L12_Smart cards security prof Hamid.pptx
FutureTechnologies3
9 views
51 slides
Oct 29, 2025
Slide 1 of 51
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
About This Presentation
gh
Slide Content
CPIT- 645 Smart Cards S ecurity 1 E-Security
Outline Introduction History of Smart Cards Applications Problem Statement Multilevel security model for smart card–based applications Smart card encryption algorithms Smart Card Attacks Existing Countermeasures 2
Outline Smart card authentication Schemes open source tools for the development of smart card–based applications. Advantages and disadvantages Open Issues Conclusion References 3
Introduction speedy progress of Interne using the network exposed to security risks Smart cards are widely used in high security applications due to their self-contained nature. online works became an imperative factor of public activity. 4
Introduction 5 Nilson Report, the purchase amount of goods and services by cards is expected to reach $54.891 trillion by the year 2025 The smart card market is expected to register a CAGR of 8% over the forecast period (2020 - 2025) Source: https:// www.mordorintelligence.com /industry-reports/smart-card-market
Introduction 6 Source: https:// www.mordorintelligence.com /industry-reports/smart-card-market
Introduction What is the smart cards? is a physical electronic authorization device. used to control access to a resource. It is typically a plastic credit card-sized with an embedded integrated circuit (IC) chip 7
Introduction What inside a smart card? 8 microprocessor Security logic Serial i/o interface T est logic ROM RAM EEPROM databus H eart of the chip Detect abnormal conditions, e.g. low voltage Contact to the outside world Self test procedures -Card OS -Self test procedures ’scratchpad’ of the processor -Cryptographic keys -PIN code -Biometric template -Application code Connection between elements of chip
Introduction Type of Smart Card 9 - contain only memory chip and have no processing capabilities. -Provides: on-card data processing capabilities. memory allocation. file access. -increased level of processing, encryption speed and flexibility. -contain a Card Operating System: responsible for organizing data into file structures . provides controlled access to EEPROM .
Introduction How it is work 10 APDU APDU R equest information information
History of Smart Cards 11 a patent for the idea of using plastic card with IC 1968 Research and development in the field of smart cards started in early 70’s in Germany, Japan and France. The first patent on smart card concept. 1970 Patent on microprocessor and memory-based smart cards 1976 replaced magnetic stripe cards with smart cards. 1992 published specifications for secure chip technology. 1999 First large-scale (PKI)–based smart card 2008 First biometric Contactless payment card 2018
Applications 12
Problem Statement 13 Increasing use of smart cards in application areas increase number of opportunities for the attackers . Increase in number of card-based transactions increase in card frauds and consequent financial losses
Multilevel security model for smart card 14 Multilevel security model for smart card–based applications
Basic Smart card encryption algorithms Smart cards imply two types of cryptography: Symmetric key cryptography : used for data encryption of smart cards to make the sensitive information secure from any unauthorized access Asymmetric key cryptography : used for authentication purposes 15
Basic Smart card encryption algorithms 16 The encryption techniques in smart card used in : Inside Smart Card Smart card contains sensitive information which needs to protection i.e. encrypted digital certificate, personal information, program code and cryptographic keys Communication with the outside world Smart Card contacts with reader using protocols responsible for the transmission of data between them. The protocols and data need to protection.
Basic Smart card encryption algorithms The encryption techniques in smart card used for : Data Integrity: Digital signatures RSA digital signature algorithm The Digital Signature Algorithm (DSA) The Elliptic Curve Digital Signature Algorithm (ECDSA) Authentication: Public key cryptography Confidentiality: symmetric cryptographic algorithms 17
Basic Smart card encryption algorithms 18 The keys of traditional encryption methods are Not unbreakable . there are many attacks on smart cards researchers are developing more complex methods
Smart Card Attacks 19 - Require the microprocessor to be removed and directly attacked through a physical means. - Reverse engineering : remove the microprocessor chip out of it and find the possible weaknesses in the chip in order to compromise the card's integrity by accessing the stored values. - Micro-probing : places micro-probes needles on the bus lines between the blocks of the chip to monitor the bus signal and extract the sensitive information. - Focused ion beam (FIB) workstation: creating and destroying tracks on the chip's surface to extract the signals . - Disabling the protected Circuitry : use of laser to shoot away the circuit for alarm or the protective circuitry like access control matrices - litigation attack : misuse the legal discovery process for getting the details of the design
Smart Card Attacks 20 - attacker evades the security of the microprocessor without physically modifying the chip. - UV attacks: they erase the fuse selectively by using a microscope and UV laser.. - Backside Imaging : observing the microprocessor chip under a microscope for analysis. It used for masked ROM content extraction - Active photon probing : Similar to ionizing radiations such as X-rays It can be used for hardware scanning attacks in order to locate the critical areas or blocks on the chip. - Fault injection : introducing errors in the cryptographic processing or algorithms to disrupt the normal control flow of the microprocessor chip e.g. reducing the number of rounds in a block chip.
