D3.6: Study on ID Documents

Title: CHIP CARD TECHNOLOGIES (SMART CARDS)

Security Aspects

The essential characteristic of a smart card in comparison with other data storage media, such as a magnetic-stripe card, is that it provides a secure environment for data and programs. Thus smart cards are all about security. An essential requirement for this is chip hardware that is tailored and optimised for this purpose, along with suitable cryptographic methods for protecting confidential data. However, security depends on more than just special microcontroller hardware and algorithms implemented in operating system software. To discuss security, the PC is a good starting point to show security or rather the lack of it. When the PC’s first started to emerge back in the 70s, or later when IBM launched the PC in 1983 who conquered the world, the requirement for security was not there. The indifference with respect to security is still reflected in today’s computer architectures (see Fig. 2 left). The software has a hierarchical layer structure and operates above the hardware. This allows a hardware independent interface between the BIOS (basic input/output system) and the Windows/Linux operating system. Therefore the operating system offers the applications a hardware independent interface. Due to this well defined separation between BIOS and the operating system, the hardware as well as the operating system can continuously and independently be upgraded. This was one of the reasons for the fast penetration of the market for todays PCs. In theory any application program should pass all its requests for peripheral services to the Windows/Linux operating system. The BIOS further translates these commands into direct interaction with the hardware devices (input/ouput, disk, memory, etc). However, in practice an application program once executing can totally ignore the Windows/Linux and even BIOS layers and can thus interact with the hardware directly. This is often done to improve the efficiency for applications. As an application is allowed direct access to the BIOS and hardware, including memory which contains all the application data, it is evident that any concept of security is a figment of imagination.

Figure : Architecture of today’s PCs; application data can have direct access to the BIOS or hardware peripherals (left); secure architecture principle in smart cards where the applications must pass through a security kernel to have no direct access to the hardware & peripherals.

In secure systems for example, an authorised user wishes to be assured that only he can read and modify his personal data. In other words, the service provider and the user want controls to prevent unauthorised access to their data. We distinguish between logical access and physical access control. Logical access control concerns with such familiar principles as password checking or the more sophisticated cryptographic mechanisms for authentication. Physical access control relates to the difficulty of a perpetrator physically breaking into a store of data, by for example connecting wires to the disk drive directly and bypassing the rest of the computer completely. The secure architecture (see Fig. 2 right) must thus prevent any application to access hardware peripherals directly (especially memory) or gain any sort of control of the microprocessor. A security kernel prevents applications to take control of the processor in an unrestrained way, enforces the mapping of the data between application and the data stored and provides for each application its own security controls. The security kernel can for example be realised by an interpreter or a virtual machine where all resource requests are checked against a rights matrix.  

An emerging technology for such an interpreter architecture is the Java language defined by SUN microsystems, resulting in the Java Card Platform technology (SUN 2006) for smart cards. Java instructions are translated in a hardware independent bytecode suitable for a virtual Java processor. The Java technology with the necessary Java Virtual Machine and its bytecode interpreter is a natural candidate for the security need of smart cards as its interpreter acts as a security software wall. It is also possible to achieve control mechanisms by security hardware walls in the microprocessor where an application can be constrained from direct accessing secure memory domains using special hardware circuitry. Such software or hardware measures can ensure that an application can only access the date to which it is authorised and in the prescribed way. To preserve security segregation between the various applications, in addition each application implements its own security mechanisms. State-of-the-art cryptographic controlled security mechanisms can be implemented in smart cards, like authentication, data integrity, confidentiality and non-repudiation. It is important to know that all these cryptographic controls involve key attack management which requires the secure distribution of cryptographic keys into various entities and the need for these entities to provide a tamper resistant environment.  

It is naturally practically impossible to configure a complete system, or even a smart card, such that it has a perfect security that is proof against everything and everybody. If the effort expended on the attack is raised to a high enough level, it is possible to gain access to any system or manipulate it. However every potential attacker makes a cost/benefit analysis for himself and his target. The rewards of breaking into a system must be worth the time, money and effort that the potential attacker must expend to attain his objective. The security of a smart card is as strong as the weakest of the following four components:  

1. application 

2. operating system 

3. integrated chip hardware 

4. card body 

The card body can be a simple chip housing or a more complicated body for securing complex multi-chip hardware. In the former case the body is a component which is not only machine readable, but can also be visually checked by humans, in the latter case precautions against physical opening attacks need to be applied. The data and programs in the smart cards are in addition protected by the remaining three components, the integrated chip hardware, the operating system and the application. If any of these components fail, the smart card is no longer secure, as the components are strongly coupled to each other.  

Basically, attacks on smart cards can be divided into three different types of categories: 

• Attacks at the social level are primarily directed against people that work with smart cards. These can be smart card engineers at the various design and production stages. Further on in the life cycle of the card these are card-holders. Social level attacks can only partially be countered by technical measures and must therefore be countered by organisational measures.

