Sustainable reuse: the adaptive reuse of the Chattanooga ...
Key Reuse: Theory, Practice, and Future · Key Reuse: Theory, Practice, and Future Kenny Paterson...
Transcript of Key Reuse: Theory, Practice, and Future · Key Reuse: Theory, Practice, and Future Kenny Paterson...
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Key Reuse: Theory, Practice, and Future
Kenny PatersonRoyal Holloway, University of London
based on joint work withJean Paul Degabriele, Tibor Jager, Anja Lehmann, Jacob C.N. Schuldt,
Nigel P. Smart, Juraj Somorovsky, Martijn Stam, Mario Strefler, Susan Thomson
ECRYPT-II – Crypto for 2020
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 1/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Outline
1 Key Separation, Key Reuse, and Cryptographic Agility
2 Joint Security
3 Key Reuse in EMV
4 Cryptographic Agility
5 BC Attacks
6 Looking Ahead to 2020
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 2/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Motivation for Key Reuse
Reusing an asymmetric key-pair in different primitives can reduce:
Storage requirements for certificates and keys;Costs of key certification;Net certificate verification time;Footprint of cryptographic code and development effort.
. . . but breaks the key separation principle of using different keys fordifferent purposes.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 3/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Motivation for Key Reuse
Reusing an asymmetric key-pair in different primitives can reduce:
Storage requirements for certificates and keys;Costs of key certification;Net certificate verification time;Footprint of cryptographic code and development effort.
. . . but breaks the key separation principle of using different keys fordifferent purposes.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 3/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Scope of Reuse
Reuse is not restricted to “encryption + signatures”, nor to theasymmetric setting:
Could be, for example, “signature + static DH value” in a morecomplex protocol.
We may wish to reuse a key in the symmetric setting, e.g. CCMmode (CTR + CBC-MAC).
We may wish to use the same key in two different algorithms forthe same primitive, e.g. RSA-OAEP and RSA-PKCS#1v1.5, orAES-CBC and AES-GCM.
– As in the most recent edition of the XML standards.– Related to the concept of cryptographic agility, Acar et al.,
EUROCRYPT’10.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 4/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Key Reuse and Certificate Standards
X.509:Certificate contains algorithm identifiers for the signing algorithmused to create the certificate itself.But not necessarily any information about for which purposes thecertified public key can be used.Nor in which specific algorithms the certified public key can beused.X.509 extensions define Key Usage and Subject Public Key Infofields, but plenty of flexibility . . .
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 5/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Key Usage Extension
RFC 5280 (X.509v3):The key usage extension defines the purpose (e.g.,encipherment, signature, certificate signing) ofthe key contained in the certificate. The usagerestriction might be employed when a key thatcould be used for more than one operation is tobe restricted.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 6/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Key Usage Extension
RFC 5280 (X.509v3):KeyUsage ::= BIT STRING {
digitalSignature (0),nonRepudiation (1),keyEncipherment (2),dataEncipherment (3),keyAgreement (4),keyCertSign (5),cRLSign (6),encipherOnly (7),decipherOnly (8) }
RFC 5280 (X.509v3):This profile does not restrict the combinationsof bits that may be set in an instantiation of thekeyUsage extension.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 7/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Main Question
Given that key reuse in all its forms is common in practice, what canwe say about its security?
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 8/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Joint Security of Signature and Encryption
Haber and Pinkas, Securely Combining Public-KeyCryptosystems, CCS’01:
First formal security models for joint security.Secure combinations for some schemes in the random oraclemodel.Only partial solutions in the standard model.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 9/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Joint Security of Signature and Encryption
Coron, Joye, Naccache and Paillier, Universal Padding Schemesfor RSA, CRYPTO’02:
Signature padding scheme PSS also gives IND-CCA secureencryption.Resulting encryption and signature schemes can securely usesame RSA key-pair.Proof of joint security in ROM.
Komano and Ohta, Efficient Universal Padding Techniques forMultiplicative Trapdoor One-Way Permutation, CRYPTO’03:
Consider OAEP+ and REACT encodings, also in ROM.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 10/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Joint Security of Signature and Encryption
Coron, Joye, Naccache and Paillier, Universal Padding Schemesfor RSA, CRYPTO’02:
Signature padding scheme PSS also gives IND-CCA secureencryption.Resulting encryption and signature schemes can securely usesame RSA key-pair.Proof of joint security in ROM.
