Key Reuse: Theory and Practice, Lecture notes of Cryptography and System Security

These lecture notes cover the concept of key reuse in cryptography, including its scope and potential applications, along with related topics such as joint security, cryptographic agility, and attacks on key reuse. The author, Kenny Paterson, is affiliated with Royal Holloway, University of London, and collaborated with several other researchers on this work. The notes include an outline of the topics covered and references to relevant standards and research papers.

Typology: Lecture notes

2021/2022

Uploaded on 05/11/2023

Key Reuse: Theory and Practice
Kenny Paterson
Royal Holloway, University of London
based on joint work with
Jean Paul Degabriele, Tibor Jager, Anja Lehmann, Jacob C.N. Schuldt,
Nigel P. Smart, Juraj Somorovsky, Martijn Stam, Mario Strefler, Susan Thomson
Workshop on Real-World Cryptography

Outline

1 Key Separation, Key Reuse, and Cryptographic Agility

2 Joint Security

3 Key Reuse in EMV

4 Cryptographic Agility

5 BC Attacks

6 Concluding Remarks

Motivation for Key Reuse

Reusing an asymmetric key-pair in different primitives can reduce:

  • Storage requirements for certificates and keys;
  • Costs of key certification;
  • Net certificate verification time;
  • Footprint of cryptographic code and development effort.

... but breaks the key separation principle of using different keys for different purposes.

Scope of Reuse

Reuse is not restricted to “encryption + signatures”, nor to the asymmetric setting: it could be, for example, “signature + static DH value” in a more complex protocol.

We may wish to reuse a key in the symmetric setting, e.g. CCM mode (CTR + CBC-MAC).

We may wish to use the same key in two different algorithms for the same primitive, e.g. RSA-OAEP and RSA-PKCS#1v1.5, or AES-CBC and AES-GCM.

  • As in the most recent edition of the XML standards.
  • Related to the concept of cryptographic agility.

Key Usage Extension

RFC 5280 (X.509v3): The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate. The usage restriction might be employed when a key that could be used for more than one operation is to be restricted.

Key Usage Extension

RFC 5280 (X.509v3):

    KeyUsage ::= BIT STRING {
        digitalSignature (0),
        nonRepudiation   (1),
        keyEncipherment  (2),
        dataEncipherment (3),
        keyAgreement     (4),
        keyCertSign      (5),
        cRLSign          (6),
        encipherOnly     (7),
        decipherOnly     (8) }

RFC 5280 (X.509v3): This profile does not restrict the combinations of bits that may be set in an instantiation of the keyUsage extension.
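
Because the profile allows any combination of bits, a relying party that cares about key separation has to check the combination itself. The following is an added example, not part of the original slides: it decodes the DER BIT STRING carried inside the keyUsage extension and reports whether one key is authorised for both signing and confidentiality operations. The two groupings, the function names and the sample encodings are assumptions constructed for this illustration.

```python
# Added example (not from the lecture): audit a DER-encoded KeyUsage value.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]
# Assumed grouping for this audit; RFC 5280 itself defines no such groups.
SIGNING = {"digitalSignature", "nonRepudiation", "keyCertSign", "cRLSign"}
CONFIDENTIALITY = {"keyEncipherment", "dataEncipherment", "keyAgreement"}


def decode_key_usage(der: bytes) -> set:
    """Return the names of the bits set in a DER KeyUsage BIT STRING."""
    if len(der) < 4 or der[0] != 0x03:
        raise ValueError("expected a BIT STRING with at least one content octet")
    length, unused, content = der[1], der[2], der[3:]
    if length != len(der) - 2 or length > 3 or unused > 7:
        raise ValueError("malformed KeyUsage length or unused-bits count")
    last = content[-1]
    # DER for named bits: padding bits are zero and trailing zero bits are
    # stripped, so the final encoded bit must be 1.
    if last & ((1 << unused) - 1) or not (last >> unused) & 1:
        raise ValueError("not a DER encoding")
    total_bits = 8 * len(content) - unused
    names = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        # Bit 0 is the most significant bit of the first content octet.
        if content[i // 8] & (0x80 >> (i % 8)):
            names.add(KEY_USAGE_BITS[i])
    return names


def audit(der: bytes) -> dict:
    """Report the asserted usages and whether they span both groups."""
    usage = decode_key_usage(der)
    mixed = bool(usage & SIGNING) and bool(usage & CONFIDENTIALITY)
    return {"usage": sorted(usage), "mixed": mixed}


# Constructed sample encodings (hex of the inner BIT STRING only).
SAMPLES = {
    "sign+encipher": "030205a0",   # digitalSignature, keyEncipherment
    "sign-only": "03020780",       # digitalSignature
    "ca": "03020106",              # keyCertSign, cRLSign
    "dh-decipher": "0303070880",   # keyAgreement, decipherOnly
}

if __name__ == "__main__":
    for label, hexval in SAMPLES.items():
        print(label, audit(bytes.fromhex(hexval)))
```

In a real certificate this BIT STRING is wrapped in the extension's OCTET STRING, which must be unwrapped before calling decode_key_usage.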

Joint Security of Signature and Encryption

Haber and Pinkas, Securely Combining Public-Key Cryptosystems, CCS’01:

  • First formal security models for joint security.
  • Secure combinations for some schemes in the random oracle model.
  • Only partial solutions in the standard model.

Joint Security of Signature and Encryption

Coron, Joye, Naccache and Paillier, Universal Padding Schemes for RSA, CRYPTO’02:

  • Signature padding scheme PSS also gives IND-CCA secure encryption.
  • Resulting encryption and signature schemes can securely use same RSA key-pair.
  • Proof of joint security in ROM.

Komano and Ohta, Efficient Universal Padding Techniques for Multiplicative Trapdoor One-Way Permutation, CRYPTO’03:

Consider OAEP+ and REACT encodings, also in ROM.

Joint Security of Signature and Encryption

P., Schuldt, Stam and Thomson, On the Joint Security of Encryption and Signature, Revisited, ASIACRYPT’11:

Target: to find new constructions for jointly secure combined schemes in the standard model.

Main contributions:

  • A trivial Cartesian product construction for benchmarking.
  • A generic construction from IBE: Naor trick + CHK transform + domain separation.
  • An efficient, specific construction using pairings.
  • (Applications to signcryption.)

The EMV Specification

EMV is the de facto global standard for IC credit/debit cards – Chip & PIN.

As of Q2 2012, there were 1.55 billion EMV cards in use worldwide.

Coming to the US real soon now.

The specification defines the inter-operation of IC cards with Point-of-Sale (PoS) terminals and Automated Teller Machines (ATMs).

EMV Cards

An EMV card contains a chip which allows it to perform cryptographic computations.

Every EMV card contains a symmetric key which it shares with the Issuing Bank.

Most cards are also equipped with RSA keys to compute signatures for card authentication and transaction authorization, and to encrypt the PIN between the terminal and the card.

Key Reuse in EMV

Given the constrained on-card processing environment, reducing the storage and computation consumed by the cryptographic functions in EMV is very important.

The EMV standard allows the same RSA key-pair to be used for both PIN encryption and CDA signature generation.

Encryption and signature algorithms are based on the RSA-PKCS#1v1.5 standards.

Is this key reuse detrimental to the security of the EMV system or not?