Practical Security With Smartcards

1
Practical Security With Smartcards

• Peter HoneymanCITIUniversity of MichiganAnn
  Arbor

2
Practical Approach

• Build on what we have
• Use existing infrastructure (UMCE)
• UNIX filesystem mail, web servers
• Kerberos
• NT GINA
• Use open standards (IETF, ISO)
• Add secure hardware smartcard
• Integrate smartcard with infrastructure
• Secrets in a smartcard remain safe even if
  hardware / software is compromised

3
Experimental Approach

• Home-brew software, hardware

4
Experimental Software

• int scopen(int ttyn, int flags, int ep)
• int scfdopen(int fd, int flags, int ep)
• int screset(int fd, char atr, int ep)
• int scclose(int fd)
• int scread(int fd, int cla, int ins, int p1, int
  p2, int p3, char buf, int sw1p, int sw2p)
• int scwrite(int fd, int cla, int ins, int p1, int
  p2, int p3, char buf, int sw1p, int sw2p)
• int scdsr(int fd)
• int scdtr(int fd, int cmd)
• int scgetc(int fd, char cp, int ms)
• int scputc(int fd, int ic)
• void scsleep(int ms)

5
Experimental Software (Contd)

• OpenBSD, AIX, NT, PalmPilot are primary targets
• T0, T1

6
Experimental Hardware
7
Experimental Hardware (contd)
8
Experimental Hardware (contd)
9
Smartcard Filesystem (SCFS)

• ISO-7816
• Standard smartcard interface
• Primitive message framing protocol
• Too primitive to be useful
• Many vendor dependencies
• Smartcard programming toolkits
• IBM MFC, Microsoft PC/SC, OpenCard framework,
  EMV96, PKCS11, JavaCard
• Smartcard-specific everything language, API,
  toolkit, library, application, etc.
• Hassle learning toolkit after toolkit
• API dependencies

10
SCFS Goals / Policies

• Integrate a smartcard with UNIX
• VFS UNIX filesystem API
• Take advantage of UNIX environment
• Allows sophisticated UNIX commands
• Access through symlinks
• Any ISO-7816 smartcard
• Easy integration with applications
• Netscape cookies
• PGP private keyring
• Kerberos tickets
• SSH private key

11
SCFS Design

• Kernel VFS assisted by user process

user kernel

• VFS handles application requests
• scfsd translates requests to ISO-7816 APDUs
• No caching

12
SCFS Implementation

• xfs_mount()
• Send reset to smartcard
• Choose smartcard type from configuration table
  based on ATR
• Mount the scfs filesystem
• xfs_read()
• Translate FID into ISO-7816 name
• Select the file
• Send read APDU
• Copy data to user space (uiomove)

13
SCFS Performance
read() call
read() return
start reading smartcard
finish reading smartcard
Total
smartcard access
scfs overhead
scfs overhead

• Command total card overhead
• Read 8 28.9 28.2 0.7
• Read 128 190.2 189.4 0.8
• Write 8 63.4 62.7 0.7
• Write 128 1259.5 1258.9 0.7
• All times in ms

14
SCFS Conclusion

• Flexible API
• Overhead is small
• Useful as a low-level development tool
• ls, cd, pwd, make, etc.
• Secure storage for user profiles, web cookies,
  Kerberos tickets, private keys, etc.
• Problems
• Readdir is broken in ISO-7816
• Must preconfigure for each card
• File length is troublesome

15
Smartcard Integration With Kerberos

• University of Michigan computing environment is
  protected by Kerberos
• So are MIT, CMU, Stanford, Cornell, ...
• Security limitations
• Lacks external encryption device
• Lacks secure key storage
• Passwords are vulnerable to dictionary attack
• Smartcards can solve these problems
• Public key cryptography is not practical
• (yet)

16
Need for Encryption Device
Kerberos KDC
ticket
password

• Key is exposed to user and workstation
• Workstation storage is vulnerable
• Workstation may not be trusted

17
Need for Secure Hardware

• Keys stored on hard disk or in memory
• Hard disks are not secure
• Adversary with administrative rights can access
  keys
• Data in a hard disk may be backed up in an
  unprotected mass storage device
• Memory is not secure -- adversary can scan memory
• Data in memory can be paged out to a hard disk

18
Dictionary Attack

• Create a list of English words, names, etc.
• Also Star Wars, German, Shakespeare,
• thx1138 is a vulnerable password!
• Derive keys from the words in the list
• Obtain a ltplaintext, ciphertextgt pair
• Kerberos gives up ltplaintext, ciphertextgt easily
• Decrypt ciphertext with the derived key
• If plaintext is recovered, the password is
  exposed
• UMich gt 4,000 vulnerable accounts

19
Countermeasures - Use Smartcard
Kerberos KDC
ticket

• Key is not exposed to user, work-station, or
  network
• No password

20
Implementation

• STARCOS v. 2.1 from Giesecke Devrient
• Modify MIT Kerberos v5-1.0.5 client
• Kerberos server unmodified for global
  interoperability
• Well, almost
• des_cbc_crc method uses key as ivec
• Modify server to allow des_cbc_md5

21
Kerberos-smartcard Performance
card reset
kinit start
end decryption
kinit finish
start decryption
0
0.02
0.37
2.46
2.52
time in sec.

• Decryption loop is bottleneck _at_ 2.09 sec
• Plan to improve performance with STARCOSs native
  CBC

22
Kerberos-Smartcard Conclusion

• Practical smartcard authentication method
• Addresses major weakness of Kerberos
• Fairly fast room to improve
• Future work store ticket on smartcard

23
Future Directions

• Smartcard filesystem
• Porting to other operating systems
• Distribution
• Authentication
• Smartcard integration for Kerberos servers
• Smartcard decryption optimization
• IP for smartcard
• honey.mcard.umich.edu
• Secure network storage, service provider

24
CITI/Schlumberger Program in Smartcard Technology

• File system transparency
• Secure cookie storage
• Kerberos authentication
• Internet protocol
• Experimental fault analysis
• JavaCard formal verification
• JavaCard performance analysis
• SEM attack and defense

25
Any Questions?
http//www.citi.umich.edu/