Komano and Ohta, Efficient Universal Padding Techniques forMultiplicative Trapdoor One-Way Permutation, CRYPTO’03:
Consider OAEP+ and REACT encodings, also in ROM.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 10/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Joint Security of Signature and Encryption
P., Schuldt, Stam and Thomson, On the Joint Security ofEncryption and Signature, Revisited, ASIACRYPT’11 [PSST11]:
Target: to find new constructions for jointly secure combinedschemes in the standard model.
Main contributions:A trivial Cartesian product construction for benchmarking.
A generic construction from IBE:Naor trick + CHK transform + domain separation.
An efficient, specific construction using pairings.
(Applications to signcryption.)
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 11/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Joint Security of Signature and Encryption
P., Schuldt, Stam and Thomson, On the Joint Security ofEncryption and Signature, Revisited, ASIACRYPT’11 [PSST11]:
Target: to find new constructions for jointly secure combinedschemes in the standard model.
Main contributions:A trivial Cartesian product construction for benchmarking.
A generic construction from IBE:Naor trick + CHK transform + domain separation.
An efficient, specific construction using pairings.
(Applications to signcryption.)
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 11/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
The EMV Specification
EMV is the de facto global standard for IC credit/debit cards –Chip & PIN.
As of Q2 2012, there were 1.55 billion EMV cards in useworldwide.
The specification defines the inter-operation of IC cards withPoint-of-Sale (PoS) terminals and Automated Teller Machines(ATMs) .
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 12/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
The EMV Specification
EMV is the de facto global standard for IC credit/debit cards –Chip & PIN.
As of Q2 2012, there were 1.55 billion EMV cards in useworldwide.
The specification defines the inter-operation of IC cards withPoint-of-Sale (PoS) terminals and Automated Teller Machines(ATMs) .
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 12/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
The EMV Specification
EMV is the de facto global standard for IC credit/debit cards –Chip & PIN.
As of Q2 2012, there were 1.55 billion EMV cards in useworldwide.
The specification defines the inter-operation of IC cards withPoint-of-Sale (PoS) terminals and Automated Teller Machines(ATMs) .
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 12/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
EMV Cards
An EMV card contains a chip which allows it to performcryptographic computations.
All EMV cards contain a symmetric key which it shares with theIssuing Bank.
Most cards are also equipped with RSA keys to computesignatures for card authentication and transaction authorization,and to encrypt the PIN between the terminal and the card.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 13/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Key Reuse in EMV
Given the constrained on-card processing environment, reducingthe storage and computation consumed by the cryptographicfunctions in EMV is very important.
The EMV standard allows the same RSA key-pair to be used forboth PIN encryption and CDA signature generation.
Encryption and signature algorithms are based on theRSA-PKCS#1v1.5 standards.
Is this key reuse is detrimental to the security of the EMV systemor not?
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 14/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Wedge Attacks
A wedge is a special device interposed between the card and theterminal which allows MITM attacks to be carried out on the EMVprotocols.
Such attacks received a lot of publicity because of an Oakland2010 paper by Murdoch et al. – the so-called “CambridgeAttack”.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 15/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Wedge Attacks
A wedge is a special device interposed between the card and theterminal which allows MITM attacks to be carried out on the EMVprotocols.
Such attacks received a lot of publicity because of an Oakland2010 paper by Murdoch et al. – the so-called “CambridgeAttack”.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 15/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Wedge Attacks
Picture source:www.cl.cam.ac.uk/research/security/banking/relay
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 16/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
An Attack on EMV
Degabriele, Lehmann, P., Smart and Strefler, On the JointSecurity of Encryption and Signature in EMV, CT-RSA’12[DLPSS12]:
A wedge attack exploiting the reuse of RSA keys in an EMV cardto allow an attacker to make transactions without knowing thecard’s PIN.
The attack is only applicable to a CDA card in an offlinetransaction.
