Abstract
GlobalPlatform (GP) card specifications are the de facto standards for the industry of smart cards. Being highly sensitive, GP specifications were defined regarding stringent security requirements. In this paper, we analyze the cryptographic core of these requirements; i.e. the family of Secure Channel Protocols (SCP). Our main results are twofold. First, we demonstrate a theoretical attack against SCP02, which is the most popular protocol in the SCP family. We discuss the scope of our attack by presenting an actual scenario in which a malicious entity can exploit it in order to recover encrypted messages. Second, we investigate the security of SCP03 that was introduced as an amendment in 2009. We find that it provably satisfies strong notions of security. Of particular interest, we prove that SCP03 withstands algorithm substitution attacks (ASAs) defined by Bellare et al. that may lead to secret mass surveillance. Our findings highlight the great value of the paradigm of provable security for standards and certification, since unlike extensive evaluation, it formally guarantees the absence of security flaws.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsReferences
Aumüller, C., Bier, P., Fischer, W., Hofreiter, P., Seifert, J.-P.: Fault attacks on RSA with CRT: concrete results and practical countermeasures. In: Kaliski, B.S., Koç, K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 260–275. Springer, Heidelberg (2003). doi:10.1007/3-540-36400-5_20
Bard, G.V.: A challenging but feasible blockwise-adaptive chosen-plaintext attack on SSL. In: Proceedings of the International Conference on Security and Cryptography. SECRYPT 2006, pp. 7–10. INSTICC Press (2006)
Béguelin, S.Z.: Formalisation and verification of the GlobalPlatform card specification using the B method. In: Barthe, G., Grégoire, B., Huisman, M., Lanet, J.-L. (eds.) CASSIS 2005. LNCS, vol. 3956, pp. 155–173. Springer, Heidelberg (2006). doi:10.1007/11741060_9
Bellare, M., Desai, A., Jokipii, E., Rogaway, P.: A concrete security treatment of symmetric encryption. In: Proceedings of the 38th Annual Symposium on Foundations of Computer Science. FOCS 1997, pp. 394–403. IEEE (1997)
Bellare, M., Kilian, J., Rogaway, P.: The security of the cipher block chaining message authentication code. J. Comput. Syst. Sci. 61(3), 362–399 (2000)
Bellare, M., Kohno, T., Namprempre, C.: Authenticated encryption in SSH: provably fixing the SSH binary packet protocol. In: Proceedings of the 9th ACM Conference on Computer and Communications Security. CCS 2002, pp. 1–11. ACM (2002)
Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000). doi:10.1007/3-540-44448-3_41
Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. J. Cryptol. 21(4), 469–491 (2008)
Bellare, M., Paterson, K.G., Rogaway, P.: Security of symmetric encryption against mass surveillance. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 1–19. Springer, Heidelberg (2014). doi:10.1007/978-3-662-44371-2_1
Bellare, M., Rogaway, P., Wagner, D.: The EAX mode of operation. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 389–407. Springer, Heidelberg (2004). doi:10.1007/978-3-540-25937-4_25
Chen, Z.: Java Card Technology for Smart Cards: Architecture and Programmer’s Guide. Addison-Wesley Longman Publishing Co. Inc., Boston (2000)
Dai, W.: An attack against SSH2 protocol, email to the SECSH Working Group. ftp://ftp.ietf.org/ietf-mail-archive/secsh/2002-02.mail
Degabriele, J.P., Paterson, K., Watson, G.: Provable security in the real world. IEEE Secur. Priv. 9(3), 33–41 (2011)
Duong, T., Rizzo, J.: Here come the XOR Ninjas (2011). Unpublished
Dworkin, M.: Recommendation for block cipher modes of operation: methods and techniques. National Institute of Standards and Technology (NIST), NIST Special Publication 800–38A., December 2001
Dworkin, M.: Recommendation for block cipher modes of operation: the CMAC mode for authentication. National Institute of Standards and Technology (NIST), NIST Special Publication 800–38B, November 2001
EMVCo: EMVCo Specification. https://www.emvco.com/specifications.aspx
EMVCo: EMV card personalization specification - version 1.1. https://www.emvco.com/specifications.aspx?id=20
