Power cracking of cash card codes.


Loaded with electronic cash that has been protected by an encryption scheme, a smart card represents a convenient, versatile medium for business transactions. Roughly the size of a standard credit card, it incorporates circuitry for processing information and keeping records.

That microcircuitry also makes it vulnerable to attack. Cryptographers have now identified techniques for breaking the security system built into a smart card. They cracked the codes by monitoring power consumption as the circuitry performed its cryptographic operations.

"We have implemented these attacks against a large number of smart cards and, at this point, do not believe that any cryptographic smart cards on the market are immune to these analysis techniques," says Paul Kocher of the consulting firm Cryptography Research in San Francisco.

Last week, Kocher and his coworkers Joshua Jaffe and Benjamin Jun posted their report revealing the security flaw. It can be found on the World Wide Web at http://www.cryptography.com/dpa/.

"[The flaw] is indeed a serious security threat to many existing systems," says Ross Anderson of the University of Cambridge Computer Laboratory in England. "It allows relatively low-budget attackers to get at key material that previously required a moderately well-equipped lab."

The integrated circuits on smart cards consist of vast arrays of transistors, which act as voltage-controlled switches. Different microprocessor instructions initiate characteristic switching patterns. The resulting motion of electric charge consumes power and generates electromagnetic radiation, which can be detected outside the card.

Researchers have already demonstrated that it is possible to accumulate enough data to deduce secret keys--strings of 1s and 0s--required to decrypt confidential information stored on smart cards. Using sophisticated tools, they've measured the duration of cryptographic operations (SN: 12/16/95, p. 406) or exploited processing errors (SN: 2/1/97, p. 78).

In the new threat, an attacker can use less expensive equipment to monitor a smart card's electronic responses. Fluctuations in power consumption correspond to different stages in a cryptographic process. By magnifying the signal, it is possible to detect individual microprocessor instructions and distinguish between various arithmetic operations.

A more sophisticated analysis of these data relies on the application of statistical and error-correction techniques to extract information useful for deducing secret keys. Once the secret key is found, a criminal could make a copy of the smart card and obtain unauthorized access to someone else's account or, in some systems, automatically refill the card with cash.

Such threats, however, require that criminals have special equipment attached to or physically near the card. Smart cards are safe when stored in a wallet or purse, Kocher says.

Stolen or lost smart cards are another matter, because they can be connected to a power sensor and computer.

One approach to increased security is to recognize a smart card's vulnerability. An electronic cash system used by Visa International, for example, checks for unusual account activity. When that system was designed, Anderson says, "we did not know as much about breaking into smart cards as we do now, but we suspected that it would be done." Other companies have also started to adopt countermeasures.
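
The statistical analysis of power measurements described above, and the mention of countermeasures, can be seen from the defender's side as a leakage assessment. This added example (not from the article or from Cryptography Research) simulates power readings under an assumed Hamming-weight model with constructed key and input values, then runs a fixed-versus-random Welch t-test on an unprotected device and on one using random masking, a countermeasure assumed here that the article does not name.

```python
import random
import statistics

KEY = 0x01          # constructed secret byte for the simulation
FIXED_INPUT = 0xFF  # constructed fixed input byte
THRESHOLD = 4.5     # |t| limit commonly used in leakage assessment

def hamming_weight(value):
    return bin(value).count("1")

def power_sample(rng, data, masked):
    """One simulated power reading while the card handles data XOR key.

    Assumed model: power is proportional to the number of 1 bits in the
    value being processed, plus Gaussian measurement noise.
    """
    intermediate = data ^ KEY
    if masked:
        intermediate ^= rng.randrange(256)  # fresh random mask on every run
    return hamming_weight(intermediate) + rng.gauss(0.0, 1.0)

def welch_t(a, b):
    """Welch's t-statistic for two groups of readings."""
    se = (statistics.variance(a) / len(a) + statistics.variance(b) / len(b)) ** 0.5
    return (statistics.mean(a) - statistics.mean(b)) / se

def leakage_t(masked, runs=2000, seed=1998):
    """Compare readings for one fixed input against readings for random inputs."""
    rng = random.Random(seed)
    fixed = [power_sample(rng, FIXED_INPUT, masked) for _ in range(runs)]
    rand = [power_sample(rng, rng.randrange(256), masked) for _ in range(runs)]
    return welch_t(fixed, rand)

def leaks(masked):
    """True when power consumption depends measurably on the data processed."""
    return abs(leakage_t(masked)) > THRESHOLD

if __name__ == "__main__":
    for masked in (False, True):
        print(f"masked={masked}: t={leakage_t(masked):+.1f} leaks={leaks(masked)}")
```

The unprotected model fails the test by a wide margin, while the masked model passes at this single measurement point; a real evaluation repeats the test at every point of the trace and for higher-order statistics.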

Security expert Peter G. Neumann of SRI International in Menlo Park, Calif., notes that "unfortunately, attacks such as Paul Kocher's merely remind us of how difficult--if not impossible--it is to achieve security that can withstand very determined and well-funded attacks."
COPYRIGHT 1998 Science Service, Inc.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1998, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Title Annotation:Science News of the Week
Author:Peterson, Ivars
Publication:Science News
Date:Jun 20, 1998
Words:553