The attack would still work even if the countermeasures againstthe Cambridge Attack were in place!
The attack is a variant of Bleichenbacher’s attack against RSAwith PKCS#1v1.5 encoding (CRYPTO’98).
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 17/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
PIN Encryption in EMV
Encoding used in EMV for PIN encryption:
7F || PIN block || ICC challenge || Random padding
where the PIN block and the ICC Challenge (from the card) are 8bytes long.
Upon decryption the card performs multiple checks.
If test for ‘7F’ byte is carried out first, and its success or failurecan be distinguished (e.g. via timing or power analysis), then aBleichenbacher-style attack may be possible.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 18/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
PIN Encryption in EMV
Encoding used in EMV for PIN encryption:
7F || PIN block || ICC challenge || Random padding
where the PIN block and the ICC Challenge (from the card) are 8bytes long.
Upon decryption the card performs multiple checks.
If test for ‘7F’ byte is carried out first, and its success or failurecan be distinguished (e.g. via timing or power analysis), then aBleichenbacher-style attack may be possible.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 18/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
PIN Encryption in EMV
Encoding used in EMV for PIN encryption:
7F || PIN block || ICC challenge || Random padding
where the PIN block and the ICC Challenge (from the card) are 8bytes long.
Upon decryption the card performs multiple checks.
If test for ‘7F’ byte is carried out first, and its success or failurecan be distinguished (e.g. via timing or power analysis), then aBleichenbacher-style attack may be possible.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 18/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Using Bleichenbacher to Forge Signatures
View Bleichenbacher’s attack as a black box, which when given avalid ciphertext c and access to a ciphertext-validity oraclerecovers the underlying (encoded) message m.
The attack inverts the RSA function m→ me mod N.
The same key-pair is used for RSA encryption and RSAsignatures.
So Bleichenbacher’s attack can also be used to forge RSAsignatures!
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 19/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Using Bleichenbacher to Forge Signatures
View Bleichenbacher’s attack as a black box, which when given avalid ciphertext c and access to a ciphertext-validity oraclerecovers the underlying (encoded) message m.
The attack inverts the RSA function m→ me mod N.
The same key-pair is used for RSA encryption and RSAsignatures.
So Bleichenbacher’s attack can also be used to forge RSAsignatures!
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 19/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Using Bleichenbacher to Forge Signatures
View Bleichenbacher’s attack as a black box, which when given avalid ciphertext c and access to a ciphertext-validity oraclerecovers the underlying (encoded) message m.
The attack inverts the RSA function m→ me mod N.
The same key-pair is used for RSA encryption and RSAsignatures.
So Bleichenbacher’s attack can also be used to forge RSAsignatures!
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 19/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Using Bleichenbacher to Forge Signatures
View Bleichenbacher’s attack as a black box, which when given avalid ciphertext c and access to a ciphertext-validity oraclerecovers the underlying (encoded) message m.
The attack inverts the RSA function m→ me mod N.
The same key-pair is used for RSA encryption and RSAsignatures.
So Bleichenbacher’s attack can also be used to forge RSAsignatures!
