Slashdot Mirror


Australian PLAID Crypto, ISO Conspiracies, and German Tanks

New submitter Gaglia writes: PLAID, the Australian 'unbreakable' smart card identification protocol has been recently analyzed in this scientific paper (disclaimer: I am one of the authors, and this is a personal statement.)

Technically, the protocol is a disaster. In addition to many questionable design choices, we found ways of tracing user identities and recovering card access capabilities. The attacks are efficient (a few seconds on 'home' hardware in some cases), and involve funny techniques such as RSA moduli fingerprinting and... German tanks. See this entry on Matt Green's crypto blog for a pleasant-to-read explanation.

But the story behind PLAID's standardization is possibly even more disturbing. PLAID was pushed into ISO with a so-called "fast track" procedure. Technical loopholes made it possible to cut the ISO groups responsible for crypto and security analysis off from any discussion. Concerns from tech-savvy experts in the other national panels were dismissed or ignored. We contacted ISO and CERT Australia before going public with our paper, but all we got was a questionable and somewhat irate response (PDF) by PLAID's project editor (our reply here). Despite all possible evidence of bad design, PLAID is now approved as an ISO standard, and is coming to you very soon inside security products which will advertise non-existent privacy capabilities.

The detailed story of PLAID in the paper is worth a read, and casts many doubts on the efficacy of the most important standardizing body in the world. It is interesting to see how a "cryptography" product can be approved at ISO without undergoing any real security scrutiny.

On a related note, the enthusiastic comments on PLAID's design made by a few readers in the old Slashdot story remind us, as a cautionary tale, that you need cryptographers to assess the security of cryptography. Quoting Bruce Schneier: amateurs produce amateur cryptography.
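The submission mentions "RSA moduli fingerprinting" and "German tanks" but does not explain them. The following is an added illustration, not code from the paper, the submitter, or PLAID, and it rests on an assumption about the mechanism: that a card answers each session with a textbook RSA ciphertext under a per-card key whose modulus is meant to stay secret. Since every such ciphertext is an integer below the modulus, an eavesdropper who collects a few hundred of them can estimate the modulus from the largest one (the German tank estimator) and use the estimate as a card fingerprint. The two "cards" and their moduli are constructed toy values, and the function and variable names are mine.

```python
"""Added example: a secret RSA modulus leaks through the size of its ciphertexts.

Assumption (not stated on the page): a card answers with c = m^e mod N, where N is
a per-card modulus the observer never learns. Every c lies in [0, N), so the largest
observed c is a lower bound on N, and the German tank estimator sharpens it.
"""
import random

E = 65537

# Constructed toy cards: each modulus is a product of two known primes. The
# observer never sees these numbers, only ciphertexts. E is coprime to p-1 and
# q-1 for all four primes, so RSA encryption permutes [0, N) and a uniform
# message gives a uniform ciphertext.
CARDS = {
    "A": 1000000007 * 1000000009,
    "B": 998244353 * 754974721,
}


def card_respond(n, m):
    """Textbook RSA encryption with the card's (secret) modulus n."""
    return pow(m, E, n)


def observe_sessions(name, k, seed):
    """Eavesdrop k sessions with card `name`. Messages are simulated as uniform
    in [0, N); the observer records only the ciphertexts."""
    rng = random.Random(seed)
    n = CARDS[name]
    return [card_respond(n, rng.randrange(n)) for _ in range(k)]


def estimate_modulus(ciphertexts):
    """German tank estimator: for k samples drawn uniformly from {0, ..., N-1}
    with maximum m, the minimum-variance unbiased estimate of N is
    (m + 1) * (1 + 1/k) - 1. Integer arithmetic keeps the big numbers exact."""
    k = len(ciphertexts)
    m = max(ciphertexts)
    return (m + 1) * (k + 1) // k - 1


def fingerprint(name, k=200, seed=1):
    """Estimated modulus of a card after watching k sessions."""
    return estimate_modulus(observe_sessions(name, k, seed))


def relative_error(name, k=200, seed=1):
    """How far the fingerprint is from the true (hidden) modulus."""
    n = CARDS[name]
    return abs(fingerprint(name, k, seed) - n) / n


def incompatible_cards(c, estimates, slack=0.02):
    """Cards whose estimated modulus is too small to have produced ciphertext c.
    `slack` tolerates the estimator's residual error (at most 1/k above N)."""
    return {name for name, n_hat in estimates.items() if c > n_hat * (1 + slack)}


if __name__ == "__main__":
    est = {name: fingerprint(name) for name in CARDS}
    for name, n_hat in est.items():
        print(f"card {name}: N_hat={n_hat} true N={CARDS[name]} "
              f"rel.err={relative_error(name):.4f}")
    # A fresh session: any ciphertext above card B's estimate cannot be from B.
    c = observe_sessions("A", 1, seed=7)[0]
    print("fresh ciphertext", c, "rules out", incompatible_cards(c, est) or "nothing")
```

Two hundred sessions already pin each modulus to within a fraction of a percent, which is more than enough to tell the two cards apart; a single later ciphertext that exceeds one card's estimate immediately rules that card out, which is the tracing flavour of the attack. Keeping a public key secret therefore buys no privacy against an eavesdropper who can see ciphertexts.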

1 of 62 comments

  1. Response to criticism by myrdos2 · Score: 5, Interesting

    Here's the meat of the "questionable and somewhat irate" response:

    The following are factual and editorial errors in the document:

    1. Abstract – States that for AS 5185-2010 "we show that the privacy properties of PLAID are significantly weaker than claimed" but in fact the report shows that the privacy properties of PLAID are unbroken by the attack and in fact unbreakable by the attack. The report actually shows that the "ID Leakage" properties of the protocol (as defined in AS 5185-2010) could be better implemented in the 2010 version of the reference implementation by implementing the fake "ShillKey" better - see further discussion in section 6.2.

    2. Abstract – states that it will be "...reporting a number of undesirable cryptographic features of the protocol". This is however unargued and not actualised. The reference appears to logically mean section 5.3 of the Unpicking PLAID paper; however, as shown in section 7 of this discussion, these are either not claims of the protocol or are not shown to be weaknesses by any argument presented by the Researchers - see further discussion in section 7.

    3. History in Introduction is not 100% correct – the Public Consultation process included additional workshops and stages – see section 4 "History" above

    4. P3, Last paragraph, the words "added for privacy reasons" are incorrect, the ShillKey was added to delay and distract an attacker, privacy was never an issue and is not stated as a design requirement.

    5. P4, last paragraph, P5 first paragraph – Not clear what point is being made – OPACITY is a completely different protocol based on Elliptic Curve technology. Last sentence seems to mix this Paper on PLAID up with a completely separate report on OPACITY.

    6. P3 2nd last paragraph the Researchers state "Even though the encryption key in RSA is usually public, in PLAID it is kept secret to enhance privacy". This is an incorrect representation of PLAID, the reason for both keys being kept secret is in fact to prevent any leakage to an attacker of the AES diversification seed in order to enhance security. Note that PLAID is not a PKI, and the use of public and private key concepts is not relevant, ALL keys are secured in (preferably) hardware crypto devices.

    I'm no crypto expert - can anyone explain to me why these points aren't valid? Especially points 1 and 4.