• Attacks at the physical level require technical equipment as it is necessary to obtain physical access to the smart card microprocessor hardware. Here we distinguish between attacks during operating (power is applied to the hardware) and attacks during non-operation (no power is applied to the hardware).

• Attacks at the logical level have been reported as the most successful attacks up to now. This category includes classical cryptoanalysis, as well as attacks that exploit known faults in smart card operating systems and Trojan horses in executable code of smart card applications.

Attacking methods and protection measures is like a never ending ping pong game. As soon, or better before new attacking methods are known, new and sophisticated protection measures are introduced. As an example, since researchers published a method to draw conclusions about stored cryptographic keys from observing execution speed (Kocher 1995) of cryptographic algorithms or from observing the dynamic power consumption (Kocher 1998) of the smart card microprocessor, more secure implementations of the encryption/decryption algorithms very fast became state-of-the-art. Smart card attacks at the physical level demand exceptionally high effort and expensive equipment. In the following text some of the numerous countermeasures are mentioned to get an impression of the complexity effort to block attacks:  

• On the card body level at complex multi-chip smart cards, the objective of the first level of protection is to prevent aggressors to open the box and facing working electronics. Different kind of sensors, like current loops and light sensors are placed in the box to detect attacks and thereupon immediately delete the cryptographic keys.  

• On the smart card chip level even more sophisticated countermeasures are necessary: Data buses from the microprocessor to memory sections within the smart card chips are often dynamically scrambled and data transfered on these buses encrypted. Moreover data buses are optically invisible as they are buried in deeper layers of the integrated silicon chip. In addition the busses are covered by metal layers and intrusion sensors.  

• Analysing the electrical potentials on the chip surface while it is operating represents serious threat. With a suitably high scanning resolution, this technique can be used to measure charge potentials on very small regions of the chip crystal. With such information it would be possible to draw conclusions about the contents of the memory while the chip is operating. A very effective countermeasure is to place current-carrying metalisation layers on top of the memory region. If the intruder removes such metalisation layers by chemical etching, the chip will no longer work properly since the layers are not only needed to distribute the power but are also as sensors to detect intruders.  

• A similar attack scenario tries not to read but to alter memory contents of the smart card. EPROM cells can be discharged by exposing them to ultraviolet light or X-rays. By a collimated beam of light or light from a laser, the attack point can be focused on a fine point and thus the contents of an individual memory cell can be altered. Such a theoretical attack could be applied to a random number generator in such a way that no longer random numbers would be generated but instead always generates the same number. If this were possible, authentication on the smart card terminal could be broken by a replay attack using a previously employed number. Countermeasures for such attacks again are light sensors at critical hardware circuitry.  

• Integrated chip are qualified and work properly as long as voltage, frequency and temperature are within the defined specifications. A strategy of an attacker might be to put the smart card chip out of its specifications of correct working in order to provoke uncontrolled program jumps. Such faulty behavior could again be used to determine secret keys. To prevent such attacks, every smart card chip has voltage, frequency and temperature monitors to detect environmental irregularities and to switch off the smart cards immediately.  

Privacy Aspects

As every other technological system used for processing personal data, chip cards and their background system have to adhere to the legal regulations concerning privacy and security. Apart from that, chip cards offer the possibility to store and process personal data in a decentralised way instead of central data bases. Central data bases can be regarded as a major problem for privacy and security which is pointed out in the strategic vision of CEN [CEN 2005]. In this document Amitai Etzioni, head of the US Institute for Communication Policy studies, is quoted: ‘There is always a balance between privacy, security and trust. The more reliable the card is, the more privacy you have, both in the off-line as in the on-line environment. Once the identity is verified, there is no need for alternative searching in databases, archives etc.’ Thus eID cards can reduce privacy threats because of 1) their decentralised concept, 2) the support of user control for all transactions (at least if an interactive action is needed), and 3) the on-card chip which can carry out security checks itself.

One problem – not only valid in the context of chip cards – became explicit when the discussion on privacy requirements for chip cards began: Because of the transparency principle each holder of a chip card should know which data are stored on it and how they are processed. Usually (in naïve implementations) this means that the holders can also show the information stored on the card to other parties. If there are specific information stored, e.g. about the holder’s health, healthy people may use their chip card to get some benefits (e.g. a cheaper insurance or a job). Those who would not prove their good health status via chip card access would suffer from disadvantages. Even if law prohibited to ask people to see data on their chip card (e.g. in a job interview), they could do it voluntarily – and thus set a standard. This is in particular relevant in (less regulated) civil law. Of course a landlord would prefer a person who has provided evidence for good creditworthiness over others who do not give this information. As the health area has to be treated in a very sensitive way, this problem was addressed by the German Data Protection Commissioners in 1995.