attacking globalplatform scp02 compliant smart cards
play

Attacking GlobalPlatform SCP02-compliant Smart Cards Using a Padding - PowerPoint PPT Presentation

Apr 12, 2023 •301 likes •646 views

Attacking GlobalPlatform SCP02-compliant Smart Cards Using a Padding Oracle Attack Gildas Avoine 1 , 2 Loc Ferreira 3 , 1 Univ Rennes, INSA Rennes, CNRS, IRISA, France Institut Universitaire de France Orange Labs, Applied Cryptography Group,

  1. Attacking GlobalPlatform SCP02-compliant Smart Cards Using a Padding Oracle Attack Gildas Avoine 1 , 2 Loïc Ferreira 3 , 1 Univ Rennes, INSA Rennes, CNRS, IRISA, France Institut Universitaire de France Orange Labs, Applied Cryptography Group, Caen, France September 12, 2018 CHES 2018 SCP02 September 12, 2018 1 / 19

  2. Outline 1. Description of SCP02 2. Padding oracle attack 3. Experimental results 4. Conclusion CHES 2018 SCP02 September 12, 2018 2 / 19

  3. SCP02 Introduction Context Security protocol promoted by GlobalPlatform (association that aims at promoting standard, interoperable mechanisms related to the chip technology) Element of a set of security protocols: SCP03, SCP80, SCP81, etc. Likely the most widely used SCP protocol Cryptographic functions Based on DES/3DES (encryption and MAC; cf. [ISO9797-1] and [ISO10116]) Purpose Secure channel between an “ off card entity ” and a card Different security levels: integrity, confidentiality, both Remote card management (e.g., applet upload into an UICC/SIM card) CHES 2018 SCP02 September 12, 2018 3 / 19

  4. SCP02 Command encryption � �� � HDR PLAINTEXT PAD MAC PLAINTEXT PAD ENC � �� � Kenc Kcmac ENC MAC IV ENC = 00 8 IV MAC HDR’ CIPHERTEXT TAG CHES 2018 SCP02 September 12, 2018 4 / 19

  5. SCP02 Command decryption Kcmac 3 MAC IV MAC TAG’ � �� � HDR PLAINTEXT PAD MAC 80 00 ··· 00 2 PLAINTEXT PAD ENC � �� � Kenc 1 DEC IV ENC = 00 8 HDR’ CIPHERTEXT TAG CHES 2018 SCP02 September 12, 2018 5 / 19

  6. CBC mode Encryption B 1 ⊕ ··· ( c 6 ⊕ b 6 ) ··· ENC C 0 C 1 ··· b 7 ⊕ ··· ( c 7 ⊕ b 7 ) ENC ··· c 7 C 1 CHES 2018 SCP02 September 12, 2018 6 / 19

  7. CBC mode Decryption C 0 C 1 DEC ··· ( c 6 ⊕ b 6 ) ··· ⊕ B 1 ··· c 7 C 1 DEC ··· ( c 7 ⊕ b 7 ) ⊕ ··· c 7 ⊕ ( c 7 ⊕ b 7 ) CHES 2018 SCP02 September 12, 2018 7 / 19

  8. CBC mode Malleability c 7 ⊕ g ··· c 7 C 1 DEC ··· ( c 7 ⊕ b 7 ) ⊕ ··· b 7 CHES 2018 SCP02 September 12, 2018 8 / 19

  9. CBC mode Malleability c 7 ⊕ g ··· ✚ c 7 C 1 ❩ ✚ ❩ DEC ··· ( c 7 ⊕ b 7 ) ⊕ ··· ( b 7 ⊕ g ) CHES 2018 SCP02 September 12, 2018 8 / 19

  10. CBC mode Malleability c 7 ⊕ g ··· ✚ c 7 C 1 ❩ ✚ ❩ DEC ··· ( c 7 ⊕ b 7 ) ⊕ ··· ( b 7 ⊕ g ) [ ··· plaintext ··· ∥ 80 ] CHES 2018 SCP02 September 12, 2018 8 / 19

