Practical Security With Smartcards

1
Practical Security With Smartcards

• Peter HoneymanCITIUniversity of MichiganAnn
  Arbor

2
Smartcards a pragmatic approach

• Build on what we have
• Use existing infrastructure (UMCE)
• UNIX filesystem mail, web servers
• Kerberos
• NT GINA
• Use open standards (IETF, ISO)
• Add secure hardware smartcard
• Integrate smartcard with infrastructure
• Secrets in a smartcard remain safe even if
  hardware / software is compromised

3
Experimental approach

• Home-brew software, hardware

4
Experimental software

• screset(fd, atr, ep)
• scopen(ttyn, flags, ep)
• scfdopen(fd, flags, ep)
• scclose(fd)
• scread(fd, cla, ins, p1, p2, p3, buf, sw1p,
  sw2p)
• scwrite(fd, cla, ins, p1, p2, p3, buf, sw1p,
  sw2p)
• scgetc(fd, cp, ms)
• scputc(fd, ic)
• scdsr(fd)
• scdtr(fd, cmd)
• void scsleep(ms)

5
Experimental software (contd)

• Primary targets
• OpenBSD
• Linux
• AIX
• NT
• PalmPilot
• JavaCard
• T0, T1

6
Experimental hardware
7
Experimental hardware (contd)
8
Experimental Hardware (contd)
9
Smartcard integration with Kerberos

• University of Michigan computing environment is
  protected by Kerberos
• So are MIT, CMU, Stanford, Cornell, ...
• Public key cryptography is not practical
• (yet)
• Kerberos security limitations
• Lacks external encryption device
• Lacks secure key storage
• Passwords vulnerable to dictionary attack
• Smartcards can solve these problems

10
Need for encryption device
Kerberos KDC
ticket
password

• Key is exposed to user and workstation
• Workstation may not be trusted
• Workstation storage is vulnerable

11
Need for secure hardware

• Keys stored on hard disk or in memory are
  vulnerable
• Hard disks are not secure
• Adversary with administrative rights can access
  keys
• Data in a hard disk may be backed up in an
  unprotected mass storage device
• Memory is not secure
• Adversary can scan memory
• Data in memory can be paged out to a hard disk

12
Dictionary attack

• Create a list of English words, names, etc.
• Also Star Wars, German, Shakespeare,
• thx1138 is a vulnerable password! -(
• Derive keys from the words in the list
• Obtain a ltplaintext, ciphertextgt pair
• Kerberos gives up ltplaintext, ciphertextgt easily
• Decrypt ciphertext with the derived key
• If plaintext recovered, password is exposed
• UMich gt 4,000 vulnerable accounts in 1997

13
Countermeasures - use a smartcard
Kerberos KDC
ticket

• Key is not exposed to user, workstation, or
  network
• No password

14
Implementation

• STARCOS v. 2.1 from Giesecke Devrient
• Modify MIT Kerberos v5-1.0.5 client
• Kerberos server unmodified for global
  interoperability
• Well, almost
• des_cbc_crc method uses key as ivec
• Modify server to allow des_cbc_md5

15
Kerberossmartcard performance
kinit start
card reset
enddecryption
kinitfinish
start decryption
0
0.06
0.34
1.32
1.54
time in sec.

• Ticket decrypt time 1.26 sec.
• Native STARCOS CBC
• Two rounds
• Obviates 27 round host ECB 2.09 sec
• Communication cost _at_ 9600 bps half

16
Kerberossmartcard conclusion

• Practical smartcard authentication method
• Addresses major weakness of Kerberos
• Fairly fast room to improve
• Future work store ticket on smartcard

17
Smartcard filesystem (SCFS)

• ISO-7816
• Standard smartcard interface
• Primitive message framing protocol
• Too primitive to be useful
• Many vendor dependencies
• Smartcard programming toolkits
• IBM MFC, Microsoft PC/SC, OpenCard framework,
  EMV96, PKCS11, JavaCard
• Smartcard-specific everything language, API,
  toolkit, library, application, etc.
• Hassle learning toolkit after toolkit
• API dependencies

18
SCFS goals and policies

• Integrate a smartcard with UNIX
• VFS UNIX filesystem API
• Take advantage of UNIX environment
• Allows sophisticated UNIX commands
• Access through symlinks
• Any ISO-7816 smartcard
• Easy integration with applications
• Netscape cookies
• PGP private keyring
• Kerberos tickets
• SSH private key

19
Application to SSH
citi mount_scfs /dev/scfs0 /smartcard citi ln
-s /.ssh/identity /smartcard/ss/id citi ssh
sin.citi.umich.edu Enter PIN sin logout
20
SCFS design

• Kernel VFS assisted by user process

user kernel

• VFS handles application requests
• scfsd translates requests to ISO-7816 APDUs
• No caching

21
SCFS implementation

• xfs_mount()
• Send reset to smartcard
• Choose smartcard type from configuration table
  based on ATR
• Mount the scfs filesystem
• xfs_read()
• Translate FID into ISO-7816 name
• Select the file
• Send read APDU
• Copy data to user space (uiomove)

22
SCFS performance
total
read() call
finish reading smartcard
read() return
start reading smartcard
smartcard access
scfs overhead
scfs overhead

• Command total card overhead
• Read 8 28.9 28.2 0.7
• Read 128 190.2 189.4 0.8
• Write 8 63.4 62.7 0.7
• Write 128 1259.5 1258.9 0.7
• all times in ms

23
SCFS conclusion

• Flexible API
• Overhead is small
• Useful as a low-level development tool
• ls, cd, pwd, make, etc.
• Secure storage for user profiles, web cookies,
  Kerberos tickets, private keys, etc.
• Problems
• Readdir is broken in ISO-7816
• Must preconfigure for each card
• File length is troublesome

24
Future directions

• Smartcard filesystem
• Complete missing vnodeops
• Porting to other operating systems
• Authentication
• Secure Kerberos ticket generation
• Smartcard public key integration
• IP for smartcard
• honey.mcard.umich.edu
• Secure network storage, service provider