smart card security analysis smart card security analysis marc witteman, tno
TRANSCRIPT
![Page 1: Smart Card security analysis Smart Card security analysis Marc Witteman, TNO](https://reader036.vdocuments.net/reader036/viewer/2022081512/55175070550346b1338b49db/html5/thumbnails/1.jpg)
Smart Card Smart Card security analysissecurity analysis
Marc Witteman, TNO
![Page 2: Smart Card security analysis Smart Card security analysis Marc Witteman, TNO](https://reader036.vdocuments.net/reader036/viewer/2022081512/55175070550346b1338b49db/html5/thumbnails/2.jpg)
Do we need smart Do we need smart card security?card security?
![Page 3: Smart Card security analysis Smart Card security analysis Marc Witteman, TNO](https://reader036.vdocuments.net/reader036/viewer/2022081512/55175070550346b1338b49db/html5/thumbnails/3.jpg)
What are the threats ?What are the threats ?
Confidentiality: unauthorized disclosuredisclosure of information
sender receiver
Integrity: unauthorized modificationmodification of information
Authenticity: unauthorized use of service
![Page 4: Smart Card security analysis Smart Card security analysis Marc Witteman, TNO](https://reader036.vdocuments.net/reader036/viewer/2022081512/55175070550346b1338b49db/html5/thumbnails/4.jpg)
What’s inside a smart card ?What’s inside a smart card ?
CPU
RAM
test logic
ROM
EEPROMserial i/ointerfaceserial i/ointerface
security logic
security logic
databus
![Page 5: Smart Card security analysis Smart Card security analysis Marc Witteman, TNO](https://reader036.vdocuments.net/reader036/viewer/2022081512/55175070550346b1338b49db/html5/thumbnails/5.jpg)
Smart card security evaluationsSmart card security evaluations
• logical analysis: software
• internal analysis: hardware
• side channel analysis: both hw and sw
![Page 6: Smart Card security analysis Smart Card security analysis Marc Witteman, TNO](https://reader036.vdocuments.net/reader036/viewer/2022081512/55175070550346b1338b49db/html5/thumbnails/6.jpg)
Logical analysisLogical analysis
CommunicationCommunication
• Functional testing
• Protocol analysis
• Code review
![Page 7: Smart Card security analysis Smart Card security analysis Marc Witteman, TNO](https://reader036.vdocuments.net/reader036/viewer/2022081512/55175070550346b1338b49db/html5/thumbnails/7.jpg)
InternalInternalAnalysisAnalysis
![Page 8: Smart Card security analysis Smart Card security analysis Marc Witteman, TNO](https://reader036.vdocuments.net/reader036/viewer/2022081512/55175070550346b1338b49db/html5/thumbnails/8.jpg)
Internal analysis toolsInternal analysis tools
• Etching tools
• Optical microscope
• Probe stations
• Laser cutters
• Scanning Electron Microscope
• Focussed Ion Beam System
• and more…….
![Page 9: Smart Card security analysis Smart Card security analysis Marc Witteman, TNO](https://reader036.vdocuments.net/reader036/viewer/2022081512/55175070550346b1338b49db/html5/thumbnails/9.jpg)
Reverse engineeringReverse engineering
![Page 10: Smart Card security analysis Smart Card security analysis Marc Witteman, TNO](https://reader036.vdocuments.net/reader036/viewer/2022081512/55175070550346b1338b49db/html5/thumbnails/10.jpg)
Staining of ion implant ROM arrayStaining of ion implant ROM array
![Page 11: Smart Card security analysis Smart Card security analysis Marc Witteman, TNO](https://reader036.vdocuments.net/reader036/viewer/2022081512/55175070550346b1338b49db/html5/thumbnails/11.jpg)
Sub micron probe stationSub micron probe station
![Page 12: Smart Card security analysis Smart Card security analysis Marc Witteman, TNO](https://reader036.vdocuments.net/reader036/viewer/2022081512/55175070550346b1338b49db/html5/thumbnails/12.jpg)
Probing with eight needlesProbing with eight needles
![Page 13: Smart Card security analysis Smart Card security analysis Marc Witteman, TNO](https://reader036.vdocuments.net/reader036/viewer/2022081512/55175070550346b1338b49db/html5/thumbnails/13.jpg)
FIB: fuse repairFIB: fuse repair
![Page 14: Smart Card security analysis Smart Card security analysis Marc Witteman, TNO](https://reader036.vdocuments.net/reader036/viewer/2022081512/55175070550346b1338b49db/html5/thumbnails/14.jpg)
Side channel analysisSide channel analysis
• Use of ‘hidden’ signals– timing
– power consumption
– electromagnetic emission
– etc..
