key reuse: theory, practice, and future · key reuse: theory, practice, and future kenny paterson...

Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020

Key Reuse: Theory, Practice, and Future

Kenny PatersonRoyal Holloway, University of London

based on joint work withJean Paul Degabriele, Tibor Jager, Anja Lehmann, Jacob C.N. Schuldt,

Nigel P. Smart, Juraj Somorovsky, Martijn Stam, Mario Strefler, Susan Thomson

ECRYPT-II – Crypto for 2020

Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory, Practice, and Future 1/34

Outline

1 Key Separation, Key Reuse, and Cryptographic Agility

2 Joint Security

3 Key Reuse in EMV

4 Cryptographic Agility

5 BC Attacks

6 Looking Ahead to 2020

Motivation for Key Reuse

Reusing an asymmetric key-pair in different primitives can reduce:

Storage requirements for certificates and keys;Costs of key certification;Net certificate verification time;Footprint of cryptographic code and development effort.

. . . but breaks the key separation principle of using different keys fordifferent purposes.

Motivation for Key Reuse

Reusing an asymmetric key-pair in different primitives can reduce:

Storage requirements for certificates and keys;Costs of key certification;Net certificate verification time;Footprint of cryptographic code and development effort.

. . . but breaks the key separation principle of using different keys fordifferent purposes.

Scope of Reuse

Reuse is not restricted to “encryption + signatures”, nor to theasymmetric setting:

Could be, for example, “signature + static DH value” in a morecomplex protocol.

We may wish to reuse a key in the symmetric setting, e.g. CCMmode (CTR + CBC-MAC).

We may wish to use the same key in two different algorithms forthe same primitive, e.g. RSA-OAEP and RSA-PKCS#1v1.5, orAES-CBC and AES-GCM.

– As in the most recent edition of the XML standards.– Related to the concept of cryptographic agility, Acar et al.,

EUROCRYPT’10.

Key Reuse and Certificate Standards

X.509:Certificate contains algorithm identifiers for the signing algorithmused to create the certificate itself.But not necessarily any information about for which purposes thecertified public key can be used.Nor in which specific algorithms the certified public key can beused.X.509 extensions define Key Usage and Subject Public Key Infofields, but plenty of flexibility . . .

Key Usage Extension

RFC 5280 (X.509v3):The key usage extension defines the purpose (e.g.,encipherment, signature, certificate signing) ofthe key contained in the certificate. The usagerestriction might be employed when a key thatcould be used for more than one operation is tobe restricted.

Key Usage Extension

RFC 5280 (X.509v3):KeyUsage ::= BIT STRING {

digitalSignature (0),nonRepudiation (1),keyEncipherment (2),dataEncipherment (3),keyAgreement (4),keyCertSign (5),cRLSign (6),encipherOnly (7),decipherOnly (8) }

RFC 5280 (X.509v3):This profile does not restrict the combinationsof bits that may be set in an instantiation of thekeyUsage extension.

Main Question

Given that key reuse in all its forms is common in practice, what canwe say about its security?

Joint Security of Signature and Encryption

Haber and Pinkas, Securely Combining Public-KeyCryptosystems, CCS’01:

First formal security models for joint security.Secure combinations for some schemes in the random oraclemodel.Only partial solutions in the standard model.

Coron, Joye, Naccache and Paillier, Universal Padding Schemesfor RSA, CRYPTO’02:

Signature padding scheme PSS also gives IND-CCA secureencryption.Resulting encryption and signature schemes can securely usesame RSA key-pair.Proof of joint security in ROM.

Komano and Ohta, Efficient Universal Padding Techniques forMultiplicative Trapdoor One-Way Permutation, CRYPTO’03:

Consider OAEP+ and REACT encodings, also in ROM.

Coron, Joye, Naccache and Paillier, Universal Padding Schemesfor RSA, CRYPTO’02:

Signature padding scheme PSS also gives IND-CCA secureencryption.Resulting encryption and signature schemes can securely usesame RSA key-pair.Proof of joint security in ROM.

