Title: cool smartcard hacks
1cool smartcard hacks
- peter honeyman
- citi, university of michigan, ann arbor
2a little bit about citi
- center for information technology integration
- founded in 1986 as part of information technology division
- now in cio office
3citi staff
- faculty and staff scientists (3)
- researchers and programmers (3)
- students (13)
- doctoral (4)
- masters (1)
- undergraduate (7)
- high school (1)
4a little more about citi
- mission: advance umich info tech environment, transfer results to university, government, industry
- research and development skunkworks for cio
- externally funded, primarily by short-term
industry contracts
5citi core competencies
- middleware
- enterprise-scale info tech integration
- distributed file systems
- integrated security
- mobile and wireless computing
6major advances of the 20th century
- computing
- transportation
- mobile computing
- newton, pilot
- superslims
- pcs, e.g., nokia, qualcomm, sprint, etc.
- smartcards
- a little computing
- a lotta mobility
7smartcards are cool because
- they are tamper resistant
- they can do a little crypto
- they have a restricted (albeit bizarre) (yet functional) api that can protect secrets
- they can store keys
- in fact, they have special key files
8principal applications
- stored value
- phone cards
- electronic purse
- secure identification
- challenge/response protocols
- gsm phone identity
9how smartcards are used
- e-purse, e.g., mcard, visacash, mondex
- many spectacular failures
- gsm authentication
- information control
- german healthcard
- closed market applications
- DoD card
- welfare card
10impediments to use
- infrastructure requirements
- integration with contemporary computing environments
- especially security middleware
11outline
- smartcard ip
- kerberos client
- smartcard-based file systems
- secure booting
- palm pilot hacks
12ip on smartcard
- expand smartcard accessibility to the internet
- network protocols on smartcard
- network service unmodified
- smartcard as a mobile computer
- bring your ip address with you
13javacard web server
- minimal functional server
- one connection at a time
- minimal state maintenance
- tcp port
- file name
- tcp state
14platform
- schlumberger cyberflex access
- 16 KB eeprom
- iso 7816 smartcard
- java card 2.0
- 1.2 KB ram
15http only
- subset of http 1.0 (or higher)
- GET method only
16tcp only
- three states
- listen, established, finwait1
- actually, tcp state is never used
- no!
- options
- retransmission
- checksum validation
- hosts requirements compliance
- use sequence number as file offset
17ip only
- no!
- options
- reassembly
- 250 byte mtu
18tunnel daemon
- near side: webcard ip address
- far side: iso 7816 framing
- openbsd implementation
19cardlet details
- 1200 byte codes
- leaves about 13k for content
20webcard summary
- performance: 130 bytes/sec.
- copy content to card with scfs
- open source
- http://smarty.citi.umich.edu
21secure internet smartcards
- extend webcard to secure ip stack
- personal security assistant
- secure key storage
- personal crypto engine
- internet addressable
- fixed domain name
22why a smartcard on the internet?
- convenient
- e.g., one office, many computers, one reader
- secure
- smartcard has excellent physical security
- mobile
- you can even sit on it
23how?
- establish secure, authenticated channel to card
- PIN for authentication
- session key established with SPEKE
24SPEKE
- DH PIN-based common base
- DH
- A → B: g^x mod r
- B → A: g^y mod r
- K = g^(xy) mod r
- SPEKE: g = f(PIN)
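The exchange on this slide in Python (an added example, not code from the talk or from CITI): both sides derive g = f(PIN), exchange g^x and g^y, and confirm K. The modulus (RFC 3526 group 14 standing in for the slide's r), the SHAKE-256-and-square choice for f, the HMAC confirmation step, and the names `pin_to_base`, `Party`, `confirm` and `run_exchange` are assumptions.

```python
import hashlib, hmac, secrets

# Assumption: RFC 3526 group 14, a 2048-bit safe prime (P = 2Q + 1). The slide
# writes only "mod r" and does not say which modulus the card used.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2

def pin_to_base(pin: str) -> int:
    """g = f(PIN): hash the PIN to a full-width value, then square it so that
    g lies in the prime-order-Q subgroup."""
    h = int.from_bytes(hashlib.shake_256(pin.encode()).digest(256), "big")
    return pow(h % P, 2, P)

class Party:
    def __init__(self, pin: str):
        self.g = pin_to_base(pin)
        self.x = secrets.randbelow(Q - 1) + 1    # private exponent in [1, Q-1]
        self.public = pow(self.g, self.x, P)     # g^x mod r, sent in the clear

    def session_key(self, peer_public: int) -> bytes:
        # 0, 1 and P-1 would force K into a subgroup of size <= 2.
        if not 1 < peer_public < P - 1:
            raise ValueError("degenerate public value")
        k = pow(peer_public, self.x, P)          # K = g^(xy) mod r
        return hashlib.sha256(k.to_bytes(256, "big")).digest()

def confirm(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def run_exchange(host_pin: str, card_pin: str) -> bool:
    """Both sides derive K; the card proves it with a MAC the host checks."""
    host, card = Party(host_pin), Party(card_pin)
    k_host = host.session_key(card.public)
    k_card = card.session_key(host.public)
    tag = confirm(k_card, b"card->host")
    return hmac.compare_digest(tag, confirm(k_host, b"card->host"))

if __name__ == "__main__":
    print("same PIN:", run_exchange("4921", "4921"))       # constructed PINs
    print("wrong PIN:", run_exchange("4921", "4922"))
```

A mismatched PIN shows up only as a failed confirmation, so the card side should count failed attempts and lock after a small limit.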
25performance
26performance timeline
27EKE comparison
- EKE
- A → B: DES(PIN, PUBKEY)
- B → A: RSA(PRIVKEY, K)
- EKE setup: 4.47 sec
- (SPEKE 3.56)
- 1.5 sec to manufacture key pair
28smartcard integration with kerberos
- university of michigan computing environment is protected by kerberos
- so are mit, cmu, stanford, cornell,
- product offerings from microsoft, ibm, oracle ...
- public key cryptography is not practical
- (yet)
- kerberos security limitations
- lacks external encryption device
- lacks secure key storage
- passwords vulnerable to dictionary attack
- smartcards can solve these problems
29need for encryption device
(diagram: kerberos kdc, ticket, password)
- key is exposed to user and workstation
- workstation may not be trusted
- sniffer, trojan horse, virus ...
30need for secure storage
- keys stored on hard disk or in memory are vulnerable
- hard disks are not secure
- adversary with administrative rights can access keys
- data in a hard disk may be backed up in an unprotected mass storage device
- memory is not secure
- adversary can scan memory
- data in memory can be paged out to a hard disk
31dictionary attack
- create a list of english words, names, etc.
- Also star wars, german, shakespeare,
- thx1138 is a vulnerable password! :-(
- derive keys from the words in the list
- obtain a <plaintext, ciphertext> pair
- kerberos gives up <plaintext, ciphertext> easily
- decrypt ciphertext with the derived key
- if plaintext recovered, password is exposed
- umich: > 4,000 vulnerable accounts in 1997
- 2,400 in 1999
32countermeasures - use a smartcard
(diagram: kerberos kdc, ticket)
- key is not exposed to user, workstation, or network
- no password
33smartcard kerberos client
(diagram: kerberos kdc, ticket)
- key is not exposed to user, workstation, or network
- no password
34implementation
- starcos v. 2.1 from giesecke & devrient
- cyberflex access from schlumberger
- mit kerberos v5-1.0.5 client
- kerberos server unmodified for global interoperability; well, almost
- ticket length > 200 bytes, requires cbc
- des_cbc_crc method uses key as ivec
- modify server to permit des_cbc_md5
35kerberossmartcard performance
timeline, time in sec.:
event              gd     slb
kinit start        0      0
card reset         0.16   0.38
start decryption   0.36   0.74
end decryption     1.06   2.86
kinit end          1.09   2.89
- smartcard time: gd 0.9 sec, slb 2.48 sec
- communication cost: 0.05 sec, 0.10 sec with 115 kbps and 56 Kbps
- javacard performance is ok
36kerberossmartcard w-i-p
- udp/ip implementation
- store ticket on smartcard
- pc/sc library for interoperability
- server ticket generation
- using ibm 4758 secure pci 486
37smartcard filesystem (scfs)
- iso-7816
- standard smartcard interface
- message framing protocol (too primitive to be usable)
- many vendor dependencies
- smartcard programming toolkits
- ibm mfc, microsoft pc/sc, opencard framework, emv96, pkcs11,
- smartcard-specific everything: language, api, toolkit, library, application, etc.
- hassle: learning toolkit after toolkit
- api dependencies
38scfs goals and policies
- integrate a smartcard with unix
- vfs unix filesystem api
- take advantage of unix environment
- allows sophisticated unix commands (cd, ls, cat ...) and system calls (open, close, read, write )
- access through symlinks
- any iso-7816 smartcard
- easy integration with applications
- netscape cookies
- pgp private keyring
- kerberos tickets
- ssh private key
39application to ssh
citi mount_scfs /dev/scfs0 /smartcard
citi ln -s /.ssh/identity /smartcard/ss/id
citi ssh sin.citi.umich.edu
Enter PIN
sin logout
40scfs design
- kernel vfs assisted by user process
user kernel
- XFS handles application requests
- scfsd translates requests to ISO-7816 APDUs
- No caching
41scfs performance
42scfs problem areas
- order of remove
- directories and metadata
43directory entry file
- iso-7816 does not have the right metadata
- file type, size, age
- required for ls, cat
- hack: .i in every directory
44abstraction mismatch
- some iso-7816-4 features do not fit the unix filesystem abstraction
- creat(), mkdir() need size
- crypto commands (authentication, verify key, )
- hack: ioctl()
45comparing pc/sc and scfs
- pc/sc: application modified or created
- (diagram: application, pc/sc, os)
- scfs: application not modified
- (diagram: application, os, scfs)
46pc/sc and scfs (contd)
- pc/sc supports more cards and readers
- scfs can take advantage of it
- work in progress
(diagram: application, os, scfs, pc/sc)
47scfs extensions
- encrypted file system
- key per file, derived from smartcard master key
- 300 msec. overhead to derive key
- caching keys helps
48scfs conclusion
- powerful, flexible api
- overhead is small
- useful as a low-level development tool
- ls, cd, pwd, emacs, etc.
- secure storage for user profiles, web cookies,
kerberos tickets, private keys, etc.
49secure booting with smartcard
- netboot aegis from rom to load an integrity-checked specialized os
- os checks macs stored on a smartcard
- so check the kernel image integrity
- and boot
- check integrity of important applications (kerberos kdc, databases, etc.) with the smartcard
- can boot linux, openbsd, win9x,
50secure bootstrap with smartcard
- signed executables for software integrity check
- hardware-based solutions
- secure coprocessor, aegis (from upenn)
- secure, but hard to configure
- software-based solutions
- tripwire, authenticode
- but is os trusted?
51code signing with smartcard
- use aegis to boot a specialized os (boot os)
- store macs in a smartcard
- check the kernel integrity (second os) with the smartcard
- check integrity of important applications (kerberos kdc, databases, etc.) with the smartcard
52secure booting summary
- multi-level bootstrap, with assurance at each level
- can boot linux, openbsd, win9x
53palm pilot hacks
- palmreader, software tools
- smartcard explorer
- blaze rke cipher
- appropriate cipher for length-preserving file encryption using smartcard
- s/key calculator
- value checker (mcard, visacash, mondex)
- and transfer?
- encrypted beam?
54projects under incubation
- extend ip stack
- sun rpc on smartcard (rmi wrapper? shrpc?)
- ldap server on ip smartcard
- pki based user authentication
- ssl between smartcard and web server (to send data securely), or ssl between client and smartcard web server
- cyberflex simera. (ip over sms?)
- new os for javacard
55summary: citi's focus
- secure computing
- secure storage
- authentication
- secure booting
- application integration
- convenient use of smartcard
- operating system extensions
- internet access
- pda integration
56publications
- N. Itoi and P. Honeyman, "Practical Security Solutions with Smartcards," in Proc. 7th IEEE Workshop on Hot Topics in Operating Systems, Rio Rico, AZ (March 1999)
- N. Itoi and P. Honeyman, "Smartcard Integration with Kerberos V5," in Proc. USENIX Workshop on Smartcard Technology, Chicago (May 1999)
- N. Itoi, P. Honeyman, and J. Rees, "SCFS: A UNIX Filesystem for Smartcards," in Proc. USENIX Workshop on Smartcard Technology, Chicago (May 1999)
57publications
- N. Itoi, "Secure Coprocessor Integration with Kerberos V5," in Proc. USENIX Security'2000, Denver (July 2000)
- N. Itoi, P. Honeyman, and T. Fukuzawa, "Secure Internet Smartcards," in Proc. Java Card Workshop, Cannes (September 2000)
- J. Rees and P. Honeyman, "Webcard: a Java Card web server," in Proc. IFIP CARDIS 2000, Bristol, UK (September 2000)
- P. Honeyman, "New I/O Models for Smartcards" (in preparation)
58any questions?
http://www.citi.umich.edu/