Showing posts with label SIM application toolkit. Show all posts

Jul 13, 2011

Digipass Nano

I recently had an opportunity (thanks SURFnet, and VASCO) to have some hands-on experience with a novel class of authentication tokens. In a project for SURFnet my colleague Maarten Wegdam and I looked at so-called SIM augmented authentication tokens, and the VASCO Digipass Nano in particular. The results of our analysis, in the form of a more detailed report, are available from the SURFnet website.

About the technology: A SIM augmented solution sits between the SIM and the handset (the ME) and consists of a very thin chip (see the image) in a sticker. It basically relays all traffic, consisting of so-called ISO 7816-4 APDUs, from ME to SIM and back, while intercepting certain APDUs and injecting certain other APDUs. The user can interact with this benign man-in-the-middle through the SIM application toolkit (GSM 11.14, see also my earlier post on Mobile PKI), which is implemented in any GSM handset. VASCO's Digipass Nano uses this trick to implement an event-based One Time Password token that is accessed by navigating the SIM menu in the handset, yet is fully secure (if GSM 11.14 is implemented securely) from snooping malware.

The man-in-the-middle characterization of SIM augmented solutions sounds scary, if you think about it, especially with respect to the trust that the ME (through GSM 11.14) puts in the SIM. On the other hand:
  • The (security, usability, and business model) advantages of secure storage of credentials may outweigh the (security, usability, and business model) disadvantages of asking the user to place a hardware device between SIM and ME. (I.e., the security should not be analyzed in isolation, and there are both security advantages and disadvantages.)
  • An attack which asks the user to place a (not-to-be-trusted) SIM augmented solution in their handset doesn't scale (and there is so much more low-hanging fruit for attackers, which scales much better). For a full threat analysis, see the report.
  • The average user isn't too concerned about what the SIM augmented solution can do. We did a small-scale user test as part of our research.
  • SIM augmentation based on GSM 11.14 allows, in principle, multiple secure elements (or secure cores, in Du Castel speak) within a single handset. Multiple secure elements, representing multiple stakeholders, break the Mobile Network Operator dominated model for (very secure) credential storage. We also did a brief business model analysis as part of the report.
Whether we will see SIM augmented solutions in the short term remains to be seen. But it's certainly interesting technology to analyze.

Sep 17, 2010

SMS text authentication for patient access to Dutch electronic health record


The encryption algorithm A5/1 used in GSM has been suspect since at least 1994 (when the algorithm leaked). Nohl's talk at 26C3 (November 2009) demonstrates that a practical attack will become possible soon. And all of a sudden people start to get nervous in 2010.

As a follow-up to their report for the Dutch Ministry of Health, Radboud University and PriceWaterhouseCoopers recently published a risk assessment focusing on GSM-based SMS text authentication as a factor to strengthen the Dutch government citizen-to-government authentication solution DigiD.

SMS text authentication is already used in DigiD level 2, but the binding of a user's subscriber number to their DigiD is rather weak: anyone with access to the mailbox of the user's registered home address (the so-called GBA address) can bind a new mobile phone to the user's existing DigiD account (and subsequently order a password reset, completely hijacking the account). The original report by RU, PWC and TILT recommended strengthening this binding process so that a patient would have to prove possession of a subscriber number to a government representative face-to-face. The strengthened DigiD (known as EPD-DigiD) can then be used by patients to access their electronic health record in a standard SMS OTP authentication scenario (during a session the user has an extra factor with a separate network connection to the provider).

The conclusion of the RU/PWC risk analysis is that although breaking A5/1 leaves SMS authentication relatively secure (the risk of actual abuse is not that high), the perceived lack of security in public opinion and the non-compliance with security standards may be damaging to the reputation of the government. The solution is not secure enough to allow patients to access their health records at this point in time.

What I don't get is the proposed solution: a conversion table (on paper) sent to each user over regular snail mail (how secure is that?). The user uses this table to manually translate the code that was sent in an SMS message before entering it in the browser's form. This appears not to add an extra factor: an attacker that can eavesdrop on the Web channel and the GSM channel will soon learn the mapping. Also from a user experience perspective that sounds horrible.

An alternative approach would be to install a SIM toolkit applet on the SIM which performs the translation automatically for the user. Rather than a static table per user one can even use a key (but with a decent cipher; I'm sure the current generation of SIMs in the field support AES or at least 3DES) and have real security. Sort of a light-weight-Mobile-PKI-without-the-PKI solution.
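The comparison made above, worked through as an added example (not code from the reports or from DigiD). It assumes the paper table is a per-user digit-for-digit substitution, which the post does not specify, and uses HMAC-SHA256 from the Python standard library as a stand-in for the AES or 3DES a SIM applet would use; all function names are hypothetical.

```python
import hashlib
import hmac
import random

DIGITS = "0123456789"

def make_table(rng):
    """Per-user paper table: a random permutation of the ten digits (assumed form)."""
    return dict(zip(DIGITS, rng.sample(DIGITS, 10)))

def translate_with_table(table, sms_code):
    return "".join(table[d] for d in sms_code)

def translate_with_key(key, sms_code):
    """Keyed translation; HMAC-SHA256 stands in for the SIM's AES/3DES."""
    mac = hmac.new(key, sms_code.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"

def learn_mapping(pairs):
    """What (SMS code, entered code) pairs seen on both channels reveal.
    Returns the partial digit table, or None if no fixed table fits the pairs."""
    learned = {}
    for sms_code, entered in pairs:
        for src, dst in zip(sms_code, entered):
            if learned.setdefault(src, dst) != dst:
                return None
    return learned

def sessions_until_table_known(table, rng, limit=1000):
    """Number of observed logins after which all ten table entries are known."""
    pairs = []
    for n in range(1, limit + 1):
        code = "".join(rng.choice(DIGITS) for _ in range(6))
        pairs.append((code, translate_with_table(table, code)))
        if len(learn_mapping(pairs)) == 10:
            return n
    return None

if __name__ == "__main__":
    rng = random.Random(2010)  # fixed seed so the run is repeatable
    table = make_table(rng)
    print("logins until the paper table is fully known:",
          sessions_until_table_known(table, rng))
    key = bytes(rng.randrange(256) for _ in range(16))  # constructed sample key
    codes = [f"{rng.randrange(10**6):06d}" for _ in range(20)]
    keyed = [(c, translate_with_key(key, c)) for c in codes]
    print("keyed outputs fit a fixed table:", learn_mapping(keyed) is not None)
```

With a static table every observed login fixes up to six entries for good, whereas the keyed outputs are inconsistent with any fixed table, so observed pairs do not predict the translation of the next code.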

Dec 7, 2009

SIM security and GSM security


In the old days the SIM was there to control access to the GSM network. A GSM 11.11 compliant handset would forward an authentication request from the network to the SIM by issuing a RUN_GSM_ALGORITHM command. And that was it. The threat landscape was clear (unauthenticated access to the network) and security of the solution relied entirely on the security of the SIM.

The SIM application toolkit complicates things, however. A GSM 11.14 compliant handset implements a complex protocol which involves polling multiple Java Card applets and message passing from and to the network and the GUI. If the handset correctly implements this protocol then SIM applets have a trusted interface to the user during so-called proactive SIM sessions. This means, for example, that an application on the handset (a MIDlet, say) cannot interfere with the GUI during such sessions. (GSM 11.14 doesn't actually say that, but other ETSI standards such as ETSI 102 206 seem to rely on this.)

Some weeks ago a worm targeting jailbroken iPhones was discovered. The iPhone (besides being a lot of other things) is a GSM handset which implements GSM 11.14 at some level. Big question is: is a jailbroken iPhone still a GSM 11.14 compliant handset?

With smart phone operating systems becoming more open (and users demanding control over them) this is getting more interesting. Perhaps a hypervised approach is the solution. In any case, it's not as simple as it used to be.
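How the two kinds of traffic in this post look on the ME-to-SIM interface, as an added example (not from any handset or SIM vendor): a decoder that separates the single GSM 11.11 authentication command from the GSM 11.14 toolkit commands in a trace. The trace is constructed, and the `decode` and `summarize` names and the family labels are hypothetical.

```python
# INS byte -> (name, family, whether the command carries data from ME to SIM)
COMMANDS = {
    0xA4: ("SELECT", "file", True),
    0xF2: ("STATUS", "file", False),
    0x88: ("RUN GSM ALGORITHM", "network-auth", True),
    0x10: ("TERMINAL PROFILE", "toolkit", True),
    0xC2: ("ENVELOPE", "toolkit", True),
    0x12: ("FETCH", "toolkit", False),
    0x14: ("TERMINAL RESPONSE", "toolkit", True),
}
ENVELOPE_TAGS = {0xD1: "SMS-PP download", 0xD3: "menu selection"}

def decode(apdu_hex):
    """Decode one command APDU (CLA INS P1 P2 P3 [data]); ValueError if malformed."""
    apdu = bytes.fromhex(apdu_hex)
    if len(apdu) < 5 or apdu[0] != 0xA0:
        raise ValueError("not a GSM class (A0) command")
    ins, p3 = apdu[1], apdu[4]
    if ins not in COMMANDS:
        return ("INS %02X" % ins, "unknown", "")
    name, family, data_in = COMMANDS[ins]
    expected = 5 + (p3 if data_in else 0)  # P3 is Lc for data-in, Le otherwise
    if len(apdu) != expected:
        raise ValueError(f"{name}: length {len(apdu)}, expected {expected}")
    if ins == 0x88 and p3 != 16:
        raise ValueError("RUN GSM ALGORITHM takes a 16-byte RAND")
    # For ENVELOPE the first data byte is the tag naming the event.
    detail = ENVELOPE_TAGS.get(apdu[5], "other event") if ins == 0xC2 and p3 else ""
    return (name, family, detail)

def summarize(trace):
    """Count commands per family: how much of the interface is toolkit traffic."""
    counts = {}
    for line in trace:
        family = decode(line)[1]
        counts[family] = counts.get(family, 0) + 1
    return counts

# Constructed trace, not captured from a real handset or SIM.
TRACE = [
    "A0A40000023F00",                                   # SELECT the master file
    "A010000004FFFFFFFF",                               # ME announces toolkit support
    "A088000010" + "00112233445566778899AABBCCDDEEFF",  # RAND from the network
    "A0C2000009D30782020181900101",                     # user picked SIM menu item 1
    "A01200001B",                                       # ME fetches a proactive command
    "A01400000C810301240082028281830100",               # ME reports the result
]

if __name__ == "__main__":
    print(summarize(TRACE))
```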

Oct 19, 2009

Two ideas I could have submitted to the SIMagine contest


Here are two ideas I could have submitted to the SIMagine contest, but didn't. ;)
  1. Info Cards securely stored in your SIM: Florian van Keulen, one of Maarten's students did a project on different architectures for implementing Info Card on mobile devices. One of the options that Florian investigated was to store the Info Cards on the SIM. A handset resident application would then facilitate communication between the Card Selector on a different platform (a PC in an Internet cafe) and the SIM through Bluetooth.
  2. Turning an existing contactless smart card into a pre-paid mobile SIM application: You're not supposed to be able to clone an ePassport or contactless credit card, of course. But you can do something else. You can pre-record some challenge-response pairs using an NFC handset and store these in an application on the secure element (SE, usually the SIM card) of the handset. If the application can authenticate itself to an inspection system (a POS terminal) then the handset can be used instead of the original contactless card. This improves convenience: one device instead of multiple cards, and you now have a GUI. As for security: You can limit the number of challenge-response pairs, you can time-stamp the challenge-response pairs (the SE can connect to some trusted time server during enrollment), etc.
Oh well, deadline expired, never mind.

Oct 1, 2009

Mobile PKI


Mobile PKI, also known as Wireless PKI (and a lot of other names such as Mobile Secure Signature Service, Secure Signature Creation Device, ...) is a technology which allows users to place electronic signatures with their cell phone. This can be used for applications that run on the phone, but also for applications that run on other platforms (the user's computer connected to the Internet, for instance). One could use this, for example, as an authentication mechanism at a relying party. In the latter scenario your phone is a "something-you-have" token which provides extra security as an attacker would have to manipulate two separate channels to mount an attack. Before placing a signature, the cell phone will ask the user for his or her PIN.

The SIM card inside the cell phone plays a central role in Mobile PKI. Actually, the obvious way to implement Mobile PKI is through a so-called SIM Application Toolkit (SAT) applet installed on the SIM card. SAT has some really cool features that make things easy, both for the mobile operator and for the user:
  • They can be installed over the air (OTA) to an already deployed SIM by the mobile operator, without disturbing the user
  • They can add extra (basic menu-based) features to the GUI
  • They can react to events such as selection of menus by the user or incoming SMSs sent by the mobile operator
This makes Mobile PKI a pretty secure solution:
  • The application resides on a tamper resistant smart card
  • Most handset manufacturers will make sure that there's a trusted path from the phone's keyboard to SAT applications (the malware problem seems to still be small for the mobile platform)
  • The separate channel advantage was already mentioned above
It's also user-friendlier when compared to other authentication solutions such as smart cards, PKI tokens, and one-time-password SMSs:
  • The PIN is the same for each and every transaction
  • There's no need to install software on the user's PC
  • There's no need to read and type challenges or responses
  • Most users will not forget or leave their cell phone unattended, and most will notice and report a missing or stolen phone
Mobile PKI was standardized by ETSI around 2002/2003. Also, Common Criteria protection profiles for Secure Signature Creation Devices have existed since 2001. So the technology is pretty old. It has found its way to end-customers in some countries, most notably Turkey and more recently the Nordic countries (in Finland you can apparently even add your government issued eID to a SIM card). Most of the SIM manufacturers and technology providers offer Mobile PKI as an option to their customers (the mobile operators). I wonder why this hasn't caught on here in the Netherlands.