keep your enemies close distance bounding against smart card relay attack
DESCRIPTION
Keep your enemies close distance bounding against smart card relay attack. Saar Drimer and Steven J. Murdoch. 컴퓨터면역 및 정보보안 담당교수님 : 박용수 교수님. 2008. 3. 31 이재준. Paper Information. Title : Keep your enemies close : distance bounding against smart card relay attack Authors : - PowerPoint PPT PresentationTRANSCRIPT
Keep your enemies closedistance bounding against smart card relay
attack
2008. 3. 31이재준
1
컴퓨터면역 및 정보보안담당교수님 : 박용수 교수님
Saar Drimer and Steven J. Murdoch
Paper Information
2
Title : Keep your enemies close : distance bounding against smart card relay attack
Authors : Saar Drimer and Steven J. Murdoch
Publish : 16 th USENIX Security Symposium Boston MA, USA, 6–10 August 2007
Contents of Table
Relay attacks on card payment Payment environment
Chip & PIN (EMV) process
The relay attack scenario
Prevent the attack
Distance bounding against smartcard relay attacks
Hancke-Kuhn protocol
Distance bounding process
Requirement
Conclusion3
Relay attacks on card payment
4
• Payment environmentChip & PIN (EMV)
is fully deployed in the UK since 2006, with banks making grand claims of security
Uses the EMV (Europay MasterCard Visa) protocol with ISO7816mechanical / electrical / basic interface.
Smartcard-based payment system
requires a correct 4 digit PIN input for authorizing transactions(both at ATMs and cash registers)
uses 3DES for Static Data Authentication(SDA); requires a symmetric key shared by bank and card.
Relay attacks on card payment
5
• Payment environmentA simplified smartcard transaction
bank
cardholder merchant
EMV(ISO 8716)
PIN
Cryptogram
result
On-line authorization
Relay attacks on card payment
6
• Chip & PIN (EMV) process
bank
cardholder merchant
challenge
The terminal sending random number, known as challenge
PIN
The customer then input their PIN into terminal and send and it sent to the card
Relay attacks on card payment
7
• Chip & PIN (EMV) process
bank
cardholder merchant
challenge
PIN
The card computes a cryptographic response which incorporates the challenge, whether the PIN was entered correctly.
response
This response sent back to the terminal which then gose on-line and sends the challenge and response to the bank, who will verify them. and also we can detect whether an old response is being replayed.
Challenge and response
Relay attacks on card payment
8
• Some potential scenarios of fraud which Chip & PIN
With out the correct PIN being entered, the card will not be produce correct response.
With out the card, a fraudster who observe PIN will find it difficult to produce a fake card.PIN
Attacker can use the card and PIN to produce valid response and use it as thought he is right owner. but the account holder will notice fraudulent transaction and canceling card.
PIN
If attacker knows the PIN (or persuades the customer to enter it) and gets temporary access to the card, the will produce collect response. However, this response cannot be used later.
Response
Response
Relay attacks on card payment
9
• The relay attack scenario
What is the relay attack?
Attacker’s goal
type of attack related to man-in-middle and replay attack.challenge-response data is forwarded by an attacker over a substantial distance via radio.
obtain goods or services by charging an unwitting victim
who thinks he or she is paying for something different,
at an attacker controlled terminal
Relay attacks on card payment
10
• The relay attack scenario
AliceDave
Alice is the innocent customer and Dave is an honest merchantBob is attacker he is now employed as a restaurant waiter.
and his accomplice Carol is waiting for Bob’s signal to participated in attack.
Bob Carol
Relay attacks on card payment
11
• The relay attack scenario
AliceDave
Alice is about to pay $20 for meal in a restaurant.
Bob Carol
Carol is notified via a radio link or SMS message to insert her specially modified card into the Dave’s shop’s reader. and then Carol get PIN from Bob.
Relay attacks on card payment
12
• The relay attack scenario
AliceDave
All ommunication from the Daves’s shop terminal will be through Carol’s card and Bod’s terminal to Alice’s card, and vice versa.
Bob Carol
Dave will see that the transaction has succeeded and will hand Carol get very expensive goods or service.
