A Cryptographic Analysis of OPACITY

(Extended Abstract)
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8134)


We take a closer look at the Open Protocol for Access Control, Identification, and Ticketing with privacY (OPACITY). This Diffie-Hellman-based protocol is intended to provide secure and privacy-friendly key establishment for contactless environments. It is promoted by the US Department of Defense and has since been included in several standards, such as ISO/IEC 24727-6 and ANSI 504-1. To the best of our knowledge, no detailed cryptographic analysis has so far been publicly available. We therefore investigate to what extent the common security properties for authenticated key exchange and impersonation resistance, as well as privacy-related properties such as untraceability and deniability, are met.

OPACITY is not a single protocol but a suite of two protocols, one called Zero-Key Management (ZKM) and the other Full Secrecy (FS). Our results indicate that the ZKM version does not achieve even very basic security guarantees. The FS protocol, on the other hand, provides a decent level of security for key establishment. Yet our results also show that the persistent-binding steps, used to re-establish previous connections, conflict with fundamental privacy properties.


Keywords (added by machine, not by the authors): Random Oracle, Honest Party, Direct Anonymous Attestation, Identity Hiding, Ephemeral Secret


References

1. Abdalla, M., Fouque, P.-A., Pointcheval, D.: Password-based authenticated key exchange in the three-party setting. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 65–84. Springer, Heidelberg (2005)
2. Albrecht, M.R., Paterson, K.G., Watson, G.J.: Plaintext recovery attacks against SSH. In: 2009 IEEE Symposium on Security and Privacy, pp. 16–26. IEEE Computer Society Press (May 2009)
3. Smart Card Alliance: Industry technical contributions: Opacity (April 2013)
4. ANSI X9-63-199X – Public key cryptography for the financial services industry: Key agreement and key transport using elliptic curve cryptography (1999)
5. Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994)
6. Bender, J., Dagdelen, Ö., Fischlin, M., Kügler, D.: Domain-specific pseudonymous signatures for the German identity card. In: Gollmann, D., Freiling, F.C. (eds.) ISC 2012. LNCS, vol. 7483, pp. 104–119. Springer, Heidelberg (2012)
7. Black, J., Rogaway, P.: CBC MACs for arbitrary-length messages: The three-key constructions. Journal of Cryptology 18(2), 111–131 (2005)
8. Boyd, C., Mao, W., Paterson, K.G.: Deniable authenticated key establishment for internet protocols. In: Security Protocols Workshop, pp. 255–271 (2003)
9. Brands, S.: Rethinking Public Key Infrastructures and Digital Certificates; Building in Privacy. The MIT Press (2000)
10. Brickell, E.F., Camenisch, J., Chen, L.: Direct anonymous attestation. In: Atluri, V., Pfitzmann, B., McDaniel, P. (eds.) ACM CCS 2004, pp. 132–145. ACM Press (October 2004)
11. Brzuska, C., Fischlin, M., Smart, N., Warinschi, B., Williams, S.: Less is more: Relaxed yet composable security notions for key exchange. Cryptology ePrint Archive, Report 2012/242 (2012)
12. Brzuska, C., Fischlin, M., Warinschi, B., Williams, S.C.: Composability of Bellare-Rogaway key exchange protocols. In: Chen, Y., Danezis, G., Shmatikov, V. (eds.) ACM CCS 2011, pp. 51–62. ACM Press (October 2011)
13. Canetti, R.: Universally composable security: A new paradigm for cryptographic protocols. In: 42nd FOCS, pp. 136–145. IEEE Computer Society Press (October 2001)
14. Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001)
15. Chaum, D.: Security without identification: Transaction systems to make big brother obsolete. Commun. ACM 28 (October 1985)
16. Dagdelen, Ö., Fischlin, M., Gagliardoni, T., Marson, G.A., Mittelbach, A., Onete, C.: A cryptographic analysis of OPACITY. Cryptology ePrint Archive, Report 2013/234 (2013)
17. Deeg, M., Eichelmann, C., Schreiber, S.: Programmed insecurity — SySS cracks yet another USB flash drive
18. Deeg, M., Schreiber, S.: Cryptographically secure? SySS cracks a USB flash drive
19. Di Raimondo, M., Gennaro, R.: New approaches for deniable authentication. Journal of Cryptology 22(4), 572–615 (2009)
20. Dodis, Y., Katz, J., Smith, A., Walfish, S.: Composability and on-line deniability of authentication. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 146–162. Springer, Heidelberg (2009)
21. Dwork, C., Naor, M., Sahai, A.: Concurrent zero-knowledge. J. ACM 51(6), 851–898 (2004)
22. Gajek, S., Manulis, M., Pereira, O., Sadeghi, A.-R., Schwenk, J.: Universally composable security analysis of TLS. In: Baek, J., Bao, F., Chen, K., Lai, X. (eds.) ProvSec 2008. LNCS, vol. 5324, pp. 313–327. Springer, Heidelberg (2008)
23. Goldberg, I., Stebila, D., Ustaoglu, B.: Anonymity and one-way authentication in key exchange protocols. Des. Codes Cryptography 67(2), 245–269 (2013)