  11. CBC mode Malleability c 7 ⊕ g ··· ✚ c 7 C 1 ❩ ✚ ❩ DEC ··· ( c 7 ⊕ b 7 ) ⊕ ··· ( b 7 ⊕ g ) [ ··· plaintext ··· ∥ 80 ] g = 13 ⇒ ⇒ invalid padding CHES 2018 SCP02 September 12, 2018 8 / 19

  12. CBC mode Malleability c 7 ⊕ g ··· ✚ c 7 C 1 ❩ ✚ ❩ DEC ··· ( c 7 ⊕ b 7 ) ⊕ ··· ( b 7 ⊕ g ) [ ··· plaintext ··· ∥ 80 ] g = 13 ⇒ ⇒ invalid padding g = 14 ⇒ ⇒ invalid padding CHES 2018 SCP02 September 12, 2018 8 / 19

  13. CBC mode Malleability c 7 ⊕ g ··· ✚ c 7 C 1 ❩ ✚ ❩ DEC ··· ( c 7 ⊕ b 7 ) ⊕ ··· ( b 7 ⊕ g ) [ ··· plaintext ··· ∥ 80 ] g = 13 ⇒ ⇒ invalid padding g = 14 ⇒ ⇒ invalid padding g = 15 ⇒ ⇒ invalid padding CHES 2018 SCP02 September 12, 2018 8 / 19

  14. CBC mode Malleability c 7 ⊕ g ··· ✚ c 7 C 1 ❩ ✚ ❩ DEC ··· ( c 7 ⊕ b 7 ) ⊕ ··· ( b 7 ⊕ g ) [ ··· plaintext ··· ∥ 80 ] g = 13 ⇒ ⇒ invalid padding g = 14 ⇒ ⇒ invalid padding g = 15 ⇒ ⇒ invalid padding g = 16 ⇒ ⇒ invalid padding CHES 2018 SCP02 September 12, 2018 8 / 19

  15. CBC mode Malleability c 7 ⊕ g ··· ✚ c 7 C 1 ❩ ✚ ❩ DEC ··· ( c 7 ⊕ b 7 ) ⊕ ··· ( b 7 ⊕ g ) [ ··· plaintext ··· ∥ 80 ] g = 13 ⇒ ⇒ invalid padding g = 14 ⇒ ⇒ invalid padding g = 15 ⇒ ⇒ invalid padding g = 16 ⇒ ⇒ invalid padding g = 17 ⇒ ⇒ valid padding CHES 2018 SCP02 September 12, 2018 8 / 19

  16. CBC mode Malleability c 7 ⊕ g ··· ✚ c 7 C 1 ❩ ✚ ❩ DEC ··· ( c 7 ⊕ b 7 ) ⊕ ··· ( b 7 ⊕ g ) [ ··· plaintext ··· ∥ 80 ] g = 13 ⇒ b 7 ⊕ g = 76 ⇒ invalid padding g = 14 ⇒ b 7 ⊕ g = 77 ⇒ invalid padding g = 15 ⇒ b 7 ⊕ g = 78 ⇒ invalid padding g = 16 ⇒ b 7 ⊕ g = 79 ⇒ invalid padding g = 17 ⇒ b 7 ⊕ g = 80 ⇒ valid padding ⇒ b 7 = g ⊕ 80 = 97 CHES 2018 SCP02 September 12, 2018 8 / 19

  17. CBC mode Malleability c 7 ⊕ g ··· ✚ c 7 C 1 ❩ ✚ ❩ DEC ··· ( c 7 ⊕ b 7 ) ⊕ ··· ( b 7 ⊕ g ) [ ··· plaintext ··· ∥ 80 ] g = 13 ⇒ b 7 ⊕ g = 76 ⇒ invalid padding g = 14 ⇒ b 7 ⊕ g = 77 ⇒ invalid padding g = 15 ⇒ b 7 ⊕ g = 78 ⇒ invalid padding g = 16 ⇒ b 7 ⊕ g = 79 ⇒ invalid padding g = 17 ⇒ b 7 ⊕ g = 80 ⇒ valid padding ⇒ b 7 = g ⊕ 80 = 97 The validity of padding data indicates whether b 7 can be found or not. Technique called “padding oracle attack” due to Vaudenay in 2002 [V02]. CHES 2018 SCP02 September 12, 2018 8 / 19

