1 / 16

When an e-Passport Talks and it Should Not

When an e-Passport Talks and it Should Not. Martin Hlaváč and Tomáš Rosa Department of Algebra, MFF UK in Prague PPF banka a.s. and eBanka, a.s. Outline. e-Passport Active Authentication Electro-Magnetic Side Channel RSA with Chinese Remainder Theorem and Montgomery Exponentiation

matt
Download Presentation

When an e-Passport Talks and it Should Not

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. When an e-Passport Talksand it Should Not Martin Hlaváč and Tomáš Rosa Department of Algebra, MFF UK in Prague PPF banka a.s. and eBanka, a.s.

  2. Outline • e-Passport • Active Authentication • Electro-Magnetic Side Channel • RSA with Chinese Remainder Theorem and Montgomery Exponentiation • Extracting Private Key • Conclusion

  3. Electronic Passport • Equipped with a contact-less smartcard chip • Compatible with ISO 14443 and ISO 7816 • Application code: A0 00 00 02 47 10 01 • Data files • DG1 to DG15: related to the travel document (DG1 – copy of machine readable zone (MRZ), DG2 – photo of the face, DG15 public key for active authentication) • EF.COM, EF.SOD, EF.DIR: service data

  4. P5CD072

  5. Talking with the Passport passport RFID terminal RFID internal network transponder field terminal field

  6. Security Mechanisms • Required by ICAO • Passiveauthentication – digital signature of all data files DG1, …, DG15 • Required in EU members • BAC – basic access control to data files and selected functions (e.g. active authentication) • Optional • Active authentication – challenge-response authentication of the chip (e.g. used in Czech Republic, not in Germany)

  7. Active Authentication I (CZ) • Terminal: • Generates 8B random number V and sends it to passport • Passport: • Generates 106B random numberU • Computesw = SHA-1( U || V ). • Setsm = 6A || U || w || BC, (21022 < m < 21024) • Computess = md mod N, where (N, d) is private RSA key of the passport • Sends s to terminal

  8. Active Authentication II (CZ) • Message m is chosen jointly by the passport and terminal, i.e. can not be conveniently chosen by neither side • Existing chosen-plaintext attacks can not be employed

  9. FAME-XE Exposure in the Field s = md mod N S M S M S M S M S M S Measurements by doc. Lórencz’s team, KP FEL ČVUT in Prague, april 2007

  10. Chinese Remainder Theorem (CRT) • private RSA operation mdmodN is computed using CRT as follows sp = (mp)dpmodp sq = (mq)dqmodq s = ((sq-sp)pinvmodq)p + sp • 4x faster than simple exponentiation • use of secret p,q makes CRT more vulnerable

  11. Montgomery exponentiation • exponentiation Input: c, p, d (=dn-1dn-2…d1d0)2) Output: x = cdmodp • ucRmodp • zu • for i = n-2 to 0 • z mont(z,z,p) • if di == 1 then • z mont(z,u,p) • else • z’ mont(z,u,p) • endfor • z mont(z,1,p) • return z • multiplication (mont) Input: x,yZp Output: w = xyR-1modp • wxy • t s(-p-1) modR • gs + tp • wg/R • if w>p then • ww – p (final substitution) • return w • operations mod/div R=2512, i.e. it’s fast • leaks information about secret p in final substitution

  12. Amount of Final Substitutions • we suspect the amount of FS leaks from the passport in EM channel • More higher-quality measurements are needed to support this hypothesis If this hypothesis is correct the Active Authentication can be broken

  13. lin. algebra Outline of the attack approximations of secret q # FS (known) Experiments indicate some approximations are good enough. function of p (unknown) The relationship between the number of FS during the computation mcmodN and the value miRmodp. (Tomoeda, 2006) precision in bits # FS app. 2%

  14. Key Recovery • Construct suitable lattice • Reduce its basis with LLL algorithm • Hope the hidden number q is revealed Experiments: • With 150 measurements filtered from app. 7000, the key is recovered in 40 minutes on 2GHz Opteron

  15. Conclusion • EM side channel on e-passport exists • New cryptanalytic technique using this side information is elaborated • Higher quality measurements needed • If our hypothesis is correct, AA can be broken, i.e. e-passport can be duplicated, in order of hours

  16. Thank you for your attention … Martin Hlaváč Department of Algebra MFF UK, PPF banka, a.s. hlavm1am@artax.karlin.mff.cuni.cz Tomáš Rosa eBanka, a.s. Department of Algebra MFF UK, trosa@ebanka.cz

More Related