Feix, B., Thiebeauld, H.: Defeating ISO9797-1 MAC Algo 3 by combining side-channel and brute force techniques. Cryptology ePrint Archive, Report 2014/702 (2014)
Fouque, P.-A., Joux, A., Martinet, G., Valette, F.: Authenticated on-line encryption. In: Matsui, M., Zuccherato, R.J. (eds.) SAC 2003. LNCS, vol. 3006, pp. 145–159. Springer, Heidelberg (2004). doi:10.1007/978-3-540-24654-1_11
GlobalPlatform: The standard for managing applications on secure chip technology. https://www.globalplatform.org
GlobalPlatform: Secure channel protocol ‘3’ - card specification v2.2 - amendment d v1.1.1. http://www.globalplatform.org/specificationscard.asp
GlobalPlatform: GlobalPlatform card specification v2.3. http://www.globalplatform.org/specificationscard.asp
GlobalPlatform: About GlobalPlatform - security task force activities and achievements - 2016 activities and priorities (2016). https://www.globalplatform.org/aboutustaskforcesSecurity.asp
Hemme, L.: A differential fault attack against early rounds of (triple-)DES. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 254–267. Springer, Heidelberg (2004). doi:10.1007/978-3-540-28632-5_19
ISO/IEC JTC 1/SC 27: Information technology - security techniques - modes of operation for an n-bit block cipher. Technical report, International Organization for Standardization, February 2006
ISO/IEC JTC 1/SC 6: Information technology - ASN.1 encoding rules: specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER). Technical report, International Organization for Standardization, December 2002
Iwata, T., Kurosawa, K.: OMAC: one-key CBC MAC. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 129–153. Springer, Heidelberg (2003). doi:10.1007/978-3-540-39887-5_11
Joux, A., Martinet, G., Valette, F.: Blockwise-adaptive attackers revisiting the (in)security of some provably secure encryption modes: CBC, GEM, IACBC. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 17–30. Springer, Heidelberg (2002). doi:10.1007/3-540-45708-9_2
Katz, J., Lindell, Y.: Introduction to Modern Cryptography, 2nd edn. Chapman & Hall Book, Boca Raton (2015)
Katz, J., Yung, M.: Unforgeable encryption and chosen ciphertext secure modes of operation. In: Goos, G., Hartmanis, J., Leeuwen, J., Schneier, B. (eds.) FSE 2000. LNCS, vol. 1978, pp. 284–299. Springer, Heidelberg (2001). doi:10.1007/3-540-44706-7_20
Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 31–46. Springer, Heidelberg (2002). doi:10.1007/3-540-45708-9_3
Markantonakis, C.: The case for a secure multi-application smart card operating system. In: Okamoto, E., Davida, G., Mambo, M. (eds.) ISW 1997. LNCS, vol. 1396, pp. 188–197. Springer, Heidelberg (1998). doi:10.1007/BFb0030420
Mitchell, C.J.: Error Oracle attacks on CBC Mode: is there a future for CBC mode encryption? In: Zhou, J., Lopez, J., Deng, R.H., Bao, F. (eds.) ISC 2005. LNCS, vol. 3650, pp. 244–258. Springer, Heidelberg (2005). doi:10.1007/11556992_18
NXP Semiconductors Germany Gmbh: Nxp j3e081_m64, j3e081_m66, j2e081_m64, j3e041_m66, j3e016_m66, j3e016_m64, j3e041_m64 secure smart card controller. Common Criteria for Information Technology Security Evaluation, certification Report: NSCIB-CC-13-37761-CR2, August 2014
Oracle: Java card protection profile - closed configuration. Common Criteria for Information Technology Security Evaluation, certification Report: ANSSI-CC-PP-2010/07, December 2012
Paterson, K.G., Watson, G.J.: Authenticated-encryption with padding: a formal security treatment. In: Naccache, D. (ed.) Cryptography and Security: From Theory to Applications. LNCS, vol. 6805, pp. 83–107. Springer, Heidelberg (2012). doi:10.1007/978-3-642-28368-0_9
Rankl, W., Effing, W.: Smart Card Handbook, 4th edn. Wiley, Chichester (2010)
Rogaway, P.: Nonce-based symmetric encryption. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 348–358. Springer, Heidelberg (2004). doi:10.1007/978-3-540-25937-4_22
Rogaway, P.: Evaluation of some blockcipher modes of operation. Technical report, Cryptography Research and Evaluation Committees (CRYPTREC) for the Government of Japan (2011)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
A Proof of Proposition 1
We start by providing three definitions that we will use throughout our proof.
