Subdividing Crypto with Smart Cards

1
Subdividing Crypto with Smart Cards

• Burt Kaliski, RSA LaboratoriesMay 2, 2000
• CardTech/SecurTech 2000

2
Smart Card Cryptography

• Smart cards are ideal for cryptographic
  operations
• But not all cryptographic operations can (or
  should) be implemented on smart cards
• Question How to subdivide securely between smart
  cards and other components?

3
Security Assumptions

• Typical assumptions about opponent
• 1. Knows specification of operation
• 2. Has full knowledge of output
• 3. May have full knowledge of input
• known input attack
• 4. May have full control of input
• chosen input attack
• 5. Has no access to internals
• Design goal prove operation secure under these
  assumptions

4
Achieving the Goal

• Typical security proofs focus on full operation,
  not individual elements
• i.e., no access to internals
• With a smart card implementation, proof must
  focus on how operations are subdivided
• Most methods can have acceptable security if
  subdivided, but some need special modifications

5
Attack Model

• Generally, a user may control access to smart
  card operations with a PIN
• Access to operations is thus limited to opponents
  who know the PIN
• But what if a hostile reader?
• What if a hostile user?
• e.g., private key on smart card owned by someone
  else
• Opponents goal one or more undetected results
• extreme case total compromise of private key

6
Example Scenarios

• Signature generation
• Key unwrapping
• both operations with private key

7
Signature Generation

• User signs message with private key
• ? SignK(M)
• Typical model hash, pad, signature primitive
• 1. h Hash(M)
• 2. x Pad(h)
• 3. ? SigPrimK(x)
• Security generally based on full SignK operation

8
Example PKCS 1 v1.5

• Signature method based on RSA algorithm, in
  widespread use
• Hash MD5 or SHA-1
• Pad(h) 00 01 ff ff ff ff 00 . HashID . h
• SigPrim(x) xd mod n

9
Signature Generation
Hash
Pad
SigPrim
Message
Signature
Key
10
Signature Generation
Hash
Pad
SigPrim
Message
Signature
Key
full operation may be impractical
11
Signature Generation
Hash
Pad
SigPrim
Message
Signature
Key
signature primitive only may not be secure
12
Signature Generation
Hash
Pad
SigPrim
Message
Signature
Key
signature primitive pad seems just about right
13
Assessment

• Full operation may be impractical, because
  message may be too long
• Signature primitive only may be insecure, because
  raw access given to private key
• at least a loss of assurance
• potential loss of tracing, e.g., via blind
  signatures
• Primitive pad is just about right
• short input
• no raw access
• but a security proof would be even better
• and smart card must know about padding method

14
Hash vs. Message

• Hostile reader can change the hash
• But if card does the hashing, reader can still
  change the message
• ? Hash, message essentially the same w.r.t.
  message integrity
• If card needs to know what its signing, should
  sign a smaller message containing critical
  fields, hash of rest

15
Key Unwrapping

• User recovers symmetric key with private key
• k UnwrapK(c)
• (presumably, another user has wrapped k)
• Typical model decryption primitive, unpad
• 1. x DecPrimK(c)
• 2. k Unpad(x)
• Security generally based on full UnwrapK operation

16
Assessment

• Decryption primitive only may be insecure,
  because raw access given to private key
• Primitive unpad is just about right (with
  appropriate padding method)
• short input
• no raw access
• security proof is often available, e.g., OAEP
  encryption
• (OAEP Optimal Asymmetric Encryption Padding
  Bellare and Rogaway, 1994, as in PKCS 1 v2.0)

17
Symmetric Key vs. Message

• Hostile reader can read the symmetric key
• But if card does the decryption, reader can read
  the message
• ? Key, message essentially the same w.r.t.
  message confidentiality, if one message per key
• If more than one message per key, then card
  should keep the key

18
Case Study PSS

• New signature method with provable security
  (Bellare and Rogaway, 1996) based on RSA
  algorithm
• proposed for PKCS 1 v2.1, IEEE P1363a,ISO/IEC
  9796-2
• Initial model randomized hash, pad, signature
  primitive
• 1. h Hash(M, salt), where salt random
• 2. x Pad(h, salt)
• 3. ? SigPrimK(x)
• Security based on full SignK operation

19
Details of Initial PSS

• Hash SHA-1, etc.
• Pad(h, salt) 00 . h . (G(h) xor (salt . 00
  00))
• where G is mask generation function
• SigPrim(x) xd mod n
• Provable security under random oracle model
• Hash, G viewed as black box
• assumes opponent can only control message, not
  hash value
• heuristic security if opponent can control hash

20
Assessment

• Full operation may be impractical, because
  message may be too long
• Signature primitive only may be insecure, because
  raw access given to private key
• Primitive pad is not just about right
• security proof assumes that attacker cannot
  control hash value

21
Revised PSS

• Alternative model to accommodate subdivision
  hash, (randomized) pad, signature primitive
• 1. h Hash(M)
• 2. x Pad(h)
• 3. ? SigPrimK(x)
• Security for full SignK operation, and for
  primitive pad
• Additional benefit protection against fault
  analysis attacks

22
Details of Revised PSS

• Hash SHA-1, etc.
• Pad(h) 00 . w . (G(w) xor (salt . 00 01))
• where w Hash(h, salt)
• salted hash has been moved inside
• some details omitted, e.g., header and trailer
  fields
• SigPrim(x) xd mod n
• Provable security, even if attacker can control
  hash value

23
Conclusions

• Smart cards are ideal for cryptographic
  operations
• But cryptographic methods havent always been
  designed for smart cards
• New methods, like PSS, should take subdivision of
  operations into account