JavaCard, Global Platform and SIM vulnerabilities

Security researcher Karsten Nohl recently announced discovery of vulnerabilities in SIM cards, to be presented at the upcoming BlackHat conference. Since exact details of the problem are scant, this post will cover background material on smart cards– which SIM is a special case– and their management model. Nohl’s summary hints at the existence of two independent problems:

  • A cryptographic key used for provisioning code to the SIM card can be brute-forced. Recovering the key allows installing new applications.
  • Implementation error in the smartcard operating system running inside the SIM card, which allowed one application to access data belonging to another one.

The first problem is nominally the realm of Global Platform. GP is a standard dating back to the 1990s for describing how to carry out content management operations on a smart card. (Here we will use “smart card” in generic sense of a tamper-resistant execution environment regardless of its form factor. By this definition plastic cards used for chip & PIN, electronic passports, smaller SIM cards used in mobile phones to connect to the cellular network, embedded secure elements featured in certain Android phones, USB tokens etc. all feature a “card” environment inside.) Content management includes installing/deleting applications, creating new security domains– roughly corresponding to notion of user accounts on a desktop operating system– as well as assigning cryptographic keys and privileges for these domains. Unlike commodity desktop OSes, card platforms are inherently locked down: these operations are only allowed to well-defined roles such as “card issuer.” The end-user holding the card rarely has that power. Instead a centralized service called “trusted services manager” or TSM has possession of cryptographic keys used to authenticate to the card OS and carry out these privileged operations. GP defines a secure messaging protocol, prescribing the protocol for establishing an authenticated channel, and laying out the format for how individual messages addressed to the card are authenticated and encrypted. GP also has a notion of a card manager application, which performs a role akin to a software installer. Typically the TSM authenticates to the card manager using the issuer-security domain or ISD keys, informally known as card manager keys and uploads new application code over the secure channel. Until GP2.2 the card manager was the only way to install new code. GP2.2 introduced the notion supplementary security domains with privilege for managing code on the card.

How strong is the secure messaging protocol? The answer is, it depends on the choice of parameters. GP defines many options when it comes to the choice of cryptographic primitives. Most of them are based on symmetric keys, with TSM and card sharing a secret, typically unique for each card– so-called “diversified” set up because each card has different keys, avoiding a single global secret across the system. This is a historical artifact of public-key cryptography not being fast enough on the early generation of hardware, since smart cards are highly constrained in terms of power, CPU speed and memory. Cards used in payment applications typically support 2TDEA, which is to say triple-DES with two independent keys, with first and third key being equal. (Only specifying two keys and leaving the third constant would not work because it is vulnerable to a meet-in-the-middle attack.) For example 2TDEA is used for over-the-air provisioning of applets to the Android secure element when Google Wallet is set up. Latest amendments to the GP spec also introduced the option for using AES.

SIM cards however support an alternative way to install applications, using the SIM Application Toolkit. This is a standard only relevant to wireless carriers, independent of Global Platform.  Judging by reports it was this application using a single DES key for authenticating code installation rather than the card manager.

Assume that we recovered the card manager keys– while in this case it sounds like the attack did not accomplish that, we will conservatively look at the worst-case scenario. Now what? It’s tempting to conclude that it is game over. But the GP specification is a bit more nuanced than “ISD equals root.” In fact there is no concept of an all-powerful root or administrator role in cards compliant with GP. Here are examples of things that TSM can not do, even with complete control over card manager keys:

  • Read/write raw EEPROM, Flash or other persistent storage of the card
  • Recover private data belonging to an existing application
  • Upgrade the code for an existing application. In fact GP has no notion of in-place upgrade. An application can be deleted and reinstalled but that will lose all existing data associated with that instance. There is no way to “backdoor” an already installed application with a malicious version without losing all instance data.
  • Read out the cryptographic keys associated with any other security domain– TSM can overwrite them to take over any other supplementary security domain, but not learn the previous keys.
  • Attach debugger or other diagnostic schemes to existing applications; GP has no such concept either.
  • Recover the binary for an existing applications. Surprisingly even reading out the executable code is not possible after the application is installed.

This presents the attacker with a dilemma. We have a SIM card with previous installed application– the GSM applet– which contains valuable cryptographic secrets used to authenticate to the carrier network. (Just to be clear: the GSM key has nothing to do with Global Platform. It is used for obtaining cell phone service by proving identity of the subscriber to the base-station.) Even with ISD keys we can not scrape that secret out directly. But we are able to install other applications on the card. What can those applications do?

Global Platform is silent on this point. That is up to the underlying card environment. That brings us to the second vulnerability hinted in Nohl’s summary. JavaCard is a common standard for programming smart cards, running a highly restricted set of Java. Not all cards are JC-based, but it is popular enough that many SIM products utilize this platform. JavaCard in principle has a very clean model for supporting multiple, isolated applets running side-by-side on the same virtual machine. (This is unlike the model used for running Java on a commodity OS, where each application typically runs in its own process with its own instance of JVM. Due to the resource constraints of card environments, there is just one VM.) Short version is that all applets are isolated from each other, and the only way to communicate is by going through an explicit “sharable interface” mechanism to make RPC-style calls from one applet to another. Outside that mechanism, it is not possible for one applet to reach-in and read out data associated with another applet in the same VM.

