public transport payment security - umass amherst · 2009. 3. 4. · security consultant help...
Karsten Nohl
Source: New Yorker
Who I am
Researcher at the University of Virginia
PhD work proposed solutions for RFID privacy
Hacker
Find and publicize security hazards in large systems
▪ Past year: OpenSSL bug, DNS poisoning, Mifare security
Security consultant
Help companies understand threats and implement best-practice security
Karsten Nohl – Hardware Security for Payment 2
Exec Summary
Security is usually hard and often expensive
Not having security inevitably causes problems that are always even harder and more expensive
When designing security, prepare for failure
Goal should be low risk of large damage, but not perfect security
Hence, even Mifare Classic-based systems can be made “secure enough”
Radio Frequency IDentification
Tiny computer chips
Passively Powered
[Diagram: challenge-response protocol between two parties, each with a cryptographic cipher. Messages exchanged: ID; R (random number); Enc(R) (encryption under shared secret key)]
[Diagram: attacks on the challenge-response protocol (ID, R, Enc(R))]
Emulation
Cryptographic Attacks:
▪ Brute Force, TMTO
▪ Algebraic Attacks
Replay
Proxy Attack
Weak key storage
Contact-less “smart” card
2 Billion cards sold
Very popular in public transport
▪ ~ 85% market share
▪ Rio de Janeiro, São Paulo, Madrid, Valencia, Oslo, Sydney, Hamilton, Delhi, Nanjing, Shanghai, Taipei, Kuala Lumpur, Atlanta, St. Paul, Houston, Los Angeles, Bangkok, Netherlands, London, Boston, ...
Popular for access control (industry, government)
▪ Security “patch”: Armed guards (NL)
Mifare Classic Break
Mifare cards use proprietary Crypto-1 algorithm
▪ Never publicly reviewed for 20+ years
Algorithm reverse-engineered by UVa and CCC in 2007
▪ Immediately found to be weak
Feb/Mar: Reports find Crypto-1 to be strong enough for a few more years
▪ Reports are corrected after UVa releases more details about attacks
April: Dutch researchers publicly hack Oyster system
▪ Details published in October after lawsuit
Once strong cryptography is used, key storage becomes weakest link
More ubiquitous systems typically have more copies of the secret keys in accessible places
Security protocols
Cryptographic functions
Key storage
Hardware Security Modules (HSM)
Used in ATMs (cash machine), few smart card readers
Use proprietary encryption
Hence, can be broken
▪ Usually high effort (> $100.000)
Secure Access Modules (SAM) are much easier to break
Credit card / smart card readers
Everything needed to disclose key is found on chip
Finding secret algorithms might be costly
[Diagram: Hardware Security Module (HSM). Labels: HSM ID; encrypted key; proprietary decryption; master key; card ID, sector, …; AES / 3DES; card key]
Public key cryptography can mitigate security problems
Scalable through certificate chains
Protected from all likely attacks
Surprisingly inexpensive
[Diagram: RFID ticket and payment terminal]
RFID ticket sends: (Card public key) under system private key; (Transaction) under card private key
Payment terminal:
▪ Extract and verify card pk using system public key
▪ Extract and verify using card pk
Terminal only stores a publicly known key
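The two-step check from this slide, as an added example that is not part of the original deck: the terminal verifies the card public key against the system public key, then the transaction against the card public key. It uses textbook RSA over constructed toy primes as a stand-in for a real signature scheme; all names and the certificate layout are assumptions.

```python
import hashlib

E = 65537  # public exponent used for both toy key pairs

def make_key(p, q):
    """Textbook RSA key (n, d) from two primes."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg, n, d):
    return pow(digest(msg, n), d, n)

def verify(msg, sig, n):
    return pow(sig, E, n) == digest(msg, n)

# Constructed keys built from Mersenne primes: far too weak for real use.
SYSTEM_N, SYSTEM_D = make_key(2**127 - 1, 2**89 - 1)  # D stays with the issuer
CARD_N, CARD_D = make_key(2**107 - 1, 2**61 - 1)      # D stays on the card

def cert_body(card_id, card_n):
    return f"{card_id}:{card_n}".encode()

def issue_card(card_id):
    """Issuer: certify the card public key with the system private key."""
    cert = sign(cert_body(card_id, CARD_N), SYSTEM_N, SYSTEM_D)
    return {"id": card_id, "card_n": CARD_N, "cert": cert}

def card_pay(card, transaction):
    """Card: sign the transaction with the card private key."""
    return {**card, "tx": transaction, "tx_sig": sign(transaction, CARD_N, CARD_D)}

def terminal_accepts(msg, system_n=SYSTEM_N):
    """Terminal: knows only the system public key (system_n, E)."""
    if not verify(cert_body(msg["id"], msg["card_n"]), msg["cert"], system_n):
        return False  # card public key was not certified by the system
    return verify(msg["tx"], msg["tx_sig"], msg["card_n"])
```

Nothing the terminal stores lets it produce a certificate or a transaction signature, so reading out a terminal yields no secret.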
Public key crypto is already used for transport micropayments
Successful implementation of public-key RFID payment system: “VDV Kernapplikation”
▪ Roll-out since 2006 in Germany
▪ 3 million users and quickly growing
▪ Interoperable across 75 operators (eventually 500+ operators)
Most likely secure enough:
▪ RSA public keys, EAL5+, …
Total system cost:
▪ <1 Euro per card and year
Best-Practice Security
Guidelines learned from past hacks include:
1. Prepare for security breaks, no measure is perfect
▪ Need: redundancy, “layering”
▪ Need: migration plan
2. Use standardized security
▪ Never rely on your own security “inventions”
3. Manage risks through threat modeling
▪ Find acceptable balance between potential losses and cost of security
1. Proprietary encryption is insecure
2. Key storage is the next weakest link
3. “Secure enough” is possible and even affordable
The Way Ahead
For secure RFID, we need:
Publicly reviewed standards
▪ Yes, this means “one-size-fits-all”, but requirements are generic
Comprehensive threat modeling
▪ Threat = risk × damage
User engagement, opt-out
▪ Never force technology onto users
▪ Inform about risks
NFC (=RFID + cell phone) is the next hype
Dave Birch: “customers like NFC (a lot)“
Picture Source: Collin Mulliner
“Most systems are deployed with insufficient security.”
Jonathan Main, Chair of NFC Technical Committee:
“NFC Forum's role is not to define the [security] requirements [because] a mandatory ‘one-size-fits-all’ approach such as that advocated by Mr. Nohl is not viable. Many applications use smart card security […] specified in other consortia. On top of these many security measures, users [can] set their own security parameters and preferences.”
The void of standardized security leads to:
Development of new proprietary measures
Adoption of old, broken security
Protocols: Often broken protocols, i.e.: NFC credit cards
Cryptography: Mifare Classic encryption !!
Secret keys: Key storage in insecure SAMs !!!
Spoof “unique” data of tags such as UID
Done with RFID emulator (OpenPICC) or higher-powered tag (SmartMX)
Foundation for other attack vectors
1. Overhear legitimate authentication
2. Force same challenge, answer with same response
Requires predictable “random” numbers
RNG Mifare random numbers are completely predictable and well documented
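Why replay depends on predictable challenges, as an added example that is not part of the original deck: the same verifier is run once with a generator that restarts identically at power-up and once with a CSPRNG. The 16-bit generator, the HMAC stand-in for Enc(R) and all names are constructed for illustration and do not reproduce any real card.

```python
import hashlib
import hmac
import secrets

KEY = b"constructed shared secret"  # sample value for this example

def respond(key, challenge):
    """Prover's answer; HMAC stands in for Enc(R) under the shared key."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

class Verifier:
    def __init__(self, key, predictable):
        self.key, self.predictable = key, predictable
        self.pending = None
        self.power_up()

    def power_up(self):
        self.state = 0xACE1  # toy generator restarts identically every time

    def _lfsr16(self):
        s = self.state
        bit = (s ^ (s >> 2) ^ (s >> 3) ^ (s >> 5)) & 1
        self.state = (s >> 1) | (bit << 15)
        return self.state

    def challenge(self):
        if self.predictable:
            self.pending = self._lfsr16().to_bytes(2, "big")
        else:
            self.pending = secrets.token_bytes(16)
        return self.pending

    def check(self, response):
        if self.pending is None:
            return False
        expected = respond(self.key, self.pending)
        self.pending = None  # each challenge is good for one attempt
        return hmac.compare_digest(response, expected)

def replay_accepted(verifier):
    """Record one genuine run, power-cycle, then present the recording."""
    verifier.power_up()
    recorded = respond(verifier.key, verifier.challenge())
    if not verifier.check(recorded):
        raise RuntimeError("genuine run should pass")
    verifier.power_up()
    verifier.challenge()  # the replaying party holds no key, only `recorded`
    return verifier.check(recorded)
```

The key and the response function are identical in both runs; only the source of the challenge decides whether the recording is accepted.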
Recover secret key: Brute Force
Try all keys
TMTOs
Try all keys, efficiently
Algebraic Attacks w/ SAT solvers
Try all keys, smartly
Microcontroller Insecurity
[Image: Infineon SLE66, courtesy Flylogic]
[Image: Infineon SLE66 address/data bus, courtesy Flylogic]
Meshes can sometimes protect data, but not algorithms
“Last resort”: Hide security in secret algorithms.
“Try all keys”
Only possible for small keys
Mifare easy target:
Cipher complexity low, enables efficient FPGA implementation
FPGA cluster finds key in 50 minutes!
Source: Pico Comp.
[Diagram: weaknesses and the attacks they lead to]
Weaknesses:
▪ Weak Authentication Protocol
▪ 48-Bit Stream Cipher
▪ Weak Filter Function
▪ Weak Random Number Generator
Attacks:
▪ Time Memory Trade Offs
▪ Brute Force (due to small key)
▪ Key Probing
▪ Algebraic Attacks
▪ Replay Attacks (due to predictable random numbers)
Secret keys can be stored:
Online:
▪ Keys only stored on central server
▪ Expensive setup, long response times
Semi-online:
▪ Devices receive keys at boot time
▪ Keys often stored in DRAM at runtime; bad idea!
Offline:
▪ Devices “securely” store key copy
Secret keys should be
Different for every user
▪ Requires many different keys
Immediately accessible
▪ Requires small number of keys
Best practice: derive user keys from master key; store master key in „key vault“
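One way to meet both requirements above, and the master key / card ID / sector derivation shown on the HSM slide, as an added example that is not part of the original deck: per-card keys are derived on demand from a master key that never leaves the vault. HMAC-SHA256 is swapped in for the AES / 3DES step; the class, the label format and the versioning scheme are assumptions.

```python
import hashlib
import hmac
import secrets

class KeyVault:
    """Stand-in for the key vault: master keys exist only inside this object."""

    def __init__(self):
        self._masters = {}  # master key version -> 32 random bytes
        self.current = 0
        self.rotate()

    def rotate(self):
        """Introduce a new master key version, e.g. as part of a migration."""
        self.current += 1
        self._masters[self.current] = secrets.token_bytes(32)
        return self.current

    def card_key(self, uid, sector, version=None, length=16):
        """Derive the key for one sector of one card on demand."""
        version = self.current if version is None else version
        if version not in self._masters:
            raise KeyError(f"unknown master key version {version}")
        if not 0 <= sector <= 255 or not 0 < len(uid) <= 255:
            raise ValueError("uid or sector out of range")
        # Length-prefix the UID so (uid, sector) pairs cannot collide.
        label = b"card-key" + bytes([len(uid)]) + uid + bytes([sector])
        mac = hmac.new(self._masters[version], label, hashlib.sha256).digest()
        return mac[:length]

def keys_exposed_by_one_card(vault, stolen_uid, fleet, sector=1):
    """Count fleet cards whose sector key equals the key read from one card."""
    stolen = vault.card_key(stolen_uid, sector)
    return sum(hmac.compare_digest(stolen, vault.card_key(uid, sector))
               for uid in fleet)
```

A key read out of a single card matches only that card, while the vault needs to hold one secret per key version rather than one per user.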
„Secure“ Access Modules are standard micro-processors
Low effort to extract master keys
SAMs are becoming cheaper and less secure!
(cell phones are not any better)
Source: Flylogic