nach oben

International Journal of Information Security

Erschienen in:

02.01.2016 | Special Issue Paper

Unpicking PLAID: a cryptographic analysis of an ISO-standards-track authentication protocol

verfasst von: Jean Paul Degabriele, Victoria Fehr, Marc Fischlin, Tommaso Gagliardoni, Felix Günther, Giorgia Azzurra Marson, Arno Mittelbach, Kenneth G. Paterson

Erschienen in: International Journal of Information Security | Ausgabe 6/2016

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

The Protocol for Lightweight Authentication of Identity (PLAID) aims at secure and private authentication between a smart card and a terminal. Originally developed by a unit of the Australian Department of Human Services for physical and logical access control, PLAID has now been standardized as an Australian standard AS-5185-2010 and is currently in the fast-track standardization process for ISO/IEC 25185-1. We present a cryptographic evaluation of PLAID. As well as reporting a number of undesirable cryptographic features of the protocol, we show that the privacy properties of PLAID are significantly weaker than claimed: using a variety of techniques, we can fingerprint and then later identify cards. These techniques involve a novel application of standard statistical and data analysis techniques in cryptography. We discuss potential countermeasures to our attacks and comment on our experiences with the standardization process of PLAID.

Vorheriger Artikel Analyzing proposals for improving authentication on the TLS-/SSL-protected Web

Nächster Artikel Improving the ISO/IEC 11770 standard for key management techniques

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

The standard neither specifies the exact format nor the length of this randomly generated string.

The standard is ambiguous in whether the trial \(\text {KeySetID}\) of the IFD or the value contained in \({}^e\text {STR1}\) is stored.

The standard does not specify what is meant by “authentication fails.” We assume the protocol aborts in this case.

Though referring to ISO/IEC 9797-1 method 2, the PLAID draft standard explicitly describes a different padding method and thus makes unambiguous decoding impossible (cf. Sect. 5.4).

Again, the standard does neither specify the exact format nor the length (note that \(\text {STR3}\) in Step 7 contains a variable sized field \(\text {Payload}\)) of this random byte string.

See [24] for a good introduction. The name stems from the problem initially being posed as that of estimating the total number of tanks in the German army from observing a subset of their serial numbers.

Note that, in contrast to the first two scenarios, the third scenario and our according lunchtime attack is independent of the overall number of cards in the system.

Recall that terminals announce their supported keysets by sending corresponding \(\text {KeySetID}\)s in the clear. As a consequence, any observer can see which keys are related to which resource/terminal.

We note that the unauthenticated nature of the PLAID protocol messages has already been criticized in the national body comments on an earlier ISO draft [18]. In our attack, we exploit this weakness, refuting the claim of the current ISO draft [19, Annex H.1.1] that sending \({\text {KeySetID}{}\text {s}}\) in clear is “of no use to an attacker.”

For 2048-bit RSA decryptions or signatures, [34] reports times of over 100 ms for mobile devices (without cryptographic coprocessor), while our simulations on an Intel Core i7 2.4 GHz are around 10 ms.

The protocol explicitly notes that no error messages should be issued, but wrong implementations or side-channel attacks may reveal such information.

Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: CRYPTO 1993, pp. 232–249. Springer Berlin, Hidelberg (1994)

Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Eurocrypt 2000, pp. 139–155. Springer Berlin, Hidelberg (2000)

Bellare, M., Boldyreva, A., Desai, A., Pointcheval, D.: Key-privacy in public-key encryption. In: ASIACRYPT 2001, pp. 566–582. Springer Berlin, Hidelberg (2001)

Bhargavan, K., Fournet, C., Kohlweiss, M., Pironti, A., Strub, P.Y., Zanella Béguelin, S.: Proving the TLS handshake secure (as it is). 235–255 (2014). doi:10.1007/978-3-662-44381-1_14

Bleichenbacher, D.: Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. 1–12 (1998)

Brzuska, C., Fischlin, M., Smart, N.P., Warinschi, B., Williams, S.C.: Less is more: relaxed yet composable security notions for key exchange. Int. J. Inf. Secur. 12(4), 267–297 (2013)CrossRef

