Smart Card Security: ‘How Can We Be So Sure?’

B. Preneel, V. Rijmen (Eds.): COSIC'97 Course, LNCS 1528, pp. 332-337, 1998.

© Springer-Verlag Berlin Heidelberg 1998

Ernst Bovelander

TNO Centre for Evaluation of Instrumentation and Security Techniques
PO Box 5013, 2600 GA Delft, The Netherlands
bovenlander@tpd.tno.nl

1. Introduction

TNO is the Netherlands Organisation for Applied Scientific Research. Its primary tasks are to support trade and industry, the authorities and other groups of the community in technological innovation and to assist clients and sponsors in solving problems. TNO is a fully independent R&D organisation with a staff of approximately 4,000 and an annual turnover of more than US$ 500 million.

The main features of TNO are:

• multidisciplinary,

• practice and market-oriented,

• independent,

• possessing unique knowledge and facilities,

• internationally oriented.

TNO's research takes place at 15 institutes spread throughout the Netherlands.

Nearly all scientific fields are covered by these institutes.

The Centre for Evaluation of Instrumentation and Security Techniques (EIB) is part of the TNO Institute of Applied Physics (TPD).

The security section of the Evaluation Centre specialises in the evaluation of security-related systems and products. The evaluations range from intruder and fire alarm systems, through assessing the possibilities of counterfeiting credit cards and documents, to the study of optical security features such as holograms. The evaluation of electronic payment systems and their components forms the main part of our security activities. This includes assessment of the security aspects of PIN pads, single-chip security modules and smart cards. Our projects are carried out for both financial institutions and manufacturers of EFT (Electronic Funds Transfer) equipment from all over the world.


The security aspects of more than 75 different smart card based security systems have been investigated by the Evaluation Centre. These investigations comprise physical security aspects (the 'silicon'), logical security aspects (card operating systems) and organisational measures (e.g. transport, initialisation).

2. Security Evaluations

Security functions of any system, including smart cards, revolve around the three basic security principles: integrity, confidentiality and availability.

2.1 Card and System Authentication

The first line of defence in (smart) card authentication is the set of security features on the card itself. The most commonly used techniques are photographs, signatures, iris print (rainbow print), pearl lustre ink, tactile laser engraving, holograms, kinegrams etc. These measures depend on human inspection.

Additional security is provided by measures which link the ‘plastic’ to the chip. In general, optically readable security features, such as holographic barcodes or unique optical patterns, are used for this purpose. An additional reader is often required to ‘read’ the optical pattern.

The authentication of both the chip and the system is normally based on a shared secret, the cryptographic key. The quality of the authentication relies on the secrecy of the cryptographic keys. The security measures of the systems will therefore in general be focused on the protection of these cryptographic keys.
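As an added example (not from the paper), the shared-key authentication described above written out as a mutual challenge-response exchange between card and host: each side answers the other's fresh challenge with a keyed MAC, so the key itself never crosses the interface. The card id, key size and HMAC-SHA256 are assumptions.

```python
import hashlib
import hmac
import secrets
# Added example, not from the paper: mutual challenge-response authentication
# between a card and the host system over a shared key K. Each side answers the
# other's fresh random challenge with a keyed MAC, so K never leaves the chip.

def mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

class Card:
    def __init__(self, card_id: bytes, key: bytes):
        self.card_id, self._key, self.rc = card_id, key, None
    def get_challenge(self) -> bytes:
        self.rc = secrets.token_bytes(8)  # fresh per session: defeats replay
        return self.rc

    def external_auth(self, rh: bytes, host_tag: bytes) -> bytes:
        # Host proves knowledge of K first; constant-time compare so the check
        # itself gives an external observer no timing side effect.
        if not hmac.compare_digest(mac(self._key, b"host", self.rc, rh), host_tag):
            raise PermissionError("host authentication failed")
        return mac(self._key, b"card", rh, self.rc)  # card's own proof

class Host:
    def __init__(self, keys: dict):
        self._keys = keys  # card_id -> key (diversified per card in practice)
    def authenticate(self, card: Card) -> bool:
        key, rc, rh = self._keys[card.card_id], card.get_challenge(), secrets.token_bytes(8)
        try:
            card_tag = card.external_auth(rh, mac(key, b"host", rc, rh))
        except PermissionError:
            return False
        return hmac.compare_digest(card_tag, mac(key, b"card", rh, rc))

def run_demo():
    # Returns (genuine accepted, clone with wrong key accepted, replay accepted).
    key = secrets.token_bytes(16)  # constructed sample key
    host = Host({b"card-0001": key})
    genuine = Card(b"card-0001", key)
    clone = Card(b"card-0001", secrets.token_bytes(16))  # same id, wrong key
    rh = secrets.token_bytes(8)
    stale = mac(key, b"host", genuine.get_challenge(), rh)  # tag from session 1
    genuine.get_challenge()  # session 2: the card issues a new challenge
    try:
        genuine.external_auth(rh, stale)
        replayed = True
    except PermissionError:
        replayed = False
    return host.authenticate(genuine), host.authenticate(clone), replayed
```

`run_demo()` returns `(True, False, False)`: only a holder of the shared key is accepted, and a captured host response cannot be reused against a later session.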

2.2 System Security

The total security of a system depends on the implementation of three aspects:

• physical security measures (hardware),

• logical security measures (software),

• organisational measures.

An adequate level of security can only be accomplished if these three aspects are combined in such a way that all possible weak aspects are covered.

In general, weak aspects in the design of a security product will emerge at the interfaces of physical, logical and organisational measures. A 100% secure product cannot be made. There will always be a way to break the system. A system is considered to be 'secure' if the chances of breaking the system and the consequences of this unauthorised access, e.g. compromising the cryptographic keys or the biometric template, are acceptable for the end-user.


A security scheme of a system, based on secrecy of the security principles, is in general not acceptable for end-users. The security of a cryptographic algorithm must be based only on the secrecy of the key(s) and not on the secrecy of the algorithm (Kerckhoffs’ principle).

A generic secure application module, see figure 1, will comprise the following elements:

• a physical barrier, e.g. a metal box,

• fraud sensors, to detect an attempt to defraud the system,

• an alarm circuitry; this circuitry must process the information from the fraud sensors and act appropriately,

• memory to store sensitive data, e.g. cryptographic keys, biometric template,

• software to define the functionality of the system.

[Figure 1: block diagram of a generic secure application module: sensors feeding an alarm circuit, a microprocessor with software and memory, and input/output lines.]

Fig. 1 Generic Secure Application Module

A smart card is a miniature of the conventional security module, but with a major difference: in general, a conventional security module is always powered and its security functions are therefore always active, whereas the smart card is most of the time not powered and will therefore not have active fraud detection measures.

Furthermore, the memory of the smart card, in which the secret information is stored, must be non-volatile. Normally, EEPROM is used for this purpose.


[Figure 2: block diagram of a generic smart card: microprocessor, memory, software and i/o inside a physical barrier.]

Fig. 2 Generic smart card

The Evaluation Centre has developed methods for the evaluation of security systems, including smart cards. The main goal of the investigations is to establish the level of security of the application. More practically, we find out how much effort it takes to reveal the secrets of the systems and what can be done with these secrets.

Smart cards are an important part of modern security systems, where they often function as secure application modules. The security aspects of smart cards can be analysed internally and externally.

3. External Analysis

In an external analysis we attempt to learn as much as possible about the functionality of a card by investigating the physical side effects of this functionality, such as noise, emission, power consumption, dataflow etc. These experiments are carried out without opening the chip (black box approach). External analysis can be very threatening from an end-user's point of view, as possible attacks revealed by this analysis can have a low realisation threshold. Examples of external attacks are the ‘Kocher attack’ and the latest ‘Bell-core attack’. A lot of experience and creativity is essential to reveal secrets in the chip, if at all possible. The outcome of external analyses strongly depends on the application. In general, no direct information is gained from an external analysis, but what we learn may be used to develop new attack scenarios.

4. Internal Analysis

The methods for an internal analysis require opening of the chip. For most smart cards this is not a problem. Several etching techniques for opening the chip and preparing the chip surface have been developed by the Evaluation Centre.

The most common techniques used for an internal analysis of smart cards are probing and SEM analysis.


4.1 Probing

A sub-micron probe station, comprising a microscope and an optically stable platform with probe manipulators, is used for these investigations. The smallest probe needles have a tip radius of approximately 0.5 micron. Tracks on the chip surface with the same dimensions can be tapped. A maximum number of 10 probes can be placed on the chip, but this number is in practice strongly dependent on the chip design.

Two methods of probing are generally used:

• active probing: inserting information, generally at the databus, e.g. to change the sequence of the program,

• passive probing: reading information, generally from the databus.

4.2 Scanning Electron Microscope Analysis

A scanning electron microscope (SEM) can be used in various ways during the evaluation process. It is mostly used for surface analysis: e.g. for reverse engineering of chip structures.

The SEM can also be used for visualisation of voltages on the chip surface (voltage contrast). With this technique, a thorough understanding of the functionality of the chip can be obtained.

With a special technique (single beam voltage contrast), the SEM can be used for passive 'probing' on very small tracks (<0.25 micron).

4.3 Focused Ion Beam Systems

New techniques for analysing integrated circuits are being developed constantly.

One of these new developments is the Focused Ion Beam system (FIB). The FIB proves to be a very useful tool for the attack of integrated circuits.

A FIB system has three main features:

View mode

It is possible to use the FIB system as a surface microscope, like a Scanning Electron Microscope (SEM).

Milling mode

The FIB system can be used as a micro milling device. Depending on the use of special gases during etching, very small holes can be cut. Such holes can be made at very specific locations and with very great precision. This technique can be used to selectively remove material from the chip surface, such as the passivation layer.


Deposition mode

When using specific gases together with the ion beam, metals can be deposited on the chip surface. Such metal objects can be used to create e.g. test bondpads for probe needles, or as new metal tracks. FIB systems are nowadays common in the semiconductor industry. The resolution of these systems is by far sufficient to modify all integrated circuits available on the market today and tomorrow. A major concern is the availability of these systems. All chip manufacturers use FIB systems for device modification during chip design and testing. Also, a large number of commercial service laboratories all over the world can be used for this kind of work.

5. Conclusions

The security aspects of a design should not be viewed as an add-on feature. Security thinking must be fully incorporated in the design process and implemented in production.

Although 100% security can never be accomplished, it is possible to build very secure systems using smart cards. An adequate design and implementation of combined physical, logical and organisational security measures can result in a secure product. Most products that fail to fulfil their requirements have security flaws at the interface between physical, logical and organisational measures.
