Jul 13, 2011

Digipass Nano

I recently had an opportunity (thanks SURFnet, and VASCO) to have some hands-on experience with a novel class of authentication tokens. In a project for SURFnet my colleague Maarten Wegdam and myself looked at so-called SIM augmented authentication tokens, and the VASCO Digipass Nano in particular. The results of our analysis, in the form of a more detailed report, is available from the SURFnet website.

About the technology: A SIM augmented solution sits between the SIM and the handset (the ME) and consists of a very thin chip (see the image) in a sticker. It basically relays all traffic, consisting of so-called ISO7816-4 APDUs, from ME to SIM and back, while intercepting certain APDUs and injecting certain other APDUs. The user can interact with this benign man-in-the-middle through the SIM application toolkit (GSM 11.14, see also my earlier post on Mobile PKI), which is implemented in any GSM handset. VASCO's Digipass Nano uses this trick to implement an event based One Time Password token that is accessed by navigating the SIM menu in the handset, yet is fully secure (if GSM 11.14 is implemented securely) from snooping malware.

The man-in-the-middle characterization of SIM augmented solutions sounds scary, if you think about it, especially with respect to the trust that the ME (through GSM 11.14) puts in the SIM. On the other hand:
  • The (security, usability, and business model) advantages of secure storage of credentials may outweigh the (security, usability, and business model) disadvantages of asking the user to place a hardware device between SIM and ME. (I.e., the security should not be analyzed in isolation, and there are both security advantages and disadvantages.)
  • An attack which asks the user to place a (not-to-be-trusted) SIM augmented solution in their handset doesn't scale (and there is so much more low-hanging fruit for attackers, which scales much better). For a full threat analysis, see the report.
  • The average user isn't too concerned about what the SIM augmented solution can do. We did a small-scale user test as part of our research.
  • SIM augmentation based on GSM 11.14 allows, in principle, multiple secure elements (or secure cores, in Du Castel speak) within a single handset. Multiple secure elements, representing multiple stake holders, breaks the Mobile Network Operator dominated model for (very secure) credential storage. We also did a brief business model analysis as part of the report.
Whether we will see SIM augmented solutions in the short term remains to be seen. But it's certainly interesting technology to analyze.