At least that is the theory. In principle the virtual machine implementations running on card environments have much weaker validation rules compared to their full-fledged desktop incarnations. For example, the applet installation process for JavaCard includes an off-card validation step:

From Oracle, http://www.oracle.com/technetwork/java/javacard/javacard2-138597.html

From Oracle, JavaCard framework description

At this point, alarm bells should go off. The whole point of Java is that it promises sandboxing for code, in ways that native execution environments can not easily provide without great overhead. Yet the JVM on the card is relying on some external validation of bytecode to guarantee those properties? What happens if someone decides to “skip” that off-card validation step and install deliberately corrupted bytecode?

That we will find out at BlackHat this year.

CP

Using cloud services as glorified drive: virtual disks (part II)

The preceding post looked at a naïve approach for combining local file encryption using EFS with cloud storage, explaining why that mixture does not accomplish the intended objective. Here we look at an alternative design that does work as expected. There are three ingredients:

  1. Virtual disk images (also known as VHD files, after the extension used by MSFT virtualization software for this type of image)
  2. BitLocker-To-Go full volume encryption (“BL2G”)
  3. Any remote storage/backup system that relies on syncing a local folder to the cloud. For these examples we will use MSFT SkyDrive, but the same approach works for DropBox, Google Drive or any other service patterned on keeping a local folder synchronized

“All problems in computer science can be solved by adding one more layer of indirection” goes one popular CS aphorism. Virtualization happens to be one of the more broadly applicable ways of adding indirection. Virtual disk files are typically used to represent images for virtual machines. In this case, they solve a slightly different problem of bridging abstraction levels. The encryption scheme we plan to use operates on entire drives. Meanwhile cloud storage solutions typically work at the level of folders and files.  There are many ways to make a directory appear as a full disk drive– for example sharing the folder and then making a loopback connection to that network share will mount it as a drive. But that approach will present the “disk” in the wrong representation, as a remote SMB share not directly controlled by the local OS. By contrast BL2G requires disks directly addressable at block level.

This is where the ability to mount VHDs as removable drives comes in handy. In effect what looks like a single file to the cloud synchronization software appears as a removable drive to the operating system, much like a USB thumb drive that can be connected and disconnected at will. Better yet, Windows BL2G encryption feature is directly applicable to this type of disk. (For completeness: VMware also has a comparable VMDK format for disk images. However manipulating these requires additional software installation while VHD is natively supported out of the box.)

Creating the disk image

The first step then is creating the VHD. There are different ways of doing this based on the operating system version. For Windows 7, one needs the Storage Manager snap-in. This can be either added to any MMC console, or it can be accessed directly by right-clicking on “Computer” and choosing the Manage option. Right-clicking on storage manager brings up a context menu with the option to create a new VHD:

CreateVHD_ComputerManagement      CreateVirtualDisk_details

While the location of the VHD file is not important,  it helps to choose a modest size due to limitations of the synchronization process that will be discussed in greater detail later. After the file is created, the virtual disk has to be initialized and formatted, as described in this tutorial. These steps only need to be performed once. Once the VHD image is initialized with a file system, it can be mounted/unmounted multiple times.

Mounting the disk image

The other half of the puzzle is mounting an existing VHD which has been downloaded from the cloud. In other words, we want to get to a point where Windows views that file as an ordinary disk drive with a letter assigned such as R. In that state we can browse into that folder in Explorer and drag-and-drop files for cloud storage. In Windows 8 this is as simple as double-clicking the VHD file. Windows 7 requires more work, as the file extension is not recognized natively. Going back to the Disk Manager snap-in, the same context menu for creating new VHD images also has an option to attach existing ones, as illustrated in the above screenshot.

(In a more polished flow, these steps could be automated with diskpart utility present in Windows out-of-the-box. It is possible to write scripts that automatically mount and unmount the VHD compatible with either OS, and even associating that for handling the extension.)

With the VHD mounted as disk drive, it is now possible to open that drive in Explorer and move any files there. But doing so would result in those files getting backed up to the cloud provider as cleartext without encryption. Since our objective is to protect data from mishaps associated with the cloud provider, BL2G must be enabled first before using the virtual disk.

[continued]

CP

Using cloud storage as glorified drive: dead ends (part I)

Revisiting the ideal layered model for encrypted cloud backups from the previous post:

  • Encrypt user data with keys managed directly by the user, and not available to any third-party
  • Upload the resulting ciphertext after encryption to the cloud

Many solutions exists for the first part of the problem, which makes it a natural question to ask if they can be used without modification with a standard cloud storage offering to protect data from any mishaps in the cloud. In other words, the goal is to use the cloud as a glorified disk drive storing opaque bits, with no ability to peer into the meaning of those bits or perform any intelligent manipulation on them in the name of “adding value.”

