Slashdot Mirror

← Back to Stories (view on slashdot.org)

Australian PLAID Crypto, ISO Conspiracies, and German Tanks

Posted by Soulskill on from the get-what-you-pay-for dept.

New submitter Gaglia writes: PLAID, the Australian 'unbreakable' smart card identification protocol has been recently analyzed in this scientific paper (disclaimer: I am one of the authors, and this is a personal statement.)

Technically, the protocol is a disaster. In addition to many questionable design choices, we found ways for tracing user identities and recover card access capabilities. The attacks are efficient (few seconds on 'home' hardware in some cases), and involve funny techniques such as RSA moduli fingerprinting and... German tanks. See this entry on Matt Green's crypto blog for a pleasant-to-read explanation.

But the story behind PLAID's standardization is possibly even more disturbing. PLAID was pushed into ISO with a so-called "fast track" procedure. Technical loopholes made it possible to cut off from any discussion the ISO groups responsible for crypto and security analysis. Concerns from tech-savvy experts in the other national panels were dismissed or ignored. We contacted ISO and CERT Australia before going public with our paper, but all we got was a questionable and somewhat irate response (PDF) by PLAID's project editor (our reply here). Despite every possible evidence of bad design, PLAID is now approved as ISO standard, and is coming to you very soon inside security products which will advertise non-existing privacy capabilities.

The detailed story of PLAID in the paper is worth a read, and casts many doubts on the efficacy of the most important standardizing body in the world. It is interesting to see how a "cryptography" product can be approved at ISO without undergoing any real security scrutiny.

On a related note, the enthusiastic comments to PLAID's design made by a few readers in the old Slashdot story reminds us as a cautionary tale that you need cryptographers to assess the security of cryptography. Quoting Bruce Schneier: amateurs produce amateur cryptography.

10 of 62 comments (clear)

  1. PLAID must be fast! by greenwow · · Score: 5, Funny

    Even faster than LUDICROUS.

    1. Re:PLAID must be fast! by chilenexus · · Score: 3, Funny

      They're Assholes, sir.

  2. ISO corruption by Anonymous Coward · · Score: 5, Insightful

    The detailed story of PLAID in the paper is worth a read, and casts many doubts on the efficacy of the most important standardizing body in the world. It is interesting to see how a "cryptography" product can be approved at ISO without undergoing any real security scrutiny.

    Not really surprising given the Microsoft OOXML standard controversy a few years ago. I suppose the ISO could always have been susceptible to influence peddling in the past, but the OOXML thing was the first time I, and a lot of others, became aware of it.

  3. Re:Australians lost a long time ago by hawguy · · Score: 5, Insightful

    Australians have been selling their freedom for security for years. Socialized society, insane gun control, and their crypto attitude is just horrible.

    With a firearm related homicide rate 1/30th that of the USA (and firearm related deaths due to all causes about 1/12th that of the USA), maybe their gun control isn't so insane.

  4. Response to criticism by myrdos2 · · Score: 5, Interesting

    Here's the meat of the "questionable and somewhat irate" response:

    The following are factual and editorial errors in the document:

    1. Abstract – States that for AS 5185-2010 "we show that the privacy properties of PLAID are significantly weaker than claimed" but in fact the report shows that the privacy properties of PLAID are unbroken by the attack and in fact unbreakable by the attack. The report actually shows that the "ID Leakage" properties of the protocol (as defined in AS 5185-2010) could be better implemented in the 2010 version of the reference implementation by implementing the fake "ShillKey" better - see further discussion in section 6.2.

    2. Abstract – states that it will be ...." reporting a number of undesirable cryptographic features of the protocol" This is however unargued and not actualised. The reference appears to logically means section 5.3 of the Unpicking PLAID paper however, as shown in section 7 of this discussion these are either not claims of the protocol or are not shown to be weaknesses by any argument presented by the Researchers - see further discussion in section 7.

