Practical Security With Smartcards
Peter Honeyman
CITI
University of Michigan
Ann Arbor

Smartcards: a pragmatic approach
Build on what we have
– Use existing infrastructure (UMCE)
  » UNIX filesystem; mail, web servers
  » Kerberos
  » NT GINA
– Use open standards (IETF, ISO)
– Add secure hardware: smartcard
Integrate smartcard with infrastructure
Secrets in a smartcard remain safe even if hardware / software is compromised

Experimental approach
Home-brew software, hardware

Experimental software
screset(fd, atr, ep);
scopen(ttyn, flags, ep);
scfdopen(fd, flags, ep);
scclose(fd);
scread(fd, cla, ins, p1, p2, p3, buf, sw1p, sw2p);
scwrite(fd, cla, ins, p1, p2, p3, buf, sw1p, sw2p);
scgetc(fd, cp, ms);
scputc(fd, ic);
scdsr(fd);
scdtr(fd, cmd);
void scsleep(ms);

Experimental software (cont’d)
Primary targets:
– OpenBSD
– Linux
– AIX
– NT
– PalmPilot
– JavaCard
T=0, T=1
Experimental hardware
Experimental hardware (cont’d)
Experimental Hardware (cont’d)

Smartcard integration with Kerberos
University of Michigan computing environment is protected by Kerberos
– So are MIT, CMU, Stanford, Cornell, ...
Public key cryptography is not practical
– (yet)
Kerberos security limitations:
– Lacks external encryption device
– Lacks secure key storage
– Passwords vulnerable to dictionary attack
Smartcards can solve these problems

Need for encryption device
[Diagram labels: Kerberos KDC, password, ticket, Decrypt]
Key is exposed to user and workstation
Workstation may not be trusted
Workstation storage is vulnerable

Need for secure hardware
Keys stored on hard disk or in memory are vulnerable
Hard disks are not secure
– Adversary with administrative rights can access keys
– Data in a hard disk may be backed up in an unprotected mass storage device
Memory is not secure
– Adversary can scan memory
– Data in memory can be paged out to a hard disk

Dictionary attack
Create a list of English words, names, etc.
– Also Star Wars, German, Shakespeare, …
– thx1138 is a vulnerable password! :-(
Derive keys from the words in the list
Obtain a <plaintext, ciphertext> pair
– Kerberos gives up <plaintext, ciphertext> easily
Decrypt ciphertext with the derived key
– If plaintext recovered, password is exposed
UMich: > 4,000 vulnerable accounts in 1997

Countermeasures - use a smartcard
[Diagram labels: Kerberos KDC, ticket, Decrypt]
Key is not exposed to user, workstation, or network
No password

Implementation
STARCOS v. 2.1 from Giesecke & Devrient
Modify MIT Kerberos v5-1.0.5 client
Kerberos server unmodified for global interoperability
– Well, almost …
– des_cbc_crc method uses key as ivec
– Modify server to allow des_cbc_md5

Kerberos+smartcard performance
[Timeline figure, time in sec.; labels: kinit start, card reset, end decryption, kinit finish, start decryption; axis ticks: 0, 0.06, 0.34, 1.32, 1.54]
Ticket decrypt time: 1.26 sec.
– Native STARCOS CBC
– Two rounds
– Obviates 27 round host ECB: 2.09 sec
– Communication cost @ 9600 bps: ~ half

Kerberos+smartcard conclusion
Practical smartcard authentication method
Addresses major weakness of Kerberos
Fairly fast … room to improve
Future work: store ticket on smartcard

Smartcard filesystem (SCFS)
ISO-7816
– Standard smartcard interface
– Primitive message framing protocol
  » Too primitive to be useful
– Many vendor dependencies
Smartcard programming toolkits
– IBM MFC, Microsoft PC/SC, OpenCard framework, EMV’96, PKCS#11, JavaCard …
– Smartcard-specific everything: language, API, toolkit, library, application, etc.
– Hassle learning toolkit after toolkit
– API dependencies

SCFS goals and policies
Integrate a smartcard with UNIX
– VFS: UNIX filesystem API
Take advantage of UNIX environment
– Allows sophisticated UNIX commands
– Access through symlinks
Any ISO-7816 smartcard
Easy integration with applications
– Netscape cookies
– PGP private keyring
– Kerberos tickets
– SSH private key

Application to SSH
citi% mount_scfs /dev/scfs0 /smartcard
citi% ln -s /smartcard/ss/id ~/.ssh/identity
citi% ssh sin.citi.umich.edu
Enter PIN:
sin% logout

SCFS design
Kernel VFS assisted by user process
[Diagram labels: application, scfsd, smartcard; VFS, XFS; user, kernel]
VFS handles application requests
scfsd translates requests to ISO-7816 APDUs
No caching

SCFS implementation
xfs_mount()
– Send reset to smartcard
– Choose smartcard type from configuration table based on ATR
– Mount the scfs filesystem
xfs_read()
– Translate FID into ISO-7816 name
– Select the file
– Send “read” APDU
– Copy data to user space (uiomove)
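
The xfs_read() steps above, sketched as an added example (not code from the talk or from SCFS): a path component becomes a SELECT header and a read(offset, len) becomes READ BINARY headers, including the limits that make file length troublesome. Assumptions: the ISO 7816-4 interindustry class byte 0x00, two-character names such as ss and id mapping directly to the two file-ID bytes, and the hypothetical helper names build_select and build_reads.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* T=0 command header: CLA INS P1 P2 P3, the same five values scread() takes. */
struct apdu_hdr { uint8_t cla, ins, p1, p2, p3; };

#define CLA_ISO         0x00    /* assumption: ISO 7816-4 interindustry class */
#define INS_SELECT      0xA4
#define INS_READ_BINARY 0xB0
#define MAX_OFFSET      0x7FFFu /* top bit of P1 is reserved, so offsets are 15 bits */

/* Map a two-character path component (assumed naming rule) to a SELECT header
 * and the 2-byte file ID sent as its data. Returns 0, or -1 for a bad name. */
int build_select(const char *name, struct apdu_hdr *h, uint8_t fid[2])
{
    if (name == NULL || strlen(name) != 2)
        return -1;
    fid[0] = (uint8_t)name[0];
    fid[1] = (uint8_t)name[1];
    *h = (struct apdu_hdr){ CLA_ISO, INS_SELECT, 0x00, 0x00, 0x02 };
    return 0;
}

/* Split read(offset, len) into READ BINARY headers of at most 256 bytes each.
 * Returns the header count, or -1 if the range is not addressable or out[] is full. */
int build_reads(uint32_t offset, uint32_t len, struct apdu_hdr *out, int max)
{
    int n = 0;
    if (offset > MAX_OFFSET || len > MAX_OFFSET + 1u - offset)
        return -1;
    while (len > 0) {
        uint32_t chunk = len > 256 ? 256 : len;
        if (n == max)
            return -1;
        out[n++] = (struct apdu_hdr){ CLA_ISO, INS_READ_BINARY,
            (uint8_t)(offset >> 8), (uint8_t)(offset & 0xFF),
            (uint8_t)(chunk & 0xFF) };  /* P3 = 0 encodes 256 bytes */
        offset += chunk;
        len -= chunk;
    }
    return n;
}

int main(void)
{
    struct apdu_hdr r[2];
    int n = build_reads(0, 128, r, 2);  /* a 128-byte read from offset 0 */
    printf("%d header(s), P3=%u\n", n, (unsigned)r[0].p3);
    return 0;
}
```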

SCFS performance
Command     total     card      overhead
Read 8      28.9      28.2      0.7
Read 128    190.2     189.4     0.8
Write 8     63.4      62.7      0.7
Write 128   1259.5    1258.9    0.7
all times in ms
[Timing diagram labels: read() call, start reading smartcard, finish reading smartcard, read() return; total, smartcard access, scfs overhead]

SCFS conclusion
Flexible API
Overhead is small
Useful as a low-level development tool
– ls, cd, pwd, make, etc.
Secure storage for user profiles, web cookies, Kerberos tickets, private keys, etc.
Problems
– Readdir is broken in ISO-7816
– Must preconfigure for each card
– File length is troublesome

Future directions
Smartcard filesystem
– Complete missing vnodeops
– Porting to other operating systems
Authentication
– Secure Kerberos ticket generation
– Smartcard public key integration
IP for smartcard
– honey.mcard.umich.edu
– Secure network storage, service provider