First point is that this composition is not always straightforward. Many obvious combinations do not work, due to the mismatch in the level where cloud backup systems operate and the level local data encryption is typically applied. To take on example of how things fail: Encrypted File System or EFS has been a feature of Windows since the W2K release. EFS operates at the filesystem level as part of NTFS, allowing entire directories or even individual files to be encrypted. Fortunately  many popular cloud storage systems such as Google Drive, Windows Sky Drive and Drop Box also present themselves as a local folder where files can be drag/dropped. A first attempt than might be enabling EFS on that folder, on the assumption that will result in encrypting the underlying content and keeping it safe from prying eyes on the cloud provider side. Enabling EFS is simple enough, via the advanced properties for any directory:

SkyDrive_properties       EFS_AdvancedProperties

This may look straightforward but it does not accomplish the intended effect of keeping the original data invisible to the cloud provider. To see why, we need a few facts about the way these cloud storage services usually operate. Typically there is a background process which we can call the synchronization agent, although they are often not implemented as a proper Windows service as one might expect. That agent is responsible for monitoring a set of local directories for changes, as well as listening to notifications from the cloud provider about availability of new content in the cloud. When the operating system informs the agent that a local file has changed, that agent kicks into action and uploads latest version of the modified file to the cloud. In the other direction, when the cloud provider sends a notification to the agent that there is a more recent version of the file available in the cloud, it is downloaded and dropped into the local folder.

The reason this does not interact as expected with EFS encryption is that the latter operates at a very low level, transparent to the I/O capabilities used by agents. Synchronization takes place under the same user account as the person who owns the EFS-protected directory containing confidential information. When that process attempts to open some file for reading, EFS driver in the filesystem stack kicks into action. It recognizes that the file is encrypted and looks for a decryption key. Because there is a private key associated with the same user account– corresponding public key was used to encrypt the directory in the first place– the driver can transparently decrypt that file and return its unprotected contents to the agent. The result is that instead of encrypted files, the original cleartext data will get sent over to the cloud provider.**

Incidentally this transparency is entirely by design. Reading/writing contents of encrypted files works exactly the same as for ordinary files. Same APIs and code paths are invoked from the developer perspective. Imagine the alternative: if there was a different set of APIs involved, every application would have to be rewritten to become compatible with EFS. Pragmatically then nobody could enable EFS, out of fear that some application they use had not been upgraded to become encryption-aware yet. EFS designers made the right call in opting for compatibility. It is an unintended consequence that EFS does not compose directly with popular cloud-storage designs in use today. (Incidentally there are specific APIs to retrieve encrypted contents of a file. While these would have achieved the desired effect of only backing up ciphertext, it requires modifying the synchronization agents to invoke different code paths.)

Next post will look at tricks for combining specific local encryption schemes with arbitrary off-the-shelf cloud storage solutions to achieve the desired privacy property: data stored remotely is not accessible to the cloud provider  regardless of their intentions.

[continued]

CP

** As an aside, lack of encryption is not the only problem.  Even if that could be addressed, there is loss of functionality in that uploaded data would become inaccessible on any other machine or even a fresh install of Windows on the same box. EFS uses public-key pairs that are generated locally on the machine where encryption is first applied. It is not trivial to roam that key to another device. EFS does have a notion of recovery agents to allow decryption when the original key pair is not available, but that heavyweight process would have to be invoked on every new device to recover access. For now we put aside this problem of access from multiple devices, focusing only on privacy in the context of just one device getting backed up and restored.

Cloud backup and privacy: the problem with SpiderOak (part II)

In the crowded field of online backup services, SpiderOak is an example of a company trying to distinguish itself on privacy. Billing itself a “zero-knowledge privacy environment,” the company emphasizes what they can NOT do:

SpiderOak is, in fact, truly zero knowledge.  The only thing we know for sure about your data is how many encrypted data blocks it uses […]  On the servers, we only see sequentially numbered data blocks — not your foldernames, filenames, etc.

As expected, this also translates into a limitation around password reset:

How is this reconciled with our ability to do a password reset?  The short answer is: It isn’t!  We cannot reset your password.  When you create a SpiderOak account, the setup process happens on your computer […] and there your password is used in combination with a strong key derivation function to create your outer layer encryption keys. Your password is never stored as part of the data sent to SpiderOak servers.

So far, so good. All user data is encrypted using keys derived from the password, before that information is backed up to the cloud. That password in turn is never communicated to the cloud provider. On the surface this appears to satisfy property #3 (and by implication #2) alluded to in the previous post: the service provider can not access user data even with full use of its own resources.

But there is a catch: values derived from the password are stored. The details are buried in the engineering matters section, under “User Authentication Details.” Ostensibly written to assure users that the protocol for verifying knowledge of the password is sound, it amounts to an admission that there is something stored by the service provider that can be used to distinguish correct versus incorrect password submissions. Specifically:

  1. Two random salts, stored in the clear by necessity
  2. A serialized RSA public key, also stored as plaintext
  3. A “challenge key” that is computed as output as a specific key-derivation function with the second salt, namely PBKDF2(password, first salt)
  4. Full RSA key including the private-half, AES-encrypted using the output of PBKDF2(password, second salt) as the encryption key

That combination serves as a password hash. It can be brute-forced. Given the first random salt and challenge key, it is possible to check if a password guess such as “asdfgh” is correct by re-computing the same key-derivation process via PBKDF2 and comparing the result to the stored value. That means it is in fact possible to recover data by trying large number of possible passwords. While the effectiveness of such an attack depends on the user choice of password and computing power available to the attacker, the risk calculus is the same in all cases. Data recovery can be attempted by the service provider going rogue, a disgruntled employee acting independently or law-enforcement/intelligence agency who obtains access to the encrypted data from the provider. This is in fact corroborated by one of the privacy FAQs directly taking up the question of whether user data can be recovered with access to bits stored in the cloud:

Unless there are significant advances in mathematics […] password derivation techniques on the SpiderOak key structure are very difficult. The key derivation functions we use are strongly designed to withstand heavy brute force password techniques and pre-computation, such that even on a very modern computer, each password guess takes about one second. […]  Of course, if you were to choose a password that is made entirely from words in a dictionary, fewer attempts may be needed to guess it.

