Escolar Documentos
Profissional Documentos
Cultura Documentos
H = 5 A/m
fc= 13,56 Mhz
S= 40 10-4
ISO 7816 V= 2,2V
Contact Mode Pascal Urien, Porquerolles, 28 mai 2013
6 /47
What is a Secure Element ?
A Secure Element (SE) is a Secure Microcontroller,
equipped with host interfaces such as ISO7816, SPI or I2C .
EXAMPLE: NXP PN532
OS JAVACARD JCOP
GP (Global Platform)
ROM 160 KB
EEPROM 72 KB
RAM 4KB
Crypto-processor
3xDES, AES, RSA, ECC
Certification CC EAL5+
Security Certificates EMVCo
www.chipworks.com
Reader/writer ISO 14443 –A-B, MIFARE, FeliCa®, NFC Forum tags, ISO 15693
Card Emulation ISO 14443 –A-B-B’,
PascalMIFARE, FeliCa RF , SWP
Urien, Porquerolles, 28 mai 2013
RAM 5Ko, ROM 128 Ko, EEPROM 52 Ko 8 /47
The SIM card becomes an NFC device:
the Contactless Front-end (CLF)
The ETSI TS 102 613 Standard
NFC SECURE
CONTROLER ELEMENT
Secure Element
Administration
NFC
SOFTWARE
CONTROLER
LLCP-SYMM [0000]
CONNECT [0521 060F 636F6D2E616E64726F69642E6E7070]
DSAP=1, SSAP=33, Service=“com.android.npp”
CC (Connection Complete) [859002020078]
DSAP=33, SSAP=16, MUI (Maximum Information Unit)
Information
[432100 0100000001010000000F D1010B5402656E 6B657976616C7565]
DSAP=16, SSAP=33, N(S)=0, N(R)=0, NPP HEADER, NDEF RECORD, keyvalue
RR(1) [855001], SSAP=16, DSAP=33
DISCONNECT [4161]Pascal
DSAP=16, SSAP=33
Urien, Porquerolles, 28 mai 2013
12 /47
Smartcard Administration: GP
CSN (Chip Serial
Other KMC-ID (6B) Number, 4B)
Issuer Security
Other KMC (DES Master Key for
Security Domain
Application Personalization Session Keys)
Domain
Card
Manager
KENC KMAC KDEK
Select ISD
Issuer
SKUENC SKUMAC SKUDEK
Application
Global Secure Channel
Platform
Runtime
API
Environment Application Management
The VISA Model* downloading - deletion
*EMV Card Personalization Specification Version
Pascal Urien, 1.1 July 2007
Porquerolles, 28 mai 2013 13 /47
The In2Pay Administration Model*
* http://www.devifi.com/assets/whitepaper.pdf
Pascal Urien, Porquerolles, 28 mai 2013
14 /47
The Google Platform
Reader/Writer Card Emulation Peer to Peer
Android Beams
- EMV Magnetic
NFC Tags Stripe Profile SNEP
- Cloud Storage
Pascal Urien, Porquerolles, 28 mai 2013
15 /47
HID NFC White Paper:
SIM centric Services
Trusted
Service
Manager
- Payment
- Access Control
- Transport
Passive Mode
Active Mode
NFCIP-1
NFCIP-1 ISO 14443-4 NFCIP-1
NCPIP-1
D1: 1 1 0 1 0 001
Identifier 01: Type Length
describing 0A: Payload Length
the TYPE of 54: Type= ‘T’, Text
the payload 02: ID= UTF8
65 6E: “EN”
URI reference 53 61 6D 70 6C 65 20: "Sample "
(RFC 3986)
LIBRAIRIES Application
DALVIK CPU core,
NFC RIL Processor (1GHz)
"Hummingbird"
+ GPU
LINUX KERNEL
Front End
/dev/nfc /dev/baseband Baseband Radio Layer
Module
Processor Interface (RIL)
(FEM)
NFC BASE
CTL BAND SIM
Pascal Urien, Porquerolles, 28 mai 2013
25 /47
Proprietary Libraries
Telephony services
RIL
(ingoing call, outgoing
Daemon
calls are managed
through RIL packets
http://www.kandroid.org/online-pdk/guide/telephony.html
Pascal Urien, Porquerolles, 28 mai 2013
27 /47
2011, Open Mobile API
Pascal Urien,
*Visa Contactless Payment Specification Porquerolles,
Version 28 mai
2.0.2 July 20062013 32 /47
Google Wallet 2
Customer’s
Google Issuer Bank
Acquirer
Card Not Present transaction (CNP)
Google Card
Issuer Network
Customer‘s Acquirer Bank
Cards
Google
Virtual
prepaid card
PascalMasterCard
Urien, Porquerolles, 28 mai 2013
33 /47
About Relay Attack proxy
“A Practical Relay Attack on ISO 14443 Proximity Cards” Gerhard Hancke, 2005
“Keep Your Enemies Close: Distance Bounding
Pascal Against Smartcard
Urien, Porquerolles, Relay Attacks”, Saar Drimer
28 mai 2013
and Steven J. Murdoch, 2007 34 /47
Where is located a bank card ?