  18. Building the padding oracle How to know if the padding data is valid or invalid (after decryption)? 1. decryption 1. decryption 2. padding data: invalid 2. padding data: valid ❍ ✟ 3. ✟ ❍ MAC 3. MAC CHES 2018 SCP02 September 12, 2018 9 / 19

  19. Building the padding oracle How to know if the padding data is valid or invalid (after decryption)? 1. decryption 1. decryption 2. padding data: invalid 2. padding data: valid ❍ ✟ 3. ✟ ❍ MAC 3. MAC Error message ERR_DEC ERR_MAC (e.g., WTLS [V02]) CHES 2018 SCP02 September 12, 2018 9 / 19

  20. Building the padding oracle How to know if the padding data is valid or invalid (after decryption)? 1. decryption 1. decryption 2. padding data: invalid 2. padding data: valid ❍ ✟ 3. ✟ ❍ MAC 3. MAC Error message ERR_DEC ERR_MAC (e.g., WTLS [V02]) Computation time time ↘ time ↗ (e.g., TLS 1.0 [CHVV03]) CHES 2018 SCP02 September 12, 2018 9 / 19

  21. Practical experiments The smart card sends always a response (status word). Invalid padding data or invalid MAC ⇒ same error code CHES 2018 SCP02 September 12, 2018 10 / 19

  22. Practical experiments The smart card sends always a response (status word). Invalid padding data or invalid MAC ⇒ same error code valid padding 200 invalid padding 150 Number of samples 100 50 0 32 33 34 35 36 Time (ms) The card response time reflects the card computation time ⇒ suitable padding oracle CHES 2018 SCP02 September 12, 2018 10 / 19

  23. Practical experiments 80 valid padding invalid padding 300 60 Number of samples Number of samples 200 40 100 20 0 0 31 32 33 34 35 20 40 60 80 100 Time (ms) Time (ms) 150 120 100 100 80 Number of samples Number of samples 60 50 40 20 0 0 14 16 18 20 22 24 26 28 45 50 55 60 65 Time (ms) Time (ms) CHES 2018 SCP02 September 12, 2018 11 / 19

  24. Practical experiments Experimental setting: card connected to a card reader (4 card readers, wired and wireless) 10 smart cards from 6 card manufacturers SIM cards, generic Java cards Experiment: find a 16-byte secret key sent to the smart card in an encrypted SCP02 command 300 experiments/card ⇒ 100 % success Practical complexity ∈ [ 127 . 75 , 133 . 38 ] close to best average case (128) Time to find 16 bytes: 2.7 mn to 11.4 mn (variable response time from the smart card) CHES 2018 SCP02 September 12, 2018 12 / 19

  25. Practical experiments Experimental setting: card connected to a card reader (4 card readers, wired and wireless) 10 smart cards from 6 card manufacturers SIM cards, generic Java cards Experiment: find a 16-byte secret key sent to the smart card in an encrypted SCP02 command 300 experiments/card ⇒ 100 % success Practical complexity ∈ [ 127 . 75 , 133 . 38 ] close to best average case (128) Time to find 16 bytes: 2.7 mn to 11.4 mn (variable response time from the smart card) ⇒ Padding oracle attack is applicable against SCP02. CHES 2018 SCP02 September 12, 2018 12 / 19