MAC Function. Here, we just recall how a MAC scheme is related to its MAC function. Let \(\mathcal {MA}[F] = (\mathcal {K},\mathcal {T},\mathcal {V})\) be a MAC scheme based on the MAC function F. F takes as input a key \(\mathsf {K}\) and a message M to output a tag \(\tau \). The tagging algorithm \(\mathcal {T}_{\mathsf {k}}\) and the verification algorithm \(\mathcal {V}_{\mathsf {k}}\) are defined as follows:
Truncated MAC. Let \(T: \{0,1\}^{n} \longrightarrow \{0,1\}^{n_{T}}\) be a transformation function. Let \(\mathcal {MA}[F] = (\mathcal {K},\mathcal {T},\mathcal {V})\) be a MAC scheme based on the MAC function F. We define the transformed MAC scheme \(T o \mathcal {MA} = (\mathcal {K},T o \mathcal {T},T o \mathcal {V})\) that uses ToF as its MAC function, where o denotes the composition operator. A truncated MAC is a transformed MAC in which T(.) is the \(\texttt {MSB}_{l}(.)\) function that takes a message as input and returns the l most significant (i.e. left-most) bits.
Tweak Chaining MAC2 ( \(\mathcal {TC}\text {-}\widetilde{\mathcal {MA}}2\) ). Let \(\widetilde{F}_{\mathsf {k}}: \{0,1\}^{n} \times \texttt {MSG} \longrightarrow \{0,1\}^{n}\) be a tweakable function and let \(\mathcal {TC}\text {-}\widetilde{\mathcal {MA}}\) be its associated chaining scheme. We define \(\mathcal {TC}\text {-}\widetilde{\mathcal {MA}}2\) as \(\mathcal {TC}\text {-}\widetilde{\mathcal {MA}}\) except that \(\mathcal {TC}\text {-}\widetilde{\mathcal {MA}}2\) operates on the entire tag returned by \(\widetilde{F}(.,.)\) and not only on its half as in \(\mathcal {TC}\text {-}\widetilde{\mathcal {MA}}\). Stated differently, \(\mathcal {TC}\text {-}\widetilde{\mathcal {MA}}2\) is a MAC scheme in which the MAC function F2 is defined as follows:
where chained is a static variable (i.e. maintains its value between calls) that was initialized with \(\mathbf {0}^{n}\).
Having thus presented the above definitions, we are now on a position to make our proof. Let \(\widetilde{F}_{\mathsf {k}}: \{0,1\}^{n} \times \texttt {MSG} \longrightarrow \{0,1\}^{n}\) be a tweakable function and let \(\mathcal {TC}\text {-}\widetilde{\mathcal {MA}}2[F2]\) be its associated tweak chaining MAC2 scheme. We notice that the \(\mathcal {TC}\text {-}\widetilde{\mathcal {MA}} = (\widetilde{\mathcal {K}},\widetilde{\mathcal {T}},\widetilde{\mathcal {V}})\) scheme presented in Definition 7 can be seen as the truncated MAC of \(\mathcal {TC}\text {-}\widetilde{\mathcal {MA}}2[F2]\), where \(T(.) = \texttt {MSB}_{n/2}(.)\). Thus, we denote the MAC function of \(\mathcal {TC}\text {-}\widetilde{\mathcal {MA}}\) as ToF2.
Consider any polynomial-time SUF-CMA adversary \(\mathbf {A}\) against \(\mathcal {TC}\text {-}\widetilde{\mathcal {MA}}\). Recall that \(\mathbf {A}\) can make two types of queries: tagging queries and verification queries. We suppose that \(\mathbf {A}\) makes q tagging queries. We associate two adversaries to \(\mathbf {A}\): an sPRF adversary \(\mathbf {B}\) against the MAC function F2 (or equivalently against \(\mathcal {TC}\text {-}\widetilde{\mathcal {MA}}2[F2]\)), and an \(\widetilde{\text {IND}}\)-CPA distinguisher \(\mathbf {D}\) against the tweakable function \(\widetilde{F}_{\mathsf {k}}\). Now, we state the following lemmas in which we define how the adversaries \(\mathbf {A}\), \(\mathbf {B}\) and \(\mathbf {D}\) interact between each other and from which the Proposition 1 follows directly.
