[TLS] draft-urien-tls-psk-emv
Marsh Ray <marsh@extendedsubset.com> Tue, 30 March 2010 01:34 UTC
Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7E4B53A682E for <tls@core3.amsl.com>; Mon, 29 Mar 2010 18:34:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.68
X-Spam-Level:
X-Spam-Status: No, score=0.68 tagged_above=-999 required=5 tests=[AWL=-0.451, BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XPB2-Xb6UMSK for <tls@core3.amsl.com>; Mon, 29 Mar 2010 18:34:32 -0700 (PDT)
Received: from mho-01-ewr.mailhop.org (mho-01-ewr.mailhop.org [204.13.248.71]) by core3.amsl.com (Postfix) with ESMTP id 260CA3A6774 for <tls@ietf.org>; Mon, 29 Mar 2010 18:34:32 -0700 (PDT)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-01-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1NwQM8-000K2g-4z for tls@ietf.org; Tue, 30 Mar 2010 01:35:00 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id CD6D060B8 for <tls@ietf.org>; Tue, 30 Mar 2010 01:34:58 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX18KyHRmi2pWFRd5n2kQhFwg9HipMcnxEwM=
Message-ID: <4BB15543.1060200@extendedsubset.com>
Date: Mon, 29 Mar 2010 20:34:59 -0500
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100216 Thunderbird/3.0.2
MIME-Version: 1.0
To: "tls@ietf.org" <tls@ietf.org>
X-Enigmail-Version: 1.0.1
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: [TLS] draft-urien-tls-psk-emv
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Mar 2010 01:34:34 -0000
I saw the emails on the Draft Agenda for IETF-77 came across the statment about "In 2009, about 1 billion EMV device were issued". I figured then this proposal could benefit from some review. I haven't heard whatever discussion occurred at IETF-77. ======== EMV Background Disclaimer: I didn't know any about EMV beforehand, but I downloaded some pdfs and stayed up late one night clicking around on the web. EMV provides a framework for developing protocols for card and user authentication, and for authorization of specific transactions, specifically payment systems. The details of the actual protocol deployed depend on the card issuer, although it seems that there is large degree of compatibility in practice and the card itself is able to describe the needs of its issuer. Cards can support multiple "applications". The EMV architecture has three components (from EMV Book 1): 1. A card with a smart chip and electrical contacts. The standards refer to this as an ICC. 2. A terminal: "The device used [] at the point of transaction to perform a financial transaction". This was envisioned to be a device possessed by a merchant with its own display and keypad. This is different than a simple card reader which might adapt the electrical interface to something like USB. 3. A card issuer: This term is not defined, but presumably it's expected to be a financial institution. Operations with a card could be done online (where the terminal has an active connection to the issuer) or offline. User authentication is usually done with a shared secret between the user and the card, with a four-digit PIN deemed good enough for legal purposes. EMV card systems have been subject to a number of attacks over the years. Notably: 1. "Yes-card" skimming >From what I can ascertain on the web, until recently most cards being issued did not have the horsepower to do RSA. As a result, operations relied on a Static Data Authentication (SDA) method based solely on a MAC function involving a shared secret between the card and issuer. Cards are issued with a Signed Static Application Data (SSAD) block, which is not considered secret by the card. In online mode, authentication happens with coordination of the issuer. However, in offline mode, the terminal cannot strongly authenticate the card, user, or the transaction. Brief physical access to a card ("skimming") allows an attacker to produce a clone which doesn't bother to validate the entered PIN ("yes-card"). All cards are required to support SDA at the protocol level, but I don't think it's still accepted universally. Modern cards support RSA and can thus do reasonable authentication offline. Specs call this "Dynamic Data Authentication (DDA)" 2. Optimized to Fail: Card Readers for Online Banking Saar Drimer, Steven J. Murdoch, Ross Anderson http://www.cl.cam.ac.uk/~sjm217/papers/fc09optimised.pdf Lists several vulnerabilities with the "Chip & PIN" brand of EMV under the UK Chip Authentication Programme (CAP). 