
- Number of slides: 143

Part 1 Card Technology

Card Era § credit cards have become part of our daily life as a form of plastic money since their first launch in 1960 § a magnetic card versus a smart card

Magnetic Card § composed of a layer of magnetic material for storing information § easy to carry § can be used for authentication § what are its principles?

Information on Magnetic Card § the stripe is 8.5 cm × 1.2 cm § data is structured according to ISO 7811/2 § a maximum of 3 tracks § can store around 1 Kbit

ISO Standards § Based on ISO 7811 § Track 1 was developed by the International Air Transport Association (IATA) and contains 6-bit alphanumeric characters § Track 2 is used by the American Bankers Association (ABA) and stores 4-bit numeric information containing the identification number and control information § Track 3 originated with the Thrift Industry and contains information intended to be updated with each transaction

Capacity

Track   Record density (bits/inch)   Capacity
1       210                          79 characters (7 bits/char.)
2       75                           40 characters (5 bits/char.)
3       210                          107 characters (5 bits/char.)

Fraud card activities § Stealing: a legitimate card may be stolen and used in ATMs or EPOSs § Altering and re-embossing a genuine card, that is modifying the visual features of the card § Skimming or altering the original electronic data stored on the magnetic stripe, for example the expiry date or the credit limit § Buffering or re-encoding the original data onto the magnetic card; this technique is commonly used in producing counterfeit stored-value tickets

1. Copying of data from a genuine card to another in an on-line fashion: "white plastic fraud" 2. Counterfeiting: "colour plastic fraud" may be prepared by reading another legitimate card and encoding the same information onto another fraudulent card in an off-line fashion

Valid card versus fraud card (illustration)

Design of card protection technologies § Validation by Appearance: a visual means of protecting against illegal duplication of a plastic card. The aim is to make the appearance of the card so unique and difficult to duplicate that shopkeepers or card handlers can identify a genuine card instantly.

§ Verification on Access: this validation relies on interaction with the card holder; the objective of the protection mechanism is to confirm that the person accessing the card is an authorised one.

§ Protection on Data: a machine-readable protection to prevent data from being accessed and duplicated illegally. The importance of stripe data protection is to ensure the security of electronic transactions and to provide an alternative verification mechanism for the magnetic card.

6.5.1 Validation by Appearance (card illustration; the labelled features are: computer chip, hologram, magnetic stripe, logo, printed & embossed data, bar code, fine printing, photo ID, authorised signature) But counterfeits still exist!

Holograms § are the most notable marking on credit cards § produced by a combination of photography and laser beams § initially counterfeit holograms were crude and manufactured by stamping tin foil § recently counterfeit holograms have been produced professionally, so technical knowledge is needed to validate the authenticity of a hologram

Embossed characters § are raised marks on the plastic surface of the card § the embossed information includes the user name, expiry date, card number and a unique embossed symbol (VISA embosses a symbol like "CV" beside the expiry date) § However, the card material is a thermoplastic: by warming the card to about 50 °C, the characters can be "debossed" and re-embossed with fraudulent information

Photocards § were introduced by Citibank Corporation § the effectiveness of the photocard for marketing purposes seems to be greater than for security § it is not an effective means of stopping card fraud because counterfeiters are able to imitate laser-engraved photographs and signatures at rather low cost using a photo machine of around US$ 5000

Ultra-violet dove, bank identification number (BIN) and micro-printing § can also be duplicated with existing technology § technical knowledge is needed to distinguish a counterfeit card from a genuine one § most card reading terminals contain no visual detector to validate these visual protection features, while human eyes are not a reliable means of verification § difficult to validate a genuine card

Protection on Card Access § the card holder is requested to prove his identity, or the authorised user is notified of the transaction § methods: signature, biometrics, PIN

Signature § Signature is the most popular way of verification § When a transaction is made, the card holder is requested to sign and the signature is verified visually § this method is simple § not useful in protecting against "colour plastic fraud", where the criminal can sign their own signature on the fraudulent card

Biometrics § biometric features were developed such as speed of writing, fingerprint or iris pattern § implementation cost is high § their accuracy is questionable

Personal identification number (PIN) § The PIN is a unique number given by the bank to each user; it is effectively fixed by the customer account number and the cryptographic key used in the derived-PIN computation § The PIN offset, or password, is a value that relates the derived PIN to the actual PIN value

§ When a card holder transfers or withdraws money from a bank account, a 6-digit password is entered before the transaction is processed § The password is validated by comparison with the one stored on the magnetic card (via the offset) or in a centralised database at the bank

§ The security of the password relies on the PIN encryption algorithm, the PIN management scheme and the secrecy of the password § A PIN does not provide a defence against data copied from another card which contains the correct card verification value § Moreover, the encryption algorithm adopted for validation codes may be tampered with and decoded by professional attackers with some insider information

Protection on Data § the major magnetic card protection techniques have included: Watermark, Magnetic Print, Valugard, Xsec-Jitter, Macaps

Smart Card § Integrated Circuit (IC) chip § originated from France § invented in the 1970s and matured in the 1990s § a magnetic card replacement

Types of Smart Card § Memory Card § MPU IC card § Crypto processor card § Contactless card

Memory Card § primitive type § composed of EEPROM/PROM § simple functions § used as a prepaid card

Crypto-processor IC Cards § composed of a crypto-processor & PROM § a powerful MPU § can recognise illegal signals and include security features

MPU IC Smart Card § composed of an MCU/MPU § software driven § flexible, with primitive intelligence § some security features

Contactless Smart Card § similar to the contact smart card § with an RF transceiver to increase robustness and security

Advantages of Smart Card § large storage capacity § more security features § multiple functions § flexibility in use: intelligent, lower power consumption, effective packaging § used as access card, electronic purse, debit/credit card, ID card etc., in particular for off-line applications

Hardware Technologies § new memory technologies: EEPROM and flash-EPROM § new silicon technologies: from 1.3 µm down to 0.65 or even 0.18 µm for more storage and security and lower power consumption § new packaging technologies: against breakage, rubbing and bending

Smart Card Software § Intelligent Chip Operating System (COS) § Encryption techniques: RSA & DES § Multiple Application OS (MAOS): Mondex, EMV, GSM, loyalty § New requirements: hot lists, trusted key management

6.6.4 Smart Card Worldwide § Usage distribution: 40% Western Europe, 25% Asia, 15% North America, 8% South America and 12% others § The major user is France, with over 130 M cards § Germany: 80 M health insurance cards § over 20 countries use GSM and electronic purse cards

Smart Card Projects Worldwide § Mondex - UK § Barclays/Mercury one-2-one project (UK) § Detemobil Toll Collection (UK) § Advantages Card in RSA § ID card in Taiwan § MasterCard & Visa + Netscape and Microsoft - COS project § Credit Card in USA

Some Difficulties Worldwide § Bank card project cancellation - Taiwan § Mondex tampering slows down bank sector development - RSA and New Zealand § MasterCard - year 2000 delay of massive launch § Visa - adoption of the magnetic card in the RSA debit card project § Major concern - COST EFFECTIVENESS

Smart Card in Hong Kong § Mondex § Visa Cash § City Smart § Octopus - smart travelling card § Jockey Club - pre-pay card § New airport - access control card § HKT - telephone card § Parking Meter - prepay card project

Smart Card in Electronic Commerce § Electronic Data Interchange (EDI) § Tradelink § Electronic Purchasing § Home Banking § Internet Shopping

New Technologies Required § Data storage management - information protection § authentication process: biometrics (fingerprint, facial features, iris identification, dynamic signature recognition, speech recognition) § encryption methods: Elliptic Curve Cryptography, chaotic techniques

THE SMART CARD MARKET IN THE YEAR 2000 (in millions; source: Philips Communication Systems)

Application         France   Europe   Others   Total
Phone cards          140.8    553.1    640.0    1334
GSM cards              4.0     15.0     42.0      61
Health cards          10.0     55.0     92.0     157
Bank cards            25.0     85.0     75.0     185
ID cards                 -        -        -       -
Transport tickets        -        -        -       -
Pay TV cards           4.5     24.0     81.0     110
Access control         1.8      3.0      5.0      10
City cards / Misc.    24.0     55.1     64.3     143
Total                210.1    790.2    999.3    2000

(No figures are given on the slide for ID cards and transport tickets; the column totals are consistent with those rows being empty.)

Some Difficulties Worldwide § Bank card project cancellation - Taiwan § Card tampering slows down bank sector development - RSA and New Zealand § MasterCard - year 2000 delay of massive launch § Visa - adoption of the magnetic card in the RSA debit card project § Major concern - COST EFFECTIVENESS


Smart Card in Mobile Phone Applications § The Wireless Application Protocol (WAP) is emerging for mobile Internet access § Research launched in Japan indicates a good market if it becomes available § Mobile operators will provide add-on WAP gateways and WAP services to enable wireless Internet services for banks, financial institutions, restaurants, retailers, utilities, transit operators, hotels, entertainment and media, and the sale of goods and information

§ Limitation: the SIM card inside the WAP phone cannot perform the complex PKI authentication process, so security is an issue § A possible solution is to introduce an additional smart card interface (either contact or contactless) to enable the authentication process (MasterCard dual-card phone)

§ New technology requirements: the development of m-PKI (mobile PKI) in the multiple-application OS is essential and practical; the development of high-security, low-power card modules; a better interface to the new wireless Internet platform; other ancillary technologies, such as Bluetooth and wireless wallets, are also important

Java Card § more powerful processor & memory § allows download of applications § open software platform for code portability § for multi-function cards: e-purse, loyalty, health care database and Internet/Intranet access card

Smart Card in Hong Kong § Mondex § Visa Cash § Campus card § Octopus - smart travelling card § Jockey Club - pre-pay card § New airport - access control card § Telephone card & SIM card § Parking Meter - prepay card project § Residential access card § Possible new ID card, Road Toll Pay Card

Governing Body § The Hong Kong Monetary Authority will set rules on the use of smart cards for financial applications § only banks may issue general purpose cards § HKMA can authorise other non-bank issuers: core use relating to the business of the issuer; the issuer needs to establish a business case; non-core uses are subject to limits determined by HKMA

Exemptions § risk to the payment system and card holders is slight § replaces an existing non-regulated payment instrument like travellers' cheques § soundness of the issuer § maximum of HK$1000 limit on the card § only 15% allowed for non-core uses § use in limited and distinct areas

Examples § Mondex: equivalent to bank notes, no audit trail § Visa Cash: equivalent to cheques, linked to accounts and with an audit trail

Mondex scheme (diagram, drawn as two parallel flows). Issue of bank notes: the Notes Issuing Bank issues bank notes to Other Banks, with adjustment to interbank accounts; Other Banks pass bank notes to Notes holder A, with adjustment to the customer account; Notes holder A passes bank notes to Notes holder B, or to a Merchant in exchange for goods/services. Origination of Mondex value: the Mondex Originator originates Mondex value for Member Banks, with adjustment to interbank accounts; Member Banks transfer Mondex value to Cardholder A, with adjustment to the customer account; Cardholder A transfers Mondex value to Cardholder B, or to a Merchant in exchange for goods/services. Note: there is no clearing system for the transfer of Mondex value (in the same way as for the transfer of bank notes).

Visa Cash scheme (diagram, drawn as two parallel flows). Cheques: the Bank issues cheques to the Customer and debits the customer account after the cheque is cleared; the Customer pays the Merchant by cheque for goods/services; the Merchant presents the cheque received from the customer to its Bank, which credits the merchant account through the Cheque Clearing System. Visa Cash: the Bank uploads value onto the card and debits the customer account once the value is uploaded; the Visa Cash Cardholder pays the Merchant by card for goods/services; the Merchant redeems the value received from the cardholder through the Visa Cash Clearing System, and its Bank credits the merchant account. Note: transfer of Visa Cash value goes through a clearing system in the same way as clearing for cheques.

ISO 7816 Standards § 7816/1: specifies the physical and dimensional features of the plastic support. Additional characteristics specified are mechanical strength, static electricity, electromagnetic fields, bending properties etc.

7816/2 § Specifies the meaning and location of the contacts § This part defines eight contacts, referred to as C1 to C8. The contacts are located as shown in the figure.

Pin Assignment (figure)

7816/3 § Specifies the electronic signals and transmission protocols: the DC electrical characteristics, the character format and the command protocol for the smart card § This ISO standard describes two types of data transfer between the smart card and the card reader/writer: § an asynchronous protocol, with two data coding conventions § a synchronous protocol

Asynchronous protocol § Character format: each character (shown in the figure) is composed of: § one start bit § 8 bits of data § one even parity bit § a guardtime slot including two stop bits

§ The data transmission speed depends on the frequency of the clock signal supplied to the smart card on the CLK contact § The nominal bit duration on the I/O line is called the "elementary time unit" (etu) by the ISO standard

§ This bit duration is derived directly from the input clock during the "answer to reset", but the smart card may request that it be modified for the following data exchange. The parameters of this modification are given during the "answer to reset".

§ I/O line management: the I/O line (input/output line) is used to exchange data in input mode (reception) or in output mode (transmission). This line has two states: § stand-by state, or high level § working state, or low level

§ Furthermore, the I/O line (as shown in the figure) is used to signal or detect data parity errors in reception or transmission. The transmitter must sample the I/O line during the guardtime. § The transmission is presumed valid if the I/O line stays at the high level during the guardtime slot § The transmission is wrong if the I/O line is pulled down for at least one etu (two etu maximum) during the guardtime slot § The receiver, in order to signal a reception error, must pull down the I/O line

Data coding § The ISO 7816-3 standard allows two kinds of data coding: the direct convention or the inverse convention. The convention is fixed by the smart card and is declared in the first character of the "answer to reset".

§ In the direct convention, the logical "1" level is 5 volts (high) and the least significant bit (LSB) is transmitted first § In the inverse convention, the logical "1" level is 0 volts (low) and the most significant bit (MSB) is transmitted first
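The character format and the two coding conventions above can be made concrete with a small bit-level model. The following Python is an added example, not code from the slides: it frames a byte as one low start bit, 8 data bits, an even parity bit and two high stop bits in the guardtime, in either convention, and models the receiver pulling the line low in the guardtime to flag a parity error. The byte values 0x3B and 0x3F used in the demo are the standard TS values that announce the direct and inverse convention in the answer to reset; the encoding of a frame as a list of line levels is this example's own representation.

```python
"""ISO 7816-3 asynchronous character framing, modelled at the line-level.

A frame is a list of 12 line levels: start, 8 data, parity, 2 stop.
HIGH (1) is the idle/stand-by state of the I/O line, LOW (0) the working state.
"""

HIGH, LOW = 1, 0


def _logic_to_level(bit, convention):
    # Direct convention: logic 1 is the high level.  Inverse: logic 1 is the low level.
    # The mapping is its own inverse, so it also converts a level back to logic.
    return bit if convention == "direct" else 1 - bit


def _data_bit_order(convention):
    # Direct convention sends the LSB first, inverse convention the MSB first.
    return range(8) if convention == "direct" else range(7, -1, -1)


def encode_char(byte, convention="direct"):
    """Return the 12 line levels for one character."""
    if not 0 <= byte <= 0xFF:
        raise ValueError("byte out of range")
    data = [(byte >> i) & 1 for i in _data_bit_order(convention)]
    parity = sum(data) % 2                      # even parity over the 8 logical data bits
    levels = [LOW]                              # the start bit is always low
    levels += [_logic_to_level(b, convention) for b in data]
    levels.append(_logic_to_level(parity, convention))
    levels += [HIGH, HIGH]                      # guardtime: two stop bits, line idles high
    return levels


def decode_char(levels, convention="direct"):
    """Decode 12 line levels into (byte, parity_ok)."""
    if len(levels) != 12 or levels[0] != LOW:
        raise ValueError("malformed frame: expected a low start bit and 12 levels")
    bits = [_logic_to_level(l, convention) for l in levels[1:9]]
    parity = _logic_to_level(levels[9], convention)
    byte = 0
    for i, b in zip(_data_bit_order(convention), bits):
        byte |= b << i
    return byte, (sum(bits) + parity) % 2 == 0


def error_signal(levels):
    """The receiver's reaction to a parity error: pull the line low for one etu in the guardtime."""
    signalled = list(levels)
    signalled[10] = LOW
    return signalled


def transmitter_sees_error(levels):
    """The transmitter samples the guardtime; any low level there means the character was rejected."""
    return LOW in levels[10:12]


if __name__ == "__main__":
    # TS, the first byte of the answer to reset, is 0x3B for direct and 0x3F for inverse convention.
    for ts, conv in ((0x3B, "direct"), (0x3F, "inverse")):
        frame = encode_char(ts, conv)
        print(conv, "".join("H" if l else "L" for l in frame), decode_char(frame, conv))
```

Decoding a frame with the wrong convention returns a different byte, which is why the convention must be settled by TS before the rest of the answer to reset is interpreted.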

Synchronous protocol § In the synchronous protocol, successions of bits are sent on the I/O line, synchronised with the clock signal on the CLK pin § In the synchronous protocol, the data frame format described previously is not used

7816/4 § Specifies the inter-industry commands for interchange, including: § the content of the messages, commands and responses, transmitted by the interface device to the card and conversely § the structure and content of the historical bytes sent by the card during the answer to reset

§ the structure of files and data, as seen at the interface when processing inter-industry commands for interchange § access methods to files and data in the card § a security architecture defining access rights to files and data in the card § methods for secure messaging

APDU (application protocol data unit) message structure § A step in an application protocol consists of sending a command, processing it in the receiving entity and sending back the response. A specific response therefore corresponds to a specific command; together they are referred to as a command-response pair.

§ An application protocol data unit (APDU) contains either a command message or a response message, sent from the interface device to the card or conversely § In a command-response pair, the command message and the response message may each contain data, giving four cases, which are summarised in the table below

Command-response pair (table)

Command APDU structure § CLA - class byte § INS - instruction byte § P1, P2 - parameter bytes § Lc field - number of bytes present in the data field § Le field - maximum number of bytes expected in the data field of the response APDU

Response APDU structure § The response APDU consists of: § a conditional body of variable length § a mandatory trailer of 2 bytes (the status bytes)

Status codes of the response APDU trailer (table)
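The command and response structures above, together with the four cases, are easy to pin down in code. The following Python helpers are an added example rather than code from the slides: they serialise a short-form command APDU (CLA, INS, P1, P2, optional Lc + data, optional Le), classify an APDU into one of the four cases, and split a response into its body and 2-byte trailer. The status words in the table are standard ISO 7816-4 values; the slide itself does not reproduce its status code table. The SELECT command and the response bytes in the demo are constructed samples.

```python
"""ISO 7816-4 short-form APDU helpers.

Case 1: header only            Case 2: header + Le
Case 3: header + Lc + data     Case 4: header + Lc + data + Le
"""

# A few standard status words (SW1 SW2) from ISO 7816-4.
STATUS_WORDS = {
    0x9000: "OK",
    0x6A82: "file or application not found",
    0x6982: "security status not satisfied",
    0x6A86: "incorrect parameters P1-P2",
    0x6D00: "instruction code not supported",
    0x6E00: "class not supported",
}


def build_apdu(cla, ins, p1, p2, data=b"", le=None):
    """Serialise a command APDU.  In short form Lc and Le are one byte each."""
    if len(data) > 255:
        raise ValueError("a short APDU carries at most 255 data bytes")
    apdu = bytes([cla, ins, p1, p2])
    if data:
        apdu += bytes([len(data)]) + bytes(data)   # Lc field + data field
    if le is not None:
        if not 0 <= le <= 256:
            raise ValueError("short Le is 1..256; 256 is coded as 0x00")
        apdu += bytes([le % 256])                   # Le field
    return apdu


def apdu_case(apdu):
    """Classify a command APDU into case 1..4 from its length and Lc byte."""
    if len(apdu) < 4:
        raise ValueError("APDU shorter than the 4-byte header")
    body = apdu[4:]
    if not body:
        return 1
    if len(body) == 1:
        return 2
    lc = body[0]
    if len(body) == 1 + lc:
        return 3
    if len(body) == 2 + lc:
        return 4
    raise ValueError("Lc does not match the body length")


def parse_response(resp):
    """Split a response APDU into (data, status_word, meaning)."""
    if len(resp) < 2:
        raise ValueError("a response needs the mandatory 2-byte trailer")
    data, sw1, sw2 = resp[:-2], resp[-2], resp[-1]
    sw = (sw1 << 8) | sw2
    if sw1 == 0x63 and (sw2 & 0xF0) == 0xC0:        # 63 Cx: verification failed, x tries left
        meaning = f"verification failed, {sw2 & 0x0F} retries left"
    else:
        meaning = STATUS_WORDS.get(sw, "unknown status")
    return data, sw, meaning


if __name__ == "__main__":
    # Constructed sample: SELECT by name (case 4) and a constructed reply ending in 90 00.
    cmd = build_apdu(0x00, 0xA4, 0x04, 0x00, data=bytes.fromhex("A000000003"), le=0)
    print(cmd.hex(), "case", apdu_case(cmd))
    print(parse_response(bytes.fromhex("6F07840500A0000000039000")))
```

A terminal that logs the case of each command and the status word of each response has the minimum it needs to spot a card that answers with unexpected status words (for example repeated security-status or retry-counter replies) during a transaction.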

Part 2 Card Security

Simple security § Random number generator for dynamic key generation § Cipher engine for data protection: block cipher, stream cipher, chaotic function

Random Number Generator § For generation of session keys § A digital approach can only generate pseudo-random numbers, e.g. a linear congruential generator X_i = (a X_{i-1} + b) mod c § Others use analogue approaches like a VCO, a white-noise generator etc.
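The point that a digital X_i = (a X_{i-1} + b) mod c generator is only pseudo-random is worth seeing rather than asserting: with the modulus known, three consecutive outputs are enough to recover a and b and predict every later value, so such a generator must not be the sole source of session keys. The Python below is an added example, not code from the slides; the modulus, multiplier, increment and seed are constructed for the demonstration.

```python
"""Predictability of a linear congruential generator X_i = (a*X_{i-1} + b) mod c."""

C = 2**31 - 1   # a prime modulus, so every non-zero difference is invertible mod c


def lcg(seed, a, b, c=C, count=5):
    """Generate `count` successive values X_1..X_count from X_0 = seed."""
    out, x = [], seed
    for _ in range(count):
        x = (a * x + b) % c
        out.append(x)
    return out


def recover_parameters(x0, x1, x2, c=C):
    """Solve for a and b from three consecutive outputs.

    x1 = a*x0 + b and x2 = a*x1 + b (mod c), so x2 - x1 = a*(x1 - x0) (mod c).
    Requires x1 - x0 to be invertible mod c, which a prime c guarantees when x1 != x0.
    """
    a = ((x2 - x1) * pow(x1 - x0, -1, c)) % c
    b = (x1 - a * x0) % c
    return a, b


def predict_next(x_last, a, b, c=C):
    """Given the recovered parameters, the next output is fully determined."""
    return (a * x_last + b) % c


if __name__ == "__main__":
    a_secret, b_secret = 1103515245, 12345          # constructed "secret" parameters
    seen = lcg(seed=20240101, a=a_secret, b=b_secret, count=4)
    a, b = recover_parameters(*seen[:3])
    print("parameters recovered:", (a, b) == (a_secret, b_secret))
    print("next value predicted:", predict_next(seen[2], a, b) == seen[3])
```

This is the reason the slide's analogue sources (VCO, white noise) or a hardware entropy source are wanted for key material: the digital generator is a deterministic function of its state, and the state leaks through its outputs.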

Block Cipher Method – Write to Memory / Read from Memory (diagrams) § K1: master key of length 16 bits § K2: card ID of length 16 bits

§ K1 and K2 act as the key parameters of the block cipher § The block cipher constructs a one-to-one mapping § For different combinations of K1 and K2, different mappings are obtained § By exhaustive search through 2^8 = 256 combinations, the mapping can be obtained without revealing the key parameters § To reveal the key parameters, an exhaustive search of 2^16 × 2^16 = 2^32 combinations is required § If the card ID is known, a search of 2^16 combinations can reveal the master key

Stream Cipher § The stream cipher can be viewed as a state machine with K1 K2 as the initial state § It generates a pseudorandom sequence which is XORed with the input data to form the output data § The data must be processed in sequence in order to encode and decode correctly § Not suitable

Chaotic Function

§ The neural network constructs a mapping from a 32-bit input to an 8-bit output § The 8-bit output of the neural network is XORed with the input data to form the output data § For different K1 & K2 the same output of the neural network may be obtained: collisions occur § Knowing a pair of data input and data output recovers the output of the neural network § Because collisions occur, an exhaustive search through K2 with K1 known finds several K2 values giving the same output, which increases the difficulty of searching for K2

Using an 8-bit Artificial Neural Network to generate a Chaotic Function (figure)

Advanced Data Protection - Encryption § Encryption transforms data into an irregular form for secure storage and transmission. The reconstruction is achieved using a set of relevant keys. § Two kinds of cryptosystem are currently in use, i.e. symmetric (DES/FEAL) and asymmetric (RSA, ECC). A symmetric cryptosystem requires only one common key for encryption and decryption, whereas an asymmetric system requires two keys, i.e. a private/user key and a public/system key.

Common Encryption Techniques § Three algorithms will be introduced: § DES (Data Encryption Standard) § RSA (Rivest, Shamir, Adleman) § ECC (Elliptic Curve Cryptography)

DES § the most well-known symmetric system, used by the banking sector and in computer security § the technique originated at IBM and was certified by the National Bureau of Standards in 1977 § an official unclassified data encryption method § widely used by the banking sector

Encryption Process – DES System (diagram). Data path: 64-bit plaintext → Initial Permutation → split into 32-bit L0 and 32-bit R0 → 16 rounds of the building block F(Ri-1, Ki) (labelled F(R0, K1) through F(R15, K16)), producing L1, R1 ... L15, R15 and finally L16, R16 → Final Permutation → 64-bit ciphertext. Key schedule: 64-bit key → Permuted Choice 1 → 56-bit key split into 28-bit C0 and 28-bit D0 → shifts giving C1, D1 ... C16, D16 → Permuted Choice 2 → 48-bit round keys K1 ... K16.

Function f (diagram): Ri-1 (32 bits) → Expansion Permutation (48 bits) → combined with the 48-bit round key (56-bit key → Permuted Choice → 48 bits) → S-box substitution choice (32 bits) → P-box permutation (32 bits) → combined with Li-1 (32 bits) to give Ri (32 bits); Li (32 bits) = Ri-1.

DES Substitution Boxes Operation (figure)

Operation Tables of DES (IP, IP-1, E and P) (figure)

RSA § developed by 3 researchers at MIT in 1977 § based on two prime numbers (p & q) to generate the keys § the most popular is RSA-129, where p × q gives a 129 bit number § highly secure and once proposed to replace DES in banking applications § cryptanalysed by a group of 600 specialists in May 1994 through the Internet

RSA Steps § Select two large primes p & q § Compute n = pq § Compute f(n) = (p-1)(q-1) § Select e (encryption/public key) and d (decryption/secret key) such that ed = 1 (mod f(n)) § Encrypt by C = M^e mod n, where M is the message § Decrypt by M = C^d mod n
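The steps above, carried through in Python as an added example (not code from the slides). The primes are the small textbook pair p = 61, q = 53 so every intermediate value can be checked by hand; real keys use primes of hundreds of digits, and real systems never encrypt a raw message with this "textbook" operation but wrap it in a padding scheme such as OAEP first.

```python
"""Textbook RSA: key generation, encryption and decryption following the slide's steps."""

from math import gcd


def rsa_keygen(p, q, e=65537):
    """n = pq, f(n) = (p-1)(q-1), e coprime to f(n), d = e^-1 mod f(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)                     # f(n)
    if gcd(e, phi) != 1:
        # the default e does not work for this pair: take the smallest odd e coprime to f(n)
        e = next(c for c in range(3, phi, 2) if gcd(c, phi) == 1)
    d = pow(e, -1, phi)                         # e*d = 1 (mod f(n))
    return (n, e), (n, d)                       # public key, private key


def encrypt(m, public):
    """C = M^e mod n.  M must be an integer smaller than n."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(c, private):
    """M = C^d mod n."""
    n, d = private
    return pow(c, d, n)


def check_keypair(public, private):
    """The defining relation: e*d = 1 mod f(n) implies M^(ed) = M mod n for every M."""
    n, e = public
    _, d = private
    return all(pow(m, e * d, n) == m for m in range(n)) if n < 5000 else None


if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53)              # toy primes; n = 3233, f(n) = 3120
    print("keys:", pub, priv)
    c = encrypt(65, pub)
    print("ciphertext:", c, "decrypts to", decrypt(c, priv))
```

With p = 61 and q = 53 the default e = 65537 reduces to 17 modulo f(n) = 3120, so d = 2753, and the message 65 encrypts to 2790.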

ECC § a new elliptic curve cryptosystem method for public key applications § developed by Neal Koblitz (Washington University) and Victor Miller (IBM, Yorktown Heights) in 1985 § uses points on the elliptic curve as the elements for encryption § will become an IEEE standard in 1997/8 (99?)

Elliptic Curve Groups over Real Numbers § An elliptic curve over the real numbers may be defined as the set of points (x, y) which satisfy an elliptic curve equation of the form y^2 = x^3 + ax + b, where x, y, a and b are real numbers. Each choice of the numbers a and b yields a different elliptic curve.

§ For example, a = -4 and b = 0.67 gives the elliptic curve with equation y^2 = x^3 - 4x + 0.67 (its graph is shown in the figure). § If x^3 + ax + b contains no repeated factors, or equivalently if 4a^3 + 27b^2 is not 0, then the elliptic curve y^2 = x^3 + ax + b can be used to form a group. An elliptic curve group over the real numbers consists of the points on the corresponding elliptic curve, together with a special point O called the point at infinity. § P + Q = R is the additive operation, defined geometrically.

Elliptic Curve Addition: A Geometric Approach § Elliptic curve groups are additive groups; that is, their basic operation is addition. The addition of two points on an elliptic curve is defined geometrically. § The negative of a point P = (x_P, y_P) is its reflection in the x-axis: the point -P is (x_P, -y_P). Notice that for each point P on an elliptic curve, the point -P is also on the curve.

Adding distinct points P and Q § Suppose that P and Q are two distinct points on an elliptic curve, and that P is not -Q. To add the points P and Q, a line is drawn through the two points. This line will intersect the elliptic curve in exactly one more point, call it -R. The point -R is reflected in the x-axis to the point R. The law for addition in an elliptic curve group is P + Q = R (see the figure).

Adding the points P and -P § The line through P and -P is a vertical line which does not intersect the elliptic curve at a third point; thus the points P and -P cannot be added as above. § It is for this reason that the elliptic curve group includes the point at infinity O. § By definition, P + (-P) = O. As a consequence, P + O = P in the elliptic curve group. O is called the additive identity of the elliptic curve group; all elliptic curves have an additive identity.

Doubling the point P § To add a point P to itself, a tangent line to the curve is drawn at the point P. If y_P is not 0, then the tangent line intersects the elliptic curve at exactly one other point, -R. -R is reflected in the x-axis to R. This operation is called doubling the point P; the law for doubling a point on an elliptic curve group is defined by P + P = 2P = R. § The tangent at P is always vertical if y_P = 0.

Doubling the point P if y_P = 0 § If a point P is such that y_P = 0, then the tangent line to the elliptic curve at P is vertical and does not intersect the elliptic curve at any other point. By definition, 2P = O for such a point P. To find 3P in this situation, one adds 2P + P, which becomes P + O = P. Thus 3P = P, 4P = O, 5P = P, 6P = O, 7P = P, etc.

Elliptic Curve Addition: An Algebraic Approach § The geometric approach is not practical. § Adding distinct points P and Q: when P = (x_P, y_P) and Q = (x_Q, y_Q) are not negatives of each other, P + Q = R where s = (y_P - y_Q) / (x_P - x_Q), x_R = s^2 - x_P - x_Q and y_R = -y_P + s(x_P - x_R). Note that s is the slope of the line through P and Q.

Doubling the point P § When y_P is not 0, 2P = R where s = (3x_P^2 + a) / (2y_P), x_R = s^2 - 2x_P and y_R = -y_P + s(x_P - x_R). Recall that a is one of the parameters chosen with the elliptic curve and that s is the slope of the tangent at the point P.

Elliptic Curve Groups over F_p § Calculations over the real numbers are slow and inaccurate due to round-off error. Cryptographic applications require fast and precise arithmetic; thus elliptic curve groups over the finite fields F_p and F_2^m are used in practice. § Recall that the field F_p uses the numbers from 0 to p - 1, and computations end by taking the remainder on division by p. For example, in F_23 the field is composed of the integers from 0 to 22, and any operation within this field will result in an integer also between 0 and 22.

§ An elliptic curve with the underlying field F_p can be formed by choosing the variables a and b within the field F_p. The elliptic curve includes all points (x, y) which satisfy the elliptic curve equation modulo p (where x and y are numbers in F_p). For example: y^2 mod p = (x^3 + ax + b) mod p has the underlying field F_p if a and b are in F_p. § If x^3 + ax + b contains no repeated factors (or, equivalently, if (4a^3 + 27b^2) mod p is not 0), then the elliptic curve can be used to form a group. An elliptic curve group over F_p consists of the points on the corresponding elliptic curve, together with a special point O called the point at infinity. There are finitely many points on such an elliptic curve.

Example of an Elliptic Curve Group over F_p § As a very small example, consider an elliptic curve over the field F_23. With a = 1 and b = 0, the elliptic curve equation is y^2 = x^3 + x. The point (9, 5) satisfies this equation since: y^2 mod p = (x^3 + x) mod p; 5^2 mod 23 = (9^3 + 9) mod 23; 25 mod 23 = 738 mod 23; 2 = 2.

§ The 23 points which satisfy this equation are: (0, 0) (1, 5) (1, 18) (9, 5) (9, 18) (11, 10) (11, 13) (13, 5) (13, 18) (15, 3) (15, 20) (16, 8) (16, 15) (17, 10) (17, 13) (18, 10) (18, 13) (19, 1) (19, 22) (20, 4) (20, 19) (21, 6) (21, 17). These points may be graphed as in the figure.

Arithmetic in an Elliptic Curve Group over F_p § There are several major differences between elliptic curve groups over F_p and over the real numbers. § Elliptic curve groups over F_p have a finite number of points, which is a desirable property for cryptographic purposes. Since these curves consist of a few discrete points, it is not clear how to "connect the dots" to make their graph look like a curve, and it is not clear how the geometric relationships can be applied.

§ As a result, the geometry used in elliptic curve groups over the real numbers cannot be used for elliptic curve groups over F_p. However, the algebraic rules for the arithmetic can be adapted for elliptic curves over F_p. Unlike elliptic curves over the real numbers, computations over the field F_p involve no round-off error, an essential property for a cryptosystem.

Adding distinct points P and Q § The negative of the point P = (x_P, y_P) is the point -P = (x_P, -y_P mod p). If P and Q are distinct points such that P is not -Q, then P + Q = R where s = (y_P - y_Q) / (x_P - x_Q) mod p, x_R = s^2 - x_P - x_Q mod p and y_R = -y_P + s(x_P - x_R) mod p. § Note that s is the slope of the line through P and Q.

Doubling the point P § Provided that y_P is not 0, 2P = R where s = (3x_P^2 + a) / (2y_P) mod p, x_R = s^2 - 2x_P mod p and y_R = -y_P + s(x_P - x_R) mod p. Recall that a is one of the parameters chosen with the elliptic curve and that s is the slope of the tangent at the point P.

Elliptic Curve groups and the Discrete Logarithm Problem § At the foundation of every cryptosystem is a hard mathematical problem that is computationally infeasible to solve. The discrete logarithm problem is the basis for the security of many cryptosystems including the Elliptic Curve Cryptosystem. More specifically, the ECC relies upon the difficulty of the Elliptic Curve Discrete Logarithm Problem (ECDLP).

§ Recall that we examined two geometrically defined operations over certain elliptic curve groups. These two operations were point addition and point doubling. By selecting a point P in an elliptic curve group, one can double it to obtain the point 2P. After that, one can add the point P to the point 2P to obtain the point 3P. The determination of a point nP in this manner is referred to as scalar multiplication of a point. The ECDLP is based upon the intractability of reversing scalar multiplication, i.e. recovering n from nP and P.

The Elliptic Curve Discrete Logarithm Problem § In the multiplicative group Z_p*, the discrete logarithm problem is: given elements r and q of the group and a prime p, find a number k such that r = q^k mod p. If the elliptic curve group is described using multiplicative notation, then the elliptic curve discrete logarithm problem is: given points P and Q in the group, find a number k such that P^k = Q; k is called the discrete logarithm of Q to the base P. When the elliptic curve group is described using additive notation, the elliptic curve discrete logarithm problem is: given points P and Q in the group, find a number k such that kP = Q.

Example: § In the elliptic curve group defined by y^2 = x^3 + 9x + 17 over F_23, what is the discrete logarithm k of Q = (4, 5) to the base P = (16, 5)?

§ One way to find k is to compute multiples of P until Q is found. The first few multiples of P are: P = (16, 5), 2P = (20, 20), 3P = (14, 14), 4P = (19, 20), 5P = (13, 10), 6P = (7, 3), 7P = (8, 7), 8P = (12, 17), 9P = (4, 5). Since 9P = (4, 5) = Q, the discrete logarithm of Q to the base P is k = 9. In a real application, k would be large enough that it would be infeasible to determine k in this manner.

ECC - key generation § Select an elliptic curve § Generate the coordinate pairs which satisfy the curve equation modulo p and select a starting point P (of order n) § Key generation: select a random integer d (secret key) in the interval [2, n-2]; compute the point Q = dP; make Q public

ECC Encryption § select a random integer k in the interval [2, n-2] § compute (x_1, y_1) = kP and (x_2, y_2) = kQ § generate a mask Y from the shared secret as f(x_2) and compute C = Y ⊕ M, where M is the message § send the encrypted ciphertext EM as the concatenation [x_1, y_1, C]

ECC Decryption § extract (x_1, y_1) from the ciphertext EM § compute (x_2, y_2) = d(x_1, y_1) § compute the mask Y as f(x_2) § recover the message by M = C ⊕ Y
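The following Python is an added example, not code from the slides, that ties together the algebraic addition and doubling rules over F_p, the scalar-multiplication view of the ECDLP example (y^2 = x^3 + 9x + 17 over F_23, P = (16, 5), Q = (4, 5)), and the key generation, encryption and decryption steps above. The curve and points are the slides' own; the mask function f (SHA-256 of x_2, stretched to the message length), the message bytes, and the representation of O as None are this example's assumptions. Because the toy base point happens to generate a group of order 32 rather than a prime order, the scalars d and k are additionally chosen coprime to n so that kQ is never O; with a prime-order base point, as used in practice, every value in [2, n-2] already satisfies that.

```python
"""Elliptic curve arithmetic over F_p, the ECDLP example, and the slides' ECC scheme."""

import hashlib
import secrets
from math import gcd

O = None  # the point at infinity, the additive identity


class Curve:
    """y^2 = x^3 + ax + b over F_p, with the slides' addition and doubling formulas."""

    def __init__(self, a, b, p):
        if (4 * a ** 3 + 27 * b ** 2) % p == 0:
            raise ValueError("singular curve: 4a^3 + 27b^2 = 0 mod p")
        self.a, self.b, self.p = a, b, p

    def contains(self, pt):
        if pt is O:
            return True
        x, y = pt
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def add(self, P, Q):
        p = self.p
        if P is O:
            return Q
        if Q is O:
            return P
        if P[0] == Q[0] and (P[1] + Q[1]) % p == 0:
            return O  # P + (-P) = O; this also gives 2P = O when y_P = 0
        if P == Q:    # doubling: s = (3 x_P^2 + a) / (2 y_P) mod p
            s = (3 * P[0] ** 2 + self.a) * pow(2 * P[1], -1, p) % p
        else:         # distinct points: s = (y_P - y_Q) / (x_P - x_Q) mod p
            s = (P[1] - Q[1]) * pow(P[0] - Q[0], -1, p) % p
        x_r = (s * s - P[0] - Q[0]) % p
        y_r = (-P[1] + s * (P[0] - x_r)) % p
        return (x_r, y_r)

    def mul(self, k, P):
        """kP by double-and-add: the slides' repeated addition done in log k steps."""
        R, addend = O, P
        while k:
            if k & 1:
                R = self.add(R, addend)
            addend = self.add(addend, addend)
            k >>= 1
        return R

    def points(self):
        """All affine points on the curve (only feasible for a tiny p)."""
        return [(x, y) for x in range(self.p) for y in range(self.p) if self.contains((x, y))]

    def order(self, P):
        """Smallest n > 0 with nP = O, by brute force."""
        n, R = 1, P
        while R is not O:
            R, n = self.add(R, P), n + 1
        return n


def ecdlp_brute(curve, P, Q):
    """The slides' method: step through P, 2P, 3P, ... until Q appears (None if it never does)."""
    k, R = 1, P
    while R is not O:
        if R == Q:
            return k
        R, k = curve.add(R, P), k + 1
    return None


def _mask(x2, length):
    # Assumed mask function f: SHA-256 of x_2, repeated to cover the message length.
    seed = hashlib.sha256(str(x2).encode()).digest()
    return (seed * (length // len(seed) + 1))[:length]


def _scalar(n):
    # Random scalar in [2, n-2]; the gcd check only matters for this toy group of composite order.
    while True:
        s = secrets.randbelow(n - 3) + 2
        if gcd(s, n) == 1:
            return s


def ecc_keygen(curve, P, n, d=None):
    d = d if d is not None else _scalar(n)   # secret key d
    return d, curve.mul(d, P)                # public key Q = dP


def ecc_encrypt(curve, P, n, Q, message, k=None):
    k = k if k is not None else _scalar(n)   # per-message scalar k
    x1, y1 = curve.mul(k, P)
    x2, _ = curve.mul(k, Q)                  # shared secret point kQ = kdP
    C = bytes(m ^ y for m, y in zip(message, _mask(x2, len(message))))
    return (x1, y1, C)                       # EM = [x_1, y_1, C]


def ecc_decrypt(curve, d, EM):
    x1, y1, C = EM
    x2, _ = curve.mul(d, (x1, y1))           # d(kP) = kQ, so the same x_2 as the sender
    return bytes(c ^ y for c, y in zip(C, _mask(x2, len(C))))


if __name__ == "__main__":
    E = Curve(9, 17, 23)                     # the slides' curve y^2 = x^3 + 9x + 17 over F_23
    P, Q = (16, 5), (4, 5)
    print("k =", ecdlp_brute(E, P, Q))       # 9, as on the slide
    n = E.order(P)
    d, pub = ecc_keygen(E, P, n)
    print(ecc_decrypt(E, d, ecc_encrypt(E, P, n, pub, b"hello")))
```

Running the brute-force search on the toy curve takes nine steps; on a real curve n has roughly 2^256 elements and the same loop is the infeasible computation the slides refer to. The encryption also shows why k must be fresh for every message: a repeated k gives the same (x_1, y_1) and the same mask for two different plaintexts.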

Security of Smart Card § Possible attacks: § tracking: based on the protocol exchange between the terminal and the card, to track the sequence of commands § EM analysis: use an electron microscope to inspect the internal structure of the mask § confusion: disturb the power supply during PIN verification to confuse the PIN entry check and allow access to the protected memory

§ UV or X-ray inspection: use high-efficiency UV or X-rays to inspect the memory areas to extract important information like the PIN, secret key and public key § Other possible attacks: § attacks on DES, such as differential methods § attacks on RSA using cyclic properties

Trusted System Evaluation Criteria – USA (DoD) § D: Minimal protection - no protection § C1: Discretionary Security Protection - use of access control § C2: Controlled Access Protection - use of accountability/auditing § B1: Labelled Security Protection - use of sensitivity (classification) labels

§ B2: Structured Protection - use of a formal security policy, more resistant to penetration § B3: Security Domains - highly resistant to penetration; use of a security administrator, auditing of events and a system recovery process § A1: Verified Protection - high assurance against penetration; use of formal specification and verification approaches

Information Technology Security Evaluation Criteria (ITSEC) - Europe § EAL 1 – functionally tested § EAL 2 – structurally tested § EAL 3 – methodically tested and checked § EAL 4 – methodically designed, tested and reviewed § EAL 5 – semiformally designed and tested § EAL 6 – semiformally verified design and tested § EAL 7 – formally verified design and tested

Security requirements § cryptographic modules § module interfaces § roles and services § finite state machine model § physical security § Environmental Failure Protection/Testing (EFP/EFT) § software security

§ operational security § cryptographic key management § cryptographic algorithms § EMI/EMC § self tests

Security Assessment § USA Federal Information Processing Standards Publication 140-2 (FIPS PUB 140-2): Security Requirements for Cryptographic Modules § The specification defines 4 security levels: SL 1 to SL 4, where SL 1 is the lowest

*** END ***