Post on 15-Dec-2015
© UCL Crypto group – October 2004 – DIMACS - Smart Theory Meets Smartcard Practice
Smart Theory Meets Smartcard Practice
Jean-Jacques Quisquater jjq@dice.ucl.ac.be
Research Director CNRS, France, and Université catholique de Louvain, Louvain-la-Neuve, Belgium
UCL Crypto Group http://uclcrypto.org
Part of this work done while visiting scientist at MIT-CSAIL
Contents
• Introduction
• Smart cards
• IBC
• Remote integrity
• Using bad primitives
• Conclusion
Goal of the talk
• Show by examples that reasoning with tamperproof devices, and doing crypto with constrained objects, is interesting for both theoretical and practical purposes.
Short Story of Smart Cards
• René Barjavel (1966) « La nuit des temps » (Gondas)
• several inventors in USA (IBM - 1968), Japan, Germany, France
• Roland Moreno (F) pushed the right version (1974)
• Michel Ugon and Louis Guillou were the technical inventors (~ 1977)
• SPOM: single chip (security): 1981: first crypto algo and protocol (secret key): tests in France
• first DES: 1985 (TRASEC, Belgium, TB100 -> Proton)
• first RSA: CORSAIR (Philips): 1989 (coprocessor)
• ...
• in some sense smart angel-in-the-box (Shai Halevi, yesterday).
Ring by Moreno (1974) and first smart card (1980)
The chip (IC)
[Block diagram of the chip: ROM, EEPROM / flash memory, CPU, I/O, coprocessor (DES - RSA - ECC), security logic, RAM, sensors, firewall; external contacts: Reset, Ground, Volt, Clock]
A complete computer
Passive attacks
[Diagram: the chip with its contacts CLK, GRD, VCC, RST, I/O, and the points where each attack observes it]
1. timing
2. SPA-DPA
3. probing
4. measures of radiations
Active fault attacks (Bellcore attack)
Key=1010110...
Tamperproof model
[Diagram: SENDER k (Alice) computes E(m) and sends the encrypted message E(m)=10010100111; RECEIVER k (Bob) computes D(E(m))=m]
Tamperproof model => asymmetric crypto (DH-RSA – 1980 public)
[Diagram: SENDER k (Alice), only able to encrypt, sends E(m)=10010100111; RECEIVER k (Bob), only able to decrypt, computes D(E(m))=m]
Identification with identity-based crypto (Shamir 1984, Guillou 1984, Fiat-Shamir 1986)
[Diagram: the Authority computes k = KE(Id) and loads Id and k into the PROVER card. PROVER (k, Id) sends Id, receives the surprise r and answers with the response R = E(r). VERIFIER (K) computes k = KE(Id) and checks E(r) = ? R]
Identity-Based Encryption
• Adi Shamir: Identity-Based Cryptosystems and Signature Schemes. CRYPTO 1984: 47-53.
• Yvo Desmedt, Q.: Public-Key Systems Based on the Difficulty of Tampering (Is There a Difference Between DES and RSA?). CRYPTO 1986: 111-117.
• Dan Boneh, Matthew K. Franklin: Identity-Based Encryption from the Weil Pairing. CRYPTO 2001: 213-229.
• Clifford Cocks: An Identity Based Encryption Scheme Based on Quadratic Residues. LNCS, Proc. of the 8th IMA Intern. Conf. on Cryptography and Coding 2001: 360-363.
Hierarchical IBC?
• Was done also in 1984
• The easy way: you iterate the process with cards being mother, daughter, granddaughter, and so on.
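The identification protocol of the previous slide, with the hierarchical iteration of KE from this one, as an added example that is not part of the talk. It assumes (the slides fix neither) that KE is an HMAC-SHA256 key derivation and that E is HMAC-SHA256 as well; the master key K lives only inside the tamperproof verifier card.

```python
import hashlib
import hmac
import secrets

# Assumption (not fixed by the slides): KE and E are both instantiated with HMAC-SHA256,
# KE acting as a key-derivation function and E as a keyed response function.

def derive_key(parent_key: bytes, identity: bytes) -> bytes:
    """KE(Id): derive the key of a card with identity Id from its parent's key."""
    return hmac.new(parent_key, b"card-key|" + identity, hashlib.sha256).digest()

def derive_chain(master_key: bytes, path: tuple) -> bytes:
    """Hierarchical variant: iterate KE down mother, daughter, granddaughter, ..."""
    k = master_key
    for identity in path:
        k = derive_key(k, identity)
    return k

class ProverCard:
    """The card issued to a user: holds its chain of identities and its secret key k."""
    def __init__(self, path: tuple, k: bytes):
        self.path = path
        self._k = k  # never exported; only used inside respond()

    def respond(self, surprise: bytes) -> bytes:
        # Response R = E_k(r)
        return hmac.new(self._k, surprise, hashlib.sha256).digest()

class VerifierCard:
    """Tamperproof verifier: holds the authority's master key K and recomputes k = KE(Id)."""
    def __init__(self, master_key: bytes):
        self._K = master_key

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)  # the "surprise" r

    def verify(self, path: tuple, surprise: bytes, response: bytes) -> bool:
        k = derive_chain(self._K, path)  # k = KE(Id), iterated along the hierarchy
        expected = hmac.new(k, surprise, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # E_k(r) = ? R

def identify(verifier: VerifierCard, prover: ProverCard) -> bool:
    """One run of the protocol: Id -> surprise r -> response R -> check."""
    r = verifier.challenge()
    R = prover.respond(r)
    return verifier.verify(prover.path, r, R)
```

Whoever holds K can derive every card's key, which is exactly why the verifier side must be tamperproof in this symmetric setting.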
Tamperproof model useful?
• Sometimes proof of concept
• Sometimes useful to simulate public-key crypto in closed systems
• Yes, but we don’t know how to translate tamperproof into trapdoor in a crypto function.
First smart card (1980)
Security with two chips or with an unsecure server?
• One chip is tamperproof but slow,
• The other one is an unsecure memory or a fast unsecure processor, …
• Philippe Béguin, Q.: Secure Acceleration of DSS Signatures Using Insecure Server. ASIACRYPT 1994: 249-259
• Possible for ElGamal signatures with small memory
• RSA? See Philippe Béguin, Q.: Fast Server-Aided RSA Signatures Secure Against Active Attacks. CRYPTO 1995: 57-69
• but parameters need to be changed due to an attack by Nguyen–Stern (Asiacrypt 1998). Better?
• Work in progress
New problem: “remote integrity” (better than Tripwire®?)
IICIS 2003: Deswarte, Q., Saïdane
[Diagram: PROVER = smart card holding Id and M (secret); VERIFIER holding r, A and h(M). The prover sends Id, the verifier sends the surprise A, the prover answers with the response R, and the verifier checks f(r, h(M)) = R? Caption: a lot of smart cards]
Protocol for remote integrity
• GENERAL INIT: Let M = (content of the file), an integer; n = pq (RSA modulus, 1024 bits) public, factorisation secret; a = a random number, 1 < a < n-1, secret (chosen by verifier)
• INIT for ONE FILE: h = a^M mod n precomputed by verifier
• Verifier generates a random number r and computes challenge A = a^r mod n
• Smart card computes response: R = A^M mod n and sends R (or a part of it)
• Verifier computes C = h^r mod n and checks if R = C = a^(Mr) mod n
• Diffie-Hellman protocol
• Problem: Proof!
• Work in progress (optimisations)
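The protocol above run end to end, as an added example that is not part of the talk: the verifier keeps the secret base a and the precomputed h = a^M mod n, the card answers A^M mod n over the file as it currently is, and a changed file makes the check fail. The modulus is a constructed toy n = pq (two small well-known primes), not the 1024-bit modulus the slide calls for.

```python
import secrets

# Constructed toy parameters: the slide uses a 1024-bit RSA modulus n = pq whose
# factorisation stays secret; these two primes are far too small for real use.
P = 1000000007
Q = 998244353
N = P * Q

def file_as_integer(content: bytes) -> int:
    """M = (content of the file) read as one big integer."""
    return int.from_bytes(content, "big")

class Verifier:
    """Verifier side: secret base a, and h = a^M mod n precomputed per file."""
    def __init__(self, n: int, a: int = None):
        self.n = n
        # GENERAL INIT: a random, 1 < a < n-1, chosen by the verifier and kept secret.
        self.a = a if a is not None else secrets.randbelow(n - 3) + 2
        self.h = {}

    def init_file(self, file_id: str, content: bytes) -> None:
        # INIT for ONE FILE: h = a^M mod n, computed once from the known-good content.
        self.h[file_id] = pow(self.a, file_as_integer(content), self.n)

    def challenge(self) -> tuple:
        # Fresh random r; the challenge A = a^r mod n goes to the card, r stays here.
        r = secrets.randbelow(self.n - 2) + 1
        return r, pow(self.a, r, self.n)

    def check(self, file_id: str, r: int, response: int) -> bool:
        # C = h^r = a^(Mr) mod n must equal the card's R = A^M = a^(rM) mod n.
        return response == pow(self.h[file_id], r, self.n)

def card_response(n: int, challenge_a: int, current_content: bytes) -> int:
    """Smart card side: R = A^M mod n over the file as it is on the machine now."""
    return pow(challenge_a, file_as_integer(current_content), n)

def remote_integrity_check(verifier: Verifier, file_id: str, current_content: bytes) -> bool:
    """One run: challenge, response, verification. False means the file changed."""
    r, A = verifier.challenge()
    R = card_response(verifier.n, A, current_content)
    return verifier.check(file_id, r, R)
```

Because M enters only as an exponent, the cost of each response grows with the file size (the slide's "optimisations"), and the factorisation of n must stay secret: with lcm(p-1, q-1) known, a different M' with the same response could be found.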
Using bad primitives?
[Diagram: PROVER (k, h(), r1) sends h(r1) (weak commitment); VERIFIER (k) sends r2; PROVER answers with the response R = E(r1+r2) together with r1; VERIFIER checks E(r1+r2) = R?]
• Bad random generator
• Breakable hash function h()
• E: resists linear crypto
• E: bad for differential crypto
General conclusion
Thinking theoretically with strongly constrained objects sets interesting problems with practical results.
Many open problems.