Lecture Notes in Computer Science 5189
Commenced Publication in 1973
Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Gilles Grimaud, François-Xavier Standaert (Eds.)

Smart Card Research and Advanced Applications
8th IFIP WG 8.8/11.2 International Conference, CARDIS 2008
London, UK, September 8-11, 2008
Proceedings

Volume Editors

Gilles Grimaud
IRCICA/LIFL, CNRS UMR 8022
Univ. Lille 1, INRIA Lille-Nord Europe
Université des Sciences et Technologies de Lille LIFL
Batiment M3, 59655 cité scientifique, France

François-Xavier Standaert
UCL Crypto Group
Microelectronics Laboratory
Place du Levant, 3, 1348 Louvain-la-Neuve, Belgium

Library of Congress Control Number: 2008933705
CR Subject Classification (1998): E.3, K.6.5, C.3, D.4.6, K.4.1, E.4, C.2
LNCS Sublibrary: SL 4 – Security and Cryptology
ISSN 0302-9743
ISBN-10 3-540-85892-X Springer Berlin Heidelberg New York
ISBN-13 978-3-540-85892-8 Springer Berlin Heidelberg New York

© IFIP International Federation for Information Processing, Hofstrasse 3, A-2361 Laxenburg, Austria 2008

Preface

Since 1994, CARDIS has been the foremost international conference dedicated to smart card research and applications. Every two years, the scientific community congregates to present new ideas and discuss recent developments with both an academic and industrial focus. Following the increased capabilities of smart cards and devices, CARDIS has become a major event for the discussion of the various issues related to the use of small electronic tokens in the process of human-machine interactions. The scope of the conference includes numerous subfields such as networking, efficient implementations, physical security, biometrics, and so on.

This year's CARDIS was held in London, UK, on September 8–11, 2008. It was organized by the Smart Card Centre, Information Security Group of the Royal Holloway, University of London.

The present volume contains the 21 papers that were selected from the 51 submissions to the conference. The 22 members of the program committee worked hard in order to evaluate each submission with at least three reviews and agree on a high quality final program. Additionally, 61 external reviewers helped the committee with their expertise. Two invited talks completed the technical program. The first one, given by Ram Banerjee and Anki Nelaturu, was entitled "Getting Started with Java Card 3.0 Platform". The second one, given by Aline Gouget, was about "Recent Advances in Electronic Cash Design" and was completed by an abstract provided in these proceedings.

We would like to express our deepest gratitude to the various people who helped in the organization of the conference and made it a successful event. In the first place, we thank the authors who submitted their work and the reviewers who volunteered to discuss the submitted papers over several months. We also acknowledge the work of our invited speakers. The assistance of the Smart Card Centre at Royal Holloway was greatly appreciated. We are particularly grateful to Konstantinos Markantonakis and Keith Mayes, the organizing committee co-chairs. A big thank-you to Damien Sauveron, who maintained the submission webtool, and to the staff at Springer for solving the practical publication issues. And finally, we would like to thank the CARDIS steering committee for allowing us to serve at such a recognized conference.

September 2008
Gilles Grimaud
François-Xavier Standaert

Organization

Organizing Committee

Konstantinos Markantonakis, Royal Holloway, University of London, UK
Keith Mayes, Royal Holloway, University of London, UK

