Key Reuse: Theory and Practice - Stanford University · Key Reuse: Theory and Practice Kenny...
Transcript of Key Reuse: Theory and Practice - Stanford University · Key Reuse: Theory and Practice Kenny...
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
Key Reuse: Theory and Practice
Kenny PatersonRoyal Holloway, University of London
based on joint work withJean Paul Degabriele, Tibor Jager, Anja Lehmann, Jacob C.N. Schudlt,
Nigel P. Smart, Juraj Somorovsky, Martijn Stam, Mario Strefler, Susan Thomson
Workshop on Real-World Cryptography
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 1/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
Outline
1 Key Separation, Key Reuse, and Cryptographic Agility
2 Joint Security
3 Key Reuse in EMV
4 Cryptographic Agility
5 BC Attacks
6 Concluding Remarks
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 2/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
Motivation for Key Reuse
Reusing an asymmetric key-pair in different primitives can reduce:
Storage requirements for certificates and keys;Costs of key certification;Net certificate verification time;Footprint of cryptographic code and development effort.
. . . but breaks the key separation principle of using different keys fordifferent purposes.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 3/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
Motivation for Key Reuse
Reusing an asymmetric key-pair in different primitives can reduce:
Storage requirements for certificates and keys;Costs of key certification;Net certificate verification time;Footprint of cryptographic code and development effort.
. . . but breaks the key separation principle of using different keys fordifferent purposes.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 3/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
Scope of Reuse
Reuse is not restricted to “encryption + signatures”, nor to theasymmetric setting:
Could be, for example, “signature + static DH value” in a morecomplex protocol.
We may wish to reuse a key in the symmetric setting, e.g. CCMmode (CTR + CBC-MAC).
We may wish to use the same key in two different algorithms forthe same primitive, e.g. RSA-OAEP and RSA-PKCS#1v1.5, orAES-CBC and AES-GCM.
– As in the most recent edition of the XML standards.– Related to the concept of cryptographic agility.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 4/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
Key Reuse and Certificate Standards
X.509:Certificate contains algorithm identifiers for the signing algorithmused to create the certificate itself.But not necessarily any information about for which purposes thecertified public key can be used.Nor in which specific algorithms the certified public key can beused.X.509 extensions define Key Usage and Subject Public Key Infofields, but plenty of flexibility . . .
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 5/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
Key Usage Extension
RFC 5280 (X.509v3):The key usage extension defines the purpose (e.g.,encipherment, signature, certificate signing) ofthe key contained in the certificate. The usagerestriction might be employed when a key thatcould be used for more than one operation is tobe restricted.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 6/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
Key Usage Extension
RFC 5280 (X.509v3):KeyUsage ::= BIT STRING {
digitalSignature (0),nonRepudiation (1),keyEncipherment (2),dataEncipherment (3),keyAgreement (4),keyCertSign (5),cRLSign (6),encipherOnly (7),decipherOnly (8) }
RFC 5280 (X.509v3):This profile does not restrict the combinationsof bits that may be set in an instantiation of thekeyUsage extension.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 7/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
Main Question
Given that key reuse in all its forms is common in practice, what canwe say about its security?
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 8/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
Joint Security of Signature and Encryption
Haber and Pinkas, Securely Combining Public-KeyCryptosystems, CCS’01:
First formal security models for joint security.Secure combinations for some schemes in the random oraclemodel.Only partial solutions in the standard model.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 9/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
Joint Security of Signature and Encryption
Coron, Joye, Naccache and Paillier, Universal Padding Schemesfor RSA, CRYPTO’02:
Signature padding scheme PSS also gives IND-CCA secureencryption.Resulting encryption and signature schemes can securely usesame RSA key-pair.Proof of joint security in ROM.
Komano and Ohta, Efficient Universal Padding Techniques forMultiplicative Trapdoor One-Way Permutation, CRYPTO’03:
Consider OAEP+ and REACT encodings, also in ROM.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 10/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
Joint Security of Signature and Encryption
Coron, Joye, Naccache and Paillier, Universal Padding Schemesfor RSA, CRYPTO’02:
Signature padding scheme PSS also gives IND-CCA secureencryption.Resulting encryption and signature schemes can securely usesame RSA key-pair.Proof of joint security in ROM.
