Aug 07 2008

Emeralda Engine

FractalizeR @ 8:30 pm

Emeralda Engine is a client-server suite for secure java card applets upgrade over insecure networks.

1. Introduction

As time goes by, cracking/cloning GSM software becomes a business. That’s why more and more GSM software developers want to protect their products better and better. Almost all known types of protection now can be cracked/cloned starting from the easiest ones (software protectors only, like Armadillo, Themida etc.) and ending with complex hardware solutions based on some kind of microprocessors + software protection. The reason is simple. Almost all kinds of memory can be easily read and almost all kinds of electronic boards can be easily examined and cloned. And all software protectors can be removed from software. The only question here is time needs for cracking.

But still exists at least one type of protection, that can not be cracked. This type is Schlumberger Smart-Cards.

What smart-card is

Smart-card is a small card, of the size like usual GSM SIM cards. Inside this card exists some kind of microcomputer with it’s own processor, small amount of memory. A computer, that was created to keep your secrets… Smart card is connected to PC via small simple USB device called Smart-Card Reader. This reader is like a bridge between smart-card and computer.

Smart-Card Architecture

As said above, smart-card is a microcomputer. Microcomputer with 32Kb memory on-board and cryptographic co-processor, accelerating execution of encryption and decryption blocks of data. Smart-card has in-built support for various cryptographic algos like various CRCs, DES, RSA, secure random numbers generator etc.

Smart-card can have several programs inside, that are called applets. These programs can be written in one of the variants of Java language, that is very easy to learn. Applets can communicate with software from PC using in-out buffer, that allows you to pass commands to your applet and to get results from your applet with few lines of code.

You can easily put your applets to your card if you know card access codes, but nobody including you even knowing codes can’t read applets from card. Under any condition applet source can’t be read from smart-card. This makes your card some kind of safe for your know-how technologies.

Smart card reliability

Reliability of Schlumberger Smart-Cards is confirmed by such a giants in business like Visa, MasterCard and many others. Smart-cards are used as authentication marks, digital signature containers, digital wallets and other holders of VERY important data. There was never a precedent of successful reading applet’s code or applet’s internal data from smart-card in whole world.

2. Protecting GSM software with Smart-Cards

How to?

In process of unlocking/flashing almost any phone there is some algo of processing information (for example, calculating IMEI checksums, various CRCs calculation, decrypting small blocks of data, etc.) This algo can be simply converted to smart-card applet. And after that your software will read some data from phone, that needs to be processed, send it to your applet and then receive back already processed. That’s all!

Algo’s, that should never been put to card

Of course, any protection, even the most powerful, should be correctly applied. Simply checking smart-card presence from software will not make your protection strong. So, there are several kinds of algos, putting which to smart-card will not improve your protection:

• Decryption of static (constant) data blocks, that come from software (PC) (for example, loaders decryption)
• Very easy-to-guess algos (like CRC32 calculations or XOR FFh decryption)
• Static data itself (table of software versions for example)

3. FractalizeR’s Emeralda Engine

What is this?

Of course, simply putting algos to dongle is not enough. Time passes, new phone models appear, algos inside the dongle should be updated, because, if you will put algo for a new model only to soft – this new software can be easily cracked. So you need dongle upgrade system. But, you can’t simply provide file with applet’s source to every user, because hacker can easily extract your algos from it. Also, you need control over all dongle upgrade process (for example, you may need to disable upgrade for some dongle, grant your resellers access their users’ accounts etc.). So, let me introduce to you my smart-card secure update engine: FractalizeR’s Emeralda Engine. All this can be easily done with a help of it.
Emeralda uses advantages of built-in smart-card secure communication protocol to make dongle upgrades safe, so you can be sure, that nobody will be able to extract your applets from any part of traffic, sent to client, or sent by client to smart-card. Emeralda server generates encrypted and signed stream of data, that is transmitted to upgrade client. Client sends stream in encrypted and signed untouched form directly to smart-card and only smart-card itself decrypts and verifies that stream, accepts applets and run internal commands, that are contained inside data stream. So, nobody have access to command source except server and smart-card itself. Data stream can be intercepted and examined by hacker, but it will be useless, because data stream is encrypted and only smart-card, this stream is generated for, can decrypt it.