Program Committee

Mehdi-Laurent Akkar, Barclays Capital, USA
Gildas Avoine, Université catholique de Louvain, Belgium
Boris Balacheff, Hewlett-Packard Laboratories, UK
Eduardo De Jong, Sun Microsystems, USA
Josep Domingo-Ferrer, Universitat Rovira i Virgili, Spain
Dieter Gollmann, TU Hamburg-Harburg, Germany
Louis Goubin, Université de Versailles, France
Gilles Grimaud, University of Lille 1, France (co-chair)
Pieter Hartel, University of Twente, The Netherlands
Jaap-Henk Hoepman, Radboud University Nijmegen, The Netherlands
Dirk Husemann, IBM Zurich Research Laboratories, Switzerland
Marc Joye, Thomson Multimedia, France
Jean-Louis Lanet, GemAlto, France
Javier Lopez, University of Malaga, Spain
Pierre Paradinas, INRIA, France
Joachim Posegga, University of Hamburg, Germany
Emmanuel Prouff, Oberthur Card Systems, France
Damien Sauveron, University of Limoges, France
Isabelle Simplot-Ryl, University of Lille, France
François-Xavier Standaert, UCL Crypto Group, Belgium (co-chair)
Issa Taore, University of Victoria, Canada
Mike Tunstall, University College Cork, Ireland
Jean-Jacques Vandewalle, GemAlto, France
Johannes Wolkerstorfer, IAIK/University of Graz, Austria

External Reviewers

Antoni Martinez Balleste, Claude Barral, Salvatore Bocchetti, Pierre-François Bonnefoi, Arnaud Boscher, Samia Bouzefrane, Bastian Braun, Emmanuel Bresson, Ileana Buhan, Jordi Castella-Roca, Serge Chaumette, Liqun Chen, Christophe Clavier, Julien Cordry, Mark Crosbie, Vanesa Daza, Lauren Del Giudice, Eric Deschamps, Trajce Dimkow, Roberto Di Pietro, Emmanuelle Dottax, Alain Durand, Pierre Dusart, Martin Feldhofer, Pierre Girard, Sylvain Guilley, Stuart Haber, Georg Hofferek, Michael Hutter, Samuel Hym, Luan Ibraimi, François Ingelrest, Martin Johns, Chong Hee Kim, Markus Kuhn, Cedric Lauradoux, François Mace, Mark Manulis, Nathalie Mitton, Ayse Morali, Christophe Mourtel, Christophe Muller, Robert Naciri, Gilles Piret, Henrich C. Poehls, Emanuel Popovici, Thomas Popp, Christian Rechberger, Mathieu Rivain, Tomas Sander, Daniel Schreckling, Francesc Sebe, Saeed Sedghi, Yannick Sierra, Sergei Skorobogatov, Agusti Solanas, Junko Takahashi, Jean-Marc Talbot, Ronald Toegl, Claire Whelan, Emmanuele Zambon

Table of Contents

Malicious Code on Java Card Smartcards: Attacks and Countermeasures
    Wojciech Mostowski and Erik Poll

Static Program Analysis for Java Card Applets
    Vasilios Almaliotis, Alexandros Loizidis, Panagiotis Katsaros, Panagiotis Louridas, and Diomidis Spinellis

On Practical Information Flow Policies for Java-Enabled Multiapplication Smart Cards
    Dorina Ghindici and Isabelle Simplot-Ryl

New Differential Fault Analysis on AES Key Schedule: Two Faults Are Enough
    Chong Hee Kim and Jean-Jacques Quisquater

DSA Signature Scheme Immune to the Fault Cryptanalysis
    Maciej Nikodem

A Black Hen Lays White Eggs: Bipartite Multiplier Out of Montgomery One for On-Line RSA Verification
    Masayuki Yoshino, Katsuyuki Okeya, and Camille Vuillaume

Ultra-Lightweight Implementations for Smart Devices – Security for 1000 Gate Equivalents
    Carsten Rolfes, Axel Poschmann, Gregor Leander, and Christof Paar

Fast Hash-Based Signatures on Constrained Devices
    Sebastian Rohde, Thomas Eisenbarth, Erik Dahmen, Johannes Buchmann, and Christof Paar

Fraud Detection and Prevention in Smart Card Based Environments Using Artificial Intelligence
    Wael William Zakhari Malek, Keith Mayes, and Kostas Markantonakis

The Trusted Execution Module: Commodity General-Purpose Trusted Computing
    Victor Costan, Luis F.G. Sarmenta, Marten van Dijk, and Srinivas Devadas

