Skip to main content

Unpicking PLAID: a cryptographic analysis of an ISO-standards-track authentication protocol

International Journal of Information Security volume 15pages 637–657 (2016)Cite this article

Abstract

The Protocol for Lightweight Authentication of Identity (PLAID) aims at secure and private authentication between a smart card and a terminal. Originally developed by a unit of the Australian Department of Human Services for physical and logical access control, PLAID has now been standardized as an Australian standard AS-5185-2010 and is currently in the fast-track standardization process for ISO/IEC 25185-1. We present a cryptographic evaluation of PLAID. As well as reporting a number of undesirable cryptographic features of the protocol, we show that the privacy properties of PLAID are significantly weaker than claimed: using a variety of techniques, we can fingerprint and then later identify cards. These techniques involve a novel application of standard statistical and data analysis techniques in cryptography. We discuss potential countermeasures to our attacks and comment on our experiences with the standardization process of PLAID.

This is a preview of subscription content, access via your institution.

Access options

Buy single article

Instant access to the full article PDF.

USD 39.95

Price includes VAT (USA)
Tax calculation will be finalised during checkout.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6

Notes

  1. The standard neither specifies the exact format nor the length of this randomly generated string.

  2. The standard is ambiguous in whether the trial \(\text {KeySetID}\) of the IFD or the value contained in \({}^e\text {STR1}\) is stored.

  3. The standard does not specify what is meant by “authentication fails.” We assume the protocol aborts in this case.

  4. Though referring to ISO/IEC 9797-1 method 2, the PLAID draft standard explicitly describes a different padding method and thus makes unambiguous decoding impossible (cf. Sect. 5.4).

  5. Again, the standard does neither specify the exact format nor the length (note that \(\text {STR3}\) in Step 7 contains a variable sized field \(\text {Payload}\)) of this random byte string.

  6. See  [24] for a good introduction. The name stems from the problem initially being posed as that of estimating the total number of tanks in the German army from observing a subset of their serial numbers.

  7. Note that, in contrast to the first two scenarios, the third scenario and our according lunchtime attack is independent of the overall number of cards in the system.

  8. Recall that terminals announce their supported keysets by sending corresponding \(\text {KeySetID}\)s in the clear. As a consequence, any observer can see which keys are related to which resource/terminal.

  9. We note that the unauthenticated nature of the PLAID protocol messages has already been criticized in the national body comments on an earlier ISO draft [18]. In our attack, we exploit this weakness, refuting the claim of the current ISO draft [19, Annex H.1.1] that sending \({\text {KeySetID}{}\text {s}}\) in clear is “of no use to an attacker.”

  10. For 2048-bit RSA decryptions or signatures, [34] reports times of over 100 ms for mobile devices (without cryptographic coprocessor), while our simulations on an Intel Core i7 2.4 GHz are around 10 ms.

  11. The protocol explicitly notes that no error messages should be issued, but wrong implementations or side-channel attacks may reveal such information.

References

  1. Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: CRYPTO 1993, pp. 232–249. Springer Berlin, Hidelberg (1994)

  2. Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Eurocrypt 2000, pp. 139–155. Springer Berlin, Hidelberg (2000)

  3. Bellare, M., Boldyreva, A., Desai, A., Pointcheval, D.: Key-privacy in public-key encryption. In: ASIACRYPT 2001, pp. 566–582. Springer Berlin, Hidelberg (2001)

  4. Bhargavan, K., Fournet, C., Kohlweiss, M., Pironti, A., Strub, P.Y., Zanella Béguelin, S.: Proving the TLS handshake secure (as it is). 235–255 (2014). doi:10.1007/978-3-662-44381-1_14

  5. Bleichenbacher, D.: Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. 1–12 (1998)

  6. Brzuska, C., Fischlin, M., Smart, N.P., Warinschi, B., Williams, S.C.: Less is more: relaxed yet composable security notions for key exchange. Int. J. Inf. Secur. 12(4), 267–297 (2013)

    Article  Google Scholar 

  7. Centrelink: Protocol for Lightweight Authentication of Identity (PLAID)—Logical Smartcard Implementation Specification PLAID Version 8.0—Final. http://www.humanservices.gov.au/corporate/publications-and-resources/plaid/technical-specification (2009)

  8. Coisel, I., Martin, T.: Untangling RFID privacy models. J. Comput. Netw. Commun. doi:10.1155/2013/710275

  9. Dagdelen, Ö., Fischlin, M., Gagliardoni, T., Marson, G.A., Mittelbach, A., Onete, C.: A cryptographic analysis of OPACITY—(extended abstract). pp. 345–362 (2013). doi:10.1007/978-3-642-40203-6_20

