8

Why is it that common smartcards like the SLE5528 are almost always limited to <16K of available memory, and a very slow 8 bit processor? What is the limiting factor that makes it technologically/economically infeasible to raise these limits?

EDIT: Maybe I should give some more background on why I'm asking this question. For a customer at work we had to integrate a smartcard module which basically acted as a keystore (similar to the ones you can use in high-level programming libraries like PKCS11). We were constantly hitting the limits of this device (can't store more than a few keys, can't store any key larger than 1k, have to wait at least 5 seconds before fetching the key list, etc.). The only person at our supplier's end I could reach was a vendor that gave me the "That's the way smartcards work" answer. It's not like there is no real market for storing RSA keys of size >4K on a card. I'd love to know the real reason behind this.

JDoe
  • 93
  • 4
  • It's possible that the market for cards with more resources is small and not lucrative enough for the manufacturer. Unless you ask a manufacturer, this question leaves a lot to speculation. – Nick Alexeev Dec 12 '15 at 18:33
  • Division of functionality - the smart card isn't intended to do more than identify-specific tasks. People have proposed hacks like running Android on a SIM, but it's just not the right place in the overall design of a product to do that. – Chris Stratton Dec 12 '15 at 18:35
  • Yeah, I have always been wondering why they do not run on octa core pentiums... – PlasmaHH Dec 12 '15 at 18:39
  • "Limited" - compared to what. Why should it need to have any more? – Andy aka Dec 12 '15 at 19:25
  • @ChrisStratton I can understand that, but even within the field of authentication and accounting it falls short. A good example of that are the OpenPGP cards, on which the key size is very restrictive, which eventually drove people to use usb sticks for PGP signing purposes instead of smartcards. – JDoe Dec 12 '15 at 19:26
  • @Andyaka Storing a 4096 RSA key would be a start. An entry model smartcard can't do this. Our vendor even suggested we switch to ECC to mitigate this limitation. – JDoe Dec 12 '15 at 19:27
  • Note that a SIM is just a smartcard with the plastic cut away. I'm also surprised that larger ones aren't available; there are some RFID cards that can store 4k. – pjc50 Dec 12 '15 at 19:58

2 Answers2

11

Why is it that common smartcards like the SLE5528 are almost always limited to <16K of available memory, and a very slow 8 bit processor? What is the limiting factor that makes it technologically/economically infeasible to raise these limits?

It's the extra price caused by the security features that drive up the price. Technically you can't compare the non volatile memory of smart-cards with normal flash or eeprom memory. For example it is possible to open up normal flash memory, bond wires onto the die and read out the memory content. With smart-cards this should not be possible (or more realistically: It should be so complicated and expensive that it's not worth it).

The same is true for the CPU. Smart-card CPUs have a ton of built-in security features that aren't required for normal CPUs at all. They should for example not leak any information on the code that they execute by the amount of current they draw, or leak anything by RF radiation.

That said, all these side-channel blindings have a price not only in the manufacturing cost but also in computational performance. It's just more important to be secure than to be fast.

That said, smart-cards with more memory are available. You can buy them with more than 100kb memory. They are expensive though.

The recommendation in the comments to change the keys from RSA to ECC is a very good one. The key size of ECC compared with RSA at the same level of security is much smaller. So you get more out of your limited non volatile memory. ECC is also likely to be faster.

Nils Pipenbrinck
  • 5,087
  • 1
  • 19
  • 28
7

That's the way smartcards work. If you want a USB stick, you know where to find it.

Smartcards are designed for security. They're designed to be tamper resistant. They're designed to store secrets and to commit suicide rather than give up their secrets. You can't (with reasonable effort, barring implementation flaws) extract the data from it, or clone it.

Smartcards are (supposed to be) designed so that if you try to bypass the software interface and read their memory directly, you can't. The only external interfaces are power and serial lines. Everything else is inside a Faraday cage (to counter emissions measurements) which is protected by a layer of corrosive chemicals (acids, I think) so that if you try to make a hole in the protection layer, the chip (especially the memory) will be damaged beyond recovery.

The chip is engineered to draw constant power, to avoid leaking information through power consumption. It's also engineered to allow operations to take constant time. So smartcard chips don't have hardware optimizations such as instruction pipelines or power management to reduce heat dissipation. Smartcard chips often contain parts that don't actually serve any purpose, to make emissions and power draw more constant or harder to analyze, and to make reverse engineering difficult.

A number of things make smartcards slower than non-security-sensitive chips. Since smartcards don't have their own power supply, they need to write to flash memory fairly often — they can't afford to cache things in RAM. Otherwise the adversary could cut the power at advantageous (for him) times. Software has to use constant-time algorithms (to avoid timing attacks), not the fastest algorithm possible. Software has to be written with redundancies, in case the adversary shines a laser at the card to flip some bits in memory and put the software in a state that shouldn't have been reachable (yes, that's a real attack).

Security measures such as these have a cost. Furthermore, since attacks keep improving, the design of the chips has to keep up. Most types of chips become more and more powerful following Moore's law, but with smartcards, the engineering improvements are mostly absorbed by the need to counter new attacks.

There are cards that support 4k RSA keys. But they're uncommon. A few years ago, Java Card 3 was introduced to support almost all the features of the Java language; I think a card capable of doing that would be capable of signing with 4k RSA. But they haven't really taken, partly because engineering improvements are taken up by increasing security protections, and partly because a lot of engineering improvements have gone into contactless cards, which require less power draw and faster response times.

But there isn't much of a market for 4k RSA. As smartcards were reaching that point, ECC became widely available. You can get the same security level as 4k RSA with much smaller ECC keys. The only drawback of switching from RSA to ECC is support for the algorithm throughout your infrastructure, but embedded devices such as smartcards are the hardest part: pretty much anything server-side supports ECC these days.

If you really need something more powerful, there exist USB dongles with “real” computing power, that can store cryptographic keys and perform cryptographic operations with a PKCS#11 interface. These dongles don't have nearly the same physical tamper resistance as a typical PKCS#11. It's a compromise between security and performance.

Further reading:

Community
  • 1
Gilles 'SO- stop being evil'
  • 240
  • 2
  • 15