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 19/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
The Attack on a CDA Transaction
CARD WEDGE TERMINAL
card in
authentication
phase
terminal in
authentication
phase
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 20/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
The Attack on a CDA Transaction
Card Authentication
CARD WEDGE TERMINAL
card in
authentication
phase
terminal in
authentication
phase
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 20/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
The Attack on a CDA Transaction
Card Authentication
CARD WEDGE TERMINAL
PIN: $$$$
card in
authentication
phase
terminal in
authentication
phase
terminal in
cardholder
phase
verification
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 20/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
The Attack on a CDA Transaction
Card Authentication
CARD WEDGE TERMINAL
PIN: $$$$
PIN OK
card in
authentication
phase
terminal in
authentication
phase
terminal in
cardholder
phase
verification
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 20/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
The Attack on a CDA Transaction
Card Authentication
CARD WEDGE TERMINAL
PIN: $$$$
PIN OK
Request TC + Payload
card in
authentication
phase
terminal in
authentication
phase
terminal in
cardholder
phase
verification
terminal in
transaction
phase
authorization
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 20/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
The Attack on a CDA Transaction
Card Authentication
CARD WEDGE TERMINAL
PIN: $$$$
PIN OK
Request TC + Payload
card in
authentication
phase
terminal in
authentication
phase
terminal in
cardholder
phase
verification
terminal in
transaction
phase
authorization
c← ρeµ
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 20/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
The Attack on a CDA Transaction
Card Authentication
CARD WEDGE TERMINAL
PIN: $$$$
PIN OK
Request TC + Payload
card in
authentication
phase
terminal in
authentication
phase
terminal in
cardholder
phase
verification
terminal in
transaction
phase
authorization
card in
phase
cardholder
verification
c← ρeµ
(7F) Y/N
c1
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 20/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
The Attack on a CDA Transaction
Card Authentication
CARD WEDGE TERMINAL
PIN: $$$$
PIN OK
Request TC + Payload
card in
authentication
phase
terminal in
authentication
phase
terminal in
cardholder
phase
verification
terminal in
transaction
phase
authorization
card in
phase
cardholder
verification
c← ρeµ
(7F) Y/Nc2
(7F) Y/N
c1
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 20/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
The Attack on a CDA Transaction
Card Authentication
CARD WEDGE TERMINAL
PIN: $$$$
PIN OK
Request TC + Payload
card in
authentication
phase
terminal in
authentication
phase
terminal in
cardholder
phase
verification
terminal in
transaction
phase
authorization
card in
phase
cardholder
verification
c← ρeµ
(7F) Y/Nc2
(7F) Y/N
(7F) Y/N
c1
cn
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 20/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
The Attack on a CDA Transaction
Card Authentication
CARD WEDGE TERMINAL
PIN: $$$$
PIN OK
Request TC + Payload
TC + Signature
card in
authentication
phase
terminal in
authentication
phase
terminal in
cardholder
phase
verification
terminal in
transaction
phase
authorization
card in
phase
cardholder
verification
c← ρeµ
(7F) Y/Nc2
(7F) Y/N
(7F) Y/N
c1
cn
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 20/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Performance (1024 bit keys)
Number of queries
Pro
babi
lity
of n
eedi
ng r
ough
ly X
que
ries
2000 4000 6000 8000 10000
0e+
002e
−04
4e−
046e
−04
8e−
041e
−03
We stress that we did not implement the attack in practice.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 21/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Performance (1024 bit keys)
Number of queries
Pro
babi
lity
of n
eedi
ng r
ough
ly X
que
ries
2000 4000 6000 8000 10000
0e+
002e
−04
4e−
046e
−04
8e−
041e
−03
We stress that we did not implement the attack in practice.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 21/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
The Future of EMV
EMV Co is considering the adoption of elliptic curvecryptography in future versions of the EMV standards.
More specifically, they are thinking of using:
– ECIES (ISO/IEC 18033-2) for PIN encryption.
– EC-DSA or EC-Schnorr (ISO/IEC 14888-3:2006) to compute digitalsignatures.
Another result of [DLPSS12]: the two resulting configurations arejointly secure (in ROM/GGM, under reasonable assumptions).
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 22/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
The Future of EMV
EMV Co is considering the adoption of elliptic curvecryptography in future versions of the EMV standards.
More specifically, they are thinking of using:
– ECIES (ISO/IEC 18033-2) for PIN encryption.
– EC-DSA or EC-Schnorr (ISO/IEC 14888-3:2006) to compute digitalsignatures.
Another result of [DLPSS12]: the two resulting configurations arejointly secure (in ROM/GGM, under reasonable assumptions).
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 22/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Cryptographic Agility
Acar, Belenkiy, Bellare and Cash, Cryptographic Agility and itsRelation to Circular Encryption, EUROCRYPT’10:
Cryptographic agility concerns the use of the same key inmultiple algorithms of the same type.
Individual algorithms may be secure, but joint use with same keymay not!
OK for CRHF and IND-CPA PKE, but insecure in general foralmost everything else.