That is the glass-half-full view. Key derivation is indeed using PBKDF2 with a reasonable number of iterations set to 16384. But already password cracking schemes have been built by hobbyists achieving billions of hashes per second, where the hash function is the underlying primitive operation. Bumping up the repetitions helps quantitatively, but does not address the root cause. As ArsTechnica found out much to their surprise, that random looking “qeadzcwrsfxv1331” may not be a great choice after all.

In case this seems like an inescapable consequence of how encryption works, consider a hypothetical alternative design. Suppose a user manages their own RSA encryption key, stored on their machine. This key is used to encrypt a randomly generated AES key, which is in turn used to encrypt bulk data uploaded to the cloud. In this model, there is no password to brute-force from any data uploaded to the cloud. Ciphertext available to the cloud provider is encrypted in a truly random 128-bit key, where all possible choices of the key are equally likely. (As an aside: that RSA private key may be locally encrypted with a user-chosen passphrase, which sounds like rearranging deck chairs.  There is a critical difference: brute-forcing that key will require access to the user machine. There is nothing uploaded to the cloud that helps.) Of course this would mean the data is not accessible on other devices unless the private-key can be roamed there. That is why the ideal implementation would utilize smart cards instead of locally storing keys on disk. Still the possibility of excluding brute-force attacks can be demonstrated without resorting to any fancy gadgets.

There is a broader architectural flaw here. Designs in the spirit of SpiderOak are badly conflating two orthogonal problems:

  • Encrypting user data with keys that are managed directly by the user and not available to any third-party
  • Saving the resulting ciphertext after encryption to a third-party cloud provider

Many popular solutions already exist for the first problem, with different security properties, key management options and cross-platform availability: BitLocker, PGP disk encryption, truecrypt, loop-aes, FileVault, … There is little reason to introduce yet another arbitrary scheme with new risks– in this case, susceptibility to brute forcing by the cloud provider.

Following posts will look at experimental ways to “compose” existing local encryption schemes with cloud backup services transparently, without giving up any control over cryptography and key management.

CP

Cloud backup and privacy: the problem with SpiderOak (part I)

Continuing the theme from an earlier post– that economic incentives for cloud computing favor service providers to have access to user data, instead of serving as repository of opaque bits– here we look at a service that attempts to swim against the current.

In the wake of FUD created around cloud computing due to PRISM allegations, SpiderOak has come to the forefront as exemplary service that optimizes for user privacy. SpiderOak provides remote backup and file access service, allowing users to save copies of their data in the cloud and access it from any of their devices. This is a crowded space with many competitors, ranging from startups specializing in that one field (DropBox, Mozy) to established companies (SkyDrive from MSFT, Google Drive from Google) offering cloud storage as one piece of  their product portfolio. Wikipedia has a comparison of online backup services, with helpful table that can be sorted on each attribute.

From a privacy perspective the interesting column is the one labeled “personal encryption.” The reason for this non-descriptive label is probably owing to the successful campaign of disinformation cloud service providers have embarked on to reassure users. Every service provider throws around phrases like “military grade encryption” and “256-bit AES” without any consideration to the overall threat model around what exactly that fancy cryptography is designed to protect against. Stripping away this usage of encryption as magic pixie dust, there are three distinct scenarios where it can be effective:

  1. Protecting data in transit. This assumes a bad guy eavesdropping on the network, trying to snoop on private information as it is being backed up to the cloud or, going in the opposite direction, as it is being downloaded from the cloud. This a well-understood problem, with established solutions. A standard communication protocol such as TLS can be used to set up an encrypted channel from the user to the service provider.
  2. Protecting data at rest, from unauthorized access. This is a slightly more nebulous threat model. Perhaps the provider backs up their own data on tape archives offsite, or sends off defective drives for repair– situations where media containing user data could be stolen. In this case bad guys– who are not affiliated with the cloud provider– attain physical possession of the storage. Proper encryption can still prevent them from recovering any useful information from that media.
  3. Protecting data from the service provider itself. This is the most demanding threat model. One envisions the provider itself going rogue, as opposed to #2 where they are only assumed to be incompetent/accident-prone. Standard scenario is the disgruntled employee with full access to the service, who decides to violate company policy and dig through private information belonging to customers. Slightly different but very contemporary issue is that of law enforcement access.

