cool smartcard hacks

1
cool smartcard hacks

• peter honeyman
• citiuniversity of michiganann arbor

2
a little bit about citi

• center for information technology integration
• founded in 1986 as part of information technology
  division
  
• now in cio office

3
citi staff

• faculty and staff scientists (3)
• researchers and programmers (3)
• students (13)
• doctoral (4)
• masters (1)
• undergraduate (7)
• high school (1)

4
a little more about citi

• mission advance umich info tech environment,
  transfer results to university, government,
  industry
  
• research and development skunkworks for cio
• externally funded, primarily by short-term
  industry contracts

5
citi core competencies

• middleware
• enterprise-scale info tech integration
• distributed file systems
• integrated security
• mobile and wireless computing

6
major advances of the 20th century

• computing
• transportation
• mobile computing
• newton, pilot
• superslims
• pcs, e.g., nokia, qualcomm, sprint, etc.
• smartcards
• a little computing
• a lotta mobility

7
smartcards are cool because

• they are tamper resistant
• they can do a little crypto
• they have a restricted (albeit bizarre) (yet
  functional) api that can protect secrets
  
• they can store keys
• in fact, they have special key files

8
principal applications

• stored value
• phone cards
• electronic purse
• secure identification
• challenge/response protocols
• gsm phone identity

9
how smartcards are used

• e-purse, e.g., mcard, visacash, mondex
• many spectacular failures
• gsm authentication
• information control
• german healthcard
• closed market applications
• DoD card
• welfare card

10
impediments to use

• infrastructure requirements
• integration with contemporary computing
  environments
  
• especially security middleware

11
outline

• smartcard ip
• kerberos client
• smartcard-based file systems
• secure booting
• palm pilot hacks

12
ip on smartcard

• expand smartcard accessibility to the internet
• network protocols on smartcard
• network service unmodified
• smartcard as a mobile computer
• bring your ip address with you

13
javacard web server

• minimal functional server
• one connection at a time
• minimal state maintenance
• tcp port
• file name
• tcp state

14
platform

• schlumberger cyberflex access
• 16 KB eeprom
• iso 7816 smartcard
• java card 2.0
• 1.2 KB ram

15
http only

• subset of http 1.0 (or higher)
• GET method only

16
tcp only

• three states
• listen, established, finwait1
• actually, tcp state is never used
• no!
• options
• retransmission
• checksum validation
• hosts requirements compliance
• use sequence number as file offset

17
ip only

• no!
• options
• reassembly
• 250 byte mtu

18
tunnel daemon

• near side webcard ip address
• far side iso 7816 framing
• openbsd implementation

19
cardlet details

• 1200 byte codes
• leaves about 13k for content

20
webcard summary

• performance 130 bytes/sec.
• copy content to card with scfs
• open source
• http//smarty.citi.umich.edu

21
secure internet smartcards

• extend webcard to secure ip stack
• personal security assistant
• secure key storage
• personal crypto engine
• internet addressable
• fixed domain name

22
why a smartcard on the internet?

• convenient
• e.g., one office, many computers, one reader
• secure
• smartcard has excellent physical security
• mobile
• you can even sit on it

23
how?

• establish secure, authenticated channel to card
• PIN for authentication
• session key established with SPEKE

24
SPEKE

• DH PIN-based common base
• DH
• A ? B gx mod r
• B ? A gy mod r
• Kgxy mod r
• SPEKE g f(PIN)

25
performance
26
performance timeline
27
EKE comparison

• EKE
• A ? B DES(PIN, PUBKEY)
• B ? A RSA(PRIVKEY, K)
• EKE setup 4.47 sec
• (SPEKE 3.56)
• 1.5 sec to manufacture key pair

28
smartcard integration with kerberos

• university of michigan computing environment is
  protected by kerberos
  
• So are mit, cmu, stanford, cornell,
• product offerings from microsoft, ibm, oracle
  ...
  
• public key cryptography is not practical
• (yet)
• kerberos security limitations
• lacks external encryption device
• lacks secure key storage
• passwords vulnerable to dictionary attack
• smartcards can solve these problems

29
need for encryption device
kerberos kdc
ticket
password

• key is exposed to user and workstation
• workstation may not be trusted
• sniffer, trojan horse, virus ...

30
need for secure storage

• keys stored on hard disk or in memory are
  vulnerable
  
• hard disks are not secure
• adversary with administrative rights can access
  keys
  
• data in a hard disk may be backed up in an
  unprotected mass storage device
  
• memory is not secure
• adversary can scan memory
• data in memory can be paged out to a hard disk

31
dictionary attack

• create a list of english words, names, etc.
• Also star wars, german, shakespeare,
• thx1138 is a vulnerable password! -(
• derive keys from the words in the list
• obtain a pair
• kerberos gives up easily
• decrypt ciphertext with the derived key
• if plaintext recovered, password is exposed
• umich 4,000 vulnerable accounts in 1997
• 2,400 in 1999

32
countermeasures - use a smartcard
kerberos kdc
ticket

• key is not exposed to user, workstation, or
  network
  
• no password

33
smartcard kerberos client
kerberos kdc
ticket

• key is not exposed to user, workstation, or
  network
  
• no password

34
implementation

• starcos v. 2.1 from giesecke devrient
• cyberflex access from schlumberger
• mit kerberos v5-1.0.5 client
• kerberos server unmodified for global
  interoperability well, almost
  
• ticket length 200 bytes, requires cbc
• des_cbc_crc method uses key as ivec
• modify server to permit des_cbc_md5

35
kerberossmartcard performance
enddecryption
kinit start
card reset
kinitend
start decryption
gd
0
0.16
0.36
1.06
1.09
0
0.38
0.74
2.86
2.89
slb
time in sec.

