9 September 1997
As is apparent from the attached memo, TNO broke Mondex. At Eurocrypt this year, TNO's Ernst Bovenlander gave some details of these attacks (though he didn't mention Mondex as the target). He showed an electron micrograph of a fused link in a smartcard; while intact, this link activated a test mode in which the card contents were simply dumped to the serial port. The TNO attack was to bridge the link with two microprobes. At the last RSA conference, Tom Rowley of National Semiconductor reported a similar attack on an unnamed chip using an ion beam to rewrite the link (maybe NatSemi was the 'North American entity' cited below).
Bovenlander also told the Eurocrypt audience that microprobing attacks get harder when the feature size drops below one micron. However, there is a simple fix - to use a focussed ion beam to plate a nice large contact for the microprobe on each bus line. He showed a micrograph of a 0.8 micron chip treated in this way. He also related that undergraduates at Delft University routinely break smart card chips using microprobe workstations, and as part of their assessed course work rather than as personal hacking. So it looks like the current version of Mondex (3101) can be broken by undergraduates.
After EFF Canada disclosed this memo, they got a threatening letter from the National Bank of New Zealand:
David G. Jones, President,
Electronic Frontier Canada, Inc.,
20 Richmond Avenue,
Kitchener, Ontario, N2G 1Y9
CANADA

RETAIL PRODUCT MANAGEMENT & MARKETING
Level 8 National Bank House
170-186 Featherston Street
PO Box 1791
Wellington
New Zealand
Ph: 0-4-494 4000
Fax: 0-4-494 4402

Dear Sir

Unauthorised Use of Confidential Material

It has come to the Bank's attention that a memorandum prepared by an officer of the Bank ("Memorandum") is being published by you on the Internet as per the enclosed materials without the permission or consent from the Bank.

The Memorandum is protected by copyright, and the copyright is owned by the Bank. The unauthorised publication of the Memorandum by you is a breach of the Bank's copyright.

In addition, the Memorandum is confidential, and was produced for the purpose of discussion only amongst authorised personnel. The Bank considers the disclosure of the Memorandum to you, and your publication of it, to be a breach of confidentiality. Moreover, the Bank is concerned that it may suffer serious detriment from this unauthorised use of the Memorandum.

The Bank considers the publication of the Memorandum to be a serious breach of its proprietary rights in the Memorandum and requires you to immediately withdraw the Memorandum from any further display, publication, or reproduction by any means whatsoever. The Bank also requires you to immediately destroy all materials that you have which contain any of the Memorandum.

The Bank requests that you immediately confirm in writing that you have complied with the above requirements. If we do not receive such confirmation by 14 days from the date of this letter, the Bank will pursue its remedies, including through formal proceedings if necessary.

Yours faithfully,
(signed)
Simon Dixie
Manager Strategic Advisory
This could become another cause celebre of censorship on the net, like the Fishman affidavit or the JET report. There is an intense public interest: if a defective payment mechanism is rolled out next year, gets attacked by the Mafia, and banks go belly up, then the poor taxpayers will be expected to foot the bill through FDIC or whatever.
So spread this message as widely as possible, write to your congressman; and if you bank with a Mondex franchisee, move your business somewhere else!
Mondex SVC Security
Security Due Diligence, May 1996

The memorandum outlines the main points arising from discussions with Craig Glendenning (Senior Manager, Technology Strategies, Commonwealth Bank) on security issues identified during the May 1996 Mondex due diligence visit to London, by the Australian bank consortium security team.

Extent of security evaluation effort

The Australian effort to understand Mondex security through the due diligence process has been greater than that of other potential member groups. The Hong Kong Shanghai Bank franchise was essentially purchased on the strength of a business case, with only a cursory view of security. Similarly, comments from Natwest Mondex staff indicate that the US consortiums security due diligence was not as comprehensive/inquisitive as the Australian effort.

Potential for chip tampering

Weaknesses in 3101 chip (used for the Swindon trial) were identified by TNO through technical attacks on the chip (e.g., microprobing). These weaknesses have reputedly been fixed in the 3109 chip, by:
a) reducing the scale of chip technology from 1.3 microns (in the 3101) to 0.8 microns which substantially increases the difficulty of conventional physical probing or memory imaging type attacks.
b) changes to the physical architecture of the chip to thwart previously successful attacks through "test mode memory access links".

However, no third party reports (substantiating the security claims of the 3109 chip) were released to the Australian security team. Mondex provided verbal representations that an anonymous third party evaluation agency (a North American entity) had started work on attacking the 3109 (by reverse engineering it). TNO would not get the chip until this agency had finished their work sometime later in 1996. Evaluations reports from Cambridge University and TNO were not expected until Q1 1997.

Conclusions

The risk remains that a significant technical weakness may be found in the 3109 chips.
This would require a major change to the chip which could take a significant amount of time to rectify and retest.

