
Smart cards a fascinating and fruitful adventure ppt


Page 1

Smart cards: a fascinating and fruitful adventure

Gemalto Technology & Innovation

Nguyen Quang Huy

Page 2

Smart Cards in our life

• Secure transaction (banking, pay-TV)
• Telecom (SIM/USIM/RUIM, M2M, convergence, M-TV, M-banking, M-ticket)
• Access control (physical and logical resources)
• E-citizen (e-passport, e-ID, e-Health, e-driving license, ...)

Page 3

Smart Card HW

25 mm²

• No internal timer, battery
• No keyboard, display, network interface
• Current generation
  – µ-processor: 16-bit, <=10 MHz
  – RAM: 4K
  – ROM: 100K for code storage
  – E²PROM (10^5 updates): 64K for data storage
  – I/O: serial (9600 bps)
    – Contactless protocols: MiFare, FeliCa, Calypso
• Next generation
  – µ-processor: 32-bit, up to 100 MHz
  – Flash memory: more durable and faster
  – I/O: USB (12 Mbps)
    – Contactless open protocols: NFC, ZigBee

Page 4

Smart Card SW

• Proprietary architecture
  – Undisclosed specification
  – Tedious application development
  – Closed configuration: no application can be added after issuance
• Open architecture
  – Open specification
  – High-level programming languages
  – Post-issuance applications are available
• Some open architectures
  – Java Card
  – MULTOS
  – .NET Card
  – Basic Card

Page 5

Example: Java Card

• >5 billion Java-embedded cards issued

[Figure: Java Card architecture; labels: Integrated Circuit, Operating System, Java Card Virtual Machine, API in Java, Native API, Card Manager, Applet 1, Applet 2, JC Firewall, I/O command]

Page 6

Security threats

• No battery
  – Card tearing (or power failure) may cause inconsistent data
• No internal timer
  – Logging for post-mortem analysis is not possible
• No keyboard, display, network device ⇒ secure usage environment
  – Payment terminals (POS and ATM): security certification
  – Security of PC and handset: keyboard logger, false display (phishing), etc.
• Contactless interface
  – Cardholder is not aware of malicious actions
• Physically owned by attackers
  – Vulnerable to both logical and physical attacks

Page 7

Attacks

• Logical attacks: use I/O commands to exploit SW vulnerabilities
  – buffer overflow, type confusion, covert channels, protocol attacks, etc.
• Physical attacks: use physical phenomena to exploit SW/HW vulnerabilities
  – Invasive attacks: destructive and require specific logistics
    – HW reverse-engineering; disabling HW security features, etc.
  – Non-invasive attacks: affordable logistics
    – Side-channel: use the emitted signals (power consumption, execution time) to guess the secret (keys, PIN)
    – Fault-injection attacks: use physical means (infrared heat, laser, X-ray) to flip some bits in the memory
      – Modify code and runtime control flow, data: the consequence is hard to predict
• Combined attacks

Page 8

Counter-measures and beyond

• Detection
  – HW: (shield-removal, temperature, frequency, laser, light) sensors
  – SW: checksum, fault-trap
• Protection
  – HW: memory/bus encryption, redundancy, error-correcting code
  – SW: transaction mechanism (anti-tearing), random noise, protection of control flow
• Auditing
  – HW: security registers
  – SW: fault-counters, security exception
• Reaction
  – Muting (infinite loop) and clearing RAM

No counter-measure is perfect
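An added example (not part of the original slides) showing how several of the software counter-measures listed above can combine in a PIN check: a fault trap based on redundant computation, a fault counter, a mute-and-clear-RAM reaction, a try counter spent before the comparison so that tearing cannot save it, and a constant-time comparison against the timing side channel. All names (`verify_pin`, `sim_glitch`, `react`) and values are assumptions constructed for illustration; persistent memory is simulated with static variables.

```c
#include <stdint.h>
#include <string.h>

#define PIN_LEN 4
#define OK   0x5AA5u  /* complementary bit patterns: one flipped bit */
#define FAIL 0xA55Au  /* cannot turn FAIL into OK                    */

/* Simulated persistent state (EEPROM on a real card); constructed values. */
static uint8_t stored_pin[PIN_LEN] = {1, 2, 3, 4};
static uint8_t tries_left = 3;    /* PIN try counter */
static uint8_t fault_count = 0;   /* auditing: number of trapped faults */
static int muted = 0;             /* reaction: card stops answering */
static uint8_t session_ram[16];   /* stands in for sensitive RAM */
static uint8_t sim_glitch = 0;    /* hypothetical hook: simulates a flipped bit */

static void react(void) {
    fault_count++;                               /* audit */
    memset(session_ram, 0, sizeof session_ram);  /* clear RAM */
    muted = 1;               /* a real card would enter an infinite loop */
}

/* Constant-time compare: run time does not depend on where bytes differ. */
static uint8_t ct_diff(const uint8_t *a, const uint8_t *b) {
    uint8_t d = 0;
    for (int i = 0; i < PIN_LEN; i++) d |= (uint8_t)(a[i] ^ b[i]);
    return d;
}

uint16_t verify_pin(const uint8_t *candidate) {
    if (muted || tries_left == 0) return FAIL;
    tries_left--;   /* spend the try BEFORE comparing: cutting power during
                       the comparison cannot give the attacker a free guess */
    /* volatile keeps the compiler from merging the redundant results */
    volatile uint8_t d1 = ct_diff(candidate, stored_pin);
    volatile uint8_t d2 = ct_diff(stored_pin, candidate) ^ sim_glitch;
    if (d1 != d2) { react(); return FAIL; }      /* fault trap: results disagree */
    if (d1 == 0) {
        if (d2 != 0) { react(); return FAIL; }   /* re-check after the branch */
        tries_left = 3;                          /* success restores the counter */
        return OK;
    }
    return FAIL;
}
```
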

Page 9

Mathematically proven security assurances

Page 10

Vietnam: smart card deployment

• Mobile telecom
  – Low-end cards: <=64K EEPROM
• Banking
  – Small-scale migrations to EMV standard: VP Bank, VCB, etc.
  – Online banking (secure reader/authentication server): VCB
  – Why are the banks not keen on using smart cards?
    – Cards mainly used for ATM withdrawal: rare (offline) POS payment ⇒ fraud is limited
    – Card holders are usually paying for the fraud!
    – Infrastructure cost for a migration (ATM, POS, servers, etc.)
• E-government

Page 11

Domestic industry

• Small market implies small players
• Few smart card manufacturers
  – MK Technology JSC: 20 million smart cards delivered in 2008
  – Main products: SIM, USIM, RUIM
    – Sales representative of foreign products
  – Domestic share in final products
    – Card personalization for final clients
    – A first Vietnamese smart card OS? MKCos (Sao Khue 2008)
• Even fewer application developers
  – Vietnamizing imported applications

Page 12

Joining the adventure

• Expanding domestic market by SIM-based attractive applications, e.g.,
  – M-payment, online payment
  – Value-added applications on mobile network
  – M-ticket for public transport
• Making E-Government come true
  – Healthcare card, ID-card, etc.
• Education/Training
  – More training courses for
    – embedded programming: lucrative outsourcing market
    – security engineering: go beyond anti-virus
  – Support of overseas experts

Posted: 07/07/2014, 05:20
