Unpicking PLAID: A Cryptographic Analysis of an ISO-standards-track Authentication Protocol
SSR 2014, RHUL, United Kingdom

Jean Paul Degabriele, Kenneth G. Paterson
Information Security Group, Royal Holloway, University of London

Victoria Fehr, Marc Fischlin, Tommaso Gagliardoni, Felix Günther, Giorgia Azzurra Marson, Arno Mittelbach
Cryptoplexity, TU Darmstadt

December 16th, 2014 | SSR 2014 | Victoria Fehr | 1

Protocol for Lightweight Authentication of IDentity

- contactless authentication protocol

Figure: a card (ICC) presented to a terminal (IFD); the terminal answers "Okay. You may enter."

Protocol for Lightweight Authentication of IDentity

- contactless authentication protocol
- developed by Centrelink
- AS 5185-2010
- submitted to ISO via fast track as ISO/IEC 25185-1

Figure: timeline 2006 (PLAID developed by Centrelink), 2010 (AS 5185-2010), 2014 (ISO/IEC 25185-1 via "Fast Track").

The PLAID Protocol

Figure: message flow between the terminal (IFD) and the card (ICC). The IFD holds keysets indexed by KeySetID, e.g. 7: (sk7, K7), 34: (sk34, K34), ...; the ICC holds the matching public halves, e.g. 2: (pk2, K2ID), 7: (pk7, K7ID), ..., where K7ID = AES_K7("Smarty") for the card with identity "Smarty".

1. IFD → ICC: (34, 7, ...)   [the KeySetIDs the terminal offers]
2. ICC → IFD: RSA_pk7(7, "Smarty", RND1, RND1)
3. IFD → ICC: AES_K7ID(AuthReq, RND2, payload, ksession)
4. ICC → IFD: AES_ksession(AuthResp, payload, "Smarty")

Both sides compute ksession = SHA(RND1 || RND2).
Channel secured with ksession (optional).

ISO/IEC 25185-1 – PLAID

“PLAID [...] is cryptographically stronger, faster and more private [...]” Centrelink PLAID Specification v8.0, 2009

“[...] strong authentication [...] in a fast, highly secure and private fashion without the exposure of [...] identifying information or any other information which is useful to an attacker.” ISO/IEC 25185-1.2, 2014

There is no security proof!

Keyset Fingerprinting Attack

ICC messages are not authenticated!

Figure: as on the protocol slide, the IFD holds 7: (sk7, K7), 34: (sk34, K34), ... and the ICC holds 2: (pk2, K2ID), 7: (pk7, K7ID), ... plus its ShillKey (pk∗, K∗). The first message is varied and the card's reply observed:

- KeySetID = (34, 7): ICC replies RSA_pk7(7, "Smarty", RND1, RND1)
- KeySetID = (34): ICC knows no keyset 34 and replies with the ShillKey, RSA_pk∗($)
- KeySetID = (2, 34, 7): ICC replies RSA_pk2(2, "Smarty", RND1, RND1)

Attack
- Add/Delete Keyset IDs in the first message
- Card uses first known Key or ShillKey
- Check if terminal responds with third message

⇒ Determine entire Keyset of a card (= Capabilities)

Privacy...

“[...] strong authentication [...] in a fast, highly secure and private fashion without the exposure of [...] identifying information or any other information which is useful to an attacker.” ISO/IEC 25185-1.2, 2014

ShillKey Fingerprinting Attack

Figure: the IFD sends KeySetID = (34, 7) to a card that holds only 2: (pk2, K2ID) and its ShillKey (pk∗, K∗); the card replies RSA_pk∗($). Which card is it?

What is ShillKey?
- "distress" key to prevent error messages
- randomly chosen per card during system setup
- unique per card (with high probability)

⇒ possibility of identifying cards! I.e., tracing cards!

ShillKey Fingerprinting – Scenario 1

Figure: card ICC1 with ShillKey pk1∗ = (N1, e1) receives KeySetID = ("3!4$") and answers with ciphertexts c, 1 ≤ RSA_pk1∗($) < N1. On an axis from 0 past 2^2047 to 2^2048, the samples c of each card stop at that card's modulus N1, N2, N3.

Phase 1 – Identification Phase:
- for every card i receive k1 encryptions RSA_pki∗($)
- estimate Ni according to the samples ("German Tank Problem")
  naive approach: Ni = 2 · µ_c
  better: Ni = max c + (max c)/k1

Phase 2 – Challenge Phase (unknown card ICC? with pk∗ = (N∗, e∗), sent KeySetID = ("value")):
- receive k2 encryptions RSA_pk∗($)
- estimate N∗ as in Phase 1
- guess card j with min_j |N∗ − Nj|

ShillKey Fingerprinting – Scenario 1 – Results

Figure: Simulation with k1 = 100 samples

Figure: Simulation with k1 = 1000 samples
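A simulation of Scenario 1, added here as an example; it is not code from the paper or the talk. It models each RSA_pk∗($) ciphertext as a value uniform on [1, N_i) (the picture the slide's axis plot draws), implements both German Tank estimators from the Identification Phase (naive 2·µ_c and max c + (max c)/k1), runs the Challenge Phase guess min_j |N∗ − N_j|, and compares the estimator error for k1 = 100 and k1 = 1000 samples as in the Results figures. The card moduli are constructed as evenly spaced 2048-bit values, and the function names (estimate_modulus, identify_card, shillkey_ciphertexts, simulate_scenario_1, estimator_precision) are this example's own.

```python
import random

# Constructed parameter for this example (not from the paper): RSA moduli of
# 2048 bits, as on the slide's axis from 2^2047 to 2^2048.
MODULUS_BITS = 2048


def estimate_modulus(samples, naive=False):
    """German Tank estimate of N from ciphertexts of random plaintexts.

    Samples are modelled as uniform on [1, N). The naive estimator is twice
    the sample mean (2 * mu_c); the better one is max c + max c / k.
    Integer arithmetic keeps it exact on 2048-bit values.
    """
    k = len(samples)
    if k == 0:
        raise ValueError("need at least one sample")
    if naive:
        return 2 * sum(samples) // k
    m = max(samples)
    return m + m // k


def identify_card(n_star, estimates):
    """Phase 2 guess: index j minimising |N* - N_j| over the Phase 1 estimates."""
    return min(range(len(estimates)), key=lambda j: abs(n_star - estimates[j]))


def shillkey_ciphertexts(rng, n, count):
    """Stand-in for observing RSA_pk*($) `count` times from a card with modulus n.

    Model assumption: an RSA ciphertext of a random value is spread over
    [1, N), so the only thing leaked here is the ciphertext magnitude.
    """
    return [rng.randrange(1, n) for _ in range(count)]


def simulate_scenario_1(t=3, k1=100, k2=100, seed=0):
    """Run Scenario 1 for t cards; returns the fraction identified correctly.

    Card moduli are constructed as evenly spaced 2048-bit values so that the
    cards are distinguishable; `seed` fixes the pseudo-random ciphertexts.
    """
    rng = random.Random(seed)
    low, high = 1 << (MODULUS_BITS - 1), 1 << MODULUS_BITS
    step = (high - low) // (t + 1)
    moduli = [low + (i + 1) * step for i in range(t)]  # constructed N_1..N_t

    # Phase 1 (Identification): k1 ciphertexts per known card -> estimate N_i
    estimates = [estimate_modulus(shillkey_ciphertexts(rng, n, k1)) for n in moduli]

    # Phase 2 (Challenge): an unknown card shows k2 ciphertexts -> estimate N*,
    # then pick the nearest Phase 1 estimate.
    hits = 0
    for true_j, n in enumerate(moduli):
        n_star = estimate_modulus(shillkey_ciphertexts(rng, n, k2))
        if identify_card(n_star, estimates) == true_j:
            hits += 1
    return hits / t


def estimator_precision(n, k, trials=50, seed=0, naive=False):
    """Mean relative error |N_hat - N| / N of an estimator over `trials` runs.

    Used to compare the naive and max-based estimators, and k1 = 100
    against k1 = 1000 as in the slide's simulations.
    """
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        n_hat = estimate_modulus(shillkey_ciphertexts(rng, n, k), naive)
        total += abs(n_hat - n) / n
    return total / trials


if __name__ == "__main__":
    n = 1 << (MODULUS_BITS - 1)
    print("identification rate, k1 = k2 = 100:", simulate_scenario_1(k1=100, k2=100))
    print("naive estimator, k = 100, rel. error:", estimator_precision(n, 100, naive=True))
    print("max-based estimator, k = 100, rel. error:", estimator_precision(n, 100))
    print("max-based estimator, k = 1000, rel. error:", estimator_precision(n, 1000))
```

The max-based estimator's error shrinks roughly like N/k1, which is why the k1 = 1000 run fingerprints cards more tightly than k1 = 100; the evenly spaced moduli are a best case, and two cards whose ShillKey moduli lie closer together than that error remain confusable.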

ShillKey Fingerprinting – Scenario 2

Let t = #Cards in the System.

Phase 1 – Identification Phase:
- receive k1 · t random samples RSA_pk∗($) (the samples are not labelled by card)
- estimate Ni according to the samples: standard clustering technique based on the k-means algorithm

Phase 2 – Challenge Phase:
- receive k2 encryptions RSA_pk∗($)
- estimate N∗ as in Scenario 1 Phase 1
- guess card j with min_j |N∗ − Nj|

Figure: the unknown card ICC? with pk?∗ = (N?, e?) answers KeySetID = ("value") with RSA_pk?∗($); the pooled samples c on the axis from 0 past 2^2047 to 2^2048 are clustered to recover N1, N2, N3, N4.

ShillKey Fingerprinting – Scenario 2 – Results

Figure: Simulation with k1 = 100 samples

Figure: Simulation with k1 = 1000 samples

General Concerns

Figure: the protocol flow annotated with the concerns listed below. The IFD holds 7: (sk7, K7), 34: (sk34, K34), ...; the ICC holds 2: (pk2, K2ID), 7: (pk7, K7ID), ... and its ShillKey (pk∗, K∗). Messages: (KeySetIDs); RSA_pk#i(#i, ID, RND1, RND1); AES_K#iID(AuthReq, RND2, payload, ksession); AES_ksession(AuthResp, payload, ID); channel secured with ksession (optional).

- first message (KeySetIDs) not authenticated! → Key Legacy Attack → Key Revocation?
- non-standard use of PKE
- PKCS#1 v1.5 padding used
- trial decryptions?!
- CBC mode with IV = 0
- no forward secrecy!
- sending payload to the card
- static entity authentication
- reusing session key
- non-standard padding

Timeline

Figure: 2006 (PLAID), 2010 (AS 5185-2010), 2014 (ISO/IEC 25185-1 via "Fast Track"), 2015 (RWC, ?).

Thank you for your attention!