• Insertion of signals– power glitches
– electromagnetic pulses
![Page 15: Smart Card security analysis Smart Card security analysis Marc Witteman, TNO](https://reader036.vdocuments.net/reader036/viewer/2022081512/55175070550346b1338b49db/html5/thumbnails/15.jpg)
Power consumption in clock cyclePower consumption in clock cycle
peak
slope
time
IIddqddq
area
shape
![Page 16: Smart Card security analysis Smart Card security analysis Marc Witteman, TNO](https://reader036.vdocuments.net/reader036/viewer/2022081512/55175070550346b1338b49db/html5/thumbnails/16.jpg)
Power consumption in routinesPower consumption in routines
![Page 17: Smart Card security analysis Smart Card security analysis Marc Witteman, TNO](https://reader036.vdocuments.net/reader036/viewer/2022081512/55175070550346b1338b49db/html5/thumbnails/17.jpg)
Power consumption in programsPower consumption in programs
![Page 18: Smart Card security analysis Smart Card security analysis Marc Witteman, TNO](https://reader036.vdocuments.net/reader036/viewer/2022081512/55175070550346b1338b49db/html5/thumbnails/18.jpg)
Timing attack on RSATiming attack on RSA
• RSA principle:– Key set e,d,n
– Encipherment: C = Me mod n
– Decipherment: M = Cd mod n
• RSA-implementation (binary exponentiation)– M := 1
– For i from t down to 0 do:• M := M * M
• If di = 1, then M := M*C
![Page 19: Smart Card security analysis Smart Card security analysis Marc Witteman, TNO](https://reader036.vdocuments.net/reader036/viewer/2022081512/55175070550346b1338b49db/html5/thumbnails/19.jpg)
Timing Attack on RSA (2)Timing Attack on RSA (2)
11 00 00 00 11 11 11
![Page 20: Smart Card security analysis Smart Card security analysis Marc Witteman, TNO](https://reader036.vdocuments.net/reader036/viewer/2022081512/55175070550346b1338b49db/html5/thumbnails/20.jpg)
Differential Power AnalysisDifferential Power Analysis• Assume power consumption relates to hamming weight of data
• Subtract traces with high and low hamming weight
• Resulting trace shows hamming weight and data manipulation
![Page 21: Smart Card security analysis Smart Card security analysis Marc Witteman, TNO](https://reader036.vdocuments.net/reader036/viewer/2022081512/55175070550346b1338b49db/html5/thumbnails/21.jpg)
Fault injection on smart cardsFault injection on smart cards
Change a value read from memory to another value by manipulating the supply power:
Threshold ofread value A power dip at the
moment of reading amemory cell
![Page 22: Smart Card security analysis Smart Card security analysis Marc Witteman, TNO](https://reader036.vdocuments.net/reader036/viewer/2022081512/55175070550346b1338b49db/html5/thumbnails/22.jpg)
Differential Fault Analysis on RSADifferential Fault Analysis on RSA
Efficient implementation splits exponentiation:
dp = d mod (p-1)
dq = d mod (q-1)
K = p-1 mod q
Mp = Cdp mod p
Mq = Cdq mod q
M = Cd mod n = ( ( (Mq - Mp)*K ) mod q ) * p + Mp
![Page 23: Smart Card security analysis Smart Card security analysis Marc Witteman, TNO](https://reader036.vdocuments.net/reader036/viewer/2022081512/55175070550346b1338b49db/html5/thumbnails/23.jpg)
DFA on CRTDFA on CRT
Inject a fault during CRT that corrupts Mq:
M’q is a corrupted result of Mq computation
M’ = ( ( (M’q - Mp)*K ) mod q ) * p + Mp
subtract M and M’:M - M’ = (((Mq - Mp)*K) mod q)*p - (((M’q - Mp)*K) mod q)*p
= (x1-x2)*p
compute Gcd( M-M’, n ) = Gcd( (x1-x2)*p, p*q ) = p
compute q = n / p
![Page 24: Smart Card security analysis Smart Card security analysis Marc Witteman, TNO](https://reader036.vdocuments.net/reader036/viewer/2022081512/55175070550346b1338b49db/html5/thumbnails/24.jpg)
ConclusionsConclusions
• Smart cards can be broken by advanced analysis techniques.
• Users of security systems should think about:– What is the value of our secrets?
– What are the risks (e.g. fraud, eavesdropping)
– What are the costs and benefits of fraud?
• Perfect security does not exist!
![Page 25: Smart Card security analysis Smart Card security analysis Marc Witteman, TNO](https://reader036.vdocuments.net/reader036/viewer/2022081512/55175070550346b1338b49db/html5/thumbnails/25.jpg)
For information:For information:
TNO Evaluation Centre
Marc Witteman
PO-Box 5013
2600 GA Delft, The Netherlands
Phone: +31 15 269 2375
Fax: +31 15 269 2111
E-mail: [email protected]
E-mail: [email protected]