Komano and Ohta, Efficient Universal Padding Techniques forMultiplicative Trapdoor One-Way Permutation, CRYPTO’03:
Consider OAEP+ and REACT encodings, also in ROM.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 10/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
Joint Security of Signature and Encryption
P., Schuldt, Stam and Thomson, On the Joint Security ofEncryption and Signature, Revisited, ASIACRYPT’11:
Target: to find new constructions for jointly secure combinedschemes in the standard model.
Main contributions:A trivial Cartesian product construction for benchmarking.
A generic construction from IBE:Naor trick + CHK transform + domain separation.
An efficient, specific construction using pairings.
(Applications to signcryption.)
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 11/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
Joint Security of Signature and Encryption
P., Schuldt, Stam and Thomson, On the Joint Security ofEncryption and Signature, Revisited, ASIACRYPT’11:
Target: to find new constructions for jointly secure combinedschemes in the standard model.
Main contributions:A trivial Cartesian product construction for benchmarking.
A generic construction from IBE:Naor trick + CHK transform + domain separation.
An efficient, specific construction using pairings.
(Applications to signcryption.)
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 11/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
The EMV Specification
EMV is the de facto global standard for IC credit/debit cards –Chip & PIN.
As of Q2 2012, there were 1.55 billion EMV cards in useworldwide.
Coming to the US real soon now.
The specification defines the inter-operation of IC cards withPoint-of-Sale (PoS) terminals and Automated Teller Machines(ATMs) .
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 12/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
The EMV Specification
EMV is the de facto global standard for IC credit/debit cards –Chip & PIN.
As of Q2 2012, there were 1.55 billion EMV cards in useworldwide.
Coming to the US real soon now.
The specification defines the inter-operation of IC cards withPoint-of-Sale (PoS) terminals and Automated Teller Machines(ATMs) .
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 12/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
The EMV Specification
EMV is the de facto global standard for IC credit/debit cards –Chip & PIN.
As of Q2 2012, there were 1.55 billion EMV cards in useworldwide.
Coming to the US real soon now.
The specification defines the inter-operation of IC cards withPoint-of-Sale (PoS) terminals and Automated Teller Machines(ATMs) .
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 12/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
The EMV Specification
EMV is the de facto global standard for IC credit/debit cards –Chip & PIN.
As of Q2 2012, there were 1.55 billion EMV cards in useworldwide.
Coming to the US real soon now.
The specification defines the inter-operation of IC cards withPoint-of-Sale (PoS) terminals and Automated Teller Machines(ATMs) .
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 12/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
EMV Cards
An EMV card contains a chip which allows it to performcryptographic computations.
All EMV cards contain a symmetric key which it shares with theIssuing Bank.
Most cards are also equipped with RSA keys to computesignatures for card authentication and transaction authorization,and to encrypt the PIN between the terminal and the card.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 13/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
Key Reuse in EMV
Given the constrained on-card processing environment, reducingthe storage and computation consumed by the cryptographicfunctions in EMV is very important.
The EMV standard allows the same RSA key-pair to be used forboth PIN encryption and CDA signature generation.
Encryption and signature algorithms are based on theRSA-PKCS#1v1.5 standards.
Is this key reuse is detrimental to the security of the EMV systemor not?
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 14/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
Wedge Attacks
A wedge is a special device interposed between the card and theterminal which allows MITM attacks to be carried out on the EMVprotocols.
Such attacks received a lot of publicity because of an Oakland2010 paper by Murdoch et al. – the so-called “CambridgeAttack”.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 15/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
Wedge Attacks
A wedge is a special device interposed between the card and theterminal which allows MITM attacks to be carried out on the EMVprotocols.
Such attacks received a lot of publicity because of an Oakland2010 paper by Murdoch et al. – the so-called “CambridgeAttack”.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 15/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
Wedge Attacks
Picture source:www.cl.cam.ac.uk/research/security/banking/relay
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 16/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
An Attack on EMV
Degabriele, Lehmann, P., Smart and Strefler, On the JointSecurity of Encryption and Signature in EMV, CT-RSA’12:
A wedge attack exploiting the reuse of RSA keys in an EMV cardto allow an attacker to make transactions without knowing thecard’s PIN.
The attack is only applicable to a CDA card in an offlinetransaction.
