The UICC: Recent Work of ETSI TC Smart Card Platform
-
date post
11-Sep-2014 -
Category
Technology
-
view
1.236 -
download
2
description
Transcript of The UICC: Recent Work of ETSI TC Smart Card Platform
Dr. Klaus VedderChairman ETSI TC SCP
The UICC Recent Work of ETSI TC Smart Card Platform
9th ETSI Security Workshop, Sophia Antipolis, France, 15‐16 January 2014
© ETSI 2014. All rights reserved
ETSI TC Smart Card Platform
Home of the UICCThe most widely deployed secure element ‐ world‐wideThe most widely deployed secure element world wide
26 Years of Dedication and Real‐life ExperienceTC SCP was founded in March 2000 as the successor of SMG9, the people who specified the SIM, the most successful smart card application everthe most successful smart card application ever
The MissionCreate a series of specifications for a smart card platform, based on real‐life requirements, on which other bodies from inside and outside the telecom‐world can base their system specific
li i hi ibili b ll li i id happlications to achieve compatibility between all applications resident on the smart car
The WorkETSI TC SCP has published over fifty specifications on smart cards encompassing for every topic the whole range from requirements via the technical solution to the test specification; topics g q p ; prange from administrative commands to APIs, browsers, Internet connectivity, Machine‐to‐Machine, new interfaces for high speed and the NFC chipset as well as remote managementAll can be downloaded free of charge from the ETSI website
The specifications are application agnostic, p pp gthey are not restricted to the world of telecommunications
They can be used as a (secure) platform for basically any smart card application2
The Smart Card Market
120014806000
7000
8000
53206135
71057595
5350510650 750
880
10501200
3000
4000
5000
M. u
nits 3446
2656
41854520
1050 13902040
2650 3200 3400 40004700 5100 5350
280336
410510
0
1000
2000
3000
M
14691889
0
2004 2005 2006 2007 2008 2009 2010 2011 2012 2013e
Industry & Government Payment Telecommunication
Source: Eurosmart, SIMalliance
Some Numbers
Roughly 33 billion smart cards for use in mobile communications have been delivered to the market in the last ten yearsbeen delivered to the market in the last ten years
This is about 3 times to the moon and backto the moon and back if put next to each other in the ID‐1 format
The numbers are still growing though at a slower ratePayment cards are gaining ground due to issuance of EMV cards in China
d N h A iand North America
About 50% of the Telecom cards delivered over the last years are Java™ ycards
4
SIM Broken ?
1998 C 128 1 (A3/A8) f ll k d1998: Comp 128‐1 (A3/A8) successfully attacked• black box attack against the GSM‐MoU example algorithm
• does not utilise any hardware or software property of the SIMk i j d i h i lf• attack against just one card, not against the system itself
• chosen plaintext‐ciphertext attack • approximately 160.000 ‐ 200.000 very specific challenges were thenrequired to calculate the secret subscription specific key Kirequired to calculate the secret, subscription specific key Ki
• PIN has to be known or PIN‐check disabled
authentication counter with "automatic silencing" of the SIM is no longer a valid countermeasurea valid countermeasure
• only 3.000 to 36.000 challenges to calculate Ki needed now
The answer is: NO
The SIM has successfully stood the test of time5
Bug or Bad Choice ?
“… This talk ends this myth of unbreakable SIM cards … d ill t t th t th d lik th ti tand illustrates that the cards ‐ like any other computing system
– are plagued by implementation and configuration bugs.“
Announcement of a presentation by Karsten Nohl for the Black Hat Conference in Las Vegas end of July 2013 ( bl kh )(www.blackhat.com)
Or as found somewhere else:Or, as found somewhere else:
“Note, in most cases this is not a ‘bug’ causing the problem. , g g pIt is poor security choices being made by network operators.”
