サイドチャネル攻撃に対する安全性評価の研究動向とEMVカード固有の留意点

EMV IC IC 20 IC EMV IC EMV IC EMV... E-mail: masataka.suzuki@boj.or.jp E-mail: Sugawara.Takeshi@bp.MitsubishiElectric.co.jp E-mail: Suzuki.Daisuke@bx.MitsubishiElectric.co.jp / /2015.10 107

1. IC 2011 40 1 IC IC ATM 23.0 91.4 2012 8 ATM IC IC IC IC IC 65.6 63.6 IC 2016 80 2020 100 2015 IC SEPA 1 IC SEPA IC IC 2 1 IC 1 2013 2014 2 2013 2015 3 2014 6 2014 4 2013 2005 8.2 2014 5 2013 2002 165 2014... 1 Single Euro Payments Area EU 34 2SEPA IC IC IC IC 108 /2015.10

EMV 3 2015 European Payment Council: EPC [2011] 1 VISA IC 2015 10 1 4 VISA [2011] IC IC IC 1980 5 1990 Kocher [1995] 2000 Eisenbarth et al. [2008] Oswald and Paar [2011] CMVP JCMVP ISO/IEC 15408 Common Criteria 6... 3 Liability Shift IC IC IC 4 VISA [2011] 2 2017 10 1 5 1980 IBM µ ABYSS Anderson [2008] Chap.4 6CMVP Cryptographic Module Validation Program JCMVP Japan Cryptographic Module Validation Program URL CMVP http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/1401val2015.htm JCMVP http://www.ipa.go.jp/security/jcmvp/val.html 109

CMVP JCMVP 1 7 Common Criteria 8 IC IC EMV 9 IC EMV 2 3 4 EMV 2. IC 10 1... 7 Covert channel attack 8 Joint Interpretation Library [2013]. 9EMV Europay International MasterCard International Visa International 2011 EMV 4.3 EMVCo [2011a, b, c, d] 10 2008 110 /2015.10

EMV 2 1 IC 11 12 2. IC 3 1980 Anderson [2008] Chap. 4 4 IC IC... 11 invasive attack non-invasive attack 2003 2008 12 2009 2013 111

3 IC 2004 2.2 4 IC Skorobogatov [2005]. 1996 Bellcore [1996] Boneh, DeMillo, and Liption [1997] 5 112 /2015.10

EMV 5 6 1 0. IC 6 1995 Kocher [1995, 1996] PC 113

7 2. 13 2 0 A 1 B 0 1 7 a 14 RSA 7 b 1 0 2 A 1 2 B... 13 14 114 /2015.10

EMV 8 B IC 8 a CMOS 8 b AES 8 c r t+1 r t t+1. 115

9 IC DES Kocher, Jaffe, and Jun [1999] 9 15. Kocher, Jaffe, and Jun [1998, 1999] Gandolfi, Mourtel, and Olivier [2001] Kocher [1996] 16 10... 15 trace 16 Genkin, Shamir, and Tromer [2014] 116 /2015.10

EMV 10 3. 17 Common Criteria 11. 2 12 a 0 A B 12 b... 17 117

11 Joint Interpretation Library [2013] 12 118 /2015.10

EMV 3. IC 2 3 1 1 1 13 100 N 13 i ii 18 13... 18 119

2 2 2 19 14 N N 2... 19 Goodwill, Jun, Jaffe, and Rohatgi [2011], Jaffe and Rohatgi [2011]. 120 /2015.10

EMV 14 3 3 2 1 3 3 1 2014 Mizuno et al. [2014] 15 S Z S+Z S Z C = 1 ( 2 log 2 1 + S ) [bit/sample] Z 2014 16 16 3 121

15 16 3 2014 6 2014 4 1 100 2 3 122 /2015.10

EMV 17 17 17 1 2 Step 1. 2 Step 2. Step 3. Step 4. Step 3 1 2 3 1 100 100 1,000 100 3 1 123

4. EMV EMV EMV EMV 1 EMV POS ATM MAC 20 3 21 MAC 18 SK 1 PK 1 EMV 22 RSA SK 1 /PK 1 PK 1 SK 2 /PK 2 23... 20 Message Authentication Code EMV Application Cryptogram Generation 21 MAC EMV 22 Dynamic Data Authentication EMV Static Data Authentication 23 EMV SK 1 /PK 1 SK 2 /PK 2 124 /2015.10

EMV 18 PIN PK 2 SK 2 PIN EMV PIN RSA MAC 1 MAC MAC SK 3 MAC MAC SK 3 MAC MAC SK 3 3 SK 3 MAC EMV MAC AES 125

2 EMV 19 EMV SK 1 /PK 1 SK 2 /PK 2 SK 3 /PK 3 PIN 3 MAC POS SK 1 POS 24 19... 24 PIN POS POS Murdoch et al. [2010] 2012 126 /2015.10

EMV PIN POS PIN MAC SK 3 MAC MAC SK 1 SK 2 SK 3 PIN MAC MAC ATM IC Box Box ATM IC IC PIN ATM IC PIN 3 1 IC IC 2 Match on Card ATM PIN 3 PIN ATM ATM PIN PIN 2 IC PIN 127