Centrelink: Protocol for Lightweight Authentication of Identity (PLAID)—Logical Smartcard Implementation Specification PLAID Version 8.0—Final. http://www.humanservices.gov.au/corporate/publications-and-resources/plaid/technical-specification (2009)

Coisel, I., Martin, T.: Untangling RFID privacy models. J. Comput. Netw. Commun. doi:10.1155/2013/710275

Dagdelen, Ö., Fischlin, M., Gagliardoni, T., Marson, G.A., Mittelbach, A., Onete, C.: A cryptographic analysis of OPACITY—(extended abstract). pp. 345–362 (2013). doi:10.1007/978-3-642-40203-6_20

10.

Degabriele, J.P., Fehr, V., Fischlin, M., Gagliardoni, T., Günther, F., Marson, G.A., Mittelbach, A., Paterson, K.G.: Response to “Nit-Picking PLAID AS & ISO Project Editors Report into ‘Unpicking Plaid’ ”. Cryptology ePrint Archive Forum, http://www.cryptoplexity.informatik.tu-darmstadt.de/media/crypt/pdf/plaid-editorreport-response.pdf (2014)

11.

Degabriele, J.P., Fehr, V., Fischlin, M., Gagliardoni, T., Günther, F., Marson, G.A., Mittelbach, A., Paterson, K.G.: Unpicking PLAID—a cryptographic analysis of an ISO-standards-track authentication protocol. In: 1st International Conference on Research in Security Standardisation (SSR 2014). Springer, Lecture Notes in Computer Science, vol. 8893, pp. 1–25 (2014)

12.

Degabriele, J.P., Fehr, V., Fischlin, M., Gagliardoni, T., Günther, F., Marson, G.A., Mittelbach, A., Paterson, K.G.: Unpicking PLAID—a cryptographic analysis of an ISO-standards-track authentication protocol. Cryptology ePrint Archive, Report 2014/728. http://eprint.iacr.org/ (2014)

13.

Department of Human Services: Protocol for Lightweight Authentication of Identity (PLAID). (2014). http://www.humanservices.gov.au/corporate/publications-and-resources/plaid/

14.

Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246 (Proposed Standard). http://www.ietf.org/rfc/rfc5246.txt, updated by RFCs 5746, 5878, 6176 (2008)

15.

Freedman, G.: Nit-Picking PLAID: AS & ISO Project Editors Report into “Unpicking Plaid”. Cryptology ePrint Archive Forum. https://dl.dropboxusercontent.com/u/41736374/UnpickingReport%20V1.pdf (2014)

16.

Freedman, G.: Personal communication by e-mail (2014)

17.

Giesen, F., Kohlar, F., Stebila, D.: On the security of TLS renegotiation. In: ACM Conference on Computer and Communications Security, pp. 387–398. ACM, New York (2013)

18.

ISO: DRAFT INTERNATIONAL STANDARD ISO/IEC DIS 25185–1 Identification cards—Integrated circuit card authentication protocols—Part 1: Protocol for Lightweight Authentication of Identity. International Organization for Standardization, Geneva (2012)

19.

ISO: DRAFT INTERNATIONAL STANDARD ISO/IEC DIS 25185-1.2 Identification cards—Integrated circuit card authentication protocols—Part 1: Protocol for Lightweight Authentication of Identity. International Organization for Standardization, Geneva (2014)

20.

ISO: Benefits of international standards. (2015). http://www.iso.org/iso/home/standards/benefitsofstandards.htm

21.

ISO 25185–1 Editor (2013) Disposition of comments on ISO/IEC 25185–1 Protocol for a lightweight authentication of devices

22.

Jager, T., Kohlar, F., Schäge, S., Schwenk, J.: On the security of TLS-DHE in the standard model. 273–293 (2012)

23.

Jager, T., Schinzel, S., Somorovsky, J.: Bleichenbacher’s attack strikes again: breaking PKCS#1 v1.5 in XML encryption. 752–769 (2012)

24.

Johnson, R.: Estimating the size of a population. Teach. Stat. 16(2), 50–52 (1994). http://www.mcs.sdsmt.edu/rwjohnso/html/tank.pdf

25.