The attack would still work even if the countermeasures againstthe Cambridge Attack were in place!
The attack is a variant of Bleichenbacher’s attack against RSAwith PKCS#1v1.5 encoding (CRYPTO’98).
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 17/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
PIN Encryption in EMV
Encoding used in EMV for PIN encryption:
7F || PIN block || ICC challenge || Random padding
where the PIN block and the ICC Challenge (from the card) are 8bytes long.
Upon decryption the card performs multiple checks.
If test for ‘7F’ byte is carried out first, and its success or failurecan be distinguished (e.g. via timing or power analysis), then aBleichenbacher-style attack may be possible.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 18/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
PIN Encryption in EMV
Encoding used in EMV for PIN encryption:
7F || PIN block || ICC challenge || Random padding
where the PIN block and the ICC Challenge (from the card) are 8bytes long.
Upon decryption the card performs multiple checks.
If test for ‘7F’ byte is carried out first, and its success or failurecan be distinguished (e.g. via timing or power analysis), then aBleichenbacher-style attack may be possible.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 18/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
PIN Encryption in EMV
Encoding used in EMV for PIN encryption:
7F || PIN block || ICC challenge || Random padding
where the PIN block and the ICC Challenge (from the card) are 8bytes long.
Upon decryption the card performs multiple checks.
If test for ‘7F’ byte is carried out first, and its success or failurecan be distinguished (e.g. via timing or power analysis), then aBleichenbacher-style attack may be possible.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 18/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
Using Bleichenbacher to Forge Signatures
View Bleichenbacher’s attack as a black box, which when given avalid ciphertext c and access to a ciphertext-validity oraclerecovers the underlying (encoded) message m.
The attack inverts the RSA function m→ me mod N.
The same key-pair is used for RSA encryption and RSAsignatures.
So Bleichenbacher’s attack can also be used to forge RSAsignatures!
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 19/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
Using Bleichenbacher to Forge Signatures
View Bleichenbacher’s attack as a black box, which when given avalid ciphertext c and access to a ciphertext-validity oraclerecovers the underlying (encoded) message m.
The attack inverts the RSA function m→ me mod N.
The same key-pair is used for RSA encryption and RSAsignatures.
So Bleichenbacher’s attack can also be used to forge RSAsignatures!
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 19/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
Using Bleichenbacher to Forge Signatures
View Bleichenbacher’s attack as a black box, which when given avalid ciphertext c and access to a ciphertext-validity oraclerecovers the underlying (encoded) message m.
The attack inverts the RSA function m→ me mod N.
The same key-pair is used for RSA encryption and RSAsignatures.
So Bleichenbacher’s attack can also be used to forge RSAsignatures!
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 19/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
Using Bleichenbacher to Forge Signatures
View Bleichenbacher’s attack as a black box, which when given avalid ciphertext c and access to a ciphertext-validity oraclerecovers the underlying (encoded) message m.
The attack inverts the RSA function m→ me mod N.
The same key-pair is used for RSA encryption and RSAsignatures.
So Bleichenbacher’s attack can also be used to forge RSAsignatures!