Emeralda Engine as it is

Emeralda engine is a standalone set of software components, that provides ability to securely and remotely update user dongles, control upgrade process, control user accounts etc. Here are main features of Emeralda:

  • Remote secure update of smart-cards – client and server applications
  • Multithreaded server
  • User accounts database
  • IP and dongle black list
  • Logging of security violations
  • Logging whole process of dongle upgrade for each user
  • No need in source code of your project. Emeralda is fully stand-alone.

Emeralda server requirements:

  • Usual PC, preferably not slower than PIII-700.
  • 128Mb (better 256Mb) of memory
  • Any type of Internet connection with static or dynamic (in this case no-ip.com services can be used) IP with speed preferably not slower than 10-15Kb/sec (maximum amount of traffic per client session is about 34Kb)
  • Minimum 150Mb (500Mb or more is recommended) free space available on HDD
  • Windows 2000/XP/2003 (Windows 98 is probably supported too, but not tested)

What I suggest?

  • Emeralda engine-based client and server and tools
  • Consultations on all questions related to using Schlumberger cards for protection
  • Consultations on moving to Schlumberger cards protection of already existing project
  • Consultations on software protection itself
  • Custom improvements and additions for Emeralda server and client like additional data check, storing and retrieving additional data from user’s database, mailing lists support via all server’s database, custom parameters to check by server etc. on demand
  • Additionally, I can help in your web-site enhancement: dynamic news on site, forum establishing, protected support area for your product, professional support of your users etc.

What’s new in Emeralda v1.5:

Multiple card types supported:

• SCP01 and SCP02 card protocols supported and that covers most of currently available card types.
• Updated Emeralda client-server protocol allows to support different card types and different applets for each card type

Security improved:
• Per-card unique access keys supported
• Master key protection added to server and to card programmer
• Same-keys secure session bug patched

New smartcard communication libraries:
• Transparent T=0 (e-gate and similar cards) and T=1 (some new cards) communication protocols support
• Refactored design allows easy library extensibility

Refactored client-server protocol support
• New action-based client interface and new status messages to allow/deny client actions
• New action-based internal server architecture
• Card registration infrastructure

Multithreaded card programmer
• Based on Emeralda components and smartcard communication library
• Allows to program several cards at once (using USB hub for example)

Other:
• Database schema simplified (changed completely) to provide an ease of DB administration using standard tools like PHPMyAdmin
• Developer mode for server and programmer introduced to distinguish between production and development cards

Emeralda powered projects:

10 Responses to “Emeralda Engine”

  1. Emeralda Smart Card Upgrade Client-Server Suite 1.5 from FractalizeR available - GSM-Forum says:

    […] that Emeralda 1.5 is almost complete. New customers can check Emeralda description here FractalizeR’s WebSite and here: Smart-card-based protection services offer for developers A brief summary of new […]

  2. Emeralda Smart Card Upgrade Client-Server Suite 1.5 from FractalizeR available | RaDpHoNE Blog's says:

    […] customers can check Emeralda description here FractalizeR’s WebSite and here: […]

  3. Emeralda Smart Card Upgrade Client-Server Suite 1.5 from FractalizeR available | BEC Blog says:

    […] customers can check Emeralda description here FractalizeR’s WebSite and here: […]

  4. Emeralda 1.5: new card types supported, security improved, card programmer added says:

    […] So, I'm just announcing, that Emeralda 1.5 is almost complete. Emeralda description is available here and here. A brief summary of new features in 1.5: Multiple card types supported: • SCP01 and […]

Leave a Reply

You must be logged in to post a comment. Login now.