Lemma A.1
\(\mathbf {Adv}_{\mathcal {TC}\text {-}\widetilde{\mathcal {MA}}}^{\textit{suf-cma}}(A) = \mathbf {Adv}_{F2}^{\textit{sprf}}(B) + 1/2^{n/2}\)
Lemma A.2
\(\mathbf {Adv}_{F2}^{\textit{sprf}}(B) \le \mathbf {Adv}_{\widetilde{F}}^{\widetilde{\textit{ind}}{} \textit{-cpa}}(D) + \mathsf {Pr[Col]} + \mathsf {Pr[Col_{q}]} \)
Lemma A.3
\(\mathsf {Pr[Col]} \le q^{2}/2^{n}\)
Proof of Lemma A.1 : Recall that \(\mathbf {B}\) has access to the oracle \(\mathcal {O}\) and her goal is to distinguish whether \(\mathcal {O}\) is the MAC function F2 or the stateful random oracle \(\mathcal {R}_{\mathcal {S}}\). Recall also that the MAC function of \(\mathcal {TC}\text {-}\widetilde{\mathcal {MA}}\) is ToF2. The algorithm \(\mathbf {B}\) is described below:
We can see that \(\mathbf {B}\) perfectly simulates the answers to \(\mathbf {A}\). In addition, \(\mathbf {B}\) returns 1 (i.e. guesses that the oracle \(\mathcal {O}\) is the MAC function F2) when \(\mathbf {A}\) succeeds in forging a tag. Therefore, the following relation holds:
where we use the equivalent notation in which we note that the adversary \(\mathbf {A}\) has access to the MAC function as oracle instead of the tagging/verification oracles.
By definition of strong unforgeability of the MAC scheme \(\mathcal {TC}\text {-}\widetilde{\mathcal {MA}}\) (see Definition 2), the advantage of \(\mathbf {A}\) is defined by the probability of her success when she has access to the oracle ToF2. Therefore, we have:
Now, we examine \(\mathsf {Pr}[\mathbf {A}^{T o \mathcal {R}_{\mathcal {S}}} \text { forges}]\), which is equal to the probability that \(\mathbf {A}\) forges against a MAC scheme that has \(T o \mathcal {R}_{\mathcal {S}}\) as its MAC function. Recall that \(\mathcal {R}_{\mathcal {S}}\) is a random oracle. Let us suppose that \((M,\tau )\) is the forging query that \(\mathbf {A}\) uses to break the scheme. Therefore, the following relations holds: \(\tau = T\left( \mathcal {R}_{\mathcal {S}}(M)\right) \). Thus, we conclude our proof by showing that we have:
Proof of Lemma A.2 : Here, we consider any sPRF adversary \(\mathbf {B}\) against F2 and we associate it to a particular \(\widetilde{\text {IND}}\)-CPA distinguisher \(\mathbf {D}\) against the tweakable function \(\widetilde{F}_{\mathsf {k}}: \{0,1\}^{n} \times \texttt {MSG} \longrightarrow \{0,1\}^{n}\). Recall that \(\mathbf {D}\) has access to the oracle \(\mathcal {O}(.,.)\) and her goal is to distinguish whether \(\mathcal {O}\) is \(\widetilde{F}_{\mathsf {k}}(.,.)\) or \(\widetilde{\mathcal {R}}(.,.)\), where \(\widetilde{\mathcal {R}}(.,.)\) is a function that, on input (T, M), returns n-bit random strings. Recall also that \(\mathbf {D}\) is a tweak-respecting adversary (i.e. does not repeat tweak). We define the algorithm of \(\mathbf {D}\) as follows:
where \(\mathsf {S}\) is a multiset in which values can repeat. We argue that when \(\mathsf {S}\) does not contain the same value twice, \(\mathbf {D}\) is perfectly simulating \(\mathbf {B}\)’s execution environment. This is true because \(\widetilde{F}(.,.)\) is no distinguishable from the random oracle \(\widetilde{\mathcal {R}}(.,.)\) only against tweak-respecting adversaries. We illustrate the importance of such a condition by an example. In our example, we take \(\widetilde{\text {OMAC}}(T,M)\ (= \text {OMAC}(T||M))\) as the tweakable function \(\widetilde{F}(.,.)\). Now, we show that \(\mathbf {B}\) can easily see under the simulation environment that she is not interacting with a random oracle. \(\mathbf {B}\) knows that the initial tweak (i.e. state) is \(\mathbf {0}^{n}\) and queries \(M_{1} = \mathbf {0}^{n}\) to receive \(\tau _{1}\) from her oracle. Then, let T be a tweak that repeats twice. For the first occurrence of T, \(\mathbf {B}\) queries \(M_{2} = \mathbf {0}^{n}\) to receive \(\tau _{2}\) and for its second occurrence she queries \(M_{2} = \mathbf {0}^{n}\,||\,\tau _{2}\,||\,\mathbf {0}^{n}\) to receive \(\tau _{3}\). It is easy to see that \(\tau _{1} = \tau _{3}\) when \(\mathcal {O} = \widetilde{F}_{\mathsf {k}}(.,.)\ ({\ne }\widetilde{\mathcal {R}}(.,.))\). Indeed, we have
Thus, from \(\mathbf {D}\)’s algorithm, we can see that
where \(\mathsf {Pr[S]}\) is the probability that the multiset \(\mathsf {S}\) contains duplicate values.