  26. Practical experiments Experimental setting: card connected to a card reader (4 card readers, wired and wireless) 10 smart cards from 6 card manufacturers SIM cards, generic Java cards Experiment: find a 16-byte secret key sent to the smart card in an encrypted SCP02 command 300 experiments/card ⇒ 100 % success Practical complexity ∈ [ 127 . 75 , 133 . 38 ] close to best average case (128) Time to find 16 bytes: 2.7 mn to 11.4 mn (variable response time from the smart card) ⇒ Padding oracle attack is applicable against SCP02. ⇒ Among all the deployed smart cards (including 6 billion SIM cards), how many may be impacted? CHES 2018 SCP02 September 12, 2018 12 / 19

  27. Attack scenario Possible real-life scenario: upload of an applet embedding a secret key (e.g., transportation, banking) into the UICC/SIM card. 1. The victim downloads from a popular store an infected application into his smartphone. The application embeds a Trojan (e.g., Tordow [K16], Dvmap [U17]). 2. The Trojan gets access to the memory space of the legitimate application (through privileges escalation). 3. The Trojan can apply the attack: it reads, and modifies the encrypted SCP02 commands received by the legitimate application. 4. The Trojan repeatedly triggers the installation/deinstallation of the applet ⇒ the secret key is repeatedly sent through (new) SCP02 channels. CHES 2018 SCP02 September 12, 2018 13 / 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Smart Cards Carrying certificates around How do you use your [digital] identity? Install your

Smart Cards Carrying certificates around How do you use your [digital] identity? Install your

4/25/08 Smart Cards Carrying certificates around How do you use your [digital] identity? Install your certificate in browser On-computer keychain file Need there be more? 1 4/25/08 Smart cards Smart card Portable device

316 views • 4 slides
ISG Seminar Agenda for Lecture 3 rd November 2011 Evolution of smart cards/RFIDs From Smart

ISG Seminar Agenda for Lecture 3 rd November 2011 Evolution of smart cards/RFIDs From Smart

ISG Seminar Agenda for Lecture 3 rd November 2011 Evolution of smart cards/RFIDs From Smart Cards to NFC Smart Phone Attacks/countermeasures Security Near Field Communication (NFC) Keith Mayes NFC Security Elements

550 views • 8 slides
INOSSEM i nsti tut de recherche Guillaume Bouffard (SSD) Vulnerability Analysis on Smart Cards

INOSSEM i nsti tut de recherche Guillaume Bouffard (SSD) Vulnerability Analysis on Smart Cards

Introduction Fault Tree Analysis An API to Mitigate the Undesirable Events Conclusion Vulnerability Analysis on Smart Cards using Fault Tree Guillaume Bouffard Bhagyalekshmy N Thampi Jean-Louis Lanet Smart Secure Devices (SSD) Team

705 views • 39 slides
Fault enabled viruses against smart cards 1 2 1 Samiya

Fault enabled viruses against smart cards 1 2 1 Samiya

Fault enabled viruses against smart cards 1 2 1 Samiya HAMADOUCHE , Jean-Louis LANET , Mohamed MEZGHICHE 1 LIMOSE Laboratory, University

898 views • 36 slides
Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat Researcher at Trend Micro- research and blogger on criminal underground, persistent threats,

792 views • 44 slides
Smart Cards Smart Cards a(s) a(s) Safety Critical Systems Safety Critical Systems Gemplus

Smart Cards Smart Cards a(s) a(s) Safety Critical Systems Safety Critical Systems Gemplus

Smart Cards Smart Cards a(s) a(s) Safety Critical Systems Safety Critical Systems Gemplus Labs Gemplus Labs Pierre.Paradinas Paradinas@ @gemplus gemplus.com .com Pierre. Agenda Agenda Smart Card Technologies Smart Card

358 views • 31 slides
Gaming & Smart Cards Smart Cards Empower Your Vision Gaming Industry Challenges Gaming

Gaming & Smart Cards Smart Cards Empower Your Vision Gaming Industry Challenges Gaming

Gaming & Gaming & Smart Cards Smart Cards Empower Your Vision Gaming Industry Challenges Gaming Industry Challenges Customer Experience Customer Experience Security and Privacy Security and Privacy Integration

