Securing E-Passports With Elliptic Curves
Editors: Peter Gutmann, pgut001@cs.auckland.ac.nz; David Naccache, david.naccache@ens.fr; Charles C. Palmer, ccpalmer@us.ibm.com
This is the story of how the solution to a relatively abstract mathematics problem related to elliptic curves has led to improved security for ID documents.

Suppose that two parties share a common low-entropy secret (such as a four-digit PIN or a self-picked alphabetic password) and want to establish a secure, authenticated communication channel. This scenario is common, from payment terminals and e-passport readers to online services. But even today, many implementations rely on more or less ad hoc protocols that might be vulnerable to replay attacks, man-in-the-middle attacks, and so on. Moreover, although some of those protocols are reasonably secure when the shared secret can't be guessed, they tend to be vulnerable to offline dictionary attacks. In these attacks, the attacker eavesdrops on communication between the parties and uses the data recorded that way to brute-force the password without further interaction with either party. Because the password has low entropy, the search space is small, so offline brute-forcing isn't difficult.

A class of cryptographic protocols called Password-Authenticated Key Exchange (PAKE) provides a more robust solution to this problem. PAKE protocols ensure that an eavesdropper can't learn any information on the low-entropy secret. They're also required to be as secure as possible against all passive and active attacks. Basically, all an adversary can do to learn the password is an online dictionary attack (guess the password and try to execute the protocol with one of the parties). We can prevent this through latency, smart card blocking, and so on.

For implementing PAKE protocols, especially in constrained environments such as e-passports, elliptic-curve cryptography is fast and requires little memory. However, it involves representing numeric values (in this case, passwords) as points on an elliptic curve, and how to do this efficiently and securely isn't obvious. Here we discuss how researchers have solved this problem and describe two PAKE protocols that use this technique to achieve different security properties. More generally, encoding to curve points provides a convenient way to integrate passwords into existing elliptic-curve-based protocols, in addition to other cryptographic applications.
Crypto Corner
    Input: u, an integer
    Output: (x, y), a point of the curve
    for i := 0 to k - 1 do
        x := u || i;
        if x^3 + ax + b is a square then
            return (x, y = (x^3 + ax + b)^(1/2))
        end
    end
    return failure;

Figure 1. The try-and-increment algorithm enables construction of a group-valued encoding function. However, for Password-Authenticated Key Exchange (PAKE) protocols, this algorithm would still allow an adversary to determine a password.
protocols based on other groups, such as nonzero integers modulo a prime number. Cryptographic protocols based on groups often involve representing certain numeric values as elements of the group. In the elliptic-curve case, this amounts to mapping an integer u to a point (x, y) on the curve. For instance, Dan Boneh and Matt Franklin's identity-based encryption represents user identities as curve points.4 For this purpose, they proposed a very natural way to encode values to that curve. However, this works only for curves of a special form (supersingular curves), which aren't suitable for most applications owing to subpar security properties. Because a typical PAKE implementation using elliptic curves would preferably avoid supersingular curves, we need to encode points on ordinary (that is, nonsupersingular) elliptic curves.

isn't the case for elliptic curves. You can't hope to construct an encoding function by, for example, choosing the numeric value as a curve point's x-coordinate. This is because only about half of all the possible x-values correspond to actual points on the curve. What does work is the try-and-increment algorithm (see Figure 1). Append a short counter to the value to be encoded, and initialize it to 0. If the resulting concatenated value is an existing x-coordinate, return the corresponding point. Otherwise, increment the counter and try again. For each value of the counter i, the probability of x being the x-coordinate of an actual point on the elliptic curve is approximately 1/2. So, if the counter can take k values, the algorithm will fail to find a point with a probability of 2^-k. This is negligibly small if we take, for example, k = 128, so the algorithm will always succeed in practice. However, this algorithm's running time depends on u, which can be a problem for implementations of protocols in which u must stay confidential. Regarding PAKE protocols, u is related to the underlying password. So, different passwords lead to different running times. An attacker can then partition the password dictionary according to the different running times, which will reveal the password after a few executions of the protocol.5 We could modify the try-and-increment algorithm to make it run in constant time and thwart this attack, but this makes the encoding function prohibitively inefficient.
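As an added illustration (not code from the column), the following Python implements Figure 1's try-and-increment map on a constructed toy curve, reports how many iterations each input costs, and contrasts it with a variant that always performs all k iterations, the constant-time fix the text calls prohibitively inefficient. The prime, the curve coefficients and the counter width are assumptions made for the example.

```python
P = 2**127 - 1   # Mersenne prime with P % 4 == 3, so sqrt(z) = z^((P+1)/4); constructed toy parameters
A, B = 1, 5      # curve y^2 = x^3 + A*x + B over F_P (not a standardized curve)
K_BITS = 8       # counter width: k = 256 tries, so the encoding fails with probability about 2^-256

def rhs(x):
    return (x ** 3 + A * x + B) % P

def is_square(z):                          # Euler's criterion
    return z == 0 or pow(z, (P - 1) // 2, P) == 1

def sqrt_mod(z):
    return pow(z, (P + 1) // 4, P)

def on_curve(pt):
    x, y = pt
    return (y * y - rhs(x)) % P == 0

def try_and_increment(u):
    """Figure 1's algorithm. Returns (point, tries); tries is the data-dependent cost that leaks."""
    for i in range(2 ** K_BITS):
        x = (u << K_BITS | i) % P          # append the counter to the value being encoded
        if is_square(rhs(x)):
            return (x, sqrt_mod(rhs(x))), i + 1
    return None, 2 ** K_BITS               # happens with probability about 2^-256

def try_and_increment_fixed(u):
    """Same map, but always runs all 2^K_BITS iterations and keeps the first hit by arithmetic
    selection, so the iteration count no longer depends on u. Python offers no real constant-time
    guarantees; the point is the fixed cost, about 128 times the two tries the early exit needs on average."""
    found, px, py = 0, 0, 0
    for i in range(2 ** K_BITS):
        x = (u << K_BITS | i) % P
        hit = int(is_square(rhs(x))) & (1 - found)   # 1 only on the first success
        px += hit * (x - px)                          # overwrite only when hit == 1
        py += hit * (sqrt_mod(rhs(x)) - py)           # sqrt of a non-square is garbage, never kept
        found |= hit
    return ((px, py) if found else None), 2 ** K_BITS

def cost_profile(passwords):
    """Iterations per candidate password: distinct counts are what a timing attacker partitions on."""
    return {pw: try_and_increment(int.from_bytes(pw.encode(), "big"))[1] for pw in passwords}
```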
a secret value's point encoding efficiently without leaking information about it to timing attackers. Also, we can compute preimages under the encoding function in polynomial time. This ensures that knowledge of u doesn't help an attacker compute the discrete logarithm of encoding(u). Additionally, we can compute the size of such a function's image.6,7 For Icart's function, the size is approximately 5/8 of all the points on the curve, which is large enough for most applications.
PACE v2

One application of these encoding functions is PACE (Password-Authenticated Communication Establishment) v2, a PAKE protocol recently standardized for e-passport applications. The International Civil Aviation Organization (ICAO) maintains a series of specifications pertaining to secure communication between the chips on machine-readable travel documents (MRTDs) and MRTD readers. Recently, the ICAO expanded the specifications to include PACE, which uses Icart's encoding for authenticated key agreement.8 PACE aims to establish a secure communication channel between a chip and terminal sharing a password p. For e-passports, this password is obtained from the MRTD's machine-readable zone. PACE has six steps; Figure 2 describes the first three. After these three steps, the two parties have obtained a common high-entropy secret: point Z on the elliptic curve. The next three steps are key derivation, key confirmation, and session establishment, which are relatively standard and don't involve point encodings. We don't describe them here. In this very practical instance, the ICAO presumably preferred Icart's encoding to other, more classic techniques (such as the try-and-increment algorithm) to protect the password against side-channel attacks. This encoding is also more efficient (slightly faster than the best case of try-and-increment, and many times faster than the worst case), which is desirable in such a resource-constrained setting.

    Chip and terminal both hold the password.
    Stage 1 (randomization): the chip randomly selects s, a binary string, encrypts s by a block cipher keyed by the password to get z, and sends z to the terminal.
    Stage 2 (mapping): both parties compute a fresh generator point encoding(hash(s || password)), where hash is a hash function and || stands for concatenation.

Figure 2. The first three steps of PACE (Password-Authenticated Communication Establishment) v2, a PAKE (Password-Authenticated Key Exchange) protocol for e-passport applications. After these first three steps, the two parties have obtained a common high-entropy secret: a point Z on the elliptic curve.
Private PAKE

Another application is the classic PAKE protocol DH-EKE (Diffie-Hellman encrypted key exchange; see Figure 3).9 DH-EKE can be implemented over any group, but over the group of points on an elliptic curve, it's vulnerable to the following offline dictionary attack. An eavesdropping attacker who sees an encryption of point Gi can try to decrypt it using a guessed password p'. If the guess is incorrect, then, with a probability of approximately 1/2 (or much higher than that, depending on how the points are represented), the resulting point won't belong to the curve. So, the attacker can throw away half or more of his or her password dictionary for every encrypted message the attacker catches between the two parties. A few executions of the protocol are then sufficient to recover the actual password p.

    Parameter: G, a point on the curve. Chip and server both hold the password.
    Chip: Pick a scalar, and compute G1 as that scalar times G. Send G1 encrypted by a block cipher that depends on the password. Retrieve G2 by decryption, and compute K as the chip's scalar times G2.
    Server: Pick a scalar, and compute G2 as that scalar times G. Send G2 encrypted by a block cipher that depends on the password. Retrieve G1 by decryption, and compute K as the server's scalar times G1.

Figure 3. DH-EKE (Diffie-Hellman encrypted key exchange), a classic PAKE (Password-Authenticated Key Exchange) protocol. The basic protocol is vulnerable to offline dictionary attacks, but elliptic-curve cryptography can alleviate this problem.

To avoid such an attack, it would be desirable to represent curve points as bit strings such that all bit strings correspond to actual points and a uniformly random bit string corresponds to a uniformly distributed curve point. We can achieve this using admissible encoding, which Eric Brier and his colleagues developed.10 A function f from a set of bit strings to an elliptic curve is admissible if it satisfies three requirements:
- It's efficiently computable.
- It can be sampled; that is, an efficient algorithm exists that takes a curve point as input and returns a bit string chosen uniformly at random among its preimages by f.
- It's regular; that is, the image by f of a uniformly random bit string is an almost uniformly random curve point.

Icart's encoding(u) function fulfills the first two requirements but not the third. From this function's image size alone, we can see that it can't be regular. Fortunately, Brier and his colleagues showed that

    Encoding(u, v) = encoding(u) + encoding(v)

is admissible. On the basis of admissible encoding, Julien Bringer and his colleagues introduced a PAKE protocol with the novel property that the underlying elliptic-curve parameters remain private.11 This property is particularly useful for e-passports and other identification documents because the country issuing the documents typically chooses the curve parameters. If the parameters leak during authentication, an eavesdropper can discover the document owner's nationality, which is a security concern. To achieve privacy, Bringer and his colleagues treated the curve parameters as part of the password and modified DH-EKE to use the Encoding function instead of a block cipher. So, the messages exchanged by the parties are completely random bit strings, which reveal no information about the password or curve.
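Added example (not the column's code) serving both the image-size statement about Icart's function above and the admissible sum Encoding(u, v): a Python implementation of Icart's function, using the formula from his Crypto 2009 paper for a prime P with P ≡ 2 (mod 3), on a constructed toy curve. It counts how many curve points encoding(u) reaches (about 5/8 of them) and how many Encoding(u, v) = encoding(u) + encoding(v) reaches (all of them). The curve parameters are assumptions, far too small for real use.

```python
P, A, B = 467, 3, 7   # constructed toy curve y^2 = x^3 + A*x + B over F_P; P % 3 == 2 as Icart's map needs

def inv(z):
    return pow(z, P - 2, P)             # modular inverse (P is prime)

def cbrt(z):
    return pow(z, (2 * P - 1) // 3, P)  # unique cube root: cubing is a bijection when P % 3 == 2

def on_curve(pt):                       # None stands for the point at infinity
    if pt is None:
        return True
    return (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P == 0

def icart(u):
    """Icart's function (Crypto 2009): straight-line arithmetic, no data-dependent loop."""
    u %= P
    if u == 0:
        return None                     # Icart defines f(0) as the point at infinity
    v = (3 * A - pow(u, 4, P)) * inv(6 * u) % P
    x = (cbrt((v * v - B - pow(u, 6, P) * inv(27)) % P) + u * u * inv(3)) % P
    return (x, (u * x + v) % P)

def add(p1, p2):
    """Affine point addition on the toy curve, handling infinity, inverses and doubling."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = ((3 * x1 * x1 + A) * inv(2 * y1) if p1 == p2 else (y2 - y1) * inv(x2 - x1)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def curve_points():
    """All points of the toy curve by brute force (only sensible for a tiny P)."""
    roots = {}
    for y in range(P):
        roots.setdefault(y * y % P, []).append(y)
    pts = {None}
    for x in range(P):
        pts.update((x, y) for y in roots.get((x ** 3 + A * x + B) % P, []))
    return pts

def image_fraction():
    """Share of curve points reachable as encoding(u) = icart(u): the column states about 5/8."""
    return len({icart(u) for u in range(P)}) / len(curve_points())

def sum_encoding_fraction():
    """Share reachable as Encoding(u, v) = icart(u) + icart(v): all of them, as regularity needs."""
    img = [icart(u) for u in range(P)]
    return len({add(p, q) for p in img for q in img}) / len(curve_points())
```

Since more than half of the points lie in Icart's image, every point is a sum of two image points, which is why the second count comes out complete; the pairwise sum walks all P² input pairs and takes about a second at this size.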
Some questions regarding encoding points of elliptic curves are still open. For instance, on the mathematical side, having injective encodings to ordinary curves would be interesting. More

8. Supplemental Access Control for Machine Readable Travel Documents, ver. 1.01, tech. report, Int'l Civil Aviation Org., 11 Nov. 2010; www2.icao.int/en/MRTD/Downloads/Technical%20Reports/Technical%20Report.pdf.
9. S.M. Bellovin and M. Merritt, "Encrypted Key Exchange: Password-Based Protocol Secure against Dictionary Attacks," Proc. Symp. Research in Security and Privacy, IEEE Press, 1992, pp. 72-84.
10. E. Brier et al., "Efficient Indifferentiable Hashing into Ordinary Elliptic Curves," Advances in Cryptology (Crypto 2010), LNCS 6223, Springer, 2010, pp. 237-254.
11. J. Bringer, H. Chabanne, and T. Icart, "Password Based Key Exchange Protocols on Elliptic Curves Which Conceal the Public Parameters," Applied Cryptography and Network Security, LNCS 6123, 2010, pp. 291-308.

Hervé Chabanne is a deputy director and security expert in Morpho's identification division and an associate professor of cryptography at Télécom ParisTech. Contact him at herve.chabanne@morpho.com. Mehdi Tibouchi is a researcher and PhD candidate in the cryptology team at École normale supérieure. Contact him at mehdi.tibouchi@normalesup.org.

IEEE Security & Privacy, March/April 2011