By using the two above relations, we get
where \(\mathsf {Pr[Col_{q}]}\) is the collision probability of the tweakable function \(\widetilde{F}\) after q messages. Thus, our proof ends.
Proof of Lemma A.3 : Informally speaking, the lemma means that the set \(\{x: x_{0} = \mathbf {0}^{n},\ x_{i} = \mathcal {R}(x_{0},.)\}\) has asymptotically negligible probability to include duplicate values. Recall that q is the number of \(\mathbf {B}\)’s queries. We start our proof by making induction on q. For all \(q \ge 1\), we prove that
Then, we conclude our proof by noticing that \(q(q+1)/2^{n+1} \le q^{2}/2^{n}\).
Base case. When \(q = 1\), the right side of (2) is \(1/2^{n}\). Now, let’s look at the left side. After only one call, there are two elements in \(\mathsf {S}\): \(\left\{ \mathbf {0}^{n}, y\right\} \), where \(y \longleftarrow \mathcal {R}(\mathbf {0}^{n}, .)\). Thus, \(\mathsf {Pr[Col]} = \mathsf {Pr}[x \mathop {\leftarrow }\limits ^{R} \{0,1\}^{n}, x = \mathbf {0}^{n}]\), which is equal to \(1/2^{n}\).
Induction step. Suppose that the Eq. 2 is true for \(q = m - 1\). Here, \(x_{i}\) denotes the ith element of the multiset \(\mathsf {S}\). After \(q = m\) calls, we have
Hence, the Eq. 2 holds for \(q=m\), and the induction step is complete.
B Proof of Theorem 1
Recall that \(\mathbf {A}\) can make two types of queries: encryption queries and decryption queries. We denote \(\mathbf {A}\)’s i-th encryption query as \(M_{i}\) and the returned ciphertext as \(C_{i} = \sigma _{i}||\tau _{i}\). We denote \(\mathbf {A}\)’s i-th decryption query as \(C'_{i} = \sigma '_{i}||\tau '_{i}\) and the returned message as \(m_{i}\). We associate to \(\mathbf {A}\) an SUF-CMA forger \(\mathbf {F}\) against \(\mathcal {TC}\)-\(\widetilde{\mathcal {MA}}\). This association is similar to the one given in the Case 1 of Theorem 4: \(\mathbf {F}\) generates a key \(\mathsf {K1}\in \texttt {Key}\) that she uses for the encryption/decryption algorithms of Sf-n\(\mathcal {SE}\). We recall that the forger \(\mathbf {F}\) has access to two oracles: a tagging oracle \(\widetilde{\mathcal {T}}_{\mathsf {k2}}\) and a verification oracle \(\widetilde{\mathcal {V}}_{\mathsf {k2}}\), where the key \(\mathsf {K2}\) is independent from \(\mathsf {K1}\). Below, we describe our trivial association.
-
1.
When \(\mathbf {A}\) makes an encryption query M, \(\mathbf {F}\) outputs \(\sigma \longleftarrow \mathsf {Enc}\left( n\mathcal {E}_{\mathsf {k1}}\text {-Sf}(M)\right) \). Then, she queries \(\sigma \) to her tagging oracle \(\widetilde{\mathcal {T}}_{\mathsf {k2}}\) and receives \(\tau \) in response. Finally, she outputs \(C = \sigma \,||\,\tau \) to \(\mathbf {A}\).
