Limitations of the SmartPGP app?

Duckliffe · August 21, 2023, 2:25pm

So I was looking at the repository for the SmartPGP app (GitHub - github-af/SmartPGP: SmartPGP is a JavaCard implementation of the OpenPGP card specifications) and I saw that there are a number of limitations around Secure Messaging - can anyone explain what this means in laymans terms? I’m a software engineer, I’ve studied the basics of encryption academically, and I’ve used PGP before, but this isn’t really my area so I’m wondering if someone who’s more knowledgeable than me could give me a TL;DR

amal · August 21, 2023, 4:43pm

@StarGate01 correct me if I’m wrong here… but…

Okay so… when you want to communicate with some other machine, you can do it through plain text or unencrypted communication… You can send your bites and bits over a modem, DSL, cable modem, Wi-Fi, whatever your medium is… even NFC … you can send and receive data unencrypted…

Or… If the machine is smart enough, you can set up a secure encrypted channel using diffie helman key exchange or something similar so you don’t have to share a symmetric key to get a secure channel set up… just like how your browser can set up a secure channel over SSL with the web server.

“Secure channel” is just a way to ensure the data flowing to and from the secure element over NFC is done so through a secure channel.

The code required to set up an operate this secure channel is a little chunky, and it’s a pretty narrow attack vector because a sniffer would have to be physically between your NFC reader and the NFC transponder… so the benefit vs memory use isn’t typically worth it for most people, hence there is a version without secure channel support for chips with ram and eeprom limitations.

BryanJacobs · August 22, 2023, 9:28am

I think you’ve got the core right and some of the details not quite right.

Yes, Secure Messaging is about securing the link between the smartcard and the computer using it.
You can’t set up a secure channel without either a shared secret or a trusted third party, because without one of those things you can “secure” a channel to the wrong person. You don’t just want encryption, you also want some way to verify you’re encrypting stuff TO someone who isn’t a malicious attacker. Diffie-Helman lets you have an encrypted channel without a shared secret, but it doesn’t solve the problem of you doing DH to the attacker, and then the attacker doing DH to the intended recipient of your traffic.
The SmartPGP app’s “Secure Messaging” feature uses a key generated on the card and shared with the host(s) as that shared secret.
NFC nominally operates at a short range, but researchers have been able to use directional antennas to intercept realistic traffic from over 20ft away (with line-of-sight). I think it’s very safe to assume that nobody will realistically eavesdrop on an NFC channel, but it’s not technically impossible with good equipment.

Agreeing with the bulk of what @amal said, my summary is that a SmartPGP app without “Secure Messaging” support is marginally more vulnerable to having private keys you load to/from the card (not ones generated ON the card) intercepted over an NFC link. That said, the cryptography used for the “Secure Messaging” is also not state of the art, sooooo… not a huge difference.

amal · August 22, 2023, 5:34pm

Thanks Bryan!

I’m super interested in seeing an example of this. I’ve only ever seen people attacking UHF cards at this range over backscatter and that’s just not same thing.

BryanJacobs · August 22, 2023, 10:25pm

https://ietresearch.onlinelibrary.wiley.com/doi/10.1049/joe.2013.0087 shows eavesdropping of real 14443 traffic at 1m. https://arxiv.org/pdf/2001.08143.pdf shows active interference at 50cm, https://www.cs.ru.nl/~erikpoll/papers/rfidgate.pdf (good paper) at 50cm, and Range Extension Attacks on Contactless Smart Cards | SpringerLink at 1m (note: timing constraints cap how far away you can actively interfere very well. Thanks, physics). RFID Reader Snoops Cards From 3 Feet Away | Hackaday is a practical construction. https://dl.acm.org/doi/10.1145/3387514.3406219 exceeds 3m.

There’s more out there, and I didn’t immediately find the paper I read before using a directional antenna instead of a loop, but these all show the read range of 13.56Mhz in active mode is “a few meters” not a tiny number of centimeters.

It’s definitely not the case that the interceptor needs to be “between”. It just has to be around. Active attacks are quite hard and need to be close. Passive sniffing is medium-hard and needs to be medium-close.