Use algorithm identifier as input to key derivation to achievesuitable key separation from a single starting key.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 23/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Backwards Compatibility Attacks
Jager, P. and Somorovsky, One Bad Apple: BackwardsCompatibility Attacks on State-of-the-Art Cryptography,NDSS’13 [JPS13]:
Standards get updated, but “insecure algorithms” are still included forbackwards compatibility reasons:
GSM supports A5 variants with different strengths.
SSL/TLS still uses PKCS#1v1.5.
Web Services servers support AES-CBC and PKCS#1v1.5.
JSON Web Encryption servers support PKCS#1v1.5.
What could possibly go wrong?
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 24/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Backwards Compatibility Attacks
Jager, P. and Somorovsky, One Bad Apple: BackwardsCompatibility Attacks on State-of-the-Art Cryptography,NDSS’13 [JPS13]:
Standards get updated, but “insecure algorithms” are still included forbackwards compatibility reasons:
GSM supports A5 variants with different strengths.
SSL/TLS still uses PKCS#1v1.5.
Web Services servers support AES-CBC and PKCS#1v1.5.
JSON Web Encryption servers support PKCS#1v1.5.
What could possibly go wrong?
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 24/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Backwards Compatibility Attacks
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 25/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Backwards Compatibility Attacks
More interesting attack:
The same key may be used in the “legacy” and “new” algorithms.
The sender uses the key for encryption with “new” algorithm,creating target C∗.
In some scenarios, a MITM adversary can change the algorithmidentifier undetectably from “new” to “legacy” (e.g. XML, JSON).
This induces the receiver to use the key for decryption with theinsecure legacy algorithm.
The two algorithms may be related closely enough that thisallows C∗ to be attacked . . .
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 26/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Backwards Compatibility Attacks
More interesting attack:
The same key may be used in the “legacy” and “new” algorithms.
The sender uses the key for encryption with “new” algorithm,creating target C∗.
In some scenarios, a MITM adversary can change the algorithmidentifier undetectably from “new” to “legacy” (e.g. XML, JSON).
This induces the receiver to use the key for decryption with theinsecure legacy algorithm.
The two algorithms may be related closely enough that thisallows C∗ to be attacked . . .
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 26/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Backwards Compatibility Attacks
More interesting attack:
The same key may be used in the “legacy” and “new” algorithms.
The sender uses the key for encryption with “new” algorithm,creating target C∗.
In some scenarios, a MITM adversary can change the algorithmidentifier undetectably from “new” to “legacy” (e.g. XML, JSON).
This induces the receiver to use the key for decryption with theinsecure legacy algorithm.
The two algorithms may be related closely enough that thisallows C∗ to be attacked . . .
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 26/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Backwards Compatibility Attacks
More interesting attack:
The same key may be used in the “legacy” and “new” algorithms.
The sender uses the key for encryption with “new” algorithm,creating target C∗.
In some scenarios, a MITM adversary can change the algorithmidentifier undetectably from “new” to “legacy” (e.g. XML, JSON).
This induces the receiver to use the key for decryption with theinsecure legacy algorithm.
The two algorithms may be related closely enough that thisallows C∗ to be attacked . . .
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 26/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Backwards Compatibility Attacks
More interesting attack:
The same key may be used in the “legacy” and “new” algorithms.
The sender uses the key for encryption with “new” algorithm,creating target C∗.
In some scenarios, a MITM adversary can change the algorithmidentifier undetectably from “new” to “legacy” (e.g. XML, JSON).
This induces the receiver to use the key for decryption with theinsecure legacy algorithm.
The two algorithms may be related closely enough that thisallows C∗ to be attacked . . .
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 26/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Backwards Compatibility Attacks
Attacks “on paper”:
Public key setting, exploiting legacy support for PKCS#v1.5:Decryption of RSA-OAEP ciphertexts.Forging RSA signatures (c.f. EMV attack).
Symmetric key setting, exploiting legacy support for CBC-mode:Breaking indistinguishability of AES-GCM (allowing decryption ofciphertexts with low entropy).Decryption of AES-KW.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 27/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Backwards Compatibility Attacks
Attacks then applied to:
Implementations of newest versions of XML Encryption and XMLSignature standards.
Implementations of JavaScript Object Notation Web Encryptionand Web Signature standards.