544 views • 27 slides
National ID Cards National Smart Card Office (NSCO)

National ID Cards National Smart Card Office (NSCO)

National ID Cards National Smart Card Office (NSCO) www.sabteahval.ir/houshmand/ National Organization for Civil Tell: 60902701-2 Fax: 66736526 Registration(NOCR) Agenda 1. Traditional ID

370 views • 23 slides
In Healthcar In Healthcare CREATIVE OR NON-COMPLIANT? Laura Pietromica Customer Advisor &

In Healthcar In Healthcare CREATIVE OR NON-COMPLIANT? Laura Pietromica Customer Advisor &

Smar Smart De t Device Usa vice Usage ge In Healthcar In Healthcare CREATIVE OR NON-COMPLIANT? Laura Pietromica Customer Advisor & Consultant HIMSS Analytics Certified 11 August 2019 Creative AGENDA Non-Compliant Final

331 views • 20 slides
The Ins and Outs of Programming Cryptography in Smart Cards . . . and announcing the launch of

The Ins and Outs of Programming Cryptography in Smart Cards . . . and announcing the launch of

The Ins and Outs of Programming Cryptography in Smart Cards . . . and announcing the launch of OpenCard Pascal Paillier CryptoExperts Real World Crypto 2015 Jan 2015 Real World Crypto 2015 Jan 2015 What are Smart Cards? Real World

968 views • 51 slides
Distributed Systems On-computer keychain file Need there be more? Smart Cards, Biometrics,

Distributed Systems On-computer keychain file Need there be more? Smart Cards, Biometrics,

Carrying certificates around How do you use your [digital] identity? Install your certificate in browser Distributed Systems On-computer keychain file Need there be more? Smart Cards, Biometrics, & CAPTCHA Paul Krzyzanowski

215 views • 5 slides
Reverse engineering smart cards Christian M. Ams uss linuxwochen@christian.amsuess.com

Reverse engineering smart cards Christian M. Ams uss linuxwochen@christian.amsuess.com

Reverse engineering smart cards Christian M. Ams uss linuxwochen@christian.amsuess.com http://christian.amsuess.com/ 2010-05-06 Overview objective understand smart card communication based on sniffable communication hardware standard card

468 views • 20 slides
www.worldofinsights.co How to use the cards REFLECT CARDS Use as an ice-breaker to create

www.worldofinsights.co How to use the cards REFLECT CARDS Use as an ice-breaker to create

www.worldofinsights.co How to use the cards REFLECT CARDS Use as an ice-breaker to create dialogue on learning. RETHINK CARDS Use as a brainstorming tool to spark new ideas. ACT CARDS Use to transform insights into action. Licence to Dare

434 views • 24 slides
Factoring RSA keys from certified smart cards: Coppersmith in the wild Daniel J. Bernstein,

Factoring RSA keys from certified smart cards: Coppersmith in the wild Daniel J. Bernstein,

Factoring RSA keys from certified smart cards: Coppersmith in the wild Daniel J. Bernstein, Yun-An Chang, Chen-Mou Cheng, Li-Ping Chou, Nadia Heninger, Tanja Lange, Nicko van Someren September 16, 2013 Problems with non-randomness 2012

810 views • 32 slides
Factoring RSA keys from certified smart cards: Coppersmith in the wild Daniel J. Bernstein,

Factoring RSA keys from certified smart cards: Coppersmith in the wild Daniel J. Bernstein,

Factoring RSA keys from certified smart cards: Coppersmith in the wild Daniel J. Bernstein, Yun-An Chang, Chen-Mou Cheng, Li-Ping Chou, Nadia Heninger, Tanja Lange, Nicko van Someren 5 December 2013 Problems with non-randomness 2012

545 views • 50 slides
Model-Based Security M. Ochoa Verification and Testing for F. Bouquet Smart-Cards J. Bottela