These properties are not entirely orthogonal. If data is not protected in transit, clearly it can not be protected from the service provider either– it is exposed during the upload time at a minimum. Likewise #3 implies #2: if the service provider can not decrypt the data even with full malicious intent, there is no act of negligence they can commit to enable third-parties to decrypt it either. The converse does not hold. Consider encrypted backups. If done correctly, the low-skilled burglars walking off with  backup tapes can not recover any user data. But since the provider can decrypt that data using keys held in its own system, so can others with access to the full capabilities of the company. That means not only the disgruntled employee looking for retribution, but also law enforcement showing up with appropriate papers not to mention APT from halfway around the world who 0wned the service provider.

It is easy to verify that #1 has been implemented, since that part can be observed by any user. Granted there are many ways to get TLS wrong, some more subtle than others. But that pales in comparison to the difficulty of independently verifying the internal processes used by the provider. Are  they indeed encrypting data at rest as claimed? Is there an unencrypted copy left somewhere accidentally? This is why designs that provide stringent guarantees about #3 are very appealing. If user data can not be recovered by the provider, it matters much less what goes on behind the closed doors of their data center.

[continued]

CP

Cloud computing and privacy: misaligned incentives

Continuing revelations from The Guardian and Washington Post about the extent of US and British surveillance over Internet communications is once again raising questions around privacy and cloud computing. This is not the first time critics have argued that increasingly storing greater amounts of data with remote services is a step backwards. But in previous instances underlying issues were often quirks of regulation, such as ECPA setting a lower bar for access to stored communications.

There is a more fundamental reason cloud services amplify privacy risks, if not necessarily create them in the first place. The ideal model from a commercial  perspective calls for hoarding user data and having free reign over processing that data internally. That freedom enables  services built on intelligent ways of crunching information to generate new value. The ideal model from the perspective of user privacy calls for minimizing data collection and keeping the provider at arm’s length from having direct access to data. Models optimizing for privacy stand at significant disadvantage in economic terms.

It comes down to a distinction between two different uses of the cloud: storage and processing. Storage is a commodity. Processing is not. Storage can be made privacy-friendly easily, processing can not.

Let’s take a simple example: backing up files to protect against data loss. Hardware failures happen, disks crash, sometimes entire systems are burglarized from residences. Each person trying to protect against this individually becomes unwieldy: imagine backing up your data regularly on drives and locking them away in bank vaults. There are clear economies of scale from centralizing that into commercial services, offering users the option to have their data remotely backed up over the network to the cloud– which is short hand for distributing it across data centers that may be located anywhere in the world. This enables another use case: since the information uploaded is always accessible from anywhere with a network connection– unlike offline backups stored in a vault– consumers also enjoy the benefit of mobility.

The critical question: can the provider offering this service read uploaded data? In principle there is no need. All of the information can be encrypted by the user before getting uploaded to the cloud, using cryptographic keys that are only known to the owner of that information. If the user experiences data loss and wants to restore the files lost, they download the encrypted bits from the cloud, then use those keys to decrypt locally to recover the original information.

The problem is few services operate this way. There is one design/engineering reason, and one business reason for that. To get the design argument out-of-the-way: “users can not be trusted to manage their own encryption keys” the critiques charge. “If they lose access to keys, we can not be the ones to tell them all their data is gone.” (One amusing manifestation of this is a type of design where data is encrypted but the encryption keys are escrowed with service provider– in other words, useless window dressing.) Aside from the obvious problem of patronizing users, this argument overlooks the obvious fact that many fielded systems work exactly that way. BitLocker disk encryption technology in Windows makes it very clear that loss of keys means loss of access to encrypted volumes. It nudges and cajoles the user into printing a hard-copy of recovery keys for safe keeping to forestall that outcome.

The deeper problem is economical.

Remote storage is a mature technology with limited room for innovation. It has a simple, one-dimensional competitive model based on price per gigabyte of capacity. Some variability can be thrown in by an escalating feature arms-race: Does it support sharing? Can files be accessed from mobile devices? Is syncing automated? Yet it is difficult to distinguish a service based on these features because at the end of the day most providers have converged on similar paradigms with comparable feature set. Cloud storage appears as a local folder or drive, with items uploaded by simply dragging icons into that location, using the familiar GUI metaphor. Once feature sets have reached equilibrium and all the check-boxes are marked in the comparison table, the result is a race to the bottom in pricing between interchangeable services, competing on offering most storage at lowest cost. That number will quickly converge to zero.

It is much easier to compete on clever ways of processing uploaded data, “adding value” in the IT lexicon. For example, scan all the documents for keywords and offer full-text search. Index all of the photographs, sort them by location and time taken, identify faces for tagging. Allow publishing those images for all the world to admire, or limited sharing with groups of friends.  Given a spreadsheet modeling financial data, keep it updated with stock quotes in real-time. Sometimes the processing is for the benefit of the provider: scan email messages for keywords to display relevant advertising. The extreme case is “pure” cloud computing, where all processing of the data, including the process of creating/editing the documents is done by interacting with the service online.

Such intelligence built into the hosted service is a sustainable advantage that can continue differentiating the business over time. The price of storage continues to drop thanks to Moore’s law but that has an equalizing effect. Not only does a rising tide lift all boats, it wipes out any temporary advantage. Even if one provider temporarily builds a cheaper/more efficient storage system using custom in-house designs, less skilled competitors will sooner or later close the gap when they purchase the next generation hardware off-the-shelf. (Better yet, they can outsource storage requirements to an existing cloud platform such as EC2 or Azure to benefit from their economies of scale.) By contrast better algorithms for crunching customer data and producing new information provide a competitive edge that is more difficult to replicate. Improvements in hardware alone do not help achieve parity. Nor can these capabilities that purchased from a third-party as part of a standardized offering.

