Schneier on Security
A blog covering security and security technology.
« Cartoon: NSA Surveillance Devices |
| Wireless Surveillance Camera Detector »
June 11, 2006
The Security of RFID Cards
Interesting paper on the security of contactless smartcards:
Interestingly, the outcome of this investigation shows that contactless smartcards are not fundamentally less secure than contact cards. However, some attacks are inherently facilitated. Therefore both the user and the issuer should be aware of these threats and take them into account when building or using the systems based on contactless smartcards.
Posted on June 11, 2006 at 7:04 AM
• 21 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I can agree with the author of the article that side-channel attacks make it "just as easy" to obtain secret keys from contact cards as from contactless cards. She didn't sufficiently address the privacy and other issues related to evesdropping and "rogue access" to the contactless card. (What is her/Gemplus's agenda?)
I value physical security highly; it can be explained easily: "Don't put your bank card in a dubious ATM." How can the average consumer prevent access to a contactless card? Yes, tinfoil wallets help; but even then you'll have to take out your card once in a while and criminals can use that window of opportunity by placing their rogue readers near ATMs or POS terminals.
This article examines the threat model of extracting the private key from a smart card, effectively "cloning" it. It doesn't look easy to do, even in a laboratory setting. Is this attack going to be feasible in the field? If so, reading device could be placed someplace a cardholder could be expected to linger for a minute or two in a controlled setting. Park benches, for instance. If I had an application which made this sort of attack economical, I'm not sure I'd trust it only to a smart card. While lost or stolen magnetic stripe cards can be copied or used, we already have measures in place in banking industries to protect the card holder. Can we make it obvious to the user when his card was last "talked to"?
Well, look at the detail picture on page 5 where you can easily read 16 bits of the card's secret key (required equipment: see page 4). The "detector coil" can easily be added to a standard card reader while the read-out scope is hidden behind a desk.
"A sound approach to protect against this attack strategy is strong mutual authentication between the card, the reader and the user, possibly relying on certificates, and requiring some kind of user interaction."
The whole point of going to RFID was to avoid user interaction.
The simplest way to implement this security protection would be to use a card swiped in a reader, making the user a vital ally in security instead of a witless dope. If his card can't work without reader contact, then he can avoid trouble by keeping the card in a safe place, taking it out only when needed.
If the reader isn't compromised, eavesdropping, operation interruption, denial of service, and covert transactions are ruled out in one fell swoop.
Geez, what ever happened to just putting a "on" switch on stuff?
Can't get any more secure than a computer that's off.
I've never read anywhere that contactless needs to be "always-on". Stick an ON button on the thing, and then it's only vulnerable when you're actually using it.
I think we all know that they would be a billion times more secure if they were 'pincards' with a keypad on them, then there is no chance that the vendor kit can store PINs, and again, it can't be queried by ""accident"".
"interestingly, the outcome of this investigation shows that contactless smart cards are not fundamentally less secure than contact cards. however, some attacks are inherently facilitated..."
did somebody just fart in my office?
PIN is never stored plaintext on the bankcard, only the PIN offset. It requires the secret key to decrypt the PIN offset and modulo 10 arithmetic to calculate the natural PIN. Knowing the offset alone, isn't enough. The idea that contactless smart cards are not fundamentally less secure than contact cards, is correct.
Besides the ATM thing and PIN storage on smartcards i mentioned, I forgot to mention that with smartcard security, like smartcard locks, those are easy to be bruteforced with powermagnets. Creating a powerfull magnetic field will open most smartcard locks. But this is the flaw in the locks itself and not in the architecture of smartcard security.
A bit off topic... there is an interesting article on eWeek (http://www.eweek.com/article2/0,1895,1974937,00.asp) claiming that RFID might be obsoleted by a new technology named RuBee. The most interesting facts are that RuBee is going to take an active approach and that it will be "ideal for liquid and metal situations". No more security from aluminium foil hats here.
Is that a convincing line of reasoning? . . . that contactless smartcards are just as secure because each of their conspicuous vulnerabilities can in principle be addressed with some technical fix? Doesn't that line of reasoning also lead to the conclusion that skydiving is just as safe as chess?
What?! Since when is chess considered, "safe"?!
Jungsonn wrote: "PIN is never stored plaintext on the bankcard, only the PIN offset. It requires the secret key to decrypt the PIN offset and modulo 10 arithmetic to calculate the natural PIN. Knowing the offset alone, isn't enough. The idea that contactless smart cards are not fundamentally less secure than contact cards, is correct."
I must disagree, most strongly.