6
The Attack – Aim and Risks
The aim is to break the OTA security of the SIM to be able to d l d li i li ti t J SIMdownload malicious applications to a Java SIM
A malicious application can without the user realizing thisA malicious application can, without the user realizing this,• Trace the device and the user• Send SMSs to premium numbers• Divert incoming and outgoing calls• Silently include third parties on a call• Try to exploit a flawed implementation of the security framework of y p p y
the SIM OS and read the authentication key Ki and clone the SIM
Note: after a successful attack remote file management (RFM) is also possibleNote: after a successful attack remote file management (RFM) is also possible
The Attack
The attacker sends a rogue binary SMS to the target phone number saying “here is an OTA application for you” Thenumber saying here is an OTA application for you . The binary SMS includes a signature field, and the attacker doesn’t know the OTA key at this point so the signature will be incorrectincorrect.A UICC may then react in one of four ways:
(a) it may reject the incoming message and not send a response;‐ the recommended way by the 3GPP specification since 2012
(b) it may send an unsigned response saying “your signature was invalid”;(c) it may send what looks like a signed response saying “your signature was invalid”,
but with all‐zeroes in the signature field;(d) it may send a genuinely signed response saying “your signature was invalid”
‐ discarded in the relevant UICC specifications in late 2013.
If the SIM answers according to (d) the attacker can calculateIf the SIM answers according to (d) the attacker can calculate the OTA message authentication key using rainbow tables
The Attack ‐ Prerequisites
The SIM uses Single DES for OTA security ‐h T i l DES fi d Si l DESor has Triple DES configured as Single DES
• Single DES had been deprecated in the relevant ETSI specification in 2008
The SIM responds to a fake download request with a specific e S espo ds to a a e do oad equest t a spec cMAC containing known dataThe network allows the forwarding of binary messages –
bl k d i ( b bl ) know blocked in (probably most) networks• The possession of the card or a (cheap) fake base station will however do
Rainbow tables for the specific MAC are available which can beRainbow tables for the specific MAC are available which can be used to break the key within secondsThe OTA implementation does not use a different key for the
h f h l d h llenciphering of the OTA application or does not encipher it at all
The Extended Attack
At 30C3 (30th Chaos Computer Congress) in December 2013, K t N hl t l (SRL b ) t d fi d i f thKarsten Nohl et al. (SRLabs) presented a refined version of the attack• A PC tool that systematically scans the SIM (connected via a card reader)
for vulnerable addresses of SIM applications (esp. applications for remote management) and weak or even missing values for the security level required for incoming messages
• Find a TAR (Toolkit Application Reference) with an attached MSL (Minimum Security Level) of “0” (i.e., no security required for downloading an application) or with MSL=MAC and try to break the DES key of the MAC (if DES is used)DES is used)
• A false base station will do the trick as well
• The tool is available at https://opensource.srlabs.de/projects/simtester
Th bl l i h k d l d lThey were able to exploit the attack and load a rogue applet onto a 4FF SIM from an iPhone 5s
10
The Road to embedded UICCs
3FF 4FF
The SIM card has evolved to meet market requirementsSt l d i b i i t d t t t bilit l ti
Plug-in MFF2
• Strongly driven by size requirements, and to meet portability regulations• Memory, security and interfaces to meet application requirements
Move to the embedded UICC (specifically the soldered MFF2)• T i d b SIM i t t dd th M2M k t h li it d• Triggered by SIM requirements to address the M2M market such as limited
accessibility, reliability• Delivers benefits in size / space, reduced production cost in all types of devices
An embedded UICC is a “UICC which is not easily accessible or replaceable, is not intended to be removed or replaced in the terminal, and enables the secure changing of subscriptions” (ETSI TS 103 383)
The Road Towards Subscription Management
Some M2M applications require new form factorssuch as MFF2
Provisioning of subscription over-the-air (after production, outside of factory) for M2M is needed y)
New ecosystem with dynamic subscription management(provisioning and changing of subscriptions and profiles)