To summarize: economic pressures on cloud services create strong incentives for amassing customer data in ways that can be readily processed. It is not an appealing proposition to become glorified disk drives in the cloud storing opaque blocks of encrypted information the service has no visibility into. That incentive structure means that cloud services will continue to  concentrate information security risk in the short-term. User data may well be protected in transit and even in storage– websites boast of impressive-sounding data practices such as “military grade AES 256-bit encryption.” At the end of the day, the business model depends on being able to recover the original data and operate on it. Regardless of how many layers of encryption exist, somewhere some machine controlled by the service provider has the ability to reconstruct the data. That means so can other people: disgruntled employees, foreign governments such as China conducting industrial espionage, as well as overreaching surveillance programs from US intelligence.

CP

** Is there a middle ground? Some processing can be done on encrypted data. From the early days of cryptography, researchers noted that some encryption schemes had these useful properties: given encrypted version of unknown values, sometimes it was possible to compute a function of the original values, such as their sum or product. But these remained parlor tricks. It was not until more recently that the Holy Grail of the field, fully homomorphic encryption (FHE) schemes were first constructed, allowing the computation of arbitrary functions on encrypted data– in theory. The operative keyword remains “theory”– these schemes are extremely inefficient in the generalized case. For some important use cases such as searching over encrypted text, more specialized , practical implementation exist. To date no major cloud service has attempted to commercialize that model.

T-Mobile, jailbreaking devices and security updates: economics of mobile (part II)

[continued from part I]

Market inefficiencies result when devices are “subsidized” by the carrier, starting with the fact that it is not even a proper subsidy. The analogy with leasing a car breaks down for two reasons:

  • At some point over the lifetime of the service plan, the phone is paid for and subscriber is released from the contract Yet the technical limitations on the device are not lifted. (In fairness, there has been some progress over time, including carriers providing limited unlocking capabilities to customer that ask, reinforced by regulations guaranteeing that freedom.)
  • More fundamentally, consumers are rarely given a meaningful choice of paying outright for their phone from the beginning in exchange for not having any carrier-imposed restrictions imposed in the first place. There is a small market for unlocked devices that can be used in conjunction with any GSM carrier. There is also a healthy grassroots movement for jail-breaking and unlocking devices, but this is hardly sanctioned by carriers or OEMs. Nor is relying on the existence of security vulnerabilities in mobile software a sound basis for improving competition in the market.

Distorted incentives caused by such bundling also explains why the recent ACLU petition to FTC is tilting at windmills. ACLU  charges that wireless carriers are short-changing subscribers by abandoned devices with known, exploitable security vulnerabilities. Looking at the economics makes it clear why that happens:

  • Each time a device is sold directly through the carrier channel, the carrier earns a net profit and extends the “lock-in” period for subscriptions. Shipping updates to existing devices is a cost with intangible benefits. Those costs are increased  owing to carriers’ enthusiasm for customizing the core Android OS with their “value add” software. Since they are no longer shipping an off-the-shelf version, security updates coming out of Google must be carefully reviewed and integrated into their own private fork.
    Compared to the more familiar PC market, this is a fundamentally a different model for software distribution: Dell may sell machines loaded with Windows, but has little say in scheduling security updates to the operating system. Consumers are free to download them directly from Microsoft Update.
  • Further upstream, similar set of incentives apply to the OEM.  Selling one more device generates new revenue, servicing existing ones is pure overhead. Of course there are indirect pressures to continue support: abandoning the device after initial sale would lead to a reputation akin to that of an automobile manufacturer who refuses to service vehicles sold or produce spare parts. (Tampered by the reality that mobile devices last ~18 months on average and are much cheaper to upgrade compared to cars.)
    OEM options are also limited by what the carrier will permit. Since OEMs do not typically sell direct to consumers– with notable exceptions for Apple and that negligible fraction of “pure” Nexus devices— any demand to continue support must originate with the carrier. But the carrier has the exact opposite incentives: the conscientious OEM who eagerly ships Android upgrades and security patches to existing device is undesirable. It eats into the carriers ability to book additional revenue from hardware sales.

There is an argument for vertical integration here. Devices getting upgraded is a net positive for the ecosystem, and it may even allow charging more for hardware by increasing consumer confidence that their large investment will not become obsolete anytime soon. But in a fragmented ecosystem, none of the individual actors in isolation has the right incentives.   In the case of the iPhone by contrast, Apple acts as hardware OEM, operating  system provider and often the distribution channel via retail stores. Coupled with the precedent set by AT&T exclusivity (something AT&T had to compete with other carriers for) Apple has been able to maintain an iron grip on the core operating system and deliver upgrades independently of carrier incentives, optimizing for the brand and ecosystem overall.