3 EMV EMV 3 SK 1 SK 2 SK 3 SK 1 POS 25 SK 1 SK 2 MAC MAC MAC MAC SK 3 SK 3 SK 3 EMV SK 3 EMV SK 3 26 SK 3 SK 3 POS 1 MAC 2 16 65,536 = 2 16 EMV SK 3 MAC 20 21 SK 3... 25 Man-in-the-Middle 26 EMV Application Transaction Counter 128 /2015.10

EMV 20 EMV 21 EMV MAC 2 1 EMV 1 Issuer Script 5. IC IC 129

20 IC IC IC 130 /2015.10

EMV 8 2011 26 3 2014 8 27 http://www.fsa.go.jp/news/26/ginkou/20140827-5.html 2002 2003 3 https://www.ipa.go.jp/security/ enc/cryptrec/fy15/doc/c02_2.pdf IC 31 3 2012 107 140 2014 11 27 http://www.zenginkyo.or.jp/abstract/news/detail/nid/3835/ 15 LSI 2004 3 31 http://www.meti.go.jp/policy/netsecurity/docs/cc/lsi.pdf IC 100 2014 7 14 http://www.jcca-office.gr.jp/topics/ topics_37.html 2014 12 26 http://www.j-credit.or.jp/information/statistics/ download/inv_05_141226.pdf IC 2015 2 27 http://www.j-credit.or.jp/download/150227_ jdm.pdf Vol. 64, No. 7 2009 28 31 Vol. 57, No. 12 2013 505 510 Vol. 49, No. 7 2008 799 809 3 2A4-3 2014 Anderson, Ross, Security Engineering Second Edition, Wiley, 2008. 131

Bellcore, Now, Smart Cards Can Leak Secrets, Bellcore Media Advisory, 25 Sept. 1996. Boneh, Dan, Richard A. DeMillo, and Richard J. Liption, On the Importance of Checking Cryptographic Protocols for Faults, EUROCRYPT 97, Lecture Notes in Computer Science (LNCS), Vol. 1233, 1997, pp. 37 51. Eisenbarth, Thomas, Timo Kasper, Amir Moradi, Christof Paar, Mahmoud Salmasizadeh, and Mohammad T. Manzuri Shalmani, On the Power of Power Analysis in the Real World: A Complete Break of the KeeLoq Code Hopping Scheme, CRYPTO 2008, LNCS, Vol. 5157, 2008, pp. 203 220. EMVCo, EMV 4.3 Book 1 Application Independent ICC to Terminal Interface Requirements, EMVCo, 2011a., EMV 4.3 Book 2 Security and Key Management, EMVCo, 2011b., EMV 4.3 Book 3 Application Specification, EMVCo, 2011c., EMV 4.3 Book 4 Cardholder, Attendant, and Acquirer Interface Requirements, EMVCo, 2011d. European Payments Council (EPC), Resolution: Preventing Card Fraud in a mature EMV Environment, Doc EPC424-10, 31 Jan., 2011. Gandolfi, Karine, Christophe Mourtel, and Francis Olivier, Electromagnetic analysis: concrete results, Cryptographic Hardware and Embedded Systems (CHES) 2001, LNCS, Vol. 2162, 2001, pp. 251 261. Genkin, Daniel, Adi Shamir, and Eran Tromer, RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis, CRYPTO 2014, LNCS, Vol. 8616, 2014, pp. 444 461. Goodwill, Gilbert, Benjamin Jun, Josh Jaffe, and Pankaj Rohatgi, A Testing Methodology for Side-channel Resistance Validation, Non-Invasive Attack Testing Workshop (NIAT), 2011. Jaffe, Josh, and Pankaj Rohatgi, Efficient side-channel testing for public key algorithms: RSA case study, NIAT, 2011. Joint Interpretation Library, Application of Attack Potential of Smartcards, version 2.9, 2013. Kocher, Paul C., Crytptanalysis of Diffie-Hellman, RSA, DSS, and Other Systems Using Timing Attacks, extended abstract, 1995., Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems, CRYPTO 96, LNCS, Vol. 1109, 1996, pp. 104 113., Joshua Jaffe, and Benjamin Jun, Introduction to Differential Power Analysis and Related Attacks, 1998.,,and, Differential Power Analysis, CRYPTO 99, LNCS, Vol. 1666, 1999, pp. 388 397. 132 /2015.10

EMV Mizuno, Hiroaki, Keisuke Iwai, Hidema Tanaka, and Takakazu Kurokawa, Analysis of Side-Channel Attack Based on Information Theory, IEICE Transactions on Fundamentals of Electromics, E97-A 7, 2014, pp. 1523 1532. Murdoch, Steven J., Saar Drimer, Ross Anderson, and Mike Bond, Chip and PIN is Broken, 2010 IEEE Symposium on Security and Privacy, 2010. Oswald, David, and Christof Paar, Breaking Mifare DESFire MF3ICD40: Power Analysis and Templates in the Real World, CHES 2011, LNCS, Vol. 6917, 2011, pp. 207 222. Skorobogatov, Sergei P., Semi-invasive attacks A new approach to hardware security analysis, University of Cambridge Computer Laboratory Technical Report, UCAM-CL- TR-630, 2005. VISA, Visa Announce U.S. Participation in Global Point-of-Sale Counterfeit Liability Shift, VISA BULLETIN, 9 Aug., 2011. 133

134 /2015.10