Relay attacks on card payment
13
• Prevent the attack Merchants(Dave) can try to identify fake cards by taking them from customers, checking the counterfeit detection features. such as hologram and embossing.Merchants(Dave) can try to confirm that account number on the receipt matches the one on the card.
Banks could deploy measures to detect such relay attacks. This measure will allow terminal to measure how far away the genuine card is. This design so-called distance bounding protocol.
Distance bounding against smartcard relay attacks
14
• Concept
The terminal measure the time it takes to communication with card.
Speed of the light > Speed of informationThe maximum distance between card and terminal can be calculated.
This will modification to both the cards and terminals.
The terminal measure the time
Distance bounding against smartcard relay attacks
15
• Distance bounding process
verifier prover
- Distance bouning gives the terminal (verifier) assurance that the card (prover) is within a maximal distance by repeating multi single-bit challenge-response exchanges and assuming signals travel at the speed of light.
- Based on the Hancke-Kuhn protocol
Dmax = c td
Distance bounding against smartcard relay attacks
16
• Hancke-Kuhn protocolVerifier ( RFID reader )
Secret key KPseudorandom function h
Prover ( RFID token )Secret key K , nonce Np
Pseudorandom function hNv
Np
Generate nonce Nv
Calaculate h(K,Nv,Np),Split result into Rº||R¹ andPlace in to shift registers :
Generate random bitsC1,….,Ck
C1 =0
112 CR
C2 =0
122 CR
Cn= 0
112 CR
Calaculate h(K,Nv,Np),Split result into Rº||R¹
… …
Time-critical phase
Distance bounding against smartcard relay attacks
17
• Hancke-Kuhn protocol
The power-supply carrier wave emitted by reader establishes a common time base for synchronizing the pulse communication of both parties.
Distance bounding against smartcard relay attacks
18
• Hancke-Kuhn protocol
The token samples its wideband input at time tr
after zero crossing of the carrier wave, to read a challenge bit Ci Reader must adjust its transmission delay tt ≈ tr such that its pulse arrives exactly at that time
Distance bounding against smartcard relay attacks
19
• Hancke-Kuhn protocol
The token responds with after short, nearly constant switching delay td
iCiR
Distance bounding against smartcard relay attacks
20
• Hancke-Kuhn protocol
The reader must adjust delay td until it receives the correct response, and can then deduce the distance d=c(ts-tt-td)/2
Distance bounding against smartcard relay attacks
21
• Distance bounding process
verifier prover
The protocol starts with a mutual exchange of nonces.
Distance bounding against smartcard relay attacks
22
• Distance bounding process
verifier prover
MACs are computed under shared key.
Verifier loads a shift register with random bits.
prover splits MAC into two shift register.
MACK {Nv,Np}
MACK {Nv,Np}
challenge bits
response bits
shift register 0
Shift register 1
split
Distance bounding against smartcard relay attacks
23
• Distance bounding process
verifier prover
single-bit challenge-response pairs are exchanged.
MACK {Nv,Np}
MACK {Nv,Np}
challenge bits
response bits
shift register 0
shift register 1
splitSingle-bit challenge
Single-bit response
Response bit is the next bit from the shift register corresponding to the challenge bit’s content;
Response bit is deleted at prover and stored at verifier.
Distance bounding against smartcard relay attacks
24
• Distance bounding process
verifier prover
MACK {Nv,Np}
MACK {Nv,Np}
challenge bits
response bits
shift register 0
Shift register 1
splitSingle-bit challenge
Single-bit response
verifyresult
The verifier checks that the response are correct and concludes, based on its timing settings, the maximum distance the prover is away.
Distance bounding against smartcard relay attacks
25
• Requirements
Distance bounding support needs to added to EMV specs.
Terminals need to operate at higher frequencies,plus shift register and control circuitry.
cards added with shift registers and controlre-issued with public-key (CDA/DDA)
Conclusion
26
Developed the first implementation of distance bounding defence against these relay attack and showed it to be the most robust solution.
This solution designed to be appealing for adoption in the next generation of smartcards by tailoring the design to the EMV framework.