1. Trang chủ
  2. » Kỹ Thuật - Công Nghệ

Smart cards a fascinating and fruitful adventure ppt

12 209 0

Đang tải... (xem toàn văn)

Tài liệu hạn chế xem trước, để xem đầy đủ mời bạn chọn Tải xuống

THÔNG TIN TÀI LIỆU

Thông tin cơ bản

Định dạng
Số trang 12
Dung lượng 3,04 MB

Nội dung

Smart cards a fascinating and fruitful adventure Gemalto Technology & Innovation Nguyen Quang Huy 2 Smart Cards in the our life  Secure transaction (banking, pay-TV)  Telecom (SIM/USIM/RUIM, M2M, convergence, M-TV, M-banking, M-ticket)  Control Access (physical and logical resource)  E-citizen (e-passport, e-ID, e-Heath, e-driving license, ) 3  No internal timer, battery  No keyboard, display, network interface  Current generation  µ-processor: 16-bits, <=10MHz  RAM: 4K  ROM: 100K for code storage  E 2 PROM (10 5 updates ): 64K for data storage  I/O: serial (9600 bps), – Contactless protocols: MiFare, FeliCa, Calypso  Next generation  µ-processor: 32-bits, up to 100MHz  Flash memory: more durable and more rapid  I/O: USB (12 Mbps) – Contactless open protocols: NFC, ZigBee 25 mm 25 mm 2 2 Smart Card HW 4 Smart Card SW  Proprietary architecture  Undisclosed specification  Tedious application development  Closed configuration: no application can be added after issuance  Open architecture  Open specification  High-level programming languages  Post-issuance applications are available  Some open architectures  Java Card  MULTOS  .NET Card  Basic Card 5 Example: Java Card  Introduced by Schlumberger in 1996  Leading open multi-applicative architecture  >5 billions Java-embedded cards issued  Applications (applets) developed in Java Integrated Circuit Operating System Java Card Virtual Machine API in Java Native API Card Manager Applet 1 Applet 2 JC Firewall I/O command 6 Security threats  No battery  Card tearing (or power failure ) may cause inconsistency data  No internal timer  Logging for post-mortem analysis is not possible  No keyboard, display, network device  secure usage environment  Payment terminals (POS and ATM): security certification  Security of PC and handset: keyboard logger, false display (phishing), etc  Contactless interface  Cardholder is not aware of malicious actions  Physically owned by attackers  Vulnerable to both logical and physical attacks 7 Attacks  Logical attacks: use I/O commands to exploit SW vulnerabilities  buffer overflow, type confusion, covert channels, protocol attacks, etc  Physical attacks: use physical phenomenon to exploit SW/HW vulnerabilities  Invasive attacks: destructive and require specific logistics  HW reverse-engineering; disabling HW security features, etc  Non invasive attacks: affordable logistics – Side-channel: use the emitted signals (power consumption, execution time) to guess the secret (keys, PIN)  Execution signature (E 2 PROM update, DES rounds, etc) may leak secret – Fault-injection attacks: use physical means (infrared heat, laser, X-ray) to flip some bits in the memory  Modify code and runtime control flow, data: the consequence is hardly predictable  Combined attacks 8 Counter-measures and beyond  Detection  HW: (shield-removal, temperature, frequency, laser, light) sensors  SW: checksum, fault-trap  Protection  HW: memory/bus encryption, redundancy, error-correcting code  SW: transaction mechanism (anti-tearing), random noise, protection of control flow  Auditing  HW: security registers  SW: fault-counters, security exception  Reaction  Muting (infinite loop) and clearing RAM No counter-measure is perfect Trade-off between security and performance (tender eligibility criterion)  Use of mathematical techniques: formal methods 9 Mathematically proven security assurances 10 Vietnam: smart card deployment  Mobile telecom  Low-end cards: <=64K EEPROM  Banking  Small-scale migrations to EMV standard: VP Bank, VCB, etc  Online banking (secure reader/authentication server): VCB  Why the banks are not keen on using smart cards ? – Cards mainly used for ATM withdrawal: rare (offline) POS payment ⇒ fraud is limited – Card holders are usually paying for the fraud ! – Insfratructure cost for a migration (ATM, POS, servers, etc)  E-government  e-passport project (since 2006) [...]... Small market implies small players  Few smart cards manufacturers  MK Technology JSC: 20 milions smart cards delivered in 2008  Main products: SIM, USIM, RUIM – Sale representative of foreign products  Dosmetic share in final products – Card personalization for final clients – A first Vietnamese smart card OS ? MKCos (Sao Khue 2008)  Even fewer application developers  Vietnamizing imported applications... Vietnamizing imported applications 11 Joining the adventure  Expanding dosmetic market by SIM-based attractive applications e.g.,  M-payment, online payment  Value-added applications on mobile network  M-ticket for public transport  Making E-Government come true  Healthcare card, ID-card, etc  Education/Training  More training courses for – embeded programming: lucrative outsourcing market – security... card, ID-card, etc  Education/Training  More training courses for – embeded programming: lucrative outsourcing market – security engineering: go beyond anti-virus  Support of overseas experts  Enterprising  Win-win JV with foreign partners to learn technology 12 . Smart cards a fascinating and fruitful adventure Gemalto Technology & Innovation Nguyen Quang Huy 2 Smart Cards in the our life  Secure transaction (banking, pay-TV)  Telecom. Circuit Operating System Java Card Virtual Machine API in Java Native API Card Manager Applet 1 Applet 2 JC Firewall I/O command 6 Security threats  No battery  Card tearing (or power failure ) may. issuance  Open architecture  Open specification  High-level programming languages  Post-issuance applications are available  Some open architectures  Java Card  MULTOS  .NET Card  Basic Card 5 Example:

Ngày đăng: 07/07/2014, 05:20

TỪ KHÓA LIÊN QUAN

TÀI LIỆU CÙNG NGƯỜI DÙNG

TÀI LIỆU LIÊN QUAN