originates for M2M
originates for M2M
The embedded UICC in 2013
TC SCP accepted the following new specificationf• ETSI TS 103 383: Smart Cards; Embedded UICC; Requirements Specification
• “The present document enables remote management of an embedded UICC (eUICC) for purposes of changing an MNO subscription without requiring a physical removal and replacement of the UICC in the end Device.The present document develops use cases and requirements for the "enhanced, remote management" of a UICC, which is embedded in a communication device, i.e. where the UICC is not intended to be removed. This type of embedded UICC (eUICC) is compatible with Machine‐to‐Machine (M2M) applications. The eUICC may be embedded at the manufacturing site(eUICC) is compatible with Machine to Machine (M2M) applications. The eUICC may be embedded at the manufacturing site in advance, depending on the country and network operator, and is compatible for use in a variety of end‐user equipment. In these scenarios there may be a requirement to remotely change a subscription easily, similar to what is currently achieved byphysically changing the UICC. “
Work is continuing by members of all parties having some interest in the topic– device manufacturers, chipset manufacturers, SIM manufacturers and mobile network operators, p , p
SCP started the following new Work Item• Smart Cards; Embedded UICC; Physical, Logical, and Electrical
CharacteristicsCharacteristics•Definition of the architecture of the eUICC and its relation to the remote profile provisioning/management system; definition of the physical, logical, and electrical characteristics of the eUICC‐Terminal interface according to TS 103 383 requirements; definition of the profile structure; definition of transmission protocols; identification of the eUICC and profiles; definition of robust processes for creating containers, loading, installing, enabling, disabling, and deleting of profiles; definition of a complete security mechanism covering authorisation authentication integrity andprofiles; definition of a complete security mechanism covering authorisation, authentication, integrity and confidentiality of profile management and operations, as well as procedures to protect against spoofing, replay attacks, and profile cloning; definition of the credentials to perform the loading, installation, and management of profiles; definition of the process to manage these credentials in the eUICC; definition of policy enforcement function•An evaluation of existing standardised mechanisms will be performed in order to assess possible re‐use and extension13
Some Work Completed in 2013
Card Application Toolkit Security• Security for encapsulated Card Application Toolkit (CAT)Security for encapsulated Card Application Toolkit (CAT)
• Definition of a mechanism that allows securing of encapsulated CAT commands and envelopes. The mechanism can be used on top of the AT commands defined for CAT over the modem interface.
• Security for CATSecurity for CAT• Definition of a mechanism that allows securing of CAT commands and envelopes. Existing security mechanisms from TS 102 484 are re‐used
Requirements for environmental information to be stored inRequirements for environmental information to be stored in the UICC
Specification of a mechanism that allows the SIM to use the pnetwork based configuration mechanism for DNS servers. This allows better integration of IP SIM based services into the Operator's infrastructure
14
Some Other Work in 2013
Work continued on P2P mode for contactless communicationsEnhancement of test specifications• TC SCP is the only standardisation committee providing test
specifications for (nearly) all its Technical Specifications
Test environment integrity, test case execution• Development of a technical report (TR) that defines how to optimally set
up the test environment to execute test case implementations based onup the test environment to execute test case implementations based on ETSI TC SCP test specifications
UICC Access OptimisationsA l i f i l d h d i f h i f h i l• Analysis of issues related to the reduction of the time for the terminal to access the content on the UICC in order to provide a better user experience
Joint work with GlobalPlatform and the NFC Forum on theJoint work with GlobalPlatform and the NFC Forum on the routing of applications in case of multiple Secure Elements
15
Some New Work Items
UICC Access Optimisation• A l i f i l t d t th d ti f th ti f th t i l t• Analysis of issues related to the reduction of the time for the terminal to access
