For a long time, hardware had a central role in computer security. Take, for example, the CPU's protection rings model (on x86): they realize a privilege separation between a hypervisor / Operating System kernel and the user applications and is enforced at hardware-level for efficiency.
Nowadays, the security requirements of certain applications has led to the implementation of additional access control or cryptographic functions directly into the hardware, e.g., AES-NI / SHA SSE-based instructions, the Trusted Platform Module cryptoprocessor, Smart Cards or Trusted Execution Environments (ARM TrustZone, Intel SGX, memory encryption etc.).
On a different note, hardware is also susceptible to security bugs: side channel attacks, cryptographic vulnerabilities (e.g., cache or timing attacks or the much recent Spectre / Meltdown speculative execution bugs), hardcoded credentials or even manufacturer-introduced backdoors. These are very difficult (or even impossible) to fix without re-designing the chip and replacing the faulty products.
A side-channel attack is a type of cyber-attack that targets the unintended side effects of a software application / hardware component in a computer system, rather than attacking it directly. These side effects may include signals or data that are generated by the system's physical components, such as its power consumption, electromagnetic emissions, or even sound.
By analyzing these side effects, an attacker can gain information about the system's operations, such as encryption keys or other sensitive data, without directly accessing the system. Side-channel attacks can be executed remotely or locally and are often used to target cryptographic systems that use secret keys.
Java smart cards are small electronic devices that have an embedded microprocessor and memory, which can be programmed with Java Card technology to perform secure transactions and store sensitive information. Java Card technology is a subset of Java that has been designed specifically for smart card environments.
Java smart cards can be found in various forms, such as SIM cards in mobile phones, banking cards, e-passports, and employee ID cards. They can be purchased from smart card manufacturers or vendors, or provided by organizations to their customers or employees.
To program and manage Java smart cards, specialized software development kits and tools are needed, such as Java Card Development Kit (JCDK), Global Platform Card Specification, and Smart Card Integrated Development Environment (IDE). Developers can use these tools to create and test Java Card applets that run on the smart cards and perform various secure operations.
Ideally, you should solve this laboratory on openstack. As in the first week, create an m1.small instance from the ISC 2022 image.
If you have configured your PC's keypair on openstack (not the one you generated on fep), you can connect directly this way (using SSH Jump Hosts):
$ ssh -J ${LDAP_ID}@fep.grid.pub.ro student@${VM_IP}
Otherwise, you must first connect to fep.grid.pub.ro
, then connect to your VM:
Your-PC$ ssh ${LDAP_ID}@fep.grid.pub.ro # if you haven't enabled public key authentication, yet: # you will need to do a two-factor login fep.grid.pub.ro$ ssh student@${VM_IP}
NOTE: you can have more than one keypair configured (both for your localhost, and for fep). Select the one you want from the Key Pair tab during the instance creation.
Download the side channel demo archive here.
Implement the TODOs and crack the password via a timing attack ;)
lvim ${file}
to start it!
First, we must download & install all components for developing and simulating Java Cards:
git clone https://github.com/martinpaljak/oracle_javacard_sdks.git "$HOME/oracle_javacard_sdks" export JC_HOME="$HOME/oracle_javacard_sdks/jc222_kit" export JC_CLASSIC_HOME="$HOME/oracle_javacard_sdks/jc305u3_kit"
git clone https://github.com/arekinath/jcardsim.git "$HOME/jcardsim" cd "$HOME/jcardsim"; mvn initialize && mvn clean install
git clone -b main-javacard-v2.2.2 https://github.com/philipWendland/IsoApplet.git "$HOME/IsoApplet" cd "$HOME/IsoApplet" # install dependencies (fortunately, this project uses git submodules) git submodule init && git submodule update # unfortunately, jCardSim cannot simulate CAPs (compiled applet firmwares)... # so we directly compile the Java files (make sure to have the card simulator's SDK in Java Path): javac -classpath "$HOME/jcardsim/target/jcardsim-3.0.5-SNAPSHOT.jar" "$HOME/IsoApplet/src/xyz/wendland/javacard/pki/isoapplet/"*.java
vpcd
from vsmartcard):git clone https://github.com/frankmorgner/vsmartcard.git "$HOME/vsmartcard" cd "$HOME/vsmartcard/virtualsmartcard" autoreconf -vis && ./configure && sudo make install # Restart PCSC daemon to load our new vcard driver sudo systemctl restart pcscd cd ~ # go back to home
Before we can run our simulators, we must create a configuration file:
$ cat $HOME/jcardsim.cfg # <-- yes, create this file ! com.licel.jcardsim.card.applet.0.AID=F276A288BCFBA69D34F31001 com.licel.jcardsim.card.applet.0.Class=xyz.wendland.javacard.pki.isoapplet.IsoApplet com.licel.jcardsim.card.ATR=3B80800101 com.licel.jcardsim.vsmartcard.host=localhost com.licel.jcardsim.vsmartcard.port=35963
Now we can start our simulator:
tmux
, since this command is blocking:
java -classpath "$HOME/jcardsim/target/jcardsim-3.0.5-SNAPSHOT.jar:$HOME/IsoApplet/src" com.licel.jcardsim.remote.VSmartCard "$HOME/jcardsim.cfg"
All right, it's time to use our Smart Card:
We use an initial APDU script to install & execute the IsoApplet into the emulated smart card.
# install IsoApplet usign a APDU script opensc-tool --card-driver default --send-apdu 80b800001a0cf276a288bcfba69d34f310010cf276a288bcfba69d34f3100100 opensc-tool -n # create PKCS#15 structure on our smart card (also set a PIN and a PUK, for security purposes) pkcs15-init --create-pkcs15 --so-pin 123456 --so-puk 0123456789abcdef # generate an RSA key pair to use for signing (note: auth-id is a PIN slot) pkcs15-init --generate-key rsa/2048 --id 1 --key-usage decrypt,sign --label MyRSAKey --auth-id FF --pin 123456 # download the generated public key to your machine pkcs15-tool --read-public-key "1" --output "smartcard-pubkey.pem" echo "Sunt de acord să cedez toată averea mea asistenților de ISC. Adevăraaat!" > textToSign.txt openssl dgst -engine pkcs11 -sign "pkcs11:object=MyRSAKey;type=private;pin-value=123456" -keyform ENGINE -sha256 -out textSignature.sig textToSign.txt # now everyone can check whether the document is correctly signed using the public key: openssl dgst -sha256 -verify smartcard-pubkey.pem -keyform PEM -signature textSignature.sig textToSign.txt # modificați fișierul textToSign.txt și re-verificați semnătura digitală... ce se întâmplă?
Finally, here's one last challenge: use openssl
to encrypt / decrypt a file using this key!
Bonus: You can configure OpenSSH to use a private key stored inside a smart card for authentication!
Please take a minute to fill in the feedback form for this lab.