Juels, A.: RFID security and privacy: a research survey. IEEE J. Selected Areas Commun. 24(2), 381–394 (2006)MathSciNetCrossRef

26.

Kaliski, B.: PKCS#1: RSA Encryption Version 1.5. RFC 2313 (1998)

27.

Kelsey, J.: Dual EC DRBG and NIST crypto process review. In: Invited talk at the Real World Cryptography Workshop 2015, January 7–9, London (2015)

28.

Kiat, K.H., Run, L.Y.: An analysis of OPACITY and PLAID protocols for contactless smart cards. Master’s thesis, Naval Postgraduate School, Monterey (2012)

29.

Kline, R.: Improving contactless security is goal of emerging PLAID project. http://secureidnews.com/news-item/improving-contactless-security-is-goal-of-emerging-plaid-project/, secureIDNews (2010)

30.

Krawczyk, H., Paterson, K.G., Wee, H.: On the security of the TLS protocol: a systematic analysis. (2013). doi:10.1007/978-3-642-40041-4_24

31.

Meyer, C., Somorovsky, J., Weiss, E., Schwenk, J.: Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks. In: 23rd USENIX Security Symposium (USENIX Security 14), USENIX Association, San Diego (2014). https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/meyer

32.

National Institute of Standards and Technology: Protocol for Lightweight Authentication of Identity (PLAID) Workshop (2009). http://csrc.nist.gov/news_events/plaid-workshop/

33.

National Institute of Standards and Technology: Cryptographic Standards and Guidelines Development Process (Second Draft). National Institute of Standards and Technology Interagency Report 7977. http://csrc.nist.gov/publications/drafts/nistir-7977/nistir_7977_second_draft.pdf (2015)

34.

Rifà-Pous, H., Herrera-Joancomartí, J.: Computational and energy costs of cryptographic algorithms on handheld devices. Future Internet 3(1), 31–48 (2011)CrossRef

35.

Riskybiz: Risky Business 106—Centrelink’s new PLAID auth protocol. http://risky.biz/netcasts/risky-business/risky-business-106-centrelinks-new-plaid-auth-protocol (2009)

36.

Sakurada, H.: Security evaluation of the PLAID protocol using the ProVerif tool. http://crypto-protocol.nict.go.jp/data/eng/ISOIEC_Protocols/25185-1/25185-1_ProVerif.pdf (2013)

37.

Sanders, T.: The Aims and Principles of Standardization. International Organization for Standardization—ISO (1972)

38.

Standards Australia: AS 5185-2010 Protocol for Lightweight Authentication of IDentity (PLAID). Standards Australia (2010)

39.

Taylor, J.: Centrelink ID protocol still in trial phase. http://www.zdnet.com/centrelink-id-protocol-still-in-trial-phase-1339336953/, zDNet (2012)

40.

Vaudenay, S.: Security flaws induced by CBC padding - applications to SSL, IPSEC, WTLS. pp. 534–546 (2002)

41.

Watanabe, D.: Security analysis of PLAID. http://crypto-protocol.nict.go.jp/data/eng/ISOIEC_Protocols/25185-1/25185-1_Scyther.pdf (2013)

Titel: Unpicking PLAID: a cryptographic analysis of an ISO-standards-track authentication protocol
verfasst von: Jean Paul Degabriele
Victoria Fehr
Marc Fischlin
Tommaso Gagliardoni
Felix Günther
Giorgia Azzurra Marson
Arno Mittelbach
Kenneth G. Paterson
Publikationsdatum: 02.01.2016
Verlag: Springer Berlin Heidelberg
Erschienen in: International Journal of Information Security / Ausgabe 6/2016
Print ISSN: 1615-5262
Elektronische ISSN: 1615-5270
DOI: https://doi.org/10.1007/s10207-015-0309-6

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Technik"

Springer Professional "Wirtschaft+Technik"

Springer Professional "Wirtschaft"

Weitere Artikel der Ausgabe 6/2016

Secure modular password authentication for the web using channel bindings

Improving the ISO/IEC 11770 standard for key management techniques

Message from the guest editors

Measuring protocol strength with security goals

Analyzing proposals for improving authentication on the TLS-/SSL-protected Web