RSA Data Security, Inc. Some Perspectives on Smart Card Cryptography Burt Kaliski, Chief Scientist RSA Laboratories SCIA IC Card & System Security Meeting November 16–17, 1998

© RSA 1998

Introduction

• The emerging world of e-commerce depends on security services:
  – user authentication
  – key distribution
  – data integrity and confidentiality
  – digital signatures / nonrepudiation

• Smart cards and cryptography are helpful tools for implementing these services

Smart Cards and Cryptography

• Smart cards carry the keys, perform cryptographic operations
  – ideal for “personal” cryptography

• Other tokens also considered in many designs:
  – PC cards
  – palmtops

Cryptography Choices

1. Public key vs. symmetric

2. Algorithms

3. Protocols

Public Key vs. Symmetric

• A classic choice: scalability vs. speed
  – symmetric cryptography up to 100x faster
  – but management of public keys much easier

• Open system or closed?

• Benefits can be combined

A Hybrid Approach

• Registration with public-key cryptography:
  – smart card establishes symmetric key via server’s public key

• User authentication, key distribution, data protection with symmetric key

• Digital signatures combine public-key cryptography with hashing

Public-Key Algorithms

• Three families considered in standards:
  – discrete logarithm (DL): Diffie-Hellman, DSA, MQV
  – elliptic curve (EC): analogs of DL
  – integer factorization (IF): RSA, RW

• Tradeoffs in key and data size, security, speed

Symmetric Algorithms

• Encryption algorithms:
  – DES, triple-DES, AES
  – “exportable” alternatives

• Integrity-protection algorithms

• Hash functions

• Tradeoffs primarily in security, speed

Protocols

• Many to choose from for each service

• Examples:
  – time-based vs. challenge-response user authentication
  – key transport vs. key agreement

• Tradeoffs in algorithms supported, number of messages

Implementation Considerations

• Many kinds of physical attacks to contend with, beyond the cryptography:
  – timing analysis
  – power analysis
  – reverse engineering

• Logical attacks especially of concern in multi-application environments

Crypto-Coprocessors

• Cryptographic operations in smart cards are often accelerated with coprocessors
  – typical: modular exponentiation

• All three families can be accelerated with a modular arithmetic coprocessor
  – RSA (mod n)
  – DL, EC over GF(p) for odd p

• What’s in a coprocessor today may be standard tomorrow

RSA Cryptography

• Cryptographic operations based on the RSA algorithm
  – PKCS #1, IEEE P1363, ANSI X9.31, X9.44 (draft) standards

• Key pair generation, encryption / decryption, signature / verification

• Example times given for several smart card chips
  – most with 8-bit CPUs, coprocessors

Key Length

• Typical RSA key length: 1024 bits

• Security about $2^{80}$ against best methods
  – comparable to 160-bit ECC, 80-bit symmetric in terms of operations
  – … but RSA-breaking methods require much more memory

Private-Key Operations

• Signature generation and decryption with private key $(n, d)$:
  $y = x^d \bmod n$
  – with Chinese Remainder Theorem:
    $y_p = x^{d \bmod (p-1)} \bmod p$
    $y_q = x^{d \bmod (q-1)} \bmod q$
    $y = [(y_p - y_q)\, q^{-1} \bmod p]\, q + y_q$

• Typical: two 512-bit modexps
  – 100-800ms on example smart cards

Public-Key Operations

• Signature verification or encryption with public key $(n, e)$:
  $y = x^e \bmod n$
  – $e = 3, 17, 2^{16}+1$ common

• Typical: a few 1024-bit modmults
  – 5-265ms on smart cards with $e = 2^{16}+1$
    • except in two cases, 50ms
  – coprocessor not needed for small $e$

Key Pair Generation

• Public key $(n, e)$

• Private key $(n, d)$
  – where
    $n = pq$
    $de \equiv 1 \bmod \operatorname{lcm}(p-1, q-1)$

• Typical: two 512-bit prime generations
  – est. 10-100 seconds on examples
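
The formulas on the Private-Key Operations, Public-Key Operations and Key Pair Generation slides, carried through in Python as an added example that is not part of the original slides. The toy primes, the sample message and the function names are assumptions made for illustration; this is textbook RSA on a bare integer (real use applies a padding scheme such as those in PKCS #1) and the exponentiation is not constant-time.

```python
from math import gcd

def modexp(x, e, n):
    """Left-to-right square-and-multiply for e >= 1.
    Returns (x^e mod n, number of modular multiplications used)."""
    x %= n
    y, mults = x, 0
    for bit in bin(e)[3:]:            # exponent bits after the leading 1
        y = y * y % n                 # square for every bit
        mults += 1
        if bit == "1":
            y = y * x % n             # extra multiply for each 1 bit
            mults += 1
    return y, mults

def make_key(p, q, e=2**16 + 1):
    """Key pair from two primes: n = pq, de = 1 mod lcm(p-1, q-1)."""
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    d = pow(e, -1, lam)               # modular inverse (Python 3.8+)
    return {"n": p * q, "e": e, "d": d, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}

def private_op_crt(x, k):
    """y = x^d mod n via two half-size modexps and the slide's recombination."""
    yp, _ = modexp(x, k["dp"], k["p"])          # y_p = x^(d mod p-1) mod p
    yq, _ = modexp(x, k["dq"], k["q"])          # y_q = x^(d mod q-1) mod q
    h = (yp - yq) * k["qinv"] % k["p"]          # (y_p - y_q) q^-1 mod p
    return h * k["q"] + yq

# Constructed toy values: two Mersenne primes stand in for 512-bit primes.
P, Q = 2**61 - 1, 2**31 - 1
KEY = make_key(P, Q)
MSG = 0x1234567890ABCDEF                        # sample input, below n

if __name__ == "__main__":
    sig = private_op_crt(MSG, KEY)
    print("CRT result matches x^d mod n:", sig == pow(MSG, KEY["d"], KEY["n"]))
    recovered, count = modexp(sig, KEY["e"], KEY["n"])
    print("public operation recovers input:", recovered == MSG)
    print("modmults for e = 2^16+1:", count)
    print("modmults for private exponent d:", modexp(MSG, KEY["d"], KEY["n"])[1])
```

The multiplication counts show why the public operation with a small $e$ needs only a few modmults, while the private operation scales with the bit length of $d$.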

Key and Data Sizes

• Nominal: about 1024 bits for signature, ciphertext, public key (+ e); 2560 bits for private key

• But many optimizations available:
  – 100 bits for private key with seed, offsets
  – 160-320 bits overhead for signatures with message recovery

Example Timings

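| Manufacturer | Device | Clock (MHz) | Coproc. | Sign (ms) | Verify (ms) |
|---|---|---|---|---|---|
| SGS-Thomson | ST16CF54B | 5 | MAP | 800 | 265 |
| SGS-Thomson | ST19CF68 | 10 | MAP | 400 | 150 |
| SGS-Thomson | ST19KF16 | 10 | MAP | 110 | 5 |
| Philips | P83W854 / 8 | indep. | FameX | 250 | 50 |
| Philips | P83W8516 / 32 | indep. | FameX | 160 | 25 |
| Siemens | SLE66CX160S | 5 | ACE | 230 | 24 |
| NEC | PD789828 | 40 | SuperMAP | 100 | 7 |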

Source: H. Handschuh and P. Paillier, “Smart Card Crypto-Coprocessors for Public-Key Cryptography,” RSA Laboratories’ CryptoBytes, Summer 1998 (www.rsa.com/rsalabs/pubs/cryptobytes)

RSA and ECC Advantages

• ECC advantages
  – signature generation / decryption speed
  – key pair generation speed
    • key agreement, forward secrecy
  – key and data sizes
  – GF($2^m$) option

• RSA advantages
  – signature verification / encryption speed
    • certificate-based key management
  – parameter generation speed (none)
  – security analysis

For more reading: M.J. Wiener, “Performance Comparisons of Public-Key Cryptosystems,” RSA Laboratories’ CryptoBytes, Summer 1998 (www.rsa.com/rsalabs/pubs/cryptobytes)

Interfaces and File Formats

• Interoperability is more than just the same algorithms and protocols

• Other aspects to consider:
  – physical interface (ISO 7816)
  – programming interface (PKCS #11)
  – information formats (PKCS #15)

PKCS: The Public-Key Cryptography Standards

• Informal, intervendor specifications

• Coordinated by RSA Laboratories, developed with the cryptography community

• More information:
  – www.rsa.com/rsalabs/pubs/PKCS

PKCS #11 / Cryptoki

• Programming interface for cryptographic tokens

• “Logical token” has objects, operations, access rights, independent of physical implementation

• Currently v2.01, revision in progress

PKCS #15: Information Formats

• Common formats for cryptographic objects
  – file formats in case of smart cards

• Coordination with several groups:
  – WAP Forum
  – DC/SC Forum
  – SEIS (Sweden)

• Draft available for comment

Conclusions

• Smart card security has many choices

• RSA cryptography a practical solution

• Interoperability also includes interfaces, file formats