cool smartcard hacks - PowerPoint PPT Presentation

1 / 58
About This Presentation
Title:

cool smartcard hacks

Description:

Title: cool smartcard hacks Subject: computer security Author: peter honeyman Keywords: javacard, kerberos, vfs, bootstrap, web server, tcp/ip, palm pilot – PowerPoint PPT presentation

Number of Views:170
Avg rating:3.0/5.0
Slides: 59
Provided by: PETERHO3
Category:

less

Transcript and Presenter's Notes

Title: cool smartcard hacks


1
cool smartcard hacks
  • peter honeyman
  • citiuniversity of michiganann arbor

2
a little bit about citi
  • center for information technology integration
  • founded in 1986 as part of information technology
    division
  • now in cio office

3
citi staff
  • faculty and staff scientists (3)
  • researchers and programmers (3)
  • students (13)
  • doctoral (4)
  • masters (1)
  • undergraduate (7)
  • high school (1)

4
a little more about citi
  • mission advance umich info tech environment,
    transfer results to university, government,
    industry
  • research and development skunkworks for cio
  • externally funded, primarily by short-term
    industry contracts

5
citi core competencies
  • middleware
  • enterprise-scale info tech integration
  • distributed file systems
  • integrated security
  • mobile and wireless computing

6
major advances of the 20th century
  • computing
  • transportation
  • mobile computing
  • newton, pilot
  • superslims
  • pcs, e.g., nokia, qualcomm, sprint, etc.
  • smartcards
  • a little computing
  • a lotta mobility

7
smartcards are cool because
  • they are tamper resistant
  • they can do a little crypto
  • they have a restricted (albeit bizarre) (yet
    functional) api that can protect secrets
  • they can store keys
  • in fact, they have special key files

8
principal applications
  • stored value
  • phone cards
  • electronic purse
  • secure identification
  • challenge/response protocols
  • gsm phone identity

9
how smartcards are used
  • e-purse, e.g., mcard, visacash, mondex
  • many spectacular failures
  • gsm authentication
  • information control
  • german healthcard
  • closed market applications
  • DoD card
  • welfare card

10
impediments to use
  • infrastructure requirements
  • integration with contemporary computing
    environments
  • especially security middleware

11
outline
  • smartcard ip
  • kerberos client
  • smartcard-based file systems
  • secure booting
  • palm pilot hacks

12
ip on smartcard
  • expand smartcard accessibility to the internet
  • network protocols on smartcard
  • network service unmodified
  • smartcard as a mobile computer
  • bring your ip address with you

13
javacard web server
  • minimal functional server
  • one connection at a time
  • minimal state maintenance
  • tcp port
  • file name
  • tcp state

14
platform
  • schlumberger cyberflex access
  • 16 KB eeprom
  • iso 7816 smartcard
  • java card 2.0
  • 1.2 KB ram

15
http only
  • subset of http 1.0 (or higher)
  • GET method only

16
tcp only
  • three states
  • listen, established, finwait1
  • actually, tcp state is never used
  • no!
  • options
  • retransmission
  • checksum validation
  • hosts requirements compliance
  • use sequence number as file offset

17
ip only
  • no!
  • options
  • reassembly
  • 250 byte mtu

18
tunnel daemon
  • near side webcard ip address
  • far side iso 7816 framing
  • openbsd implementation

19
cardlet details
  • 1200 byte codes
  • leaves about 13k for content

20
webcard summary
  • performance 130 bytes/sec.
  • copy content to card with scfs
  • open source
  • http//smarty.citi.umich.edu

21
secure internet smartcards
  • extend webcard to secure ip stack
  • personal security assistant
  • secure key storage
  • personal crypto engine
  • internet addressable
  • fixed domain name

22
why a smartcard on the internet?
  • convenient
  • e.g., one office, many computers, one reader
  • secure
  • smartcard has excellent physical security
  • mobile
  • you can even sit on it

23
how?
  • establish secure, authenticated channel to card
  • PIN for authentication
  • session key established with SPEKE

