TTDT - 07 Stored Value Cards
E-Government
Banking
Mass Transit
Public Telephony
Mobile Telecommunications
Retail
W-LAN
Digital Rights Management
Enterprise Security
Access control
SOURCE: JEAN-JACQUES VANDEWALLE
ePayment by Smart Card
Objective: replace cash
Cash is expensive to make and use
Printing, replacement
Anti-counterfeiting measures
Transportation
Security
Cash is inconvenient
not machine-readable
humans carry limited amount
risk of loss, theft
Additional smart card benefits
Smart Cards
Magnetic stripe
3 tracks, ~140 bytes, cost $0.20-0.75
Memory cards
1-4 KB memory, no processor, cost $1.00-2.50
Optical memory cards
4 megabytes read-only (CD-like), $7-12
Microprocessor cards
Embedded microprocessor
SIM card
Crypto card
USB token
[Figure: card cross-section; labels: Microprocessor (upside-down), Epoxy, Card, Contacts (8)]
SOURCE: SMART CARD FORUM
Old (8-bit) Smart Card Architecture
EEPROM: Electrically Erasable Programmable Read-Only Memory
system
Typically varies from 2KB to around 16 KB
Typically 2 - 32 KB
[Figure: records 1, 2, 3, ..., n, followed by the n+1st record]
ACCOUNT NUMBER
4-DIGIT PIN
SECRET BANK KEYS
3DES
ENCRYPTED DATA BLOCK
SELECT 4-6 DIGITS FROM ENCRYPTED DATA BLOCK TO FORM PVV
PIN VERIFICATION VALUE (PVV)
CARD HAS ACCOUNT NUMBER AND PVV
Using the Card
CARD HAS ACCOUNT NUMBER AND PVV
ATM MACHINE READS ACCOUNT NUMBER AND PVV
USER TYPES PIN
MACHINE NOW HAS: ACCOUNT NUMBER, 4-DIGIT PIN, PVV
MACHINE HAS BANK KEYS IN HARDWARE: SECRET BANK KEYS
3DES
ENCRYPTED DATA BLOCK
COMPUTE PVV
COMPARE CARD PVV WITH COMPUTED PVV
PVVs MATCH? USER IS AUTHENTIC
PVVs DIFFERENT? USER IS REJECTED
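The PVV issue-and-verify flow from the two slides above, as an added example that is not part of the original deck. Python's standard library has no 3DES, so HMAC-SHA-256 stands in for the 3DES step. Assumptions: the key, account number, PIN and all function names are constructed for illustration, and the digit-selection rule is assumed because the slides only say that 4-6 digits are selected.

```python
import hashlib
import hmac

# Constructed demo values, not real bank data.
DEMO_KEY = b"constructed-demo-bank-key"
DEMO_ACCOUNT = "0000111122223333"
DEMO_PIN = "4821"
PVV_DIGITS = 4  # the slides say 4-6 digits are selected; 4 is used here


def encrypted_block(bank_key, account, pin):
    """Stand-in for the 3DES step: keyed transform of account number + PIN."""
    msg = f"{account}|{pin}".encode("ascii")
    return hmac.new(bank_key, msg, hashlib.sha256).digest()


def select_digits(block, n=PVV_DIGITS):
    """Keep decimal hex nibbles left to right; if fewer than n are found,
    continue with a-f mapped to 0-5 (assumed selection rule)."""
    nibbles = block.hex()
    digits = [c for c in nibbles if c.isdigit()]
    if len(digits) < n:
        digits += [str(int(c, 16) - 10) for c in nibbles if not c.isdigit()]
    return "".join(digits[:n])


def issue_card(bank_key, account, pin):
    """Bank side: the card carries the account number and PVV, never the PIN."""
    pvv = select_digits(encrypted_block(bank_key, account, pin))
    return {"account": account, "pvv": pvv}


def atm_verify(bank_key, card, typed_pin):
    """ATM side: recompute the PVV from the typed PIN, compare with the card's."""
    computed = select_digits(encrypted_block(bank_key, card["account"], typed_pin))
    return hmac.compare_digest(computed, card["pvv"])


def pins_matching_pvv(bank_key, card):
    """Every 4-digit PIN the ATM would accept for this card. A short PVV is a
    lossy check value, so the list can hold more than the issued PIN."""
    pins = (f"{p:04d}" for p in range(10000))
    return [pin for pin in pins if atm_verify(bank_key, card, pin)]


if __name__ == "__main__":
    card = issue_card(DEMO_KEY, DEMO_ACCOUNT, DEMO_PIN)
    print(card, atm_verify(DEMO_KEY, card, DEMO_PIN))
    print("accepted PINs:", pins_matching_pvv(DEMO_KEY, card))
```

Computing or checking a PVV requires the bank key, which is why the slide places that key in ATM hardware rather than on the card.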
OpenCard Framework (OCF)
CardService Layer (TALKS TO CARD)
CardTerminal Layer (TALKS TO READER)
SOURCE: OPENCARD.ORG
Card Security Threats
Group 1: DIRECT ATTACKS ON CHIP CIRCUITRY
Group 2: INDIRECT ATTACKS ON CHIP CIRCUITRY
Group 3: ATTACKS USING CARDS NOT YET ISSUED, OLD CARDS, CLONES
Group 4: ATTACKS ON CARD'S INTERFACE TO THE OUTSIDE, E.G. PREMATURE REMOVAL
Group 5: ATTACKS ON THE RUN-TIME ENVIRONMENT THROUGH THE CARD ACCEPTANCE DEVICE (CAD)
Group 6: THREATS FROM CARD APPS AND NEED TO SHARE RESOURCES
Group 7: THREATS BASED ON RTE IMPLEMENTATION
[Figure labels: Clone, Past, Current, Future, CAD]
SOURCE: GAMMA
Power and Timing Analysis
[Figure: power consumption plotted against time]
Source: Rankl and Effing, "Handbuch der Chipkarten", 2002
Differential Power Analysis
Send different inputs to the Smart Card to learn details of its encryption key
When a correct key value is tried, the algorithm responds
Incorrect keys have zero average response
[Figure: SMART CARD POWER CONSUMPTION DURING DES ENCRYPTION, showing INITIAL PERMUTATION, 16 DES ROUNDS and FINAL PERMUTATION, with an EXPANDED VIEW OF ROUNDS 2 & 3]
SOURCE: cryptography.com
Reverse engineering
Probing with Needles
Contactless Card
Communicates by radio
Power supplied by reader
Data rate 106 Kb/sec
Read 2.5 ms, write 9 ms
8 Kb EEPROM, unlimited read, 100,000 writes
Effective range: 10 cm, signals encrypted
Lifetime: 2 years (data retention 10 years)
Two-way authentication, nonces, secret keys
Anticollision mechanism for multiple cards
Unique card serial number
SOURCE: GEMPLUS
RFID Tags
IC Chip
Antenna
How RFID Works
Tag enters RF field
RF signal powers tag
Tag transmits ID, plus data
Reader captures data
Reader sends data to computer
Computer determines action
Computer instructs reader
Reader transmits data to tag
[Figure labels: Tag, Antenna, RFID Reader, Computer]
SOURCE: PHILIPS
Euro Banknotes
European Central Bank has announced plans to implant RFID tags in banknotes by 2005
• Uses
– Anti-counterfeiting
Octopus
12 million cards, 15,000 readers
7 million transactions/day
$48M HKD per day
Visacash
ComPass Visa (VME)
Mondex
GSM SIM, ePark
Octopus Card Features
Hong Kong RFID payment card
Operating distance: 15 cm
Bandwidth: 211 Kb/sec
Triple DES in 70 sec
EEPROM 1536 bytes
128-byte data backup area
16-byte manufacturer ID; 16-byte issue ID
Processing time: 50 msec on card, 300 msec overall
Random access and cyclic files
Anti-collision protocol
SOURCE: MITSUBISHI
Octopus Card Security
SOURCE: MITSUBISHI
Octopus
SONY RC-S833
CONTACTLESS SMART CARD
SONY READER/WRITER
I/O SPEED: 211 Kbps
SOURCE: SONY
Octopus Expansion
• Identity card
• Access control
• Hotel room key
• Credit card
• McDonalds
• Mobile phone
• Home readers
CENTRAL CLEARING HOUSE SYSTEM
SERVICE PROVIDER CENTRAL COMPUTER
LOCAL DATA PROCESSOR
SOURCE:
[Figure labels: STATION COMPUTER; CENTRAL CLEARING HOUSE SYSTEM (CCHS); SETTLEMENT; HSBC HEXAGON; OCTOPUS; BANK]
• DISTRIBUTE SOFTWARE
• COLLECT TRANSACTIONS
• PRINT REPORTS
• SEND DATA TO SPCC
• VALIDATE DATA
• NET ACCOUNTING
• MUTUAL AUTHENTICATION
• CHECK BLACKLIST