Full details of affected vendors and countermeasures in NDSS paperto appear in February.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 28/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Backwards Compatibility Attacks
Attacks then applied to:
Implementations of newest versions of XML Encryption and XMLSignature standards.
Implementations of JavaScript Object Notation Web Encryptionand Web Signature standards.
Full details of affected vendors and countermeasures in NDSS paperto appear in February.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 28/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Key Reuse: Current Status
Certificate standards leave room for key reuse, and practitionerswant to do it.
In the symmetric setting: practitioners also want to reuse keys,even if they know it’s a bad idea in general.
EMV, JSON, XML attacks illustrate some of the dangers.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 29/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Key Reuse: Current Status
Certificate standards leave room for key reuse, and practitionerswant to do it.
In the symmetric setting: practitioners also want to reuse keys,even if they know it’s a bad idea in general.
EMV, JSON, XML attacks illustrate some of the dangers.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 29/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Key Reuse: Current Status
Certificate standards leave room for key reuse, and practitionerswant to do it.
In the symmetric setting: practitioners also want to reuse keys,even if they know it’s a bad idea in general.
EMV, JSON, XML attacks illustrate some of the dangers.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 29/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Looking Ahead to 2020
Standards bodies seem set to continue to include weakalgorithms in their documents, e.g. WebCrypto.
Even though they know this introduces potential and actualvulnerabilities.
Backwards compatibility and support for legacy repeatedlytriumph over security.
Depressingly, we will probably still be using PKCS#1v1.5 in2020, despite a (by then) 22 year old attack.
Ditto for encryption only CBC-mode in some deployments.
So what can we (primarily academic) cryptographers do?
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 30/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Looking Ahead to 2020
Standards bodies seem set to continue to include weakalgorithms in their documents, e.g. WebCrypto.
Even though they know this introduces potential and actualvulnerabilities.
Backwards compatibility and support for legacy repeatedlytriumph over security.
Depressingly, we will probably still be using PKCS#1v1.5 in2020, despite a (by then) 22 year old attack.
Ditto for encryption only CBC-mode in some deployments.
So what can we (primarily academic) cryptographers do?
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 30/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Looking Ahead to 2020
Standards bodies seem set to continue to include weakalgorithms in their documents, e.g. WebCrypto.
Even though they know this introduces potential and actualvulnerabilities.
Backwards compatibility and support for legacy repeatedlytriumph over security.
Depressingly, we will probably still be using PKCS#1v1.5 in2020, despite a (by then) 22 year old attack.
Ditto for encryption only CBC-mode in some deployments.
So what can we (primarily academic) cryptographers do?
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 30/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Looking Ahead to 2020
Standards bodies seem set to continue to include weakalgorithms in their documents, e.g. WebCrypto.
Even though they know this introduces potential and actualvulnerabilities.
Backwards compatibility and support for legacy repeatedlytriumph over security.
Depressingly, we will probably still be using PKCS#1v1.5 in2020, despite a (by then) 22 year old attack.
Ditto for encryption only CBC-mode in some deployments.
So what can we (primarily academic) cryptographers do?
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 30/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Looking Ahead to 2020
Standards bodies seem set to continue to include weakalgorithms in their documents, e.g. WebCrypto.
Even though they know this introduces potential and actualvulnerabilities.
Backwards compatibility and support for legacy repeatedlytriumph over security.
Depressingly, we will probably still be using PKCS#1v1.5 in2020, despite a (by then) 22 year old attack.
Ditto for encryption only CBC-mode in some deployments.
So what can we (primarily academic) cryptographers do?
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 30/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Looking Ahead to 2020
Standards bodies seem set to continue to include weakalgorithms in their documents, e.g. WebCrypto.
Even though they know this introduces potential and actualvulnerabilities.
Backwards compatibility and support for legacy repeatedlytriumph over security.
Depressingly, we will probably still be using PKCS#1v1.5 in2020, despite a (by then) 22 year old attack.
Ditto for encryption only CBC-mode in some deployments.
So what can we (primarily academic) cryptographers do?
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 30/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Looking Ahead to 2020
We are very good at developing new cryptographic primitives,schemes and security proofs.