• In the SIM/USIM 2012 Google fees
Less than $3,000 2.9% + $0.30
– Use SWP for NFC $3,000 - $9,999.99 2.5% + $0.30
communication $10,000 - $99,999.99 2.2% + $0.30
– MNO model $100,000 or more 1.9% + $0.30
Cache Operation
769 – 60 – 62 + 820 + 560 = 2027 Pascal
ms Urien, Porquerolles, 28 mai 2013 38 /47
Test with EMV magstripe profile
One TCP packet per ISO7816 command (APDU),
RTT 70 ms (Paris – Hanover)
Paris Hanover
Trc = Tr0 + L x D
where Tr0 is a fix delay (about 20-40 ms), L is the length of exchanged data, D is the NFC
throughput (104 Kbits/s in our platform, i.e. D= 0,1ms/byte)
Trr= Trc + RTT + Tse,
Where Trc is the time consumed by the NFC proxy , RTT is the round trip time over
internet (ranging between 50ms to 100ms), and Tse is a time consumed by a legacy
Pascalas
secure element for the request (such Urien,
440msPorquerolles,
for DDA or28420ms for GenerateAC). 39
mai 2013
/47
Security for NFC
LLCPS
urn:nfc:sn:tls:snep
NDEF NDEF
TLS
NFC-
Controller(s) www.youtube.com/watch?v=CVWHlxoi3eUYou
Pascal Urien, Porquerolles, 28 mai 2013 SIM
41 /47
2013, First Tests With BB 10
http://www.youtube.com/watch?v=CWS41cIZylw
Pascal Urien, Porquerolles, 28 mai 2013
42 /47
NFCIP-1
• The NFCIP-1 layer is usually running in a microcontroller chip
(such as the PN532 from NXP) that drives the NFC radio. An NFC
session occurs in four logical steps.
• 1) Initialization and Anti-collision, the Initiator periodically
probes the presence of a Target.
• 2) Activation and Parameters Selection, once a Target has been
detected a set of parameters are notified or negotiated; in
particular LLCP services are selected.
• 3) Data Exchange, frames are exchanged via the Data Exchange
Protocol (DEP); the Initiator sends (DEP) requests acknowledged
by Target responses; the packets size ranges from 64 to 256
bytes; DEP provides error recovery mechanisms, so upper layers
such as LLCP, exchange error free packets.
• 4) De-Activation, the initiator can release the NFC session at any
time, via Release-Request/Response messages.
Pascal Urien, Porquerolles, 28 mai 2013
43 /47
LLCP - Logical Link Control Protocol
• The LLCP Protocol looks like a light version of the IEEE 802.2 LLC
standard.
• LLCP packets include a mandatory two bytes header comprising
the DSAP (Destination Service Access Point, 6 bits), the SSAP
(Source Service Access Point, 6 bits ) and the PTYPE (4 bits)
indicating the class of the PDU (Protocol Data Unit).
• LLCPS works in connected mode and uses the "com.ietf.tls.snep"
service name, which identifies a SNEP service over TLS. It only
deals with seven PTYPEs:
– CONNECT (connection to the "com.ietf.tls.snep" service),
– CC (Connection Confirm),
– DISC (Disconnect),
– DM (Disconnected Mode),
– INFORMATION (TLS messages in our use case),
– RR (Receiver Reader, i.e. the acknowledgment of an INFORMATION
PDU),
– SYMM (Symmetry) that indicates
Pascal an inactivity
Urien, Porquerolles, 28 maiover
2013 LLCP and avoids
timeout at the DEP level. 44 /47
LLCPS
• The LLCPS layer manages five exclusive
processes in order to exchange TLS messages.
• The connection process (CP) and the
disconnection process (DP) are in charge of
establishing and releasing LLCP sessions with
the "com.ietf.tls.snep" service.
• The sending process (SP) sends a requested
amount of data according to a simple strategy
that performs segmentation, transmits
INFORMATION PDUs and waits for
acknowledgments (RR).
• The receiving process (RP) waits for a
requested amount of incoming data; the
reception of each incoming INFORMATION
packet is acknowledged by a RR PDU.
• The inactivity process (IP) periodically
generates SYMM symbols which may be
echoed by other processes such as IP, SP or RP.
SYMM generation is a consequence of slow TLS
processing by a secure element, or interaction
between the mobile operating system and its
user
Questions