On the Joint Security of Encryption and Signature in EMV

  • Jean Paul Degabriele
  • Anja Lehmann
  • Kenneth G. Paterson
  • Nigel P. Smart
  • Mario Strefler
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7178)

Abstract

We provide an analysis of current and future algorithms for signature and encryption in the EMV standards in the case where a single key-pair is used for both signature and encryption. We give a theoretical attack for EMV’s current RSA-based algorithms, showing how access to a partial decryption oracle can be used to forge a signature on a freely chosen message. We show how the attack might be integrated into EMV’s CDA protocol flow, enabling an attacker with a wedge device to complete an offline transaction without knowing the cardholder’s PIN. Finally, the elliptic curve signature and encryption algorithms that are likely to be adopted in a forthcoming version of the EMV standards are analyzed in the single key-pair setting, and shown to be secure.

Keywords

Hash Function Elliptic Curve Encryption Scheme Signature Scheme Random Oracle 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Abdalla, M., Bellare, M., Rogaway, P.: The Oracle Diffie-Hellman Assumptions and an Analysis of DHIES. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 143–158. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  2. 2.
    An, J.H., Dodis, Y., Rabin, T.: On the Security of Joint Signature and Encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 83–107. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  3. 3.
    Bleichenbacher, D.: Chosen Ciphertext Attacks against Protocols Based on the RSA Encryption Standard PKCS #1. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, p. 1. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  4. 4.
    Brown, D.: Generic groups, collision resistance, and ECDSA. Des. Codes Cryptography 35, 119–152 (2005)MathSciNetCrossRefMATHGoogle Scholar
  5. 5.
    Brown, D.: On the provable security of ECDSA. In: Seroussi, G., Blake, I.F., Smart, N.P. (eds.) Advances in Elliptic Curve Cryptography, pp. 21–40. Cambridge University Press (2005)Google Scholar
  6. 6.
    Coron, J.-S., Joye, M., Naccache, D., Paillier, P.: Universal Padding Schemes for RSA. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 226–241. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  7. 7.
    Coron, J.-S., Naccache, D., Tibouchi, M.: Fault Attacks against EMV Signatures. In: Pieprzyk, J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 208–220. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  8. 8.
    Coron, J.-S., Naccache, D., Tibouchi, M., Weinmann, R.-P.: Practical Cryptanalysis of ISO/IEC 9796-2 and EMV Signatures. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 428–444. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  9. 9.
    Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM Journal on Computing 33, 167–226 (2003)MathSciNetCrossRefMATHGoogle Scholar
  10. 10.
    Dent, A.W.: Proofs of security for ECIES. In: Seroussi, G., Blake, I.F., Smart, N.P. (eds.) Advances in Elliptic Curve Cryptography, pp. 41–66. Cambridge University Press (2005)Google Scholar
  11. 11.
    Desmedt, Y., Odlyzko, A.M.: A Chosen Text Attack on the RSA Cryptosystem and some Discrete Logarithm Schemes. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 516–522. Springer, Heidelberg (1986)Google Scholar
  12. 12.
    EMV Co. EMV Common Payment Application Specification – Version 1.0 (December 2005)Google Scholar
  13. 13.
    EMV Co. EMV Book 2 – Security and Key Management – Version 4.1z ECC – With support for Elliptic Curve Cryptography (May 2007)Google Scholar
  14. 14.
    EMV Co. EMV Book 1 – Application Independent ICC to Terminal Interface Requirements – Version 4.2 (June 2008)Google Scholar
  15. 15.
    EMV Co. EMV Book 2 – Security and Key Management – Version 4.2 (June 2008)Google Scholar
  16. 16.
    EMV Co. EMV Book 3 – Application Specification – Version 4.2 (June 2008)Google Scholar
  17. 17.
    EMV Co. EMV Book 4 – Cardholder, Attendant, and Acquirer Interface Requirements – Version 4.2 (June 2008)Google Scholar
  18. 18.
    EMV Co. EMV Specification Bulletin No. 84 (December 2010)Google Scholar
  19. 19.
    Haber, S., Pinkas, B.: Securely combining public-key cryptosystems. In: ACM Conference on Computer and Communications Security, pp. 215–224 (2001)Google Scholar
  20. 20.
    ISO/IEC. ISO/IEC 14888-3:2006, Information technology – Security techniques – Digital signatures with appendix – Part 3: Discrete logarithm based mechanisms (2006)Google Scholar
  21. 21.
    ISO/IEC. ISO/IEC 18033-2, Information technology – Security techniques – Encryption algorithms – Part 2: Asymmetric ciphers (2006)Google Scholar
  22. 22.
    ISO/IEC. Final Draft of ISO/IEC 14888-3:2006, Information technology – Security techniques – Digital signatures with appendix Part 3: Discrete logarithm based mechanisms Amendment 1: Elliptic Curve Russian Digital Signature Algorithm, Schnorr Digital Signature Algorithm, Elliptic Curve Schnorr Digital Signature Algorithm, and Elliptic Curve Full Schnorr Digital Signature Algorithm (2010)Google Scholar
  23. 23.
    Naccache, D., Coron, J.-S., Stern, J.P.: On the Security of RSA Padding. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 1–18. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  24. 24.
    Klíma, V., Rosa, T.: Further Results and Considerations on Side Channel Attacks on RSA. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 244–259. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  25. 25.
    Komano, Y., Ohta, K.: Efficient Universal Padding Techniques for Multiplicative Trapdoor One-Way Permutation. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 366–382. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  26. 26.
    Murdoch, S.J., Drimer, S., Anderson, R., Bond, M.: Chip and PIN is broken. In: Proceedings of the 2010 IEEE Symposium on Security and Privacy, Oakland, CA, USA, pp. 433–446 (May 2010)Google Scholar
  27. 27.
    Neven, G., Smart, N.P., Warinschi, B.: Hash function requirements for Schnorr signatures. J. Mathematical Cryptology 3, 69–87 (2009)MathSciNetCrossRefMATHGoogle Scholar
  28. 28.
    Paillier, P., Vergnaud, D.: Discrete-Log-Based Signatures May not be Equivalent to Discrete Log. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 1–20. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  29. 29.
    Paterson, K.G., Schuldt, J.C.N., Stam, M., Thomson, S.: On the Joint Security of Encryption and Signature, Revisited. In: Lee, D.H. (ed.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 161–178. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  30. 30.
    Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. J. Cryptology 13(3), 361–396 (2000)CrossRefMATHGoogle Scholar
  31. 31.
    Shoup, V.: A proposal for an ISO standard for public key encryption (version 2.1) (2001), http://www.shoup.net/papers/iso-2_1.pdf
  32. 32.
    Smart, N.P.: The Exact Security of ECIES in the Generic Group Model. In: Honary, B. (ed.) IMACC 2001. LNCS, vol. 2260, pp. 73–84. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  33. 33.
    Smart, N.P.: Errors Matter: Breaking RSA-Based PIN Encryption with Thirty Ciphertext Validity Queries. In: Pieprzyk, J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 15–25. Springer, Heidelberg (2010)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Jean Paul Degabriele
    • 1
  • Anja Lehmann
    • 2
  • Kenneth G. Paterson
    • 1
  • Nigel P. Smart
    • 3
  • Mario Strefler
    • 4
  1. 1.Information Security GroupRoyal Holloway, University of LondonUK
  2. 2.IBM Research – ZurichSwitzerland
  3. 3.Department of Computer ScienceUniversity of BristolUK
  4. 4.INRIA / ENS / CNRSParisFrance

Personalised recommendations