A Look Into the Benefits and Security Measures of ePassports
ePassports EAC Conformity & Interoperability Tests, Prague, September 7-12, 2008
When an e-Passport Talks and it Should Not
Martin Hlaváč and Tomáš Rosa
Department of Algebra, MFF UK in Prague
PPF banka a.s. and eBanka, a.s.
Outline
e-Passport
Active Authentication
Electro-Magnetic Side Channel
RSA with Chinese Remainder Theorem and Montgomery Exponentiation
Extracting Private Key
Conclusion
Electronic Passport
Equipped with a contact-less smartcard chip
Compatible with ISO 14443 and ISO 7816
Application code: A0 00 00 02 47 10 01
Data files DG1 to DG15: related to the travel document (DG1 – copy of machine readable zone (MRZ), DG2 – photo of the face, DG15 – public key for active authentication)
EF.COM, EF.SOD, EF.DIR: service data
P5CD072
Talking with the Passport
[Figure: terminal RFID and passport RFID; labels: internal network, transponder field, terminal field]
Security Mechanisms
Required by ICAO: Passive authentication – digital signature of all data files DG1, …, DG15
Required in EU members: BAC – basic access control to data files and selected functions (e.g. active authentication)
Optional: Active authentication – challenge-response authentication of the chip (e.g. used in Czech Republic, not in Germany)
Active Authentication I (CZ)
Terminal:
Generates 8B random number V and sends it to passport
Passport:
Generates 106B random number U
Computes w = SHA-1( U || V )
Sets m = 6A || U || w || BC, ($2^{1022} < m < 2^{1024}$)
Computes $s = m^d \bmod N$, where (N, d) is private RSA key of the passport
Sends s to terminal
Active Authentication II (CZ)
Message m is chosen jointly by the passport and terminal, i.e. it cannot be conveniently chosen by either side
Existing chosen-plaintext attacks cannot be employed
FAME-XE Exposure in the Field
Measurements by doc. Lórencz’s team, KP FEL ČVUT in Prague, April 2007
[Figure: measurement with segments labelled S and M; caption: $s = m^d \bmod N$]
Chinese Remainder Theorem (CRT)
Private RSA operation $m^d \bmod N$ is computed using CRT as follows:
$s_p = (m_p)^{d_p} \bmod p$
$s_q = (m_q)^{d_q} \bmod q$
$s = ((s_q - s_p)\, p_{inv} \bmod q)\, p + s_p$
4x faster than simple exponentiation
Use of secret p, q makes CRT more vulnerable
Montgomery exponentiation
exponentiation
Input: c, p, d $(= (d_{n-1} d_{n-2} \dots d_1 d_0)_2)$
Output: $x = c^d \bmod p$
  u ← cR mod p
  z ← u
  for i = n-2 to 0
    z ← mont(z, z, p)
    if d_i == 1 then
      z ← mont(z, u, p)
    else
      z' ← mont(z, u, p)
  endfor
  z ← mont(z, 1, p)
  return z

multiplication (mont)
Input: x, y ∈ Z_p
Output: $w = xyR^{-1} \bmod p$
  s ← xy
  t ← s(-p^{-1}) mod R
  g ← s + tp
  w ← g/R
  if w > p then
    w ← w – p (final substitution)
  return w

Operations mod/div $R = 2^{512}$, i.e. it’s fast
Leaks information about secret p in final substitution
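Added example (not part of the original slides): a Python model of the two routines above that counts final substitutions (FS) during one exponentiation. The 128-bit odd modulus, the exponent and the test messages are constructed values standing in for the passport's 512-bit secrets; the run shows that the FS count grows with u = cR mod p, which is the dependence on p that the slides say leaks.

```python
# Added illustration with constructed toy parameters; not a real passport key.
R = 1 << 128                     # the slides use R = 2^512; 2^128 keeps this fast
P = (1 << 128) - 159             # odd modulus standing in for the secret prime p
D = 0xC3A5_96F1_7E2B_48D0_9B6C_11F4_A8E3_5D77   # constructed private exponent
NEG_P_INV = pow(-P, -1, R)       # -p^-1 mod R
R_INV = pow(R, -1, P)            # used only to construct test messages


def mont(x, y):
    """Return (x*y*R^-1 mod P, 1 if the final substitution ran else 0)."""
    s = x * y
    t = (s * NEG_P_INV) % R
    w = (s + t * P) // R         # exact: s + t*P is a multiple of R
    if w >= P:                   # data-dependent step observed in the side channel
        return w - P, 1
    return w, 0


def mont_exp(c):
    """Exponentiation from the slide; returns (c^D mod P, number of FS)."""
    u = c * R % P
    z, fs = u, 0
    for i in range(D.bit_length() - 2, -1, -1):
        z, f_sq = mont(z, z)
        prod, f_mul = mont(z, u)  # computed for every bit; dummy when d_i == 0
        fs += f_sq + f_mul
        if (D >> i) & 1:
            z = prod
    z, f_last = mont(z, 1)
    return z, fs + f_last


def mean_fs(percents):
    """Average FS count over messages m with m*R mod P at given percentages of P."""
    counts = []
    for pct in percents:
        u = P * pct // 100
        m = u * R_INV % P        # constructed so that m*R mod P == u
        counts.append(mont_exp(m)[1])
    return sum(counts) / len(counts)


if __name__ == "__main__":
    print("mean #FS, m*R mod p in low 2-21% of p:  ", mean_fs(range(2, 22)))
    print("mean #FS, m*R mod p in high 78-97% of p:", mean_fs(range(78, 98)))
```

An implementation whose multiplication takes the same path for every input would give the same count for both groups.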
Amount of Final Substitutions
We suspect the amount of FS leaks from the passport in the EM channel
More measurements of higher quality are needed to support this hypothesis
If this hypothesis is correct, the Active Authentication can be broken
Outline of the attack
The relationship between the number of FS during the computation mc mod N and the value $m_i R \bmod p$ (Tomoeda, 2006)
[Figure: plot with axes "# FS (known)" and "function of p (unknown)"]
lin. algebra: approximations of secret q
$$m_i q R - k_i N \approx \frac{n_i - n_{\min}}{n_{\max} - n_{\min}}\, N$$
[Figure: plot with axes "precision in bits" and "# FS"; label: app. 2%]
Experiments indicate some approximations are good enough.
Key Recovery
Construct suitable lattice
Reduce its basis with LLL algorithm
Hope the hidden number q is revealed
Experiments: With 150 measurements filtered from app. 7000, the key is recovered in 40 minutes on 2GHz Opteron
Conclusion
EM side channel on e-passport exists
New cryptanalytic technique using this side information is elaborated
Higher quality measurements needed
If our hypothesis is correct, AA can be broken, i.e. e-passport can be duplicated, in order of hours
Thank you for your attention …
Tomáš Rosa, eBanka, a.s., Department of Algebra MFF UK
Martin Hlaváč, Department of Algebra MFF UK, PPF banka