Mondex staff have stated that NATWEST is obligated (as stated in the Participants agreement) to disclose any material issues that would jeopardise security of the scheme. Consequently, the reluctance of Mondex to make available all reports on the security of the 3109 chip should not necessarily be interpreted as "hiding a known weakness". Conversely, fears about the security of the 3109 chip will not be resolved until Q1 1997 when the evaluation agency reports are available for scrutiny.

The "reverse engineering" attacks on the chip indicate that Mondex believes the security of the scheme relies primarily on the secrecy of the cryptographic keys rather than chip design.

"Fit for purpose"

Mondex have made a general statement about the security of the card/scheme to the effect that the card is "fit for purpose". However, this "purpose" is not explicitly defined in the participation agreement. Statements in the participation agreement tend to indicate that the purpose is confined to "low value payments". The Australian banks appear to have a more expansive view/expectation, that the purpose covers large denomination transactions. While there does not appear to be an explicit "meeting of minds" over purpose, it could be argued that as the chip is integral to all security functions (from Originators purse through the GKC to the customer purse) then it is possible that the chip is being evaluated against all these roles, in terms of purpose.

KPMG report

The KPMG report for the BoE (Bank of England) did not cover tamper resistance of the chip. A different agency investigated this for the BoE (presumably the North American entity). Mondex would not disclose the name of this agency or contents of their report.

Nine weaknesses in the operation of the Mondex scheme were identified in the KPMG report.
All but one (reliance on key personnel) appear to have been addressed.

Chip failure

The failure rate of the chip is reputedly now < 1%. This has arisen through:
a) Elimination of manufacturing defects
b) Reduction in the chip technology size (to 0.8 microns) makes the chip more robust

Embossing the card is still not permitted by Mondex as this reduces chip/card reliability.

Public key cryptographic systems

Mondex claims support for nine public key cryptographic schemes. Mondex has reputedly performed public key cryptography using the card in less than 2 secs. However, this performance claim is somewhat nebulous as they have refused to disclose the key size (i.e., performance is directly related to key size in most public key implementations).

Conclusions

The Swindon trial used a private key cryptographic system, primarily because private key cryptographic systems currently process faster than public key systems (in both hardware and software implementations). The performance related viability of public key cryptographic systems still remains unresolved.

Difference in initial understanding

The following changes or differences in initial understanding between Mondex and the Australian due diligence team were identified:
* No "hot list" scheme is being developed by Mondex. Their approach to protecting value in the scheme is based on a "prevention, detection, and recovery" strategy. This makes the risk management database initiative crucial for the detection of value being added to the scheme. However, the due diligence team were unable to obtain any proof of the efficiency of the risk management database.
* The role of the Global Key Centre in the scheme has changed. Purse customisation/personalisation can now be undertaken anywhere (even at Issuers sites). Manufacturers will require a trusted facility from which to inject keys.
* Loyalty schemes can only be run on the present application by adding the scheme as a new currency (until MAOS is developed).
This has the effect of reducing the number of real currency purses. Also, how terminals will handle loyalty schemes is still up in the air.

MAOS (Multiple Application Operating System)

MAOS is a different operating system to the operating system employed for the Swindon Mondex trial. MAOS allows for simultaneous support and secure segregation of co-resident applications. Although multiple applications can exist on the current operating system, they co-process (i.e., share the same memory space).

MAOS is being developed to increase the value of the card to consumers, merchants, and members through the provision of a range of complementary business applications on one card. Mondex also sees a larger potential market for MAOS on non-Mondex cards.

The stated goal is to have MAOS capable of supporting:
* the Mondex purse application
* EMV debit/credit applications
* GSM
* Loyalty applications

The target date for an initial MAOS application is 1 January 1998.

The security requirements defined for MAOS are:
* Secure load and deletion of applications
* Secure segregation of co-resident applications
* Confidentiality of applications to prevent one application peeking or fishing in another application

ITSEC E6 evaluation (certification criteria used to guarantee a binding link between requirements and code) is to be used to enforce a disciplined development to ensure the security of the object code. This is essential to prove that the MAOS can be relied upon to prevent a member's application interfering with Mondex application (so that members can write their own applications without having them evaluated by Mondex and owners of other co-resident applications).

Risks

* MAOS is an ambitious project with high risk of failing to meet scheduled delivery.
* Failure to achieve E6 certification for the MAOS could lead to reduction in security and increase the risk associated with the entire scheme.
* There is a risk that MAOS will not become the industry standard as espoused by Mondex.

Other Matters

Discussions with Glendenning indicated that Commonwealth Bank views their Mondex "investment" purely as "having bought an option". Their belief appears to be that the underlying technology still has a way to go before implementation issues can be assessed in any detail.

Gavin Weekes
10/06/96
12 August, 1997