Why Migrating to Triple DES is Not Easy

More documents

Recommendations

Info

4.3 Key blocks Why Migrating to Triple DES is Not Easy Current key blocks 2 such as the key block for the keys encrypted in the payment application key databases, and the key blocks for the key exchange keys, are not adequate to support 3DES. Attacks have been presented ([7], [5]) against key blocks currently used by the financial institutions, in which keys can be used for functionalities that they where not intended for, and knowledge of certain working keys can leak knowledge of other keys, violating security property SP2. The attacks work even if the key blocks use encryption with a provably secure mode of operation such as CBC, even when used in combination with variants or control vectors 3 . The techniques of the attacks are based on substituting parts of the keys and brute forcing single DES keys twice. This can be done on average in 2×2 55 = 2 56 steps, which is much smaller than 2 112 (the number of steps needed to try each and every double length 3DES key). This clearly violates security properties SP3 and SP4. It is crucial to cryptographically tie the functionality of a key to the key itself, this can be achieved by securely using a MAC or a digital signature scheme for example, or an encryption mode of operation that also provides integrity such as the one described in [8]. A proposal to ANSI X.9F for a new key block format is described in [5]. What is important to remember is that encryption alone does not provide integrity. 4.4 Hardware update There are obvious problems if hardware, such as PIN pads, ATMs and cryptographic processors, cannot be upgraded in the field. Even if upgrades can be done in the field, migration has to be coordinated with other devices and software. If a PIN pad can only use single DES and a switch has been upgraded to use 3DES, the switch needs to be configured to be backwards compatible with single DES. This backwards compatibility feature could potentially be used to the advantage of an attacker (as was discussed in section 4.1). There is also a question of speed. 3DES encryption and decryption takes approximately three times longer to execute than does single DES encryption and 2 a key block is a data structure for specifying the value and attributes of a key that is to be stored or exchanged, key blocks for private keys usually use some sort of encryption. 3 variants and control vectors are bitpatterns that are bound to encrypted keys by a XOR operation with the encrypting key. If a naive attacker introduces into a cryptoprocessor a cryptogram of a key bounded by a control vector or variant of the wrong type the cryptoprocessor’s decryption operation should simply produce garble and no useful information about the key would be revealed. This technique does not work when encrypting keys longer then the block size. c○Copyright Okiok Data 2002 6
Why Migrating to Triple DES is Not Easy decryption 4 . Memory allocation and caching can also affect the speed of execution of 3DES encryption and decryption, especially during the key setup stages. Some custom designed cryptoprocessors also deal poorly with the safeguarding of 3DES keys in memory register, some key parts can get overwritten in their register slots by other 3DES key parts or single DES keys if allocation is not done correctly. This was observed in a PIN pad we once evaluated, the problem had to do more with the architecture of the hardware rather than 3DES itself however, mostly due to the fact that some embedded systems have limited storage space. The lesson to learn is that a cryptoprocessor can work perfectly well when it only does single DES but start showing strange behavior when using 3DES. 4.5 Software/Firmware update Command sets will undoubtedly be modified if a system is to support 3DES. It is crucial to make certain that there will be no compatibility problems and that security is not affected. For example, one can have software running on a device which will accept to load new software after verifying a MAC. If the new software is needed to use 3DES, but the old software’s MAC is based on single DES, one needs to make sure that this procedure is secure in the given context (for example, it is secure if you still trust single DES). It is highly recommended to analyze any new transaction set, to be convinced of this one simply has to look at the recent API-level attacks on embedded systems described in [2]. 4.6 Payment application database We already talked about the need for a new key block in section 4.3. It is also important to consider the simple fact that 3DES keys are larger than single DES keys and that the format of the key blocks will be different. One should make sure that databases will be able to handle this change. 4.7 Key Management Key management is probably one of the more complex parts of any cryptosystem. New kinds of cryptographic keys means new kinds of key management. Key exchange methods (manual or automated) for 3DES will differ from those for 4 if no pipelining is done. c○Copyright Okiok Data 2002 7
Page 1 and 2: Why Migrating to Triple DES is Not
Page 3 and 4: 1 Introduction Why Migrating to Tri
Page 7: Why Migrating to Triple DES is Not
Page 13 and 14: References Why Migrating to Triple

Why Migrating to Triple DES is Not Easy

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?