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 19/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
The Attack on a CDA Transaction
CARD WEDGE TERMINAL
card in
authentication
phase
terminal in
authentication
phase
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 20/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
The Attack on a CDA Transaction
Card Authentication
CARD WEDGE TERMINAL
card in
authentication
phase
terminal in
authentication
phase
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 20/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
The Attack on a CDA Transaction
Card Authentication
CARD WEDGE TERMINAL
PIN: $$$$
card in
authentication
phase
terminal in
authentication
phase
terminal in
cardholder
phase
verification
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 20/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
The Attack on a CDA Transaction
Card Authentication
CARD WEDGE TERMINAL
PIN: $$$$
PIN OK
card in
authentication
phase
terminal in
authentication
phase
terminal in
cardholder
phase
verification
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 20/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
The Attack on a CDA Transaction
Card Authentication
CARD WEDGE TERMINAL
PIN: $$$$
PIN OK
Request TC + Payload
card in
authentication
phase
terminal in
authentication
phase
terminal in
cardholder
phase
verification
terminal in
transaction
phase
authorization
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 20/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
The Attack on a CDA Transaction
Card Authentication
CARD WEDGE TERMINAL
PIN: $$$$
PIN OK
Request TC + Payload
card in
authentication
phase
terminal in
authentication
phase
terminal in
cardholder
phase
verification
terminal in
transaction
phase
authorization
c← ρeµ
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 20/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
The Attack on a CDA Transaction
Card Authentication
CARD WEDGE TERMINAL
PIN: $$$$
PIN OK
Request TC + Payload
card in
authentication
phase
terminal in
authentication
phase
terminal in
cardholder
phase
verification
terminal in
transaction
phase
authorization
card in
phase
cardholder
verification
c← ρeµ
(7F) Y/N
c1
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 20/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
The Attack on a CDA Transaction
Card Authentication
CARD WEDGE TERMINAL
PIN: $$$$
PIN OK
Request TC + Payload
card in
authentication
phase
terminal in
authentication
phase
terminal in
cardholder
phase
verification
terminal in
transaction
phase
authorization
card in
phase
cardholder
verification
c← ρeµ
(7F) Y/Nc2
(7F) Y/N
c1
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 20/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
The Attack on a CDA Transaction
Card Authentication
CARD WEDGE TERMINAL
PIN: $$$$
PIN OK
Request TC + Payload
card in
authentication
phase
terminal in
authentication
phase
terminal in
cardholder
phase
verification
terminal in
transaction
phase
authorization
card in
phase
cardholder
verification
c← ρeµ
(7F) Y/Nc2
(7F) Y/N
(7F) Y/N
c1
cn
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 20/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
The Attack on a CDA Transaction
Card Authentication
CARD WEDGE TERMINAL
PIN: $$$$
PIN OK
Request TC + Payload
TC + Signature
card in
authentication
phase
terminal in
authentication
phase
terminal in
cardholder
phase
verification
terminal in
transaction
phase
authorization
card in
phase
cardholder
verification
c← ρeµ
(7F) Y/Nc2
(7F) Y/N
(7F) Y/N
c1
cn
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 20/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
Performance (1024 bit keys)
Number of queries
Pro
babi
lity
of n
eedi
ng r
ough
ly X
que
ries
2000 4000 6000 8000 10000
0e+
002e
−04
4e−
046e
−04
8e−
041e
−03
We stress that we did not implement the attack in practice.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 21/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
Performance (1024 bit keys)
Number of queries
Pro
babi
lity
of n
eedi
ng r
ough
ly X
que
ries
2000 4000 6000 8000 10000
0e+
002e
−04
4e−
046e
−04
8e−
041e
−03
We stress that we did not implement the attack in practice.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 21/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
Cryptographic Agility
Acar, Belenkiy, Bellare and Cash, Cryptographic Agility and itsRelation to Circular Encryption, EUROCRYPT’10:
Cryptographic agility concerns the use of the same key inmultiple algorithms of the same type.
Individual algorithms may be secure, but joint use with same keymay not!
OK for CRHF and IND-CPA PKE, but insecure in general foralmost everything else.
Use algorithm identifier as input to key derivation to achievesuitable key separation from a single starting key.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 22/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
Backwards Compatibility Attacks
Jager, P. and Somorovsky, One Bad Apple: BackwardsCompatibility Attacks on State-of-the-Art Cryptography,NDSS’13:
Standards get updated, but “insecure algorithms” are still included forbackwards compatibility reasons:
GSM supports A5 variants with different strengths.
SSL/TLS still uses PKCS#1v1.5.
Web Services servers support AES-CBC and PKCS#1v1.5.
JSON Web Encryption servers support PKCS#1v1.5.
What could possibly go wrong?
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 23/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
Backwards Compatibility Attacks
Jager, P. and Somorovsky, One Bad Apple: BackwardsCompatibility Attacks on State-of-the-Art Cryptography,NDSS’13:
Standards get updated, but “insecure algorithms” are still included forbackwards compatibility reasons:
GSM supports A5 variants with different strengths.
SSL/TLS still uses PKCS#1v1.5.
Web Services servers support AES-CBC and PKCS#1v1.5.
JSON Web Encryption servers support PKCS#1v1.5.
What could possibly go wrong?
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 23/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
Backwards Compatibility Attacks
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 24/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
Backwards Compatibility Attacks
More interesting attack:
The same key may be used in the “legacy” and “new” algorithms.
