Lab 03 - Hardware Security


  • Side Channel Attacks
  • Hardware Security Basics
  • OpenSSL / PKCS#11 & #15 tools
  • HSMs: Java Card & Simulator




For a long time, hardware had a central role in computer security. Take, for example, the CPU's protection rings model (on x86): they realize a privilege separation between a hypervisor / Operating System kernel and the user applications and is enforced at hardware-level for efficiency.

Nowadays, the security requirements of certain applications has led to the implementation of additional access control or cryptographic functions directly into the hardware, e.g., AES-NI / SHA SSE-based instructions, the Trusted Platform Module cryptoprocessor, Smart Cards or Trusted Execution Environments (ARM TrustZone, Intel SGX, memory encryption etc.).

On a different note, hardware is also susceptible to security bugs: side channel attacks, cryptographic vulnerabilities (e.g., cache or timing attacks or the much recent Spectre / Meltdown speculative execution bugs), hardcoded credentials or even manufacturer-introduced backdoors. These are very difficult (or even impossible) to fix without re-designing the chip and replacing the faulty products.

Side Channel Attacks

A side-channel attack is a type of cyber-attack that targets the unintended side effects of a software application / hardware component in a computer system, rather than attacking it directly. These side effects may include signals or data that are generated by the system's physical components, such as its power consumption, electromagnetic emissions, or even sound.

By analyzing these side effects, an attacker can gain information about the system's operations, such as encryption keys or other sensitive data, without directly accessing the system. Side-channel attacks can be executed remotely or locally and are often used to target cryptographic systems that use secret keys.

Java Smart Cards

Java smart cards are small electronic devices that have an embedded microprocessor and memory, which can be programmed with Java Card technology to perform secure transactions and store sensitive information. Java Card technology is a subset of Java that has been designed specifically for smart card environments.

Java smart cards can be found in various forms, such as SIM cards in mobile phones, banking cards, e-passports, and employee ID cards. They can be purchased from smart card manufacturers or vendors, or provided by organizations to their customers or employees.

To program and manage Java smart cards, specialized software development kits and tools are needed, such as Java Card Development Kit (JCDK), Global Platform Card Specification, and Smart Card Integrated Development Environment (IDE). Developers can use these tools to create and test Java Card applets that run on the smart cards and perform various secure operations.


[40p] 1. Python timing side channel attack

Download the side channel demo archive here.

Implement the TODOs and crack the password via a timing attack ;)

Hint: you have LunarVim installed on the VM, use lvim ${file} to start it!

[30p] 2. Using OpenSSL

You are tasked with encrypting a large file using RSA. For this, you will need to use both symmetric and asymmetric crypto, and all of this can be done using one swiss-army-knife-like tool openssl!

  • For starters, we need a file to encrypt; let's make a backup of /etc/:
    sudo tar czf etc-backup-2023.tar.gz -C /etc .
  • We will use a symmetric cipher to encrypt the file using an ephemeral (random) key (which we will then encrypt using RSA):
    # generate the random passphrase
    dd if=/dev/urandom of=.mysecretpass bs=20 count=1
  • Encrypt the file using openssl enc -aes-256-cbc -e and the password generated earlier from file;
  • Hint: openssl enc --help (you can specify password from file using -pass file:<path-to-passphrase-file>).

Almost all openssl operations take their options using a single dash (-); all subcommand may take input from a file specified by -in <file-path> and may output their results to a file specified by -out <file-path>!

OpenSSL's symmetric encryption can use PBKDF2 to derive a key from an arbitrary password (salted, by default). It also chooses a secure IV for the first block automatically, so we don't have to do anything else (but we could: using the -K and -iv arguments).

  • Generate a RSA key pair:
    openssl genrsa -out <specify your filename>
  • Export the public key to a separate file (hint: use openssl rsa -pubout – ofc, --help to see the syntax!);
  • Encrypt the AES passphrase file (then delete the original!):
    openssl pkeyutl -in <path-to-passphrase-file> -out backup-secret.enc -pubin -inkey <your-public-key> -encrypt
    rm -f <path-to-passphrase-file>
  • some time later…
  • Oh noes, our system crashed and we lost all configuration! Fortunately, we have the encrypted backup file! First, you need to decrypt the AES passphrase using your private RSA key! Use openssl pkeyutl with -decrypt (note: -inkey must point to your private key generated above!)!
  • Once you obtain the AES passphrase, decrypt the backup file and test it:
    openssl enc -aes-256-cbc -d -pbkdf2 -in etc-backup-encrypted.bin -pass file:<decrypted-passfile> -out backup-decrypted.tar.gz
    # test whether the resulting .tar.gz archive is valid?
    file backup-decrypted.tar.gz

[30p] 3. Java Card Simulator

In order to simulate a Java Card, we must install all required Java components (Oracle JavaCard SDKs, jCardSim, IsoApplet, VSmartCard).

Note: you don't need to do this on the ISC VM 2023, it's already been setup!

