available at www.sciencedirect.com
www.compseconline.com/publications/prodinf.htm
Information Security Group Smart Card Centre, Royal Holloway, University of London, UK
Department of Computer Science, University of Bristol, Merchant Venturers Building, Woodland Road, Bristol BS8 1UB, UK
Institute of Computer Science, Foundation for Research and Technology-Hellas, Heraklion, Greece
abstract
Smart card technology has evolved over the last few years following notable improvements in the underlying hardware and software platforms. Advanced smart card microprocessors, along with robust smart card operating systems and platforms, contribute towards a broader acceptance of the technology. These improvements have eliminated some of the traditional smart card security concerns. However, researchers and hackers are constantly looking for new issues and vulnerabilities. In this article we provide a brief overview of the main smart card attack categories and their corresponding countermeasures. We also provide examples of well-documented attacks on systems that use smart card technology (e.g. satellite TV, EMV, proximity identification) in an attempt to highlight the importance of the security of the overall system rather than just the smart card.
Keywords:
Smart card
Security
Relay attacks
EMV
Satellite TV
Contactless
© 2009 Elsevier Ltd. All rights reserved.
1. Introduction
2.
* Corresponding author.
E-mail addresses: k.markantonakis@rhul.ac.uk (K. Markantonakis), tunstall@cs.bris.ac.uk (M. Tunstall), gerhard.hancke@rhul.ac.uk
(G. Hancke), asko@ics.forth.gr (I. Askoxylakis), keith.mayes@rhul.ac.uk (K. Mayes).
1363-4127/$ - see front matter © 2009 Elsevier Ltd. All rights reserved.
doi:10.1016/j.istr.2009.06.001
3.
3.1. Invasive attacks
3.2.
3.2.1. Countermeasures
Fig. 1 An example of the power consumption during the execution of an implementation of AES.
Fig. 2 The correlation trace (upper) shows at what points in the power consumption trace (lower) data is being manipulated.
3.3. Fault analysis
4. Attacks on systems that use smart card technology
In this section we present three examples of systems that use smart card technology in order to enhance their product offerings and, at the same time, maintain adequate levels of security. A common characteristic of these systems is that they have suffered, or could potentially suffer, direct or indirect costs. These may not be attributed directly to the selected smart card technology but to the system and specific operational design decisions.
4.1. Satellite TV issues
4.1.2.
4.1.1.
4.2.
[Figure: diagram with the labels Issuer Bank, Financial Network For Clearing and Settlement (Transaction Authorisation), Billing, Cardholder, Acquirer Bank, Shopping, Relationship, Merchant (POS).]
4.2.1.
4.2.2.
4.3.
[Figure: diagram with the labels Attacker's equipment, Smart Token, Proxy Reader, Relay Channel, Proxy Token, Token Reader.]
5. Conclusions
Acknowledgements
The work of Michael Tunstall is supported in part by the
European Commission IST Programme under Contract IST2002-507932 ECRYPT and EPSRC grant EP/F039638/1. Keith
Mayes, Konstantinos Markantonakis and Gerhard Hancke
would like to thank the Information Security Group Smart
references