Cryptanalysis of GlobalPlatform Secure Channel Protocols

  • Mohamed Sabt
  • Jacques Traoré
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10074)


GlobalPlatform (GP) card specifications are the de facto standards of the smart card industry. Because they are highly security-sensitive, GP specifications were defined against stringent security requirements. In this paper, we analyze the cryptographic core of these requirements, namely the family of Secure Channel Protocols (SCP). Our main results are twofold. First, we demonstrate a theoretical attack against SCP02, the most widely deployed protocol in the SCP family. We discuss the scope of our attack by presenting a realistic scenario in which a malicious entity can exploit it to recover encrypted messages. Second, we investigate the security of SCP03, which was introduced as an amendment in 2009. We find that it provably satisfies strong notions of security. Of particular interest, we prove that SCP03 withstands the algorithm substitution attacks (ASAs) defined by Bellare et al., which may otherwise enable secret mass surveillance. Our findings highlight the great value of the provable-security paradigm for standards and certification: unlike extensive evaluation, it formally guarantees the absence of security flaws.


Keywords: GlobalPlatform · Secure Channel Protocol · Provable security · Plaintext recovery · Stateful encryption


Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  1. Orange Labs, 42 rue des Coutures, Caen, France
  2. Sorbonne Universités, Université de Technologie de Compiègne, Heudiasyc, Centre de Recherche Royallieu, Compiègne, France