Click to display ⇲

Click to hide ⇱

git clone "$HOME/oracle_javacard_sdks"
export JC_HOME="$HOME/oracle_javacard_sdks/jc222_kit"
export JC_CLASSIC_HOME="$HOME/oracle_javacard_sdks/jc305u3_kit"
  • Since we don't have a physical smart card, we need a simulator: download & install JCardSim:
git clone "$HOME/jcardsim"
cd "$HOME/jcardsim"; mvn initialize && mvn clean install
  • We now need an applet to install on our (emulated) Smart Card. IsoApplet is an open source applet implementing Public Key cryptography operations (with OpenSC integration):
git clone -b main-javacard-v2.2.2 "$HOME/IsoApplet"
cd "$HOME/IsoApplet"
# install dependencies (fortunately, this project uses git submodules)
git submodule init && git submodule update
# unfortunately, jCardSim cannot simulate CAPs (compiled applet firmwares)...
# so we directly compile the Java files (make sure to have the card simulator's SDK in Java Path):
javac -classpath "$HOME/jcardsim/target/jcardsim-3.0.5-SNAPSHOT.jar" "$HOME/IsoApplet/src/xyz/wendland/javacard/pki/isoapplet/"*.java
  • Finally, note that we need a Card Reader to interface with the smart cards. So, with our simulated card, we will have to use a virtual card reader software (vpcd from vsmartcard):
git clone "$HOME/vsmartcard"
cd "$HOME/vsmartcard/virtualsmartcard"
autoreconf -vis && ./configure && sudo make install
# Restart PCSC daemon to load our new vcard driver
sudo systemctl restart pcscd
cd ~  # go back to home

Finally, we must create a configuration file for jcardsim':

$ cat $HOME/jcardsim.cfg  # <-- yes, create this file !

[Re]Start the PCSC service:

# the VM does not automatically start this, so do it manually
sudo systemctl restart pcscd

Start the simulator:

java -classpath "$HOME/jcardsim/target/jcardsim-3.0.5-SNAPSHOT.jar:$HOME/IsoApplet/src" com.licel.jcardsim.remote.VSmartCard "$HOME/jcardsim.cfg"

Hint: use separate terminals or tmux, since the command is blocking and prints lots of debugging info, so it will not be a good idea to run it in background with & and reuse that terminal!

Loading the Smart Card applet:

The APDU Smart Card Application Protocol Data Unit is a communication protocol used for interfacing with smart cards, standardized in ISO/IEC 7816-4.

We use an initial APDU script to install & execute the IsoApplet into the emulated smart card.

# install IsoApplet usign a APDU script
opensc-tool --card-driver default --send-apdu 80b800001a0cf276a288bcfba69d34f310010cf276a288bcfba69d34f3100100
opensc-tool -n
# create PKCS#15 structure on our smart card (also set a PIN and a PUK, for security purposes)
pkcs15-init --create-pkcs15 --so-pin 123456 --so-puk 0123456789abcdef
# generate an RSA key pair to use for signing (note: auth-id is a PIN slot)
pkcs15-init --generate-key rsa/2048  --id 1 --key-usage decrypt,sign --label MyRSAKey --auth-id FF --pin 123456
# download the generated public key to your machine
pkcs15-tool --read-public-key "1" --output "smartcard-pubkey.pem"
echo "Sunt de acord să cedez toată averea mea asistenților de ISC. Adevăraaat\!" > textToSign.txt
openssl dgst -engine pkcs11 -sign "pkcs11:object=MyRSAKey;type=private;pin-value=123456" -keyform ENGINE -sha256 -out textSignature.sig textToSign.txt
# now everyone can check whether the document is correctly signed using the public key:
openssl dgst -sha256 -verify smartcard-pubkey.pem -keyform PEM -signature textSignature.sig textToSign.txt
# modificați fișierul textToSign.txt și re-verificați semnătura digitală... ce se întâmplă?

Unfortunately, jCardSim is unstable and will crash after some short timeout (approx. several minutes), so make sure you run these commands with little pause between them (make a script). If it crashed, you must restart both the pcscd service and the simulator:

killall java
sudo systemctl restart pcscd
java -classpath "$HOME/jcardsim/target/jcardsim-3.0.5-SNAPSHOT.jar:$HOME/IsoApplet/src" com.licel.jcardsim.remote.VSmartCard "$HOME/jcardsim.cfg"

Finally, here's one last challenge: use openssl to encrypt / decrypt a file using this key!

Bonus: You can configure OpenSSH to use a private key stored inside a smart card for authentication!

3. Feedback

Please take a minute to fill in the feedback form for this lab.

isc/labs/03.txt · Last modified: 2024/03/18 09:07 by alexandru.mircea98
CC Attribution-Share Alike 3.0 Unported Valid CSS Driven by DokuWiki do yourself a favour and use a real browser - get firefox!! Recent changes RSS feed Valid XHTML 1.0