cool smartcard hackspeter honeymancitiuniversity of michiganann arbor

a little bit about citi

center for information technology integration founded in 1986 as part of information

technology division now in cio office

citi staff

faculty and staff scientists (3) researchers and programmers (3) students (13)

– doctoral (4)– masters (1)– undergraduate (7)– high school (1)

a little more about citi

mission: advance umich info tech environment, transfer results to university, government, industry– research and development “skunkworks”

for cio– externally funded, primarily by short-term

industry contracts

citi core competencies

middleware enterprise-scale info tech integration

– distributed file systems– integrated security

mobile and wireless computing

major advances of the 20th century

computing transportation mobile computing

– newton, pilot– superslims– pcs, e.g., nokia, qualcomm, sprint, etc.

smartcards– a little computing– a lotta mobility

smartcards are cool because

they are tamper resistant they can do a little crypto they have a restricted (albeit

bizarre) (yet functional) api that can protect secrets

they can store keys– in fact, they have special key files

principal applications

stored value– phone cards– electronic purse

secure identification– challenge/response protocols– gsm phone identity

how smartcards are used

e-purse, e.g., mcard, visacash, mondex– many spectacular failures

gsm authentication information control

– german healthcard closed market applications

– DoD card– welfare card

impediments to use

infrastructure requirements integration with contemporary

computing environments– especially security middleware

outline

smartcard ip kerberos client smartcard-based file systems secure booting palm pilot hacks

ip on smartcard

expand smartcard accessibility to the internet

network protocols on smartcard– network service unmodified

smartcard as a mobile computer– bring your ip address with you

javacard web server

minimal functional server one connection at a time minimal state maintenance

– tcp port– file name– tcp statetcp state

platform

schlumberger cyberflex access 16 KB eeprom iso 7816 smartcard java card 2.0 1.2 KB ram

http only

subset of http 1.0 (or higher) GET method only

tcp only

three states– listen, established, finwait1– actually, tcp state is never used

no! – options– retransmission– checksum validation– hosts requirements compliance

use sequence number as file offset

ip only

no!– options– reassembly

~ 250 byte mtu

tunnel daemon

“near” side: webcard ip address “far” side: iso 7816 framing openbsd implementation

cardlet details

~ 1200 byte codes leaves about 13k for content

webcard summary

performance: ~ 130 bytes/sec. copy content to card with scfs open source http://smarty.citi.umich.edu

secure internet smartcards

extend webcard to secure ip stack personal security assistant

– secure key storage– personal crypto engine

internet addressable– fixed domain name

why a smartcard on the internet?

convenient– e.g., one office, many computers, one

reader secure

– smartcard has excellent physical security mobile

– you can even sit on it

how?

establish secure, authenticated channel to card– PIN for authentication– session key established with SPEKE

SPEKE

DH + PIN-based common base DH

– A B: gx mod r– B A: gy mod r– K=gxy mod r

SPEKE: g = f(PIN)

performance

local remoteKerberos 3.33 12.8 sec.SSH 3.43 12.6 sec.

performance timeline

kinit start 0.00send QA 0.03recv QB 2.07recv card ready 3.56recv key num 5.88recv tgt block 1 9.93recv tgt block 2 12.8

EKE comparison

EKE– A B: DES(PIN, PUBKEY)– B A: RSA(PRIVKEY, K)

EKE setup: 4.47 sec (SPEKE: 3.56) ~1.5 sec to manufacture key pair

smartcard integration with kerberos

university of michigan computing environment is protected by kerberos– So are mit, cmu, stanford, cornell, …– product offerings from microsoft, ibm,

oracle ... public key cryptography is not practical

– (yet) kerberos security limitations:

– lacks external encryption device– lacks secure key storage– passwords vulnerable to dictionary attack

smartcards can solve these problems

decrypt

need for encryption device

kerberoskdc

key is exposed to user and workstationworkstation may not be trustedsniffer, trojan horse, virus ...

passwordticket

ticket

need for secure storage

keys stored on hard disk or in memory are vulnerable

hard disks are not secure – adversary with administrative rights can

access keys– data in a hard disk may be backed up in

an unprotected mass storage device memory is not secure

– adversary can scan memory– data in memory can be paged out to a

hard disk

dictionary attack

create a list of english words, names, etc.– Also star wars, german, shakespeare, …– thx1138 is a vulnerable password! :-(

derive keys from the words in the list obtain a <plaintext, ciphertext> pair

– kerberos gives up <plaintext, ciphertext> easily

decrypt ciphertext with the derived key– if plaintext recovered, password is

exposed umich: > 4,000 vulnerable accounts in

1997– 2,400 in 1999

decrypt

countermeasures - use a smartcard

key is not exposed to user, workstation, or network no password

kerberoskdc

ticket

ticket

ticket

decrypt

smartcard kerberos client

key is not exposed to user, workstation, or network no password

kerberoskdc

ticket

ticket

ticket

implementation

starcos v. 2.1 from giesecke & devrient cyberflex access from schlumberger mit kerberos v5-1.0.5 client kerberos server unmodified for global

interoperability … well, almost– ticket length > 200 bytes, requires cbc– des_cbc_crc method uses key as ivec – modify server to permit des_cbc_md5

kinitstart

card reset

enddecryption

kinitend

startdecryption

0 0.16 0.36 1.06 1.09

kerberos+smartcard performance

smartcard time: g&d: 0.9 sec, slb: 2.48 sec communication cost: 0.05 sec, 0.10 sec

with 115 kbps and 56 Kbps javacard performance is ok

time in sec.