24
SPEKE
  • DH PIN-based common base
  • DH
  • A ? B gx mod r
  • B ? A gy mod r
  • Kgxy mod r
  • SPEKE g f(PIN)

25
performance
26
performance timeline
27
EKE comparison
  • EKE
  • A ? B DES(PIN, PUBKEY)
  • B ? A RSA(PRIVKEY, K)
  • EKE setup 4.47 sec
  • (SPEKE 3.56)
  • 1.5 sec to manufacture key pair

28
smartcard integration with kerberos
  • university of michigan computing environment is
    protected by kerberos
  • So are mit, cmu, stanford, cornell,
  • product offerings from microsoft, ibm, oracle ...
  • public key cryptography is not practical
  • (yet)
  • kerberos security limitations
  • lacks external encryption device
  • lacks secure key storage
  • passwords vulnerable to dictionary attack
  • smartcards can solve these problems

29
need for encryption device
kerberos kdc
ticket
password
  • key is exposed to user and workstation
  • workstation may not be trusted
  • sniffer, trojan horse, virus ...

30
need for secure storage
  • keys stored on hard disk or in memory are
    vulnerable
  • hard disks are not secure
  • adversary with administrative rights can access
    keys
  • data in a hard disk may be backed up in an
    unprotected mass storage device
  • memory is not secure
  • adversary can scan memory
  • data in memory can be paged out to a hard disk

31
dictionary attack
  • create a list of english words, names, etc.
  • Also star wars, german, shakespeare,
  • thx1138 is a vulnerable password! -(
  • derive keys from the words in the list
  • obtain a ltplaintext, ciphertextgt pair
  • kerberos gives up ltplaintext, ciphertextgt easily
  • decrypt ciphertext with the derived key
  • if plaintext recovered, password is exposed
  • umich gt 4,000 vulnerable accounts in 1997
  • 2,400 in 1999

32
countermeasures - use a smartcard
kerberos kdc
ticket
  • key is not exposed to user, workstation, or
    network
  • no password

33
smartcard kerberos client
kerberos kdc
ticket
  • key is not exposed to user, workstation, or
    network
  • no password

34
implementation
  • starcos v. 2.1 from giesecke devrient
  • cyberflex access from schlumberger
  • mit kerberos v5-1.0.5 client
  • kerberos server unmodified for global
    interoperability well, almost
  • ticket length gt 200 bytes, requires cbc
  • des_cbc_crc method uses key as ivec
  • modify server to permit des_cbc_md5

35
kerberossmartcard performance
enddecryption
kinit start
card reset
kinitend
start decryption
gd
0
0.16
0.36
1.06
1.09
0
0.38
0.74
2.86
2.89
slb
time in sec.
  • smartcard time gd 0.9 sec, slb 2.48 sec
  • communication cost 0.05 sec, 0.10 sec with 115
    kbps and 56 Kbps
  • javacard performance is ok

36
kerberossmartcard w-i-p
  • udp/ip implementation
  • store ticket on smartcard
  • pc/sc library for interoperability
  • server ticket generation
  • using ibm 4758 secure pci 486

37
smartcard filesystem (scfs)
  • iso-7816
  • standard smartcard interface
  • message framing protocol (too primitive to be
    usable)
  • many vendor dependencies
  • smartcard programming toolkits
  • ibm mfc, microsoft pc/sc, opencard framework,
    emv96, pkcs11,
  • smartcard-specific everything language, api,
    toolkit, library, application, etc.
  • hassle learning toolkit after toolkit
  • api dependencies

38
scfs goals and policies
  • integrate a smartcard with unix
  • vfs unix filesystem api
  • take advantage of unix environment
  • allows sophisticated unix commands (cd, ls, cat
    ...) and systems calls (open, close, read, write
    )
  • access through symlinks
  • any iso-7816 smartcard
  • easy integration with applications
  • netscape cookies
  • pgp private keyring
  • kerberos tickets
  • ssh private key

39
application to ssh
citi mount_scfs /dev/scfs0 /smartcard citi ln
-s /.ssh/identity /smartcard/ss/id citi ssh
sin.citi.umich.edu Enter PIN sin logout
40
scfs design
  • kernel vfs assisted by user process

user kernel
  • XFS handles application requests
  • scfsd translates requests to ISO-7816 APDUs
  • No caching