3. Chip and PIN is Broken Steven J. Murdoch, Saar Drimer, Ross Anderson, Mike Bond http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf The authors demonstrate a mitm attack between the card and terminal which allows bypassing the PIN check even when the terminal is online. ======== Notes on draft-urien-tls-psk-emv This is the version reviewed here: http://tools.ietf.org/html/draft-urien-tls-psk-emv-01 The ID proposes an enhancement to TLS allowing the use of EMV's SDA mode to authenticate TLS connections. -------- Design scope extension The vulnerabilities and limitations found in past and current EMV card deployments suggest that designers of actual systems tend to discount certain modes of attack. For example, like many "closed" systems, there is less defenses against malicious terminal hardware. The presence of 32-bit Unpredictable Numbers, four digit PINS, trivial card cloning, and interface shimming attacks suggests that the system was more designed to defend against a malicious waitperson than it was expected to be resilient against dedicated reverse engineering. It is even less likely that the designers considered the possibility that their proprietary protocol would be used over the public net. The differences between an EMV terminal and an ordinary smart card reader are becoming a bit blurred. EMV terminals were originally expected to be controlled by merchants, then they took the form of pocket-calculator style devices. I don't know if any financial institutions support payment this way, but some popular PC OSes can run the EMV protocol over basic card readers (which have no dedicated keypad or display). For historical comparison, in response to the ease of copying audio CDs, DVDs were introduced with copy protection which relied on secret encryption algorithms and keys stored in hardware. This was broken soon after a software player was made available which could simply be observed in a debugger. This is not to say that repurposing a closed industry-specific protocol could never be made to work, only that it must be done with the greatest of care. All assumptions (often unstated) made in the independent security analyses of each protocol must be revisited, as well as the new considerations (often subtle) raised by the combination of the two protocols. It is not specifically stated in this ID whether or not the 'terminal' role as defined in EVP is intended to be implemented on specialized hardware, in software on the PC, or even on the web server. This is essential to define in order to discuss the security of an EVP protocol. The Introduction (section 1 of the ID) implies that the purpose of this proposal is user authentication, but there is no mention of where a PIN would be entered. Because EMV systems typically authenticate the user to the card using a PIN, it is essential to discuss this process. Section 1.3 says "The user is equipped with an EMV chip and a smart card reader." Using a simple card reader may violate common design assumptions of EMV systems which expect the merchant to ensure physical security of the terminal. -------- Non-public data transmitted in the clear The ID specifies that the psk-identity value be sent in the ClientKeyExchange (CKE) message. CKE is sent before ChangeCipherSpec (CCS), and thus in-the-clear for an initial handshake. Multiple data items are concatenated to form psk-identity, three of which are read directly from the card. * Card Risk Management Data Object List 1 (CDOL1) This is the list of data elements (but not the values themselves) that the card is programmed to require for initiating a transaction. There's probably nothing super-secret in this field, but it could also uniquely identify the issuer. It could represent an information leak that tells the passive eavesdropper that the user has a particular type of account at a particular bank and that card is currently inserted into the reader. * "EMV-CPG" Response to (yCDOL1) Authorization Request Cryptogram (ARQC) The cryptogram generated by the card in response to a request to begin a transation. This value actually was intended by EMV to be transmitted remotely, although the designers may have had something more like a private phone line in mind rather than the hostile internet. * PAN Sequence Number (PSN) (PAN stands for Primary Account Number) This article http://www.isg.rhul.ac.uk/~kp/EEMV.pdf says "the PAN sequence number helps to identify a card amongst several cards belonging to the same customer with the same PAN." It seems to be up to the issuer to define the exact semantics of this value. The EMV Books show a method where it is used in the generation of the "16-byte ICC Master Key MK". It's usually listed alongside the primary card number, much like the expiration date or the Card Security Code (CSC). Like most other values in the EMV specs, it isn't explicitly stated whether it's considered public or privileged information. Nevertheless, spec designers probably didn't intend for it to be sent over the public internet unencrypted. -------- Public data used for secrets The ID defines three new cipher suites based on RFC 4279 TLS-PSK. http://tools.ietf.org/html/rfc4279 All three cipher suites define: > PSK = EMV-PSK and > EMV-PSK = h(SSAD), where - SSAD is the Signed Static Application > Data, - and h is a digest function Based on the docs and the captured data in oakland10chipbroken.pdf, it sure looks like the card considers SSAD to be public information. In other words, the card will hand it over to any reader that asks for it. Generally a pre-shared key is expected to be kept secret, like a password. This case, however, is somewhat worse than a password. With an actual password the web server doesn't have to store it in plaintext in order to validate it. Recommended practice for web sites is to store only a salted hash of the passwords (I think PCI