ePassports EAC Conformity & Interoperability Tests, Prague, September 7-12, 2008
When an e-Passport Talks and it Should Not
Martin Hlaváč and Tomáš Rosa
Department of Algebra, MFF UK in Prague; PPF banka a.s. and eBanka, a.s.

Outline
e-Passport
Active Authentication
Electro-Magnetic Side Channel
RSA with Chinese Remainder Theorem and Montgomery Exponentiation
Extracting Private Key
Conclusion

Electronic Passport
Equipped with a contact-less smartcard chip
Compatible with ISO 14443 and ISO 7816
Application code: A0 00 00 02 47 10 01
Data files DG1 to DG15: related to the travel document (DG1 – copy of the machine readable zone (MRZ), DG2 – photo of the face, DG15 – public key for active authentication)
EF.COM, EF.SOD, EF.DIR: service data

P5CD072

Talking with the Passport
(Diagram: terminal with its RFID field; passport with its RFID transponder field; terminal connected to an internal network)

Security Mechanisms
Required by ICAO: Passive authentication – digital signature of all data files DG1, …, DG15
Required in EU members: BAC – basic access control to data files and selected functions (e.g. active authentication)
Optional: Active authentication – challenge-response authentication of the chip (e.g. used in the Czech Republic, not in Germany)

Active Authentication I (CZ)
Terminal: generates an 8B random number V and sends it to the passport
Passport:
  generates a 106B random number U
  computes w = SHA-1(U || V)
  sets m = 6A || U || w || BC (2^1022 < m < 2^1024)
  computes s = m^d mod N, where (N, d) is the private RSA key of the passport
  sends s to the terminal

Active Authentication II (CZ)
Message m is chosen jointly by the passport and the terminal, i.e. it cannot be conveniently chosen by either side
Existing chosen-plaintext attacks cannot be employed

FAME-XE Exposure in the Field
Measurements by doc. Lórencz’s team, KP FEL ČVUT in Prague, April 2007
(Figure: EM trace of s = m^d mod N, annotated with the square/multiply sequence SMSSSSSMMMM)

Chinese Remainder Theorem (CRT)
The private RSA operation m^d mod N is computed using CRT as follows:
  s_p = (m_p)^(d_p) mod p
  s_q = (m_q)^(d_q) mod q
  s = ((s_q - s_p) p_inv mod q) p + s_p
4x faster than simple exponentiation
Use of the secret p, q makes CRT more vulnerable

Montgomery exponentiation
Exponentiation
Input: c, p, d (= (d_{n-1} d_{n-2} … d_1 d_0)_2)
Output: x = c^d mod p
  1. u ← cR mod p
  2. z ← u
  3. for i = n-2 down to 0
  4.   z ← mont(z, z, p)
  5.   if d_i == 1 then
  6.     z ← mont(z, u, p)
  7.   else
  8.     z' ← mont(z, u, p)
  9. endfor
  10. z ← mont(z, 1, p)
  11. return z

Multiplication (mont)
Input: x, y ∈ Z_p
Output: w = x y R^{-1} mod p
  1. s ← xy
  2. t ← s(-p^{-1}) mod R
  3. g ← s + tp
  4. w ← g/R
  5. if w > p then
  6.   w ← w - p (final substitution)
  7. return w

Operations mod/div R = 2^512, i.e. it is fast
Leaks information about the secret p in the final substitution

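An added example (not the authors' code): the two routines from this slide in Python, instrumented to count final substitutions (FS), together with the CRT recombination from the previous slide. The key p = 61, q = 53, d = 2753 and R = 2^8 are toy values constructed for the demo (the slide's R is 2^512); the comparison is written as w >= p, the safe form of the slide's "w > p".

```python
# Added example, not the authors' code: the slide's Montgomery routines
# instrumented to count final substitutions (FS), plus the CRT recombination
# from the previous slide. p, q, d, R below are toy values chosen for the demo.

def mont_mul(x, y, p, R, p_inv_neg):
    """w = x*y*R^-1 mod p (slide: 'mont'); returns (w, 1 if FS happened)."""
    s = x * y
    t = (s * p_inv_neg) % R          # t = s * (-p^-1) mod R
    g = s + t * p                    # g is a multiple of R by construction
    w = g // R                       # exact division, w < 2p
    if w >= p:                       # data-dependent final substitution
        return w - p, 1              # (slide writes 'w > p'; >= is the safe form)
    return w, 0

def mont_exp(c, d, p, R):
    """c^d mod p, square-and-always-multiply as on the slide; returns (x, #FS)."""
    p_inv_neg = (-pow(p, -1, R)) % R
    u = (c * R) % p                  # Montgomery form of c
    z, count = u, 0
    for bit in bin(d)[3:]:           # bits d_{n-2} .. d_0
        z, fs = mont_mul(z, z, p, R, p_inv_neg)
        count += fs
        if bit == "1":
            z, fs = mont_mul(z, u, p, R, p_inv_neg)
        else:                        # dummy multiply, result discarded
            _, fs = mont_mul(z, u, p, R, p_inv_neg)
        count += fs
    z, fs = mont_mul(z, 1, p, R, p_inv_neg)   # leave Montgomery form
    return z, count + fs

def rsa_crt_sign(m, p, q, d, R):
    """s = m^d mod pq via CRT; returns (s, FS count mod p, FS count mod q)."""
    dp, dq = d % (p - 1), d % (q - 1)
    sp, fs_p = mont_exp(m % p, dp, p, R)
    sq, fs_q = mont_exp(m % q, dq, q, R)
    p_inv = pow(p, -1, q)
    s = (((sq - sp) * p_inv) % q) * p + sp
    return s, fs_p, fs_q

# constructed toy key: N = 61*53 = 3233, e = 17, d = 2753, R = 2^8 > p, q
P, Q, D, R = 61, 53, 2753, 1 << 8

if __name__ == "__main__":
    for m in (65, 123, 3000):
        s, fs_p, fs_q = rsa_crt_sign(m, P, Q, D, R)
        assert s == pow(m, D, P * Q)
        print(f"m={m:4d} s={s:4d}  FS mod p: {fs_p}  FS mod q: {fs_q}")
```

The per-message FS counts printed by the demo are the quantity the next slides suspect to be visible in the EM channel; the branch in mont_mul is the only data-dependent step.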
Amount of Final Substitutions
We suspect the amount of FS leaks from the passport in the EM channel
More higher-quality measurements are needed to support this hypothesis
If this hypothesis is correct, the Active Authentication can be broken

Outline of the attack
The relationship between the number of FS during the computation m^c mod N and the value m_i R mod p (Tomoeda, 2006)
(Diagram: # FS (known) → function of p (unknown) → lin. algebra → approximations of secret q; plot of precision in bits against # FS)
Experiments indicate some approximations are good enough (approx. 2%).

Key Recovery
Construct a suitable lattice
Reduce its basis with the LLL algorithm
Hope the hidden number q is revealed
Experiments: with 150 measurements filtered from approx. 7000, the key is recovered in 40 minutes on a 2GHz Opteron

Conclusion
EM side channel on the e-passport exists
A new cryptanalytic technique using this side information is elaborated
Higher quality measurements are needed
If our hypothesis is correct, AA can be broken, i.e. the e-passport can be duplicated, in the order of hours

Thank you for your attention …
Tomáš Rosa, eBanka, a.s.; Department of Algebra, MFF UK, trosa@ebanka.cz
Martin Hlaváč, Department of Algebra, MFF UK; PPF banka, a.s., hlavm1am@artax.karlin.mff.cuni.cz