• smartcard time gd 0.9 sec, slb 2.48 sec
• communication cost 0.05 sec, 0.10 sec with 115
  kbps and 56 Kbps
  
• javacard performance is ok

36
kerberossmartcard w-i-p

• udp/ip implementation
• store ticket on smartcard
• pc/sc library for interoperability
• server ticket generation
• using ibm 4758 secure pci 486

37
smartcard filesystem (scfs)

• iso-7816
• standard smartcard interface
• message framing protocol (too primitive to be
  usable)
  
• many vendor dependencies
• smartcard programming toolkits
• ibm mfc, microsoft pc/sc, opencard framework,
  emv96, pkcs11,
  
• smartcard-specific everything language, api,
  toolkit, library, application, etc.
  
• hassle learning toolkit after toolkit
• api dependencies

38
scfs goals and policies

• integrate a smartcard with unix
• vfs unix filesystem api
• take advantage of unix environment
• allows sophisticated unix commands (cd, ls, cat
  ...) and systems calls (open, close, read, write
  )
  
• access through symlinks
• any iso-7816 smartcard
• easy integration with applications
• netscape cookies
• pgp private keyring
• kerberos tickets
• ssh private key

39
application to ssh
citi mount_scfs /dev/scfs0 /smartcard
citi ln -s /.ssh/identity /smartcard/ss/id
citi ssh sin.citi.umich.edu Enter PIN sin log
out
40
scfs design

• kernel vfs assisted by user process

user kernel

• XFS handles application requests
• scfsd translates requests to ISO-7816 APDUs
• No caching

41
scfs performance

• scfs overhead under 1ms

42
scfs problem areas

• order of remove
• directories and metadata

43
directory entry file

• iso-7816 does not have the right metadata
• file type, size, age
• required for ls, cat
• Hack .i in every directory

44
abstraction mismatch

• some iso-7816-4 features do not fit the unix
  filesystem abstraction
  
• creat(), mkdir() need size
• crypto commands (authentication, verify key, )
• hack ioctl()

45
comparing pc/sc and scfs
PC/SC Application modified or created
Application
Application
PC/SC
OS
OS
SCFS Application not modified
Application
Application
OS
OS
SCFS
46
pc/sc and scfs (contd)

• pc/sc supports more cards and readers
• scfs can take advantage of it
• work in progress

Application
Application
OS
OS
SCFS
PC/SC
47
scfs extensions

• encrypted file system
• key per file, derived from smartcard master key
• 300 msec. overhead to derive key
• caching keys helps

48
scfs conclusion

• powerful, flexible api
• overhead is small
• useful as a low-level development tool
• ls, cd, pwd, emacs, etc.
• secure storage for user profiles, web cookies,
  kerberos tickets, private keys, etc.

49
secure booting with smartcard

• netboot aegis from rom to load an
  integrity-checked specialized os
  
• os checks macs stored on a smartcard
• so check the kernel image integrity
• and boot
• check integrity of important applications
  (kerberos kdc, databases, etc.) with the
  smartcard
  
• can boot linux, openbsd, win9x,

50
secure bootstrap with smartcard

• signed executables for software integrity check
• hardware-based solutions
• secure coprocessor, aegis (from upenn)
• secure, but hard to configure
• software-based solutions
• tripwire, authenticode
• but is os trusted?

51
code signing with smartcard

• use aegis to boot a specialized os (boot os)
• store macs in a smartcard
• check the kernel integrity (second os) with the
  smartcard
  
• check integrity of important applications
  (kerberos kdc, databases, etc.) with the smartcard

52
secure booting summary

• multi-level bootstrap, with assurance at each
  level
  
• can boot linux, openbsd, win9x

53
palm pilot hacks

• palmreader, software tools
• smartcard explorer
• blaze rke cipher
• appropriate cipher for length-preserving file
  encryption using smartcard
  
• s/key calculator
• value checker (mcard, visacash, mondex)
• and transfer?
• encrypted beam?

54
projects under incubation

• extend ip stack
• sun rpc on smartcard (rmi wrapper? shrpc?)
• ldap server on ip smartcard
• pki based user authentication
• ssl between smartcard and web server (to send
  data securely), or ssl between client and
  smartcard web server
  
• cyberflex simera. (ip over sms?)
• new os for javacard

55
summary citis focus

• secure computing
• secure storage
• authentication
• secure booting
• application integration
• convenient use of smartcard
• operating system extensions
• internet access
• pda integration

56
publications

• N. Itoi and P. Honeyman, Practical Security
  Solutions with Smartcards, in Proc. 7th IEEE
  Workshop on Hot Topics in Operating Systems, Rio
  Rico, AZ (March 1999)
• N. Itoi and P. Honeyman, "Smartcard Integration
  with Kerberos V5," in Proc. USENIX Workshop on
  Smartcard Technology, Chicago (May 1999)
  
• N. Itoi, P. Honeyman, and J. Rees, "SCFS A UNIX
  Filesystem for Smartcards, in Proc. USENIX
  Workshop on Smartcard Technology, Chicago (May
  1999)

57
publications

• N. Itoi, "Secure Coprocessor Integration with
  Kerberos V5, in Proc. USENIX Security'2000,
  Denver (July 2000).
  
• N. Itoi, P. Honeyman, and T. Fukuzawa, Secure
  Internet Smartcards, in Proc. Java Card
  Workshop, Cannes (September 2000).
  
• J. Rees and P. Honeyman, "Webcard a Java Card
  web server," in Proc. IFIP CARDIS 2000, Bristol,
  UK (September 2000)
  
• P. Honeyman, New I/O Models for Smartcards (in
  preparation).

58
any questions?
http//www.citi.umich.edu/