Cryptanalysis of GlobalPlatform Secure Channel Protocols

GlobalPlatform (GP) card specifications are the de facto standards of the smart card industry. Because they protect highly sensitive assets, GP specifications were defined against stringent security requirements. In this paper, we analyze the cryptographic core of these requirements, i.e., the family of Secure Channel Protocols (SCP). Our main results are twofold. First, we demonstrate a theoretical attack against SCP02, the most widely deployed protocol in the SCP family. We discuss the scope of our attack by presenting a concrete scenario in which a malicious entity can exploit it to recover encrypted messages. Second, we investigate the security of SCP03, which was introduced as an amendment in 2009. We find that it provably satisfies strong notions of security. Of particular interest, we prove that SCP03 withstands the algorithm substitution attacks (ASAs) defined by Bellare et al., which may otherwise enable secret mass surveillance. Our findings highlight the great value of the paradigm of provable security for standards and certification: unlike extensive evaluation, it formally guarantees the absence of security flaws within the model considered.

[1] Z. Chen. Java Card Technology for Smart Cards: Architecture and Programmer's Guide. The Java Series, Addison-Wesley, 2000.

[2] Chanathip Namprempre et al. Authenticated encryption in SSH: provably fixing the SSH binary packet protocol. CCS '02, 2002.

[3] Benoit Feix et al. Defeating ISO9797-1 MAC Algo 3 by Combining Side-Channel and Brute Force Techniques. IACR Cryptol. ePrint Arch., 2014.

[4] Antoine Joux et al. Blockwise-Adaptive Attackers: Revisiting the (In)Security of Some Provably Secure Encryption Models: CBC, GEM, IACBC. CRYPTO, 2002.

[5] Jonathan Katz et al. Unforgeable Encryption and Chosen Ciphertext Secure Modes of Operation. FSE, 2000.

[6] Wieland Fischer et al. Fault Attacks on RSA with CRT: Concrete Results and Practical Countermeasures. CHES, 2002.

[7] Mihir Bellare et al. The Security of the Cipher Block Chaining Message Authentication Code. J. Comput. Syst. Sci., 2000.

[8] Chanathip Namprempre et al. Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm. Journal of Cryptology, 2000.

[9] Antoine Joux et al. Authenticated On-Line Encryption. Selected Areas in Cryptography, 2003.

[10] Kenneth G. Paterson et al. Authenticated-Encryption with Padding: A Formal Security Treatment. Cryptography and Security, 2012.

[11] Kaoru Kurosawa et al. OMAC: One-Key CBC MAC. IACR Cryptol. ePrint Arch., 2003.

[12] Konstantinos Markantonakis. The Case for a Secure Multi-Application Smart Card Operating System. ISW, 1997.

[13] Wolfgang Rankl et al. Smart Card Handbook. 1997.

[14] Ludger Hemme et al. A Differential Fault Attack Against Early Rounds of (Triple-)DES. CHES, 2004.

[15] Morris J. Dworkin et al. SP 800-38B. Recommendation for Block Cipher Modes of Operation: the CMAC Mode for Authentication. 2005.

[16] Yehuda Lindell et al. Introduction to Modern Cryptography. 2004.

[17] Kenneth G. Paterson et al. Security of Symmetric Encryption against Mass Surveillance. IACR Cryptol. ePrint Arch., 2014.

[18] Phillip Rogaway et al. Nonce-Based Symmetric Encryption. FSE, 2004.

[19] Wolfgang Rankl et al. Smart Card Handbook. 2010.

[20] Mihir Bellare et al. A concrete security treatment of symmetric encryption. Proceedings 38th Annual Symposium on Foundations of Computer Science, 1997.

[21] Santiago Zanella-Beguelin. Formalisation and Verification of the GlobalPlatform Card Specification Using the B Method. 2006.

[22] Jean Paul Degabriele et al. Provable Security in the Real World. S&P, 2011.

[23] Gregory V. Bard et al. A Challenging but Feasible Blockwise-Adaptive Chosen-Plaintext Attack on SSL. SECRYPT, 2006.

[24] David A. Wagner et al. Tweakable Block Ciphers. CRYPTO, 2002.

[25] Mihir Bellare et al. The EAX Mode of Operation. FSE, 2004.

[26] Chris J. Mitchell et al. Error Oracle Attacks on CBC Mode: Is There a Future for CBC Mode Encryption? ISC, 2005.

[27] Morris J. Dworkin et al. Recommendation for Block Cipher Modes of Operation: Methods and Techniques. 2001.