g&d

slb 0 0.38 0.74 2.86 2.89

kerberos+smartcard w-i-p

udp/ip implementation store ticket on smartcard pc/sc library for interoperability server ticket generation

– using ibm 4758 secure pci 486

smartcard filesystem (scfs) iso-7816

– standard smartcard interface– message framing protocol (too primitive

to be usable)– many vendor dependencies

smartcard programming toolkits– ibm mfc, microsoft pc/sc, opencard

framework, emv’96, pkcs#11, …– smartcard-specific everything: language,

api, toolkit, library, application, etc. – hassle learning toolkit after toolkit– api dependencies

scfs goals and policies

integrate a smartcard with unix – vfs: unix filesystem api

take advantage of unix environment– allows sophisticated unix commands (cd,

ls, cat ...) and systems calls (open, close, read, write …)

– access through symlinks any iso-7816 smartcard easy integration with applications

– netscape cookies– pgp private keyring– kerberos tickets– ssh private key

application to ssh

citi% mount_scfs /dev/scfs0 /smartcardciti% ln -s ~/.ssh/identity /smartcard/ss/idciti% ssh sin.citi.umich.eduEnter PIN:sin% logout

scfs design

kernel vfs assisted by user process

XFSVFS

application scfsd smartcard

XFS handles application requests scfsd translates requests to ISO-

7816 APDUs No caching

userkernel

scfs performance

scfs overhead under 1ms

scfs problem areas

order of remove directories and metadata

directory entry file

iso-7816 does not have the right metadata– file type, size, age

required for ls, cat Hack: “.i” in every directory

abstraction mismatch

some iso-7816-4 features do not fit the unix filesystem abstraction

creat(), mkdir() need size crypto commands (authentication,

verify key, …) hack: ioctl()

comparing pc/sc and scfs

PC/SC

SCFS: Application not modified

OS

Application

OS

Application

PC/SC: Application modified or created

OS

Application

OS

Application

SCFS

pc/sc and scfs (cont’d) pc/sc supports more cards and readers scfs can take advantage of it work in progress

PC/SC

OS

Application

OS

Application

SCFS

scfs extensions

encrypted file system key per file, derived from

smartcard master key 300 msec. overhead to derive key

– caching keys helps

scfs conclusion

powerful, flexible api overhead is small useful as a low-level development tool

– ls, cd, pwd, emacs, etc. secure storage for user profiles, web

cookies, kerberos tickets, private keys, etc.

secure booting with smartcard

netboot aegis from rom to load an integrity-checked specialized os

os checks macs stored on a smartcard so check the kernel image integrity and boot check integrity of important applications

(kerberos kdc, databases, etc.) with the smartcard

can boot linux, openbsd, win9x, …

secure bootstrap with smartcard

signed executables for software integrity check

hardware-based solutions– secure coprocessor, aegis (from

upenn)– secure, but hard to configure

software-based solutions– tripwire, authenticode– but is os trusted?

code signing with smartcard

use aegis to boot a specialized os (boot os)

store macs in a smartcard check the kernel integrity (second

os) with the smartcard check integrity of important

applications (kerberos kdc, databases, etc.) with the smartcard

secure booting summary

multi-level bootstrap, with assurance at each level

can boot linux, openbsd, win9x

palm pilot hacks

palmreader, software tools smartcard explorer blaze rke cipher

– appropriate cipher for length-preserving file encryption using smartcard

s/key calculator value checker (mcard, visacash,

mondex)– and transfer?

encrypted beam?

projects under incubation extend ip stack

– sun rpc on smartcard (rmi wrapper? shrpc?) ldap server on ip smartcard pki based user authentication ssl between smartcard and web server

(to send data securely), or ssl between client and smartcard web server

cyberflex simera. (ip over sms?) new os for javacard

summary: citi’s focus

secure computing– secure storage– authentication– secure booting– application integration

convenient use of smartcard– operating system extensions– internet access– pda integration

publications N. Itoi and P. Honeyman, “Practical Security

Solutions with Smartcards,” in Proc. 7th IEEE Workshop on Hot Topics in Operating Systems, Rio Rico, AZ (March 1999)

N. Itoi and P. Honeyman, "Smartcard Integration with Kerberos V5," in Proc. USENIX Workshop on Smartcard Technology, Chicago (May 1999)

N. Itoi, P. Honeyman, and J. Rees, "SCFS: A UNIX Filesystem for Smartcards,” in Proc. USENIX Workshop on Smartcard Technology, Chicago (May 1999)

publications N. Itoi, "Secure Coprocessor Integration with

Kerberos V5,” in Proc. USENIX Security'2000, Denver (July 2000).]

N. Itoi, P. Honeyman, and T. Fukuzawa, “Secure Internet Smartcards,” in Proc. Java Card Workshop, Cannes (September 2000).

J. Rees and P. Honeyman, "Webcard: a Java Card web server," in Proc. IFIP CARDIS 2000, Bristol, UK (September 2000)

P. Honeyman, “New I/O Models for Smartcards” (in preparation).

any questions?http://www.citi.umich.edu/