  10. Degabriele, J.P., Fehr, V., Fischlin, M., Gagliardoni, T., Günther, F., Marson, G.A., Mittelbach, A., Paterson, K.G.: Response to “Nit-Picking PLAID AS & ISO Project Editors Report into ‘Unpicking Plaid’ ”. Cryptology ePrint Archive Forum, http://www.cryptoplexity.informatik.tu-darmstadt.de/media/crypt/pdf/plaid-editorreport-response.pdf (2014)

  11. Degabriele, J.P., Fehr, V., Fischlin, M., Gagliardoni, T., Günther, F., Marson, G.A., Mittelbach, A., Paterson, K.G.: Unpicking PLAID—a cryptographic analysis of an ISO-standards-track authentication protocol. In: 1st International Conference on Research in Security Standardisation (SSR 2014). Springer, Lecture Notes in Computer Science, vol. 8893, pp. 1–25 (2014)

  12. Degabriele, J.P., Fehr, V., Fischlin, M., Gagliardoni, T., Günther, F., Marson, G.A., Mittelbach, A., Paterson, K.G.: Unpicking PLAID—a cryptographic analysis of an ISO-standards-track authentication protocol. Cryptology ePrint Archive, Report 2014/728. http://eprint.iacr.org/ (2014)

  13. Department of Human Services: Protocol for Lightweight Authentication of Identity (PLAID). (2014). http://www.humanservices.gov.au/corporate/publications-and-resources/plaid/

  14. Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246 (Proposed Standard). http://www.ietf.org/rfc/rfc5246.txt, updated by RFCs 5746, 5878, 6176 (2008)

  15. Freedman, G.: Nit-Picking PLAID: AS & ISO Project Editors Report into “Unpicking Plaid”. Cryptology ePrint Archive Forum. https://dl.dropboxusercontent.com/u/41736374/UnpickingReport%20V1.pdf (2014)

  16. Freedman, G.: Personal communication by e-mail (2014)

  17. Giesen, F., Kohlar, F., Stebila, D.: On the security of TLS renegotiation. In: ACM Conference on Computer and Communications Security, pp. 387–398. ACM, New York (2013)

  18. ISO: DRAFT INTERNATIONAL STANDARD ISO/IEC DIS 25185–1 Identification cards—Integrated circuit card authentication protocols—Part 1: Protocol for Lightweight Authentication of Identity. International Organization for Standardization, Geneva (2012)

  19. ISO: DRAFT INTERNATIONAL STANDARD ISO/IEC DIS 25185-1.2 Identification cards—Integrated circuit card authentication protocols—Part 1: Protocol for Lightweight Authentication of Identity. International Organization for Standardization, Geneva (2014)

  20. ISO: Benefits of international standards. (2015). http://www.iso.org/iso/home/standards/benefitsofstandards.htm

  21. ISO 25185–1 Editor (2013) Disposition of comments on ISO/IEC 25185–1 Protocol for a lightweight authentication of devices

  22. Jager, T., Kohlar, F., Schäge, S., Schwenk, J.: On the security of TLS-DHE in the standard model. 273–293 (2012)

  23. Jager, T., Schinzel, S., Somorovsky, J.: Bleichenbacher’s attack strikes again: breaking PKCS#1 v1.5 in XML encryption. 752–769 (2012)

  24. Johnson, R.: Estimating the size of a population. Teach. Stat. 16(2), 50–52 (1994). http://www.mcs.sdsmt.edu/rwjohnso/html/tank.pdf

  25. Juels, A.: RFID security and privacy: a research survey. IEEE J. Selected Areas Commun. 24(2), 381–394 (2006)

    MathSciNet  Article  Google Scholar 

  26. Kaliski, B.: PKCS#1: RSA Encryption Version 1.5. RFC 2313 (1998)

  27. Kelsey, J.: Dual EC DRBG and NIST crypto process review. In: Invited talk at the Real World Cryptography Workshop 2015, January 7–9, London (2015)

  28. Kiat, K.H., Run, L.Y.: An analysis of OPACITY and PLAID protocols for contactless smart cards. Master’s thesis, Naval Postgraduate School, Monterey (2012)

  29. Kline, R.: Improving contactless security is goal of emerging PLAID project. http://secureidnews.com/news-item/improving-contactless-security-is-goal-of-emerging-plaid-project/, secureIDNews (2010)

