Slashdot Mirror


Australian Gov't Offers $560k Cryptographic Protocol For Free

mask.of.sanity writes "Australia's national welfare agency will release its 'unbreakable' AU$560,000 smart card identification protocol for free. The government agency wants other departments and commercial businesses to adopt the Protocol for Lightweight Authentication of ID (PLAID), which withstood three years of design and testing by Australian and American security agencies. The agency has one of Australia's most advanced physical and logical converged security systems: staff can access doors and computers with a single centrally-managed identity card, and user identities can be automatically updated as employees leave, are recruited or move to new departments. PLAID, which will be available soon, is to be used in the agency's incoming fleet of contact-less smartcards that are currently under trial by staff. It will replace existing identity cards that operate on PKI encryption."

46 of 163 comments

  1. Surprisingly sedate acronym by Sockatume · · Score: 3, Insightful

    Somehow that makes it more sinister than calling it "RAZORBAK" or "AOK JINGOSIM".

    --
    No kidding!!! What do you say at this point?
    1. Re:Surprisingly sedate acronym by Sockatume · · Score: 2, Funny

      (I'm not saying that the encryption is sinister, just that after so many contrived fist-pumping acronyms in the past decade, it's creepy.)

      --
      No kidding!!! What do you say at this point?
    2. Re:Surprisingly sedate acronym by Sockatume · · Score: 2, Funny

      Jingosim? Damn it.

      --
      No kidding!!! What do you say at this point?
  2. So when it gets replaced by courtjester801 · · Score: 5, Funny

    Can it be referred to as the Former Lightweight Authentication of ID, or FLACID?

    1. Re:So when it gets replaced by tychovi · · Score: 3, Funny

      I knew I should've taken the blue pill...

  3. A little more info by explosivejared · · Score: 4, Informative

    Here is a briefing on the PLAID 6 protocol with more specifics on the actual algorithms and cryptography in general involved. PDF link if the first one doesn't work for you.

    --
    I got a catholic block.
    1. Re:A little more info by TechyImmigrant · · Score: 4, Informative

      The protocol looks unremarkable. They pass some entropy and IDs back and forth, using conventional standards based encryption and hash algorithms.

      Their problem is keeping the cards secure and they state clearly that they are using commercially available smart cards.

      There are secrets in the cards, an RSA private key and an AES master key. The bigger problem is keeping these secrets in the cards and distributing the keys to cards. The PLAID protocol has no bearing on these matters.

      --
      Evil people are out to get you.
    2. Re:A little more info by swillden · · Score: 5, Informative

      There are secrets in the cards, an RSA private key and an AES master key. The bigger problem is keeping these secrets in the cards and distributing the keys to cards. The PLAID protocol has no bearing on these matters.

      Which is fine, because those problems are easily solved.

      Commercially-available smart cards provide a rather high degree of security. Extracting keys from them isn't impossible (nothing is), but it is very difficult and expensive. I design high security systems for a living, and we have no concerns about the security of the cards themselves, because experience shows it's just not an issue.

      What we do focus on is the security of the issuance process, because that's where those keys get injected. That problem is also solvable, mainly by performing the key injection in secure facilities using highly secure devices (FIPS 140-2 level 4 certified hardware security modules). It's expensive and complex (from a management and process perspective, not a technical perspective), but a high degree of security is achievable.

      The protocol looks unremarkable. They pass some entropy and IDs back and forth, using conventional standards based encryption and hash algorithms.

      It is unremarkable, which is one of its most significant strengths. It's just a lighter-weight approach to the problem, one that can be implemented efficiently on current-generation hardware. Previously, PK authentication on smart cards was considered too slow to use for physical access control and other applications where sub-second authentication was required. Faster smart cards coupled with a lightweight authentication protocol mean that PK authentication can be completed reliably in as little as 200 ms. That's fast enough to use it for transit applications.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    3. Re:A little more info by oldhack · · Score: 2, Insightful

      If it's so unremarkable, what makes it worth half million Australian dollars, then? Unremarkable patent, perhaps?

      --
      Fuck systemd. Fuck Redhat. Fuck Soylent, too. Wait, scratch the last one.
    4. Re:A little more info by profplump · · Score: 2, Informative

      "Completely unnecessary" is a stretch at best -- contact-less interfaces have real benefits. The most obvious is a lack of contamination and corrosion, both on the card and the reader. Another is decreased read times, which allows you to use the cards in more places without increasing the level of annoyance.

      Not to mention the "new attack scenarios" do not include simple copying of the card UUID, so radio-based attacks would need to be interactive:
      1. Attacker camps out at door with radio equipment
      2. Attacker points antenna at employee coming towards door
      3. Attacker is able to authenticate to the door as approaching employee

      While that's certainly a technically feasible attack it's not terribly practical in execution, even if you set up an out-of-band comm system to isolate the card under attack from the person entering the building.

      Plus you really could just issue a foil-lined holder if you were worried about such attacks. Or make authentication two-factor and require the entry of a PIN or somesuch in addition to the card scan.

    5. Re:A little more info by swillden · · Score: 2, Insightful

      If it's so unremarkable, what makes it worth half million Australian dollars, then? Unremarkable patent, perhaps?

      How do you define the "worth" of a protocol?

      Secure protocols are hard to design because there are a lot of subtle errors that can be made. It takes a lot of work by a lot of smart people to make sure that none have been -- and it's even harder if the protocol breaks new ground.

      I suspect that the half-million figure is an estimate of how much has been put into the design and verification of the protocol. That's a goodly amount of work. Had the protocol been extremely novel, verifying it to the world's satisfaction would have been *much* more expensive than 0.5M AUD.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    6. Re:A little more info by owlstead · · Score: 4, Interesting

      The protocol looks unremarkable. They pass some entropy and IDs back and forth, using conventional standards based encryption and hash algorithms.

      That's a good thing.

      Their problem is keeping the cards secure and they state clearly that they are using commercially available smart cards.

      Which is also a good thing, as long as these cards have been analyzed well. I would be worried if they were using cards with "military grade" security meaning that they were only analyzed by few, without any standardized security level like FIPS or CC.

      There are secrets in the cards, an RSA private key and an AES master key. The bigger problem is keeping these secrets in the cards and distributing the keys to cards. The PLAID protocol has no bearing on these matters.

      Sorry, but you are wrong on both matters.

      The RSA private key and AES master keys are not on the card. It contains the RSA public key and the AES derived key (one that is specific to the card).

      There are many interesting things about this protocol. Let's have a list so I can get a few mod points on this old discussion:

      • No ID before authentication (card ID is encrypted with public RSA key, standard RSA encryption uses random padding)
      • No RSA private key encryption for the authentication (vulnerable to attack)
      • Uses standardized, up to date algorithms (SHA-1 is only used in a secure way as far as I can see)
      • Uses RSA public key on the card, which is *faster* than ECC because the public exponent will likely be small (010001h normally)

      Ok, for some disadvantages

      • Requires contact-less processor card with AES and hardware RSA support
      • Access is much slower than with AES only authentication
      • Time and power usage of RSA calculations may make it more difficult to do a successful authentication
      • Unremarkable (probably has been invented earlier)
      • Requires terminal that performs RSA private key encryption
      • Requires RSA private key to be present on reader side, key cannot be revoked
      • Still requires a single master key (hopefully it will never be leaked)

      All in all, this protocol is very interesting for mutual authentication. I'll have to look into it further (e.g. how much the private key needs to stay private).

    7. Re:A little more info by PitaBred · · Score: 2, Insightful

      Hell, if you're really worried, make an "airlock" gate, where the outside door is free to open, but it is built like a faraday cage for the frequencies used, and the reader is inside that.

  4. PLACID by ajlitt · · Score: 4, Funny

    That's a much better acronym than the originally proposed Protocol for Automated National Identification and Control.

    1. Re:PLACID by Java+Pimp · · Score: 5, Funny

      That's a much better acronym than the originally proposed Protocol for Automated National Identification and Control.

      Or the lesser known Protocol for Enhanced Network and Internet Security.

      --
      Ascalante: Your bride is over 3,000 years old.
      Kull: She told me she was 19!
    2. Re:PLACID by Red+Flayer · · Score: 4, Funny

      But any of us with good fashion sense would prefer the Protocol for Authenticating Identification Systems with Latent Encryption Yobs over the original PLAID anyway.

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    3. Re:PLACID by StikyPad · · Score: 3, Funny

      Nobody Asked Me Before Labeling the Authentication!

  5. Yeah Right... by Frosty+Piss · · Score: 4, Insightful

    Given Australian government's views on privacy, I wonder when the back door will be discovered? Or is looking for it against the law?

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:Yeah Right... by swillden · · Score: 3, Informative

      Given Australian government's views on privacy, I wonder when the back door will be discovered? Or is looking for it against the law?

      Look at the protocol. It's so simple that there's virtually no way for a back door to exist.

      Implementations can have back doors, of course, but that's a separate issue.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    2. Re:Yeah Right... by swillden · · Score: 3, Interesting

      Well, these are off-the-shelf cards, so if there are back doors, they're already there. That has nothing to do with this protocol.

      Also, it's not really accurate to say that Javacards have a "back door if you know the keys". They're delivered from the manufacturer with an initial key set, which is generally swapped out for new, randomly-generated keys by the card issuer. The card issuer knows those keys and can use them to install and remove applets and what not. The card issuer is the true owner of the card, and has complete control over it, because they know the keys. That's not so much a "back door" as the reality that the card holder is generally not the one that owns the card.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    3. Re:Yeah Right... by swillden · · Score: 2, Informative

      I wasn't talking about the issuer keys. There are more keys that let you in to other levels of the card hardware. This is not generally publicized and the only reason I know about it is because of how long I have been working in this field. Now this may not be true of all Java Cards but it is for every one I have seen.

      Well, I've been working with smart cards in general for over 12 years, and with Javacards ever since they've existed, including having done some work on the JCOP operating system (IBM's implementation of Javacard, now owned by NXP), and I've NEVER heard of keys at a lower level than the CardManager keys.

      Which specific cards have you seen this to be true of? And how did you find out? It's certainly not in the documentation of the cards from Gemalto, Oberthur, G&D or NXP.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  6. Mmmh by Britz · · Score: 5, Insightful

    "Here, have my lock and key. Nobody will be able to get into your home. Except, maybe, me :-)"

    1. Re:Mmmh by MobyDisk · · Score: 2, Insightful

      They aren't giving away the lock and key. They are giving away a design for locks and keys.

  7. I laugh ... by Morphine007 · · Score: 4, Insightful

    ... when an organization claims that they're going to provide something that's unbreakable

    The claim is usually an open invitation to reduce the "unbreakable" object to ashes.

    1. Re:I laugh ... by mark-t · · Score: 4, Interesting

      Meh.... unbreakable encryption is easy, or so close to it that the difference is largely irrelevant:
      1. Find any two nice and large prime numbers and publish them. Call them A and B. Call their product C. Let n = one less than the number of bits in C.
      2. Both the source and destination can pick any number that is coprime to (A-1)*(B-1), call them Xs and Xd. They do not share this information.
      3. The source and destination then compute Ys and Yd, respectively, such that their own X*Y is congruent to 1 mod (A*B). They do not share this information.
      4. The source takes n bits from the data, D, and applies the following transform: D = D ^ Xs mod C. This data is transmitted.
      5. The destination then applies the transform D = D ^ Xd mod C and transmits that back to the source.
      6. The source applies the transform D = D ^ Ys mod C and transmits that to the destination
      7. The destination finally applies D = D ^ Yd mod C, and in this final transform retrieves the unencrypted data.

      This allows one to completely securely transmit up to n bits of data from a source stream, and because the source and destination can pick new X and Y values with every transmission, unencrypted data is never found on any transmitted data stream. The likelihood of breaking it is genuinely 1 in 2^n and can only be broken by brute force attack. Factoring methods will not break the encryption because what would normally be associated as a public/private key pair (X,Y) in some other encryption protocols is never shared with the other party.

    2. Re:I laugh ... by smallfries · · Score: 5, Informative

      That looks familiar but I can't remember the name, what scheme is it?

      The likelihood of breaking it is genuinely 1 in 2^n and can only be broken by brute force attack.

      That's not strictly true. Although the discrete log problem is hard it is still a computational assumption. Proving that 2^n is a lower bound would be a significant achievement. This scheme is only "unbreakable" in the sense that RSA is - breaking it requires solving a problem that we suspect, but are unable to prove, is very hard.

      --
      Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
    3. Re:I laugh ... by swillden · · Score: 3, Interesting

      ... when an organization claims that they're going to provide something that's unbreakable

      The claim is usually an open invitation to reduce the "unbreakable" object to ashes.

      This one has already been under discussion and review by the cryptologic community for several years now. It has received a lot of attention by the top academic cryptographers, as well as by government organizations like the NSA.

      Never say never, and I'm sure the "unbreakable" word came from management or from news agencies, not the authors of the protocol, but I'll be very surprised if this is broken.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    4. Re:I laugh ... by Confuse+Ed · · Score: 2, Insightful

      3. The source and destination then compute Ys and Yd, respectively, such that their own X*Y is congruent to 1 mod (A*B). They do not share this information.

      Should that be 1 mod ((A-1)*(B-1))?

      I'm not that convinced that relying on the discrete logarithm problem (at the cost of 4x as much network communication) rather than directly on the factoring problem (like more commonly discussed PK based systems) has any additional security : aren't the 2 problems of identical complexity?

    5. Re:I laugh ... by smallfries · · Score: 2, Informative

      I'm not really sure what you mean. Assuming that A and B are roughly the same size, A, B and SQRT(c) will all have about n/2 bits. But I don't see the connection to discrete logs. The scheme assumes that the attacker can't compute Xd,Xs,Yd,Ys. If the attacker observes the D transmitted in steps 5,6 and 7 then he can attempt to invert the exponentiation revealing Xd and Ys.

      My head is a bit too hungover to follow through the implications, but Xs is the multiplicative inverse of Ys and so should be unique and can be computed cheaply using Euclid's algorithm. The same holds for Xd and Yd, so if the attacker can solve discrete logs (inverting the modular exponentiation) then he can recover all four of Xd,Xs,Yd and Ys. This then reveals the original D.

      In practice solving discrete logs for this type of group is about as hard as factoring. It hasn't been proven to be hard, but nobody has come up with an efficient way of doing it. Either proving a lower bound of O(2^n), or finding a cheap algorithm to solve the problem would be a significant break-through.

      The other main problem with the scheme is that it is susceptible to a Man In The Middle attack. If the attacker can intercept and alter the communications between source and destination then he can substitute his own choice of Xd and Yd and reveal D directly. To get around this there needs to be some form of authentication as well as the encryption.

      --
      Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
  8. Re:It scares me when ... by Anonymous Coward · · Score: 2, Interesting

    I guess it's perfectly OK. It withstood 3 years of in-agency cracking. Now they want to see whether it will survive in the wild. What better method than to claim it is unbreakable? If it has vulnerabilities known to modern cryptanalysis, all the tech news will laugh and point at them - quite an easy event to spot. Some people are not afraid to be laughed at if they get what they need...

  9. What unbreakable? Fah! by 140Mandak262Jamuna · · Score: 2, Funny

    I am sure it will blend.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  10. contactless smart cards are the way to go by Lord+Ender · · Score: 2, Interesting

    Imagine government IDs had contactless smart cards with certificates on them keyed to an ID database managed by the government (for revocation purposes and identity information). Now imagine contactless smart card readers were standard equipment in PCs.

    You would just need one card in your wallet to log you in to any computer or web site, make purchases, board planes or trains... anything! No more wasted effort on having a hundred weak authentication cards and passwords. You have one strong authentication method that can't be forged, or at least not without fantastically more effort than forging a check or credit card.

    Enormous economic and security benefit.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    1. Re:contactless smart cards are the way to go by Trikki+Nikki! · · Score: 3, Interesting

      You would just need one card in your wallet to log you in to any computer or web site, make purchases, board planes or trains... anything! No more wasted effort on having a hundred weak authentication cards and passwords. You have one strong authentication method that can't be forged, or at least not without fantastically more effort than forging a check or credit card.

      Enormous economic and security benefit.

      Until you lose your wallet and the person who finds it has complete control to ruin every aspect of your life connected to said card... ...

      --
      i r in ur /.s girling up ur storiez
    2. Re:contactless smart cards are the way to go by UberOogie · · Score: 2, Interesting

      And now imagine that the system is compromised, and complete identity theft is available to anyone who can crack that one database.

      --
      "Enough of this wretched, whining monkey life." -- Marcus Aurelius, _Meditations_, Book 9, 37
    3. Re:contactless smart cards are the way to go by Burkin · · Score: 4, Interesting

      Until you lose your wallet and the person who finds it has complete control to ruin every aspect of your life connected to said card... ...

      Yes, because clearly they would have no system to revoke lost cards.

    4. Re:contactless smart cards are the way to go by drinkypoo · · Score: 3, Interesting

      Enormous economic and security benefit.

      Yes, for just $429.95 I will sell you a very nice mask and a programmable contactless identity chip. Enormous economic benefit to me, enormous security benefit to you. Well, it will benefit you in bypassing security, and framing someone for a crime anyway.

      You still need at minimum two-factor authentication to be secure, so you're still going to need a PIN for non-trivial uses. However, even non-trivial uses could be enough to get you into plenty of trouble.

      It's not hard to consolidate multiple usernames and passwords down to a single username and password. This is done for users through any number of freely available schemes. This is preferable to concentrating them down to a single system which, when corrupted (not "if") will permit virtually unlimited abuse. I do not believe that you are so helpless that you need government to assist you with password management. Therefore I submit that you are trolling. You could call it sarcasm if you had left any clues in your comment. Perhaps you used > rather than & someplace?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    5. Re:contactless smart cards are the way to go by Anonymous Coward · · Score: 2, Funny

      "To revoke privileges to your lost card, please validate your identity by presenting your smart card"

    6. Re:contactless smart cards are the way to go by leonardluen · · Score: 2, Interesting

      yes because the govt. has shown such wisdom in the past by making it easy to replace social security numbers

    7. Re:contactless smart cards are the way to go by profplump · · Score: 4, Insightful

      The government never issued SSN with the intent of being a universal identifier.

  11. Surviving design... by knifeyspooney · · Score: 3, Funny

    ...which withstood three years of design and testing by Australian and American security agencies

    Anything that withstands three years of attempted government design must be robust indeed.

  12. PLAID 6 Protocol by Anonymous Coward · · Score: 4, Informative

    * Uses existing off-the-shelf symmetric and asymmetric crypto algorithms (SHA1, AES 256, RSA 1024, RSA 1984) tied together via the PLAID protocol
    - Note - Neither SHA256 nor ECC are used at this time because production cards are either not obtainable from all vendors nor do they achieve the required performance, (in spite of theoretical advantage of ECC)
    - Note - RSA 1984 is a trade off between performance and security, and ensuring the transaction fits in one APDU command.
    * Fast & simple - less than 1/2 second (400ms) and the Java Card - applet is extremely small (about 4 Kb)
    * Not clone-able, re-playable or subject to privacy or identity leakage
    * Same protocol can be used for PACS/LACS & contact/contactless
    * PIN can be verified when card-not-present by comparing PIN hash
    - Saves user having to hold contactless card to reader during typical PKI session
    * Mutual authentication Protocol
    * Algorithms used are commercially available on virtually all modern smartcards including Java Card, MULTOS, most SIMs and many proprietary cards
    * Algorithms and their selected key lengths have been tested on production cards and devices to ensure speeds are real, not theoretical

    * No IP issues - IP was developed solely by the Australian Government by its agency, Centrelink, and will be openly and freely licensed
    * Designed to be used either stand-alone or as a bootstrap into other specifications like Australian IMAGE, US PIV, ICAO Passports etc.
    * Supports multiple concurrent specs dependent on device request to card
    - i.e. Card could supply Wiegand number or CHUID or Centrelink CSIC or Passport MRZ etc etc dependent on use case
    * Supports multiple (256) key sets dependent on device request to card
    - i.e. there might be a "perimeter key set" and a "high security key set" and a "LACS key set" and an "administrative key set" etc etc and the terminal device only requests the one it requires, reducing the possibility of compromise of the others.
    - The key sets can be rolled, by loading spare unused key sets (up to 255) in case of compromise (memory is the limitation)
    * Optionally provides session keys for higher level specs
    * Protocol can be registered and implemented under ISO/IEC 24727-3 and 6, and either used under ISO/IEC 24727 or implemented separately

    However:
    * Slightly slower than existing physical access Tag and proprietary solutions (by 0.2 to 0.3 seconds)
    - Keys MUST be distributed & managed
    * Vendors need to build key management for PLAID into existing or new key management systems. (Centrelink vendor is doing this for LACS)
    * PACS using older Wiegand technologies need secure SAM devices in the readers
    * Newer PACS can utilise back end HSM devices/SAMs on the network or in distribution frames
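The key-management points raised in this thread (owlstead's note in comment 3.6 that the card carries only a card-specific derived AES key, swillden's point that the issuance step is where keys get injected, and the AC's list above of per-purpose key sets that a terminal requests individually) fit together as one small model. The following is an added example, not code from the page, from Centrelink or from the PLAID specification. It assumes HMAC-SHA256 as the diversification function and as the challenge-response MAC (the page only says AES and does not name a KDF), uses constructed card ids and random master keys, and sends the card id in the clear, which the real protocol avoids by RSA-encrypting it.

```python
"""Per-card key diversification and per-keyset reader authentication (added example)."""
import hashlib
import hmac
import secrets

# Key set ids as the AC's list describes them; the numeric values are constructed.
KEYSET = {"perimeter": 0x01, "high_security": 0x02, "lacs": 0x03, "admin": 0x04}


def derive_card_key(keyset_master: bytes, keyset_id: int, card_id: bytes) -> bytes:
    """Card key for one key set = HMAC-SHA256(keyset master, keyset_id || card_id).

    HMAC as the diversification function is this example's assumption. The master
    never leaves the issuer (ideally an HSM); only the derived value is written to
    the card at personalisation, so a key pulled off one card opens nothing else.
    """
    if not 0 <= keyset_id <= 255:
        raise ValueError("key set id must fit in one byte")
    return hmac.new(keyset_master, bytes([keyset_id]) + card_id, hashlib.sha256).digest()


def _tag(key: bytes, role: bytes, nonce_t: bytes, nonce_c: bytes) -> bytes:
    """Challenge-response MAC over both nonces; role byte separates the two directions."""
    return hmac.new(key, role + nonce_t + nonce_c, hashlib.sha256).digest()


class Card:
    """What personalisation leaves on the card: its id and its own derived keys only."""

    def __init__(self, card_id: bytes, issuer_masters: dict):
        self.card_id = card_id
        self._keys = {kid: derive_card_key(m, kid, card_id) for kid, m in issuer_masters.items()}

    def respond(self, keyset_id: int, nonce_t: bytes):
        """Prove possession of the requested key set; None if the card lacks that set."""
        key = self._keys.get(keyset_id)
        if key is None:
            return None
        nonce_c = secrets.token_bytes(16)
        return nonce_c, _tag(key, b"card", nonce_t, nonce_c)

    def verify_terminal(self, keyset_id: int, nonce_t: bytes, nonce_c: bytes, tag_t: bytes) -> bool:
        """Second half of mutual authentication: the terminal must know the key too."""
        return hmac.compare_digest(tag_t, _tag(self._keys[keyset_id], b"term", nonce_t, nonce_c))


class ReaderSAM:
    """Holds only the master(s) for the key sets this reader is allowed to use."""

    def __init__(self, masters: dict):
        self._masters = dict(masters)

    def authenticate(self, card: Card, keyset_id: int) -> bool:
        if keyset_id not in self._masters:
            return False  # this reader was never given that key set
        nonce_t = secrets.token_bytes(16)
        resp = card.respond(keyset_id, nonce_t)
        if resp is None:
            return False
        nonce_c, tag_c = resp
        key = derive_card_key(self._masters[keyset_id], keyset_id, card.card_id)
        if not hmac.compare_digest(tag_c, _tag(key, b"card", nonce_t, nonce_c)):
            return False
        return card.verify_terminal(keyset_id, nonce_t, nonce_c, _tag(key, b"term", nonce_t, nonce_c))


def demo() -> dict:
    """Issue one card, give two readers different key sets, and try the combinations."""
    issuer_masters = {kid: secrets.token_bytes(32) for kid in KEYSET.values()}  # constructed
    card = Card(b"CARD-0001", issuer_masters)
    perimeter = ReaderSAM({KEYSET["perimeter"]: issuer_masters[KEYSET["perimeter"]]})
    admin = ReaderSAM({KEYSET["admin"]: issuer_masters[KEYSET["admin"]]})
    # A card with the same id personalised under someone else's masters.
    foreign = Card(b"CARD-0001", {kid: secrets.token_bytes(32) for kid in KEYSET.values()})
    return {
        "perimeter_ok": perimeter.authenticate(card, KEYSET["perimeter"]),
        "admin_ok": admin.authenticate(card, KEYSET["admin"]),
        "perimeter_cannot_do_admin": perimeter.authenticate(card, KEYSET["admin"]),
        "foreign_card_rejected": perimeter.authenticate(foreign, KEYSET["perimeter"]),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The perimeter reader's SAM can only ever authenticate against the perimeter key set, so losing that SAM exposes one purpose, not the administrative set; that is the containment the AC's "only requests the one it requires" line is after. The single point that remains is the issuer's master store, which is why swillden's comment puts the effort into the injection facility rather than the card.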

  13. Spaceballs by GordonCopestake · · Score: 3, Funny

    Dark Helmet: Yes, we're gonna have to go right to ludicrous speed... Lonestar: It's Spaceball 1. Barf: They've gone to plaid! ...

  14. It is the fastest protocol by Anonymous Coward · · Score: 3, Funny

    While some crypto protocols are capable of ludicrous speed, this protocol can go plaid.

  15. Getting PLAID by sakonofie · · Score: 3, Funny

    I'm just waiting for the advertisement that says:

    I can't wait to get PLAID by the Australian government.

  16. Parent is fail! Don't take crypto advice on /. by jonaskoelker · · Score: 3, Interesting

    Meh.... unbreakable encryption is easy, or so close to it that the difference is largely irrelevant: [protocol] [...]

    Well, this will have to be performed over a channel which solves almost all the important cryptographic problems.

    If not, consider this scenario:

    Alice wants to send something to Bob. Both know A, B and C (why not p, q and n?). She sends out D^Xs. She receives D' from someone. She sends out D'^Ys.

    Consider Bob: he receives E from someone, sends out E^Xd. Then he receives E' from someone and computes E'^Yd.

    There is no guarantee and no way to check whether "someone" is the person you think you're talking to; they might appear to be Bob in Alice's eyes and vice versa while in reality they're Doctor Evil.

    There's also no way to be sure that the message(s) you receive from the network have any particular relation to what you sent out. Doctor Evil could, for instance, multiply the data by 2 without anyone noticing.

    Besides, doing modular exponentiation is slow like molasses. You really do not want to do that for every chunk of data; you'd much rather use those kinds of operations to agree on a (secret) key for a symmetric cipher (say, AES) and then encrypt the data using the symmetric cipher.

    I hope to god no one implements this.

    Factoring methods will not break the encryption because what would normally be associated as a public/private key pair (X,Y) in some other encryption protocols is never shared with the other party.

    And that is why all you can know is that you sent an encrypted message to someone: there's nothing distinguishing your intended receiver from anyone else. The sender/receiver has no shared secret knowledge, nor any private/public asymmetric knowledge, so anyone can do the same computations as either intended party in this protocol.

    Similar to optimization, there are two rules for cryptography:

    1. Don't design your own
    2. Don't design your own, unless it goes through thorough review by cryptography experts (this rule is for experts only).

    If you're curious about my background, I'm a crypto PhD student (that I am, even if you're not curious). I want to stress: I'm not trying to make an argument from authority.

    I'm also not trying to make crypto an exclusive thing; I welcome anyone to educate themselves on the matters of cryptography. It's just that this shit is hard, and if you don't know your shit, your own designs are extremely likely to be insecure.
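The scheme mark-t sketches in comment 7.1, Confuse+Ed's correction that the inverses have to be taken mod (A-1)*(B-1) rather than mod A*B, and jonaskoelker's observation that nothing distinguishes the intended receiver from anyone else, can all be checked in a few lines. The following is an added example written for this page, not code from any commenter. It keeps the thread's names (A, B, C, Xs, Xd, Ys, Yd, n) and uses constructed demo primes that are far too small for real use; it exists to show the protocol's structure and its missing authentication, not to recommend the scheme.

```python
"""Three-pass commutative exponentiation as described in the thread (added example)."""
import secrets
from math import gcd

# Constructed demo primes: tiny so the arithmetic is instant. Nothing here is sized for use.
A = 1_000_003
B = 1_000_033
C = A * B
PHI = (A - 1) * (B - 1)             # the modulus the inverse has to be taken in
N_BITS = C.bit_length() - 1         # mark-t's n: the payload must be below 2^n < C


def make_keypair(modulus: int = PHI) -> tuple:
    """Steps 2 and 3: X coprime to `modulus`, Y = X^-1 mod `modulus`. Kept private."""
    while True:
        x = secrets.randbelow(modulus - 2) + 2
        if gcd(x, modulus) == 1:
            return x, pow(x, -1, modulus)


def wrong_modulus_keypair(x: int) -> tuple:
    """The inverse taken mod A*B, as comment 7.1 literally says. X must be coprime to C."""
    return x, pow(x, -1, C)


def three_pass(d: int, sender: tuple, receiver: tuple, c: int = C) -> tuple:
    """Steps 4 to 7. Returns what the receiver recovers and the three wire messages."""
    if not 0 <= d < (1 << N_BITS):
        raise ValueError("payload must fit in n bits")
    xs, ys = sender
    xd, yd = receiver
    m1 = pow(d, xs, c)          # step 4: source -> destination
    m2 = pow(m1, xd, c)         # step 5: destination -> source
    m3 = pow(m2, ys, c)         # step 6: source -> destination
    recovered = pow(m3, yd, c)  # step 7: destination unwraps the last layer
    return recovered, (m1, m2, m3)


def roundtrip_ok(d: int) -> bool:
    """With inverses mod PHI the exponents cancel and D comes back intact."""
    alice, bob = make_keypair(), make_keypair()
    return three_pass(d, alice, bob)[0] == d


def anyone_can_receive(d: int) -> bool:
    """jonaskoelker's point: a party with no relation to Bob runs the same steps and gets D."""
    alice, someone = make_keypair(), make_keypair()
    return three_pass(d, alice, someone)[0] == d


if __name__ == "__main__":
    print("n bits:", N_BITS)
    print("round trip with inverses mod (A-1)(B-1):", roundtrip_ok(123456789))
    print("arbitrary third party recovers D:", anyone_can_receive(123456789))
    r, _ = three_pass(987654321, wrong_modulus_keypair(65537), wrong_modulus_keypair(65539))
    print("round trip with inverses mod A*B recovers D:", r == 987654321)
```

Nothing in `three_pass` ever asks who the receiver is: any keypair from `make_keypair` completes the exchange, which is exactly the "someone" in jonaskoelker's scenario. The failing round trip with `wrong_modulus_keypair` is the thread's modulus question settled by computation.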

  17. Re:You are correct by MobyDisk · · Score: 2, Insightful

    From the summary:

    which withstood three years of design and testing by Australian and American security agencies.

    I took that to mean the crypto-community had a long hard look at it.