card tranaction industry standards require it). In this architecture (Figure 1) every website which could potentially need to authenticate the user is required to store the preshared key (not to mention the card account number) in plaintext. As this information is public, static, and bound to a specific hardware item it is quite difficult to change. When an attacker has this info (again, any reader or website that ever handled this card) the PSK and DHE-PSK modes are vunerable to impersonation of either the client or server end. The RSA-PSK mode would allow impersonation of the client to the server or the server to the client after the initial handshake completed. Additionally, the PSK mode would allow decryption of data captured previously. Of course, much of this caused by the limitations of PSK in general, which comes from the decision to build on top of cards with insufficient CPU for RSA. -------- Replay attack The EMV protocol allows for a 32-bit Unpredictable Number (R32) to be included in the transaction in order to resist replay. R32 is generated solely from the ClientRandom, and ServerRandom values passed in the hello messages in-the-clear (RSA-PSK also includes ServerPublicKey). Something with a known attack that succeeds after just 2^32 tries on average is probably a little weak for a new design, especially one specifically intended for financial data over the public network. This might be a reasonable rate in a system where all failed transactions are transmitted to at a central location where they are correlated for fraud. However, in this case the attacker need only elicit a single Server Hello packet for each attempt and may be content with access to any one of many distributed servers. Furthermore, the attacker can greatly increase his chances if he has multiple previous auths to potentially replay. It is not out of the question that he could observe 100 handshakes during a normal web session, particularly if he can interfere with successful TLS session resumption. With a pool of 100 handshakes to work with, the attacker could expect to succeed after sending only about 43,000,000 packets. It's not clear what time limit would be imposed on the attacker's attempts. An attack could conceivably be diluted over sufficient time so as to not cause a noticeable increase in load to a busy site. -------- Server impersonation and credential forwarding The PSK and DHE-PSK modes provide no server authentication. Hopefully they would not be accepted by legitimate clients and servers in practice. However, note the even the RSA_PSK ciphersuites do not allow the client to effectively verify the server's certificate until the very last message of the handshake (when he receives the Finished message from the server). In all three modes, an attacker impersonating the server side for the first part of the handshake can also control R32. He could test on his own hardware 2^32 variations on ServerRandom before choosing the one he wishes to include in the Server Hello. This suggests that a user connecting to a website could have his authentication forwarded to authenticate the attacker's own connection to the legitimate server. Perhaps the authentication could even be forwarded off the network entirely to a shim device inserted in an actual terminal. The ID states that > complexity may be increased by using multiple EMV cryptograms. but there is no provision for actually doing this in the protocol. It is not clear how well this would work in practice, e.g., would the user be required to enter a PIN multiple times? -------- IPR Disclosure The author lists several patents on his web site including: US Patent 6751671 Method of communication between a user station and a network, in particular such as internet, and implementing architecture Which says: > However, according to another feature of this invention, the smart > card can authorize direct links between the terminal and, in > particular, the navigator, for Internet-type transmissions and the > network, for example, for data that requires security processing > (graphic or image data of "WEB" pages etc.). I'm no expert on these matters, but it seem that it might be appropriate to include an IPR Disclosure with this submission. ======== Conclusion It looks like this proposal has some limitations: The proposal relies on EMV's SDA authentication method which has well-documented susceptibilities to counterfitting. The proposal is subject to various attacks with a complexity of 2^32. The proposal seems to allow any card reader that has ever interacted with the card, as well as any website that could potentially need to authenticate the user in the future, to intercept data and/or impersonate one or both sides of the connection. Potentially this impersonation could be redirected off the net to impersonate a card in a physical terminal. Since the website is required to know the credit card details and PSK in advance, it would probably only be useful for the issuer's own site. For these reasons I don't think this proposal has much utility as an internet standard protocol feature. - Marsh
- [TLS] draft-urien-tls-psk-emv Marsh Ray