APPLYING SMART CARDS FOR SECURITY CRITICAL MOBILE APPLICATIONS - PowerPoint PPT Presentation

APPLYING SMART CARDS FOR SECURITY CRITICAL MOBILE APPLICATIONS Michael Hölzl Institut of Networks and Security, JKU Linz PhD defense 2 nd of March 2018 14:15-15:45, Science Park 3 – Room S3 218

MOTIVATION  Trend towards security and privacy-sensitive services on mobile devices  28% smart phone users already used mobile payment in 2015 (USA) (Source: 03-2016 Consumers and Mobile Financial Services)  Mobile banking already exceeds online banking in many countries (Source: 11-2016 Customer Loyalty in Retail Banking: Global Edition 2016)  Governmental mobile eIDs (e.g. Estonia, Belgium, Austria, Moldova) 2

MOTIVATION  Mobile device threats  Malware attacks  Although small infection rate (~0.28% on Android in 2014), attacks have been increasing lately (Source: 2014 [Truong et al.]; 2016 [Nokia]; 2017 [Symantec Threat Report])  Lost & stolen devices  Risks  Data breach  Identity theft  Money loss  Data manipulation  Privacy loss  etc. Data breach types in financial sector (Source: 2016 [bitglass Financial Services Breach Report]) 3

PROTECTING DATA ON MOBILE DEVICES  Possible approach: everything online  Security critical operations on trusted servers  New security and privacy concerns  e.g. single point of failure  Our approach: Secure software through tamper resistant hardware!  E.g. smart cards, TPMs, NFC secure element (SE)  Protect data against  Unauthorized access  Manipulation  Goal: Open Ecosystem for apps to access tamper resistant hardware 4

OPEN ECOSYSTEM FOR TAMPER RESISTANT HARDWARE  Practicability Limits  Limited storage space and memory (range within kB up to few MB)  Security concerns  Data transfer in the range of kB/s  e.g. UICC SE with 3,31 kB/s , microSD SE with 329 B/s [1]  Computational performance [20] SHA2-256 AES128 Secure Random (256B) encrypt (256B) (256B) NXP J3A080 69.32 ms 21.41 ms 21.64 ms NXP JCOP21 22.39 ms 11.65 ms 33.77 ms v2.4.2R3 G+D Smartcafe 39.07 ms 21.7 ms 18.03 ms 6.0 80K JavaCOS A22 39.76 ms 3.61 ms 12.18 ms OnePlus One 17 µs 52 µs 78 µs (Android phone) 5

OPEN ECOSYSTEM FOR TAMPER RESISTANT HARDWARE  Goals  Applet management for security-critical applications For example Dmitrienko et al. [18] or Ekberg et al. [19]   Allow access to safeguarding features of hardware See available iOS and Android APIs   Protect against physical and malware attacks  Protect access and communication path to applets  Ensure authenticity of the platform and applications accessing hardware  Practicability (+user-friendliness) of application despite limited memory and processing power 6

OPEN ECOSYSTEM FOR TAMPER RESISTANT HARDWARE  Research questions 1) How to bridge the gap between the requirement for hardware (such as smart cards) being as simple as possible from a security point of view and extensibility towards arbitrary applications executed on it? 2) What are the computational limitations of integrated smart cards on mobile platforms and what are techniques to address these limitations in the design and the implementation of an application? 3) How can a smart card on a mobile device be used to ensure code integrity and authenticity of executed code while preserving the user's freedom to choose their software? 4) How can complex applications , such as biometric match-on-card authentication or privacy-preserving electronic identities, be implemented on smart cards and still remain practical ? 7

OPEN ECOSYSTEM FOR TAMPER RESISTANT HARDWARE  Proof of concept, performance evaluation and analysis [1] “Requirements Analysis for an Open Ecosystem for Embedded Tamper Resistant Hardware on Mobile Device”. In: MoMM2013. ACM, Dec. 2013.  Customizable secure boot on mobile devices [2] “A Practical Hardware-Assisted Approach to Customize Trusted Boot for Mobile Devices”. In: ISC 2014. Vol. 8783. Lecture Notes in Computer Science. Springer, Oct. 2014.  Efficient password-authenticated secure channel protocol [3] “Mobile Application to Java Card Applet Communication using a Password-authenticated Secure Channel”. In: MoMM2014. ACM, Dec. 2014. [4] “A password-authenticated secure channel for App to Java Card applet communication” IJPCC, 11.4 (2015).  Biometric match-on-card authentication [5] “Mobile Gait Match-on-Card Authentication from Acceleration Data with Offline-Simplified Models”. In: MoMM2016. ACM, Nov. 2016. [6] “Mobile Match-on-Card Authentication Using Offline-Simplified Models with Gait and Face Biometrics”. IEEE Transactions on Mobile Computing (2018).  Practicability for security-critical mobile applications [7] “Real-World Identification: Towards a Privacy-Aware Mobile eID for Physical and Offline Verification”. In: MoMM 2016. ACM, Nov. 2016 [8] “An Extensible and Privacy-preserving Mobile eID System for Real-world Identification and Offline Verification”. In: IFIP Summer School on Privacy and Identity Management (Pre-proceedings). 2017 [9] “Real-world Identification for an Extensible and Privacy-preserving Mobile eID”. In: Privacy and Identity Management. Springer International Publishing, 2017 [10] “Bridging the Gap in Privacy-Preserving Revocation: Practical and Scalable Revocation for a Privacy-Aware Mobile eID”. In: SAC 2018. ACM, 2018. 8