Smart Card Attacks 21 -extracting the key information during the normal processing without physically modifying the card. “side channel attacks” Analysis Attacks : passive attacks, observe behavior of the electronic circuitry during the ongoing transactions. - Timing Analysis: involves measuring the data dependent timing for extract the key information - Power Analysis : monitor the instantaneous power consumption of a microprocessor while executing cryptographic operations. SPA: looking for patterns to determine the location of the functional logic. DPA : is a statistical analysis-based technique to extract the secret information. - Electromagnetic Analysis : measuring the instantaneous electromagnetic emissions using probes while a cryptographic algorithm is under processing Manipulation Attacks: involve modification of parameters of the electronic circuit. - Fault injection: inject faults i.e. by introducing transients into the power supply or clock lines.
Smart Card Attacks 22
Smart Card Attacks 23 manipulate the message during the communication between the smart card and smart card reader to reveal the secret information The commands that are active from the initialization phase may be misused to retrieve confidential data or data modification. attacker scans the command buffer and to analyze the results to determine details of the command in execution and its manipulation A parameter value or length which is not allowed may be misinterpreted instead of being rejected and that is lead to unexpected results the access permissions may sometimes allow more access than needed, i.e. When multiple distinct applications request for the same file access in a single session, hence access permissions may be confused. Smart cards that are designed to support multiple applications are susceptible to malicious and rogue applets such as Trojan applets responsible for performing cryptographic operations. An improper design and implementation can lead to confidentiality breach, replay attacks, relay attacks… It is an inadvertent flaw in the smart card system software because of the inadequate software design to handle exceptional conditions This type of attack can affect financial transactions based on smart cards in which inappropriate balance check can lead to improper balance results
Smart Card Attacks 24 cracking the PIN associated with the card using brute force attacks obtaining and reusing information from past communications by session key disclosure attacks. obtaining access in an unauthorized manner. copying database files containing user passwords or other identifying information. monitoring secret data and PIN that is being transferred during the transactions.
Smart Card Attacks 25
26
Existing Countermeasures 27 make the blocks over the smart card with different size, or hiding the exact functionality of the chip using customized digital to make reverse engineering attack difficult Add an additional metallic layer does not carry any electric signals over the functional layers of the microprocessor chip embedded anomaly detectors within the smart card circuitry to detect the unexpected environmental conditions or abnormal events related to external voltage or clock supply to the smart card and generate alert featured size chips are available that are difficult to be analyzed by standard microscopes due to small size and sophisticated design. deploy a multiple layer structure to bury the sensitive connections like data buses underneath layers containing less sensitive connections.
Existing Countermeasures 28 1- Embedding the fuse within the memory array or placing it near to the memory makes it difficult to locate. This technique can be used against UV attacks 2- Covering the fuses with top metallic layer which is opaque to UV light. To protect against UV attacks 3- Encrypting the memory content would protect the data even when the chip is exposed 4- using Inverted memory cells which relatively less sensitive to UV light. 5- Using Light sensitive detection circuitry to protect against UV attacks.
Existing Countermeasures 29 1- cryptographic algorithm is made to execute in a fixed time whenever it processes some secret information. 2- shifts the execution timing of operations randomly by inserting dummy code or function at any point in the executed cryptographic algorithm. 3- masking of data values stored in the memory with a random value known as mask to protect them from direct inferences. 4- These prevent unwanted modification of the data bits. 5- It involves manipulation of data in randomized fashion so that the attacker would not know what is being manipulated at a given point of time. 6- increasing the time required to attack 7- repeating the execution of algorithms and comparing the results to determine whether they are correct or not. 8- Once the testing is done, it can be removed by cutting it off to prevent attacker from exploiting it to obtain access to control lines and buses.
Existing Countermeasures Cryptographic co-processors can be used to enhance reliability in case of technical problems. Software must be designed by partitioning the functionality into smaller building blocks for easy understanding and testing. Mathematical models like RSA, random oracle model, can provide the security of the functional blocks Finding and fixing the bugs to prevent security vulnerabilities Reusing the already validated software decreases the chances of flaws and makes it easier for implementing the security policies Applications and operating system must be assigned separate memory area So attacks on one cannot affect the functionality of the other. 30
Existing Countermeasures 31
Existing Countermeasures 32
Existing Countermeasures 33
Smart card authentication Schemes 34
Smart card authentication Schemes RSA-based schemes Cryptanalysis and Improvement of an RSA Based Remote User Authentication Scheme Using Smart Card, 2017[1] Initialization Phase: server S selects two large primes p, q and computes n = p * q. chooses a prime e (where 1<e < (p -1)(q -1)) and computes d such that e * d = 1 mod (p -1)(q -1) . chooses one-way hash function f(.) : X Y, where X ={0,1} * , Y={0,1} L The server S publishes e as public key and keeps d as secret key 35
Smart card authentication Schemes Registration Phase 36 It is difficult to know the PW due to invertible of one-way cryptographic hash function. It is not possible to guess secret key in polynomial time.