-
2.
When \(\mathbf {A}\) makes a decryption query \(C = \sigma \,||\,\tau \), the forger \(\mathbf {F}\) queries \(\tau \) to her verification oracle \(\widetilde{\mathcal {V}}_{\mathsf {k2}}\) and receives a binary value b. If b is false, then \(\mathbf {F}\) halts after outputting \(\bot \). Otherwise, \(\mathbf {F}\) computes \(n\mathcal {D}_{\mathsf {k1}}\text {-Sf}\left( \mathsf {Dec}(\sigma )\right) \) and outputs the result to \(\mathbf {A}\).
-
3.
When \(\mathbf {A}\) wins in her INT-SFCTXT experiment, namely providing a new valid out-of-sync decryption query \(C = \sigma \,||\,\tau \), then \(\mathbf {F}\) stops and attempts to evaluate the pair \((\sigma ,\tau )\) in order to see whether she succeeds in her forgery. The different cases are presented below in the proof of Lemma B.1.
Now, suppose \(\mathbf {A}\) has made q encryption queries and d decryption ones. Let j be the index of \(\mathbf {A}\)’s first out-of-sync decryption query. We only consider the first out-of-sync query because if it fails, the decryption algorithm will return \(\bot \) and halt for all ensuing queries (see our discussion about the approach of halting state in Sect. 4.1). We define two events in case the \(\mathbf {A}\)’s j-th decryption query succeeds: (1) \(\mathsf {Col}\): \(\exists i \le q\) such that \(\tau '_{j} = \tau _{i}\) and \(i \ne j\); (2) \(\mathsf {Bad}\): \(q \ge j\), \(\tau '_{j} = \tau _{j}\) and \(m_{j} = M_{j}\). We state the following lemmas from which Theorem 1 follows directly (using Proposition 1).
Lemma B.1
\(\mathbf {Adv}_{\text {Sf-nEtTw}}^{\text {int-sfctxt}}(A) \le \mathbf {Adv}_{\mathcal {TC}\text {-}\widetilde{\mathcal {MA}}}^{\text {suf-cma}}(F) + \mathsf {Pr[q\text {-}Col]} + \mathsf {Pr[Bad]}\)
Lemma B.2
\(\mathsf {Pr[Bad]} = 0\)
Proof of Lemma B.1 : As said previously, \(\mathbf {A}\) made q encryption queries before her first out-of-sync query (\(\mathcal {Q}\)) which is the j-th decryption query \((C'_{j} = \sigma '_{j}\,||\,\tau '_{j})\). We define the following events.
If \(\mathcal {Q}\) fails, then \(\mathbf {A}\) cannot win any more, since the decryption algorithm will return \(\bot \) for any subsequent query. Therefore, \(\mathbf {Adv}_{\text {Sf-nEtTw}}^{\textit{int-sfctxt}}(A) = \mathsf {Pr}[E]\). Considering the different events, we have \(\mathsf {Pr}[E] = \mathsf {Pr}[E_{1} \vee E_{2,2,2}] + \mathsf {Pr}[E_{2,1}] + \mathsf {Pr}[E_{2,2,1}]\).
Now, we study the probabilities of these events. We can see that \(E_{2,1}\) corresponds to the event \(\mathsf {Col}\), since it implies that \(\tau '_{j}\) has already been produced before and that was not during the j-th encryption query (this includes the fact that \(\mathbf {A}\) might not have made j encryption queries yet). Concerning \(E_{2,2,1}\), it is easy to see that it satisfies the definition of the \(\mathsf {Bad}\) event. Consequently, we have
We conclude the proof by examining \(\mathsf {Pr}[E_{1} \vee E_{2,2,2}]\) and \(\mathsf {Pr[Col]}\).
\(\pmb {\mathsf {Pr}[E_{1} \vee E_{2,2,2}]}\). We notice that when the event \(E_{1} \vee E_{2,2,2}\) occurs, (i.e. the j-th decryption oracle \(C'_{j} = \sigma '_{j}\,||\,\tau '_{j}\) does not return \(\bot \)), then the forger \(\mathbf {F}\) succeeds in finding an SUF-CMA forgery against \(\mathcal {TC}\)-\(\widetilde{\mathcal {MA}}\), since the two events ensure that the pair \((m_{j},\tau '_{j})\) was never produced before by the oracle \(\widetilde{\mathcal {T}}_{\mathsf {k2}}\).