We are not so good at building and testing implementations ofthese.
We are poor at developing theory for “supporting infrastructure”needed to deploy cryptography – randomness, key management,key hierarchies, PKI, software libraries, . . .
We tend to ignore “everyday” protocols like SSL/TLS, EMV,trusted computing.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 31/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Looking Ahead to 2020
We are very good at developing new cryptographic primitives,schemes and security proofs.
We are not so good at building and testing implementations ofthese.
We are poor at developing theory for “supporting infrastructure”needed to deploy cryptography – randomness, key management,key hierarchies, PKI, software libraries, . . .
We tend to ignore “everyday” protocols like SSL/TLS, EMV,trusted computing.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 31/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Looking Ahead to 2020
We are very good at developing new cryptographic primitives,schemes and security proofs.
We are not so good at building and testing implementations ofthese.
We are poor at developing theory for “supporting infrastructure”needed to deploy cryptography – randomness, key management,key hierarchies, PKI, software libraries, . . .
We tend to ignore “everyday” protocols like SSL/TLS, EMV,trusted computing.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 31/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Looking Ahead to 2020
We are very good at developing new cryptographic primitives,schemes and security proofs.
We are not so good at building and testing implementations ofthese.
We are poor at developing theory for “supporting infrastructure”needed to deploy cryptography – randomness, key management,key hierarchies, PKI, software libraries, . . .
We tend to ignore “everyday” protocols like SSL/TLS, EMV,trusted computing.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 31/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Call to Arms for 2020: Useful Theory
Analyse standards and implementations,finding proofs or attacks.
Support this style of research whensubmitted to our major cryptographyconferences.
Engage with standards bodies and industry– responsibly and patiently, if possible (theycan be very receptive).
Recognise that cryptography is not only abranch of theoretical computer science.
Develop useful theory that aids practice.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 32/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Call to Arms for 2020: Useful Theory
Analyse standards and implementations,finding proofs or attacks.
Support this style of research whensubmitted to our major cryptographyconferences.
Engage with standards bodies and industry– responsibly and patiently, if possible (theycan be very receptive).
Recognise that cryptography is not only abranch of theoretical computer science.
Develop useful theory that aids practice.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 32/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Call to Arms for 2020: Useful Theory
Analyse standards and implementations,finding proofs or attacks.
Support this style of research whensubmitted to our major cryptographyconferences.
Engage with standards bodies and industry– responsibly and patiently, if possible (theycan be very receptive).
Recognise that cryptography is not only abranch of theoretical computer science.
Develop useful theory that aids practice.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 32/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Call to Arms for 2020: Useful Theory
Analyse standards and implementations,finding proofs or attacks.
Support this style of research whensubmitted to our major cryptographyconferences.
Engage with standards bodies and industry– responsibly and patiently, if possible (theycan be very receptive).
Recognise that cryptography is not only abranch of theoretical computer science.
Develop useful theory that aids practice.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 32/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Call to Arms for 2020: Useful Theory
Analyse standards and implementations,finding proofs or attacks.
Support this style of research whensubmitted to our major cryptographyconferences.
Engage with standards bodies and industry– responsibly and patiently, if possible (theycan be very receptive).
Recognise that cryptography is not only abranch of theoretical computer science.
Develop useful theory that aids practice.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 32/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Looking Ahead to 2020
A community of researchers is gradually emerging.
2014 workshop slated for East Coast of USA.
Similar workshop with contributed talks has been co-located withFinancial Crypto for last few years.
Get involved!
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 33/34
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Further Reading
More details on the research results highlighted in this talk can befound in:
[PSST11] K.G. Paterson, J.C.N. Schuldt, M. Stam and S.Thomson, On the Joint Security of Encryption and Signature,Revisited. ASIACRYPT’11.
[DLPSS12] J.P. Degabriele, A. Lehmann, K.G. Paterson, N.P.Smart and M. Strefler, On the Joint Security of Encryption andSignature in EMV. CT-RSA’12.
[JPS13] T. Jager, K.G. Paterson and J. Somorovsky, One BadApple: Backwards Compatibility Attacks on State-of-the-ArtCryptography. NDSS’13.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 34/34