Practicability for security-critical mobile applications [7] Michael Hölzl, M. Roland, and R. Mayrhofer: “Real-World Identification: Towards a Privacy-Aware Mobile eID for Physical and Offline Verification”. In: Proceedings of the 14th International Conference on Advances in Mobile Computing and Multimedia (MoMM 2016). ACM. ACM, Nov. 2016, pp. 280–283. [8] Michael Hölzl, M. Roland, and R. Mayrhofer: “An Extensible and Privacy-preserving Mobile eID System for Real-world Identification and Offline Verification”. In: The Smart World Revolution - 12th International IFIP Summer School on Privacy and Identity Management (Pre-proceedings). 2017 [9] Michael Hölzl, M. Roland, and R. Mayrhofer: “Real-world Identification for an Extensible and Privacy- preserving Mobile eID”. In: Privacy and Identity Management. The Smart World Revolution - 12th IFIP WG 9.2, 9.6/11.7, 11.6/SIG 9.2.2 International IFIP Summer School. Ispra, Italy: Springer International Publishing, 2017 [10] Michael Hölzl, M. Roland, O. Mir, and R. Mayrhofer: “Bridging the Gap in Privacy-Preserving Revocation: Practical and Scalable Revocation for a Privacy-Aware Mobile eID”. In: Proceedings of SAC 2018: Symposium on Applied Computing. In press. Pau, France: ACM, 2018. Research Questions How can real-world identification of a privacy-preserving mobile eID be realized in offline as well as power-off settings? How can an eID be used for many services in a privacy-preserving manner? How can eID revocation be handled in a privacy-preserving manner? How can an eID system scale for large populations? 9

A SECURITY CRITICAL MOBILE APPLICATION  Privacy-preserving mobile eIDs  e.g. only verify age of identity holder ID number: ID number: 123456789 123456789 Surname: Surname: EINSTEIN EINSTEIN Givenname: Givenname: Albert Albert Date of Birth: Sex: Date of Birth: Sex: 1879-03-14 M 1879-03-14 M > 16 years Place of Birth: Place of Birth: GENUINE GENUINE Ulm, Germany Ulm, Germany Citizenship: Citizenship: USA, Switzerland USA, Switzerland Signature: Signature: 10

REQUIREMENTS Functional Mobility  Real-world identification  Offline  One-to-many  Power-off  Revocation  Scalability Security Privacy  Key confidentiality  Unlinkability  Unforgeability  User control  Communication protection  Privacy-preserving attribute  State-of-the-art cryptography queries 11

IDENTITY REVOCATION  Usual approach: revocation list  Problem: for privacy no unique ID can be provided  Additional challenges: 1. Additional computation effort 2. Limited storage size on tamper resistant hardware 3. Items on the revocation list might loose anonymity 4. Could weaken unlinkability 5. Growing revocation list 12

PSEUDO-RANDOM REVOCATION TOKENS  Generation of a revocation token by prover and revocation manager  Token consists of  Secret  Public revocation token How to proof the validity of these public tokens? 13

NEW APPROACH: DISPOSABLE DYNAMIC ACCUMULATORS  Accumulator  Arbitrary set of values are combined into one short value  This value does not grow in size  A witness is used to verify if an element is a member of that set  Dynamic Accumulator  Allows to dynamically add and delete elements  Based on the standard RSA function  The witness has all but one element  Deleting can be done with the knowledge of the factorization of N = p ⋅ q 14

NEW APPROACH: DISPOSABLE DYNAMIC ACCUMULATORS  Disposable dynamic accumulator (DDA)  Let be an RSA modulus, where p,q are strong primes N = p ⋅ q  Given the set  Generate DDA by computing the modular inverses  Note: elements of the set need to be relatively prime to and φ ( N ) should be hashed before accumulated  We define the function for that 15

NEW APPROACH: DISPOSABLE DYNAMIC ACCUMULATORS  Disposable dynamic accumulator (DDA)  Witness for an element is computed with such that  A verifier can validate the membership of an element by checking 16

VERIFICATION PROTOCOL 17

EVALUATION 18