rsa data security, inc. some perspectives on smart card cryptography burt kaliski, chief scientist...
TRANSCRIPT
RSA Data Security, Inc.
Some Perspectives on Smart Card Cryptography
Burt Kaliski, Chief ScientistRSA Laboratories
SCIA IC Card & System Security MeetingNovember 16–17, 1998
© RSA 1998
Introduction
• The emerging world of e-commerce depends on security services:– user authentication– key distribution– data integrity and confidentiality– digital signatures / nonrepudiation
• Smart cards and cryptography are helpful tools for implementing these services
© RSA 1998
Smart Cards and Cryptography
• Smart cards carry the keys, perform cryptographic operations– ideal for “personal” cryptography
• Other tokens also considered in many designs:– PC cards– palmtops
© RSA 1998
Cryptography Choices
1. Public key vs. symmetric
2. Algorithms
3. Protocols
© RSA 1998
Public Key vs. Symmetric
• A classic choice: scalability vs. speed– symmetric cryptography up to 100x faster– but management of public keys much
easier
• Open system or closed?
• Benefits can be combined
© RSA 1998
A Hybrid Approach
• Registration with public-key cryptography:– smart card establishes symmetric key via
server’s public key
• User authentication, key distribution, data protection with symmetric key
• Digital signatures combine public-key cryptography with hashing
© RSA 1998
Public-Key Algorithms
• Three families considered in standards:– discrete logarithm (DL): Diffie-Hellman,
DSA, MQV– elliptic curve (EC): analogs of DL– integer factorization (IF): RSA, RW
• Tradeoffs in key and data size, security, speed
© RSA 1998
Symmetric Algorithms
• Encryption algorithms:– DES, triple-DES, AES– “exportable” alternatives
• Integrity-protection algorithms
• Hash functions
• Tradeoffs primarily in security, speed
© RSA 1998
Protocols
• Many to choose from for each service
• Examples:– time-based vs. challenge-response user
authentication– key transport vs. key agreement
• Tradeoffs in algorithms supported, number of messages
© RSA 1998
Implementation Considerations
• Many kinds of physical attacks to contend with, beyond the cryptography:– timing analysis– power analysis– reverse engineering
• Logical attacks especially of concern in multi-application environments
© RSA 1998
Crypto-Coprocessors
• Cryptographic operations in smart cards are often accelerated with coprocessors– typical: modular exponentiation
• All three families can be accelerated with a modular arithmetic coprocessor– RSA (mod n)
– DL, EC over GF(p) for odd p
• What’s in a coprocessor today may be standard tomorrow
© RSA 1998
RSA Cryptography
• Cryptographic operations based on the RSA algorithm– PKCS #1, IEEE P1363, ANSI X9.31, X9.44
(draft) standards
• Key pair generation, encryption / decryption, signature / verification
• Example times given for several smart card chips– most with 8-bit CPUs, coprocessors
© RSA 1998
Key Length
• Typical RSA key length: 1024 bits
• Security about 280 against best methods– comparable to 160-bit ECC, 80-bit
symmetric in terms of operations– … but RSA-breaking methods require
much more memory
© RSA 1998
Private-Key Operations
• Signature generation and decryption with private key (n,d):
y = xd mod n– with Chinese Remainder Theorem:
yp = xd mod p-1 mod p
yq = xd mod q-1 mod q
y = [(yp-yq)q-1 mod p] q + yq
• Typical: two 512-bit modexps– 100-800ms on example smart cards
© RSA 1998
Public-Key Operations
• Signature verification or encryption with public key (n,e):
y = xe mod n– e = 3, 17, 216+1 common
• Typical: a few 1024-bit modmults– 5-265ms on smart cards with e = 216+1
• except in two cases, 50ms
– coprocessor not needed for small e
© RSA 1998
Key Pair Generation
• Public key (n,e)
• Private key (n,d)– where
n = pq
de 1 mod lcm (p-1, q-1)
• Typical: two 512-bit prime generations– est. 10-100 seconds on examples
© RSA 1998
Key and Data Sizes
• Nominal: about 1024 bits for signature, ciphertext, public key (+ e); 2560 bits for private key
• But many optimizations available:– 100 bits for private key with seed, offsets– 160-320 bits overhead for signatures with
message recovery
© RSA 1998
Example Timings
Manufacturer Device Clock(MHz)
Coproc. Sign(ms)
Verify(ms)
SGS-Thomson ST16CF54B 5 MAP 800 265
ST19CF68 10 MAP 400 150
ST19KF16 10 MAP 110 5
Philips P83W854 / 8 indep. FameX 250 50
P83W8516 / 32 indep. FameX 160 25
Siemens SLE66CX160S 5 ACE 230 24
NEC PD789828 40 SuperMAP 100 7
Source: H. Handschuh and P. Paillier, “Smart Card Crypto-Coprocessors for Public-Key Cryptography,” RSA Laboratories’ CryptoBytes, Summer 1998 (www.rsa.com/rsalabs/pubs/cryptobytes)
© RSA 1998
RSA and ECC Advantages
• ECC advantages– signature generation
/ decryption speed
– key pair generation speed
• key agreement, forward secrecy
– key and data sizes
– GF(2m) option
• RSA advantages– signature
verification / encryption speed
• certificate-based key management
– parameter generation speed (none)
– security analysis
For more reading: M.J. Wiener, “Performance Comparisons of Public-Key Cryptosystems,” RSA Laboratories’ CryptoBytes, Summer 1998(www.rsa.com/rsalabs/pubs/cryptobytes)
© RSA 1998
Interfaces and File Formats
• Interoperability is more than just the same algorithms and protocols
• Other aspects to consider:– physical interface (ISO 7816)– programming interface (PKCS #11)– information formats (PKCS #15)
© RSA 1998
PKCS: The Public-Key Cryptography Standards
• Informal, intervendor specifications
• Coordinated by RSA Laboratories, developed with the cryptography community
• More information:– www.rsa.com/rsalabs/pubs/PKCS
© RSA 1998
PKCS #11 / Cryptoki
• Programming interface for cryptographic tokens
• “Logical token” has objects, operations, access rights, independent of physical implementation
• Currently v2.01, revision in progress
© RSA 1998
PKCS #15: Information Formats
• Common formats for cryptographic objects– file formats in case of smart cards
• Coordination with several groups:– WAP Forum– DC/SC Forum– SEIS (Sweden)
• Draft available for comment
© RSA 1998
Conclusions
• Smart card security has many choices
• RSA cryptography a practical solution
• Interoperability also includes interfaces, file formats