Australian Gov't Offers $560k Cryptographic Protocol For Free
mask.of.sanity writes "Australia's national welfare agency will release its 'unbreakable' AU$560,000 smart card identification protocol for free. The government agency wants other departments and commercial businesses to adopt the Protocol for Lightweight Authentication of ID (PLAID), which withstood three years of design and testing by Australian and American security agencies. The agency has one of Australia's most advanced physical and logical converged security systems: staff can access doors and computers with a single centrally-managed identity card, and user identities can be automatically updated as employees leave, are recruited or move to new departments. PLAID, which will be available soon, is to be used in the agency's incoming fleet of contact-less smartcards that are currently under trial by staff. It will replace existing identity cards that operate on PKI encryption."
Until you lose your wallet and the person who finds it has complete control to ruin every aspect of your life connected to said card...
Yes, because clearly they would have no system to revoke lost cards.
This allows one to completely securely transmit up to n bits of data from a source stream, and because the source and destination can pick new X and Y values with every transmission, unencrypted data is never found on any transmitted data stream. The likelihood of breaking it is genuinely 1 in 2^n, and it can only be broken by brute force attack. Factoring methods will not break the encryption because what would normally be associated as a public/private key pair (X,Y) in some other encryption protocols is never shared with the other party.
File under 'M' for 'Manic ranting'
The protocol looks unremarkable. They pass some entropy and IDs back and forth, using conventional standards based encryption and hash algorithms.
That's a good thing.
Their problem is keeping the cards secure and they state clearly that they are using commercially available smart cards.
Which is also a good thing, as long as these cards have been analyzed well. I would be worried if they were using cards with "military grade" security meaning that they were only analyzed by few, without any standardized security level like FIPS or CC.
There are secrets in the cards, an RSA private key and an AES master key. The bigger problem is keeping these secrets in the cards and distributing the keys to cards. The PLAID protocol has no bearing on these matters.
Sorry, but you are wrong on both matters.
The RSA private key and AES master keys are not on the card. It contains the RSA public key and the AES derived key (one that is specific to the card).
There are many interesting things about this protocol. Let's have a list so I can get a few mod points on this old discussion:
Ok, for some disadvantages:
All in all, this protocol is very interesting for mutual authentication. I'll have to look into it further (e.g. how much the private key needs to stay private).
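The exchange above turns on where the secrets live: the comment that the card holds an AES master key versus the reply that the card only holds a card-specific derived key, with the master key staying in the back end. The following is an added illustration of that key-diversification pattern and of why it matters; it is not PLAID's actual scheme and not code from the agency or the article. The derivation function, the use of HMAC-SHA256 instead of AES for both derivation and the challenge response, the master key, the card IDs and the message framing are all assumptions constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample master key. In a real deployment this stays in the
# issuer's back end (ideally an HSM) and is never written to any card.
MASTER_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def derive_card_key(master_key: bytes, card_id: bytes) -> bytes:
    """Derive a card-specific key from the master key and the card's ID.

    HMAC-SHA256 diversification is an assumed scheme for this example, not
    PLAID's. The derived key is what gets personalised onto the card; the
    one-way derivation means a key extracted from one card gives no path
    back to the master key or to any other card's key.
    """
    return hmac.new(master_key, b"card-key|" + card_id, hashlib.sha256).digest()


class Card:
    """Holds only its own ID and its own derived key (no master key)."""

    def __init__(self, card_id: bytes, card_key: bytes) -> None:
        self.card_id = card_id
        self.card_key = card_key

    def respond(self, challenge: bytes) -> bytes:
        # Bind the response to both the fresh challenge and this card's ID,
        # so a response cannot be replayed or presented under another ID.
        return hmac.new(self.card_key, challenge + self.card_id, hashlib.sha256).digest()


class Verifier:
    """Back-end side: owns the master key and re-derives per-card keys."""

    def __init__(self, master_key: bytes) -> None:
        self.master_key = master_key

    def new_challenge(self) -> bytes:
        # Fresh random challenge per authentication attempt.
        return os.urandom(16)

    def verify(self, card_id: bytes, challenge: bytes, response: bytes) -> bool:
        card_key = derive_card_key(self.master_key, card_id)
        expected = hmac.new(card_key, challenge + card_id, hashlib.sha256).digest()
        # Constant-time comparison to avoid leaking tag bytes via timing.
        return hmac.compare_digest(expected, response)


def issue_card(master_key: bytes, card_id: bytes) -> Card:
    """Personalisation step: derive the card key once and load it onto the card."""
    return Card(card_id, derive_card_key(master_key, card_id))


def run_demo() -> dict:
    """Walk through issuance, a good authentication, and two failure cases."""
    verifier = Verifier(MASTER_KEY)
    card_a = issue_card(MASTER_KEY, b"CARD-0001")  # constructed IDs
    card_b = issue_card(MASTER_KEY, b"CARD-0002")

    challenge = verifier.new_challenge()
    good = verifier.verify(card_a.card_id, challenge, card_a.respond(challenge))

    # A cloned key from card A presented under card B's ID must fail:
    # card B's key is a different derivation, so the tag will not match.
    cross = verifier.verify(card_b.card_id, challenge, card_a.respond(challenge))

    # A captured response replayed against a new challenge must fail.
    stale = card_a.respond(challenge)
    replay = verifier.verify(card_a.card_id, verifier.new_challenge(), stale)

    return {"good": good, "cross": cross, "replay": replay}


if __name__ == "__main__":
    print(run_demo())
```

The point the thread is circling is visible in `Card`: the object never sees `MASTER_KEY`, only the output of `derive_card_key`, so an attacker who extracts one card's key has to start over for every other card. What the code cannot show, and what the earlier comment rightly flags as the harder problem, is the personalisation channel (`issue_card` here) and keeping the derived key from being read out of commercial card hardware.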