24. INCITS: 504-1, Information Technology – Generic identity command set, Part 1: Card application command set
25. ISO/IEC: Identification cards – Integrated circuit(s) cards with contacts – Part 4: Organization, security and commands for interchange. Tech. Rep. ISO/IEC 7816-4, International Organization for Standardization, Geneva, Switzerland (2005)
26. ISO/IEC: Identification cards – Integrated circuit(s) cards with contacts – Part 8: Security related interindustry commands. Tech. Rep. ISO/IEC 7816-8, International Organization for Standardization, Geneva, Switzerland (2009)
27. ISO/IEC: Identification cards – Integrated circuit cards programming interface – Part 6: Registration procedures for the authentication protocols for interoperability. Tech. Rep. ISO/IEC FDIS 24727-6, International Organization for Standardization, Geneva, Switzerland (2009)
28. Iwata, T., Kurosawa, K.: OMAC: One-key CBC MAC. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 129–153. Springer, Heidelberg (2003)
29. Jager, T., Kohlar, F., Schäge, S., Schwenk, J.: On the security of TLS-DHE in the standard model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 273–293. Springer, Heidelberg (2012)
30. Juels, A., Weis, S.A.: Defining strong privacy for RFID. Cryptology ePrint Archive, Report 2006/137 (2006)
31. Krawczyk, H.: The order of encryption and authentication for protecting communications (or: How secure is SSL?). In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 310–331. Springer, Heidelberg (2001)
32. Kudla, C., Paterson, K.G.: Modular security proofs for key agreement protocols. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 549–565. Springer, Heidelberg (2005)
33. Küsters, R., Tuengerthal, M.: Composition theorems without pre-established session identifiers. In: Chen, Y., Danezis, G., Shmatikov, V. (eds.) ACM CCS 2011, pp. 41–50. ACM Press (October 2011)
34. LaMacchia, B.A., Lauter, K., Mityagin, A.: Stronger security of authenticated key exchange. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 1–16. Springer, Heidelberg (2007)
35. Lauter, K., Mityagin, A.: Security analysis of KEA authenticated key exchange protocol. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 378–394. Springer, Heidelberg (2006)
36. Le, T.V., Burmester, M., de Medeiros, B.: Universally composable and forward-secure RFID authentication and authenticated key exchange. In: Bao, F., Miller, S. (eds.) ASIACCS 2007, pp. 242–252. ACM Press (March 2007)
37. Menezes, A., Ustaoglu, B.: Security arguments for the UM key agreement protocol in the NIST SP 800-56A standard. In: Abe, M., Gligor, V. (eds.) ASIACCS 2008, pp. 261–270. ACM Press (March 2008)
38. Morrissey, P., Smart, N.P., Warinschi, B.: The TLS handshake protocol: A modular analysis. Journal of Cryptology 23(2), 187–223 (2010)
39. NIST: Security Requirements for Cryptographic Modules. Tech. Rep. FIPS 140-2, National Institute of Standards and Technology (2002)
40. NIST: Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication. Tech. Rep. SP 800-38B, National Institute of Standards and Technology (2007)
41. NIST: Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography. Tech. Rep. SP 800-56A, National Institute of Standards and Technology (2007)
42. Okamoto, T., Pointcheval, D.: The gap-problems: A new class of problems for the security of cryptographic schemes. In: Kim, K.-c. (ed.) PKC 2001. LNCS, vol. 1992, pp. 104–118. Springer, Heidelberg (2001)
43. OPACITY: Reference Implementation
44. Ouafi, K., Phan, R.C.-W.: Privacy of recent RFID authentication protocols. In: Chen, L., Mu, Y., Susilo, W. (eds.) ISPEC 2008. LNCS, vol. 4991, pp. 263–277. Springer, Heidelberg (2008)
45. Paterson, K.G., Ristenpart, T., Shrimpton, T.: Tag size does matter: Attacks and proofs for the TLS record protocol. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 372–389. Springer, Heidelberg (2011)
46. Paterson, K.G., Watson, G.J.: Authenticated-encryption with padding: A formal security treatment. In: Naccache, D. (ed.) Cryptography and Security: From Theory to Applications. LNCS, vol. 6805, pp. 83–107. Springer, Heidelberg (2012)
47. Saint, E.L., Fedronic, D.L.J.: Open protocol for authentication and key establishment with privacy (July 2010)
48. Saint, E.L.: Opacity – the new open protocol of choice (August 2012)
49. Saint, E.L.: Personal communication (July 2012)
50. Saint, E.L., Fedronic, D., Liu, S.: Open protocol for access control identification and ticketing with privacy (July 2011)
51. Stevens, M., Sotirov, A., Appelbaum, J., Lenstra, A., Molnar, D., Osvik, D.A., de Weger, B.: Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 55–69. Springer, Heidelberg (2009)

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

Darmstadt University of Technology, Germany
