SLIDE 1

APPLYING SMART CARDS FOR SECURITY CRITICAL MOBILE APPLICATIONS

Michael Hölzl
Institute of Networks and Security, JKU Linz
PhD defense, 2nd of March 2018, 14:15-15:45, Science Park 3 – Room S3 218

SLIDE 2

MOTIVATION

• Trend towards security and privacy-sensitive services on mobile devices
• 28% of smartphone users already used mobile payment in 2015 (USA) (Source: 03-2016 Consumers and Mobile Financial Services)
• Mobile banking already exceeds online banking in many countries (Source: 11-2016 Customer Loyalty in Retail Banking: Global Edition 2016)
• Governmental mobile eIDs (e.g. Estonia, Belgium, Austria, Moldova)

SLIDE 3

MOTIVATION

• Mobile device threats
  • Malware attacks
    • Although the infection rate is small (~0.28% on Android in 2014), attacks have been increasing lately (Source: 2014 [Truong et al.]; 2016 [Nokia]; 2017 [Symantec Threat Report])
  • Lost & stolen devices
• Risks
  • Data breach
  • Identity theft
  • Money loss
  • Data manipulation
  • Privacy loss
  • etc.

[Figure: Data breach types in financial sector (Source: 2016 [bitglass Financial Services Breach Report])]

SLIDE 4

PROTECTING DATA ON MOBILE DEVICES

• Possible approach: everything online
  • Security critical operations on trusted servers
  • New security and privacy concerns, e.g. single point of failure
• Our approach: Secure software through tamper resistant hardware!
  • E.g. smart cards, TPMs, NFC secure element (SE)
  • Protect data against
    • Unauthorized access
    • Manipulation
• Goal: Open Ecosystem for apps to access tamper resistant hardware

SLIDE 5

OPEN ECOSYSTEM FOR TAMPER RESISTANT HARDWARE

• Practicability Limits
  • Limited storage space and memory (range within kB up to few MB)
  • Security concerns
  • Data transfer in the range of kB/s, e.g. UICC SE with 3,31 kB/s, microSD SE with 329 B/s [1]
  • Computational performance [20]

Device                        SHA2-256 (256B)   AES128 encrypt (256B)   Secure Random (256B)
NXP J3A080                    69.32 ms          21.41 ms                21.64 ms
NXP JCOP21 v2.4.2R3           22.39 ms          11.65 ms                33.77 ms
G+D Smartcafe 6.0 80K         39.07 ms          21.7 ms                 18.03 ms
JavaCOS A22                   39.76 ms          3.61 ms                 12.18 ms
OnePlus One (Android phone)   17 µs             52 µs                   78 µs

SLIDE 6

OPEN ECOSYSTEM FOR TAMPER RESISTANT HARDWARE

• Goals
  • Applet management for security-critical applications (for example Dmitrienko et al. [18] or Ekberg et al. [19])
  • Allow access to safeguarding features of hardware (see available iOS and Android APIs)
  • Protect against physical and malware attacks
  • Protect access and communication path to applets
  • Ensure authenticity of the platform and applications accessing hardware
  • Practicability (+user-friendliness) of application despite limited memory and processing power

SLIDE 7

OPEN ECOSYSTEM FOR TAMPER RESISTANT HARDWARE

• Research questions
  1) How to bridge the gap between the requirement for hardware (such as smart cards) being as simple as possible from a security point of view and extensibility towards arbitrary applications executed on it?
  2) What are the computational limitations of integrated smart cards on mobile platforms and what are techniques to address these limitations in the design and the implementation of an application?
  3) How can a smart card on a mobile device be used to ensure code integrity and authenticity of executed code while preserving the user's freedom to choose their software?
  4) How can complex applications, such as biometric match-on-card authentication or privacy-preserving electronic identities, be implemented on smart cards and still remain practical?

SLIDE 8

OPEN ECOSYSTEM FOR TAMPER RESISTANT HARDWARE

• Proof of concept, performance evaluation and analysis
  [1] “Requirements Analysis for an Open Ecosystem for Embedded Tamper Resistant Hardware on Mobile Device”. In: MoMM2013. ACM, Dec. 2013.
• Customizable secure boot on mobile devices
  [2] “A Practical Hardware-Assisted Approach to Customize Trusted Boot for Mobile Devices”. In: ISC 2014. Vol. 8783. Lecture Notes in Computer Science. Springer, Oct. 2014.
• Efficient password-authenticated secure channel protocol
  [3] “Mobile Application to Java Card Applet Communication using a Password-authenticated Secure Channel”. In: MoMM2014. ACM, Dec. 2014.
  [4] “A password-authenticated secure channel for App to Java Card applet communication”. IJPCC, 11.4 (2015).
• Biometric match-on-card authentication
  [5] “Mobile Gait Match-on-Card Authentication from Acceleration Data with Offline-Simplified Models”. In: MoMM2016. ACM, Nov. 2016.
  [6] “Mobile Match-on-Card Authentication Using Offline-Simplified Models with Gait and Face Biometrics”. IEEE Transactions on Mobile Computing (2018).
• Practicability for security-critical mobile applications
  [7] “Real-World Identification: Towards a Privacy-Aware Mobile eID for Physical and Offline Verification”. In: MoMM 2016. ACM, Nov. 2016.
  [8] “An Extensible and Privacy-preserving Mobile eID System for Real-world Identification and Offline Verification”. In: IFIP Summer School on Privacy and Identity Management (Pre-proceedings). 2017.
  [9] “Real-world Identification for an Extensible and Privacy-preserving Mobile eID”. In: Privacy and Identity Management. Springer International Publishing, 2017.
  [10] “Bridging the Gap in Privacy-Preserving Revocation: Practical and Scalable Revocation for a Privacy-Aware Mobile eID”. In: SAC 2018. ACM, 2018.

SLIDE 9

Practicability for security-critical mobile applications

[7] Michael Hölzl, M. Roland, and R. Mayrhofer: “Real-World Identification: Towards a Privacy-Aware Mobile eID for Physical and Offline Verification”. In: Proceedings of the 14th International Conference on Advances in Mobile Computing and Multimedia (MoMM 2016). ACM, Nov. 2016, pp. 280–283.
[8] Michael Hölzl, M. Roland, and R. Mayrhofer: “An Extensible and Privacy-preserving Mobile eID System for Real-world Identification and Offline Verification”. In: The Smart World Revolution - 12th International IFIP Summer School on Privacy and Identity Management (Pre-proceedings). 2017.
[9] Michael Hölzl, M. Roland, and R. Mayrhofer: “Real-world Identification for an Extensible and Privacy-preserving Mobile eID”. In: Privacy and Identity Management. The Smart World Revolution - 12th IFIP WG 9.2, 9.6/11.7, 11.6/SIG 9.2.2 International IFIP Summer School. Ispra, Italy: Springer International Publishing, 2017.
[10] Michael Hölzl, M. Roland, O. Mir, and R. Mayrhofer: “Bridging the Gap in Privacy-Preserving Revocation: Practical and Scalable Revocation for a Privacy-Aware Mobile eID”. In: Proceedings of SAC 2018: Symposium on Applied Computing. In press. Pau, France: ACM, 2018.

Research Questions

• How can real-world identification of a privacy-preserving mobile eID be realized in offline as well as power-off settings?
• How can an eID be used for many services in a privacy-preserving manner?
• How can eID revocation be handled in a privacy-preserving manner?
• How can an eID system scale for large populations?

SLIDE 10

A SECURITY CRITICAL MOBILE APPLICATION

[Figure: example identity document with the fields Givenname (Albert), Surname (EINSTEIN), Date of Birth (1879-03-14), Place of Birth (Ulm, Germany), Citizenship (USA, Switzerland), ID number (123456789), Sex (M) and Signature, marked GENUINE, shown twice, alongside the label "> 16 years"]

• Privacy-preserving mobile eIDs
  • e.g. only verify age of identity holder

SLIDE 11

REQUIREMENTS

Functional
• Real-world identification
• One-to-many
• Revocation

Security
• Key confidentiality
• Unforgeability
• Communication protection
• State-of-the-art cryptography

Mobility
• Offline
• Power-off
• Scalability

Privacy
• Unlinkability
• User control
• Privacy-preserving attribute queries

SLIDE 12

IDENTITY REVOCATION

• Usual approach: revocation list
• Problem: for privacy no unique ID can be provided
• Additional challenges:
  1. Additional computation effort
  2. Limited storage size on tamper resistant hardware
  3. Items on the revocation list might lose anonymity
  4. Could weaken unlinkability
  5. Growing revocation list

SLIDE 13

PSEUDO-RANDOM REVOCATION TOKENS

• Generation of a revocation token by prover and revocation manager
• Token consists of
  • Secret
  • Public revocation token

How to prove the validity of these public tokens?

SLIDE 14

NEW APPROACH: DISPOSABLE DYNAMIC ACCUMULATORS

• Accumulator
  • An arbitrary set of values is combined into one short value
  • This value does not grow in size
  • A witness is used to verify if an element is a member of that set
• Dynamic Accumulator
  • Allows elements to be added and deleted dynamically
  • Based on the standard RSA function
  • The witness has all but one element
  • Deleting can be done with the knowledge of the factorization of N=p⋅q
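
The dynamic accumulator operations listed on this slide, as an added example that is not taken from the presentation or the author's code: a textbook RSA accumulator (not the disposable variant of the following slides) with accumulation, witness, membership check, trapdoor deletion and the standard witness update after a deletion. The toy modulus, the base `G` and the `hash_to_prime` helper are assumptions chosen for illustration.

```python
import hashlib
from math import isqrt

# Constructed toy parameters (assumption): safe primes 2*509+1 and 2*593+1.
# A real modulus is 2048 bits or more and its factors stay with the manager.
P, Q = 1019, 1187
N = P * Q
PHI = (P - 1) * (Q - 1)   # trapdoor: computable only from the factorization
G = 4                     # base, a quadratic residue mod N


def hash_to_prime(element: bytes) -> int:
    """Hypothetical helper: hash an element to an odd prime above 2**31."""
    n = int.from_bytes(hashlib.sha256(element).digest()[:4], "big") | 0x80000001
    while any(n % d == 0 for d in range(3, isqrt(n) + 1, 2)):
        n += 2
    return n


def accumulate(primes):
    """Fold all elements into one value of fixed size (always below N)."""
    acc = G
    for x in primes:
        acc = pow(acc, x, N)
    return acc


def witness(primes, x):
    """Witness for x: the accumulation of all elements but x."""
    return accumulate([y for y in primes if y != x])


def verify(acc, wit, x):
    """Membership check: raising the witness to x must give the accumulator."""
    return pow(wit, x, N) == acc


def delete(acc, x):
    """Remove x with the trapdoor by taking the x-th root of acc mod N."""
    return pow(acc, pow(x, -1, PHI), N)


def update_witness(wit, x, acc_new, x_deleted):
    """Refresh the witness for x after x_deleted was removed (no trapdoor)."""
    a = pow(x, -1, x_deleted)        # Bezout: a*x + b*x_deleted == 1
    b = (1 - a * x) // x_deleted     # negative exponent, needs Python 3.8+
    return pow(wit, b, N) * pow(acc_new, a, N) % N


if __name__ == "__main__":
    xs = [hash_to_prime(t) for t in (b"token-a", b"token-b", b"token-c")]
    acc = accumulate(xs)
    print("member:", verify(acc, witness(xs, xs[0]), xs[0]))
    acc2 = delete(acc, xs[1])
    print("stale witness rejected:", not verify(acc2, witness(xs, xs[1]), xs[1]))
```

Deletion is the only operation that touches `PHI`; holders of the remaining elements refresh their witnesses from public values alone.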

SLIDE 15

NEW APPROACH: DISPOSABLE DYNAMIC ACCUMULATORS

• Disposable dynamic accumulator (DDA)
  • Let N=p⋅q be an RSA modulus, where p,q are strong primes
  • Given the set
  • Generate DDA by computing the modular inverses
  • Note: elements of the set need to be relatively prime to φ(N) and should be hashed before being accumulated
  • We define the function
    for that

SLIDE 16

NEW APPROACH: DISPOSABLE DYNAMIC ACCUMULATORS

• Disposable dynamic accumulator (DDA)
  • Witness for an element is computed with
    such that
  • A verifier can validate the membership of an element by checking

SLIDE 17

VERIFICATION PROTOCOL

SLIDE 18

EVALUATION

SLIDE 19

NEW APPROACH: DISPOSABLE DYNAMIC ACCUMULATORS

• Advantages
  • Verifier can assert that element has been accumulated by revocation manager → Validity
  • No user-specific accumulator required → Anonymity
  • No association to original disposable accumulator → Unlinkability
  • Efficient computation on constrained hardware and small storage space required → Practicability

SLIDE 21

CONCLUSION

• Tamper resistant hardware to
  • improve security of mobile applications as well as platform
  • protect against unauthorized access and data manipulation
  • increase trustworthiness in mobile devices
• New techniques to overcome performance and security concerns
  • Password-authenticated secure channel for app-to-applet communication
  • A customizable secure boot for mobile devices
  • Biometric match-on-card authentication
  • Novel mobile eID scheme
    • Privacy-preserving, offline capable, scalable
• New efficient mechanisms for smart cards
  • Disposable dynamic accumulator
  • Split computation protocol
  • Novel, practical revocation scheme for eIDs
  • Architecture and protocols for extensibility of eIDs

SLIDE 22

CONTRIBUTIONS

• Conference Publications

[1] Michael Hölzl, R. Mayrhofer, and M. Roland: “Requirements Analysis for an Open Ecosystem for Embedded Tamper Resistant Hardware on Mobile Device”. In: Proceedings of the 11th International Conference on Advances in Mobile Computing & Multimedia (MoMM2013). ACM, Dec. 2013, pp. 249–252. doi: 10.1145/2536853.2536947
[2] J. González, Michael Hölzl, P. Riedl, P. Bonnet, and R. Mayrhofer: “A Practical Hardware-Assisted Approach to Customize Trusted Boot for Mobile Devices”. In: Proc. Information Security Conference 2014 (ISC). Vol. 8783. Lecture Notes in Computer Science. Springer, Oct. 2014, pp. 542–554. doi: 10.1007/978-3-319-13257-0_35
[3] Michael Hölzl, E. Asnake, R. Mayrhofer, and M. Roland: “Mobile Application to Java Card Applet Communication using a Password-authenticated Secure Channel”. In: Proceedings of the 12th International Conference on Advances in Mobile Computing & Multimedia (MoMM2014). ACM, Dec. 2014, pp. 147–156. doi: 10.1145/2684103.2684128
[5] R. D. Findling, Michael Hölzl, and R. Mayrhofer: “Mobile Gait Match-on-Card Authentication from Acceleration Data with Offline-Simplified Models”. In: Proceedings of the 14th International Conference on Advances in Mobile Computing & Multimedia (MoMM2016). ACM, Nov. 2016, pp. 250–260. doi: 10.1145/3007120.3007132
[7] Michael Hölzl, M. Roland, and R. Mayrhofer: “Real-World Identification: Towards a Privacy-Aware Mobile eID for Physical and Offline Verification”. In: Proceedings of the 14th International Conference on Advances in Mobile Computing and Multimedia (MoMM 2016). ACM, Nov. 2016, pp. 280–283. doi: 10.1145/3007120.3007158

SLIDE 23

CONTRIBUTIONS

• Conference Publications (contd.)

[8] Michael Hölzl, M. Roland, and R. Mayrhofer: “An Extensible and Privacy-preserving Mobile eID System for Real-world Identification and Offline Verification”. In: The Smart World Revolution - 12th International IFIP Summer School on Privacy and Identity Management (Pre-proceedings). 2017.
[9] Michael Hölzl, M. Roland, and R. Mayrhofer: “Real-world Identification for an Extensible and Privacy-preserving Mobile eID”. In: Privacy and Identity Management. The Smart World Revolution - 12th IFIP WG 9.2, 9.6/11.7, 11.6/SIG 9.2.2 International IFIP Summer School. Ispra, Italy: Springer International Publishing, 2017.
[10] Michael Hölzl, M. Roland, O. Mir, and R. Mayrhofer: “Bridging the Gap in Privacy-Preserving Revocation: Practical and Scalable Revocation for a Privacy-Aware Mobile eID”. In: Proceedings of SAC 2018: Symposium on Applied Computing. In press. Pau, France: ACM, 2018. doi: 10.1145/3167132.3167303

• Journal Articles

[4] Michael Hölzl, E. Asnake, R. Mayrhofer, and M. Roland: “A password-authenticated secure channel for App to Java Card applet communication”. International Journal of Pervasive Computing and Communications (IJPCC) 11.4 (Nov. 2015), pp. 374–397. doi: 10.1108/IJPCC-09-2015-0032
[6] R. D. Findling, Michael Hölzl, and R. Mayrhofer: “Mobile Match-on-Card Authentication Using Offline-Simplified Models with Gait and Face Biometrics”. IEEE Transactions on Mobile Computing (2018).

SLIDE 24

CONTRIBUTIONS

• Open Source Libraries
  • GPDroid: A Global Platform Management tool for Android.
    https://github.com/mobilesec/secure-element-gpdroid
  • GPDroid for NFC smart cards
    https://github.com/mobilesec/secure-element-gpdroid-nfc
  • Performance Tester for Android app-to-applet communication.
    https://github.com/mobilesec/secure-element-performancetester
  • RIL implementation patches for secure element access
    https://usmile.at/blog/cyanogenmod-seek-uicc-s2-s3
  • SRP protocol as Java Card Applet
    https://github.com/mobilesec/secure-channel-srp6a-applet
  • SRP implementation for Android
    https://github.com/mobilesec/secure-channel-srp-android-lib
  • Elliptic curve SRP (EC-SRP) for Java Card
    https://github.com/mobilesec/secure-channel-ec-srp-applet
  • TPM2.0 Java Card applet
    https://github.com/mobilesec/tpm2-se-applet

SLIDE 25

JOHANNES KEPLER UNIVERSITÄT LINZ
Altenberger Str. 69, 4040 Linz, Österreich
www.jku.at

APPLYING SMART CARDS FOR SECURITY CRITICAL MOBILE APPLICATIONS

Michael Hölzl

hoelzl@ins.jku.at
https://michaelhoelzl.eu
Twitter: @mihoelzl
Keybase: @hoelzl
PGP: 32AF F62F EBF3 30D4 5F40 5478 BB0C D2F4 9C27 CCCC

SLIDE 26

OTHER CONTRIBUTIONS

• Scientific Publications

[11] Michael Hölzl, R. Neumeier, and G. Ostermayer: “Analysis of Compass Sensor Accuracy on Several Mobile Devices in an Industrial Environment”. In: Second International Workshop on Mobile Computing Platforms and Technologies (MCPT 2013), colocated with Eurocast 2013. Las Palmas, Gran Canaria: Springer Berlin / Heidelberg, 2013, pp. 381–389.
[12] Michael Hölzl and C. Schaffer: “An Adaptive and Book-Oriented Mobile Touch Screen User Interface Concept for Novice Senior Users”. In: Proceedings of the 11th International Conference on Advances in Mobile Computing & Multimedia (MoMM2013). ACM, Dec. 2013, pp. 576–584.
[13] Michael Hölzl, R. Neumeier, and G. Ostermayer: “Localization in an industrial environment: a case study on the difficulties for positioning in a harsh environment”. International Journal of Distributed Sensor Networks 11.8 (2015). doi: 10.1155/2015/567976
[14] G. Schoiber, R. Mayrhofer, and Michael Hölzl: “DAMN - A Debugging and Manipulation Tool for Android Applications”. In: Proceedings of the 14th International Conference on Advances in Mobile Computing and Multimedia (MoMM 2016). ACM, Nov. 2016, pp. 40–44.
[15] F. K. Carvalho Ota, M. Roland, Michael Hölzl, R. Mayrhofer, and A. Manacero: “Protecting Touch: Authenticated App-To-Server Channels for Mobile Devices Using NFC Tags”. Information 8.3 (2017).

• Technical Reports

[16] M. Roland and Michael Hölzl: Evaluation of Contactless Smartcard Antennas. Computing Research Repository (CoRR), arXiv:1507.06427 [cs.CR]. June 2015. url: http://arxiv.org/abs/1507.06427
[17] M. Roland and Michael Hölzl: Open Mobile API: Accessing the UICC on Android Devices. Computing Research Repository (CoRR), arXiv:1601.03027 [cs.CR]. Jan. 2016. url: http://arxiv.org/abs/1601.03027

SLIDE 27

REFERENCES

[18] A. Dmitrienko, S. Heuser, T. D. Nguyen, M. d. S. Ramos, A. Rein, and A.-R. Sadeghi: “Market-Driven Code Provisioning to Mobile Secure Hardware”. In: Financial Cryptography and Data Security. Vol. 8975. LNCS. Springer, Berlin, Heidelberg, Jan. 2015. doi: 10.1007/978-3-662-47854-7_23.
[19] J. E. Ekberg, K. Kostiainen, and N. Asokan: “The Untapped Potential of Trusted Execution Environments on Mobile Devices”. IEEE Security & Privacy 12.4 (July 2014), pp. 29–37. doi: 10.1109/MSP.2014.38.
[20] Centre for Research on Cryptography and Security: JCAlgTest - Comparative table. Nov. 2017. url: https://www.fi.muni.cz/~xsvenda/jcalgtest/comparative-table.html

SLIDE 28

CREDITS

• Pictures
  • Nexus 5 by Google Android, wikimedia.org
  • Atdrivinglicencefront by Austrian Government, wikimedia.org
  • Entry Ticket, Admit One by Karen Arnold, publicdomainpictures.net
  • Keychain by dos72, pixabay.com
  • Österreichischer Reisepass by Rep. Österreich, wikimedia.org
  • Money Wallet by Andrew-Art, pixabay.com
  • Security board chip computer by OpenClipart-Vecotrs, pixabay.com