Australian Gov't Offers $560k Cryptographic Protocol For Free 163
mask.of.sanity writes "Australia's national welfare agency will release its 'unbreakable' AU$560,000 smart card identification protocol for free. The government agency wants other departments and commercial businesses to adopt the Protocol for Lightweight Authentication of ID (PLAID), which withstood three years of design and testing by Australian and American security agencies. The agency has one of Australia's most advanced physical and logical converged security systems: staff can access doors and computers with a single centrally-managed identity card, and user identities can be automatically updated as employees leave, are recruited or move to new departments. PLAID, which will be available soon, is to be used in the agency's incoming fleet of contact-less smartcards that are currently under trial by staff. It will replace existing identity cards that operate on PKI encryption."
Re:It scares me when ... (Score:2, Interesting)
I guess it's perfectly OK. It withstood 3 years of in-agency cracking. Now they want to see whether it will survive in the wild. What better method than to claim it is unbreakable? If it has vulnerabilities known to modern cryptanalysis, all the tech news will laugh and point at them - quite an easy event to spot. Some people are not afraid to be laughed at if they get what they need...
contactless smart cards are the way to go (Score:3, Interesting)
Imagine government IDs had contactless smart cards with certificates on them keyed to an ID database managed by the government (for revocation purposes and identity information). Now imagine contactless smart card readers were standard equipment in PCs.
You would just need one card in your wallet to log you in to any computer or web site, make purchases, board planes or trains... anything! No more wasted effort on having a hundred weak authentication cards and passwords. You have one strong authentication method that can't be forged, or at least not without fantastically more effort than forging a check or credit card.
Enormous economic and security benefit.
Re:contactless smart cards are the way to go (Score:3, Interesting)
You would just need one card in your wallet to log you in to any computer or web site, make purchases, board planes or trains... anything! No more wasted effort on having a hundred weak authentication cards and passwords. You have one strong authentication method that can't be forged, or at least not without fantastically more effort than forging a check or credit card.
Enormous economic and security benefit.
Until you lose your wallet and the person who finds it has complete control to ruin every aspect of your life connected to said card... ...
Re:contactless smart cards are the way to go (Score:5, Interesting)
Until you lose your wallet and the person who finds it has complete control to ruin every aspect of your life connected to said card... ...
Yes, because clearly they would have no system to revoke lost cards.
Re:contactless smart cards are the way to go (Score:4, Interesting)
Enormous economic and security benefit.
Yes, for just $429.95 I will sell you a very nice mask and a programmable contactless identity chip. Enormous economic benefit to me, enormous security benefit to you. Well, it will benefit you in bypassing security, and framing someone for a crime anyway.
You still need at minimum two-factor authentication to be secure, so you're still going to need a PIN for non-trivial uses. However, even non-trivial uses could be enough to get you into plenty of trouble.
It's not hard to consolidate multiple usernames and passwords down to a single username and password. This is done for users through any number of freely available schemes. This is preferable to concentrating them down to a single system which, when corrupted (not "if") will permit virtually unlimited abuse. I do not believe that you are so helpless that you need government to assist you with password management. Therefore I submit that you are trolling. You could call it sarcasm if you had left any clues in your comment. Perhaps you used > rather than & someplace?
Re:I laugh ... (Score:5, Interesting)
This allows one to completely securely transmit up to n bits of data from a source stream, and because the source and destination can pick new X and Y values with every transmission, unencrypted data is never found on any transmitted data stream. The likelihood of breaking it is genuinely 1 in 2^n and it can only be broken by a brute-force attack. Factoring methods will not break the encryption because what would normally be associated as a public/private key pair (X,Y) in some other encryption protocols is never shared with the other party.
Re:I laugh ... (Score:4, Interesting)
... when an organization claims that they're going to provide something that's unbreakable [securityfocus.com] The claim is usually an open invitation to reduce the "unbreakable" object to ashes.
This one has already been under discussion and review by the cryptologic community for several years now. It has received a lot of attention by the top academic cryptographers, as well as by government organizations like the NSA.
Never say never, and I'm sure the "unbreakable" word came from management or from news agencies, not the authors of the protocol, but I'll be very surprised if this is broken.
Re:contactless smart cards are the way to go (Score:3, Interesting)
Yes, because the govt. has shown such wisdom in the past by making it easy to replace social security numbers.
Re:Yeah Right... (Score:4, Interesting)
Well, these are off-the-shelf cards, so if there are back doors, they're already there. That has nothing to do with this protocol.
Also, it's not really accurate to say that Javacards have a "back door if you know the keys". They're delivered from the manufacturer with an initial key set, which is generally swapped out for new, randomly-generated keys by the card issuer. The card issuer knows those keys and can use them to install and remove applets and what not. The card issuer is the true owner of the card, and has complete control over it, because they know the keys. That's not so much a "back door" as the reality that the card holder is generally not the one that owns the card.
Parent is fail! Don't take crypto advice on /. (Score:4, Interesting)
Meh.... unbreakable encryption is easy, or so close to it that the difference is largely irrelevant: [protocol] [...]
Well, this will have to be performed over a channel which solves almost all the important cryptographic problems.
If not, consider this scenario:
Alice wants to send something to Bob. Both know A, B and C (why not p, q and n?). She sends out D^Xs. She receives D' from someone. She sends out D'^Ys.
Consider Bob: he receives E from someone, sends out E^Xd. Then he receives E' from someone and computes E'^Yd.
There is no guarantee and no way to check whether "someone" is the person you think you're talking to; they might appear to be Bob in Alice's eyes and vice versa while in reality they're Doctor Evil.
There's also no way to be sure that the message(s) you receive from the network have any particular relation to what you sent out. Doctor Evil could, for instance, multiply the data by 2 without anyone noticing.
Besides, doing modular exponentiation is slow like molasses. You really do not want to do that for every chunk of data; you'd much rather use those kinds of operations to agree on a (secret) key for a symmetric cipher (say, AES) and then encrypt the data using the symmetric cipher.
I hope to god no one implements this.
Factoring methods will not break the encryption because what would normally be associated as a public/private key pair (X,Y) in some other encryption protocols is never shared with the other party.
And that is why all you can know is that you sent an encrypted message to someone: there's nothing distinguishing your intended receiver from anyone else. The sender/receiver has no shared secret knowledge, nor any private/public asymmetric knowledge, so anyone can do the same computations as either intended party in this protocol.
Similar to optimization, there are two rules for cryptography:
If you're curious about my background, I'm a crypto phd student (that I am, even if you're not curious). I want to stress: I'm not trying to make an argument from authority.
I'm also not trying to make crypto an exclusive thing; I welcome anyone to educate themselves on the matters of cryptography. It's just that this shit is hard, and if you don't know your shit, your own designs are extremely likely to be insecure.
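The exchange the comment above picks apart, written out as an added example (not the poster's code and not part of the thread). The modulus, the party names and the message encoding are assumptions; the protocol is the commutative-exponentiation "three-pass" scheme the comment describes, with Y chosen as the inverse of X modulo p-1 so that applying Y undoes X. Three runs are shown: the honest one, a Mallory who simply plays Bob towards Alice and Alice towards Bob, and a relay attacker who never learns the message but still changes what Bob recovers.

```python
"""Three-pass commutative-exponentiation exchange and two attacks on it.

Added example, not from the Slashdot thread.  Names, the modulus and the
sample message are assumptions made for illustration.
"""
from __future__ import annotations

import math
import secrets

# Demonstration modulus: the Mersenne prime 2**127 - 1.  Far too small for any
# real use, but certainly prime, so by Fermat's little theorem an exponent and
# its inverse mod p-1 cancel for every element of the group.  The thread names
# no parameters; this choice is an assumption.
P = (1 << 127) - 1


def make_exponent(p: int) -> tuple[int, int]:
    """Pick a random secret X coprime to p-1 and its inverse Y = X^-1 mod (p-1),
    so that pow(pow(m, X, p), Y, p) == m for every 0 < m < p."""
    while True:
        x = secrets.randbelow(p - 1)
        if x > 1 and math.gcd(x, p - 1) == 1:
            return x, pow(x, -1, p - 1)


class Party:
    """One endpoint: knows only the public modulus and its own (X, Y) pair.
    Nothing here is tied to an identity, which is the whole problem."""

    def __init__(self, p: int) -> None:
        self.p = p
        self.x, self.y = make_exponent(p)

    def lock(self, value: int) -> int:      # apply X
        return pow(value, self.x, self.p)

    def unlock(self, value: int) -> int:    # apply Y, undoing this party's X
        return pow(value, self.y, self.p)


def three_pass(sender: Party, receiver: Party, m: int) -> int:
    """sender -> receiver: m^Xs
       receiver -> sender: (m^Xs)^Xd
       sender -> receiver: ((m^Xs)^Xd)^Ys = m^Xd
       receiver computes (m^Xd)^Yd = m.  Returns what the receiver recovers."""
    d = sender.lock(m)        # message 1
    e = receiver.lock(d)      # message 2
    f = sender.unlock(e)      # message 3
    return receiver.unlock(f)


def honest_run(m: int, p: int = P) -> int:
    """Alice and Bob, nobody in between: Bob recovers m."""
    return three_pass(Party(p), Party(p), m)


def mitm_run(m: int, fake: int, p: int = P) -> tuple[int, int]:
    """Mallory sits on the wire.  Since no message carries anything only Bob
    could produce, she completes the protocol with Alice as 'Bob' (and reads
    m), then completes it with Bob as 'Alice' and hands him whatever she likes.
    Returns (what Mallory learned, what Bob received)."""
    alice, bob, mallory = Party(p), Party(p), Party(p)
    learned = three_pass(alice, mallory, m)
    delivered = three_pass(mallory, bob, fake)
    return learned, delivered


def tamper_run(m: int, k: int, p: int = P) -> int:
    """A relay attacker who never learns m still controls what Bob gets:
    raising message 3 (= m^Xd) to k gives (m^k)^Xd, so Bob recovers m^k mod p
    and has no way to notice."""
    alice, bob = Party(p), Party(p)
    f = alice.unlock(bob.lock(alice.lock(m)))
    f_tampered = pow(f, k, p)   # the attacker's edit on the wire
    return bob.unlock(f_tampered)


if __name__ == "__main__":
    msg = int.from_bytes(b"attack at dawn", "big")  # constructed sample, < P
    assert honest_run(msg) == msg
    learned, delivered = mitm_run(msg, int.from_bytes(b"retreat", "big"))
    print("Mallory read:", learned.to_bytes(16, "big").lstrip(b"\0"))
    print("Bob received:", delivered.to_bytes(16, "big").lstrip(b"\0"))
    print("Tampered run gives Bob m^2:", tamper_run(msg, 2) == pow(msg, 2, P))
```

Nothing in `three_pass` ever consults who the other party is, which is the point of the comment: the exponents are secrets, but they are secrets nobody else needs to know, so they authenticate nothing and bind nothing.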
Re:A little more info (Score:5, Interesting)
The protocol looks unremarkable. They pass some entropy and IDs back and forth, using conventional standards based encryption and hash algorithms.
That's a good thing.
Their problem is keeping the cards secure and they state clearly that they are using commercially available smart cards.
Which is also a good thing, as long as these cards have been analyzed well. I would be worried if they were using cards with "military grade" security meaning that they were only analyzed by few, without any standardized security level like FIPS or CC.
There are secrets in the cards, an RSA private key and an AES master key. The bigger problem is keeping these secrets in the cards and distributing the keys to cards. The PLAID protocol has no bearing on these matters.
Sorry, but you are wrong on both matters.
The RSA private key and AES master keys are not on the card. It contains the RSA public key and the AES derived key (one that is specific to the card).
There are many interesting things about this protocol. Let's have a list so I can get a few mod points on this old discussion:
Ok, for some disadvantages
All in all, this protocol is very interesting for mutual authentication. I'll have to look into it further (e.g. how much the private key needs to stay private).
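To make the point about what lives on the card concrete, here is an added example (not PLAID, not from the thread, and not any agency's code) of the general key-diversification pattern the comment above refers to: the issuer keeps a master key, each card carries only a key derived from the master and its own ID, and the host re-derives that key per card at authentication time. HMAC-SHA256 stands in for the AES-based derivation and MACs a real issuer would use; the key labels, ID format and nonce sizes are assumptions.

```python
"""Per-card key diversification with mutual challenge-response.

Added example; it is not PLAID.  The KDF (HMAC-SHA256 in place of AES),
the labels and the sample IDs are assumptions made for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed sample: the issuer's master key.  It exists only on the host
# side and is never written to any card.
MASTER_KEY = bytes.fromhex("0f" * 32)


def _mac(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Keyed MAC over a labelled, length-delimited message."""
    h = hmac.new(key, label, hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def derive_card_key(master: bytes, card_id: bytes) -> bytes:
    """Card key = PRF(master, card_id).  A stolen card key gives no information
    about the master or about any other card's key (one-way PRF)."""
    return _mac(master, b"card-auth-key", card_id)


class Card:
    """What is actually personalised onto the card: its ID and its own key."""

    def __init__(self, card_id: bytes, card_key: bytes) -> None:
        self.card_id = card_id
        self._key = card_key

    def respond(self, host_nonce: bytes) -> tuple[bytes, bytes]:
        """Answer the host's challenge with a fresh nonce and a MAC over both."""
        card_nonce = secrets.token_bytes(16)
        tag = _mac(self._key, b"card->host", self.card_id, host_nonce, card_nonce)
        return card_nonce, tag

    def verify_host(self, host_nonce: bytes, card_nonce: bytes, host_tag: bytes) -> bool:
        """The card's half of mutual auth: only a host that knows the card's
        key (i.e. holds the master) can produce this tag."""
        expected = _mac(self._key, b"host->card", self.card_id, host_nonce, card_nonce)
        return hmac.compare_digest(host_tag, expected)


class Host:
    """Issuer-side reader/back end.  Holds the master key and derives each
    card's key on demand, so no per-card key table is stored anywhere."""

    def __init__(self, master: bytes) -> None:
        self._master = master

    def card_key_for(self, card_id: bytes) -> bytes:
        return derive_card_key(self._master, card_id)


def issue_card(master: bytes, card_id: bytes) -> Card:
    """Personalisation step: the card receives only its derived key."""
    return Card(card_id, derive_card_key(master, card_id))


def mutual_authenticate(host: Host, card: Card) -> tuple[bool, bool]:
    """Run the exchange; returns (host accepted card, card accepted host).
    The host aborts before proving itself if the card's tag is wrong, so a
    probe with a wrong key learns nothing from the host."""
    host_nonce = secrets.token_bytes(16)
    card_nonce, card_tag = card.respond(host_nonce)
    key = host.card_key_for(card.card_id)
    host_ok = hmac.compare_digest(
        card_tag, _mac(key, b"card->host", card.card_id, host_nonce, card_nonce)
    )
    if not host_ok:
        return False, False
    host_tag = _mac(key, b"host->card", card.card_id, host_nonce, card_nonce)
    return True, card.verify_host(host_nonce, card_nonce, host_tag)


if __name__ == "__main__":
    host = Host(MASTER_KEY)
    genuine = issue_card(MASTER_KEY, b"card-0001")
    print("genuine card:", mutual_authenticate(host, genuine))
    # Attacker extracted card-0001's key and wrote it onto a card claiming to be card-0002.
    clone = Card(b"card-0002", derive_card_key(MASTER_KEY, b"card-0001"))
    print("cloned key, other ID:", mutual_authenticate(host, clone))
    # A rogue reader without the master key cannot satisfy a genuine card.
    print("rogue host:", mutual_authenticate(Host(secrets.token_bytes(32)), genuine))
```

The thing to take from the example is the split in the comment above: compromising one card yields one derived key, which authenticates exactly that card ID and nothing else, while the master key, which would let an attacker mint keys for any ID, never leaves the issuer.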