the content on the UICC in order to provide a better user experience• Background: The UICC is a platform that was designed for multiple application
support. While this platform was often used for a single application in the past, itsupport. While this platform was often used for a single application in the past, it is more and more frequent that multiple applications reside on the UICC (e.g. USIM + ISIM + CSIM). The current work in other Technical Committees and organizations may create even further applications to be hosted on the UICC,
h h M2M S i M d lsuch as the M2M Service Module
Use cases and requirements related to the addition of new contactless features• New usages of the UICC in contactless environment shall be taken into account
by the ETSI specifications. For instance, several types of secure elements may use the HCI as an interface. In order to increase interoperability and avoid proprietary implementations there is a need to standardise interaction betweenproprietary implementations, there is a need to standardise interaction between the UICC and these secure elements through HCI
16
The Future: A Smart and Secure Platform
The scope TC SCP is too narrow to really satisfy today’s i d t i tindustry requirements • The interface of the UICC to the outside world need to take the respective
ecosystems into account as shown by the discussion on the embedded UICC• There are other Secure Elements than the UICC in (mobile) devicesThere are other Secure Elements than the UICC in (mobile) devices• There is a need for harmonization across industry sectors to gain scale effects to
achieve a single platform for the various applications
What we aim for: delivery of a smart and secure platformWhat we aim for: delivery of a smart and secure platform• A generic platform for securely managing identities, authentication and
authorization, based on the consolidated requirements of multiple industries• Not only a smart and secure element but also the necessary entities in the
surrounding system (for e.g. issuance, activation, remote application management)
• Common understanding of the security requirements and security levels used by each partyeach party
• Best in class interoperability
17
Shaping the Future of Smart Security Together
An ETSI framework where all sectors can express/develop their requirements with a level playing field for alltheir requirements with a level playing field for all
Banking and Financial Mobile Telecoms Government &
Id tit
Transportation and Access
Machine‐Type Communications
Key Players Key Players Key Players Key Players Key Players
Services Identity Control (M2M)
Use Cases
RequirementsSet #1
Use Cases
RequirementsSet #2
Use Cases
RequirementsSet #3
Use Cases
RequirementsSet #4
Use Cases
RequirementsSet #5
Aggregation of: Sectors RequirementsGeneric Needs
18
Common decision regarding the setup of future activities
Work on technical specifications and compliance aspects
Dr Klaus VedderDr. Klaus Vedder
Group Senior Vice PresidentGiesecke & Devrient GmbHPrinzregentenstr. 15981607 MunichGGermany
Next SCP Plenary Meeting12-14 February at12-14 February at
ETSIsee: www.etsi.org
TC SCP Working Structure
SCP• Final acceptance of Work Items to be progressed by Working GroupsFinal acceptance of Work Items to be progressed by Working Groups• Acceptance for publication of all Technical Specifications and Technical Reports
as well as Change Requests to published documents• Input to its work is received from ETSI members such as TC M2M as well as
f f3GPP, 3GPP2, GlobalPlatform, GSM Association, Global Certification Forum (GCF), NFC Forum, OMA, …
SCP REQQ• Working Group SCP REQ is responsible for developing the requirements for the
Smart Card PlatformSCP TEC• Working Group SCP TEC is responsible for the technical realisation of the
requirements developed by SCP REQ and accepted by SCPSCP TEST• W ki G SCP TEST i ibl f th d l t f t t• Working Group SCP TEST is responsible for the development of test
specifications for deliverables produced by SCP TEC and accepted by SCP20
Structure and Officials
SCP PlenaryyChair: Klaus Vedder, G&DVice Chair: Heiko Kruse, MorphoVice Chair: Denis Praca, Gemalto
SCP Requirement WG SCP Technical WGChair: Davide Pratone, Telecom Italia
Vice Chair: Heiko Kruse, MorphoVice Chair: Denis Praca, Gemalto
Chair: Paul Jolivet, LGVice Chair: Sebastian Hans, Oracle
SCP Testing WGChair: Andreas Bertling, Comprion
Vice Chair: Christophe Dubois, Gemalto