Keep your enemies close distance bounding against smart card relay attack

1

Keep your enemies closedistance bounding against smart card

relay attack

2008. 3. 31이재준

컴퓨터면역 및 정보보안담당교수님 : 박용수 교수님

Saar Drimer and Steven J. Murdoch

Paper Information

2

Title : Keep your enemies close : distance bounding against smart card relay attack

Authors : Saar Drimer and Steven J. Murdoch Publish : 16 th USENIX Security Symposium Boston MA, USA, 6–10 August 2007

Contents of Table

Relay attacks on card payment Payment environmentChip & PIN (EMV) processThe relay attack scenario Prevent the attack

Distance bounding against smartcard relay attacksHancke-Kuhn protocolDistance bounding processRequirement

Conclusion3

Relay attacks on card payment

4

• Payment environmentChip & PIN (EMV)

is fully deployed in the UK since 2006, with banks making grand claims of security

Uses the EMV (Europay MasterCard Visa) protocol with ISO7816mechanical / electrical / basic interface.

Smartcard-based payment system

requires a correct 4 digit PIN input for authorizing transactions(both at ATMs and cash registers)

uses 3DES for Static Data Authentication(SDA); requires a symmetric key shared by bank and card.


5

• Payment environmentA simplified smartcard transaction

bank

cardholder merchant

EMV(ISO 8716)

PIN

Cryptogram

result

On-line authorization


6

• Chip & PIN (EMV) process

bank

cardholder merchant

challenge

The terminal sending random number, known as challenge

PIN

The customer then input their PIN into terminal and send and it sent to the card


7

• Chip & PIN (EMV) process

bank

cardholder merchant

challenge

PIN

The card computes a cryptographic response which incorporates the challenge, whether the PIN was entered correctly.

response

This response sent back to the terminal which then gose on-line and sends the challenge and response to the bank, who will verify them. and also we can detect whether an old response is being replayed.

Challenge and response


8

• Some potential scenarios of fraud which Chip & PIN

With out the correct PIN being entered, the card will not be produce correct response.

With out the card, a fraudster who observe PIN will find it difficult to produce a fake card.PIN

Attacker can use the card and PIN to produce valid response and use it as thought he is right owner. but the account holder will notice fraudulent transaction and canceling card.

PIN

If attacker knows the PIN (or persuades the customer to enter it) and gets temporary access to the card, the will produce collect response. However, this response cannot be used later.

Response

Response


9

• The relay attack scenario

What is the relay attack?

Attacker’s goal

type of attack related to man-in-middle and replay attack.challenge-response data is forwarded by an attacker over a sub-stantial distance via radio.

obtain goods or services by charging an unwitting victimwho thinks he or she is paying for something differ-

ent, at an attacker controlled terminal


10


AliceDave

Alice is the innocent customer and Dave is an honest merchantBob is attacker he is now employed as a restaurant waiter. and his accomplice Carol is waiting for Bob’s signal to participated in attack.

Bob Carol


11


AliceDave

Alice is about to pay $20 for meal in a restaurant.

Bob Carol

Carol is notified via a radio link or SMS message to insert her specially modified card into the Dave’s shop’s reader. and then Carol get PIN from Bob.


12


AliceDave

All ommunication from the Daves’s shop terminal will be through Carol’s card and Bod’s terminal to Alice’s card, and vice versa.

Bob Carol

Dave will see that the transaction has succeeded and will hand Carol get very expensive goods or service.


13

• Prevent the attack Merchants(Dave) can try to identify fake cards by taking them from customers, checking the counterfeit detection features. such as hologram and embossing.Merchants(Dave) can try to confirm that account number on the receipt matches the one on the card. Banks could deploy measures to detect such relay attacks. This measure will allow terminal to measure how far away the genuine card is. This design so-called distance bounding protocol.

Distance bounding against smartcard relay attacks

14

• Concept

The terminal measure the time it takes to communication with card.

Speed of the light > Speed of informationThe maximum distance between card and terminal can be calculated.

This will modification to both the cards and terminals.

The terminal measure the time


15

• Distance bounding process

verifier prover

- Distance bouning gives the terminal (verifier) assurance that the card (prover) is within a maximal distance by repeating multi single-bit challenge-response exchanges and assuming signals travel at the speed of light.

- Based on the Hancke-Kuhn protocol

Dmax = c td


16

• Hancke-Kuhn protocolVerifier ( RFID reader )

Secret key KPseudorandom function h

Prover ( RFID token )Secret key K , nonce Np

Pseudorandom function hNv

Np

Generate nonce Nv

Calaculate h(K,Nv,Np),Split result into Rº||R¹ andPlace in to shift registers :

Generate random bitsC1,….,Ck

C1 =0

112 CR

C2 =0

122 CR

Cn= 0

112 CR

Calaculate h(K,Nv,Np),Split result into Rº||R¹

… …

Time-critical phase


17

• Hancke-Kuhn protocol

The power-supply carrier wave emitted by reader establishes a com-mon time base for synchronizing the pulse communication of both parties.


18


The token samples its wideband input at time tr

after zero crossing of the carrier wave, to read a challenge bit Ci Reader must adjust its transmission delay tt ≈ tr such that its pulse arrives exactly at that time


19


The token responds with after short, nearly constant switching delay td

iCiR


20


The reader must adjust delay td until it receives the correct re-sponse, and can then deduce the distance d=c(ts-tt-td)/2


21


verifier prover

The protocol starts with a mutual exchange of nonces.


22


verifier prover

MACs are computed under shared key.Verifier loads a shift register with random bits.prover splits MAC into two shift register.

MACK {Nv,Np}

MACK {Nv,Np}

challenge bits

response bits

shift register 0

Shift register 1

split


23


verifier prover

single-bit challenge-response pairs are exchanged.

MACK {Nv,Np}

MACK {Nv,Np}

challenge bits

response bits

shift register 0

shift register 1

splitSingle-bit challenge

Single-bit response

Response bit is the next bit from the shift register corresponding to the challenge bit’s content;

Response bit is deleted at prover and stored at verifier.


24


verifier prover

MACK {Nv,Np}

MACK {Nv,Np}

challenge bits

response bits

shift register 0

Shift register 1

splitSingle-bit challenge

Single-bit response

verifyresult

The verifier checks that the response are correct and concludes, based on its timing settings, the maximum distance the prover is away.


25

• Requirements

Distance bounding support needs to added to EMV specs.

Terminals need to operate at higher frequencies,plus shift register and control circuitry.

cards added with shift registers and controlre-issued with public-key.

Conclusion

26

Developed the first implementation of distance bounding defence against these relay attack and showed it to be the most robust solution.

This solution designed to be appealing for adoption in the next generation of smartcards by tailoring the design to the EMV framework.

Thank you

27

Question and Answer

Documents

Keep your enemies close distance bounding against smart card relay attack