Australian Gov't Offers $560k Cryptographic Protocol For Free
mask.of.sanity writes "Australia's national welfare agency will release its 'unbreakable' AU$560,000 smart card identification protocol for free. The government agency wants other departments and commercial businesses to adopt the Protocol for Lightweight Authentication of ID (PLAID), which withstood three years of design and testing by Australian and American security agencies. The agency has one of Australia's most advanced physical and logical converged security systems: staff can access doors and computers with a single centrally-managed identity card, and user identities can be automatically updated as employees leave, are recruited or move to new departments. PLAID, which will be available soon, is to be used in the agency's incoming fleet of contact-less smartcards that are currently under trial by staff. It will replace existing identity cards that operate on PKI encryption."
Somehow that makes it more sinister than calling it "RAZORBAK" or "AOK JINGOSIM".
No kidding!!! What do you say at this point?
Can it be referred to as the Former Lightweight Authentication of ID, or FLACID?
Here is a briefing on the PLAID 6 protocol with more specifics on the actual algorithms and cryptography in general involved. PDF link if the first one doesn't work for you.
I got a catholic block.
That's a much better acronym than the originally proposed Protocol for Automated National Identification and Control.
I'm guessing that the publicity around this will soon result in dePLACID.
Given the Australian government's views on privacy, I wonder when the back door will be discovered? Or is looking for it against the law?
If you want news from today, you have to come back tomorrow.
"Here, have my lock and key. Nobody will be able to get into your home. Except, maybe, me :-)"
... when an organization claims that they're going to provide something that's unbreakable
The claim is usually an open invitation to reduce the "unbreakable" object to ashes.
Oh god, that woman is John Romero!
I guess it's perfectly OK. It withstood 3 years of in-agency cracking. Now they want to see whether it will survive in the wild. What better method than to claim it is unbreakable? If it has vulnerabilities known to modern cryptanalysis, all the tech news will laugh and point at them - quite an easy event to spot. Some people are not afraid to be laughed at if they get what they need...
I am sure it will blend.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
... that must mean it's secure {\sarcasm}
FTFA: Centrelink documents reported the hackers cannot break the PLAID protocol because it uses two cryptographic algorithms in its scrambling process in rapid succession - typically less than a quarter of a second - whereas other systems use a single algorithm.
Imagine government IDs had contactless smart cards with certificates on them keyed to an ID database managed by the government (for revocation purposes and identity information). Now imagine contactless smart card readers were standard equipment in PCs.
You would just need one card in your wallet to log you in to any computer or web site, make purchases, board planes or trains... anything! No more wasted effort on having a hundred weak authentication cards and passwords. You have one strong authentication method that can't be forged, or at least not without fantastically more effort than forging a check or credit card.
Enormous economic and security benefit.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
...which withstood three years of design and testing by Australian and American security agencies
Anything that withstands three years of attempted government design must be robust indeed.
* Uses existing off-the-shelf symmetric and asymmetric crypto algorithms (SHA1, AES 256, RSA 1024, RSA 1984) tied together via the PLAID protocol
- Note - Neither SHA256 nor ECC are used at this time because production cards are either not obtainable from all vendors or do not achieve the required performance (in spite of the theoretical advantage of ECC)
- Note - RSA 1984 is a trade off between performance and security, and ensuring the transaction fits in one APDU command.
* Fast & simple - less than 1/2 second (400ms) and the Java Card applet is extremely small (about 4 Kb)
* Not clone-able, re-playable or subject to privacy or identity leakage
* Same protocol can be used for PACS/LACS & contact/contactless
* PIN can be verified when card-not-present by comparing PIN hash
- Saves user having to hold contactless card to reader during typical PKI session
* Mutual authentication Protocol
* Algorithms used are commercially available on virtually all modern smartcards including Java Card, MULTOS, most SIMs and many proprietary cards
* Algorithms and their selected key lengths have been tested on production cards and devices to ensure speeds are real, not theoretical
* No IP issues - IP was developed solely by the Australian Government by its agency, Centrelink, and will be openly and freely licensed
* Designed to be used either stand-alone or as a bootstrap into other specifications like Australian IMAGE, US PIV, ICAO Passports etc.
* Supports multiple concurrent specs dependent on device request to card
- i.e. Card could supply Wiegand number or CHUID or Centrelink CSIC or Passport MRZ etc etc dependent on use case
* Supports multiple (256) key sets dependent on device request to card
- i.e. there might be a "perimeter key set" and a "high security key set" and a "LACS key set" and an "administrative key set" etc etc and the terminal device only requests the one it requires, reducing the possibility of compromise of the others.
- The key sets can be rolled, by loading spare unused key sets (up to 255) in case of compromise (memory is the limitation)
* Optionally provides session keys for higher level specs
* Protocol can be registered and implemented under ISO/IEC 24727-3 and 6, and either used under ISO/IEC 24727 or implemented separately
However:
* Slightly slower than existing physical access Tag and proprietary solutions (by 0.2 to 0.3 seconds)
- Keys MUST be distributed & managed
* Vendors need to build key management for PLAID into existing or new key management systems. (Centrelink vendor is doing this for LACS)
* PACS using older Wiegand technologies need secure SAM devices in the readers
* Newer PACS can utilise back end HSM devices/SAMs on the network or in distribution frames
...Protocol for Lightweight Authentication of ID (PLACID), which withstood three years of design and testing by...
... three years later
Withstood three years of design? What the blazes does that mean?
Boss 0: Here is all the material we have on the PLACID system. I want you to design it.
Agent X: Right away, Boss!
Agent X: Sorry Boss. Me and my team have been trying for three years. PLACID simply withstands all attempts at being designed.
Boss 0: I was afraid of that. We'll have to release it to the public, and see if those open source people can get it designed. Pity. It looked like a good system.
Agent X: That it did, Boss.
Boss 0: Oh, well. On to your next assignment. I want you to... Hey! What's this wire? It shouldn't be her*&($@#^$ No Carrier.
When our name is on the back of your car, we're behind you all the way!
... when an organization claims that they're going to provide something that's unbreakable
So I guess neither Oracle nor Slashdot moderation is unbreakable.
Stories like this frequently conflate the smart card goings-on with the system functions.
In this case, the newsy bit about the smart card is they apparently have a new protocol for authenticating from the smart card. For those that don't know, there are many kinds of smart cards including ones that have an operating system on-board. Their protocol is probably employed on top of the smart card OS. Yes, you too can write your own authentication protocol and use it on a smart card.
The backend system appears to have new automagical features related to the status of the employee. Don't confuse the two like the summary has.
OT, I have always thought that "the way forward" in infosec was loosely decentralized smart card infrastructure, but the powerful among us like their power optimized and centralized. Too bad too, the only smart card developers left work exclusively for gov't contractors.
Even further OT: A 'fun' OSS project for those inclined would be to port a BSD to one of these low-cost suckers. http://www.st.com/stonline/stappl/productcatalog/app?path=/comp/stcom/PcStComRPNTableView.onClickFromProductTree&primaryheader=Smartcard%20ICs&secondaryheader=ST32%2032-bit%20Smartcard%20ICs%20for%20Mobile&subclassheader=ST32%2C%2032-bit%20Flash%20Microcontrollers&subclassid=1192.0&count=3&producttype=
In theory, these have a crypto accelerator: http://www.st.com/stonline/stappl/productcatalog/app?path=/comp/stcom/PcStComRPNTableView.onClickFromProductTree&primaryheader=Smartcard%20ICs&secondaryheader=ST19%20Smartcard%20ICs&subclassheader=ST19%2C%20Crypto-Processor%20Solutions&subclassid=1118.0&count=4&producttype=
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Dark Helmet: Yes, we're gonna have to go right to ludicrous speed... Lonestar: It's Spaceball 1. Barf: They've gone to plaid! ...
Sounds like a multipass.
and went straight to PLAID? Are they crazy or just big helmeted!
It seems like the NSA and other intelligence agencies around the world have a real trust problem.
On the one hand, they make some of their living out of breaking codes. And worse, as we saw with the NSA illegal wiretapping, they're not necessarily acting in legal ways or in the interests of the general public.
So for that reason, we citizens have a good reason to distrust anything they say, especially large wooden statues of horses.
On the other hand, the NSA et al also have a desire (we believe) to help the businesses in a country be genuinely secure, to avoid the economic disadvantage the country has when criminals or foreign intelligence agencies crack into the businesses' computers. And the NSA et al would know that if the protocol was crackable by themselves, foreign intelligence agencies might not be far behind. So the NSA et al might really be offering a protocol that they can't currently crack in a reasonable amount of time.
So for that reason, it's plausible that the protocol really is quite secure, even from supposedly friendly security agencies.
I'm not sure how the average business is supposed to figure out which of those things is the case. Or is it a moot point, because at the very least, such a protocol is likely to be resilient to criminals, and as the "blessed" protocol, would provide some legal cover in the case of a data breach?
While some crypto protocols are capable of ludicrous speed, this protocol can go plaid.
Strong security requires a lot of processing power. If this secure card cannot support a lot of MIPS, security is weak. That may just be fine if the secrets one is trying to hide are low value. Otherwise, it ain't good enough.
It is nice to see a little social responsibility out there. More people should read up and adopt similar business models such as Ben & Jerry's Ice Cream which is proof one can be both successful and socially responsible in business.
"They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety" Franklin
Consolidating this to a single card would be utterly retarded, as it provides both the issuer (the government) and entities that you do business with far more information about you than they need to know, and it greatly increases the consequences when a card is compromised.
On the other hand, having a standard authentication mechanism which was integrated into most computers would be very useful. Then when my bank issued me a pin-and-chip credit card, I would know that it worked with my computer as well as at the grocery store. Your ISP could issue you one which you could use for signing/encrypting email (using S/MIME where they manage the public key repository, and the card has your private key). Same for all these other cards that I carry in my wallet.
No need to get the government involved at all.
Barf: What the hell was that?
Lone Starr: Spaceball One Encryption.
Barf: They've gone to plaid!
'If Christ had tweeted the sermon on the mount, it might have lasted until nightfall.' - John Perry Barlow
Consider the source. You've got a manager telling you it's unbreakable. Perhaps his cryptographers said to him "it's a good protocol, fixes the weakness in this previous protocol, and FOR ALL YOU KNOW it's unbreakable." They maybe didn't say those capitalized words out loud, because they figured their boss wouldn't know the difference anyway. But they forgot their boss might blab it on to someone else that way.
My point is this is the kind of phrasing that comes out of the mouths of higher-ups who don't know that "unbreakable" has a lot of negative connotations in the cryptographic community, and is usually associated with naïve or unscrupulous snake-oil salesmen.
John
The problem is some people LIVE for challenges like this and it's an encryption method based off of other encryption methods. That means there is only 1 piece of the puzzle to figure out.
My concern is that they (the government) suddenly say that all IDs must be tied to this and like several posts above... now someone who knows how to crack this and tag a specific person now has access to everything about them. Banking, health records etc...
They've gone to plaid!
Best Slashdot Co
Why don't I think the US or Aussie government (especially the Aussies, given their recent track record on civil liberties and disregarding privacy concerns of their citizens) would give away an "unbreakable" form of crypto?
My feeling is that they must have a backdoor into this, and that makes me suspicious.
It seems to me it might be more like "Here, use this, this is great encryption, nobody can crack it." Well, it may be unbreakable - but what if they have a master key or something?
It is bad "hygiene" to combine ID with payment.
It is better to have at least two types of cards. One for official ID - which should rarely leave my sight.
And one for payment, which I could pass to someone else for a short time.
So if something happens to the payment card or cert (damaged or lost), I can apply for another payment card.
While waiting for a new payment card to be issued, I can still prove I am me, with my ID card.
Putting that all on one card makes that hard.
Currently, I take out my ID card from my wallet far more rarely than I take out my credit cards. So it's the credit cards that are more likely to get lost or damaged.
A combined ID+payment card would mean the card gets used more often and thus more likely to get lost, damaged or revoked.
Just in - smart card defeated by a lump of 4x2 to the back of the skull.
"A cynic is what an idealist calls a realist" - Sir Humphrey Appleby
Additionally, there are a few other reasons why the lower bound must be smaller than 2^n.
1. The requirement of Xs, Ys, and Xd, Yd to be coprimes significantly reduces computational workload.
2. It is statistically possible to "get lucky", and randomly guess the right results, so the strict lower bound must be 1.
3. Even if using a benchmark like the "average time to break the code", the lower bound must still be much less than 2^n. One only needs to guess on average 1/2 of the possibilities to finish in the mean amount of time.
4. The requirement that A and B are primes must somehow limit the number of guesses considerably, especially if n is large, because the density of primes decreases with increasing n. It just might not be obvious how to make use of this information.
5. The algorithm requires random number generators for A, B, Xs, and Xd. It is very difficult to make "good" random number generators with computers. These algorithms are notorious for being easy to break. Bad seeds were the cause of the recent ssh bug.
Now that it has hit Slashdot I give it 6 months before it's blown apart. Nothing pisses a geek off more than being told "It Can't Be Done"
There are very angry cave dwellers that since seeing this have now vowed to make it their EPIC QUEST to crack this thing open. Do not underestimate the power of the geek!
POWER OF THE GEEK COMPELS YOU!
POWER OF THE GEEK COMPELS YOU!
THE SPIRIT OF THE WOZ COMPELS YOU!
POWER OF THE GEEK COMPELS YOU!
POWER OF THE GEEK COMPELS YOU!
THE SPIRIT OF TORVALDS COMMANDS YOU!
POWER OF THE GEEK COMPELS YOU!
POWER OF THE GEEK COMPELS YOU!
THE SPIRIT OF MITNICK COMMANDS YOU!
Interviewer: So Merrick, I see the priest gig didn't work out so well. Now what are you doing?
Merrick: Security Administration
Interviewer: So not much has changed in your day to day life I take it.
Merrick: Nope, but at least I don't have to deal with suicidal young priests jumping out of second story windows after I pass out...
Interviewer: So no demons from hell this time?
Merrick: Nope, just the errant daemon getting spawned from a fubared xinetd connection...
Interviewer: Well thank you for stopping by father.
Merrick: No thank you THE SPIRIT OF WILL WRIGHT COMPELS YOU!!! errr.. sorry force of habit...
-=[ Who Is John Galt? ]=-
It was a very short comment. The idea is, that before anyone would like to use it the crypto-community should have a long and hard look at it.
Meh.... unbreakable encryption is easy, or so close to it that the difference is largely irrelevant: [protocol] [...]
Well, this will have to be performed over a channel which solves almost all the important cryptographic problems.
If not, consider this scenario:
Alice wants to send something to Bob. Both know A, B and C (why not p, q and n?). She sends out D^Xs. She receives D' from someone. She sends out D'^Ys.
Consider Bob: he receives E from someone, sends out E^Xd. Then he receives E' from someone and computes E'^Yd.
There is no guarantee and no way to check whether "someone" is the person you think you're talking to; they might appear to be Bob in Alice's eyes and vice versa while in reality they're Doctor Evil.
There's also no way to be sure that the message(s) you receive from the network have any particular relation to what you sent out. Doctor Evil could, for instance, multiply the data by 2 without anyone noticing.
Besides, doing modular exponentiation is slow like molasses. You really do not want to do that for every chunk of data; you'd much rather use those kinds of operations to agree on a (secret) key for a symmetric cipher (say, AES) and then encrypt the data using the symmetric cipher.
I hope to god no one implements this.
Factoring methods will not break the encryption because what would normally be associated as a public/private key pair (X,Y) in some other encryption protocols is never shared with the other party.
And that is why all you can know is that you sent an encrypted message to someone: there's nothing distinguishing your intended receiver from anyone else. The sender/receiver has no shared secret knowledge, nor any private/public asymmetric knowledge, so anyone can do the same computations as either intended party in this protocol.
Similar to optimization, there are two rules for cryptography:
If you're curious about my background, I'm a crypto phd student (that I am, even if you're not curious). I want to stress: I'm not trying to make an argument from authority.
I'm also not trying to make crypto an exclusive thing; I welcome anyone to educate themselves on the matters of cryptography. It's just that this shit is hard, and if you don't know your shit, your own designs are extremely likely to be insecure.
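The exchange the reply walks through (Alice sends D^Xs, gets D' back and sends D'^Ys; Bob sends E^Xd and finishes with E'^Yd) reads like a Shamir-style three-pass protocol, so here is an added example that simulates it, written for this thread rather than taken from the quoted post or from PLAID. The modulus, the pre-shared MAC key and the message value are all constructed for the demo. It runs the exchange honestly, then with a relay in the middle to show why the reply's "multiply the data by 2 without anyone noticing" holds when nothing binds a message to a party, and then over a channel where every message carries an HMAC under a key only Alice and Bob hold, which is the kind of "channel that solves the important problems" the reply says the scheme depends on.

```python
"""Three-pass commutative-exponent exchange, plain and over a MAC'd channel."""
import hashlib
import hmac
import secrets
from math import gcd

# 2**127 - 1 is the Mersenne prime M127. Constructed demo parameter only.
P = (1 << 127) - 1


def keypair(p=P):
    """Return (x, y) with x*y == 1 (mod p-1), so (m**x)**y == m (mod p).
    As the thread notes, x must be coprime to p-1 for the inverse to exist."""
    while True:
        x = secrets.randbelow(p - 3) + 2
        if gcd(x, p - 1) == 1:
            return x, pow(x, -1, p - 1)


class Party:
    def __init__(self, p=P):
        self.p = p
        self.x, self.y = keypair(p)

    def lock(self, v):    # D -> D^X
        return pow(v, self.x, self.p)

    def unlock(self, v):  # D' -> D'^Y
        return pow(v, self.y, self.p)


def run_honest(m, p=P):
    """Alice -> Bob -> Alice -> Bob with nobody in between; Bob recovers m."""
    alice, bob = Party(p), Party(p)
    c1 = alice.lock(m)        # m^xa
    c2 = bob.lock(c1)         # m^(xa*xb)
    c3 = alice.unlock(c2)     # m^xb
    return bob.unlock(c3)     # m


def run_relayed(m, multiplier=2, p=P):
    """Mallory answers Alice as if she were Bob, and Bob as if she were Alice.
    No message carries anything tied to an identity, so Mallory completes one
    full exchange with each side, reads m, and hands Bob multiplier*m instead.
    Bob's view is a perfectly well-formed run of the protocol."""
    alice, bob, mallory = Party(p), Party(p), Party(p)
    c1 = alice.lock(m)
    c3 = alice.unlock(mallory.lock(c1))
    learned = mallory.unlock(c3)           # Mallory now holds m
    forged = (learned * multiplier) % p
    e1 = mallory.lock(forged)
    e3 = mallory.unlock(bob.lock(e1))
    return bob.unlock(e3)                  # multiplier*m, undetected


def seal(key, step, v):
    """Message value plus HMAC-SHA256 over (step, value) under the shared key."""
    return v, hmac.new(key, f"{step}:{v}".encode(), hashlib.sha256).digest()


def open_(key, step, msg):
    """Verify the tag before the value is used; reject on mismatch."""
    v, t = msg
    if not hmac.compare_digest(t, seal(key, step, v)[1]):
        raise ValueError(f"message {step} failed authentication")
    return v


def run_honest_authenticated(m, key, p=P):
    """Same three passes, each message sealed and verified."""
    alice, bob = Party(p), Party(p)
    c1 = open_(key, 1, seal(key, 1, alice.lock(m)))
    c2 = open_(key, 2, seal(key, 2, bob.lock(c1)))
    c3 = open_(key, 3, seal(key, 3, alice.unlock(c2)))
    return bob.unlock(c3)


def run_relayed_authenticated(m, key, multiplier=2, p=P):
    """The relay again, but Alice and Bob share `key`. Mallory cannot tag her
    own value; the best she can do is reuse a tag she has seen, which covers a
    different value and step. Alice rejects the reply and the run stops.
    Returns None when that happens."""
    alice, bob, mallory = Party(p), Party(p), Party(p)
    msg1 = seal(key, 1, alice.lock(m))
    c1 = msg1[0]                              # Mallory can read the value
    msg2 = (mallory.lock(c1), msg1[1])        # her value, a stolen tag
    try:
        c2 = open_(key, 2, msg2)              # Alice verifies first
    except ValueError:
        return None
    msg3 = seal(key, 3, alice.unlock(c2))
    return bob.unlock(open_(key, 3, msg3))


if __name__ == "__main__":
    m, k = 123456789, b"constructed-demo-key"
    print(run_honest(m), run_relayed(m), run_honest_authenticated(m, k),
          run_relayed_authenticated(m, k))
```

The MAC'd variant only fixes the problem the reply names (no way to tell who "someone" is); it still does modular exponentiation on every pass, so the reply's other point stands: in practice you would run an exchange like this once to agree a symmetric key and encrypt the bulk data with AES.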
[discussing key revocation] yes because the govt. has shown such wisdom in the past by making it easy to replace social security numbers
The real failure is not the lack of revocation of SSNs.
Consider this hypothetical security protocol for proving that you are who you claim: you tell them a name, an address and an SSN. The verifier looks up in the person database under your SSN and checks that your claimed name and address match what the database says.
You have to revoke your SSN after every single use, because otherwise the verifier can "prove" they're you.
The real failure is in the "proving-I'm-me" protocol: it works by you revealing your "password". That is the real problem.
The government never issued SSN with the intent of being a universal identifier.
Really? What would be the problem with that? Isn't that exactly what it's for?
Also, there's nothing wrong, from a security standpoint, with issuing universal identifiers.
For instance, on most online sites I have the "universal" identifier "jonaskoelker". No one seems to want to "steal" it from me, so in that sense it's universal (I can get it when-/wherever I want).
The problem is that in most real-life security protocols, the conceptual "login form" has only a field for the username, and no password; or, alternatively, also a password field and a rule that everyone's password is equal to their username.
That is the real problem.
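To make the "password equals username" point concrete, here is an added example (not from the post) that puts the two checks side by side: the name/address/SSN lookup the post describes, where whatever you disclose can be presented again by the verifier or anyone who saw it, and a challenge-response check where the identifier stays public and a separate secret is only ever used to answer a fresh nonce. The person record, SSN and keys are all constructed for the demo.

```python
"""Disclosure-based identity check versus challenge-response."""
import hashlib
import hmac
import secrets

# Constructed record; the SSN is a placeholder, not a real number.
PERSON_DB = {"123-45-6789": {"name": "A. Example", "address": "1 Sample St"}}


def verify_by_disclosure(claim):
    """The post's protocol: the claim itself is the whole proof."""
    rec = PERSON_DB.get(claim["ssn"])
    return rec is not None and rec["name"] == claim["name"] \
        and rec["address"] == claim["address"]


def disclosure_is_replayable():
    """Returns (first_check, replay_check). Both are True: once the verifier
    has seen the claim, it can 'prove' it is you to the same check."""
    claim = {"ssn": "123-45-6789", "name": "A. Example", "address": "1 Sample St"}
    first = verify_by_disclosure(claim)
    seen_by_verifier = dict(claim)          # a copy of what was disclosed
    replay = verify_by_disclosure(seen_by_verifier)
    return first, replay


def respond(secret, nonce):
    """Prover side: answer the nonce with an HMAC; the secret never leaves."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


class Verifier:
    """Identifier is public (like 'jonaskoelker'); the secret is separate."""

    def __init__(self):
        self.keys = {}       # identifier -> enrolled secret
        self.pending = {}    # identifier -> outstanding nonce

    def enroll(self, uid):
        secret = secrets.token_bytes(32)
        self.keys[uid] = secret
        return secret         # in a card system this would live on the card

    def challenge(self, uid):
        nonce = secrets.token_bytes(16)
        self.pending[uid] = nonce
        return nonce

    def check(self, uid, response):
        nonce = self.pending.pop(uid, None)   # a nonce is good for one answer
        if nonce is None or uid not in self.keys:
            return False
        return hmac.compare_digest(response, respond(self.keys[uid], nonce))


def challenge_response_rejects_replay():
    """Returns (fresh_ok, replay_ok): a live answer passes, and the recorded
    transcript fails against the next challenge."""
    v = Verifier()
    secret = v.enroll("jonaskoelker")
    n1 = v.challenge("jonaskoelker")
    r1 = respond(secret, n1)
    fresh_ok = v.check("jonaskoelker", r1)
    v.challenge("jonaskoelker")               # a new nonce is outstanding
    replay_ok = v.check("jonaskoelker", r1)   # the old answer no longer fits
    return fresh_ok, replay_ok


if __name__ == "__main__":
    print(disclosure_is_replayable(), challenge_response_rejects_replay())
```

The symmetric version still leaves the verifier holding the secret, so it protects you against eavesdroppers and against replay but not against the verifier itself; that is the gap a card with its own private key and a signed or MAC'd challenge, as PLAID describes for its mutual authentication, is meant to close.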
Should they really be calling it unbreakable? Isn't that essentially the same as asking to have it broken so some hacker can make a name for himself? Any good social-engineer could crack this thing in a few days flat, I'm sure. As /. posters love pointing out, even if the system were perfect its users ain't.
"I Don't Have Enough Faith to be an Atheist"
With just two minor flaws:
1. the bad guys won't tell you about any flaws and
2. the bad guys won't tell you about any flaws!
Now, I realize that's just one flaw but it was such a BIG one I thought it worth mentioning twice!
insecurity asks the wrong question irritation gives the wrong answer
Please explain to me why the Australian government, in this case Centrelink of all agencies, is wasting taxpayers' money on developing secure authentication protocols for contactless smartcards - I mean is this really their job??? Why do they think they should be doing this??? Firstly, it is the role of the private sector and IT industry to provide such solutions to meet the requirements of clients such as the government. It is inappropriate of government agencies such as Centrelink to think they can make up protocols, and then ask industry to implement them in their products and adopt them as a standard so they can say it's a COTS solution. Who do they think they are? They have no understanding of the commercial realities of vendors who provide these solutions. No mention of who is actually going to implement this protocol to provide the return on the investment made by the taxpayer, and which they have decided to give away for free! Secondly, I would like to know what the actual requirements were, and the justification they have for approving the funding and developing of such technology. I don't believe Centrelink has any reason whatsoever to be developing smartcards with the level of security they are suggesting. Even the Defence Department does not have this type of technology, but at least they would have a justification. Even if there were really requirements for such a secure protocol for contactless smartcards, then there's a number of other far superior and more suitable agencies who have a greater mandate and resources to research and develop this solution, namely CSIRO, DSTO, or one of the many CRCs and universities. ...just another example of agencies with not enough accountability overstepping the mark of responsibility