    3. History in Introduction is not 100% correct – the Public Consultation process included additional workshops and stages – see section 4 "History" above

    4. P3, Last paragraph, the words "added for privacy reasons" is incorrect, the ShillKey was added to delay and distract an atacker, privacy was never an issue and is not stated as a design requirement.

    5. P4, last paragraph, P5 first paragraph – Not clear what point is being made – OPACITY is a completely different protocol based on Eliptic Curve technology. Last sentence seems to mix this Paper on PLAID up with a completely seperate report on OPACITY.

    6. P3 2nd last paragraph the Researchers state "Even though the encryption key in RSA is usually public, in PLAID it is kept secret to enhance privacy". This is an incorrect representation of PLAID, the reason for both keys being kept secret is in fact to prevent any leakage to an attacker of the AES diversification seed in order to enhance security. Note that PLAID is not a PKI, and the use of public and private key concepts is not relevant, ALL keys are secured in (preferably) hardware crypto devices.

    I'm no crypto expert - can anyone explain to me why these points aren't valid? Especially points 1 and 4.

    1. Re:Response to criticism by suutar · · Score: 4, Informative

      1 and 4 together make me think that the author is saying that shill is completely irrelevant to privacy and the rest of plaid is just as private as advertised. The problem is that while shill may have been intended as a bolt-on to distract and slow attackers, it apparently also can be used to do the tracking that the rest of plaid was designed to avoid. The author claims that's not a problem because it wasn't designed to be private, but the end effect seems to be that the card is more trackable than intended. A better implementation of the shillkey could help with this, but is not required by the standard nor implemented by the reference, so how many commodity hardware makers are going to bother?

    2. Re:Response to criticism by Anonymous Coward · · Score: 5, Insightful

      Part of the argument the PLAID designers are making boils down to "well it's theoretically possible to implement it securely even if the standard doesn't warn you about that risk, nobody does it right, and even the reference implementation got it wrong".

      For examples of how well that works out in real life, see:

      * WiFi WPS pins - just search the web for "WiFi WPS pin attack" - most WiFi routers were vulnerable
      * DNS source port randomisation - http://www.kb.cert.org/vuls/id/800113 - most DNS resolvers were vulnerable
      * PKCS#1 signature validation - https://www.imperialviolet.org/2014/09/26/pkcs1.html - most browsers were vulnerable
      * Many others

  5. Re:Australians lost a long time ago by BadDreamer · · Score: 5, Informative

    Australia is at about 1 homicide per 100,000 inhabitants per year. The rate has been steadily declining since 1990. In the US it's at around 4.5 homicides per 100,000 inhabitants per year.

    Robberies are at around half the rate of what they are in the US. Sexual assault is about equivalent, though it used to be higher before the new gun legislation.

  6. Re:Australians lost a long time ago by hawguy · · Score: 3, Informative

    Here, now you know how to fish.

    Australia's robbery rate is about half (55%) that of the US, overall murder rate is about 1/4.

            http://www.nationmaster.com/co...

    And I'll just throw this out there, last night in my town, someone not only managed to shoot himself in the foot, but the same bullet seriously injured a 9 year old neighbor:

            http://abc7news.com/news/san-j...

  7. amateur hour at the crypto factory.... by xeno · · Score: 4, Insightful

    It's irrelevant to the core logic of the issue, but misspellings and grammar errors are a pretty good indicator of the quality of a piece of work.
    A "mute" item would be "(1) refraining from making sound or (2) silent" -- one that does not make an actual audible sound.
    A "moot" item is one that is "(1) of no importance or (2) merely hypothetical."
    There are many other errors that seem to indicate this whole document was whipped up in a hurry by a pissed off individual without review, but the high-school-level error "mute point" sticks out like a sore thumb.

    Seeing this kind of minor but highly-visible mistake in the headings and TOC of a formal document... does not lend credibility to the whole.

    --
    I think not...(*poof*)