280 likes | 425 Vues
Keep your enemies close distance bounding against smart card relay attack. Saar Drimer and Steven J. Murdoch. 컴퓨터면역 및 정보보안 담당교수님 : 박용수 교수님. 2008. 3. 31 이재준. Paper Information. Title : Keep your enemies close : distance bounding against smart card relay attack Authors :
E N D
Keep your enemies closedistance bounding against smart card relay attack Saar Drimer and Steven J. Murdoch 컴퓨터면역 및 정보보안 담당교수님 : 박용수 교수님 2008. 3. 31 이재준
Paper Information Title : Keep your enemies close :distance bounding against smart card relay attack Authors : Saar Drimer and Steven J. Murdoch Publish : 16 th USENIX Security Symposium Boston MA, USA, 6–10 August 2007
Contents of Table Relay attacks on card payment Payment environment Chip & PIN (EMV) process The relay attack scenario Prevent the attack Distance bounding against smartcard relay attacks Hancke-Kuhn protocol Distance bounding process Requirement Conclusion
Relay attacks on card payment • Payment environment Chip & PIN (EMV) Smartcard-based payment system Uses the EMV (Europay MasterCard Visa) protocol with ISO7816 mechanical / electrical / basic interface. is fully deployed in the UK since 2006, with banks making grand claims of security uses 3DES for Static Data Authentication(SDA); requires a symmetric key shared by bank and card. requires a correct 4 digit PIN input for authorizing transactions (both at ATMs and cash registers)
Relay attacks on card payment • Payment environment A simplified smartcard transaction On-line authorization result Cryptogram bank PIN EMV (ISO 8716) merchant cardholder
Relay attacks on card payment • Chip & PIN (EMV) process challenge PIN bank The terminal sending random number, known as challenge The customer then input their PIN into terminal and send and it sent to the card merchant cardholder
Relay attacks on card payment • Chip & PIN (EMV) process Challenge and response challenge PIN response bank The card computes a cryptographic response which incorporates the challenge, whether the PIN was entered correctly. This response sent back to the terminal which then gose on-line and sends the challenge and response to the bank, who will verify them. and also we can detect whether an old response is being replayed. merchant cardholder
Relay attacks on card payment • Some potential scenarios of fraud which Chip & PIN With out the correct PIN being entered, the card will not be produce correct response. If attacker knows the PIN (or persuades the customer to enter it) and gets temporary access to the card, the will produce collect response. However, this response cannot be used later. With out the card, a fraudster who observe PIN will find it difficult to produce a fake card. PIN Response Attacker can use the card and PIN to produce valid response and use it as thought he is right owner. but the account holder will notice fraudulent transaction and canceling card. PIN
Relay attacks on card payment • The relay attack scenario What is the relay attack? type of attack related to man-in-middle and replay attack. challenge-response data is forwarded by an attacker over a substantial distance via radio. Response Attacker’s goal obtain goods or services by charging an unwitting victim who thinks he or she is paying for something different, at an attacker controlled terminal
Relay attacks on card payment • The relay attack scenario Bob Carol Alice Dave Alice is the innocent customer and Dave is an honest merchant Bob is attacker he is now employed as a restaurant waiter. and his accomplice Carol is waiting for Bob’s signal to participated in attack.
Relay attacks on card payment • The relay attack scenario Bob Carol Alice Dave Alice is about to pay $20 for meal in a restaurant. Carol is notified via a radio link or SMS message to insert her specially modified card into the Dave’s shop’s reader. and then Carol get PIN from Bob.
Relay attacks on card payment • The relay attack scenario Bob Carol Alice Dave All ommunication from the Daves’s shop terminal will be through Carol’s card and Bod’s terminal to Alice’s card, and vice versa. Dave will see that the transaction has succeeded and will hand Carol get very expensive goods or service.
Relay attacks on card payment • Prevent the attack Merchants(Dave) can try to identify fake cards by taking them from customers, checking the counterfeit detection features. such as hologram and embossing. Merchants(Dave) can try to confirm that account number on the receipt matches the one on the card. Banks could deploy measures to detect such relay attacks. This measure will allow terminal to measure how far away the genuine card is. This design so-called distance bounding protocol.
Distance bounding against smartcard relay attacks • Concept Speed of the light > Speed of information The maximum distance between card and terminal can be calculated. The terminal measure the time The terminal measure the time it takes to communication with card. This will modification to both the cards and terminals.
Distance bounding against smartcard relay attacks • Distance bounding process Dmax = c td prover verifier - Based on the Hancke-Kuhn protocol - Distance bouninggives the terminal (verifier) assurance that the card (prover) is within a maximal distance by repeating multi single-bit challenge-response exchanges and assuming signals travel at the speed of light.
Distance bounding against smartcard relay attacks • Hancke-Kuhn protocol Prover ( RFID token ) Secret key K , nonce Np Pseudorandom function h Verifier ( RFID reader ) Secret key K Pseudorandom function h Calaculateh(K,Nv,Np), Split result into Rº||R¹ and Place in to shift registers : Generate nonce Nv Time-critical phase C1 =0 C2 =0 Cn= 0 Nv Generate random bits C1,….,Ck Np Calaculateh(K,Nv,Np), Split result into Rº||R¹ … …
Distance bounding against smartcard relay attacks • Hancke-Kuhn protocol The power-supply carrier wave emitted by reader establishes a common time base for synchronizing the pulse communication of both parties.
Distance bounding against smartcard relay attacks • Hancke-Kuhn protocol The token samples its wideband input at timetr after zero crossing of the carrier wave, to read a challenge bit Ci Reader must adjust its transmission delay tt ≈ tr such that its pulse arrives exactly at that time
Distance bounding against smartcard relay attacks • Hancke-Kuhn protocol The token responds with after short, nearly constant switching delay td
Distance bounding against smartcard relay attacks • Hancke-Kuhn protocol The reader must adjust delay td until it receives the correct response, and can then deduce the distance d=c(ts-tt-td)/2
Distance bounding against smartcard relay attacks • Distance bounding process prover verifier The protocol starts with a mutual exchange of nonces.
Distance bounding against smartcard relay attacks • Distance bounding process MACK {Nv,Np} MACK {Nv,Np} split prover verifier challenge bits shift register 0 MACs are computed under shared key. Verifier loads a shift register with random bits. response bits Shift register 1 prover splits MAC into two shift register.
Distance bounding against smartcard relay attacks • Distance bounding process MACK {Nv,Np} MACK {Nv,Np} split Single-bit challenge Single-bit response prover verifier single-bit challenge-response pairs are exchanged. challenge bits shift register 0 Response bit is the next bit from the shift register corresponding to the challenge bit’s content; response bits shift register 1 Response bit is deleted at prover and stored at verifier.
Distance bounding against smartcard relay attacks • Distance bounding process MACK {Nv,Np} MACK {Nv,Np} split Single-bit challenge Single-bit response prover verifier result verify challenge bits shift register 0 response bits Shift register 1 The verifier checks that the response are correct and concludes, based on its timing settings, the maximum distance the prover is away.
Distance bounding against smartcard relay attacks • Requirements Distance bounding support needs to added to EMV specs. Terminals need to operate at higher frequencies, plus shift register and control circuitry. cards added with shift registers and control re-issued with public-key.
Conclusion Developed the first implementation of distance bounding defence against these relay attack and showed it to be the most robust solution. This solution designed to be appealing for adoption in the next generation of smartcards by tailoring the design to the EMV framework.
Thank you Question and Answer