Unpicking PLAID

A Cryptographic Analysis of an ISO-Standards-Track Authentication Protocol

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 8893)

Abstract

The Protocol for Lightweight Authentication of Identity (PLAID) aims at secure and private authentication between a smart card and a terminal. Originally developed by a unit of the Australian Department of Human Services for physical and logical access control, PLAID has now been standardized as an Australian standard AS-5185-2010 and is currently in the fast track standardization process for ISO/IEC 25185-1.2. We present a cryptographic evaluation of PLAID. As well as reporting a number of undesirable cryptographic features of the protocol, we show that the privacy properties of PLAID are significantly weaker than claimed: using a variety of techniques we can fingerprint and then later identify cards. These techniques involve a novel application of standard statistical and data analysis techniques in cryptography. We also discuss countermeasures to our attacks.

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Degabriele, J.P. et al. (2014). Unpicking PLAID. In: Chen, L., Mitchell, C. (eds) Security Standardisation Research. SSR 2014. Lecture Notes in Computer Science, vol 8893. Springer, Cham. https://doi.org/10.1007/978-3-319-14054-4_1

  • DOI: https://doi.org/10.1007/978-3-319-14054-4_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-14053-7

  • Online ISBN: 978-3-319-14054-4

  • eBook Packages: Computer Science, Computer Science (R0)