CP

T-Mobile, jailbreaking devices and security updates: economics of mobile (part I)

An economic subtext connects these three seemingly unrelated events:

  1. T-Mobile announcing a new approach to pricing wireless plans, with emphasis on surfacing the full price of phones instead of subsidizing hardware with inflated charges on voice/data service.
  2. ACLU petition to FTC on Android security, urging action against wireless carriers for not delivering security updates to mobile devices
  3. Ongoing argument about user freedom to jailbreak devices and load alternative software– including replacing the entire operating system– than what the device originally shipped with

All of them are facets of the same clash of incentives surrounding mobile devices. The cast of characters in this conflict is numerous, some looming large others largely consigned to invisible roles. First is the hardware manufacturer who assembled the hardware (“assembled” because often times it amounts to no more than sourcing components from dozens of suppliers and soldering/gluing them together) Then there is the operating system vendor who wrote the platform running on that device. There are application developers competing to develop applications running on that platform, trying to reach maximum audience. Fourth is the wireless carrier, who often acts as the distribution channel in the US. While it possible to purchases phones  à la carte without bundled service plans– Google has been on the frontlines of trying to popularize that model with Nexus series of flagship Android devices– most devices are purchased as part of bundle that includes wireless service. In fact as the original exclusivity of iPhone to AT&T demonstrates, a highly desirable device may be available only from one particular carrier.  Finally, there is the hapless consumer at the end of that chain, the one using that phone every day for making calls  and accessing the internet. Sometimes one or more of these roles is played by the same entity. For example Apple both produces  the iPhone, furnishes the operating system and provides some of the key applications. Google did not have the same extent of vertical integration until the 2012 acquisition of Motorola mobility, which builds devices. All of these players are battling over a fundamental question: Who controls the phone? Whose device is it? Who gets to decide what can be done using the capabilities of that hardware? That question has been answered in different ways depending on circumstances. The carrier wins in the majority of cases with a simple argument: the user never really paid for the device. Phones are sold at substantial discount relative to the cost of the hardware, with the expectation that wireless service revenue over the lifetime of the contract will make up for that loss. It is better to view the phone as “leased” to the consumer instead of outright sold, according to this argument. In the same way that lessee can not make extensive modifications to leased cars such as swapping the engine, subscribers are expected to follow the requirements from the carrier. Logical conclusion, if one accepts this premise, is carriers call the shots and impose restrictions according to their own interests.

Most obvious example is that devices are locked to a specific carrier, artificially creating interoperability and restricting full use of hardware capabilities. Not all GSM networks use the same frequency bands, but OEMs intentionally build phones to operate on multiple frequencies. This allows the device to operate with any carrier, by popping in the appropriate SIM card. This helps not only for permanently switching  carries but also when travelling overseas, with a temporary prepaid SIM from the destination country.) But if AT&T has subsidized the cost of the device, then a user who goes over to T-Mobile shortly after purchasing one is a net loss. Naturally the contract imposes 12 or 24 month terms, guaranteed to recoup the hardware subsidy with a healthy profit margin. Not trusting consumers to honor that– it would be messy sending a collections agency after everyone to recoup the amount owed if they defect early– the carrier also raises switching costs at the hardware level. The phone is restricted from operating on other networks, by locking the baseband to one carrier, effectively undoing the flexibility OEMs built-in at manufacture time.

[continued]

CP

GoldKey tokens: installing smart card driver for PIV (part III)

Picking up from part I and part II, we turn to the problem of installing vendor-specific drivers to access additional PIV functionality in GoldKey USB token which is not exposed by the driver built into Windows.

The driver can downloaded from Microsoft Update Catalog. (Credit goes to Himanshu Soni from MSFT for this hint.) First step is obtaining the hardware ID. This is easiest to do from the GUI using Device Manager:

Viewing device properties in Computer Management / MMC

Viewing device properties in Computer Management / MMC

The hardware ID is hidden in the “Details” tab of the Properties dialog, by scrolling the drop down menu:

Device details for GoldKey token detected as smart card

Device details for GoldKey token, detected as PIV-compatible smart card

Right-clicking to copy that ID, we can run a query on online Catalog by hardware ID. The search returns a couple of hits, for different version of the driver and operating system. After installing the latest driver available for the appropriate local Windows version, there will be several changes in the way smart card stack operates. First the USB token will be identified as GoldKey instead of as generic PIV card:

Smart cards and readers, after GoldKey driver installation

Smart cards and readers, after GoldKey driver installation

Note that the virtual smart card reader presented by GoldKey– after all every card must be present in a reader according to PC/SC model– is still identified as a generic MSFT device based on the Windows user-mode driver framework (WUDF)

Another side-effect of installing the driver is a change to the registry to correctly identify all future instances of GoldKey based on the answer-to-reset (ATR) value returned by the card on initial activation. Looking at HKLM\Software\Microsoft\Cryptography\Calais\SmartCards, we observe that there is a new card type in addition to the built-in entries for PIV and GIDS:

Registry key corresponding to GoldKey

Registry key corresponding to GoldKey

As for the meaning of the values:

