Eva van Niekerk
Security evaluator – Brightsight
Speaks at ID WORLD on Chip Security
Eva van Niekerk is security evaluator at Brightsight and active member of the R&D team. She is responsible for Brightsight’s knowledge management on cryptographic implementations and attack methodologies and regularly attends conferences to related topics. She has been involved in e-Passport security evaluation projects under the Common Criteria standard. Eva holds a Master in Mathematics and a Professional Doctorate in Engineering from the University of Eindhoven.
Key issues regarding privacy and security in e-Passports
Many smart cards are using proximity technology (RF) nowadays. Smart cards that perform cryptographic operations use secret keys, which are used for example in mobile payment applications. These applications are often put on a dual-interface card. Another example of the use of secret keys is for ensuring the confidentiality and integrity of the data in an e-passport, which generally is a contactless-only device. In both applications, and in many more, the secret keys are an asset and are of interest to an attacker.
There are several known attack possibilities, which must be countered by developer of the e-passport. Brightsight has investigated the possibilities to apply power analysis attack techniques to dual interface and contactless smart cards. Opposed to other attack methods this method is non-invasive, leaving no evidence on the smart card packaging.
This presentation addresses:
Examples of interesting secret keys used in the e-passport ICAO specification;
The attack characteristics (i.e. how to perform an attack);
The tools and expertise necessary to perform an attack;
Known techniques and implementation guidelines to counter an attack.
This presentation will show that the technique for performing DPA on contactless
smart cards should be considered mature. We will also explain why the attack should be considered in a dual-interface smart card even when the contact interface is already investigated. Concluding, we will argue there is a need for sufficient, proven measures to counter this attack, since RF is not an intrinsically secure technology.