Practical Security With Smartcards Peter Honeyman CITI University of Michigan Ann Arbor.

Post on 04-Jan-2016


Practical Security With Smartcards

Peter Honeyman, CITI, University of Michigan, Ann Arbor

Smartcards: a pragmatic approach

Build on what we have
  – Use existing infrastructure (UMCE)
    » UNIX filesystem; mail, web servers
    » Kerberos
    » NT GINA
  – Use open standards (IETF, ISO)
  – Add secure hardware: smartcard
Integrate smartcard with infrastructure
Secrets in a smartcard remain safe even if hardware / software is compromised

Experimental approach

Home-brew software, hardware

Experimental software

screset(fd, atr, ep);
scopen(ttyn, flags, ep);
scfdopen(fd, flags, ep);
scclose(fd);
scread(fd, cla, ins, p1, p2, p3, buf, sw1p, sw2p);
scwrite(fd, cla, ins, p1, p2, p3, buf, sw1p, sw2p);
scgetc(fd, cp, ms);
scputc(fd, ic);
scdsr(fd);
scdtr(fd, cmd);
void scsleep(ms);

Experimental software (cont’d)

Primary targets:
  – OpenBSD
  – Linux
  – AIX
  – NT
  – PalmPilot
  – JavaCard
T=0, T=1

Experimental hardware

Experimental hardware (cont’d)

Experimental Hardware (cont’d)

Smartcard integration with Kerberos

University of Michigan computing environment is protected by Kerberos
  – So are MIT, CMU, Stanford, Cornell, ...
Public key cryptography is not practical
  – (yet)
Kerberos security limitations:
  – Lacks external encryption device
  – Lacks secure key storage
  – Passwords vulnerable to dictionary attack
Smartcards can solve these problems

Need for encryption device

Key is exposed to user and workstation
Workstation may not be trusted
Workstation storage is vulnerable

[Diagram labels: Kerberos KDC, password, ticket, Decrypt]

Need for secure hardware

Keys stored on hard disk or in memory are vulnerable
Hard disks are not secure
  – Adversary with administrative rights can access keys
  – Data in a hard disk may be backed up in an unprotected mass storage device
Memory is not secure
  – Adversary can scan memory
  – Data in memory can be paged out to a hard disk

Dictionary attack

Create a list of English words, names, etc.
  – Also Star Wars, German, Shakespeare, …
  – thx1138 is a vulnerable password! :-(
Derive keys from the words in the list
Obtain a <plaintext, ciphertext> pair
  – Kerberos gives up <plaintext, ciphertext> easily
Decrypt ciphertext with the derived key
  – If plaintext recovered, password is exposed
UMich: > 4,000 vulnerable accounts in 1997

Countermeasures - use a smartcard

Key is not exposed to user, workstation, or network
No password

[Diagram labels: Kerberos KDC, ticket, Decrypt]

Implementation

STARCOS v. 2.1 from Giesecke & Devrient
Modify MIT Kerberos v5-1.0.5 client
Kerberos server unmodified for global interoperability
  – Well, almost …
  – des_cbc_crc method uses key as ivec
  – Modify server to allow des_cbc_md5

Kerberos+smartcard performance

Ticket decrypt time: 1.26 sec.
  – Native STARCOS CBC
  – Two rounds
  – Obviates 27 round host ECB: 2.09 sec
  – Communication cost @ 9600 bps: ~ half

[Timeline figure, time in sec.: kinit start, card reset, start decryption, end decryption, kinit finish; axis marks 0, 0.06, 0.34, 1.32, 1.54]

Kerberos+smartcard conclusion

Practical smartcard authentication method

Addresses major weakness of Kerberos
Fairly fast … room to improve
Future work: store ticket on smartcard

Smartcard filesystem (SCFS)

ISO-7816
  – Standard smartcard interface
  – Primitive message framing protocol
    » Too primitive to be useful
  – Many vendor dependencies
Smartcard programming toolkits
  – IBM MFC, Microsoft PC/SC, OpenCard framework, EMV’96, PKCS#11, JavaCard …
  – Smartcard-specific everything: language, API, toolkit, library, application, etc.
  – Hassle learning toolkit after toolkit
  – API dependencies

SCFS goals and policies

Integrate a smartcard with UNIX
  – VFS: UNIX filesystem API
Take advantage of UNIX environment
  – Allows sophisticated UNIX commands
  – Access through symlinks
Any ISO-7816 smartcard
Easy integration with applications
  – Netscape cookies
  – PGP private keyring
  – Kerberos tickets
  – SSH private key

Application to SSH

citi% mount_scfs /dev/scfs0 /smartcard
citi% ln -s ~/.ssh/identity /smartcard/ss/id
citi% ssh sin.citi.umich.edu
Enter PIN:
sin% logout

SCFS design

Kernel VFS assisted by user process
VFS handles application requests
scfsd translates requests to ISO-7816 APDUs
No caching

[Diagram labels: application, scfsd, smartcard; XFS, VFS; user, kernel]

SCFS implementation

xfs_mount()
  – Send reset to smartcard
  – Choose smartcard type from configuration table based on ATR
  – Mount the scfs filesystem
xfs_read()
  – Translate FID into ISO-7816 name
  – Select the file
  – Send “read” APDU
  – Copy data to user space (uiomove)
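
The xfs_read() steps above (select the file, send the "read" APDU, check the status word) as an added example; it is not code from the slides or from SCFS. mock_apdu() is a hypothetical transport standing in for scread()/scwrite(), and the CLA byte 0x00, the FID 0x7369 and the 300-byte file are constructed; the INS codes and status words are the ISO 7816-4 ones.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed in-memory card: one elementary file (FID 0x7369), 300 bytes. */
static uint8_t card_ef[300];
static int card_selected;

/* Hypothetical transport standing in for the deck's scread()/scwrite():
 * takes a T=0 header (CLA INS P1 P2 P3) and a data buffer, returns SW1SW2. */
static uint16_t mock_apdu(const uint8_t hdr[5], uint8_t *data)
{
    if (hdr[1] == 0xA4) {                        /* SELECT FILE, P3 = Lc */
        card_selected = hdr[4] == 2 && data[0] == 0x73 && data[1] == 0x69;
        return card_selected ? 0x9000 : 0x6A82;  /* 6A82: file not found */
    }
    if (hdr[1] == 0xB0 && card_selected) {       /* READ BINARY, P3 = Le */
        size_t off = ((size_t)hdr[2] << 8) | hdr[3];
        size_t le = hdr[4] ? hdr[4] : 256;       /* P3 == 0 means 256 bytes */
        if (off + le > sizeof card_ef) return 0x6B00;  /* offset out of range */
        memcpy(data, card_ef + off, le);
        return 0x9000;
    }
    return 0x6D00;                               /* INS not supported */
}

/* Read len bytes at offset off from file fid; returns bytes read, or -1. */
long scfs_read_file(uint16_t fid, size_t off, uint8_t *out, size_t len)
{
    uint8_t name[2] = { (uint8_t)(fid >> 8), (uint8_t)fid };
    uint8_t sel[5] = { 0x00, 0xA4, 0x00, 0x00, 2 };  /* CLA 0x00 is assumed */
    size_t done = 0;
    if (mock_apdu(sel, name) != 0x9000) return -1;
    while (done < len) {
        size_t pos = off + done;
        size_t n = len - done > 255 ? 255 : len - done;  /* one APDU per chunk */
        if (pos > 0x7FFF) return -1;             /* P1-P2 carries a 15-bit offset */
        uint8_t rd[5] = { 0x00, 0xB0, (uint8_t)(pos >> 8), (uint8_t)pos, (uint8_t)n };
        if (mock_apdu(rd, out + done) != 0x9000) return -1;  /* fail closed */
        done += n;
    }
    return (long)done;
}

int main(void)
{
    uint8_t buf[300];
    printf("%ld %ld\n", scfs_read_file(0x7369, 0, buf, 300), scfs_read_file(0x1234, 0, buf, 8));
    return 0;
}
```

A read longer than one APDU can carry is split into several READ BINARY commands, and any status word other than 9000 aborts the read, so a short or failed card response is never returned to the caller as file data.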

SCFS performance

Command     total    card     overhead
Read 8      28.9     28.2     0.7
Read 128    190.2    189.4    0.8
Write 8     63.4     62.7     0.7
Write 128   1259.5   1258.9   0.7

all times in ms

[Timeline figure: read() call, start reading smartcard, finish reading smartcard, read() return; spans labelled total, smartcard access, scfs overhead]

SCFS conclusion

Flexible API
Overhead is small
Useful as a low-level development tool
  – ls, cd, pwd, make, etc.
Secure storage for user profiles, web cookies, Kerberos tickets, private keys, etc.
Problems
  – Readdir is broken in ISO-7816
  – Must preconfigure for each card
  – File length is troublesome

Future directions

Smartcard filesystem
  – Complete missing vnodeops
  – Porting to other operating systems
Authentication
  – Secure Kerberos ticket generation
  – Smartcard public key integration
IP for smartcard
  – honey.mcard.umich.edu
  – Secure network storage, service provider