Smart card authentication Schemes Login Phase 37
Smart card authentication Schemes Authentication Phase 38
Smart card authentication Schemes Elgamal -based schemes A robust ElGamal -based password-authentication protocol using smart card for client-server communication,2017[2] Initialization phase Server selects a generator g of a multiplicative group G of prime order p. S selects a private key x and calculates the corresponding public key as PK = g x mod p . S selects a one-way cryptographic hash function h(·): 0, 1*→ 0, 1 L , Finally, S made the information ⟨p , g, PK , h(·)⟩ public. 39
Smart card authentication Schemes 40 Registration phase L It is infeasible to guess pw and ID at the same time within a polynomial time. impossible to find secret key from L i And B i It is hard to extract h(A i ), A i , ID i and x due to one-way-ness of the hash function
Can not compute r i , D i due to hardness of the Discrete Logarithm Problem (DLP) and because of the unavailability of Ai Can not compute Because of the hardness of the Computational Diffie-Hellman problem. Smart card authentication Schemes 41 Login Phase
Smart card authentication Schemes 42 Authentication Phase cannot retrieve Gi from Ki because of the hardness of the DLP
open source tools for the development of smart card–based applications. 43
Open source tools for the development of smart card–based applications. 44
Open Issues Uniform technological standard Mutual agreement between public and private sector over a common technological standard is required . To promote application development for both consumers and traders. Access control and privacy issues mass usage of smart cards is still facing privacy issues e.g : Multi-application cards. access permissions and exchange of user's private information across an insecure network 45
Open Issues Design challenges Smart cards need power to run the programs or commands. Ensuring low-power design along with resistance to numerous security attacks is challenging. Malware attacks Growing use of smart cards will increase the occurrences of attacks. E.g. Trojan, rootkits, spyware Software and application developers should design mature security schemes. 46
Advantages A chip is tamper resistant information stored on the card can PIN protected and read/ write protected. Capable of performance data encryption Capable of processing information 47
Disadvantages The accuracy of information is small. It gives liability issues if stolen or lost It is potential area for too much data on one card if lost or stolen It is potential area for computer hacker and computer viruses Lack of technology to support user 48
Conclusion Smart card is an excellent technology to secure storage and authentication Smart card technology is emerging, applications everywhere Smart cards enhance service and security Perfect security dose not exist, even not for smart cards A smart world is the future 49
References [ 1] Amin, R., Maitra, T., Giri , D., & Srivastava, P. D. (2017). Cryptanalysis and improvement of an rsa based remote user authentication scheme using smart card. Wireless Personal Communications, 96(3), 4629-4659. [2] AMIN, Ruhul , et al. Cryptanalysis and improvement of an rsa based remote user authentication scheme using smart card. Wireless Personal Communications, 2017, 96.3: 4629-4659. Gupta BB, Quamara M. A taxonomy of various attacks on smart card–based applications and countermeasures. Concurrency Computat Pract Exper . 2018;e4993. https:// doi.org /10.1002/cpe.4993 Kaur, J., Kumar, A., & Bansal, M. (2017, September). Lightweight cipher algorithms for smart cards security: A survey and open challenges. In 2017 4th International Conference on Signal Processing, Computing and Control (ISPCC) (pp. 541-546). IEEE Savari , M., & Montazerolzohour , M. (2012, June). All about encryption in smart card. In Proceedings Title: 2012 International Conference on Cyber Security, Cyber Warfare and Digital Forensic ( CyberSec ) (pp. 54-59). IEEE. https://en.wikipedia.org/wiki/Smart_card https://www.gemalto.com/companyinfo/smart-cards-basics 50
51 Tank you
Tags
Categories
TechnologyDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 9
- Slides 51
- Age 33 days
Related Slideshows
11
8-top-ai-courses-for-customer-support-representatives-in-2025.pptx
JeroenErne2
44 views
10
7-essential-ai-courses-for-call-center-supervisors-in-2025.pptx
JeroenErne2
44 views
13
25-essential-ai-courses-for-user-support-specialists-in-2025.pptx
JeroenErne2
36 views
11
8-essential-ai-courses-for-insurance-customer-service-representatives-in-2025.pptx
JeroenErne2
33 views
21
Know for Certain
DaveSinNM
19 views
17
PPT OPD LES 3ertt4t4tqqqe23e3e3rq2qq232.pptx
novasedanayoga46
23 views