The sender uses the key for encryption with “new” algorithm,creating target C∗.
In some scenarios, a MITM adversary can change the algorithmidentifier undetectably from “new” to “legacy” (e.g. XML, JSON).
This induces the receiver to use the key for decryption with theinsecure legacy algorithm.
The two algorithms may be related closely enough that thisallows C∗ to be broken . . .
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 25/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
Backwards Compatibility Attacks
More interesting attack:
The same key may be used in the “legacy” and “new” algorithms.
The sender uses the key for encryption with “new” algorithm,creating target C∗.
In some scenarios, a MITM adversary can change the algorithmidentifier undetectably from “new” to “legacy” (e.g. XML, JSON).
This induces the receiver to use the key for decryption with theinsecure legacy algorithm.
The two algorithms may be related closely enough that thisallows C∗ to be broken . . .
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 25/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
Backwards Compatibility Attacks
More interesting attack:
The same key may be used in the “legacy” and “new” algorithms.
The sender uses the key for encryption with “new” algorithm,creating target C∗.
In some scenarios, a MITM adversary can change the algorithmidentifier undetectably from “new” to “legacy” (e.g. XML, JSON).
This induces the receiver to use the key for decryption with theinsecure legacy algorithm.
The two algorithms may be related closely enough that thisallows C∗ to be broken . . .
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 25/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
Backwards Compatibility Attacks
More interesting attack:
The same key may be used in the “legacy” and “new” algorithms.
The sender uses the key for encryption with “new” algorithm,creating target C∗.
In some scenarios, a MITM adversary can change the algorithmidentifier undetectably from “new” to “legacy” (e.g. XML, JSON).
This induces the receiver to use the key for decryption with theinsecure legacy algorithm.
The two algorithms may be related closely enough that thisallows C∗ to be broken . . .
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 25/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
Backwards Compatibility Attacks
More interesting attack:
The same key may be used in the “legacy” and “new” algorithms.
The sender uses the key for encryption with “new” algorithm,creating target C∗.
In some scenarios, a MITM adversary can change the algorithmidentifier undetectably from “new” to “legacy” (e.g. XML, JSON).
This induces the receiver to use the key for decryption with theinsecure legacy algorithm.
The two algorithms may be related closely enough that thisallows C∗ to be broken . . .
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 25/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
Backwards Compatibility Attacks
Attacks “on paper”:
Public key setting, exploiting legacy support for PKCS#v1.5:Decryption of RSA-OAEP ciphertexts.Forging RSA signatures (c.f. EMV attack).
Symmetric key setting, exploiting legacy support for CBC-mode:Breaking indistinguishability of AES-GCM (allowing decryption ofciphertexts with low entropy).Decryption of AES-KW.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 26/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
Backwards Compatibility Attacks
Attacks then applied to:
Implementations of newest versions of XML Encryption and XMLSignature standards.
Implementations of JavaScript Object Notation Web Encryptionand Web Signature standards.
Full details of affected vendors and countermeasures in NDSS paperto appear in February.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 27/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
Backwards Compatibility Attacks
Attacks then applied to:
Implementations of newest versions of XML Encryption and XMLSignature standards.
Implementations of JavaScript Object Notation Web Encryptionand Web Signature standards.
Full details of affected vendors and countermeasures in NDSS paperto appear in February.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 27/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
Concluding Remarks
Certificate standards leave room for key reuse, and practitionerswant to do it.
In the symmetric setting: practitioners also want to reuse keys,even if they know it’s a bad idea.
EMV, JSON, XML attacks illustrate some of the dangers.
Plenty of room for development of useful supporting theory.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 28/29
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
Further Reading
More details on the results highlighted in this talk can be found in:
[PSST11] K.G. Paterson, J.C.N. Schuldt, M. Stam and S.Thomson, On the Joint Security of Encryption and Signature,Revisited, ASIACRYPT’11.
[DLPSS12] J.P. Degabriele, A. Lehmann, K.G. Paterson, N.P.Smart and M. Strefler, On the Joint Security of Encryption andSignature in EMV. CT-RSA’12.
[JPS13] T. Jager, K.G. Paterson and J. Somorovsky, One BadApple: Backwards Compatibility Attacks on State-of-the-ArtCryptography. NDSS’13.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 29/29