The low-call diet: Authenticated Encryption for call counting HSM - - PowerPoint PPT Presentation



SLIDE 1

The low-call diet: Authenticated Encryption for call counting HSM users

Gaven J. Watson – University of Bristol

Joint work with: Mike Bond (Cryptomathic), George French (Barclays Bank Plc) and Nigel P. Smart (UoB)

Real World Cryptography Workshop, Stanford – January 10th 2012

M. Bond, G. French, N.P. Smart, G.J. Watson
Low-call diet: AE for call counting HSM users Stanford – January 10th 2012 1 / 40

SLIDE 2

1. Background
2. Motivation
3. Encryption with redundancy
4. Managed Encryption Format
5. Analysis
6. Summary
7. Something different...

SLIDE 3

Background

SLIDES 4–8

Background

The story of this work

  • Designed by Mike Bond and George French.
  • Scheme presented by Mike Bond at: “Is Cryptographic Theory Practically Relevant?” – Workshop, Cambridge, UK, Feb 2012.
  • Security analysis.
  • Presented today at: Real World Crypto Workshop, Stanford, Jan 2013.
  • Paper to appear at CT-RSA 2013 (February).

SLIDE 9

Motivation

SLIDES 10–16

Motivation

Setting

Industry commonly manages keys with special purpose hardware: the Hardware Security Module (HSM).

  • HSMs store keys which should not be exposed outside the module.
  • Keys are used via an API call to the HSM.
  • e.g. the HSM provides an API call for CBC mode. Input: plaintext and the name of a key. The HSM recovers the key and applies CBC mode.
  • The whole process is expensive.
  • Minimizing calls to the HSM is important.

SLIDES 17–20

Motivation

What are our options?

Constructions which provide authenticated encryption:

  • Encrypt-then-MAC
  • Dedicated AE scheme: OCB, EAX, CCM etc.

Why not use one of these well studied schemes?

SLIDES 21–24

Motivation

  • HSMs were designed before the need for AE was understood.
  • More modern modes are not supported.
  • Solution: use a generic construction such as Encrypt-then-MAC.
  • Problem: this uses two keys, meaning two HSM calls.

SLIDES 25–26

Motivation

Design criteria

Basic requirements:

  • All secret keys should reside on the HSM.
  • Only one call to the HSM is allowed, i.e. a single key.
  • Such a call should be to a CBC-Encrypt.

SLIDE 27

Encryption with redundancy

SLIDES 28–31

Encryption with redundancy

  • Studied formally by An and Bellare.
  • Two types of redundancy function: secret key and public key.
  • IND-CPA encryption scheme + secret/public redundancy function ⇒ AE.
  • An and Bellare define a scheme with a secret key redundancy function, Nested CBC (NCBC). NCBC uses a different key to encrypt the last block.

SLIDES 32–34

Encryption with redundancy

Relating to our scheme

  • Our scheme uses secret redundancy, where the redundancy function uses a different “key” each time.
  • In general any IND-CPA scheme plus a one-time redundancy function ⇒ AE.

SLIDE 35

Managed Encryption Format

SLIDES 36–41

Managed Encryption Format

API call

  • The API call is CBC-mode with all-zero IV.
  • Need randomness for security.
  • Use the HSM's ability to generate random numbers.
  • Implementation note – to avoid making an extra HSM call for every encryption, we maintain a cache of randomness.
  • We assume this cache to be secure.

SLIDE 42

Managed Encryption Format

[Figure: the Managed Encryption Format as one CBC chain under F_K with all-zero IV. R is encrypted first, giving C[0] = F_K(R); the next input block is hash(R, A, M), which also takes the associated data A as input; the message blocks M[1], M[2], …, M[n] follow, producing C[1], C[2], C[3], …, C[n + 1].]

SLIDES 43–44

Managed Encryption Format

Encrypt(K, A, M):
    R ←$ {0, 1}^l
    H ← hash(R, A, M)
    C ← E-CBC[F](K, R ‖ H ‖ pad(M))
    return C

Decrypt(K, A, C):
    R ‖ H ‖ M′ ← D-CBC[F](K, C)
    M ← dpad(M′)
    if M ≠ ⊥ then
        h ← hash(R, A, M)
        if h ≠ H then M ← ⊥
    return M

Points to note:

  • Padding (uniform error reporting)
  • “MAC-then-encrypt”
  • IV
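The Encrypt/Decrypt pair above, worked in Go as an added example rather than the authors' code: AES-128 in CBC mode with an all-zero IV stands in for the HSM's CBC-Encrypt call, crypto/rand for the HSM randomness cache, 0x80-then-zeros padding for pad/dpad, and SHA-256 truncated to one block for hash(R, A, M); the slides fix none of these, and hsmCBC, mefHash, Encrypt and Decrypt are names chosen here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

const blockLen = aes.BlockSize // l = 128 bits: one block for R, one for H = hash(R, A, M)

// hsmCBC stands in for the one HSM call the format may use: CBC mode with an all-zero
// IV under a key that never leaves the module. Assumption: local AES replaces the HSM.
func hsmCBC(key, in []byte, encrypt bool) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(in)%blockLen != 0 {
		return nil, errors.New("input is not a whole number of blocks")
	}
	iv := make([]byte, blockLen) // all-zero IV: C[0] = F_K(R) takes the IV's role
	out := make([]byte, len(in))
	if encrypt {
		cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(blk, iv).CryptBlocks(out, in)
	}
	return out, nil
}

// mefHash is the one-time redundancy function hash(R, A, M) cut to one block. Assumption:
// the slides leave hash unspecified; SHA-256 over a length-prefixed encoding is used.
func mefHash(r, a, m []byte) []byte {
	h := sha256.New()
	h.Write(r)
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], uint64(len(a)))
	h.Write(n[:])
	h.Write(a)
	h.Write(m)
	return h.Sum(nil)[:blockLen]
}

// pad appends 0x80 then zeros up to a block boundary; dpad undoes it or reports ⊥ (false).
func pad(m []byte) []byte {
	out := make([]byte, (len(m)/blockLen+1)*blockLen)
	copy(out, m)
	out[len(m)] = 0x80
	return out
}

func dpad(mp []byte) ([]byte, bool) {
	i := len(bytes.TrimRight(mp, "\x00")) - 1 // index of the last non-zero byte
	if i < 0 || mp[i] != 0x80 {
		return nil, false
	}
	return mp[:i], true
}

// Encrypt: R <-$ {0,1}^l; H <- hash(R, A, M); C <- E-CBC[F](K, R || H || pad(M)).
// Assumption: crypto/rand stands in for the HSM-filled randomness cache.
func Encrypt(key, a, m []byte) ([]byte, error) {
	r := make([]byte, blockLen)
	if _, err := rand.Read(r); err != nil {
		return nil, err
	}
	in := bytes.Join([][]byte{r, mefHash(r, a, m), pad(m)}, nil)
	return hsmCBC(key, in, true)
}

// Decrypt: R || H || M' <- D-CBC[F](K, C); M <- dpad(M'); accept only if hash(R, A, M) = H.
// The hash is recomputed even after a padding failure and both failures return the same
// (nil, false): the uniform error reporting the slide lists as its first point to note.
func Decrypt(key, a, c []byte) ([]byte, bool) {
	pt, err := hsmCBC(key, c, false)
	if err != nil || len(pt) < 3*blockLen {
		return nil, false
	}
	r, h, mp := pt[:blockLen], pt[blockLen:2*blockLen], pt[2*blockLen:]
	m, padOK := dpad(mp)
	hashOK := subtle.ConstantTimeCompare(mefHash(r, a, m), h) == 1
	if !padOK || !hashOK {
		return nil, false
	}
	return m, true
}

func main() {
	key := []byte("0123456789abcdef") // constructed demo key; a real one lives in the HSM
	c, _ := Encrypt(key, []byte("hdr"), []byte("attack at dawn"))
	m, ok := Decrypt(key, []byte("hdr"), c)
	fmt.Println(len(c), ok, string(m))
}
```

Because C[0] = F_K(R) is the first block, the ciphertext is exactly one block longer than pad(M) plus one block of hash, and two encryptions of the same (A, M) differ in every block.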

SLIDE 45

Analysis

SLIDE 46

Analysis

Security model – Privacy

Let Π = (KeyGen, Encrypt, Decrypt) be a symmetric encryption scheme.

PRIV^A(Π):
    K ← KeyGen; b ←$ {0, 1}
    b′ ← A^Enc
    return (b′ = b)

Enc(A, M_0, M_1):
    C_0 ← Encrypt(K, A, M_0)
    C_1 ← Encrypt(K, A, M_1)
    return C_b

    Adv^priv_Π(A) = 2·Pr[PRIV^A(Π) ⇒ true] − 1

SLIDES 47–48

Analysis

PRIV

This can be proved by relating to the security of CBC mode proved by Bellare et al. [BDJR].

[Figure: the first links of the chain: R ↦ C[0] = F_K(R), then hash(R, A, M) and M[1] pass through F_K giving C[1] and C[2].]

SLIDES 49–50

Analysis

Privacy

Let F = {F_K : K ∈ {0, 1}^k} be a permutation family. Let Π[F] be the managed encryption format using permutation family F. Let A be an adversary against Privacy which runs in time t; making q_e encryption queries totalling at most µ_e bits. Then there exists an adversary B such that:

    Adv^PRIV_Π[F](A) ≤ 2·Adv^prp_F(B) + q_f² / 2^l + (1 / 2^l)·[(µ_e/l + 2q_e)² − (µ_e/l + 2q_e)]

where B runs in time t + O(µ_e) asking at most q_f = µ_e/l + 2q_e queries.

SLIDE 51

Analysis

Security model – AUTH

Let Π = (KeyGen, Encrypt, Decrypt) be a symmetric encryption scheme.

AUTH^A(Π):
    K ← KeyGen
    win ← false
    (A*, C*) ← A^{Enc,Test}
    return win

Enc(A, M):
    C ← Encrypt(K, A, M)
    𝒞 ← 𝒞 ∪ {(A, C)}
    return C

Test(A*, C*):
    M* ← Decrypt(K, A*, C*)
    if M* ≠ ⊥ and (A*, C*) ∉ 𝒞 then win ← true
    return (M* ≠ ⊥)

    Adv^auth_Π(A) = Pr[AUTH^A(Π) ⇒ true]

SLIDE 52

Analysis

AUTH

[Figure: the Managed Encryption Format chain of slide 42: C[0] = F_K(R), then hash(R, A, M), M[1], …, M[n] giving C[1], …, C[n + 1].]

To forge a ciphertext the adversary must forge the hash.

SLIDE 53

Analysis

Case 1: Hash not queried

    Pr[(hash(R*, A*, M*) = h*) ∧ ((R*, A*, M*, h*) ∉ H) | π ←$ Perm] ≤ q_t / 2^l

  • Not previously queried.
  • Random chance on verification.

SLIDES 54–55

Analysis

Case 2: Hash already queried

    Pr[(hash(R*, A*, M*) = h*) ∧ ((R*, A*, M*, h*) ∈ H) | π ←$ Perm] ≤ q_h·µ_e / (l·2^l)

  • Previous call to random oracle.
  • If the call was made by an encryption query then it is an invalid forgery. So it is an independent call to hash.
  • Analysis is then based on the collision event that for some i, j, C_i[j] ⊕ M_i[j] = h* ⊕ π(R*).

SLIDES 56–57

Analysis

AUTH

Let F = {F_K : K ∈ {0, 1}^k} be a permutation family. Let Π[F] be the managed encryption format using permutation family F. Let A be an adversary against the AUTH security which runs in time t, making q_e encryption queries totalling at most µ_e bits, q_t test queries totalling at most µ_t bits and q_h random oracle queries. Then there exists an adversary B such that:

    Adv^AUTH_Π[F](A) ≤ Adv^sprp_F(B) + q_t / 2^l + q_h·µ_e / (l·2^l)

where B makes q_f = µ_e/l + 2q_e + µ_t/l queries and runs in time t + O(µ_e + µ_t).

SLIDE 58

Summary

SLIDES 59–62

Summary

  • We have discussed the Managed Encryption Format.
  • Despite its limitation we were still able to prove it secure.
  • With several important implementation caveats.
  • Care needs to be taken with implementation to ensure security.

SLIDE 63

Something different...

SLIDE 64

Something different...

And now for something completely different....

SLIDE 65

Something different...

Analysis of the new EMV key agreement protocol

Christina Brzuska¹, Nigel P. Smart², Bogdan Warinschi², Gaven J. Watson²

¹ School of Computer Science, Tel Aviv University, Israel.
² Dept. Computer Science, University of Bristol, UK.

Real World Cryptography Workshop, Stanford – January 10th 2012

C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson
EMV Analysis Stanford – January 10th 2012 30 / 40

SLIDES 66–70

Something different...

Scheme

Card (C): secret key d ∈ F_q, “public” key Q_C = dP, cert_C = (sig_sk(Q_C), Q_C).
Terminal (T).

    C:      a ←$ {0, 1}^l
    C → T:  A = a·Q_C
    T:      e ←$ F_q
    T → C:  E = e·P
    C:      (κ1, κ2) = H(d·a·E)          T:  (κ1, κ2) = H(e·A)
    C → T:  ct = enc_κ1(cert_C, Q_C, a)
    T:      (cert_C, Q_C, a) = dec_κ1(ct)
            Check: a·Q_C ?= A and ver_pk(cert_C, Q_C) ?= true
    C → T:  ct_i = enc_κ1(m_i)
    T → C:  ct_j = enc_κ2(m_j)
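The exchange above, worked in Go as an added example that is not the protocol's or the authors' code: P-256 stands in for the unspecified curve, SHA-512 split in two for H, ECDSA over a hash of Q_C for the issuer's signature, and the third message is modelled as the tuple (cert_C, Q_C, a) handed to the terminal directly rather than under enc_κ1. Card, Terminal, Msg1/Msg2/Msg3, Check and deriveKeys are names chosen here; the block shows both sides landing on the same (κ1, κ2) and the terminal's two checks.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"fmt"
	"math/big"
)

var curve = elliptic.P256() // assumption: the slides fix neither curve nor H; P-256 and SHA-512 stand in

type point struct{ x, y *big.Int }

func mul(p point, k []byte) point {
	x, y := curve.ScalarMult(p.x, p.y, k)
	return point{x, y}
}

// deriveKeys is H: the hash of the shared point split into (kappa1, kappa2).
func deriveKeys(p point) (k1, k2 [32]byte) {
	h := sha512.Sum512(elliptic.Marshal(curve, p.x, p.y))
	copy(k1[:], h[:32])
	copy(k2[:], h[32:])
	return k1, k2
}

// Card holds d, Q_C = dP and Cert = sig_sk(Q_C); a is the per-session blinding scalar.
type Card struct {
	D, Cert, a []byte
	Q          point
	K1, K2     [32]byte
}

func NewCard(issuer *ecdsa.PrivateKey) (*Card, error) {
	d, x, y, err := elliptic.GenerateKey(curve, rand.Reader)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(elliptic.Marshal(curve, x, y))
	cert, err := ecdsa.SignASN1(rand.Reader, issuer, digest[:]) // sig_sk(Q_C)
	if err != nil {
		return nil, err
	}
	return &Card{D: d, Q: point{x, y}, Cert: cert}, nil
}

// Msg1 sends A = a*Q_C: the fresh scalar a blinds Q_C, so the wire does not identify the card.
func (c *Card) Msg1() (point, error) {
	a, _, _, err := elliptic.GenerateKey(curve, rand.Reader) // a random scalar in F_q
	if err != nil {
		return point{}, err
	}
	c.a = a
	return mul(c.Q, a), nil
}

// Msg3 derives (kappa1, kappa2) = H(d*a*E) and releases (cert_C, Q_C, a) for the terminal's
// checks. Assumption: the protocol sends this tuple as enc_kappa1(...); here it is returned as is.
func (c *Card) Msg3(E point) (cert []byte, Q point, a []byte) {
	c.K1, c.K2 = deriveKeys(mul(mul(E, c.a), c.D))
	return c.Cert, c.Q, c.a
}

type Terminal struct {
	PK     *ecdsa.PublicKey // issuer verification key pk
	A      point
	K1, K2 [32]byte
}

// Msg2 replies with E = eP and derives (kappa1, kappa2) = H(e*A); e*A = e*a*d*P = d*a*E.
func (t *Terminal) Msg2(A point) (point, error) {
	e, x, y, err := elliptic.GenerateKey(curve, rand.Reader)
	if err != nil {
		return point{}, err
	}
	t.A = A
	t.K1, t.K2 = deriveKeys(mul(A, e))
	return point{x, y}, nil
}

// Check runs the terminal's two tests: a*Q_C == A ties the revealed key to message 1, and
// ver_pk(cert_C, Q_C) ties it to the issuer. Both must hold before the card is accepted.
func (t *Terminal) Check(cert []byte, Q point, a []byte) bool {
	aq := mul(Q, a)
	digest := sha256.Sum256(elliptic.Marshal(curve, Q.x, Q.y))
	return aq.x.Cmp(t.A.x) == 0 && aq.y.Cmp(t.A.y) == 0 && ecdsa.VerifyASN1(t.PK, digest[:], cert)
}

func main() {
	issuer, _ := ecdsa.GenerateKey(curve, rand.Reader) // constructed issuer key pair
	card, _ := NewCard(issuer)
	term := &Terminal{PK: &issuer.PublicKey}
	A, _ := card.Msg1()
	E, _ := term.Msg2(A)
	fmt.Println("keys agree:", card.K1 == term.K1, "checks pass:", term.Check(card.Msg3(E)))
}
```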

SLIDES 71–74

Something different...

What is the correct security model?

  • Authenticated key exchange security model – Bellare and Rogaway 1993.
  • Model in a nutshell: A is permitted NewSession, Send, Reveal and Corrupt queries. At some point A makes a Test query which returns either the real or a random session key. A must distinguish the two cases.
  • Schemes with a key confirmation step cannot be secure. (Decrypt the last message and check.)

SLIDES 75–79

Something different...

ACCE

  • Jager et al. propose Authenticated and Confidential Channel Establishment (ACCE).
  • ACCE = AKE + sLHAE.
  • Queries permitted – NewSession, Send, Encrypt, Decrypt, Reveal and Corrupt.
  • Challenge – For each session the challenger chooses a random bit b. Encrypt takes as input two messages m_0, m_1 and returns an encryption of m_b. A must guess b for one particular session.

SLIDES 80–87

Something different...

ACCE issues

Permitted Decryptions: Consider partners i and j.

  • Different keys for each direction. j encrypts messages for i to decrypt.
  • A should not see the decryption by i of an encryption output by j.
  • As stated, the model checks that i does not return decryptions of messages encrypted by itself.

Reveal Queries: Consider both EMV and TLS.

  • The last operation by the card is to send an encrypted message.
  • Immediately after the message is sent A can reveal the key and re-encrypt the message with new randomness.
  • The other participant will accept but matching conversations will not hold.

slide-88
SLIDE 88

Something different...

Our model

EAMAP Model: A is permitted the queries NewSession, Send, Reveal and Corrupt. Send controls all key-exchange, encrypt and decrypt operations. Security in three parts: Entity Authentication, Message Authentication and Message Privacy. Fixing the reveal query issue – entity authentication w.r.t. matching conversations on the plaintext. One-sided authentication.

  • C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson

EMV Analysis Stanford – January 10th 2012 35 / 40
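The two modelling points from the "ACCE issues" slide (the permitted-decryptions check and the reveal-then-re-encrypt problem) together with the fix adopted in the EAMAP model (matching conversations on the plaintext), as a runnable illustration. This is an added example, not code from the talk or the paper: the authenticated encryption scheme is a toy Encrypt-then-MAC construction (SHA-256 counter keystream, HMAC-SHA256 tag) assumed here only so that the oracles have something to call, and the function names, key names and sample messages are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Toy nonce-based authenticated encryption, Encrypt-then-MAC style: SHA-256 in
# counter mode for the keystream, HMAC-SHA256 over nonce || ciphertext for the
# tag. Constructed for this example only; it is not the scheme from the talk.
# Output layout: nonce (12 bytes) || ciphertext || tag (32 bytes).


def _keystream(enc_key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext, nonce=None):
    enc_key, mac_key = key[:16], key[16:]
    if nonce is None:                       # fresh randomness on every call
        nonce = secrets.token_bytes(12)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Return the plaintext, or None when the tag does not verify."""
    if len(blob) < 44:
        return None
    enc_key, mac_key = key[:16], key[16:]
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# Permitted decryptions (slide 34). i's Decrypt oracle must refuse ciphertexts
# that the *partner* j produced: with one key per direction, i's own outputs
# sit under the other key, so checking against them excludes nothing.
def decrypt_query(key, ct, own_outputs, partner_outputs, compare_with_partner):
    forbidden = partner_outputs if compare_with_partner else own_outputs
    if ct in forbidden:
        return None
    return decrypt(key, ct)


def challenge_leaks(compare_with_partner):
    """j encrypts a challenge for i under k_{j->i}; A forwards it to i's
    Decrypt. True means the oracle hands the challenge plaintext straight
    back, i.e. the model as written is trivially winnable."""
    k_j_to_i = secrets.token_bytes(32)
    challenge = b"challenge plaintext (constructed)"
    from_j = encrypt(k_j_to_i, challenge)
    i_own_outputs = []                      # i only encrypts under k_{i->j}
    answer = decrypt_query(k_j_to_i, from_j, i_own_outputs, [from_j], compare_with_partner)
    return answer == challenge


# Reveal queries (slide 34) and the fix (slide 35). The card's last action is
# to send an encrypted message; A then Reveals the key and re-encrypts the same
# plaintext with new randomness. Ciphertext-level matching conversations fail
# even though the terminal accepts; plaintext-level matching still holds.
def reveal_and_reencrypt(message):
    key = secrets.token_bytes(32)
    card_transcript = [encrypt(key, message)]
    replaced = encrypt(key, message)        # same plaintext, fresh nonce
    terminal_pt = decrypt(key, replaced)
    return {
        "terminal_accepts": terminal_pt is not None,
        "ciphertext_conversations_match": card_transcript == [replaced],
        "plaintext_conversations_match": [message] == [terminal_pt],
    }
```

`challenge_leaks(False)` shows the gap in the check as first stated: nothing in i's own output list ever matches a ciphertext j produced, so the challenge plaintext comes back unchanged; `challenge_leaks(True)` shows the intended rule. `reveal_and_reencrypt(...)` reproduces the reveal-query problem: the terminal accepts the re-randomised ciphertext, the ciphertext transcripts differ, and the plaintext transcripts agree, which is why the model defines entity authentication over matching plaintext conversations.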

slide-92
SLIDE 92

Something different...

Security

Entity Authentication –
  • Matching plaintext conversations
  • Forge certificates

Message Authentication –
  • Gap-DH
  • Matching plaintext conversations – certificate forgery
  • AUTH of encryption scheme (stateful)

Message Privacy –
  • Gap-DH
  • Matching plaintext conversations – certificate forgery
  • PRIV of encryption scheme (stateful)

  • C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson

EMV Analysis Stanford – January 10th 2012 36 / 40

slide-95
SLIDE 95

Something different...

Unlinkability – Model

We have the additional requirement of unlinkability of card sessions. Model in a nutshell: A is permitted NewSession, Send, Reveal and Corrupt queries. A outputs two identities i0 and i1. The challenger chooses a random bit b and creates a session based on ib. A makes further queries, including Send queries to the challenge session. A must determine b.

  • C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson

EMV Analysis Stanford – January 10th 2012 37 / 40

slide-102
SLIDE 102

Something different...

Unlinkability – Security

Security then depends on the following problem:

Definition (Small Decisional Discrete Log (SDDL)): Given P, X0, X1, r·Xi ∈ G, where |r| ≤ 2^l < |G|, determine i.

  • C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson

EMV Analysis Stanford – January 10th 2012 38 / 40
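The unlinkability challenge from the previous slide and the SDDL problem it rests on, as an added worked example (not code from the talk or the paper). It builds a constructed prime-order group, plays the challenger's role (random bit b, one session of card i_b whose value is r·X_b with a small r) and then decides the instance the only generic way, by searching the admissible scalars; the class and function names, the group size and the scalar bound l are choices made for this example, and the slide's additive r·X appears as exponentiation X^r because the group here is multiplicative.

```python
import secrets

# Added example: the unlinkability challenge (slide 37) as an SDDL instance
# (slide 38) over a constructed group. The group is the order-q subgroup of
# Z_p^* for a freshly generated safe prime p = 2q + 1; the slide's additive
# r·X is exponentiation X^r here. Names and sizes are choices for this example.


def is_probable_prime(n, rounds=16):
    """Miller-Rabin probabilistic primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits):
    """Return (p, q, P): safe prime p = 2q + 1 and a generator P of the
    order-q subgroup (any square other than 1 has order q)."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            p = 2 * q + 1
            return p, q, pow(secrets.randbelow(p - 3) + 2, 2, p)


class Card:
    """Card with private key x and public key X = P^x (learnable from its
    certificate); each session it sends X^r for a fresh small scalar r."""

    def __init__(self, p, q, P):
        self.p = p
        self.x = secrets.randbelow(q - 1) + 1
        self.X = pow(P, self.x, p)

    def session_value(self, l):
        r = secrets.randbelow(1 << l) + 1      # 1 <= r <= 2^l
        return pow(self.X, r, self.p)


def unlinkability_challenge(cards, l):
    """Challenger: random bit b, one session of card i_b, A sees its value Y.
    Deciding b from (P, X0, X1, Y) is exactly the SDDL problem."""
    b = secrets.randbelow(2)
    return cards[b].session_value(l), b


def sddl_by_search(p, X0, X1, Y, l):
    """Generic decision by walking through every admissible r, so 2^l group
    multiplications at worst. Returns (guess, multiplications used)."""
    y0, y1 = 1, 1
    for r in range(1, (1 << l) + 1):
        y0, y1 = y0 * X0 % p, y1 * X1 % p   # X0^r and X1^r, incrementally
        if y0 == Y:
            return 0, r
        if y1 == Y:
            return 1, r
    return None, 1 << l


def demo(bits=48, l=12):
    p, q, P = make_group(bits)
    assert (1 << l) < q                    # the SDDL condition 2^l < |G|
    cards = [Card(p, q, P), Card(p, q, P)]
    Y, b = unlinkability_challenge(cards, l)
    guess, work = sddl_by_search(p, cards[0].X, cards[1].X, Y, l)
    return {"correct": guess == b, "work": work, "bound": 1 << l}
```

`demo()` recovers b in at most 2^l multiplications, which is why the bound l sets the unlinkability level of the protocol: generic interval algorithms (baby-step giant-step, Pollard's kangaroo) bring that cost down to about 2^(l/2), so l has to be chosen against that budget rather than against the group size. Had r been drawn from all of Z_q instead, X0^r and X1^r would both be uniformly distributed in the group and the two cards would be perfectly unlinkable; the small-scalar restriction is what turns unlinkability into the computational SDDL assumption.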

slide-103
SLIDE 103

Something different...

Wrapping up

Presented two formal security analyses:

  • Managed Encryption Format – retrospective analysis.
  • EMV – analysis as part of the design process.

  • C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson

EMV Analysis Stanford – January 10th 2012 39 / 40

slide-104
SLIDE 104

Something different...

Questions

  • C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson

EMV Analysis Stanford – January 10th 2012 40 / 40