  30. Krawczyk, H., Paterson, K.G., Wee, H.: On the security of the TLS protocol: a systematic analysis. (2013). doi:10.1007/978-3-642-40041-4_24

  31. Meyer, C., Somorovsky, J., Weiss, E., Schwenk, J.: Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks. In: 23rd USENIX Security Symposium (USENIX Security 14), USENIX Association, San Diego (2014). https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/meyer

  32. National Institute of Standards and Technology: Protocol for Lightweight Authentication of Identity (PLAID) Workshop (2009). http://csrc.nist.gov/news_events/plaid-workshop/

  33. National Institute of Standards and Technology: Cryptographic Standards and Guidelines Development Process (Second Draft). National Institute of Standards and Technology Interagency Report 7977. http://csrc.nist.gov/publications/drafts/nistir-7977/nistir_7977_second_draft.pdf (2015)

  34. Rifà-Pous, H., Herrera-Joancomartí, J.: Computational and energy costs of cryptographic algorithms on handheld devices. Future Internet 3(1), 31–48 (2011)

    Article  Google Scholar 

  35. Riskybiz: Risky Business 106—Centrelink’s new PLAID auth protocol. http://risky.biz/netcasts/risky-business/risky-business-106-centrelinks-new-plaid-auth-protocol (2009)

  36. Sakurada, H.: Security evaluation of the PLAID protocol using the ProVerif tool. http://crypto-protocol.nict.go.jp/data/eng/ISOIEC_Protocols/25185-1/25185-1_ProVerif.pdf (2013)

  37. Sanders, T.: The Aims and Principles of Standardization. International Organization for Standardization—ISO (1972)

  38. Standards Australia: AS 5185-2010 Protocol for Lightweight Authentication of IDentity (PLAID). Standards Australia (2010)

  39. Taylor, J.: Centrelink ID protocol still in trial phase. http://www.zdnet.com/centrelink-id-protocol-still-in-trial-phase-1339336953/, zDNet (2012)

  40. Vaudenay, S.: Security flaws induced by CBC padding - applications to SSL, IPSEC, WTLS. pp. 534–546 (2002)

  41. Watanabe, D.: Security analysis of PLAID. http://crypto-protocol.nict.go.jp/data/eng/ISOIEC_Protocols/25185-1/25185-1_Scyther.pdf (2013)

Download references

Acknowledgments

We thank Pooya Farshim for his contributions during the early stages of this paper, Andrew Waterhouse for providing insights on the ISO standardization process, and the anonymous reviewers for valuable comments. Marc Fischlin is supported by the Heisenberg grants Fi 940/3-1 and Fi 940/3-2 of the German Research Foundation (DFG). Tommaso Gagliardoni and Felix Günther are supported by the German Federal Ministry of Education and Research (BMBF) within EC SPRIDE. Felix Günther and Giorgia Azzurra Marson are supported by the DFG as part of the CRC 1119 CROSSING. Giorgia Azzurra Marson and Arno Mittelbach are supported by the Hessian LOEWE excellence initiative within CASED. Kenneth G. Paterson and Jean Paul Degabriele are supported by the Engineering and Physical Sciences Research Council (EPSRC) Leadership Fellowship EP/H005455/1.

Author information

Authors and Affiliations

  1. Information Security Group, Royal Holloway, University of London, London, UK

    Jean Paul Degabriele & Kenneth G. Paterson

  2. Cryptoplexity, Technische Universität Darmstadt, Darmstadt, Germany

    Victoria Fehr, Marc Fischlin, Tommaso Gagliardoni, Felix Günther, Giorgia Azzurra Marson & Arno Mittelbach

Authors
  1. Jean Paul Degabriele
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Victoria Fehr
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Marc Fischlin
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Tommaso Gagliardoni
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Felix Günther
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Giorgia Azzurra Marson
    View author publications

    You can also search for this author in PubMed Google Scholar

  7. Arno Mittelbach
    View author publications

    You can also search for this author in PubMed Google Scholar

  8. Kenneth G. Paterson
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Giorgia Azzurra Marson.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Degabriele, J.P., Fehr, V., Fischlin, M. et al. Unpicking PLAID: a cryptographic analysis of an ISO-standards-track authentication protocol. Int. J. Inf. Secur. 15, 637–657 (2016). https://doi.org/10.1007/s10207-015-0309-6

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10207-015-0309-6

Keywords

  • Protocol analysis
  • ISO standard
  • PLAID
  • Authentication protocol
  • Privacy