Model-Based Security M. Ochoa Verification and Testing for F. Bouquet Smart-Cards J. Bottela

Model-Based Security M. Ochoa Verification and Testing for F. Bouquet Smart-Cards J. Bottela E.Fourneret J.Jurjens P. Yousefi ARES 2011 OUTLINE Introduction Background UMLsec Model-based Testing Security in smart-card

356 views • 17 slides
CS 2112 Lab: Javadoc and Debugging CS 2112 Lab: Javadoc and Debugging Javadoc Overview Javadoc

CS 2112 Lab: Javadoc and Debugging CS 2112 Lab: Javadoc and Debugging Javadoc Overview Javadoc

CS 2112 Lab: Javadoc and Debugging CS 2112 Lab: Javadoc and Debugging Javadoc Overview Javadoc Overview Javadoc is a tool for creating html documentation The documentation is generated from comments It produces actual html web pages

401 views • 9 slides
Chapter 7, Object design is the process of adding details to the Object Design requirements

Chapter 7, Object design is the process of adding details to the Object Design requirements

Object Design Chapter 7, Object design is the process of adding details to the

532 views • 9 slides
Turbo Tester Reference Manual Version 02.10 Department of Computer Engineering Tallinn

Turbo Tester Reference Manual Version 02.10 Department of Computer Engineering Tallinn

Turbo Tester Reference Manual Version 02.10 Department of Computer Engineering Tallinn Technical University Estonia October 2002 Restrictions This version of Turbo Tester software (Software) is provided "as is" with no claims or

853 views • 49 slides
PREDICTIVE MODELING CONFERENCE Data Workshop Cyber Risk Models Loss Aggregation Models

PREDICTIVE MODELING CONFERENCE Data Workshop Cyber Risk Models Loss Aggregation Models

PREDICTIVE MODELING CONFERENCE Data Workshop Cyber Risk Models Loss Aggregation Models Advisens Data Assets CYBER RISK MODELS Cyber Case Count over Time Cyber Cases Entered per Day Case Type Composition Total : 21,817 Distribution

967 views • 51 slides
Determinants of Pull Request Evaluation Latency on GitHub Yue Yu, Huaimin Wang, Vladimir

Determinants of Pull Request Evaluation Latency on GitHub Yue Yu, Huaimin Wang, Vladimir

MSR 2015, Florence, Italy Wait For It Determinants of Pull Request Evaluation Latency on GitHub Yue Yu, Huaimin Wang, Vladimir Filkov, Prem Devanbu, Bogdan Vasilescu GitHub workflow Personal Main branches / branch forks Lots of

511 views • 17 slides
Java ByteCode Manuel Oriol June 8th, 2006 Byte Code? The Java language is compiled into an

Java ByteCode Manuel Oriol June 8th, 2006 Byte Code? The Java language is compiled into an

Java ByteCode Manuel Oriol June 8th, 2006 Byte Code? The Java language is compiled into an intermediary form called byte code It ensures portability The byte code is a succession of instructions that manipulate a stack Each

723 views • 57 slides
http:/ /chromatichq.com @ChromaticHQ Code Standards: It's Okay to be Yourself, But Write Your

http:/ /chromatichq.com @ChromaticHQ Code Standards: It's Okay to be Yourself, But Write Your

http:/ /chromatichq.com @ChromaticHQ Code Standards: It's Okay to be Yourself, But Write Your Code Like Everyone Else Alanna Burke @aburke626 Twitter, Drupal.org DrupalCon Baltimore 2017 What are Coding Standards? standard / stand

1.66k views • 141 slides
Transfer Learning in NLP Helping Small Teams Account for Small Datasets Ryan Smith

Transfer Learning in NLP Helping Small Teams Account for Small Datasets Ryan Smith

Transfer Learning in NLP Helping Small Teams Account for Small Datasets Ryan Smith ryan@wootric.com Transfer Learning in NLP What well cover A look into a real problem involving NLP and Deep Learning A brief discussion of the

837 views • 36 slides

More recommend