1 / 12

Smart cards a fascinating and fruitful adventure

Smart cards a fascinating and fruitful adventure. Gemalto Technology & Innovation. Nguyen Quang Huy. Secure transaction (banking, pay-TV). Smart Cards in the our life. Telecom (SIM/USIM/RUIM, M2M, convergence, M-TV, M-banking, M-ticket). Control Access (physical and logical resource).

hermanclair
Download Presentation

Smart cards a fascinating and fruitful adventure

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Smart cardsa fascinating and fruitful adventure Gemalto Technology & Innovation Nguyen Quang Huy

  2. Secure transaction (banking, pay-TV) Smart Cards in the our life • Telecom (SIM/USIM/RUIM, M2M, convergence, M-TV, M-banking, M-ticket) • Control Access (physical and logical resource) • E-citizen (e-passport, e-ID, e-Heath, e-driving license, ..)

  3. 25 mm2 Smart Card HW • No internal timer, battery • No keyboard, display, network interface • Current generation • µ-processor: 16-bits, <=10MHz • RAM: 4K • ROM: 100K for code storage • E2PROM (105 updates ): 64K for data storage • I/O: serial (9600 bps), • Contactless protocols: MiFare, FeliCa, Calypso • Next generation • µ-processor: 32-bits, up to 100MHz • Flash memory: more durable and more rapid • I/O: USB (12 Mbps) • Contactless open protocols: NFC, ZigBee

  4. Proprietary architecture Undisclosed specification Tedious application development Closed configuration: no application can be added after issuance Open architecture Open specification High-level programming languages Post-issuance applications are available Some open architectures Java Card MULTOS .NET Card Basic Card Smart Card SW

  5. JC Firewall Applet 1 Applet 2 Card Manager API in Java Native API Java Card Virtual Machine Operating System Integrated Circuit Example: Java Card • Introduced by Schlumberger in 1996 • Leading open multi-applicative architecture • >5 billions Java-embedded cards issued • Applications (applets) developed in Java I/O command

  6. Security threats • No battery • Card tearing (or power failure ) may cause inconsistency data • No internal timer • Logging for post-mortem analysis is not possible • No keyboard, display, network device  secure usage environment • Payment terminals (POS and ATM): security certification • Security of PC and handset: keyboard logger, false display (phishing), etc • Contactless interface • Cardholder is not aware of malicious actions • Physically owned by attackers • Vulnerable to both logical and physical attacks

  7. Attacks Logical attacks: use I/O commands to exploit SW vulnerabilities buffer overflow, type confusion, covert channels, protocol attacks, etc Physical attacks: use physical phenomenon to exploit SW/HW vulnerabilities • Invasive attacks: destructive and require specific logistics  HW reverse-engineering; disabling HW security features, etc • Non invasive attacks: affordable logistics • Side-channel: use the emitted signals (power consumption, execution time) to guess the secret (keys, PIN)  Execution signature (E2PROM update, DES rounds, etc) may leak secret • Fault-injection attacks: use physical means (infrared heat, laser, X-ray) to flip some bits in the memory Modify code and runtime control flow, data: the consequence is hardly predictable Combined attacks

  8. Counter-measures and beyond • Detection • HW: (shield-removal, temperature, frequency, laser, light) sensors • SW: checksum, fault-trap • Protection • HW: memory/bus encryption, redundancy, error-correcting code • SW: transaction mechanism (anti-tearing), random noise, protection of control flow • Auditing • HW: security registers • SW: fault-counters, security exception • Reaction • Muting (infinite loop) and clearing RAM No counter-measure is perfect Trade-off between security and performance (tender eligibility criterion)  Use of mathematical techniques: formal methods

  9. Mathematically proven security assurances

  10. Vietnam: smart card deployment • Mobile telecom • Low-end cards: <=64K EEPROM • Banking • Small-scale migrations to EMV standard: VP Bank, VCB, etc • Online banking (secure reader/authentication server): VCB • Why the banks are not keen on using smart cards ? • Cards mainly used for ATM withdrawal: rare (offline) POS payment  fraud is limited • Card holders are usually paying for the fraud ! • Insfratructure cost for a migration (ATM, POS, servers, etc) • E-government • e-passport project (since 2006)

  11. Dosmetic industry • Small market implies small players • Few smart cards manufacturers • MK Technology JSC: 20 milions smart cards delivered in 2008 • Main products: SIM, USIM, RUIM • Sale representative of foreign products • Dosmetic share in final products • Card personalization for final clients • A first Vietnamese smart card OS ? MKCos (Sao Khue 2008) • Even fewer application developers • Vietnamizing imported applications

  12. Joining the adventure • Expanding dosmetic market by SIM-based attractive applications e.g., • M-payment, online payment • Value-added applications on mobile network • M-ticket for public transport • Making E-Government come true • Healthcare card, ID-card, etc • Education/Training • More training courses for • embeded programming: lucrative outsourcing market • security engineering: go beyond anti-virus • Support of overseas experts • Enterprising • Win-win JV with foreign partners to learn technology

More Related