Management of Multiple Cards in NFC-Devices
    Gerald Madlmayr, Oliver Dillinger, Josef Langer, and Josef Scharinger

Coupon Recalculation for the GPS Authentication Scheme
    Georg Hofferek and Johannes Wolkerstorfer

Provably Secure Grouping-Proofs for RFID Tags
    Mike Burmester, Breno de Medeiros, and Rossana Motta

Secure Implementation of the Stern Authentication and Signature Schemes for Low-Resource Devices
    Pierre-Louis Cayrel, Philippe Gaborit, and Emmanuel Prouff

A Practical DPA Countermeasure with BDD Architecture
    Toru Akishita, Masanobu Katagi, Yoshikazu Miyato, Asami Mizuno, and Kyoji Shibutani

SCARE of an Unknown Hardware Feistel Implementation
    Denis Réal, Vivien Dubois, Anne-Marie Guilloux, Frédéric Valette, and Mhamed Drissi

Evaluation of Java Card Performance
    Samia Bouzefrane, Julien Cordry, Hervé Meunier, and Pierre Paradinas

Application of Network Smart Cards to Citizens Identification Systems
    Joaquin Torres, Mildrey Carbonell, Jesus Tellez, and Jose M. Sierra

SmartPro: A Smart Card Based Digital Content Protection for Professional Workflow
    Alain Durand, Marc Éluard, Sylvain Lelievre, and Christophe Vincent

A Practical Attack on the MIFARE Classic
    Gerhard de Koning Gans, Jaap-Henk Hoepman, and Flavio D. Garcia

A Chemical Memory Snapshot
    Jörn-Marc Schmidt

Recent Advances in Electronic Cash Design
    Aline Gouget

Author Index

Malicious Code on Java Card Smartcards: Attacks and Countermeasures

Wojciech Mostowski and Erik Poll

Digital Security (DS) group, Department of Computing Science
Radboud University Nijmegen, The Netherlands
{woj,erikpoll}@cs.ru.nl

Abstract. When it comes to security, an interesting difference between Java Card and regular Java is the absence of an on-card bytecode verifier on most Java Cards. In principle this opens up the possibility of malicious, ill-typed code as an avenue of attack, though the Java Card platform offers some protection against this, notably by code signing.

This paper gives an extensive overview of vulnerabilities and possible runtime countermeasures against ill-typed code, and describes results of experiments with attacking actual Java Cards currently on the market with malicious code.

1 Overview

A huge security advantage of a type-safe language such as Java is that the low-level memory vulnerabilities, which plague C/C++ code in the form of buffer overflows, are in principle ruled out. Also, it allows us to make guarantees about the behaviour of one piece of code, without reviewing or even knowing all the other pieces of code that may be running on the same machine.

However, on Java Card smartcards [9] an on-card bytecode verifier (BCV) is only optional, and indeed most cards do not include one. This means that malicious, ill-typed code is a possible avenue of attack.

Of course, the Java Card platform offers measures to protect against this, most notably by restricting installation of applets by means of digital signatures, or disabling it completely. Still, even if most Java Card smartcards that are deployed rely on these measures to avoid malicious code, it remains an interesting question how vulnerable Java Card applications are to malicious code. Firstly, the question is highly relevant for security evaluations of code: can we evaluate the code of one applet without looking at other applets that are on the card? Secondly, the defence mechanisms of the Java Card platform are not so easy to understand; for instance, there is the firewall as an extra line of defence, but does that offer any additional protection against ill-typed code, and can it compensate for the lack of BCV? And given the choice between cards with and without BCV, are there good reasons to choose one over the other? (As we will show, cards with on-card BCV may still be vulnerable to ill-typed code!)

In this paper we take a serious look at the vulnerability of the Java Card platform against malicious, ill-typed code. We consider the various ways to get

G. Grimaud and F.-X. Standaert (Eds.): CARDIS 2008, LNCS 5189, pp. 1–16, 2008.
© IFIP International Federation for Information Processing 2008