Komano and Ohta, Efficient Universal Padding Techniques forMultiplicative Trapdoor One-Way Permutation, CRYPTO’03:

Consider OAEP+ and REACT encodings, also in ROM.

P., Schuldt, Stam and Thomson, On the Joint Security ofEncryption and Signature, Revisited, ASIACRYPT’11 [PSST11]:

Target: to find new constructions for jointly secure combinedschemes in the standard model.

Main contributions:A trivial Cartesian product construction for benchmarking.

A generic construction from IBE:Naor trick + CHK transform + domain separation.

An efficient, specific construction using pairings.

(Applications to signcryption.)

P., Schuldt, Stam and Thomson, On the Joint Security ofEncryption and Signature, Revisited, ASIACRYPT’11 [PSST11]:

Target: to find new constructions for jointly secure combinedschemes in the standard model.

Main contributions:A trivial Cartesian product construction for benchmarking.

A generic construction from IBE:Naor trick + CHK transform + domain separation.

An efficient, specific construction using pairings.

(Applications to signcryption.)

The EMV Specification

EMV is the de facto global standard for IC credit/debit cards –Chip & PIN.

As of Q2 2012, there were 1.55 billion EMV cards in useworldwide.

The specification defines the inter-operation of IC cards withPoint-of-Sale (PoS) terminals and Automated Teller Machines(ATMs) .

EMV Cards

An EMV card contains a chip which allows it to performcryptographic computations.

All EMV cards contain a symmetric key which it shares with theIssuing Bank.

Most cards are also equipped with RSA keys to computesignatures for card authentication and transaction authorization,and to encrypt the PIN between the terminal and the card.

Key Reuse in EMV

Given the constrained on-card processing environment, reducingthe storage and computation consumed by the cryptographicfunctions in EMV is very important.

The EMV standard allows the same RSA key-pair to be used forboth PIN encryption and CDA signature generation.

Encryption and signature algorithms are based on theRSA-PKCS#1v1.5 standards.

Is this key reuse is detrimental to the security of the EMV systemor not?

Wedge Attacks

A wedge is a special device interposed between the card and theterminal which allows MITM attacks to be carried out on the EMVprotocols.

Such attacks received a lot of publicity because of an Oakland2010 paper by Murdoch et al. – the so-called “CambridgeAttack”.

Wedge Attacks

A wedge is a special device interposed between the card and theterminal which allows MITM attacks to be carried out on the EMVprotocols.

Such attacks received a lot of publicity because of an Oakland2010 paper by Murdoch et al. – the so-called “CambridgeAttack”.

Wedge Attacks

Picture source:www.cl.cam.ac.uk/research/security/banking/relay

An Attack on EMV

Degabriele, Lehmann, P., Smart and Strefler, On the JointSecurity of Encryption and Signature in EMV, CT-RSA’12[DLPSS12]:

A wedge attack exploiting the reuse of RSA keys in an EMV cardto allow an attacker to make transactions without knowing thecard’s PIN.

The attack is only applicable to a CDA card in an offlinetransaction.

The attack would still work even if the countermeasures againstthe Cambridge Attack were in place!

The attack is a variant of Bleichenbacher’s attack against RSAwith PKCS#1v1.5 encoding (CRYPTO’98).

PIN Encryption in EMV

Encoding used in EMV for PIN encryption:

7F || PIN block || ICC challenge || Random padding

where the PIN block and the ICC Challenge (from the card) are 8bytes long.

Upon decryption the card performs multiple checks.

If test for ‘7F’ byte is carried out first, and its success or failurecan be distinguished (e.g. via timing or power analysis), then aBleichenbacher-style attack may be possible.

Using Bleichenbacher to Forge Signatures

View Bleichenbacher’s attack as a black box, which when given avalid ciphertext c and access to a ciphertext-validity oraclerecovers the underlying (encoded) message m.

The attack inverts the RSA function m→ me mod N.

The same key-pair is used for RSA encryption and RSAsignatures.

