Towards Disclosing the Private Key of an e-Passport Martin Hlaváč and Tomáš Rosa Department of Algebra, MFF UK in Prague PPF banka a.s. and eBanka, a.s.
Agenda • Technology and platform overview • LF and HF bands interface • Unique ID transponders • Electronic passport • Relay attack • SCH attack on Active Authentication
Passive RF Chips Overview • Contact-less chips radio-classification • LF range chips (100 to 150 kHz) • HF range vicinity cards (13.56 MHz) • HF range proximity cards (13.56 MHz) • UHF range chips (800 MHz and higher) • Huge variety of designs • Cards, keychains, stickers, implants, … • RFID – Radio Frequency Identification • Viewed as a specific application of RF chips
LF and HF Band Physical Layer • Employs the behavior of so-called near field of the transmitter • Classical wave not fully formed, yet • Magnetic component takes care of the energy transport • Arrangement „terminal antenna – chip antenna“ can be seen as a high frequency transformer
Talking with the Transponder (diagram: RFID terminal connected to the RFID internal network, transponder in the terminal field, terminal in the transponder field)
When the Distance Matters • Attacking techniques and ranges for HF band according to ISO 14443
Active Attacks Reviewed • It is practically feasible to power up a typical LF/HF chip at a distance on the order of meters • The problem is, however, to hear the transponder’s response • Increasing the terminal’s field can significantly decrease the SNR – Signal to Noise Ratio • Possible way for “write-only” attacks…
Unique ID Transponders • Popular in access protection to buildings, offices, garages, etc. • Examples: EM4x02, HID Isoprox II, Indala, etc. • LF Band • Serial memory with several dozen bits • Sends its identifier repeatedly when in the terminal’s field • No cryptographic protection • Security almost non-existent in many cases
LF Band Skimmer – Terminal Mode (block diagram: transmitter, receiver, digital part)
LF Band Skimmer – Emulator Mode (block diagram: load modulator, carrier sensing, digital part)
Contactless Smartcard • Important sub-class of RFID transponders • Function-wise and security-wise on par with classical (contact) smartcards • Platform – proximity card (13.56 MHz)
ISO 14443 • Standardizes proximity cards • Usual operational distance 10 cm • Sub-groups A, B • Differ in communication protocol details (modulation, coding, frames, semantics) • Transport platform for contactless smartcards
ISO 7816 • Describes • contact card communication interface • contact(-less) card application protocol • Effort to unify the view of a smartcard regardless of the communication interface • Combination of ISO 14443 (communication) and ISO 7816 (application commands) • From the point of view of ISO 7816 there is a new communication protocol identified as T = CL (Contact-Less) • Application platform of contact(-less) smartcards
Contact or Contactless • Hierarchy of standards for contact and contact-less smartcards
Electronic Passport • Equipped with a contact-less smartcard chip • Compatible with ISO 14443 and ISO 7816 • Application code: A0 00 00 02 47 10 01 • Data files • DG1 to DG15: related to the travel document (DG1 – copy of machine readable zone (MRZ), DG2 – photo of the face, DG15 – public key for active authentication) • EF.COM, EF.SOD, EF.DIR: service data
Security Mechanisms • Required by ICAO • Passive authentication – digital signature of all data files DG1, …, DG15 • Required in EU members • BAC – basic access control to data files and selected functions (e.g. active authentication) • Optional • Active authentication – challenge-response authentication of the chip (e.g. used in Czech Republic, not in Germany)
Apparent Weaknesses of ICAO e-Passport • Detectability of passport presence • Markers: presence of application A0 00 00 02 47 10 01, BAC protocol support, etc. • Brute force attack on BAC • Apparently low main password entropy • Listening to terminal is sufficient • Partial weaknesses of BAC and SM • Detectability of passport with known password (MRZ) • SM does not protect the command headers and status error answers
Relay Attack on Active Authentication • Passport asks to extend the answer time to 4949 ms. • If this is not acknowledged, or if a shorter time is acknowledged, the passport terminated the communication in our experiments • Presumably, terminals on country borders have to accept a 5 s delay • Passport responded within 1 s during the experiments • The remaining 4 s can be used to relay the challenge from the counterfeit to the real passport and send back the response
Attack Illustration (sequence diagram; parties: terminal – fake passport – fake terminal – passport; links: RF channel 1, channel 2, RF channel 3; messages: initialization, initialization, file reading, AA challenge, challenge relay, AA challenge, S(WTX) on both RF channels, AA response, response relay, AA response)
Side Channels • SCH is any unwanted information exchange between the cryptographic module and its surroundings • Physical principles of passive RF chips greatly facilitate existence of many SCH • Electromagnetic field is a primary concern
Active Authentication I (CZ)
• Terminal:
  • Generates 8 B random number V and sends it to passport
• Passport:
  • Generates 106 B random number U
  • Computes w = SHA-1(U || V)
  • Sets m = 6A || U || w || BC, (2^1022 < m < 2^1024)
  • Computes s = m^d mod N, where (N, d) is the private RSA key of the passport
  • Sends s to terminal
Active Authentication II (CZ) • Message m is chosen jointly by the passport and the terminal, i.e. it cannot be freely chosen by either side • Existing chosen-plaintext attacks (e.g. Schindler, Tomoeda) cannot be employed
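The AA exchange of the two slides above, written out as an added example (not the authors' code): the passport builds m = 6A || U || SHA-1(U || V) || BC and signs it, the terminal recovers m and checks the framing and the hash binding to its own challenge V. The RSA key generation (Miller-Rabin, e = 65537, top two bits of p and q set so that N > 2^1023 > m) is an assumed toy helper, not the passport's key material.

```python
import hashlib
import secrets

def is_probable_prime(n, rounds=40):
    # Miller-Rabin (assumed helper, standard algorithm); n is odd and large here
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_rsa_key(bits=1024, e=65537):
    # Toy key generation: top two bits of p and q set, so N > 2^1023 > m always
    half, primes = bits // 2, []
    while len(primes) < 2:
        cand = secrets.randbits(half) | (0b11 << (half - 2)) | 1
        if is_probable_prime(cand) and (cand - 1) % e != 0:
            primes.append(cand)
    n = primes[0] * primes[1]
    return n, e, pow(e, -1, (primes[0] - 1) * (primes[1] - 1))

def passport_sign(v, n, d):
    # Passport side: m = 6A || U || SHA-1(U || V) || BC, then s = m^d mod N
    u = secrets.token_bytes(106)
    w = hashlib.sha1(u + v).digest()
    m = int.from_bytes(b"\x6a" + u + w + b"\xbc", "big")
    assert 2**1022 < m < n                 # the slide's bound on m, and m < N
    return pow(m, d, n)

def terminal_verify(v, s, n, e):
    # Terminal side: recover m, check the 6A/BC framing and that w binds V
    m = pow(s, e, n).to_bytes(128, "big")
    u, w = m[1:107], m[107:127]
    return m[0] == 0x6A and m[127] == 0xBC and w == hashlib.sha1(u + v).digest()

def run_active_authentication(n, e, d):
    # One AA round: terminal challenge V, passport response s, terminal check
    v = secrets.token_bytes(8)
    s = passport_sign(v, n, d)
    return terminal_verify(v, s, n, e)
```

Because U is chosen by the passport and V by the terminal, neither party controls m, which is why the slide rules out chosen-plaintext attacks on this signature.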
FAME-XE Exposure in the Field (EM trace of s = m^d mod N, annotated with the square/multiply sequence S M S M S M S M S M S). Measurements by doc. Lórencz’s team, KP FEL ČVUT in Prague, April 2007
Chinese Remainder Theorem (CRT) • private RSA operation m^d mod N is computed using CRT as follows • 4x faster than simple exponentiation • use of secret p, q makes CRT more vulnerable
Montgomery exponentiation
• exponentiation
  Input: c, p, d = (d_{n-1} d_{n-2} … d_1 d_0)_2
  Output: x = c^d mod p
    u ← cR mod p
    z ← u
    for i = n-2 down to 0
      z ← mont(z, z, p)
      if d_i == 1 then
        z ← mont(z, u, p)
      else
        z' ← mont(z, u, p)   (dummy multiplication, result discarded)
    endfor
    z ← mont(z, 1, p)
    return z
• multiplication (mont)
  Input: x, y ∈ Z_p
  Output: w = xyR^{-1} mod p
    w ← xy
    t ← w(−p^{-1}) mod R
    g ← w + tp
    w ← g / R
    if w ≥ p then
      w ← w − p   (final substitution, i.e. the conditional final subtraction)
    return w
• operations mod/div R = 2^512, i.e. it’s fast
• leaks information about secret p in the final substitution
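The slide's Montgomery routines as an added example (not the authors' code), with a counter for the final substitution (FS): the dummy multiplication makes the S/M sequence uniform, but the FS count still depends on the input and on the secret modulus p, which is the quantity the following slides suspect to leak. Toy parameters (a 61-bit prime p, R = 2^62) are constructed here; the standard countermeasure, not shown, is to make the final subtraction unconditional or unnecessary by bounding the intermediates.

```python
def mont(x, y, p, R, p_inv_neg, stats):
    # w = x*y*R^-1 mod p; the conditional subtraction at the end is the leaky step
    w = x * y
    t = (w * p_inv_neg) % R            # mod R: cheap when R is a power of two
    w = (w + t * p) // R               # exact division by R
    if w >= p:                         # final substitution (FS)
        w -= p
        stats["fs"] += 1
    return w

def mont_exp(c, d, p, R):
    # Returns (c^d mod p, number of FS); d is scanned from its top bit down
    assert d >= 1 and R > p and R & (R - 1) == 0   # R: power of two above p
    p_inv_neg = (-pow(p, -1, R)) % R
    stats = {"fs": 0}
    u = (c * R) % p                    # u <- cR mod p (Montgomery form of c)
    z = u
    for bit in bin(d)[3:]:             # leading '1' is already handled by z <- u
        z = mont(z, z, p, R, p_inv_neg, stats)
        if bit == "1":
            z = mont(z, u, p, R, p_inv_neg, stats)
        else:
            mont(z, u, p, R, p_inv_neg, stats)   # dummy multiplication z'
    z = mont(z, 1, p, R, p_inv_neg, stats)       # back from Montgomery form
    return z, stats["fs"]

def fs_profile(d, p, R, inputs):
    # FS count per input: a function of the (secret) p, even though the
    # square/multiply pattern no longer depends on d
    return [mont_exp(c, d, p, R)[1] for c in inputs]

# Constructed toy parameters: Mersenne prime p = 2^61 - 1 and R = 2^62
TOY_P, TOY_R = 2**61 - 1, 2**62
```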
Amount of Final Substitutions • We suspect the number of FS leaks from the passport through the EM channel • More higher-quality measurements are needed to support this hypothesis • If this hypothesis is correct, Active Authentication can be broken
Outline of the attack (diagram): the number of FS during the computation m^d mod N (known) depends on the value m_i R mod p, a function of p (unknown); this relationship (Tomoeda, 2006) yields approximations of the secret q with a precision of app. 2% in bits, which are then fed to the linear algebra step. Experiments indicate some approximations are good enough.
HNP Problem • Given the approximations, where the only unknown value is x • Find the hidden number x • How? Number theory, LLL algorithm.
Key Recovery • Construct lattice L(B) and approximation vector • Reduce its basis with LLL algorithm • Hope to find hidden vector and hidden number x
Experiments • Hardware setup: 16x Opteron 246 • Measurements: 150 filtered from 7000 • Time: app. 40 minutes • Result: private RSA key found
Conclusion • EM side channel on e-passport exists • New cryptanalytic technique using this side information is elaborated • Higher quality measurements needed • If our hypothesis is correct, AA can be broken, i.e. the e-passport can be duplicated, on the order of hours
Thank you for your attention … Martin Hlaváč Department of Algebra MFF UK, PPF banka, a.s. hlavm1am@artax.karlin.mff.cuni.cz Tomáš Rosa eBanka, a.s. Department of Algebra MFF UK, trosa@ebanka.cz
References
• ČSN ISO/IEC 14443-1..4
• ČSN ISO/IEC 7816-3, 4
• Development of a Logical Data Structure – LDS for Optional Capacity Expansion Technologies, ICAO, ver. 1.7, 2004
• Hancke, G.: A Practical Relay Attack on ISO 14443 Proximity Cards, IEEE Symposium on Security and Privacy 2006
• Heydt-Benjamin, T. S., Bailey, D. V., Fu, K., Juels, A., and O'Hare, T.: Vulnerabilities in First-Generation RFID-Enabled Credit Cards, In Proc. of the Eleventh International Conference on Financial Cryptography and Data Security, Lowlands, Scarborough, Trinidad/Tobago, February 2007
• Kirschenbaum, I., Wool, A.: How to Build a Low-Cost, Extended-Range RFID Skimmer, USENIX 2006
• Lee, Y.: Antenna Circuit Design for RFID Applications, AN 710, Microchip Technology Inc., 2003
• Lórencz, R., Buček, J. and Zahradnický, T.: personal communication, 2007
• MIFARE DESFire MF3 IC D40, Preliminary Short Form Specification v. 2.0, Philips Semiconductors, September 2003
• MIFARE MF1 IC S50, Rev 5.1, Philips Semiconductors, May 2005
• Nohl, K., and Plötz, H.: MIFARE – Little Security, Despite Obscurity, 24th Chaos Communication Congress, 2007, http://events.ccc.de/congress/2007/Fahrplan/events/2378.en.html
• PKI for Machine Readable Travel Documents offering ICC Read-Only Access, ICAO, ver. 1.1, 2004
• Rašek, L.: Elektronické pasy – jak fungují (Electronic Passports – How They Work), copy of web pages from 2006
• SmartMX – P5CD072 Secure Dual Interface PKI Smart Card Controller, Short Form Specification v. 1.2, Philips Semiconductors, October 2004
• Šiková, M.: Biometrie v osobních dokladech – cestovní doklady s biometrickými údaji (Biometrics in Personal Documents – Travel Documents with Biometric Data), CARDS Conference, Prague, 13 September 2006