41
scfs performance
  • scfs overhead under 1ms

42
scfs problem areas
  • order of remove
  • directories and metadata

43
directory entry file
  • iso-7816 does not have the right metadata
  • file type, size, age
  • required for ls, cat
  • Hack .i in every directory

44
abstraction mismatch
  • some iso-7816-4 features do not fit the unix
    filesystem abstraction
  • creat(), mkdir() need size
  • crypto commands (authentication, verify key, )
  • hack ioctl()

45
comparing pc/sc and scfs
PC/SC Application modified or created
Application
Application
PC/SC
OS
OS
SCFS Application not modified
Application
Application
OS
OS
SCFS
46
pc/sc and scfs (contd)
  • pc/sc supports more cards and readers
  • scfs can take advantage of it
  • work in progress

Application
Application
OS
OS
SCFS
PC/SC
47
scfs extensions
  • encrypted file system
  • key per file, derived from smartcard master key
  • 300 msec. overhead to derive key
  • caching keys helps

48
scfs conclusion
  • powerful, flexible api
  • overhead is small
  • useful as a low-level development tool
  • ls, cd, pwd, emacs, etc.
  • secure storage for user profiles, web cookies,
    kerberos tickets, private keys, etc.

49
secure booting with smartcard
  • netboot aegis from rom to load an
    integrity-checked specialized os
  • os checks macs stored on a smartcard
  • so check the kernel image integrity
  • and boot
  • check integrity of important applications
    (kerberos kdc, databases, etc.) with the
    smartcard
  • can boot linux, openbsd, win9x,

50
secure bootstrap with smartcard
  • signed executables for software integrity check
  • hardware-based solutions
  • secure coprocessor, aegis (from upenn)
  • secure, but hard to configure
  • software-based solutions
  • tripwire, authenticode
  • but is os trusted?

51
code signing with smartcard
  • use aegis to boot a specialized os (boot os)
  • store macs in a smartcard
  • check the kernel integrity (second os) with the
    smartcard
  • check integrity of important applications
    (kerberos kdc, databases, etc.) with the smartcard

52
secure booting summary
  • multi-level bootstrap, with assurance at each
    level
  • can boot linux, openbsd, win9x

53
palm pilot hacks
  • palmreader, software tools
  • smartcard explorer
  • blaze rke cipher
  • appropriate cipher for length-preserving file
    encryption using smartcard
  • s/key calculator
  • value checker (mcard, visacash, mondex)
  • and transfer?
  • encrypted beam?

54
projects under incubation
  • extend ip stack
  • sun rpc on smartcard (rmi wrapper? shrpc?)
  • ldap server on ip smartcard
  • pki based user authentication
  • ssl between smartcard and web server (to send
    data securely), or ssl between client and
    smartcard web server
  • cyberflex simera. (ip over sms?)
  • new os for javacard

55
summary citis focus
  • secure computing
  • secure storage
  • authentication
  • secure booting
  • application integration
  • convenient use of smartcard
  • operating system extensions
  • internet access
  • pda integration

56
publications
  • N. Itoi and P. Honeyman, Practical Security
    Solutions with Smartcards, in Proc. 7th IEEE
    Workshop on Hot Topics in Operating Systems, Rio
    Rico, AZ (March 1999)
  • N. Itoi and P. Honeyman, "Smartcard Integration
    with Kerberos V5," in Proc. USENIX Workshop on
    Smartcard Technology, Chicago (May 1999)
  • N. Itoi, P. Honeyman, and J. Rees, "SCFS A UNIX
    Filesystem for Smartcards, in Proc. USENIX
    Workshop on Smartcard Technology, Chicago (May
    1999)

57
publications
  • N. Itoi, "Secure Coprocessor Integration with
    Kerberos V5, in Proc. USENIX Security'2000,
    Denver (July 2000).
  • N. Itoi, P. Honeyman, and T. Fukuzawa, Secure
    Internet Smartcards, in Proc. Java Card
    Workshop, Cannes (September 2000).
  • J. Rees and P. Honeyman, "Webcard a Java Card
    web server," in Proc. IFIP CARDIS 2000, Bristol,
    UK (September 2000)
  • P. Honeyman, New I/O Models for Smartcards (in
    preparation).

58
any questions?
http//www.citi.umich.edu/
Write a Comment
User Comments (0)
About PowerShow.com