So Bleichenbacher’s attack can also be used to forge RSAsignatures!

The Attack on a CDA Transaction

CARD WEDGE TERMINAL

card in

authentication

terminal in

authentication

Card Authentication

CARD WEDGE TERMINAL

card in

authentication

terminal in

authentication

Card Authentication

CARD WEDGE TERMINAL

PIN: $$$$

card in

authentication

terminal in

authentication

terminal in

cardholder

verification

Card Authentication

CARD WEDGE TERMINAL

PIN: $$$$

PIN OK

card in

authentication

terminal in

authentication

terminal in

cardholder

verification

Card Authentication

CARD WEDGE TERMINAL

PIN: $$$$

PIN OK

Request TC + Payload

card in

authentication

terminal in

authentication

terminal in

cardholder

verification

terminal in

transaction

authorization

Card Authentication

CARD WEDGE TERMINAL

PIN: $$$$

PIN OK

card in

authentication

terminal in

authentication

terminal in

cardholder

verification

terminal in

transaction

authorization

c← ρeµ

Card Authentication

CARD WEDGE TERMINAL

PIN: $$$$

PIN OK

card in

authentication

terminal in

authentication

terminal in

cardholder

verification

terminal in

transaction

authorization

card in

cardholder

verification

c← ρeµ

(7F) Y/N

Card Authentication

CARD WEDGE TERMINAL

PIN: $$$$

PIN OK

card in

authentication

terminal in

authentication

terminal in

cardholder

verification

terminal in

transaction

authorization

card in

cardholder

verification

c← ρeµ

(7F) Y/Nc2

(7F) Y/N

Card Authentication

CARD WEDGE TERMINAL

PIN: $$$$

PIN OK

card in

authentication

terminal in

authentication

terminal in

cardholder

verification

terminal in

transaction

authorization

card in

cardholder

verification

c← ρeµ

(7F) Y/Nc2

(7F) Y/N

Card Authentication

CARD WEDGE TERMINAL

PIN: $$$$

PIN OK

TC + Signature

card in

authentication

terminal in

authentication

terminal in

cardholder

verification

terminal in

transaction

authorization

card in

cardholder

verification

c← ρeµ

(7F) Y/Nc2

(7F) Y/N

Performance (1024 bit keys)

Number of queries

2000 4000 6000 8000 10000

We stress that we did not implement the attack in practice.

Performance (1024 bit keys)

Number of queries

2000 4000 6000 8000 10000

We stress that we did not implement the attack in practice.

The Future of EMV

EMV Co is considering the adoption of elliptic curvecryptography in future versions of the EMV standards.

More specifically, they are thinking of using:

– ECIES (ISO/IEC 18033-2) for PIN encryption.

– EC-DSA or EC-Schnorr (ISO/IEC 14888-3:2006) to compute digitalsignatures.

Another result of [DLPSS12]: the two resulting configurations arejointly secure (in ROM/GGM, under reasonable assumptions).

The Future of EMV

EMV Co is considering the adoption of elliptic curvecryptography in future versions of the EMV standards.

More specifically, they are thinking of using:

– ECIES (ISO/IEC 18033-2) for PIN encryption.

– EC-DSA or EC-Schnorr (ISO/IEC 14888-3:2006) to compute digitalsignatures.

Another result of [DLPSS12]: the two resulting configurations arejointly secure (in ROM/GGM, under reasonable assumptions).

Cryptographic Agility

Acar, Belenkiy, Bellare and Cash, Cryptographic Agility and itsRelation to Circular Encryption, EUROCRYPT’10:

Cryptographic agility concerns the use of the same key inmultiple algorithms of the same type.

Individual algorithms may be secure, but joint use with same keymay not!

OK for CRHF and IND-CPA PKE, but insecure in general foralmost everything else.

Use algorithm identifier as input to key derivation to achievesuitable key separation from a single starting key.

