Overview of Security Threats for Smart Cards in ... - Damien Sauveron
contact cards, in terms of processing power, memory capacity and cryptographic capabilities. The main characteristics of contactless smart card technology (e.g. physical robustness, support for fast passenger flows, relative security, etc.) indicate that it is currently the best available solution for the transport industry and as a result different types of cards are used in a number of projects all over the world.
2.3. Dual Interface Smart Card Technology
A dual interface or “combi” card, as the name implies, combines contact and contactless interfaces for the underlying chip functionality. Therefore, the card may allow access to the same data using contact and contactless smart card readers. However, it is also possible to combine a contact and a contactless chip on the same card such that they are completely independent. We will focus our discussions on the single chip “dual interface” card.
3. The Operational Environment<br />
In this section we highlight the operational requirements of smart card technology in the transport industry in terms of the parties involved, their control over different aspects of the overall ticketing systems and also their motivation. The following requirements are not exhaustive and the goal is to categorize them so that they will help us to define the security boundaries for our analysis.
3.1. The Entities Involved<br />
There are different entities involved in any smart card based transport scheme. For the sake of simplicity and completeness we draw attention to the following:
• The smart card is often a credit card sized plastic card (it can also be a low cost carrying medium, such as a paper based one) embedded with an integrated chip. In general the chip offers certain processing power along with volatile and non-volatile storage memory (the types of memories will be described later on).
• The cardholder is defined as the person to whom the card was issued. It is assumed to be the party that has possession of the smart card on a day-to-day basis. It should also be noted that the cardholders serve a dual role. Under certain circumstances they might have every interest in retaining the integrity of the system (e.g. when they receive a refund for a card based purchase). On the other hand they could be the originators of attacks that will result in direct or indirect benefits from fraud.
• The card issuer, as the name implies, is the party that issues the smart card. It is a common requirement of smart card issuers that they always retain control of the card.
• The smart card application developers are responsible for developing the smart card hardware and software including any applications and often the underlying operating system. Therefore, we assume that this category does not pose a major risk factor within our analysis.
• The terminal represents the device that allows the card to communicate with the outside world. Some terminals might be controlled by the cardholder directly, such as a card reader connected to the cardholder's PC, or indirectly, by tampering with a Point-of-Sale (POS) terminal machine at a train station gate.
• The back office systems are responsible for manipulating card, cardholder and transaction (journey related) data.
• The smart card manufacturers are often the card distributors as they often manufacture and directly deliver the cards to transport operators. It is assumed that smart card manufacturers are trusted entities that follow all the necessary best practices for the protection and secure distribution of cards.
• The attackers include any party with an interest in attacking the security of the overall system. These could include traditional hackers, academics, but also cardholders.
3.2. General Observations Regarding Existing Smart Card Technology
It is widely believed that smart cards have a lot to offer in security sensitive applications by supporting cryptographic algorithms and secure storage of sensitive information. When the card utilises cryptographic algorithms and well designed security protocols it can be used as a tamper resistant token for authorisation and access control. Over the last few years major hardware and software improvements have taken place in order to improve the security of the smart card device. As a result, high-end smart card technology deploys adequate security functionality that is relatively difficult to penetrate. Technological improvements will continue to take place as smart card attacks become more and more sophisticated.
It is important to note that smart cards cannot offer complete security, not because they have restricted functionality but simply because absolute security cannot be guaranteed by a single device. The overall