Lucjan Hanzlik
Wrocław University of Technology
Publication
Featured research published by Lucjan Hanzlik.
International Conference on Information Security | 2013
Lucjan Hanzlik; Łukasz Krzywiecki; Mirosław Kutyłowski
We present SPACE|AA protocol that merges Chip Authentication of a smart card with card owner authorization via PACE protocol implemented in German personal identity documents. It is an improvement of PACE|AA protocol presented at Financial Cryptography 2012. Moreover, we explicitly formulate privacy model implicitly used by the authors of PACE|AA.
Trust Security and Privacy in Computing and Communications | 2012
Lucjan Hanzlik; Kamil Kluczniak; Przemysław Kubiak; Mirosław Kutyłowski
We present a variant of the protocol stack for anonymous authentication implemented in German personal identity documents. We strengthen the system by eliminating group keys - a potential target of attack for a powerful adversary aiming to undermine Restricted Identification mechanisms. We provide a mechanism of authentication that merges Chip Authentication protocol with Restricted Identification.
European Public Key Infrastructure Workshop | 2013
Lucjan Hanzlik; Kamil Kluczniak; Mirosław Kutyłowski; Łukasz Krzywiecki
We extend the idea of Restricted Identification deployed in the personal identity documents in Germany. Our protocol, Mutual Restricted Authentication (MRI for short), is designed for direct anonymous authentication between users who belong to the same domain (called also a sector). MRI requires only one private key per user. Still there are no limitations to which domain a user may belong and the domains are not fixed in advance. This enables an implementation of MRI when a strictly limited secure memory is available (like for smart cards). MRI guarantees that a user has exactly one identity within a domain, while the identities from different domains of the same user are not linkable. The main difference between RI and MRI is that for MRI the privacy of both participants is protected, while in case of RI the terminal is fully exposed. The protocol is efficient, extremely simple (in particular, it outperforms RI) and well suited for an implementation on resource limited devices such as smart cards.
Financial Cryptography | 2016
Lucjan Hanzlik; Kamil Kluczniak
This paper concerns blind signature schemes. We focus on two-move constructions, which imply concurrent security. There are known efficient blind signature schemes based on the random oracle model and on the common reference string model. However, constructing two-move blind signatures in the standard model is a challenging task, as shown by the impossibility results of Fischlin et al. The recent construction by Garg et al. (Eurocrypt’14) bypasses this result by using complexity leveraging, but it is impractical due to the signature size (\(\approx\) 100 kB). Fuchsbauer et al. (Crypto’15) presented a more practical construction, but with a security argument based on interactive assumptions. We present a blind signature scheme that is two-move, setup-free and comparable in terms of efficiency with the results of Fuchsbauer et al. Its security is based on a knowledge assumption.
Financial Cryptography | 2014
Lucjan Hanzlik; Kamil Kluczniak
U-Prove is a credential system that allows users to disclose information about themselves in a minimalistic way. Roughly speaking, in the U-Prove system a user obtains certified cryptographic tokens containing a set of attributes and is able to disclose a subset of his attributes to a verifier, while hiding the undisclosed attributes. In U-Prove the actual identity of a token holder is hidden from verifiers, however each token has a static public key (i.e. token pseudonym), which makes a single token traceable, by what we mean that, if a token is presented twice to a verifier, then the verifier knows that it is the same token. We propose an extension to the U-Prove system which enables users to show U-Prove tokens in a blinded form, so even if a single token is presented twice, a verifier is not able to tell whether it is the same token or two distinct tokens. Our proposition is an optional extension, not changing the core of the U-Prove system. A verifier decides whether to use issuer signatures from U-Prove, or the blind certificates from the extension.
International Conference on Cryptology in Malaysia | 2016
Lucjan Hanzlik; Kamil Kluczniak; Mirosław Kutyłowski
Security of many cryptographic protocols is conditioned by quality of the random elements generated in the course of the protocol execution. On the other hand, cryptographic devices implementing these protocols are designed given technical limitations, usability requirements and cost constraints. This frequently results in black box solutions. Unfortunately, the black box random number generators enable creating backdoors. So effectively the signing keys may be stolen, authentication protocol can be broken enabling impersonation, confidentiality of encrypted communication is not guaranteed anymore.
IEEE Symposium on Security and Privacy | 2015
Lucjan Hanzlik; Kamil Kluczniak; Mirosław Kutyłowski
One of the major inventions of the new personal identity cards in Germany is supporting anonymous authentication. The Restricted Identification protocol enables users to authenticate in an unlimited number of domains with passwords created with strong asymmetric cryptography and not using the insecure login-password mechanism. Moreover, the RI scheme guarantees unlinkability of users' authentication in different domains. The Achilles Heel of the RI scheme is Chip Authentication procedure. The terminal must make sure that it is talking with a genuine identification card and authentication via so-called group key is used. The group key is shared by many IDs in order to create a sufficiently large anonymity set. We present an attack, where the party holding the group key and eavesdropping on the communication between a card and a terminal can learn the pseudonym and later authenticate as this user in this domain. In this way the party issuing the cards may get an unlimited access to citizens' accounts. We show how to solve the problem by slight changes in the protocol.
Trust Security and Privacy in Computing and Communications | 2013
Lucjan Hanzlik; Kamil Kluczniak; Łukasz Krzywiecki; Mirosław Kutyłowski
We present an Anonymous Mutual Authentication (AMA) protocol for authentication and key agreement between cryptographic devices. It is an alternative for Terminal Authentication (TA) plus Chip Authentication (ChA) developed for electronic travel documents. Unlike conventional TA, executing AMA does not provide any digital record that could be used as a proof against third parties that an interaction really took place. AMA is symmetric: the code executed by both participants is the same (apart from the sequence of operations). It eases implementation on resource limited devices such as smart cards. AMA does not require prior disclosure of identities: the protocol participants learn them in a way hidden to eavesdroppers.
Information Security Practice and Experience | 2015
Lucjan Hanzlik; Mirosław Kutyłowski; Moti Yung
We present a new concept for invalidating electronic signatures which, in many situations, seem to be better suited for real business and society applications. We do not rely on an administrative invalidation process executed separately for each single signing key and based on certificate revocation lists. Instead, all signatures created with a certain group are invalidated by a certain event. We propose a hard invalidation via releasing of the inherent cryptographic proof value – instead of soft invalidation via revoking certificates which leaves intact the cryptographic strength of signatures (even if legal validity is partially lost).
International Conference on Security and Cryptography | 2016
Wojciech Wodo; Lucjan Hanzlik
The paper discusses the issue of thermal imaging attacks on a variety of keyboard devices, such as cash machines, payment terminals, combination locks or computer keyboards. The aim of the research was to obtain the entered code or password in the most non-invasive way. As it turned out, attacks based on images from thermal imaging cameras are very easy to carry out and work in almost every case, which calls for extra safety measures. The authors consider various attack scenarios and come up with recommendations for both manufacturers and users of electronic keyboard security systems.