The Long and Winding Path to Secure Implementation of GlobalPlatform SCP10 (PowerPoint presentation)

SLIDE 1

The Long and Winding Path to Secure Implementation of GlobalPlatform SCP10

Daniel De Almeida Braga, Pierre-Alain Fouque, Mohamed Sabt (TCHES 2020)

SLIDE 2

Overview

  • Context
  • Deterministic RSA Padding
  • Padding Oracle
  • Key Reuse
  • Secure Implementation
  • Conclusion

SLIDE 3

Context

SLIDE 4

The smart card world

SLIDE 10

SCP (Secure Communication Protocol)

[Figure: APDU request/response exchanges between a card and an Off-Card Entity, protected by SCP, shown alongside TLS as the analogous channel]

  • Establish a secure session between a card and an Off-Card Entity
  • 2-step protocol: Key Exchange + Communication
  • SCP10 relies on a Public Key Infrastructure:
    • Both the card and the off-card entity have a key pair
    • They use each other's public key to encrypt/verify messages

SLIDE 16

Key Exchange Modes

[Figure (a) Key Transport mode: message flow between Card and OCE, in order: Applet Selection, Manage Security Environment, Certificate exchange, Perform Security Operation (dec), Get challenge, External authentication, Internal authentication]

[Figure (b) Key Agreement mode: the same flow between Card and OCE, followed by Key derivation on both sides]

SLIDE 18

Our contributions

Our contributions:

  • 1. Abuse ambiguities and flaws in the RSA encryption in Key Transport
  • 2. Recover session keys by two independent means
    • In less than a second with the first attack
    • In an average of 2h30 for the second
  • 3. Exploit a design flaw to forge a certificate, signed by the card
  • 4. Implement a (semi-)compliant version of SCP10 as an applet
  • 5. Propose a secure implementation, with an estimation of the corresponding overhead

However, we did not:
  × Attack real cards (no implementation in the wild)
  × Try to exploit weaknesses in the symmetric encryption

SLIDE 19

Our Threat Model

Our attackers can:
  • Initiate an SCP10 session with a card
  • Intercept, read and modify plaintext messages transmitted between a legitimate Off-Card Entity and the card
  • Measure the time needed by the card to respond

They cannot:
  × Have physical access to the card
  × Break the cryptographic primitives

SLIDE 20

Deterministic RSA Padding

SLIDE 24

Perform Security Operation

Perform Security Operation APDU:

  M = params (3 bytes) || CRT ([22,42] bytes) [|| CRT ...]
  CRT = header ([6,8] fixed bytes) || key ([16,24] bytes) [|| 91 08 iv (8 bytes)]
  EM = 0002 || FF..FF (128 − len(M) − 3 bytes) || 00 || M

→ Hybrid padding (mixing EME and EMSA)
⇒ Only a few unknown bytes (compared to the modulus size)

SLIDE 27

Coppersmith's Low Exponent Attack

Recover the message if the unknown part is small enough: we need x ≤ n^(1/e)

Assuming the card is using:
  • A 1024-bit modulus
  • A small public exponent¹ (e = 3)

We can recover up to ⌊log2(n^(1/3))⌋ = 341 bits (≈ 42 bytes)
  • An encryption key: 16-24 unknown bytes
  • An integrity key (with IV): 26-34 unknown bytes

¹ European Payments Council. Guidelines on cryptographic algorithms usage and key management. epc342-08, 2018.

SLIDE 30

In practice...

  • Recover the message in 0.35s on average for a 128-bit key
    ⇒ on-the-fly attack possible
  • Passive interception only
  • Only works for Key Transport

⇒ Need a big enough public exponent, or random padding

A bigger RSA modulus makes the attack easier; "classic" PKCS#1 v1.5 padding may not be a valid solution...
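The exposure arithmetic behind the last three slides, as an added example (not code from the paper or from GlobalPlatform): it builds the Perform Security Operation message with the hybrid padding exactly as laid out on the slide, measures the contiguous window of bytes an observer does not know, and compares that window with the Coppersmith bound x ≤ n^(1/e). The 3-byte params and the 6-byte CRT header are constructed placeholders, since the slides give only their lengths; the function names are this example's own.

```python
"""Exposure check for the deterministic SCP10 Key Transport padding.

Added example, not the paper's or GlobalPlatform's code. Builds M and EM as
the slides describe, counts the secret window, and tells whether a single
captured APDU falls inside Coppersmith's x <= n^(1/e) bound.
"""
from typing import Optional

# Constructed placeholders: the slides state the lengths (3-byte params,
# 6-8 fixed header bytes) but not the actual values.
PARAMS = bytes.fromhex("000000")
CRT_HEADER = bytes(range(0x10, 0x16))    # 6 fixed bytes, constructed


def build_message(key: bytes, iv: Optional[bytes] = None):
    """Return (M, start, end): M as on the slide and the half-open index
    range of the contiguous window an attacker does not know.

    With an IV the window runs from the first key byte to the last IV byte,
    so the known '91 08' tag/length inside it is counted too; that is how the
    slides arrive at 26-34 unknown bytes for an integrity key with IV.
    """
    crt = CRT_HEADER + key
    start = len(PARAMS) + len(CRT_HEADER)
    end = start + len(key)
    if iv is not None:
        crt += b"\x91\x08" + iv            # tag 91, length 08, 8-byte IV
        end += 2 + len(iv)
    return PARAMS + crt, start, end


def build_em(k: int, m: bytes) -> bytes:
    """Hybrid padding from the slide: 0002 || FF..FF || 00 || M, k bytes long."""
    ps_len = k - len(m) - 3
    if ps_len < 0:
        raise ValueError("message too long for the modulus")
    return b"\x00\x02" + b"\xff" * ps_len + b"\x00" + m


def coppersmith_limit_bits(modulus_bits: int, e: int) -> int:
    """Largest unknown block, in bits, that stays within x <= n^(1/e)."""
    return modulus_bits // e


def key_transport_exposure(modulus_bits: int, e: int, key_len: int, with_iv: bool) -> dict:
    """Could a passive observer recover the key from one captured PSO APDU?"""
    key = bytes(key_len)                     # placeholder secret (all zero)
    iv = bytes(8) if with_iv else None
    m, start, end = build_message(key, iv)
    em = build_em(modulus_bits // 8, m)
    unknown_bytes = end - start
    limit_bits = coppersmith_limit_bits(modulus_bits, e)
    return {
        "em_len": len(em),
        "unknown_bytes": unknown_bytes,
        "limit_bytes": limit_bits // 8,
        "recoverable": unknown_bytes * 8 <= limit_bits,
    }


if __name__ == "__main__":
    # 1024-bit/e=3 as on the slides, a larger modulus, and the e=65537 fix
    for args in [(1024, 3, 16, False), (1024, 3, 24, True),
                 (2048, 3, 24, True), (1024, 65537, 16, False)]:
        print(args, key_transport_exposure(*args))
```

Running it reproduces the slide's figures (341 bits, 42 bytes, for a 1024-bit modulus with e = 3), shows that the 2048-bit case simply doubles the budget, and shows that with e = 65537 the bound collapses to zero bits, which is why the larger exponent is listed among the countermeasures.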

SLIDE 31

Padding Oracle

SLIDE 35

Bleichenbacher's attack

Abusing Perform Security Operation:

  • Anybody can send this APDU (no authentication before)
  • 3 steps on card: decryption → verification → TLV parsing
  • Unique error code but no mention of constant time
  • Constant-time verification is hard, even harder with TLV parsing

[Figure: Key Transport flow between the OCE and the card: Manage session / certificate verification, Perform Security Operation, Response, Authentication via challenge; the Response step is annotated "Exploit format oracle"]
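What "unique error code" and "no early exit" look like in the verification step, as an added example (not the paper's applet and not GlobalPlatform code). Python cannot promise constant time, so the point is the control-flow shape a card implementation needs: every field is checked, the individual results are folded into one flag, and the caller receives the same status whichever byte was wrong. The example handles a message carrying one encryption-key CRT without IV; the params and CRT header bytes are constructed placeholders (the slides give only their lengths), and the status values are this example's own.

```python
"""Early-exit-free check of the SCP10 hybrid padding with one error code.

Added example, not the paper's applet. Shows the structure: uniform work
over the whole buffer, checks folded into a single flag, one status.
"""
import hmac

K = 128                                   # modulus length in bytes (1024-bit RSA)
PARAMS = bytes.fromhex("000000")          # constructed placeholder, 3 bytes
CRT_HEADER = bytes(range(0x10, 0x16))     # constructed placeholder, 6 fixed bytes
STATUS_OK, STATUS_ERR = 0, 1              # single error code, as the spec requires


def encode_em(key: bytes) -> bytes:
    """0002 || FF..FF || 00 || params || header || key, K bytes in total."""
    m = PARAMS + CRT_HEADER + key
    return b"\x00\x02" + b"\xff" * (K - len(m) - 3) + b"\x00" + m


def verify_em(em: bytes):
    """Return (status, key). Every check runs; nothing returns early."""
    buf = (em + bytes(K))[:K]              # always process exactly K bytes
    bad = int(len(em) != K) | int(buf[0] != 0x00) | int(buf[1] != 0x02)

    found, sep = 0, K                      # sep: index of the first 00 after the prefix
    for i in range(2, K):                  # same loop length for every input
        is_zero = int(buf[i] == 0x00)
        is_ff = int(buf[i] == 0xFF)
        first = is_zero & (1 - found)      # 1 only at the separator
        sep += (i - sep) * first
        bad |= (1 - found) & (1 - is_zero) & (1 - is_ff)   # padding must be FF
        found |= is_zero
    bad |= 1 - found                       # no separator at all

    m_len = K - sep - 1                    # -1 when no separator; already flagged
    bad |= int(m_len < 25) | int(m_len > 45)               # 3 + [22,42] bytes

    hdr_at = sep + 1 + len(PARAMS)
    header = buf[hdr_at:hdr_at + len(CRT_HEADER)]
    bad |= int(not hmac.compare_digest(header, CRT_HEADER))
    key_len = m_len - len(PARAMS) - len(CRT_HEADER)
    bad |= int(key_len < 16) | int(key_len > 24)

    key = buf[hdr_at + len(CRT_HEADER):K]
    # The only data-dependent branch is the final one, on the public outcome.
    return (STATUS_ERR, b"") if bad else (STATUS_OK, key)


if __name__ == "__main__":
    good = encode_em(bytes(range(16)))
    print(verify_em(good)[0], verify_em(b"\x00\x02" + b"\xff" * 126)[0])
```

A wrong first byte, a missing separator, a non-FF padding byte and a key of the wrong length all come back as the same `(STATUS_ERR, b"")`, which is the property the padding oracle needs to be denied; the timing side of the same requirement, also raised on the slide, is what a Python sketch cannot show and a card implementation must handle separately.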

SLIDE 37

In practice...

  • Attack possible with some additional analysis
  • Large number of queries needed
    • Average: 28000 queries ≈ 2h30
    • Can be reduced by increasing brute force
  • No on-the-fly attack: message collection for future decryption

⇒ Need robust RSA padding (OAEP would solve both problems)

SLIDE 38

Key Reuse

SLIDE 41

RSA Key Reuse

Design flaw:
  • Same RSA key for Key Transport and Key Agreement
  • Same RSA key for confidentiality and authentication

⇒ Less storage, processing and complexity, but no key isolation

Consequences:
  • Valid signature forgery using Bleichenbacher's attack
    • On average 74838 queries ≈ 7h
  • Certificate forgery, signed by the card ⇒ card impersonation in all future sessions
  • In case of a shared CA, a single forgery may allow impersonation on a large scale

⇒ Need key isolation

SLIDE 42

Secure Implementation

SLIDE 43

Major countermeasures

  • Key isolation
    • Significant overhead during certificate verification
    • No need to repeat it at each session
  • RSA-OAEP
    • Negligible overhead (≈ 0.01s)
  • Enforce public exponent e = 65537
    • Negligible overhead
    • Not mandatory when using OAEP
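The RSA-OAEP countermeasure carried through, as an added example written from the PKCS#1 v2 description of EME-OAEP (not the paper's applet and not any library's code). It shows the two properties that matter for the deck: the same message pads to a different EM on every call, so there is no fixed structure for a Coppersmith-style recovery, and decoding runs all checks before producing one failure result, which removes the distinct-error surface a padding oracle feeds on. SHA-256 with MGF1 and a 128-byte EM (the 1024-bit modulus of the slides) are this example's assumptions.

```python
"""EME-OAEP (SHA-256, MGF1) as the padding the slides recommend.

Added example, not the paper's or any library's code. Encoding is
randomized per call; decoding folds every check into one result.
"""
import hashlib
import hmac
import os

HLEN = hashlib.sha256().digest_size      # 32
RSA_EM_LEN = 128                         # assumed: 1024-bit modulus as on the slides


def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 mask generation with SHA-256 (PKCS#1 v2)."""
    out = b""
    for counter in range((length + HLEN - 1) // HLEN):
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def max_message_len(k: int = RSA_EM_LEN) -> int:
    """Longest plaintext a k-byte OAEP EM can carry (62 for k = 128)."""
    return k - 2 * HLEN - 2


def oaep_encode(m: bytes, k: int = RSA_EM_LEN, label: bytes = b"", seed: bytes = None) -> bytes:
    if len(m) > max_message_len(k):
        raise ValueError("message too long")
    lhash = hashlib.sha256(label).digest()
    db = lhash + bytes(k - len(m) - 2 * HLEN - 2) + b"\x01" + m
    seed = seed if seed is not None else os.urandom(HLEN)   # fresh randomness each call
    masked_db = _xor(db, mgf1(seed, k - HLEN - 1))
    masked_seed = _xor(seed, mgf1(masked_db, HLEN))
    return b"\x00" + masked_seed + masked_db


def oaep_decode(em: bytes, k: int = RSA_EM_LEN, label: bytes = b""):
    """Return the message, or None on any failure (one outcome for every error)."""
    lhash = hashlib.sha256(label).digest()
    buf = (em + bytes(k))[:k]              # fixed amount of work whatever the input
    masked_seed, masked_db = buf[1:1 + HLEN], buf[1 + HLEN:]
    seed = _xor(masked_seed, mgf1(masked_db, HLEN))
    db = _xor(masked_db, mgf1(seed, k - HLEN - 1))
    rest = db[HLEN:]
    sep = rest.find(b"\x01")
    bad = len(em) != k
    bad |= buf[0] != 0x00
    bad |= not hmac.compare_digest(db[:HLEN], lhash)
    bad |= sep < 0
    bad |= any(rest[:max(sep, 0)])         # padding string must be all zero
    return None if bad else rest[sep + 1:]


if __name__ == "__main__":
    m = bytes(range(45))                   # longest single-CRT M from the slides
    print(oaep_encode(m) != oaep_encode(m), oaep_decode(oaep_encode(m)) == m)
```

With k = 128 the budget is 62 message bytes, so the 45-byte worst case of params plus one CRT from the Perform Security Operation slide fits; this is the "negligible overhead" item on the slide, since the cost is one extra hash pass on each side.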

SLIDE 44

Conclusion

SLIDE 45

Sum-up

  • We tried to apply well-known attacks to the smart card world
  • Successfully performed two attacks speculating on the implementation
    • We believe our assumptions to be reasonable given past attacks
  • Key isolation is not implementation dependent
  • Suggested mitigations:
    • Easy to add in the specification
    • Reasonable overhead
  • GlobalPlatform released a new standard version based on our recommendations

SLIDE 46

Thank you for your attention!