
The low-call diet: Authenticated Encryption for call counting HSM users
Gaven J. Watson, University of Bristol. Joint work with Mike Bond (Cryptomathic), George French (Barclays Bank Plc) and Nigel P. Smart (UoB).
Real World Cryptography


  1. Encryption with redundancy: Encryption with redundancy (slide 11/40)
Studied formally by An and Bellare.
Two types of redundancy function: secret key and public key.
IND-CPA encryption scheme + secret/public redundancy function ⇏ AE.
An and Bellare define a scheme with a secret key redundancy function, Nested CBC (NCBC). NCBC uses a different key to encrypt the last block.
M. Bond, G. French, N.P. Smart, G.J. Watson Low-call diet: AE for call counting HSM users Stanford – January 10th 2012 11 / 40

  4. Encryption with redundancy: Relating to our scheme (slide 12/40)
Our scheme uses secret redundancy, where the redundancy function uses a different "key" each time.
In general, an IND-CPA scheme plus a one-time redundancy function ⇏ AE, so the construction has to be analysed on its own.

  5. Managed Encryption Format (slide 13/40)
Outline: 1 Background; 2 Motivation; 3 Encryption with redundancy; 4 Managed Encryption Format; 5 Analysis; 6 Summary; 7 Something different...

  11. Managed Encryption Format: API call (slide 14/40)
The API call is CBC-mode with all-zero IV.
Need randomness for security.
Use the HSM's ability to generate random numbers.
Implementation note: to avoid making an extra HSM call for every encryption, we maintain a cache of randomness. We assume this cache to be secure.

  12. Managed Encryption Format: the scheme (slide 15/40)
[Figure: zero-IV CBC chain over the blocks R, hash(R, A, M), M[1], ..., M[n], each fed through F_K.]
C[0] = F_K(R), C[1] = F_K(C[0] ⊕ hash(R, A, M)), C[i+1] = F_K(C[i] ⊕ M[i]) for i = 1, ..., n; the ciphertext is C[0] ‖ C[1] ‖ ... ‖ C[n+1].

  14. Managed Encryption Format: Encrypt and Decrypt (slide 16/40)
Encrypt(K, A, M):
  R ←$ {0,1}^l
  H ← hash(R, A, M)
  C ← E-CBC[F](K, R ‖ H ‖ pad(M))
  return C

Decrypt(K, A, C):
  R ‖ H ‖ M′ ← D-CBC[F](K, C)
  M ← dpad(M′)
  if M ≠ ⊥ then
    h ← hash(R, A, M)
    if h ≠ H then M ← ⊥
  return M

Points to note: padding (uniform error reporting); "MAC-then-encrypt"; IV.
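The scheme above, worked through as an added example in Go (this is not code from the slides or from the authors' implementation). AES-128 stands in for the HSM's permutation F_K, SHA-256 truncated to one block for hash(R, A, M), and PKCS#7-style padding for pad/dpad; all three instantiations are assumptions. CBC runs with the all-zero IV the API call fixes, so the first ciphertext block is F_K(R), and both failure modes (bad padding, hash mismatch) do the same work and surface the same error, which is the uniform error reporting point on the slide.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

const blockLen = aes.BlockSize       // l/8 bytes; AES-128 is the assumed F_K
var zeroIV = make([]byte, blockLen) // the HSM CBC call fixes the IV to all zeros

// ErrInvalid is the only error a caller sees for a rejected ciphertext: bad
// length, bad padding and hash mismatch are reported identically.
var ErrInvalid = errors.New("mef: invalid ciphertext")

// redundancy is hash(R, A, M): SHA-256 over a length-prefixed encoding,
// truncated to one block (assumed instantiation of the slides' hash).
func redundancy(r, ad, m []byte) []byte {
	h := sha256.New()
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], uint64(len(ad)))
	for _, part := range [][]byte{n[:], ad, r, m} {
		h.Write(part)
	}
	return h.Sum(nil)[:blockLen]
}

// pad and dpad are PKCS#7-style (assumed); dpad's ok=false is the slides' ⊥.
func pad(m []byte) []byte {
	p := blockLen - len(m)%blockLen
	return append(append([]byte{}, m...), bytes.Repeat([]byte{byte(p)}, p)...)
}

func dpad(p []byte) ([]byte, bool) {
	if len(p) == 0 || len(p)%blockLen != 0 {
		return nil, false
	}
	n := int(p[len(p)-1])
	if n == 0 || n > blockLen || !bytes.Equal(p[len(p)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, false
	}
	return p[:len(p)-n], true
}

// Encrypt draws a fresh R and CBC-encrypts R || hash(R,A,M) || pad(M) under the zero IV.
func Encrypt(key, ad, m []byte) ([]byte, error) {
	r := make([]byte, blockLen)
	if _, err := rand.Read(r); err != nil {
		return nil, err
	}
	return encryptWithR(key, r, ad, m)
}

func encryptWithR(key, r, ad, m []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := bytes.Join([][]byte{r, redundancy(r, ad, m), pad(m)}, nil)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(blk, zeroIV).CryptBlocks(ct, pt) // zero IV, so C[0] = F_K(R)
	return ct, nil
}

// Decrypt undoes the CBC layer, strips the padding and checks the hash.
func Decrypt(key, ad, ct []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct) < 3*blockLen || len(ct)%blockLen != 0 {
		return nil, ErrInvalid
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk, zeroIV).CryptBlocks(pt, ct)
	r, h, mp := pt[:blockLen], pt[blockLen:2*blockLen], pt[2*blockLen:]
	m, ok := dpad(mp)
	// Recompute and compare the hash even after a padding failure: same work, same error.
	hashOK := subtle.ConstantTimeCompare(h, redundancy(r, ad, m)) == 1
	if !ok || !hashOK {
		return nil, ErrInvalid
	}
	return m, nil
}

func main() {
	key, ad := []byte("0123456789abcdef"), []byte("record-42") // constructed sample inputs
	ct, _ := Encrypt(key, ad, []byte("sample record"))
	m, err := Decrypt(key, ad, ct)
	fmt.Printf("%q %v\n", m, err)
	ct[len(ct)-1] ^= 1 // tamper with the last ciphertext block
	_, err = Decrypt(key, ad, ct)
	fmt.Println(err)
}
```

The single ErrInvalid, and computing the hash even when dpad has already failed, are deliberate: a decryptor that reports padding failures separately from hash failures turns the zero-IV CBC layer into a padding oracle, and that is the implementation caveat the slide's "uniform error reporting" refers to. Note also that the random block R is the only thing that randomises the ciphertext, so the cached randomness the previous slide mentions must be both unpredictable and never reused.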

  15. Analysis (slide 17/40)

  16. Analysis: Security model – Privacy (slide 18/40)
Let Π = (KeyGen, Encrypt, Decrypt) be a symmetric encryption scheme.

PRIV^A(Π):
  K ← KeyGen; b ←$ {0,1}
  b′ ← A^Enc
  return (b′ = b)

Oracle Enc(A, M_0, M_1):
  C_0 ← Encrypt(K, A, M_0); C_1 ← Encrypt(K, A, M_1)
  𝒞 ← 𝒞 ∪ {C_b}
  return C_b

Adv^priv_Π(A) = 2 Pr[PRIV^A(Π) ⇒ true] − 1.

  18. Analysis: PRIV (slide 19/40)
This can be proved by relating to the security of CBC mode proved by Bellare et al. [BDJR].
[Figure: the head of the chain, R, hash(R, A, M), M[1] through F_K, giving C[0] = F_K(R), C[1], C[2]: with R random, the block C[0] = F_K(R) plays the role of CBC's random IV for the rest of the chain.]

  20. Analysis: Privacy (slide 20/40)
Let F = {F_K : K ∈ {0,1}^k} be a permutation family. Let Π[F] be the managed encryption format using permutation family F. Let A be an adversary against Privacy which runs in time t, making q_e encryption queries totalling at most μ_e bits. Then there exists an adversary B such that

  Adv^PRIV_{Π[F]}(A) ≤ 2·Adv^prp_F(B) + q_e²/2^{l+1} + [ (μ_e/l + 2q_e)² − (μ_e/l + 2q_e) ] / 2^l,

where B runs in time t + O(μ_e) asking at most q_f = μ_e/l + 2q_e queries.

  21. Analysis: Security model – AUTH (slide 21/40)
Let Π = (KeyGen, Encrypt, Decrypt) be a symmetric encryption scheme.

AUTH^A(Π):
  K ← KeyGen; win ← false
  (A*, C*) ← A^{Enc, Test}
  return win

Oracle Enc(A, M):
  C ← Encrypt(K, A, M)
  𝒞 ← 𝒞 ∪ {(A, C)}
  return C

Oracle Test(A*, C*):
  M* ← Decrypt(K, A*, C*)
  if M* ≠ ⊥ and (A*, C*) ∉ 𝒞 then win ← true
  return (M* ≠ ⊥)

Adv^auth_Π(A) = Pr[AUTH^A(Π) ⇒ true].

  22. Analysis: AUTH (slide 22/40)
[Figure: the zero-IV CBC chain of slide 15/40, R, hash(R, A, M), M[1], ..., M[n] through F_K, giving C[0] = F_K(R), C[1], ..., C[n+1].]
To forge a ciphertext the adversary must forge the hash.

  23. Analysis: Case 1, hash not queried (slide 23/40)
Pr[(hash(R*, A*, M*) = h*) ∧ ((R*, A*, M*, h*) ∉ H) | π ←$ Perm] ≤ q_t / 2^l.
Not previously queried: random chance on verification.

  25. Analysis: Case 2, hash already queried (slide 24/40)
Pr[(hash(R*, A*, M*) = h*) ∧ ((R*, A*, M*, h*) ∈ H) | π ←$ Perm] ≤ q_h μ_e / (l 2^l).
Previous call to the random oracle. If the call was made by an encryption query then the forgery is invalid, so it must be an independent call to hash.
Analysis is then based on the collision event that for some i, j, C_i[j] ⊕ M_i[j] = h* ⊕ π(R*).

  27. Analysis: AUTH (slide 25/40)
Let F = {F_K : K ∈ {0,1}^k} be a permutation family. Let Π[F] be the managed encryption format using permutation family F. Let A be an adversary against AUTH security which runs in time t, making q_e encryption queries totalling at most μ_e bits, q_t test queries totalling at most μ_t bits and q_h random oracle queries. Then there exists an adversary B such that

  Adv^AUTH_{Π[F]}(A) ≤ Adv^sprp_F(B) + q_t / 2^l + q_h μ_e / (l 2^l),

where B makes q_f = μ_e/l + 2q_e + μ_t/l queries and runs in time t + O(μ_e + μ_t).

  28. Summary (slide 26/40)

  32. Summary: Summary (slide 27/40)
We have discussed the Managed Encryption Format.
Despite its limitations we were still able to prove it secure, with several important implementation caveats.
Care needs to be taken with implementation to ensure security.

  33. Something different... (slide 28/40)

  34. Something different... (slide 29/40)
And now for something completely different....

  35. Analysis of the new EMV key agreement protocol (slide 30/40)
Christina Brzuska (1), Nigel P. Smart (2), Bogdan Warinschi (2), Gaven J. Watson (2)
(1) School of Computer Science, Tel Aviv University, Israel. (2) Dept. Computer Science, University of Bristol, UK.
Real World Cryptography Workshop, Stanford – January 10th 2012
C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson EMV Analysis Stanford – January 10th 2012 30 / 40

  40. Something different...: Scheme (slide 31/40)
Card (C): secret key d ∈ F_q; "public" key Q_C = dP; cert_C = (sig_sk(Q_C), Q_C).
Terminal (T).

  C: a ←$ {0,1}^l; A = aQ_C
  C → T: A
  T: e ←$ F_q; E = eP
  T → C: E
  C: (κ_1, κ_2) = H(daE)                     T: (κ_1, κ_2) = H(eA)
  C → T: ct = enc_{κ_1}(cert_C, Q_C, a)
  T: (cert_C, Q_C, a) = dec_{κ_1}(ct); check aQ_C =? A and ver_pk(cert_C, Q_C) =? true
  C → T: ct_i = enc_{κ_1}(m_i)
  T → C: ct_j = enc_{κ_2}(m_j)
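The exchange on this slide, played end to end by both sides in-process, as an added example in Go 1.20+ (this is not code from the talk, from the paper or from the EMV specification). X25519 stands in for the EMV curve, since the blinding only needs scalar multiplication to commute; Ed25519 stands in for sig_sk/ver_pk, SHA-256 for H, and AES-GCM with a record counter as nonce for the stateful enc_κ. All of these instantiations are assumptions. Only the card is authenticated: the terminal proves nothing about itself, which is the one-sided authentication the later model slides refer to.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// X25519 stands in for the EMV curve (assumed): blinding only needs a*(e*(d*P)) == e*(a*(d*P)).
var curve = ecdh.X25519()

// NewIssuer makes the certificate signing pair; every terminal holds the public key.
func NewIssuer() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Card holds the long-term key d (Q_C = d*P) and cert_C = sig_sk(Q_C).
type Card struct {
	d    *ecdh.PrivateKey
	cert []byte
}

func NewCard(issuerSK ed25519.PrivateKey) (*Card, error) {
	d, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{d, ed25519.Sign(issuerSK, d.PublicKey().Bytes())}, nil
}

// enc_k is AES-GCM (assumed) with the record counter as nonce: the channel is
// stateful, so a replayed or reordered record fails to open.
func gcm(key []byte) cipher.AEAD { // key is always 16 bytes from kdf, so neither call fails
	blk, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(blk)
	return g
}
func nonce(seq uint64) []byte { return binary.BigEndian.AppendUint64(make([]byte, 4), seq) }

// kdf is H: shared point -> (k1, k2), one key per direction.
func kdf(shared []byte) (k1, k2 []byte) {
	h := sha256.Sum256(shared)
	return h[:16], h[16:]
}

// mul returns scalar*point as a point, so results can be multiplied again.
func mul(scalar *ecdh.PrivateKey, point []byte) ([]byte, error) {
	p, err := curve.NewPublicKey(point)
	if err != nil {
		return nil, err
	}
	return scalar.ECDH(p)
}

// RunSession plays card and terminal; true means the terminal's checks passed.
func RunSession(card *Card, issuerPK ed25519.PublicKey) (bool, error) {
	a, errA := curve.GenerateKey(rand.Reader) // card's blinding factor a
	e, errE := curve.GenerateKey(rand.Reader) // terminal's ephemeral e
	if errA != nil || errE != nil {
		return false, fmt.Errorf("keygen: %v %v", errA, errE)
	}
	var first error
	step := func(b []byte, err error) []byte { // keep the first failed scalar mult
		if first == nil {
			first = err
		}
		return b
	}
	Qc, E := card.d.PublicKey().Bytes(), e.PublicKey().Bytes()
	A := step(mul(a, Qc))                              // C -> T: A = a*Q_C
	tk1, _ := kdf(step(mul(e, A)))                     // T: (k1,k2) = H(e*A)
	ck1, _ := kdf(step(mul(card.d, step(mul(a, E))))) // C: (k1,k2) = H(d*a*E)
	if first != nil {
		return false, first // includes a low-order point sent as A or E
	}
	ct := gcm(ck1).Seal(nil, nonce(0), bytes.Join([][]byte{card.cert, Qc, a.Bytes()}, nil), nil)
	pt, err := gcm(tk1).Open(nil, nonce(0), ct, nil) // T: dec_k1(ct)
	if err != nil || len(pt) != ed25519.SignatureSize+64 {
		return false, nil // keys disagree or record malformed: reject
	}
	sig, qc, ab := pt[:64], pt[64:96], pt[96:]
	aRecv, err := curve.NewPrivateKey(ab)
	if err != nil || !ed25519.Verify(issuerPK, qc, sig) { // ver_pk(cert_C, Q_C)
		return false, nil
	}
	if chk, err := mul(aRecv, qc); err != nil || !bytes.Equal(chk, A) { // a*Q_C == A
		return false, nil
	}
	return true, nil
}

func main() {
	pk, sk, _ := NewIssuer()
	card, _ := NewCard(sk)
	fmt.Println(RunSession(card, pk))
}
```

The terminal's successful Open under its own k1 is what establishes that both sides derived the same keys (the GCM tag fails otherwise); the k2 it also derives keys the terminal-to-card records in the same way, starting the counter at 0. A Q_C that verifies under the issuer key but does not satisfy a·Q_C = A is rejected, which is what ties the certified key to the blinded value the terminal actually used in the Diffie-Hellman computation.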

  44. Something different...: What is the correct security model? (slide 32/40)
Authenticated key exchange security model – Bellare and Rogaway 1993.
Model in a nutshell: A is permitted NewSession, Send, Reveal and Corrupt queries. At some point A makes a Test query which returns either the real or a random session key. A must distinguish the two cases.
Schemes with a key confirmation step cannot be secure (decrypt the last message and check).

  49. Something different...: ACCE (slide 33/40)
Jager et al. propose Authenticated and Confidential Channel Establishment (ACCE).
ACCE = AKE + sLHAE.
Queries permitted: NewSession, Send, Encrypt, Decrypt, Reveal and Corrupt.
Challenge: for each session the challenger chooses a random bit b. Encrypt takes as input two messages m_0, m_1 and returns an encryption of m_b. A must guess b for one particular session.

  57. Something different...: ACCE issues (slide 34/40)
Permitted Decryptions: Consider partners i and j, with different keys for each direction; j encrypts messages for i to decrypt. A should not see the decryption by i of an encryption output by j. As stated, the model only checks that i does not return decryptions of messages encrypted by i itself.
Reveal Queries: Consider both EMV and TLS. The last operation by the card is to send an encrypted message. Immediately after the message is sent, A can reveal the key and re-encrypt the message with new randomness. The other participant will accept, but matching conversations will not hold.

  61. Something different...: Our model (slide 35/40)
EAMAP Model: A is permitted the queries NewSession, Send, Reveal and Corrupt. Send controls all key-exchange, encrypt and decrypt operations.
Security in three parts: Entity Authentication, Message Authentication and Message Privacy.
Fixing the reveal query issue: entity authentication w.r.t. matching conversations on the plaintext.
One-sided authentication.

  64. Something different...: Security (slide 36/40)
Entity Authentication – matching plaintext conversations – forge certificates.
Message Authentication – Gap-DH; matching plaintext conversations – certificate forgery; AUTH of the encryption scheme (stateful).
Message Privacy – Gap-DH; matching plaintext conversations – certificate forgery; PRIV of the encryption scheme (stateful).

  70. Something different...: Unlinkability – Model (slide 37/40)
We have the additional requirement of unlinkability of card sessions.
Model in a nutshell: A is permitted NewSession, Send, Reveal and Corrupt queries. A outputs two identities i_0 and i_1. The challenger chooses a random bit b and creates a session based on i_b. A makes further queries, including Send queries to the challenge session.
