cool smartcard hacks • peter honeyman • citi • university of michigan • ann arbor
a little bit about citi • center for information technology integration • founded in 1986 as part of information technology division • now in cio office
citi staff • faculty and staff scientists (3) • researchers and programmers (3) • students (13) • doctoral (4) • masters (1) • undergraduate (7) • high school (1)
a little more about citi • mission: advance umich info tech environment, transfer results to university, government, industry • research and development “skunkworks” for cio • externally funded, primarily by short-term industry contracts
citi core competencies • middleware • enterprise-scale info tech integration • distributed file systems • integrated security • mobile and wireless computing
major advances of the 20th century • computing • transportation • mobile computing • newton, pilot • superslims • pcs, e.g., nokia, qualcomm, sprint, etc. • smartcards • a little computing • a lotta mobility
smartcards are cool because • they are tamper resistant • they can do a little crypto • they have a restricted (albeit bizarre) (yet functional) api that can protect secrets • they can store keys • in fact, they have special key files
principal applications • stored value • phone cards • electronic purse • secure identification • challenge/response protocols • gsm phone identity
how smartcards are used • e-purse, e.g., mcard, visacash, mondex • many spectacular failures • gsm authentication • information control • german healthcard • closed market applications • DoD card • welfare card
impediments to use • infrastructure requirements • integration with contemporary computing environments • especially security middleware
outline • smartcard ip • kerberos client • smartcard-based file systems • secure booting • palm pilot hacks
ip on smartcard • expand smartcard accessibility to the internet • network protocols on smartcard • network service unmodified • smartcard as a mobile computer • bring your ip address with you
javacard web server • minimal functional server • one connection at a time • minimal state maintenance • tcp port • file name • tcp state
platform • schlumberger cyberflex access • 16 KB eeprom • iso 7816 smartcard • java card 2.0 • 1.2 KB ram
http only • subset of http 1.0 (or higher) • GET method only
tcp only • three states: listen, established, finwait1 • actually, tcp state is never used • no!: options, retransmission, checksum validation, hosts requirements compliance • use sequence number as file offset
ip only • no!: options, reassembly • ~ 250 byte mtu
tunnel daemon • “near” side: webcard ip address • “far” side: iso 7816 framing • openbsd implementation
cardlet details • ~ 1200 byte codes • leaves about 13k for content
webcard summary • performance: ~ 130 bytes/sec. • copy content to card with scfs • open source • http://smarty.citi.umich.edu
secure internet smartcards • extend webcard to secure ip stack • personal security assistant • secure key storage • personal crypto engine • internet addressable • fixed domain name
why a smartcard on the internet? • convenient • e.g., one office, many computers, one reader • secure • smartcard has excellent physical security • mobile • you can even sit on it
how? • establish secure, authenticated channel to card • PIN for authentication • session key established with SPEKE
SPEKE • DH + PIN-based common base • DH • A → B: $g^x \bmod r$ • B → A: $g^y \bmod r$ • $K = g^{xy} \bmod r$ • SPEKE: $g = f(\mathrm{PIN})$
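The exchange on the SPEKE slide, as an added example (not code from the talk or from the webcard project): both sides derive the Diffie-Hellman base from the PIN, so the session keys agree only when the PINs do. The choice of f (SHA-256 of the PIN, squared), the 768-bit RFC 2409 group used as the modulus r, and all names here are assumptions made for the demonstration.

```python
import hashlib
import secrets

# 768-bit safe prime from RFC 2409 (Oakley Group 1), standing in for the
# slide's modulus r. Demo size only; assumed, not taken from the talk.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2  # order of the subgroup of squares mod P


def base_from_pin(pin: str) -> int:
    """g = f(PIN): hash the PIN, then square so g lies in the order-Q subgroup.
    (Assumed f; the slide only states g = f(PIN).)"""
    h = int.from_bytes(hashlib.sha256(pin.encode()).digest(), "big")
    return pow(h, 2, P)


class Party:
    """One side of the exchange (host or card)."""

    def __init__(self, pin: str):
        self.g = base_from_pin(pin)
        self.x = secrets.randbelow(Q - 2) + 2     # private exponent in [2, Q-1]
        self.public = pow(self.g, self.x, P)      # g^x mod r, sent to the peer

    def session_key(self, peer_public: int) -> bytes:
        # Reject values outside the subgroup or that force a trivial key.
        if not 1 < peer_public < P - 1 or pow(peer_public, Q, P) != 1:
            raise ValueError("degenerate public value")
        k = pow(peer_public, self.x, P)           # K = g^(xy) mod r
        return hashlib.sha256(k.to_bytes(96, "big")).digest()


def run_exchange(host_pin: str, card_pin: str):
    """Run both sides and return (host_key, card_key)."""
    host, card = Party(host_pin), Party(card_pin)
    return host.session_key(card.public), card.session_key(host.public)
```

A wrong PIN does not produce an error during the exchange; the mismatch only shows up when the two keys fail to agree, which is why a key-confirmation step normally follows.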
EKE comparison • EKE • A → B: DES(PIN, PUBKEY) • B → A: RSA(PRIVKEY, K) • EKE setup: 4.47 sec • (SPEKE: 3.56) • ~1.5 sec to manufacture key pair
smartcard integration with kerberos • university of michigan computing environment is protected by kerberos • So are mit, cmu, stanford, cornell, … • product offerings from microsoft, ibm, oracle ... • public key cryptography is not practical • (yet) • kerberos security limitations: • lacks external encryption device • lacks secure key storage • passwords vulnerable to dictionary attack • smartcards can solve these problems
need for encryption device • [diagram: kerberos kdc, ticket, password, ticket decrypt] • key is exposed to user and workstation • workstation may not be trusted • sniffer, trojan horse, virus ...
need for secure storage • keys stored on hard disk or in memory are vulnerable • hard disks are not secure • adversary with administrative rights can access keys • data in a hard disk may be backed up in an unprotected mass storage device • memory is not secure • adversary can scan memory • data in memory can be paged out to a hard disk
dictionary attack • create a list of english words, names, etc. • Also star wars, german, shakespeare, … • thx1138 is a vulnerable password! :-( • derive keys from the words in the list • obtain a <plaintext, ciphertext> pair • kerberos gives up <plaintext, ciphertext> easily • decrypt ciphertext with the derived key • if plaintext recovered, password is exposed • umich: > 4,000 vulnerable accounts in 1997 • 2,400 in 1999
countermeasures - use a smartcard • [diagram: kerberos kdc, ticket, ticket decrypt] • key is not exposed to user, workstation, or network • no password
smartcard kerberos client • [diagram: kerberos kdc, ticket, ticket decrypt] • key is not exposed to user, workstation, or network • no password
implementation • starcos v. 2.1 from giesecke & devrient • cyberflex access from schlumberger • mit kerberos v5-1.0.5 client • kerberos server unmodified for global interoperability … well, almost • ticket length > 200 bytes, requires cbc • des_cbc_crc method uses key as ivec • modify server to permit des_cbc_md5
kerberos+smartcard performance • smartcard time: g&d: 0.9 sec, slb: 2.48 sec • communication cost: 0.05 sec, 0.10 sec with 115 kbps and 56 Kbps • javacard performance is ok • [timeline figure, time in sec.: kinit start, card reset, start decryption, end decryption, kinit end • g&d: 0, 0.16, 0.36, 1.06, 1.09 • slb: 0, 0.38, 0.74, 2.86, 2.89]
kerberos+smartcard w-i-p • udp/ip implementation • store ticket on smartcard • pc/sc library for interoperability • server ticket generation • using ibm 4758 secure pci 486
smartcard filesystem (scfs) • iso-7816 • standard smartcard interface • message framing protocol (too primitive to be usable) • many vendor dependencies • smartcard programming toolkits • ibm mfc, microsoft pc/sc, opencard framework, emv’96, pkcs#11, … • smartcard-specific everything: language, api, toolkit, library, application, etc. • hassle learning toolkit after toolkit • api dependencies
scfs goals and policies • integrate a smartcard with unix • vfs: unix filesystem api • take advantage of unix environment • allows sophisticated unix commands (cd, ls, cat ...) and systems calls (open, close, read, write …) • access through symlinks • any iso-7816 smartcard • easy integration with applications • netscape cookies • pgp private keyring • kerberos tickets • ssh private key
application to ssh
    citi% mount_scfs /dev/scfs0 /smartcard
    citi% ln -s /smartcard/ss/id ~/.ssh/identity
    citi% ssh sin.citi.umich.edu
    Enter PIN:
    sin% logout
scfs design • [diagram labels: application, VFS, XFS, scfsd, smartcard; user / kernel] • kernel vfs assisted by user process • XFS handles application requests • scfsd translates requests to ISO-7816 APDUs • No caching
scfs performance • scfs overhead under 1ms
scfs problem areas • order of remove • directories and metadata
directory entry file • iso-7816 does not have the right metadata • file type, size, age • required for ls, cat • Hack: “.i” in every directory
abstraction mismatch • some iso-7816-4 features do not fit the unix filesystem abstraction • creat(), mkdir() need size • crypto commands (authentication, verify key, …) • hack: ioctl()
comparing pc/sc and scfs • PC/SC: application modified or created • SCFS: application not modified • [diagram: Application / PC/SC / OS stacks beside Application / OS / SCFS stacks]
pc/sc and scfs (cont’d) • pc/sc supports more cards and readers • scfs can take advantage of it • work in progress • [diagram: Application / OS / SCFS / PC/SC stacks]
scfs extensions • encrypted file system • key per file, derived from smartcard master key • 300 msec. overhead to derive key • caching keys helps
scfs conclusion • powerful, flexible api • overhead is small • useful as a low-level development tool • ls, cd, pwd, emacs, etc. • secure storage for user profiles, web cookies, kerberos tickets, private keys, etc.
secure booting with smartcard • netboot aegis from rom to load an integrity-checked specialized os • os checks macs stored on a smartcard • so check the kernel image integrity • and boot • check integrity of important applications (kerberos kdc, databases, etc.) with the smartcard • can boot linux, openbsd, win9x, …
secure bootstrap with smartcard • signed executables for software integrity check • hardware-based solutions • secure coprocessor, aegis (from upenn) • secure, but hard to configure • software-based solutions • tripwire, authenticode • but is os trusted?