
Smart cards: a fascinating and fruitful adventure

Shared by: Trình Giang | Date: | File type: PPT | Pages: 12


No internal timer, battery. No keyboard, display, network interface. Current generation: μ-processor: 16-bits, 10MHz. RAM: 4K. ROM: 100K for code storage. E2PROM (10^5 updates): 64K for data storage. I/O: serial (9600 bps). Contactless protocols: MiFare, FeliCa, Calypso.


Text content: Smart cards: a fascinating and fruitful adventure

  1. Smart cards: a fascinating and fruitful adventure
     Nguyen Quang Huy, Gemalto Technology & Innovation
  2. Smart cards in our life
     - Secure transaction (banking, pay-TV)
     - Telecom (SIM/USIM/RUIM, M2M, convergence, M-TV, M-banking, M-ticket)
     - Access control (physical and logical resources)
     - E-citizen (e-passport, e-ID, e-Health, e-driving license, ...)
  3. Smart Card HW
     - 25 mm²
     - No internal timer, battery
     - No keyboard, display, network interface
     - Current generation
       - µ-processor: 16-bits,
  4. Smart Card SW
     - Proprietary architecture
       - Undisclosed specification
       - Tedious application development
       - Closed configuration: no application can be added after issuance
     - Open architecture
       - Open specification
       - High-level programming languages
       - Post-issuance applications are available
     - Some open architectures
       - Java Card
       - MULTOS
       - .NET Card
       - Basic Card
  5. Example: Java Card
     - Introduced by Schlumberger in 1996
     - Leading open multi-applicative architecture
     - >5 billion Java-embedded cards issued
     - Applications (applets) developed in Java
     [Figure: Java Card architecture. Labels: JC Firewall, Applet 1, Applet 2, I/O command, Card Manager, API in Java, Native API, Java Card Virtual Machine, Operating System, Integrated Circuit]
  6. Security threats
     - No battery
       - Card tearing (or power failure) may cause inconsistent data
     - No internal timer
       - Logging for post-mortem analysis is not possible
     - No keyboard, display, network device
       - Secure usage environment
         - Payment terminals (POS and ATM): security certification
         - Security of PC and handset: keyboard logger, false display (phishing), etc.
     - Contactless interface
       - Cardholder is not aware of malicious actions
     - Physically owned by attackers
       - Vulnerable to both logical and physical attacks
  7. Attacks
     - Logical attacks: use I/O commands to exploit SW vulnerabilities
       - Buffer overflow, type confusion, covert channels, protocol attacks, etc.
     - Physical attacks: use physical phenomena to exploit SW/HW vulnerabilities
       - Invasive attacks: destructive and require specific logistics
         - HW reverse-engineering; disabling HW security features, etc.
       - Non-invasive attacks: affordable logistics
         - Side-channel: use the emitted signals (power consumption, execution time) to guess the secret (keys, PIN)
           - Execution signature (E2PROM update, DES rounds, etc.) may leak the secret
         - Fault-injection attacks: use physical means (infrared heat, laser, X-ray) to flip some bits in the memory
           - Modify code and runtime control flow, data: the consequence is hardly predictable
     - Combined attacks
  8. Counter-measures and beyond
     - Detection
       - HW: (shield-removal, temperature, frequency, laser, light) sensors
       - SW: checksum, fault-trap
     - Protection
       - HW: memory/bus encryption, redundancy, error-correcting code
       - SW: transaction mechanism (anti-tearing), random noise, protection of control flow
     - Auditing
       - HW: security registers
       - SW: fault-counters, security exception
     - Reaction
       - Muting (infinite loop) and clearing RAM
     No counter-measure is perfect
     Trade-off between security and performance (tender eligibility criterion)
     - Use of mathematical techniques: formal methods
  9. Mathematically proven security assurances
  10. Vietnam: smart card deployment
      - Mobile telecom
        - Low-end cards:
  11. Domestic industry
      - Small market implies small players
      - Few smart card manufacturers
        - MK Technology JSC: 20 million smart cards delivered in 2008
        - Main products: SIM, USIM, RUIM
          - Sale representative of foreign products
        - Domestic share in final products
          - Card personalization for final clients
          - A first Vietnamese smart card OS? MKCos (Sao Khue 2008)
      - Even fewer application developers
        - Vietnamizing imported applications
  12. Joining the adventure
      - Expanding domestic market by SIM-based attractive applications, e.g.,
        - M-payment, online payment
        - Value-added applications on mobile network
        - M-ticket for public transport
      - Making E-Government come true
        - Healthcare card, ID-card, etc.
      - Education/Training
        - More training courses for
          - embedded programming: lucrative outsourcing market
          - security engineering: go beyond anti-virus
        - Support of overseas experts
      - Enterprising
        - Win-win JV with foreign partners to learn technology
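
Slides 6 and 8 pair card tearing (power loss mid-update) with a software transaction mechanism (anti-tearing). The C example below is added here and is not code from the slides or from any card operating system: it keeps two copies of a record in simulated E2PROM and commits by writing the checksum last, so a read after a power cut returns either the old or the new value. The names (`record_commit`, `record_read`, `tear_then_read`, `power_budget`), the toy checksum and the byte-granular tear model are assumptions made for illustration.

```c
/* Added example, not from the slides. Assumption: a tear stops writes at a byte boundary. */
#include <stdint.h>
#include <string.h>
#define VAL_LEN 4
typedef struct { uint8_t val[VAL_LEN], seq, sum; } slot_t;
static slot_t eeprom[2];       /* simulated E2PROM: two copies of one record */
static int power_budget = -1;  /* bytes writable before the tear; -1 = stable power */
/* Byte-wise write that stops for good once the simulated power is gone. */
static void ee_write(uint8_t *dst, const uint8_t *src, size_t n) {
    for (size_t i = 0; i < n && power_budget != 0; i++, power_budget -= (power_budget > 0))
        dst[i] = src[i];
}
static uint8_t checksum(const uint8_t *val, uint8_t seq) {  /* toy 8-bit checksum */
    uint8_t c = 0xA5;
    for (int i = 0; i < VAL_LEN; i++) c = (uint8_t)(((c << 1) | (c >> 7)) ^ val[i]);
    return (uint8_t)(c ^ seq);
}
static int ok(int i) { return eeprom[i].sum == checksum(eeprom[i].val, eeprom[i].seq); }

/* Index of the valid slot with the newest sequence number, or -1 if none. */
static int active_slot(void) {
    if (ok(0) && ok(1)) return (int8_t)(uint8_t)(eeprom[1].seq - eeprom[0].seq) > 0;
    return ok(0) ? 0 : (ok(1) ? 1 : -1);
}

/* Commit into the slot NOT in use: data first, then sequence, checksum last. */
void record_commit(const uint8_t *val) {
    int cur = active_slot();
    slot_t *dst = &eeprom[cur == 0 ? 1 : 0];
    uint8_t seq = (uint8_t)((cur < 0 ? 0 : eeprom[cur].seq) + 1), sum = checksum(val, seq);
    ee_write(dst->val, val, VAL_LEN);
    ee_write(&dst->seq, &seq, 1);
    ee_write(&dst->sum, &sum, 1);
}

int record_read(uint8_t *out) {  /* returns -1 if no valid copy exists */
    int cur = active_slot();
    if (cur >= 0) memcpy(out, eeprom[cur].val, VAL_LEN);
    return cur < 0 ? -1 : 0;
}

/* Commit oldv, tear the commit of newv after `budget` bytes, read back after reset. */
int tear_then_read(int budget, const uint8_t *oldv, const uint8_t *newv, uint8_t *out) {
    memset(eeprom, 0, sizeof eeprom);
    power_budget = -1;     record_commit(oldv);
    power_budget = budget; record_commit(newv);
    power_budget = -1;     /* power restored */
    return record_read(out);
}
```

The active copy is never overwritten, so a torn commit only damages the spare slot. Real E2PROM cells can also be left in an intermediate state mid-byte, which this model does not cover.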