[I posted this earlier today but it never appeared, apologies if you've seen
 it before.  In any case the bit about the SigG card has been updated]

Martin Minow <[EMAIL PROTECTED]> writes:

>The Register <http://www.theregister.co.uk> reports that the Siemens
>Digital Signature Chip used for cashless payments (and recently ratified
>for use by the European Union) was disassembled. According to The Register's
>sources, "the knowledge gained has already been used to get hold of Telesec
>private keys".

This story isn't terribly accurate, I'd suggest people wait a few days before
they draw any final conclusions (and prepare for a lot of spin control from the
vendors involved).

In any case what makes the SLE66 a more interesting target than most is that
it's sort of certified at ITSEC E4 with an assurance level of high.  The reason
I say "sort of certified" is that tracing exactly what's been certified leads
you into a spaghetti of confusing claims and statements cunningly designed to
mislead anyone responsible for making purchasing decisions :-).

To understand what's involved, you need to know a bit of background material.
The Siemens 44 series run a basic OS (more a kind of bootstrap loader) called
CMS (chip management system), the 66 series run something called RMS (resource
management system) which is an evolution of CMS.  The 66 series typically run
RMS at the development stage but often run an OEM OS which may or may not
include RMS (as I said, the documentation is pretty confusing, the implication
is that vendors will supplant it with their own code but I'd guess most just
call down to RMS from their code).

The original E4 certification was by TUVIT, a private certification body
recognised by the BSI but not necessarily by anyone else (only BSI
certifications are required to be recognised internationally, if you look at
something like the UK certified product list you won't find the private-body
certifications listed).  What was certified in April of this year was the card
hardware, the crypto engine, and RMS with STS (self-test software).  The
certification report goes into quite some detail about all the security
enforcing functions (SEF's, ITSEC jargon for security measures) used to prevent
someone from dumping the firmware and other card contents, *if* this is what's
been done then it looks like it's a genuine attack against an E4-certified
product.

In addition, Deutsche Telekom got their own E4 certification for TCOS, their
OEM OS which runs on the card.  Since the attack works on the SigG cards, it's
probable that they incorporate RMS into TCOS to handle lower-level
functionality (although they omitted to mention this anywhere in the
certification report).

There are a number of other vendors using the 66 series as well, if they're
linking in RMS then their cards may be vulnerable too.  There was a comment in
de.comp.security to the effect that "all the SLE cards we have here have the
problem" (I expect some vendors aren't going to be getting much sleep in the 
next few days :-).  In any case though the claim in The Register about the 
Geldkarte being in trouble isn't correct, and some of the other claims aren't 
too accurate either.

Peter.
