, Jul 2007. Springer. http://dx.doi.org/10.1007/978-3-540-73275-4_14 14 Attacks [Wit02] M. Witteman. Advances in smartcard security. Information Security Bulletin, pages 1122, Jul 2002. http://www.riscure.com/fileadmin/images/Docs/ISB0707MW.pdf Attacks Operational » Blackmail » Burglary » Bribery Technical » Logical » Physical » Side channel Attackers » I: Clever outsiders » II: Knowledgeable insiders » III: Funded Organisations 16 IIS Logical attacks The code is too complex » Hidden commands » Parameter poisoning & Buffer overflow » Malicious or buggy applets » Protocol problems (e.g. retransmit) » Proprietary crypto Counter measures » Structured design & code inspection » Formal methods » Testing 17 IIS Example: RFID virus There is a large amount of code Generic protocols and facilities Back end data bases So the usual attacks: » Buffer overflow » SQL injection “;shutdown--” Best paper award Don’t trust data from RFID tag… [Rie06] M. R. Rieback, B. Crispo, and A. S. Tanenbaum. Is your cat infected with a computer virus? In 4th Annual IEEE Int. Conf. on Pervasive Computing and Communications (PerCom), pages 169-179, Pisa, Italy, Mar IIS IEEE Computer Society. http://dx.doi.org/10.1109/PERCOM.2006.32 18 2006. Physical attacks The circuitry is complex and vulnerable » Chemicals & etching » SEM Voltage contrast » Probe stations » Focused Ion Beam (FIB) to make probe pads Counter measures » Reduced feature size (100nm) » Multi layering » Protective layers » Sensors » Bus scrambling 19 IIS Low cost physical attacks Block EEPROM writes by isolating Vpp Rent focused Ion beam [And97d] R. J. Anderson and M. Kuhn. Low cost attacks on tamper resistant devices. In 5th Int. Workshop on Security Protocols, volume LNCS 1361, pages 125-136, Paris, France, Apr 1997. http://dx.doi.org/10.1007/BFb0028165 IIS 20 Side channel attacks Physical phenomena can be measured » Power Watch this video » EM radiation (X-ray, light, sound) » Time and changed » Voltage (example later) » Frequency (example later) [Vua09] M. Vuagnoux and S. Pasini. Compromising electromagnetic emanations of wired andWireless keyboards. In 18th USENIX Security Symp., pages 1-16, Montreal, Canada, Aug 2009. USENIX Assoc. http://www.usenix.org/events/sec09/tech/full_papers/vuagnoux.pdf IIS 21 Timing attack Exponentiation by square and multiply » for i = n − 2 downto 0 » X = X2 » if (d[i] == 1) then » X = X*M Power trace shows bits 1 in the key 22 IIS Simple power analysis 16 rounds DES Rounds 2 & 3 [Koc99] P. C. Kocher, J. Jaffe, and B. Jun. Differential power analysis. In M. J. Wiener, editor, 19th Int. Conf. on Advances in Cryptology (CRYPTO), volume 1666 of LNCS, pages 388-397, Santa Barbara, California, Aug IIS 23 Springer. 1999. http://www.cryptography.com/resources/whitepapers/DPA.pdf Differential power attacks Difference in the third cycle due to difference in input value for encryption 24 IIS Active attacks : Power Dip Reading threshold vcc Stored value of logical zero A power Dip at the Moment of reading a memory cell gnd read a 0 as a 1 Protection measure » Check VCC & raise an alarm if it drops » Problem: Fast transients during start-up may raise false alarms 25 IIS Active attacks : Clock Glitch Dump all of the memory Replace 5MHz pulse by 4 pulses of 20MHz: 1. b = answer_address 2. a = answer_length 3. If (a == 0) goto 8 4. transmit(*b) 5. b=b+1 6. a=a-1 Glitch here 7. goto 3 [And97d] R. J. Anderson and M. Kuhn. Low cost attacks on tamper resistant devices. In 5th Int. Workshop on Security Protocols, volume LNCS 1361, pages 125-136, Paris, France, Apr 1997. http://dx.doi.org/10.1007/BFb0028165 IIS 26 Countermeasures Hardware » Lower power signals » Increase noise levels » Introduce timing noise Software » Parallelism » Introduce random delays » Constant time execution » Blinding intermediate values 27 IIS Countermeasures Make attacks harder but not impossible Hard to get right Expensive to implement 28 IIS Out of the box thinking The humble Capacitor » Emanates acoustic signals » Sensitive to shocks and vibration » CA/d 29 IIS Listen to a PC multiplying Freeze 1500 μF capacitor http://people.csail.mit.edu/tromer/acoustic/ IIS 30 Shaking a smart card.... 31 IIS Attackers business case Attack Class Equipment Cost Succ. Rate Devel. Time Exec. Time Logical PC, card reader 1-10K Low Wks Mins Physical PC, Probe Station, 100KSEM, 1M FIB,Microscope, Chemistry Lab High Mnths Days Side Channel PC, Oscilloscope, Function Gen. Med. Mnths Hours 10K100K Rental! 32 IIS Design guidelines Define the level of security needed Perform a risk analysis Consider the attackers business case Use the right technologies Build in fraud management Design recovery and fall-back Consider the overall system 33 IIS IBM 4758 Crypto Coprocessor Rolls Royce of secure devices Tamper sensing barrier Keys move in the RAM Temperature & X-ray sensor Solid aluminium case & epoxy potting low pass filter on power supply Used in ATMs Hacked! [Cla03b] R. Clayton and M. Bond. Experience using a Low-Cost FPGA design to crack DES keys. In 4th Int. Workshop on Cryptographic Hardware and Embedded Systems (CHES), volume LNCS 2523, pages 877-883, Redwood IISShores, California, 2003. Springer. http://dx.doi.org/10.1007/3-540-36400-5_42 34 (Semi) Natural tags Finger printing [Buc05] J. D. R. Buchanan, R. P. Cowburn, A.-V. Jausovec, D. Petit, P. Seem, G. Xiong, D. Atkinson, K. Fenton, D. A. Allwood, and M. T. Bryan. Forgery: 'fingerprinting' documents and packaging. Nature, 436(7050):475, Jul 2005. http://dx.doi.org/10.1038/436475a IIS 36 Philips Coating PUF [Sko08] B. Škorić, G.-J. Schrijen, W. Ophey, R. Wolters, N. Verhaegh, and J. van Geloven. Experimental hardware for coating PUFs and optical PUFs. In P. Tuyls, B. Škorić, and T. Kevenaar, editors, Security with Noisy Data - On Private Biometrics, Secure Key Storage and Anti-Counterfeiting, pages 255-268. Springer London, 2008. http://dx.doi.org/10.1007/978-1-84628-984-2_15 IIS 37 MEMS particles 1x1x12 m particles, shapes Church and school roof, power line grease/gel Watch this video Jewellery fluid Spray vandals/thiefs Smart water [Kay92] P. H. Kaye, F. Micheli, M. Tracey, E. Hirst, and A. M. Gundlach. The production of precision silicon micromachined non-spherical particles for aerosol studies. Journal of Aerosol Science, 23(Suppl 1):201-204, 1992. http://dx.doi.org/10.1016/0021-8502(92)90384-8 http://www.redwebsecurity.com/ 38 Conclusions Affordable tamper resistance technology exists Getting it right is difficult Out of the box thinking required 39 IIS