Financial Cryptography and Data Security

When designing a crypto protocol, or building a large security architecture, no competent designer neglects to consider the bad guy and anticipate his plans. But often we designers find ourselves striving to build totally secure systems and protocols, in effect writing the bad guys entirely out of the equation. In a large system, when you exclude the bad guys, they soon muscle their way in elsewhere, and maybe in a new and worse way over which you may have much less control. A crypto protocol with no known weaknesses may be a strong tool, but when it does break, it will break in an unpredictable way. This talk explores the hypothesis that it is safer and better for designers to give the bad guys their cut, but to keep it small, and to keep in control. It may not just be our systems but also our protocol building blocks that should be designed to make room for the bad guy to take his cut. The talk is illustrated with examples of very successful systems with known weaknesses, drawn primarily from the European EMV payment system, and from banking security in general. We also discuss a few too secure systems that end up failing in worse ways as a result.

S. Dietrich and R. Dhamija (Eds.): FC 2007 and USEC 2007, LNCS 4886, p. 1, 2007.
© Springer-Verlag Berlin Heidelberg 2007

The original version of this chapter was revised: the copyright line was incorrect. This has been corrected. The Erratum to this chapter is available at DOI: 10.1007/978-3-540-77366-5_37

Vulnerabilities in First-Generation RFID-enabled Credit Cards

Thomas S. Heydt-Benjamin (1), Daniel V. Bailey (2), Kevin Fu (1), Ari Juels (2), and Tom O'Hare (3)

1 University of Massachusetts, Amherst, MA, USA, {tshb, kevinfu}@cs.umass.edu
2 RSA Laboratories, Bedford, MA, USA, {dbailey, ajuels}@rsa.com
3 Innealta, Inc., Salem, MA, USA, tom@innealta.com

Abstract. RFID-enabled credit cards are widely deployed in the United States and other countries, but no public study has thoroughly analyzed the mechanisms that provide both security and privacy. Using samples from a variety of RFID-enabled credit cards, our study observes that (1) the cardholder's name, and often the credit card number and expiration date, are leaked in plaintext to unauthenticated readers, (2) our homemade device costing around $150 effectively clones one type of skimmed card, thus providing a proof-of-concept implementation of the RF replay attack, (3) information revealed by the RFID transmission cross-contaminates the security of RFID and non-RFID payment contexts, and (4) RFID-enabled credit cards are susceptible in varying degrees to a range of other traditional RFID attacks such as skimming and relaying.