Backwards Compatibility Attacks

Jager, P. and Somorovsky, One Bad Apple: BackwardsCompatibility Attacks on State-of-the-Art Cryptography,NDSS’13 [JPS13]:

Standards get updated, but “insecure algorithms” are still included forbackwards compatibility reasons:

GSM supports A5 variants with different strengths.

SSL/TLS still uses PKCS#1v1.5.

Web Services servers support AES-CBC and PKCS#1v1.5.

JSON Web Encryption servers support PKCS#1v1.5.

What could possibly go wrong?

Jager, P. and Somorovsky, One Bad Apple: BackwardsCompatibility Attacks on State-of-the-Art Cryptography,NDSS’13 [JPS13]:

Standards get updated, but “insecure algorithms” are still included forbackwards compatibility reasons:

GSM supports A5 variants with different strengths.

SSL/TLS still uses PKCS#1v1.5.

Web Services servers support AES-CBC and PKCS#1v1.5.

JSON Web Encryption servers support PKCS#1v1.5.

What could possibly go wrong?

More interesting attack:

The same key may be used in the “legacy” and “new” algorithms.

The sender uses the key for encryption with “new” algorithm,creating target C∗.

In some scenarios, a MITM adversary can change the algorithmidentifier undetectably from “new” to “legacy” (e.g. XML, JSON).

This induces the receiver to use the key for decryption with theinsecure legacy algorithm.

The two algorithms may be related closely enough that thisallows C∗ to be attacked . . .

Attacks “on paper”:

Public key setting, exploiting legacy support for PKCS#v1.5:Decryption of RSA-OAEP ciphertexts.Forging RSA signatures (c.f. EMV attack).

Symmetric key setting, exploiting legacy support for CBC-mode:Breaking indistinguishability of AES-GCM (allowing decryption ofciphertexts with low entropy).Decryption of AES-KW.

Attacks then applied to:

Implementations of newest versions of XML Encryption and XMLSignature standards.

Implementations of JavaScript Object Notation Web Encryptionand Web Signature standards.

Full details of affected vendors and countermeasures in NDSS paperto appear in February.

Attacks then applied to:

Implementations of newest versions of XML Encryption and XMLSignature standards.

Implementations of JavaScript Object Notation Web Encryptionand Web Signature standards.

Full details of affected vendors and countermeasures in NDSS paperto appear in February.

Key Reuse: Current Status

Certificate standards leave room for key reuse, and practitionerswant to do it.

In the symmetric setting: practitioners also want to reuse keys,even if they know it’s a bad idea in general.

EMV, JSON, XML attacks illustrate some of the dangers.

Looking Ahead to 2020

Standards bodies seem set to continue to include weakalgorithms in their documents, e.g. WebCrypto.

Even though they know this introduces potential and actualvulnerabilities.

Backwards compatibility and support for legacy repeatedlytriumph over security.

Depressingly, we will probably still be using PKCS#1v1.5 in2020, despite a (by then) 22 year old attack.

Ditto for encryption only CBC-mode in some deployments.

So what can we (primarily academic) cryptographers do?

We are very good at developing new cryptographic primitives,schemes and security proofs.

We are not so good at building and testing implementations ofthese.

We are poor at developing theory for “supporting infrastructure”needed to deploy cryptography – randomness, key management,key hierarchies, PKI, software libraries, . . .

We tend to ignore “everyday” protocols like SSL/TLS, EMV,trusted computing.

Call to Arms for 2020: Useful Theory

Analyse standards and implementations,finding proofs or attacks.

Support this style of research whensubmitted to our major cryptographyconferences.

Engage with standards bodies and industry– responsibly and patiently, if possible (theycan be very receptive).

Recognise that cryptography is not only abranch of theoretical computer science.

Develop useful theory that aids practice.

A community of researchers is gradually emerging.

2014 workshop slated for East Coast of USA.

Similar workshop with contributed talks has been co-located withFinancial Crypto for last few years.

Get involved!

key reuse: theory, practice, and future · key reuse: theory, practice, and future kenny paterson...

Documents