The primary difference between a contact card and an RF contactless card is that, with a contact card, the authorised cardholded knows and permits every contact use, or has the opportunity to know of a compromise of that principle. If there is maluse of cards (eg by merchant fraud), there is at least potential for careful cardholders to be able to narrow down potential suspects of the maluse.
With an RF contactless card, the communications between card and system is subject to intercept. Cards are also subject to unauthorised access attempts. Thus the authorised cardholder has much less personal opportunity for ensuring protection against malicious intercept or access.
Such protection as can be given to RF contactless communications is not complete, and relies on complexity outside the control of the authorised cardholder: ie keeping the card secure from unauthorised and unknown physical contact.
[On this, why do banks ask us not to let credit/debit cards out of our sight in restaurants and retail stores? Is it not to protect against malicious access? And please, please don't come back with any crap about retail terminals having (actual or potential) secret decryption keys: with millions of retail cardreaders, there is no effecetive secrecy!]
The primary adavntage of RF contactless cards is (I assume) extended card life and cardreader life, through avoidance of contact wear. By all means argue that that advantage outweighs the reduction in security: I'm waiting!
I understand what you mean.
But instead of analyzing frequencies, it would be much cheaper and quicker to just "copy" the card, in both ways i think.
About the debit/credit cards, the most likely place to scammed is a bar or restaurant. That's true, but they may do this out the line of site for me, i do not care. Because there is an effective way of protect yourself from such CreditCard fraud.
for instance you give the bartender the card, he comes back with the reciept, but you are_not_being charged yet, this is done when you leave the place and may have give a tip afterwards.
I read an article last week about the use of steganography in calculating the tip you gave.
This is how it works:
1. Give the waiter your card
2. Wait for the receipt to come back (not charged yet)
3. Lets say the cost maybe: $12.34
Then engineer the tip so that the final charge has the dollars value encoded into the cents.
Give $2.00 tip (approx.)
So the final charge would be:$14.15
(#dollars +1) = $14.15 - $12.34 = $1.81 tip money.
4. Follow thise scheme anytime you want to tip the waiter.
5. Look on the monthly statements, and you see a fraudulant act if the calculation of cents do not add up with the initial price you've paid.
A simple way of ensuring this, and detect creditcard fraud quick and effectivly, if you maintain the constant of (#dollars + 1) in cents. (or any other you like) Then you also have a prove if you do this often, because you can give your encoding method, which will work always wherever you gave a tip.
I really liked this idea, and sound like a good tip ;)
Chipcards (both contactless and contact cards) are made so that it is possible to configure (write) them with a secret key, but the card will not disclose its secret key volounteerly. After configuration is complete the card ID and keys can not be easily changed.
@Jungsonn, who wrote: "I understand what you mean."
Thank you for coming back on that; it all helps.
And who wrote: "But instead of analyzing frequencies, it would be much cheaper and quicker to just "copy" the card, in both ways i think."
Yes. But with a contact card, that requires contact with the card. Doubtless that will happen, but it's better to make it more difficult to do by ensuring authorised cardholders can take some simple security measures.
Tampering with cardreading equipment does happen (there was a recent case in the UK concerning a chain of petrol stations). However, tampering with someone else's equipment usually does leave some sort of evidential trail.
I did "actually" understand it, but do not completely agree with it.
I am positive that there can (and must) be better security measures for RF cards. But i do not see that it is less secure than contactcards. There are many cases where they put a dummy on the card slith to copy stuff. With RF cards you can't copy the card, only analysing the frequencies and hoping it can be compromised. But still need the card data stored on it. it seems trivial to do this. So no reason for me to believe it is "less" secure.
Jungsonn, you are talking about "magstripe" cards and those are trivially easy to clone. Warnings about the security of magstipe+PIN systems have been going around for at least ten years.
Contact chip cards are an order of magnitude better, using public key encryption for authentication; a simple "dummy" will not get enough information to retreive the card's private key. For some cards it is possible to discover the private key with accurate timing and/or power measurements in a lab. It might be possible to modify a genuine card reader in the wild, but it appears significantly more difficult.
Contactless cards provide totally new opportunities for fraud, think about using the card in the wallet of the guy next in line to pay for your metro or busride. The card itself may be resistant against cloning, but that doesn't mean that consumers couldn't fall victim of other kinds of fraud.
So can I block the unauthorized reading of my RFID by wrapping the card in foil?
Hello, nice site looks this
The read/write range of HF contactless cards is only 5-6cms. Not possible to detect from a distance, let alone hack it ! Dont worry be happy now.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.