SLIDE 1

Password Authenticated Key Agreement for Contactless Smart Cards

Dennis Kügler (1), Heike Neumann (2), Sebastian Stappert (2), Markus Ullmann (1), Matthias Vögeler (2)

(1) Bundesamt für Sicherheit in der Informationstechnik
(2) NXP Semiconductors

SLIDE 2

Outline

  • Security attacks concerning contactless smart cards
  • Security limitation of former solution
  • Password-based cryptographic protocols
      • Features of password-based protocols
      • PACE
      • TC-AMP
      • Comparison PACE – TC-AMP
  • Conclusion

SLIDE 3

Contactless Smart Card

Figure labels: contactless smart card (picc); radio frequency interface device (pcd) / ISO 14443 reader (optical character recognition component)

Security Attacks

  1. Unauthorized communication with the smart card
  2. Eavesdropping of an existing pcd-picc communication

SLIDE 4

ePassport: BAC-Protocol

Inspection System: read MRZ optically; calculate access key K from optically read MRZ
RF-Chip: choose rChip randomly
RF-Chip → Inspection System: challenge rChip
Inspection System: choose rReader randomly; choose key KReader; encrypt...
Inspection System → RF-Chip: ciphertext EK(rReader, rChip, KReader)
RF-Chip: decrypt...; rChip correct?; choose key KChip; encrypt...
RF-Chip → Inspection System: ciphertext EK(rChip, rReader, KChip)
Inspection System: decrypt...; rReader correct?

  • Limitations
      • Entropy of the derived session key
      • BAC key is static
  • Base ideas for contactless cards
      • Two channels (optic channel, magnetic channel)
      • „Representation“ of former border control operation

SLIDE 5

Contactless Card Operation

  • Smart card with contact interface
      Card operation is only possible if the card is physically connected to the terminal
  • Contactless card
      We are looking for a mechanism which „represents“ this connection process for contactless smart cards => secure connection establishment between contactless smart card and terminal

SLIDE 6

Password Based Cryptographic Protocols

  • Security Usage
      • Client Server Authentication
  • Approaches
      • Encrypted Key Exchange (EKE), Bellovin and Merritt 1992
      • ...
      • TP-AMP, Taekyoung Kwon 2004
  • Features
      • Strong session key agreement
      • Implicit entity authentication based on a shared secret of low entropy

SLIDE 7

Password Based Cryptographic Protocols (2)

  • Secure connection establishment between smart card and terminal
      • Password Authenticated Connection Establishment (PACE), 2006
      • Terminal-Card-TP-AMP (TC-AMP), „simplified TP-AMP“, 2008
  • Low entropy of the password
      • e.g. 6 digits => 10^6 passwords
      • Adversary knows in principle the whole set of possible passwords

SLIDE 8

Structure of PACE

  1. Precondition: common elliptic curve E, base point G
  2. Key derivation, selection of a random number s
       μ = h(π|1) mod n
       ← z = Encryption(μ, s)
       s = Decryption(μ, z)
  3. Calculation of a random curve point P (anonymous DH)
  4. Mapping s → elliptic curve E
       G' = s * G + P
  5. Calculation of a common secret curve point K
       anonymous DH using G'
  6. Mutual authentication of picc and pcd
       MAC(kMAC, PKpicc) →
       ← MAC(kMAC, PKpcd)

Figure labels: picc; 643215; π; pcd

SLIDE 9

Security Requirements

  • General Requirements
      • Authentication of terminals
      • Strong session key agreement
      • Forward secrecy of the session keys
  • Specific Requirements Concerning Password Based Protocols
      • Security against off-line dictionary attacks
      • Security against on-line dictionary attacks
          • Type (1): can't abuse the protocol to eliminate passwords
          • Type (2): test at most one password per protocol run

SLIDE 10

Security of PACE

  • Authentication of terminals
      „secrecy of π“, knowing and using π
  • Strong session key agreement
      computational DH assumption
  • Forward secrecy of the session keys
      random calculation of curve point K
  • Security against off-line dictionary attacks
      if s is chosen randomly, z is also random (password-based encryption is a pseudorandom permutation)
  • Security against on-line dictionary attacks
      • Type (1): can't abuse the protocol to eliminate passwords
          s < 2^m (m: block size of the used block cipher)
      • Type (2): test at most one password per protocol run
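
The six steps from the "Structure of PACE" slide as one simulated run, with picc and pcd side by side in a single function; a run with a wrong π fails only at the MAC check in step 6, which is the "one password per protocol run" property listed above. This is an added example, not code from the presentation. Assumptions: secp256k1 as curve E, SHA-256 as h, an XOR pad in place of the block cipher, HMAC-SHA256 as the MAC, and the "mod n" on μ dropped because μ is used only as a cipher key here.

```python
import hashlib, hmac, secrets

# Assumption: secp256k1 (a = 0) stands in for the common curve E, base point G, order N.
P_MOD = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):
    """Point addition on E; None is the point at infinity."""
    if A is None or B is None:
        return A or B
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P_MOD) if A == B
           else (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD))
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def mul(k, A):  # scalar multiplication k * A (double-and-add, not constant time)
    R = None
    while k:
        R, A, k = (add(R, A) if k & 1 else R), add(A, A), k >> 1
    return R

def cipher(pi, block):
    """Stand-in for Encryption/Decryption(mu, .): XOR pad keyed by mu = h(pi|1)."""
    mu = hashlib.sha256(pi + b"1").digest()
    return bytes(x ^ y for x, y in zip(block, hashlib.sha256(b"pad" + mu).digest()))

def mac(K, PK):  # MAC(kMAC, PK), kMAC derived from the shared point K (assumed KDF)
    return hmac.new(hashlib.sha256(b"%d,%d" % K).digest(), b"%d,%d" % PK, "sha256").digest()

def pace_run(pi_picc, pi_pcd):
    """One protocol run; True only if both authentication tokens verify."""
    rnd = lambda: secrets.randbelow(N - 1) + 1
    s = secrets.token_bytes(32)              # step 2: picc chooses s ...
    z = cipher(pi_picc, s)                   # ... and sends z = Encryption(mu, s)
    s_pcd = cipher(pi_pcd, z)                # pcd decrypts with the pi it was given
    P = mul(rnd(), mul(rnd(), G))            # step 3: anonymous DH, same P on both sides
    to_g = lambda sb: add(mul(int.from_bytes(sb, "big") % N, G), P)
    g_picc, g_pcd = to_g(s), to_g(s_pcd)     # step 4: G' = s * G + P
    x, y = rnd(), rnd()                      # step 5: anonymous DH using G'
    pk_picc, pk_pcd = mul(x, g_picc), mul(y, g_pcd)
    k_picc, k_pcd = mul(x, pk_pcd), mul(y, pk_picc)
    t_pcd, t_picc = mac(k_pcd, pk_picc), mac(k_picc, pk_pcd)   # step 6
    return (hmac.compare_digest(t_pcd, mac(k_picc, pk_picc))
            and hmac.compare_digest(t_picc, mac(k_pcd, pk_pcd)))
```
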

SLIDE 11

Structure of TC-AMP

  1. Precondition: common elliptic curve E, base point G
  2. Key derivation, mapping π → elliptic curve E
       μ = h(0|π|0) mod n
       Γ0 = μ * G
       Γ1 = μ * G' (G' = l * G, l unknown)
  3. Calculation of random curve points
       M = (x * G) + Γ1' (x random) →
       ← Q = y * Γ0 (y random)
  4. Calculation of a common secret curve point A = B
       A = μ^-1 (x + Mx) * Q
       B = y * (M + Γ1 + (Mx * G))
  5. Mutual authentication of picc and pcd
       h(3|Mx|Ax|Qx|3) →
       ← h(2|Mx|Bx|Qx|2)

Figure labels: picc; 643215; π; pcd

SLIDE 12

Security of TC-AMP

  • Authentication of terminals
      „secrecy of π“, knowing and using π
  • Strong session key agreement
      intractability assumption of the discrete logarithm problem, cryptographic strength of the hash function
  • Forward secrecy of the session keys
      random calculation of curve point A = B
  • Security against off-line dictionary attacks
      M and Q are chosen randomly
  • Security against on-line dictionary attacks
      • Type (1): can't abuse the protocol to eliminate passwords
          injective mapping π → Γ0
      • Type (2): test at most one password per protocol run

SLIDE 13

Comparison PACE - TC-AMP

                              PACE                        TC-AMP
  • EC mapping:               s → E                       π → E
  • Mapping G, G':            G' = s * G + P (dynamic)    G' = l * G (static)
  • Authentication:           MAC-calculation             Hash-generation
  • Implementation:           5 APDUs                     3 APDUs
  • Performance (SmartMX):    945 ms                      978 ms

SLIDE 14

PACE Performance

SLIDE 15

TC-AMP Performance

SLIDE 16

Conclusion

  • Presentation of two password based protocols for secure connection establishment between contactless smart card and terminal
  • Intention to use PACE for the next generation of German ID cards (contactless ISO 14443 interface)
  • Formal cryptographic and logical proofs of security are subject of current studies
  • On-line dictionary attacks are always possible (security mechanism: time delay between failed protocol runs)
  • Future work: Javacard implementation of PACE and TC-AMP (Sun-JavaCard-API: EC-arithmetic is missing)