Free government-penned crypto can swipe identities
Beware of Australians bearing gifts
The PLAID (Protocol for Lightweight Authentication of Identity) cryptography kit appears to be insecure.
PLAID is a homebrew cryptography system designed by Centrelink - the Australian government agency that shovels out tens of billions a year in welfare payments. The system has been considered for use by US government agencies.
The software offers a means of contactless authentication using smart cards and is designed not to leak identities to scammers with dodgy card readers.
The newly-disclosed flaws from researchers at the University of Royal Holloway and TU Darmstadt (PDF) allow an attacker to fuzz cards in order to generate error messages. Attackers armed with a bushel of error messages could identify individual identity numbers.
Further problems identified included a lack of RSA padding leaving certain implementations of PLAID open RSA signature cloning in a mode similar to Bleichenbacher's attack, the team of eight cryptographers from the universities found.
"I figure if someone has to use 'free' to lure you in the door, there's a good chance they're waiting on the other side with a hammer and a bottle of chloroform, or whatever the cryptographic equivalent might be," Matthew Green said of a PLAID story broken by this correspondent in a previous life.
"A quick look at PLAID didn't disappoint. The designers used ECB like it was going out of style; did unadvisable things with RSA encryption, and that was only the beginning."
Green offered a concise analysis of the recent university paper A Cryptographic Analysis of an ISO-standards-track Authentication Protocol.
"As well as reporting a number of undesirable cryptographic features of the protocol, we show that the privacy properties of PLAID are significantly weaker than claimed: using a variety of techniques we can fingerprint and then later identify cards," the researchers wrote. "These techniques involve a novel application of standard statistical and data analysis techniques in cryptography."
Attackers could ascertain a user identity by running a variation of the mathematical equation allies used in World War two to accurately establish the number of Nazi tanks in production.
In short, attackers can run at least a thousand scans on a PLAID card where a reader would request possibly absurd information such as the user's favourite nursery in order to generate errors.
Beleaguered cards spat out junk data encrypted with an RSA shill key and it was this ciphertext which could be crunched to discover the key used, and a users' card number with accuracy that increased significantly with the number of scans.
While cards would not contain details for a nursery, they would under government plans contain health care information such as hospitals visited or possibly the users' bank (but not specific data like account numbers) and so on.
While these were a risk, it was not a coup de grace for the crypto scheme because it did not break fundamental user identification security. It did however require the Government modify the scheme to use stronger encryption schemes such as Diffie-Hellman, notably since it was on a fast track to ISO/IEC 25185-1.2 standardisation.
It was to the undoubted glee of Human Services being considered for adoption across US Government agencies in a move that could bring down the cost of PLAID systems. ®