Keep your enemies close distance bounding against smart card relay attack
Keep your enemies close: distance bounding against smart card relay attack. Saar Drimer and Steven J. Murdoch. Computer Immunity and Information Security. Instructor: Professor 박용수. 2008. 3. 31. 이재준. Paper Information. Title : Keep your enemies close: distance bounding against smart card relay attack. Authors :


Keep your enemies close: distance bounding against smart card relay attack

Saar Drimer and Steven J. Murdoch

Computer Immunity and Information Security

Instructor: Professor 박용수

2008. 3. 31

이재준


Paper Information

Title :

Keep your enemies close: distance bounding against smart card relay attack

Authors :

Saar Drimer and Steven J. Murdoch

Published :

16th USENIX Security Symposium, Boston, MA, USA, 6–10 August 2007


Table of Contents

Relay attacks on card payment

Payment environment

Chip & PIN (EMV) process

The relay attack scenario

Prevent the attack

Distance bounding against smartcard relay attacks

Hancke-Kuhn protocol

Distance bounding process

Requirement

Conclusion


Relay attacks on card payment

  • Payment environment

    Chip & PIN (EMV)

Smartcard-based payment system

Uses the EMV (Europay MasterCard Visa) protocol with the ISO 7816 mechanical / electrical / basic interface.

Has been fully deployed in the UK since 2006, with banks making grand claims of security.

Uses 3DES for Static Data Authentication (SDA); requires a symmetric key shared by bank and card.

Requires a correct 4-digit PIN input for authorizing transactions (both at ATMs and cash registers).


Relay attacks on card payment

  • Payment environment

    A simplified smartcard transaction

[Figure: the cardholder gives the PIN to the merchant's terminal, which talks EMV (ISO 7816) to the card; the cryptogram goes to the bank for on-line authorization and the result comes back]


Relay attacks on card payment

  • Chip & PIN (EMV) process

The terminal sends a random number, known as the challenge.

The customer then enters their PIN into the terminal, and it is sent to the card.

[Figure: cardholder, merchant and bank, with the challenge and the PIN passing to the card]


Relay attacks on card payment

  • Chip & PIN (EMV) process

Challenge and response

The card computes a cryptographic response which incorporates the challenge and whether the PIN was entered correctly.

This response is sent back to the terminal, which then goes on-line and sends the challenge and response to the bank, which will verify them.

The bank can also detect whether an old response is being replayed.

[Figure: cardholder, merchant and bank, with the challenge, PIN and response]


Relay attacks on card payment

  • Some potential scenarios of fraud which Chip & PIN

Without the correct PIN being entered, the card will not produce a correct response.

If an attacker knows the PIN (or persuades the customer to enter it) and gets temporary access to the card, the card will produce a correct response. However, this response cannot be used later.

Without the card, a fraudster who observes the PIN will find it difficult to produce a fake card.

An attacker can use the card and PIN to produce a valid response and use it as though he were the rightful owner, but the account holder will notice the fraudulent transaction and cancel the card.


Relay attacks on card payment

  • The relay attack scenario

What is the relay attack?

A type of attack related to man-in-the-middle and replay attacks.

Challenge-response data is forwarded by an attacker over a substantial distance via radio.

Attacker’s goal

Obtain goods or services by charging an unwitting victim, who thinks he or she is paying for something different, at an attacker-controlled terminal.


Relay attacks on card payment

  • The relay attack scenario

[Figure: Alice, Bob, Carol and Dave]

Alice is the innocent customer and Dave is an honest merchant.

Bob is the attacker; he is now employed as a restaurant waiter.

His accomplice Carol is waiting for Bob’s signal to participate in the attack.


Relay attacks on card payment

  • The relay attack scenario

[Figure: Alice, Bob, Carol and Dave]

Alice is about to pay $20 for a meal in a restaurant.

Carol is notified via a radio link or SMS message to insert her specially modified card into the reader in Dave’s shop.

Carol then gets the PIN from Bob.


Relay attacks on card payment

  • The relay attack scenario

[Figure: Alice, Bob, Carol and Dave]

All communication from the terminal in Dave’s shop will pass through Carol’s card and Bob’s terminal to Alice’s card, and vice versa.

Dave will see that the transaction has succeeded and will hand Carol very expensive goods or services.


Relay attacks on card payment

  • Prevent the attack

Merchants (Dave) can try to identify fake cards by taking them from customers and checking the counterfeit detection features, such as hologram and embossing.

Merchants (Dave) can try to confirm that the account number on the receipt matches the one on the card.

Banks could deploy measures to detect such relay attacks.

Such a measure allows the terminal to measure how far away the genuine card is.

This design is a so-called distance bounding protocol.


Distance bounding against smartcard relay attacks

  • Concept

Speed of light > speed of information

The maximum distance between card and terminal can be calculated.

The terminal measures the time it takes to communicate with the card.

This will require modification to both the cards and terminals.


Distance bounding against smartcard relay attacks

  • Distance bounding process

Dmax = c · td

[Figure: prover and verifier]

- Based on the Hancke-Kuhn protocol

- Distance bounding gives the terminal (verifier) assurance that the card (prover) is within a maximal distance, by repeating multiple single-bit challenge-response exchanges and assuming signals travel at the speed of light.


Distance bounding against smartcard relay attacks

  • Hancke-Kuhn protocol

Prover (RFID token): secret key K, nonce Np, pseudorandom function h

Verifier (RFID reader): secret key K, pseudorandom function h

Verifier: generate nonce Nv; generate random bits C1, …, Ck

Verifier to prover: Nv

Prover to verifier: Np

Prover: calculate h(K, Nv, Np), split the result into R⁰ || R¹ and place into shift registers

Verifier: calculate h(K, Nv, Np), split the result into R⁰ || R¹

Time-critical phase (figure labels: C1 = 0, C2 = 0, Cn = 0)


Distance bounding against smartcard relay attacks

  • Hancke-Kuhn protocol

The power-supply carrier wave emitted by the reader establishes a common time base for synchronizing the pulse communication of both parties.


Distance bounding against smartcard relay attacks

  • Hancke-Kuhn protocol

The token samples its wideband input at time tr after a zero crossing of the carrier wave, to read a challenge bit Ci.

The reader must adjust its transmission delay tt ≈ tr such that its pulse arrives exactly at that time.



Distance bounding against smartcard relay attacks

  • Hancke-Kuhn protocol

The token responds with after short, nearly constant switching delay td


Distance bounding against smartcard relay attacks

  • Hancke-Kuhn protocol

The reader must adjust delay td until it receives the correct response, and can then deduce the distance d = c (ts - tt - td) / 2


Distance bounding against smartcard relay attacks

  • Distance bounding process

[Figure: prover and verifier]

The protocol starts with a mutual exchange of nonces.


Distance bounding against smartcard relay attacks

  • Distance bounding process

[Figure: prover and verifier each hold MACK{Nv,Np}; the prover splits it into shift register 0 and shift register 1; the verifier holds challenge bits and response bits]

MACs are computed under a shared key.

The verifier loads a shift register with random bits.

The prover splits the MAC into two shift registers.


Distance bounding against smartcard relay attacks

  • Distance bounding process

[Figure: prover with MACK{Nv,Np} split into shift register 0 and shift register 1; verifier with challenge bits and response bits; a single-bit challenge and a single-bit response pass between them]

Single-bit challenge-response pairs are exchanged.

The response bit is the next bit from the shift register corresponding to the challenge bit’s content.

The response bit is deleted at the prover and stored at the verifier.


Distance bounding against smartcard relay attacks

  • Distance bounding process

[Figure: prover with MACK{Nv,Np} split into shift register 0 and shift register 1; verifier with challenge bits and response bits; single-bit challenge and response; the verifier verifies and outputs a result]

The verifier checks that the responses are correct and concludes,

based on its timing settings, the maximum distance the prover is away.
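
The exchange on the preceding slides, as an added Python example that is not from the presentation or the paper. HMAC-SHA-256 stands in for MACK{Nv,Np}; the register length n, the bound d_max, the delay t_d, the path length path_m and the added latency extra_delay are assumed, constructed values, and the timing is simulated rather than measured.

```python
import hashlib
import hmac
import secrets

C = 299_792_458.0  # speed of light in m/s

def shift_registers(key, nv, np_, n):
    """Compute MAC_K{Nv, Np} and split it into two n-bit shift registers."""
    mac = hmac.new(key, nv + np_, hashlib.sha256).digest()  # assumed MAC choice
    bits = [(byte >> (7 - k)) & 1 for byte in mac for k in range(8)]
    return bits[:n], bits[n:2 * n]

class Card:
    """Prover: answers challenge bit c with the next bit of register c."""
    def __init__(self, key, n):
        self.key, self.n = key, n

    def start(self, nv):
        np_ = secrets.token_bytes(8)  # prover nonce Np
        self.regs = shift_registers(self.key, nv, np_, self.n)
        self.i = 0
        return np_

    def respond(self, c):
        bit = self.regs[c][self.i]
        self.i += 1
        return bit

def run_terminal(key, card, n=64, d_max=0.5, t_d=5e-9,
                 path_m=0.05, extra_delay=0.0):
    """Verifier. path_m (one-way signal path, metres) and extra_delay (seconds
    of added latency in the channel) are simulation inputs, assumed values.
    Returns (accepted, largest distance estimate in metres)."""
    nv = secrets.token_bytes(8)  # verifier nonce Nv
    np_ = card.start(nv)
    regs = shift_registers(key, nv, np_, n)
    ok, worst = True, 0.0
    for i in range(n):
        c = secrets.randbits(1)  # single-bit challenge
        t_t = 0.0                # time the challenge leaves the terminal
        r = card.respond(c)      # single-bit response
        t_s = t_t + 2 * path_m / C + t_d + extra_delay  # response arrival time
        d = C * (t_s - t_t - t_d) / 2  # d = c (ts - tt - td) / 2
        worst = max(worst, d)
        if r != regs[c][i] or d > d_max:
            ok = False  # wrong bit, or the prover is farther than d_max
    return ok, worst
```

With these values, one microsecond of added latency makes a card that is 5 cm away look roughly 150 m away, so the terminal rejects it even though every response bit is correct.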


Distance bounding against smartcard relay attacks

  • Requirements

Distance bounding support needs to be added to the EMV specs.

Terminals need to operate at higher frequencies, plus shift registers and control circuitry.

Cards need shift registers and control circuitry added, and to be re-issued with public-key.


Conclusion

Developed the first implementation of a distance bounding defence against these relay attacks and showed it to be the most robust solution.

This solution is designed to be appealing for adoption in the next generation of smartcards by tailoring the design to the EMV framework.


Thank you

Question and Answer