  • “Crypto Provider” refers to the cryptographic service provider (CSP) associated with this smart  card. Not surprisingly, since the token confirms to the Windows smart-card architecture described earlier, this is the vendor-independent base CSP used for all smart cards. Same goes for the “Key Storage Provider” entry, which is the CSP-equivalent in the next-generation cryptographic API in Windows.
  • 80000001 value identifies the smart-card mini driver. In this case it is a DLL authored by GoldKey installed from Microsoft Update earlier. (By contrast, the other two entries both point to the same system DLL with tell-tale prefix “ms” often used for MSFT binaries.) This module will be loaded by the CSP/KSP, depending on which interface an application is using.
  • The more interesting values are “ATR” and “ATR Mask,” which are responsible for the discovery logic. When a new smart card is presented, the system checks its ATR for exact match against each smart card type defined these registry keys. The criterion for comparison is:

Observed & ATR-Mask == ATR & ATR-Mask

where “Observed” is the ATR returned by the unknown card, & denotes bitwise and operator, ATR and ATR-Mask are the values taken from registry key. The mask provides flexibility when the ATR can vary slightly for the “same” type of card. For example a certain byte may differ depending on card options, even when all of them have exact same card applications and should be mapped to the same driver. By setting specific bytes or bits in the mask to zero, they are effectively ignored in the comparison. In other words it is a rudimentary wild-card pattern. In this case, the ATR mask is set to all ones, indicating an exact byte-for-byte comparison with no variations allowed.

With the ATR mapping in place, all other instances of GoldKey tokens will also be correctly associated with the custom driver. Next we can examine what happens during a provisioning operation by re-running the command line from last post and capturing an APDU trace.

[continued]

CP

PIV cards: provisioning according to FIPS (part II)

The first post in this series described how the PIV specification defined different privilege levels, and specifically required administrator access to enroll for new digital certificates on a compliant card. By itself this is not a technical limitation. After all end users can be given the administrator credential for their cards, in addition to the usual PIN used for authenticating as card-holder. Alternatively cards can be issued with a well-known default administrator key. Realistic deployments do not work this way. Typically those credentials are held by the organization overseeing the card program. Enrollment is either done ahead of time– users are issued cards already configured with the necessary certificates– or it is done in person. The user shows up at the IT department office and connects their card to a dedicated machine that has access to the administrator keys for all cards issued by that organization. There are two arguments for doing it this way:

  • Lower maintenance costs. Users can not delete credentials or otherwise mess up the existing card state if they do not have credentials necessary for doing so. But this argument fails for two reasons. First users would have to go out of their way to trigger provisioning events, using specialized software. Second even with the administrator restriction, they can still lock up a card by entering wrong PIN repeatedly. In the case of Global Platform compliant cards, they may even brick the card for good by repeatedly failing authentication to the card manager.
  • Verify the authenticity of cards. This is a more subtle requirement: when a user is trying to enroll for a certificate, how does the issuer know that keys were indeed generated on a smart card? The whole point of using smart cards is that key material is generated and lives only inside the card; it never leaves that trusted boundary. During certificate enrollment, the user is presenting a CSR already signed with the private key they claim was generated on the card. Can the issuer verify this? Even if enrollment is done in person similar concerns remain for high-assurance environments. How does the IT staff know that user is presenting a genuine card? After all anyone can take a blank white plastic card, print all the right logos and provision an applet that looks like PIV but has an intentional backdoor for leaking keys.
    Requiring extra authentication before generating keys and loading certificates can mitigate that, if the protocol is designed properly. It is not clear this holds for PIV. There is a challenge-response scheme for authenticating administrators, but at the end of the day the card responds with a simple yes/no answer declaring success. A bogus card can always report success making it look indistinguishable from the genuine version. (That said, it is possible to use this as a primitive operation to verify that the card is genuine. Armed with the administrator credentials, one can flip a coin and depending on the result, either authenticate correctly or deliberately supply the wrong answer to the card. A counterfeit card has 50% chance of  returning the correct success/failure status. Repeating that multiple times one can get down the probability of using bogus card as low as desired. It is unclear if such a process is ever used in practice.)

Back to the GoldKey. As hinted earlier, the PIV application on the token supports provisioning as card holder. The catch is that requires installing additional software. This is an unintended side-effect of the way discovery works in Windows: The GoldKey token presents itself as a plain smart card and reader combination, the OS will automatically try to infer the type of card. One of the steps in this process is to check for PIV and GIDS cards by selecting the well-known AID for those standards. By design the token responds successfully to a SELECT for PIV. But that leads the OS to conclude that this is “just” an ordinary PIV card and associate it with the built-in driver. This can be observed by expanding the “Smart cards” node in Device Manager:

GoldKey token detected as PIV card

GoldKey token detected as PIV card

That inscrutable device name comes from the document defining the PIV standard: National Institute of Standards & Technology (NIST) publication 800-73. The good news is smart card discovery worked flawless and identified the GoldKey token as PIV card. The bad news is that built-in driver for PIV does not support provisioning, for reasons alluded to above and in the earlier post. One way to verify this is to try using certreq tool to generate a self-signed certificate for a regular PIV card, as described in the MSDN article on BitLocker. The operation will fail:

Error when attempting to provision to standard PIV card

Error when attempting to provision to standard PIV card using the built-in driver

As an aside, GoldKey would present a different error if used in the same scenario, since it also emulates a card reader with a fixed card– there is no point in asking user to insert a different card.

Getting past this stage requires installing the correct smart card mini driver.

[continued]

CP