EPassports EAC Conformity & Interoperability Tests, Prague September 7-12, 2008 When an e-Passport Talks and it Should Not Martin Hlaváč and Tomáš Rosa.


1 ePassports EAC Conformity & Interoperability Tests, Prague, September 7-12, 2008
When an e-Passport Talks and it Should Not
Martin Hlaváč and Tomáš Rosa
Department of Algebra, MFF UK in Prague; PPF banka a.s. and eBanka, a.s.

2 Outline
- e-Passport
- Active Authentication
- Electro-Magnetic Side Channel
- RSA with Chinese Remainder Theorem and Montgomery Exponentiation
- Extracting Private Key
- Conclusion

3 Electronic Passport
- Equipped with a contact-less smartcard chip
- Compatible with ISO 14443 and ISO 7816
- Application code: A0 00 00 02 47 10 01
- Data files
  - DG1 to DG15: related to the travel document (DG1 – copy of machine readable zone (MRZ), DG2 – photo of the face, DG15 – public key for active authentication)
  - EF.COM, EF.SOD, EF.DIR: service data

4 P5CD072

5 Talking with the Passport
[Figure: terminal RFID, passport RFID, internal network, transponder field, terminal field]

6 Security Mechanisms
Required by ICAO
- Passive authentication – digital signature of all data files DG1, …, DG15
Required in EU members
- BAC – basic access control to data files and selected functions (e.g. active authentication)
Optional
- Active authentication – challenge-response authentication of the chip (e.g. used in Czech Republic, not in Germany)

7 Active Authentication I (CZ)
Terminal:
- Generates 8B random number V and sends it to passport
Passport:
- Generates 106B random number U
- Computes w = SHA-1(U || V)
- Sets m = 6A || U || w || BC ($2^{1022} < m < 2^{1024}$)
- Computes $s = m^d \bmod N$, where (N, d) is private RSA key of the passport
- Sends s to terminal

8 Active Authentication II (CZ)
- Message m is chosen jointly by the passport and the terminal, i.e. it cannot be conveniently chosen by either side
- Existing chosen-plaintext attacks cannot be employed

9 FAME-XE Exposure in the Field
Measurements by doc. Lórencz's team, KP FEL ČVUT in Prague, April 2007
[Figure: measurement annotated SMSSSSSMMMM, $s = m^d \bmod N$]

10 Chinese Remainder Theorem (CRT)
private RSA operation $m^d \bmod N$ is computed using CRT as follows
- $s_p = (m_p)^{d_p} \bmod p$
- $s_q = (m_q)^{d_q} \bmod q$
- $s = ((s_q - s_p)\, p_{inv} \bmod q)\, p + s_p$
4x faster than simple exponentiation
use of secret p, q makes CRT more vulnerable
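The Active Authentication exchange of slide 7 with the CRT signing of slide 10, written out for both sides as an added example (not the presenters' code). The public exponent 65537, the freshly generated test key and the function names are assumptions made here; the terminal-side check is reconstructed from the slide's message format.

```python
import hashlib, secrets

E = 65537  # assumed public exponent; the slides do not state it

def is_prime(n, rounds=24):
    """Miller-Rabin probable-prime test for odd candidates n > 3."""
    r, k = n - 1, 0
    while r % 2 == 0:
        r, k = r // 2, k + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, r, n)
        if x in (1, n - 1):
            continue
        for _ in range(k - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def keygen(bits=512):
    """Constructed test key: primes with the top two bits set, so N has 2*bits bits."""
    primes = []
    while len(primes) < 2:
        c = secrets.randbits(bits) | (3 << (bits - 2)) | 1
        if c % E != 1 and c not in primes and is_prime(c):
            primes.append(c)
    p, q = primes
    return p, q, pow(E, -1, (p - 1) * (q - 1))

def passport_sign(V, p, q, d):
    """Passport side: build m = 6A || U || w || BC and sign it with RSA-CRT."""
    U = secrets.token_bytes(106)                 # passport's 106-byte nonce
    w = hashlib.sha1(U + V).digest()             # binds in the terminal's V
    m = int.from_bytes(b"\x6a" + U + w + b"\xbc", "big")
    s_p = pow(m % p, d % (p - 1), p)             # s_p = m_p^dp mod p
    s_q = pow(m % q, d % (q - 1), q)             # s_q = m_q^dq mod q
    # m is returned only so the result can be compared with m^d mod N
    return ((s_q - s_p) * pow(p, -1, q) % q) * p + s_p, m

def terminal_verify(V, s, N):
    """Terminal side: recover m with the public key, re-check the hash over U || V."""
    m = pow(s, E, N).to_bytes(128, "big")
    return (m[0] == 0x6A and m[-1] == 0xBC
            and hashlib.sha1(m[1:107] + V).digest() == m[107:127])
```

Because U comes from the passport and V from the terminal, neither side controls m, which is the property slide 8 relies on.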

11 Montgomery exponentiation

exponentiation
Input: c, p, d $(= (d_{n-1} d_{n-2} \ldots d_1 d_0)_2)$
Output: $x = c^d \bmod p$
    u ← cR mod p
    z ← u
    for i = n-2 to 0
        z ← mont(z, z, p)
        if d_i == 1 then
            z ← mont(z, u, p)
        else
            z' ← mont(z, u, p)
    endfor
    z ← mont(z, 1, p)
    return z

multiplication (mont)
Input: x, y ∈ Z_p
Output: $w = xyR^{-1} \bmod p$
    s ← xy
    t ← s(-p^{-1}) mod R
    g ← s + tp
    w ← g/R
    if w > p then
        w ← w - p   (final substitution)
    return w

- operations mod/div $R = 2^{512}$, i.e. it's fast
- leaks information about secret p in final substitution

12 Amount of Final Substitutions
- we suspect the amount of FS leaks from the passport in EM channel
- More higher-quality measurements are needed to support this hypothesis
- If this hypothesis is correct the Active Authentication can be broken
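The data dependence behind slides 11 and 12, as an added example (not the presenters' code): the slide's mont() with its conditional step counted per message, next to a variant that drops the branch by choosing R > 4p and keeping operands below 2p, a known countermeasure that is not on the slides. The modulus 2**255 - 19, the exponent D and all function names are stand-ins constructed here; "FS" is the step the slides call final substitution, usually known as the final subtraction.

```python
# Added illustration, not the presenters' code. Constructed stand-ins:
# P = 2**255 - 19 (a public prime) replaces the secret 512-bit p; D is arbitrary.
P = 2**255 - 19
D = 0x6A09E667F3BCC908B2FB1366EA957D3E

def mont_fs(x, y, p, R, log):
    """Slide 11 multiplication x*y*R^-1 mod p, logging each conditional step."""
    s = x * y
    t = s * (-pow(p, -1, R) % R) % R   # t = s * (-p^-1) mod R
    w = (s + t * p) // R               # exact division, w < 2p
    if w >= p:                         # data-dependent branch (FS)
        w -= p
        log.append(1)
    return w

def mont_nofs(x, y, p, R, log):
    """Same product with the branch removed; requires R > 4p and x, y < 2p."""
    s = x * y
    t = s * (-pow(p, -1, R) % R) % R
    return (s + t * p) // R            # stays below 2p, log is never touched

def mont_exp(c, d, p, R, mul):
    """Slide 11 exponentiation; returns (c^d mod p, number of FS executed)."""
    log = []
    u = c * R % p                      # u = cR mod p
    z = u
    for bit in bin(d)[3:]:             # bits d_{n-2} .. d_0
        z = mul(z, z, p, R, log)
        t = mul(z, u, p, R, log)       # always computed (dummy when bit is 0)
        if bit == "1":
            z = t
    return mul(z, 1, p, R, log) % p, len(log)

def fs_counts(messages, R=2**256):
    """FS count per message for the slide's variant (R just above p)."""
    return [mont_exp(m, D, P, R, mont_fs)[1] for m in messages]
```

With the same exponent, fs_counts() returns different totals for different messages, while mont_exp(..., 2**258, mont_nofs) always reports zero.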

13 Outline of the attack
- The relationship between the number of FS during the computation $m^c \bmod N$ and the value $m_i R \bmod p$. (Tomoeda, 2006)
- [Diagram: # FS (known), function of p (unknown); lin. algebra; approximations of secret q]
- [Plot: precision in bits vs. # FS]
- Experiments indicate some approximations are good enough. (app. 2%)

14 Key Recovery
- Construct suitable lattice
- Reduce its basis with LLL algorithm
- Hope the hidden number q is revealed
- Experiments: With 150 measurements filtered from app. 7000, the key is recovered in 40 minutes on 2GHz Opteron

15 Conclusion
- EM side channel on e-passport exists
- New cryptanalytic technique using this side information is elaborated
- Higher quality measurements needed
- If our hypothesis is correct, AA can be broken, i.e. e-passport can be duplicated, in order of hours

16 Thank you for your attention …
Tomáš Rosa, eBanka, a.s., Department of Algebra MFF UK, trosa@ebanka.cz
Martin Hlaváč, Department of Algebra MFF UK, PPF banka, a.s., hlavm1am@artax.karlin.mff.cuni.cz

