Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Key Reuse: Theory, Practice, and Future
Kenny Paterson, Royal Holloway, University of London
based on joint work with Jean Paul Degabriele, Tibor Jager, Anja Lehmann, Jacob C.N. Schuldt,
Nigel P. Smart, Juraj Somorovsky, Martijn Stam, Mario Strefler, Susan Thomson
ECRYPT-II – Crypto for 2020
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 1/34
Outline
1 Key Separation, Key Reuse, and Cryptographic Agility
2 Joint Security
3 Key Reuse in EMV
4 Cryptographic Agility
5 BC Attacks
6 Looking Ahead to 2020
Motivation for Key Reuse
Reusing an asymmetric key-pair in different primitives can reduce:
Storage requirements for certificates and keys;
Costs of key certification;
Net certificate verification time;
Footprint of cryptographic code and development effort.
. . . but breaks the key separation principle of using different keys for different purposes.
Scope of Reuse
Reuse is not restricted to “encryption + signatures”, nor to the asymmetric setting:
Could be, for example, “signature + static DH value” in a more complex protocol.
We may wish to reuse a key in the symmetric setting, e.g. CCM mode (CTR + CBC-MAC).
We may wish to use the same key in two different algorithms for the same primitive, e.g. RSA-OAEP and RSA-PKCS#1v1.5, or AES-CBC and AES-GCM.
– As in the most recent edition of the XML standards.
– Related to the concept of cryptographic agility, Acar et al., EUROCRYPT’10.
Key Reuse and Certificate Standards
X.509:
Certificate contains algorithm identifiers for the signing algorithm used to create the certificate itself.
But not necessarily any information about for which purposes the certified public key can be used.
Nor in which specific algorithms the certified public key can be used.
X.509 extensions define Key Usage and Subject Public Key Info fields, but plenty of flexibility . . .
Key Usage Extension
RFC 5280 (X.509v3):
The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate. The usage restriction might be employed when a key that could be used for more than one operation is to be restricted.
Key Usage Extension
RFC 5280 (X.509v3):
KeyUsage ::= BIT STRING {
    digitalSignature (0),
    nonRepudiation (1),
    keyEncipherment (2),
    dataEncipherment (3),
    keyAgreement (4),
    keyCertSign (5),
    cRLSign (6),
    encipherOnly (7),
    decipherOnly (8) }
RFC 5280 (X.509v3):
This profile does not restrict the combinations of bits that may be set in an instantiation of the keyUsage extension.
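Since the profile itself does not constrain the bit combinations, an auditor has to look at them. The following is an added example (not from the slides or from RFC 5280's own text): a small decoder for the DER-encoded KeyUsage BIT STRING and a check that reports certified keys whose usage bits span more than one purpose. The DER sample values are constructed for the example.

```python
# Added example, not from the slides: decode a DER-encoded X.509 KeyUsage
# value (RFC 5280 BIT STRING) and report usage-bit combinations that let
# one certified key serve several purposes, i.e. where the profile's
# flexibility leaves the key separation principle unenforced.
# The DER samples at the bottom are constructed for this example.

# Named bits from RFC 5280: KeyUsage ::= BIT STRING { ... }
KEY_USAGE_BITS = {
    0: "digitalSignature", 1: "nonRepudiation", 2: "keyEncipherment",
    3: "dataEncipherment", 4: "keyAgreement", 5: "keyCertSign",
    6: "cRLSign", 7: "encipherOnly", 8: "decipherOnly",
}
SIGNING = {"digitalSignature", "nonRepudiation", "keyCertSign", "cRLSign"}
ENCIPHERMENT = {"keyEncipherment", "dataEncipherment", "keyAgreement"}


def decode_key_usage(der):
    """Decode a DER BIT STRING (tag 0x03) holding KeyUsage into a set of bit names.

    Layout: 03 <len> <unused-bits> <bits...>; bit 0 is the MSB of the first
    content byte. KeyUsage has at most 9 bits, so a short-form length suffices.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unexpected length encoding")
    unused = der[2]
    if unused > 7:
        raise ValueError("invalid unused-bits count")
    body = der[3:]
    names = set()
    for pos in range(len(body) * 8 - unused):
        byte, bit = divmod(pos, 8)
        if body[byte] & (0x80 >> bit):
            if pos not in KEY_USAGE_BITS:
                raise ValueError("unknown KeyUsage bit %d" % pos)
            names.add(KEY_USAGE_BITS[pos])
    return names


def key_separation_findings(usage):
    """Findings for a decoded usage set; an empty list means single-purpose."""
    findings = []
    if usage & SIGNING and usage & ENCIPHERMENT:
        findings.append("signing and encipherment/agreement on one key: "
                        + ", ".join(sorted(usage)))
    if "keyCertSign" in usage and "digitalSignature" in usage:
        findings.append("CA signing key also usable for ordinary signatures")
    if usage & {"encipherOnly", "decipherOnly"} and "keyAgreement" not in usage:
        findings.append("encipherOnly/decipherOnly without keyAgreement "
                        "(meaning undefined per RFC 5280)")
    return findings


# Constructed DER samples (tag, length, unused bits, content bytes).
SAMPLES = {
    "sign+encipher": b"\x03\x02\x05\xa0",      # bits 0 and 2 set
    "sign-only":     b"\x03\x02\x07\x80",      # bit 0 only
    "ca":            b"\x03\x02\x01\x06",      # bits 5 and 6
    "decipher-only": b"\x03\x03\x07\x00\x80",  # bit 8 needs a second byte
}


def audit(samples):
    """Map sample name -> (decoded usage names, findings)."""
    result = {}
    for name, der in samples.items():
        usage = decode_key_usage(der)
        result[name] = (usage, key_separation_findings(usage))
    return result


if __name__ == "__main__":
    for name, (usage, findings) in audit(SAMPLES).items():
        print(name, sorted(usage), findings or "ok")
```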
Main Question
Given that key reuse in all its forms is common in practice, what can we say about its security?
Joint Security of Signature and Encryption
Haber and Pinkas, Securely Combining Public-Key Cryptosystems, CCS’01:
First formal security models for joint security.
Secure combinations for some schemes in the random oracle model.
Only partial solutions in the standard model.
Joint Security of Signature and Encryption
Coron, Joye, Naccache and Paillier, Universal Padding Schemes for RSA, CRYPTO’02:
Signature padding scheme PSS also gives IND-CCA secure encryption.
Resulting encryption and signature schemes can securely use the same RSA key-pair.
Proof of joint security in ROM.
Komano and Ohta, Efficient Universal Padding Techniques for Multiplicative Trapdoor One-Way Permutation, CRYPTO’03:
Consider OAEP+ and REACT encodings, also in ROM.
Joint Security of Signature and Encryption
P., Schuldt, Stam and Thomson, On the Joint Security of Encryption and Signature, Revisited, ASIACRYPT’11 [PSST11]:
Target: to find new constructions for jointly secure combined schemes in the standard model.
Main contributions:
A trivial Cartesian product construction for benchmarking.
A generic construction from IBE: Naor trick + CHK transform + domain separation.
An efficient, specific construction using pairings.
(Applications to signcryption.)
The EMV Specification
EMV is the de facto global standard for IC credit/debit cards – Chip & PIN.
As of Q2 2012, there were 1.55 billion EMV cards in use worldwide.
The specification defines the inter-operation of IC cards with Point-of-Sale (PoS) terminals and Automated Teller Machines (ATMs).
EMV Cards
An EMV card contains a chip which allows it to perform cryptographic computations.
All EMV cards contain a symmetric key which the card shares with the Issuing Bank.
Most cards are also equipped with RSA keys to compute signatures for card authentication and transaction authorization, and to encrypt the PIN between the terminal and the card.
Key Reuse in EMV
Given the constrained on-card processing environment, reducing the storage and computation consumed by the cryptographic functions in EMV is very important.
The EMV standard allows the same RSA key-pair to be used for both PIN encryption and CDA signature generation.
Encryption and signature algorithms are based on the RSA-PKCS#1v1.5 standards.
Is this key reuse detrimental to the security of the EMV system or not?
Wedge Attacks
A wedge is a special device interposed between the card and the terminal which allows MITM attacks to be carried out on the EMV protocols.
Such attacks received a lot of publicity because of an Oakland 2010 paper by Murdoch et al. – the so-called “Cambridge Attack”.
Wedge Attacks
[Picture of a wedge device] Picture source: www.cl.cam.ac.uk/research/security/banking/relay
An Attack on EMV
Degabriele, Lehmann, P., Smart and Strefler, On the Joint Security of Encryption and Signature in EMV, CT-RSA’12 [DLPSS12]:
A wedge attack exploiting the reuse of RSA keys in an EMV card to allow an attacker to make transactions without knowing the card’s PIN.
The attack is only applicable to a CDA card in an offline transaction.
The attack would still work even if the countermeasures against the Cambridge Attack were in place!
The attack is a variant of Bleichenbacher’s attack against RSA with PKCS#1v1.5 encoding (CRYPTO’98).
PIN Encryption in EMV
Encoding used in EMV for PIN encryption:
7F || PIN block || ICC challenge || Random padding
where the PIN block and the ICC Challenge (from the card) are 8 bytes long.
Upon decryption the card performs multiple checks.
If the test for the ‘7F’ byte is carried out first, and its success or failure can be distinguished (e.g. via timing or power analysis), then a Bleichenbacher-style attack may be possible.
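The order and observability of those checks is what matters. Below is an added example (not EMV's own code and not from the slides) that models the card-side validation of the decrypted message in two styles: an early-exit version, where a failed ‘7F’ test does observably less work than a failed challenge test, and a version that runs every check and combines the outcomes. The PIN block, challenge and 128-byte message length are constructed for the example.

```python
# Added example, not from the slides: a model of the card-side validation of the
# decrypted PIN message  7F || PIN block || ICC challenge || random padding.
# verify_leaky() stops at the first failed check, so how much work it does
# depends on which field is wrong: a failed 7F check is observably shorter than
# a failed challenge check. verify_uniform() evaluates every check and combines
# the results, so only the final accept/reject leaves the function. Field values
# and the 128-byte message length are constructed for this example; the check
# structure is the point, Python itself gives no timing guarantees.
import hmac

HEADER = b"\x7f"
PIN_BLOCK_LEN = 8
CHALLENGE_LEN = 8

# Constructed sample values: the card-stored PIN block and the ICC challenge it issued.
PIN_BLOCK = b"\x24\x12\x34\xff\xff\xff\xff\xff"
CHALLENGE = b"\x01\x02\x03\x04\x05\x06\x07\x08"


def build_plaintext(pin_block, challenge, total_len=128):
    """Assemble the encoded message the terminal would RSA-encrypt to the card."""
    body = HEADER + pin_block + challenge
    # Deterministic stand-in for the random padding so the example is reproducible.
    padding = bytes(range(1, total_len - len(body) + 1))
    return body + padding


def split_fields(plaintext):
    """Split a recovered plaintext into (header, PIN block, ICC challenge, padding)."""
    h = plaintext[:1]
    p = plaintext[1:1 + PIN_BLOCK_LEN]
    c = plaintext[1 + PIN_BLOCK_LEN:1 + PIN_BLOCK_LEN + CHALLENGE_LEN]
    return h, p, c, plaintext[1 + PIN_BLOCK_LEN + CHALLENGE_LEN:]


def verify_leaky(plaintext, expected_challenge, stored_pin_block):
    """Early-exit order: 7F first. Returns (accepted, number_of_checks_run)."""
    header, pin_block, challenge, _ = split_fields(plaintext)
    if header != HEADER:
        return False, 1          # distinguishable: only one check ran
    if challenge != expected_challenge:
        return False, 2
    if pin_block != stored_pin_block:
        return False, 3
    return True, 3


def verify_uniform(plaintext, expected_challenge, stored_pin_block):
    """All three checks always run; results are AND-ed using constant-time compares."""
    header, pin_block, challenge, _ = split_fields(plaintext)
    ok = 1
    ok &= hmac.compare_digest(header, HEADER)
    ok &= hmac.compare_digest(challenge, expected_challenge)
    ok &= hmac.compare_digest(pin_block, stored_pin_block)
    return bool(ok), 3           # the amount of work never depends on the input


if __name__ == "__main__":
    good = build_plaintext(PIN_BLOCK, CHALLENGE)
    bad_header = b"\x00" + good[1:]
    for name, pt in (("good", good), ("bad 7F", bad_header)):
        print(name, verify_leaky(pt, CHALLENGE, PIN_BLOCK),
              verify_uniform(pt, CHALLENGE, PIN_BLOCK))
```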
Using Bleichenbacher to Forge Signatures
View Bleichenbacher’s attack as a black box which, when given a valid ciphertext c and access to a ciphertext-validity oracle, recovers the underlying (encoded) message m.
The attack inverts the RSA function m → m^e mod N.
The same key-pair is used for RSA encryption and RSA signatures.
So Bleichenbacher’s attack can also be used to forge RSA signatures!
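Worked out here as an added note (not on the slides): why the decryption black box above is at the same time a signing oracle once a single RSA key-pair serves both purposes. Let (N, e) be the public key, d the private exponent, μ the encoded message for which a signature is needed, and ρ a random blinding value, matching the c ← ρ^e µ step on the CDA transaction slides:

$$\sigma = \mu^{d} \bmod N, \qquad c = \rho^{e}\,\mu \bmod N, \qquad c^{d} = \rho^{ed}\,\mu^{d} = \rho\,\sigma \bmod N, \qquad \sigma = \rho^{-1}\, c^{d} \bmod N.$$

Recovering the plaintext of c is all the black box does, and dividing out ρ then gives σ; the card's PIN-decryption path never learns that a CDA signature is being produced. Key separation, i.e. a distinct key-pair per purpose, is exactly what removes this equality.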
The Attack on a CDA Transaction
CARD WEDGE TERMINAL
card in
authentication
phase
terminal in
authentication
phase
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 20/34
![Page 32: Key Reuse: Theory, Practice, and Future · Key Reuse: Theory, Practice, and Future Kenny Paterson Royal Holloway, University of London based on joint work with Jean Paul Degabriele,](https://reader033.vdocuments.net/reader033/viewer/2022042804/5f5af81f34ccb502e91f1a43/html5/thumbnails/32.jpg)
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
The Attack on a CDA Transaction
Card Authentication
CARD WEDGE TERMINAL
card in
authentication
phase
terminal in
authentication
phase
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 20/34
![Page 33: Key Reuse: Theory, Practice, and Future · Key Reuse: Theory, Practice, and Future Kenny Paterson Royal Holloway, University of London based on joint work with Jean Paul Degabriele,](https://reader033.vdocuments.net/reader033/viewer/2022042804/5f5af81f34ccb502e91f1a43/html5/thumbnails/33.jpg)
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
The Attack on a CDA Transaction
Card Authentication
CARD WEDGE TERMINAL
PIN: $$$$
card in
authentication
phase
terminal in
authentication
phase
terminal in
cardholder
phase
verification
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 20/34
![Page 34: Key Reuse: Theory, Practice, and Future · Key Reuse: Theory, Practice, and Future Kenny Paterson Royal Holloway, University of London based on joint work with Jean Paul Degabriele,](https://reader033.vdocuments.net/reader033/viewer/2022042804/5f5af81f34ccb502e91f1a43/html5/thumbnails/34.jpg)
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
The Attack on a CDA Transaction
Card Authentication
CARD WEDGE TERMINAL
PIN: $$$$
PIN OK
card in
authentication
phase
terminal in
authentication
phase
terminal in
cardholder
phase
verification
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 20/34
![Page 35: Key Reuse: Theory, Practice, and Future · Key Reuse: Theory, Practice, and Future Kenny Paterson Royal Holloway, University of London based on joint work with Jean Paul Degabriele,](https://reader033.vdocuments.net/reader033/viewer/2022042804/5f5af81f34ccb502e91f1a43/html5/thumbnails/35.jpg)
The Attack on a CDA Transaction

Card Authentication: card and terminal both in the authentication phase.

Message sequence between CARD, WEDGE and TERMINAL:

    TERMINAL (cardholder verification phase) -- PIN: $$$$ -----------> WEDGE
    WEDGE ---------------------------------- PIN OK ----------------> TERMINAL
    TERMINAL (transaction authorization phase) -- Request TC + Payload --> WEDGE
    WEDGE: c ← ρ^e · μ
    WEDGE -- c1 --> CARD (cardholder verification phase)
    CARD -- (7F) Y/N --> WEDGE
    WEDGE -- c2 --> CARD
    CARD -- (7F) Y/N --> WEDGE
        ...
    WEDGE -- cn --> CARD
    CARD -- (7F) Y/N --> WEDGE
    WEDGE -- TC + Signature --> TERMINAL
![Page 41: Key Reuse: Theory, Practice, and Future · Key Reuse: Theory, Practice, and Future Kenny Paterson Royal Holloway, University of London based on joint work with Jean Paul Degabriele,](https://reader033.vdocuments.net/reader033/viewer/2022042804/5f5af81f34ccb502e91f1a43/html5/thumbnails/41.jpg)
Performance (1024 bit keys)

[Plot: x-axis "Number of queries", 2000 to 10000; y-axis "Probability of needing roughly X queries", 0 to 1e-03.]

We stress that we did not implement the attack in practice.
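The structure behind the two slides above, as an added example that is not part of the talk or of [DLPSS12]: one RSA key pair serves both PIN decryption and CDA signing, so the card's decryption operation doubles as a signing oracle. The query is the slide's c ← ρ^e · μ. Two simplifications are assumptions of this demo, not facts about EMV: the modulus is a 216-bit demo key built from two Mersenne primes rather than 1024 bits, and `card_decrypt` returns the full plaintext, whereas a real card only answers the one-bit "(7F) Y/N" question modelled by `card_format_check`; that one bit per query is why the real attack needs thousands of queries (the plot above) rather than one. All function names are hypothetical.

```python
import secrets
from math import gcd

# Demo key (assumption): Mersenne primes 2^127 - 1 and 2^89 - 1, both prime, giving a 216-bit modulus.
# Small enough to run instantly, large enough that nothing below depends on toy-sized numbers.
P = (1 << 127) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python 3.8+ modular inverse)
K = (N.bit_length() + 7) // 8               # block length in bytes (27 for this modulus)


def card_decrypt(c: int) -> int:
    """The card's PIN-decryption operation: raw RSA with the private key.
    Simplification for this demo: the full plaintext is returned. A real EMV card keeps it and
    only reports whether the block is well formed (see card_format_check)."""
    return pow(c, D, N)


def card_format_check(c: int) -> bool:
    """What a real card reveals per query: does the decrypted block start with 0x7F?
    This is the '(7F) Y/N' answer on the slide, a one-bit oracle."""
    leading_byte = card_decrypt(c) >> (8 * (K - 1))
    return leading_byte == 0x7F


def encrypt_block(m: int) -> int:
    """Terminal-side RSA encryption of a block (for building test ciphertexts)."""
    return pow(m, E, N)


def card_sign(mu: int) -> int:
    """The card's CDA signature on the padded message representative mu: same key, same operation."""
    return pow(mu, D, N)


def verify(mu: int, sig: int) -> bool:
    return pow(sig, E, N) == mu


def wedge_forge(mu: int, decrypt_oracle) -> int:
    """Forge the card's signature on mu using only its decryption operation.
    The query is the slide's c <- rho^e * mu: the oracle returns rho * mu^d mod N and dividing
    out the blinding factor rho leaves mu^d, the signature. With only the one-bit oracle the
    same relation has to be exploited across many queries instead of one."""
    while True:
        rho = secrets.randbelow(N - 2) + 2
        if gcd(rho, N) == 1:
            break
    c = (pow(rho, E, N) * mu) % N
    blinded = decrypt_oracle(c)               # rho * mu^d mod N
    return (blinded * pow(rho, -1, N)) % N    # mu^d mod N


def sample_mu() -> int:
    """Constructed message representative standing in for the padded hash of TC + payload."""
    return int.from_bytes(b"TC+payload demo".ljust(K - 1, b"\x00"), "big")


if __name__ == "__main__":
    mu = sample_mu()
    sig = wedge_forge(mu, card_decrypt)
    print("forged signature verifies:", verify(mu, sig),
          "| identical to the card's own signature:", sig == card_sign(mu))
```

The wedge never learns d; it only needs the card to apply d to a value of the wedge's choosing. Separate keys for PIN encryption and signing (or a padding format that ties the signature representative to something the decryption path can never output) remove the relation the forgery relies on.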
![Page 43: Key Reuse: Theory, Practice, and Future · Key Reuse: Theory, Practice, and Future Kenny Paterson Royal Holloway, University of London based on joint work with Jean Paul Degabriele,](https://reader033.vdocuments.net/reader033/viewer/2022042804/5f5af81f34ccb502e91f1a43/html5/thumbnails/43.jpg)
The Future of EMV

EMVCo is considering the adoption of elliptic curve cryptography in future versions of the EMV standards.
More specifically, they are thinking of using:
– ECIES (ISO/IEC 18033-2) for PIN encryption.
– EC-DSA or EC-Schnorr (ISO/IEC 14888-3:2006) to compute digital signatures.
Another result of [DLPSS12]: the two resulting configurations are jointly secure (in ROM/GGM, under reasonable assumptions).
![Page 45: Key Reuse: Theory, Practice, and Future · Key Reuse: Theory, Practice, and Future Kenny Paterson Royal Holloway, University of London based on joint work with Jean Paul Degabriele,](https://reader033.vdocuments.net/reader033/viewer/2022042804/5f5af81f34ccb502e91f1a43/html5/thumbnails/45.jpg)
Cryptographic Agility

Acar, Belenkiy, Bellare and Cash, Cryptographic Agility and its Relation to Circular Encryption, EUROCRYPT'10:
Cryptographic agility concerns the use of the same key in multiple algorithms of the same type.
Individual algorithms may be secure, but joint use with the same key may not be!
OK for CRHF and IND-CPA PKE, but insecure in general for almost everything else.
Use the algorithm identifier as an input to key derivation to achieve suitable key separation from a single starting key.
![Page 46: Key Reuse: Theory, Practice, and Future · Key Reuse: Theory, Practice, and Future Kenny Paterson Royal Holloway, University of London based on joint work with Jean Paul Degabriele,](https://reader033.vdocuments.net/reader033/viewer/2022042804/5f5af81f34ccb502e91f1a43/html5/thumbnails/46.jpg)
Backwards Compatibility Attacks

Jager, P. and Somorovsky, One Bad Apple: Backwards Compatibility Attacks on State-of-the-Art Cryptography, NDSS'13 [JPS13]:
Standards get updated, but "insecure algorithms" are still included for backwards compatibility reasons:
GSM supports A5 variants with different strengths.
SSL/TLS still uses PKCS#1 v1.5.
Web Services servers support AES-CBC and PKCS#1 v1.5.
JSON Web Encryption servers support PKCS#1 v1.5.
What could possibly go wrong?
![Page 48: Key Reuse: Theory, Practice, and Future · Key Reuse: Theory, Practice, and Future Kenny Paterson Royal Holloway, University of London based on joint work with Jean Paul Degabriele,](https://reader033.vdocuments.net/reader033/viewer/2022042804/5f5af81f34ccb502e91f1a43/html5/thumbnails/48.jpg)
Backwards Compatibility Attacks
![Page 49: Key Reuse: Theory, Practice, and Future · Key Reuse: Theory, Practice, and Future Kenny Paterson Royal Holloway, University of London based on joint work with Jean Paul Degabriele,](https://reader033.vdocuments.net/reader033/viewer/2022042804/5f5af81f34ccb502e91f1a43/html5/thumbnails/49.jpg)
Backwards Compatibility Attacks

More interesting attack:
The same key may be used in the "legacy" and "new" algorithms.
The sender uses the key for encryption with the "new" algorithm, creating target C∗.
In some scenarios, a MITM adversary can change the algorithm identifier undetectably from "new" to "legacy" (e.g. XML, JSON).
This induces the receiver to use the key for decryption with the insecure legacy algorithm.
The two algorithms may be related closely enough that this allows C∗ to be attacked . . .
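An added example, not code from the talk or from [JPS13], covering both the countermeasure on the Cryptographic Agility slide (algorithm identifier as key-derivation input) and the header swap on this slide. The message format, field names, algorithm labels and the `KEY_POLICY` registry are assumptions for the demo, not JOSE or XML Encryption syntax; the envelope header is assumed to be unauthenticated, as in the XML/JSON scenarios the slide refers to. The HKDF implementation is checked against test case 1 of RFC 5869.

```python
import hashlib
import hmac
import json


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract with HMAC-SHA256 (all-zero salt when none is supplied)."""
    return hmac.new(salt if salt else b"\x00" * 32, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with HMAC-SHA256."""
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hashlib.sha256).digest()
        okm += t
        counter += 1
    return okm[:length]


def rfc5869_selfcheck() -> bool:
    """Test case 1 of RFC 5869 Appendix A; guards the two functions above."""
    prk = hkdf_extract(bytes(range(0x0D)), bytes([0x0B] * 22))
    okm = hkdf_expand(prk, bytes(range(0xF0, 0xFA)), 42)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                             "34007208d5b887185865")


def derive_key(master: bytes, alg_id: str, length: int = 32) -> bytes:
    """Per-algorithm subkey. Binding the algorithm identifier into the HKDF info string is the
    key separation the agility slide recommends: a 'legacy' algorithm never sees the 'new' key."""
    prk = hkdf_extract(b"", master)
    return hkdf_expand(prk, b"key-separation/v1\x00" + alg_id.encode("ascii"), length)


# Assumed policy store: each key id is pinned to the single algorithm the receiver will use it with.
KEY_POLICY = {"k-2013-01": "AES-256-GCM"}


def is_permitted(header: dict) -> bool:
    """Algorithm pinning: the header must name exactly the algorithm registered for its key id."""
    return KEY_POLICY.get(header.get("kid")) == header.get("alg")


def naive_key_selection(master: bytes, header: dict) -> tuple:
    """Vulnerable receiver: dispatches on the unauthenticated header and hands the same raw key
    to whichever algorithm it names, which is the precondition for the attack on the slide."""
    return header["alg"], master


def hardened_key_selection(master: bytes, header: dict) -> tuple:
    """Hardened receiver: reject anything the key's policy does not allow, and give the algorithm
    its own derived subkey rather than the master key."""
    if not is_permitted(header):
        raise ValueError("algorithm %r not permitted for key %r" % (header.get("alg"), header.get("kid")))
    return header["alg"], derive_key(master, header["alg"])


def parse_header(envelope: str) -> dict:
    return json.loads(envelope)["header"]


def mitm_swap_alg(envelope: str, legacy_alg: str) -> str:
    """The attacker's move on the slide: rewrite the algorithm identifier in transit.
    Assumed here: the header is not covered by any integrity check."""
    obj = json.loads(envelope)
    obj["header"]["alg"] = legacy_alg
    return json.dumps(obj)


# Constructed sample: the ciphertext bytes are dummy data; only the header handling matters here.
MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
SAMPLE_ENVELOPE = json.dumps({"header": {"kid": "k-2013-01", "alg": "AES-256-GCM"},
                              "ciphertext": "00" * 16})
```

With `naive_key_selection`, swapping the header from AES-256-GCM to AES-CBC makes the receiver run the legacy algorithm under exactly the key that protects C∗. With `hardened_key_selection` the swap is rejected outright, and even a receiver that skipped the policy check would hand the legacy algorithm an unrelated subkey.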
![Page 54: Key Reuse: Theory, Practice, and Future · Key Reuse: Theory, Practice, and Future Kenny Paterson Royal Holloway, University of London based on joint work with Jean Paul Degabriele,](https://reader033.vdocuments.net/reader033/viewer/2022042804/5f5af81f34ccb502e91f1a43/html5/thumbnails/54.jpg)
Backwards Compatibility Attacks

Attacks "on paper":
Public key setting, exploiting legacy support for PKCS#1 v1.5:
– Decryption of RSA-OAEP ciphertexts.
– Forging RSA signatures (cf. the EMV attack).
Symmetric key setting, exploiting legacy support for CBC mode:
– Breaking indistinguishability of AES-GCM (allowing decryption of ciphertexts with low entropy).
– Decryption of AES-KW.
![Page 55: Key Reuse: Theory, Practice, and Future · Key Reuse: Theory, Practice, and Future Kenny Paterson Royal Holloway, University of London based on joint work with Jean Paul Degabriele,](https://reader033.vdocuments.net/reader033/viewer/2022042804/5f5af81f34ccb502e91f1a43/html5/thumbnails/55.jpg)
Backwards Compatibility Attacks

Attacks then applied to:
Implementations of the newest versions of the XML Encryption and XML Signature standards.
Implementations of the JSON (JavaScript Object Notation) Web Encryption and Web Signature standards.
Full details of affected vendors and countermeasures in the NDSS paper, to appear in February.
![Page 57: Key Reuse: Theory, Practice, and Future · Key Reuse: Theory, Practice, and Future Kenny Paterson Royal Holloway, University of London based on joint work with Jean Paul Degabriele,](https://reader033.vdocuments.net/reader033/viewer/2022042804/5f5af81f34ccb502e91f1a43/html5/thumbnails/57.jpg)
Key Reuse: Current Status

Certificate standards leave room for key reuse, and practitioners want to do it.
In the symmetric setting: practitioners also want to reuse keys, even if they know it's a bad idea in general.
The EMV, JSON and XML attacks illustrate some of the dangers.
![Page 60: Key Reuse: Theory, Practice, and Future · Key Reuse: Theory, Practice, and Future Kenny Paterson Royal Holloway, University of London based on joint work with Jean Paul Degabriele,](https://reader033.vdocuments.net/reader033/viewer/2022042804/5f5af81f34ccb502e91f1a43/html5/thumbnails/60.jpg)
Looking Ahead to 2020

Standards bodies seem set to continue to include weak algorithms in their documents, e.g. WebCrypto.
Even though they know this introduces potential and actual vulnerabilities.
Backwards compatibility and support for legacy repeatedly triumph over security.
Depressingly, we will probably still be using PKCS#1 v1.5 in 2020, despite a (by then) 22-year-old attack.
Ditto for encryption-only CBC mode in some deployments.
So what can we (primarily academic) cryptographers do?
![Page 66: Key Reuse: Theory, Practice, and Future · Key Reuse: Theory, Practice, and Future Kenny Paterson Royal Holloway, University of London based on joint work with Jean Paul Degabriele,](https://reader033.vdocuments.net/reader033/viewer/2022042804/5f5af81f34ccb502e91f1a43/html5/thumbnails/66.jpg)
Looking Ahead to 2020

We are very good at developing new cryptographic primitives, schemes and security proofs.
We are not so good at building and testing implementations of these.
We are poor at developing theory for the "supporting infrastructure" needed to deploy cryptography: randomness, key management, key hierarchies, PKI, software libraries, . . .
We tend to ignore "everyday" protocols like SSL/TLS, EMV, trusted computing.
![Page 70: Key Reuse: Theory, Practice, and Future · Key Reuse: Theory, Practice, and Future Kenny Paterson Royal Holloway, University of London based on joint work with Jean Paul Degabriele,](https://reader033.vdocuments.net/reader033/viewer/2022042804/5f5af81f34ccb502e91f1a43/html5/thumbnails/70.jpg)
Call to Arms for 2020: Useful Theory

Analyse standards and implementations, finding proofs or attacks.
Support this style of research when submitted to our major cryptography conferences.
Engage with standards bodies and industry, responsibly and patiently, if possible (they can be very receptive).
Recognise that cryptography is not only a branch of theoretical computer science.
Develop useful theory that aids practice.
![Page 73: Key Reuse: Theory, Practice, and Future · Key Reuse: Theory, Practice, and Future Kenny Paterson Royal Holloway, University of London based on joint work with Jean Paul Degabriele,](https://reader033.vdocuments.net/reader033/viewer/2022042804/5f5af81f34ccb502e91f1a43/html5/thumbnails/73.jpg)
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Call to Arms for 2020: Useful Theory
Analyse standards and implementations,finding proofs or attacks.
Support this style of research whensubmitted to our major cryptographyconferences.
Engage with standards bodies and industry– responsibly and patiently, if possible (theycan be very receptive).
Recognise that cryptography is not only abranch of theoretical computer science.
Develop useful theory that aids practice.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 32/34
![Page 74: Key Reuse: Theory, Practice, and Future · Key Reuse: Theory, Practice, and Future Kenny Paterson Royal Holloway, University of London based on joint work with Jean Paul Degabriele,](https://reader033.vdocuments.net/reader033/viewer/2022042804/5f5af81f34ccb502e91f1a43/html5/thumbnails/74.jpg)
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Call to Arms for 2020: Useful Theory
Analyse standards and implementations,finding proofs or attacks.
Support this style of research whensubmitted to our major cryptographyconferences.
Engage with standards bodies and industry– responsibly and patiently, if possible (theycan be very receptive).
Recognise that cryptography is not only abranch of theoretical computer science.
Develop useful theory that aids practice.
Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 32/34
![Page 75: Key Reuse: Theory, Practice, and Future · Key Reuse: Theory, Practice, and Future Kenny Paterson Royal Holloway, University of London based on joint work with Jean Paul Degabriele,](https://reader033.vdocuments.net/reader033/viewer/2022042804/5f5af81f34ccb502e91f1a43/html5/thumbnails/75.jpg)
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020
Looking Ahead to 2020
A community of researchers is gradually emerging.
2014 workshop slated for East Coast of USA.
Similar workshop with contributed talks has been co-located with Financial Crypto for last few years.
Get involved!
Further Reading
More details on the research results highlighted in this talk can be found in:
[PSST11] K.G. Paterson, J.C.N. Schuldt, M. Stam and S. Thomson, On the Joint Security of Encryption and Signature, Revisited. ASIACRYPT’11.
[DLPSS12] J.P. Degabriele, A. Lehmann, K.G. Paterson, N.P. Smart and M. Strefler, On the Joint Security of Encryption and Signature in EMV. CT-RSA’12.
[JPS13] T. Jager, K.G. Paterson and J. Somorovsky, One Bad Apple: Backwards Compatibility Attacks on State-of-the-Art Cryptography. NDSS’13.