Breaking Up Is Hard To Do: Modeling Security Threats for Smart Cards, by Schneier and Shostack.
A very extensive threat model.
Security of Electronic Money, Report by the Committee on Payment and Settlement Systems and the Group of Computer Experts of the Central banks of the Group of Ten countries.
This report was done under the aegis of the Bank for International Settlements. The committee consulted with the major producers of smart cards for electronic money. There were typically non-disclosure agreements in effect, which cause some of the details to be blurred. This is the banker’s perspective. They are perhaps as concerned for the appearance of security as for security proper, considering that if a bank’s smart cards seem insecure it may impact the perceived safety of funds deposited in the bank. The threats discussed in this paper are mostly different from those discussed in other papers mentioned here.
While I disagree with some of the recommendations in How to Make a Mint, I must recommend this paper highly as a tutorial in some of the more arcane digital money schemes. It examines technical threats extensively. It is by people within NSA who presumably know what they are talking about. Section 5, Security Issues and Conclusions, may well be read apart from the rest of the document. They contrast privacy and law enforcement needs and lean towards those of law enforcement.
Tamper Resistance - a Cautionary Note, by Ross Anderson and Markus Kuhn, is somewhat of a bombshell. With a little money and a lot of savvy, but little inside information, they tampered with some systems considered highly tamper resistant. Drawing, in part, on the tools of those who debug chips for a living, and adding a few clever ideas, they extract the state of these systems. My impression was that the vulnerabilities are not fundamental, but neither are they cheap to fix.
Another paper by the same authors is Improved Differential Fault Analysis. This extends recent fundamental work done by Biham & Shamir on what they called DFA (Differential Fault Analysis), in which an error in the computation of ciphertext produces output which can be compared with the correct output. Such errors may possibly be induced by devices such as a bogus IFD. The analysis can yield a bit of a key. Iterations of this can yield the key of a symmetric cipher in time linear with the key length! The above paper combines these two schemes.
On the Importance of Checking Computations, by people at Bellcore, is the first line of defense against DFA and a few other attacks. This paper points to plausible errors in computing RSA ciphertext such that if x is the output of the erroneous computation and y is the correct ciphertext then gcd(x, y) is the secret key!
Paul Kocher’s Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems got a lot of attention a few months ago. The idea is to extract information from the time taken to use a secret key. The statistics are subtle and the obvious fixes usually don’t work. The idea is not as simple as it sounds and the defenses are thus error prone.
A report of breaking Mondex.
In Breaking Up Is Hard To Do: Modeling Security Threats for Smart Cards, Schneier and Shostack enumerate the various interests within a smart card and analyze who can do what to whom. They note several little-discussed conflicts.
Koemmerling and Kuhn’s “Design Principles for Tamper-Resistant Smartcard Processors” provides a revealing exercise in applied tampering along with suggestions for countermeasures.
More smart card security links, and yet more.
Clash of the Titans: Regulating the Competition Between Established and Emerging Electronic Payment Systems. This is an extensive survey of electronic money systems that have gone into use. It compares their niches and tribulations. It also explores the competition between the new and the old systems. It is from 1999. It has many useful footnotes and references but beware: the footnote file kills Internet Explorer 5 on the Mac. Netscape thinks it is OK.
A delightful scheme called “Micro-Payments via Efficient Coin-Flipping” has just come to my attention. The “hazard” in this scheme is integral to the solution.
2004 Jan 8: NY Times has an article on Peppercoin and Bitpass.
2012 perspective by IEEE Spectrum.