Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks
Total Page:16
File Type:pdf, Size:1020Kb
Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks Key Reuse: Theory and Practice Kenny Paterson Royal Holloway, University of London based on joint work with Jean Paul Degabriele, Tibor Jager, Anja Lehmann, Jacob C.N. Schudlt, Nigel P. Smart, Juraj Somorovsky, Martijn Stam, Mario Strefler, Susan Thomson Workshop on Real-World Cryptography Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 1/29 Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks Outline 1 Key Separation, Key Reuse, and Cryptographic Agility 2 Joint Security 3 Key Reuse in EMV 4 Cryptographic Agility 5 BC Attacks 6 Concluding Remarks Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 2/29 Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks Motivation for Key Reuse Reusing an asymmetric key-pair in different primitives can reduce: Storage requirements for certificates and keys; Costs of key certification; Net certificate verification time; Footprint of cryptographic code and development effort. ::: but breaks the key separation principle of using different keys for different purposes. Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 3/29 Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks Motivation for Key Reuse Reusing an asymmetric key-pair in different primitives can reduce: Storage requirements for certificates and keys; Costs of key certification; Net certificate verification time; Footprint of cryptographic code and development effort. ::: but breaks the key separation principle of using different keys for different purposes. Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 3/29 Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks Scope of Reuse Reuse is not restricted to “encryption + signatures”, nor to the asymmetric setting: Could be, for example, “signature + static DH value” in a more complex protocol. We may wish to reuse a key in the symmetric setting, e.g. CCM mode (CTR + CBC-MAC). We may wish to use the same key in two different algorithms for the same primitive, e.g. RSA-OAEP and RSA-PKCS#1v1.5, or AES-CBC and AES-GCM. – As in the most recent edition of the XML standards. – Related to the concept of cryptographic agility. Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 4/29 Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks Key Reuse and Certificate Standards X.509: Certificate contains algorithm identifiers for the signing algorithm used to create the certificate itself. But not necessarily any information about for which purposes the certified public key can be used. Nor in which specific algorithms the certified public key can be used. X.509 extensions define Key Usage and Subject Public Key Info fields, but plenty of flexibility ::: Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 5/29 Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks Key Usage Extension RFC 5280 (X.509v3): The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate. The usage restriction might be employed when a key that could be used for more than one operation is to be restricted. Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 6/29 Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks Key Usage Extension RFC 5280 (X.509v3): KeyUsage ::= BIT STRING { digitalSignature (0), nonRepudiation (1), keyEncipherment (2), dataEncipherment (3), keyAgreement (4), keyCertSign (5), cRLSign (6), encipherOnly (7), decipherOnly (8) } RFC 5280 (X.509v3): This profile does not restrict the combinations of bits that may be set in an instantiation of the keyUsage extension. Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 7/29 Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks Main Question Given that key reuse in all its forms is common in practice, what can we say about its security? Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 8/29 Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks Joint Security of Signature and Encryption Haber and Pinkas, Securely Combining Public-Key Cryptosystems, CCS’01: First formal security models for joint security. Secure combinations for some schemes in the random oracle model. Only partial solutions in the standard model. Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 9/29 Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks Joint Security of Signature and Encryption Coron, Joye, Naccache and Paillier, Universal Padding Schemes for RSA, CRYPTO’02: Signature padding scheme PSS also gives IND-CCA secure encryption. Resulting encryption and signature schemes can securely use same RSA key-pair. Proof of joint security in ROM. Komano and Ohta, Efficient Universal Padding Techniques for Multiplicative Trapdoor One-Way Permutation, CRYPTO’03: Consider OAEP+ and REACT encodings, also in ROM. Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 10/29 Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks Joint Security of Signature and Encryption Coron, Joye, Naccache and Paillier, Universal Padding Schemes for RSA, CRYPTO’02: Signature padding scheme PSS also gives IND-CCA secure encryption. Resulting encryption and signature schemes can securely use same RSA key-pair. Proof of joint security in ROM. Komano and Ohta, Efficient Universal Padding Techniques for Multiplicative Trapdoor One-Way Permutation, CRYPTO’03: Consider OAEP+ and REACT encodings, also in ROM. Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 10/29 Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks Joint Security of Signature and Encryption P., Schuldt, Stam and Thomson, On the Joint Security of Encryption and Signature, Revisited, ASIACRYPT’11: Target: to find new constructions for jointly secure combined schemes in the standard model. Main contributions: A trivial Cartesian product construction for benchmarking. A generic construction from IBE: Naor trick + CHK transform + domain separation. An efficient, specific construction using pairings. (Applications to signcryption.) Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 11/29 Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks Joint Security of Signature and Encryption P., Schuldt, Stam and Thomson, On the Joint Security of Encryption and Signature, Revisited, ASIACRYPT’11: Target: to find new constructions for jointly secure combined schemes in the standard model. Main contributions: A trivial Cartesian product construction for benchmarking. A generic construction from IBE: Naor trick + CHK transform + domain separation. An efficient, specific construction using pairings. (Applications to signcryption.) Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 11/29 Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks The EMV Specification EMV is the de facto global standard for IC credit/debit cards – Chip & PIN. As of Q2 2012, there were 1.55 billion EMV cards in use worldwide. Coming to the US real soon now. The specification defines the inter-operation of IC cards with Point-of-Sale (PoS) terminals and Automated Teller Machines (ATMs) . Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 12/29 Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks The EMV Specification EMV is the de facto global standard for IC credit/debit cards – Chip & PIN. As of Q2 2012, there were 1.55 billion EMV cards in use worldwide. Coming to the US real soon now. The specification defines the inter-operation of IC cards with Point-of-Sale (PoS) terminals and Automated Teller Machines (ATMs) . Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 12/29 Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks The EMV Specification EMV is the de facto global standard for IC credit/debit cards – Chip & PIN. As of Q2 2012, there were 1.55 billion EMV cards in use