Tutorials

Tutorial #1: Everything You Always Wanted to Know About Payment Terminals Security*

* But Were Afraid to Ask

Lecturers

* Pr Jean-Jacques Quisquater, Crypto group, Emeritus Université Catholique de Louvain
* David Samyde, former student of Pr Quisquater

Description

On the other side of a smartcard is in general a reader, even if many readers are SIM based nowadays, a number of cards (contact and contactless) care still used for payments and financial transactions. This tutorial explores the world of those payment terminals. The security of payment terminals is an industrial place with some specific processes, methods and requirements. The Payment Card Industry (PCI) manages and regulates this world. How is this done? What are the tradeoffs? Are they all justified and what can be done? What is the idea between the standards and the requirements? What is the gap between academic research and what is running and secured inside those devices?

A terminal has physical security requirements to prevent, limit and even detect a physical intrusion. But a terminal has also logical security requirements to secure the execution of the software running on it and relevant applications. If the payment terminal is connected to a network, then some additional security requirements linked to communication are considered. All interactions between the terminal and smartcards will be analyzed.

This tutorial will summarize the evolution of the standards managing payment terminal security through ages and will detail all the practical security used to make a terminal able to pass a proper certification. The approach of mitigating the risk will be analyzed in depth and blind spots will also be discussed and highlighted. The management of the cryptographic secret inside a payment terminal demands some special attention and is well regulated. How is cryptography and handling of secrets (smartcards, cryptographic processor, …) implemented in this specific domain? All those points will be detailed by the present tutorial.

To avoid legal issues all examples will be anonymized, but some limitations to the rules and the proper application of standards will also be demonstrated and discussed. The discipline of payment terminal security has experienced some hick ups in the past, from a hacked device running frog or Tetris, to a brand new device revealing her PIN to a journalist in real time during a demonstration, or more recently to some Android device accepting to execute some non-secure application. More recently some manufacturers experience some intrusive investigation following allegations of data leakage and extraction. All those stories will be analyzed, and conclusions will be drown from them, with some surprising new elements.

The evolution of the security of payment terminals is now turning in the direction of securing the supply chain, this will be considered from a hardware and software perspective.

By extension some side domain relevant to Automatic Teller Machines will be considered too and a quick comparison will conclude the tutorial.

Additional Information

Some devices will be opened and the audience will have the ability to consider their skills at bypassing some elements of security and how to extract sensitive information from multiple payment terminals.

The slides can be found here.

Tutorial #2: Side-channel cryptanalysis of a masked AES with SCALib

Lecturers

* Olivier Bronchain (NXP Semiconductors), olivier.bronchain@nxp.com
* Gaëtan Cassiers (Graz University of Technology), gaetan.cassiers@iaik.tugraz.at

Description

Side-channel security evaluations often involve complicated workflows and be computationally-intensive, in particular when protected implementations are considered. While some of this complexity is sometimes unavoidable, we will show that evaluations can also be pretty simple and fast.

In this tutorial, we analyze the security of a masked implementation. Starting from the power leakage traces collected by ANSSI (the ASCAD dataset), we will show how to implement a very powerful attack, leading to key recovery in a single trace. The implementation of the attack will be based on the speakers' SCALib library. which provides optimized implementations of common algorithms for side-channel analysis. Its simple interfaces enable the implementation the full attack in a few lines of python code, while running in a few minutes on a laptop.

Concretely, the goal of the tutorial is to implement an attack using SCALib and evaluate it, in a worst-case security setting. That is, we assume that the evaluator as extensive knowledge of the implementation and has complete access to a sample device to profile the leakage, including knowledge of the masks used. The attack will be implemented end-to-end, from the selection of the points-of-interest (POIs) for the leakage, to the computation of the correct key rank after the attack. The attack is based on the profiling of many intermediate variables in the computation, using the signal-to-noise ratio (SNR) to select the POIs and linear discriminant analysis (LDA) to infer posterior distributions for the targeted values. The information on all the intermediate values is then combined to infer the key, using a soft analytical side-channel attack (SASCA). This step produces a probability distribution for each of the key bytes, from which a key enumeration can be attempted. In an evaluation context, we propose instead to use a key rank estimation algorithm, which sidesteps the computationally expensive enumeration and provides an equivalent result for the evaluator. The tutorial will discuss the methods and metrics for the selection of the hyperparameters in the method. A well-tuned attack is able to recover the key in a single trace with a high success rate.

The tutorial will alternate short talks explaining the working principles of the attack steps and hands-on sessions for the implementation of these attack by the participants.

Logistical Requirements

Laptop with python ≥ 3.8 and pip. Download in advance the dataset here (1.3 GB).

Useful Links

* Gaëtan's personal website: https://perso.cassiersg.be/
* Olivier's personal website: https://obronchain.github.io/
* The Side-Channel Analysis Library (SCALib): https://github.com/simple-crypto/SCALib/ and https://github.com/simple-crypto/scalib-tutorial
* SIMPLE-Crypto: https://www.simple-crypto.org/