Indeed, the event \(E_{1}\) implies that \(\tau '_{j}\) has never been queried to \(\widetilde{\mathcal {T}}_{\mathsf {k2}}\), while the event \(E_{2,2,2}\) implies that the tag \(\tau '_{j}\) has never been obtained from querying the oracle \(\widetilde{\mathcal {T}}_{\mathsf {k2}}\) with \(\sigma '_{j}\) as input. This is because for any state i, the following implication is asymptotically true (i.e. n\(\mathcal {E}_{\mathsf {k}}\text {-Sf}(.)\) is injective):
Therefore, \(\tau '_{j}\) \((= \tau _{j})\) was computed for \(\sigma _{j} = n\mathcal {E}_{\mathsf {k1}}\text {-Sf}(M_{j})\) which is different from \(\sigma '_{j}\) (i.e. \(\sigma _{j} \ne \sigma '_{j})\), since \(\sigma '_{j} = n\mathcal {E}_{\mathsf {k1}}\text {-Sf}(m_{j})\) and \(M_{j} \ne m_{j}\).
Thus, we have
\(\pmb {\mathsf {Pr[Col]}}\). As previously pointed out, \(\mathsf {Pr[Col]} = \mathsf {Pr}[\exists i \ne j \text { such that } \tau '_{j} = \tau _{i}]\). This means that for two different states the following equality holds:
The above relation supposes that the adversary should find a collision against \(\mathcal {TC}\)-\(\widetilde{\mathcal {MA}}\) after q invocations to the \(\widetilde{\mathcal {T}}_{\mathsf {k2}}(.)\) oracle, which corresponds to find a state \(i (\ne j)\) such that the related MAC tag is equal to the one computed for the state j. By looking at the construction of \(\mathcal {TC}\text {-}\widetilde{\mathcal {MA}}\) in Definition 7, we find that \(\mathsf {Pr[Col]}\) is equivalent to the probability of encountering a collision against the underlying tweakable function \(\widetilde{F}_{\mathsf {k2}}(.,.)\). Stated differently, we have
where, we recall that, given a message M and a list \(\mathsf {S}\) containing q outputs of \(\widetilde{F}_{\mathsf {k}2}\), \(\mathsf {Pr[q\text {-}Col]}\) is the probability that \(\widetilde{F}_{\mathsf {k2}}(M) \in \mathsf {S}\).
Proof of Lemma B.2 : The event \(E_{2,2,1}\) includes all the following events: (1) \(q \ge j\); (2) the decryption query \(C'_{j} = \sigma '_{j}||\tau '_{j}\) is out-of-sync, hence \(C_{j} \ne C'_{j}\); (3) \(\sigma '_{j} \ne \sigma _{j}\), since \(\tau '_{j} = \tau _{j}\); and (4) \(m_{j} = M_{j}\). We notice that the events 3 and 4 are contradictory, and therefore \(\mathsf {Pr[Bad]} = 0\). Indeed, recall that \(n\mathcal {SE} = (\mathcal {K}, n\mathcal {E}, n\mathcal {D})\) encrypts messages using a deterministic algorithm. Therefore, for a fixed nonce N, \(n\mathcal {E}_{\mathsf {k1}}(N, M_{1}) \ne n\mathcal {E}_{\mathsf {k1}}(N, M_{2})\) implies that \(M_{1} \ne M_{2}\). Also, we notice that the encryption and the decryption states were in-sync prior to the j-th decryption query. This means that the associated Sf-n\(\mathcal {SE} = (\mathcal {K}\text {-Sf}, n\mathcal {E}\text {-Sf}, n\mathcal {D}\text {-Sf})\) has called \(n\mathcal {SE}\) algorithms with the same nonce for each state. Thus, the event 3 entails \(\sigma '_{j} = n\mathcal {E}_{\mathsf {k1}}\text {-Sf}(m_{j}) \ne n\mathcal {E}_{\mathsf {k1}}\text {-Sf}(M_{j}) = \sigma _{j}\), which implies \(m_{j} \ne M_{j}\). This concludes our proof, since the event 4 is \(m_{j} = M_{j}\).
C Collision Probabilities
1.1 C.1 OMAC Collision Probabilities
Here, we state two Results proved in [28] about collisions in OMAC.
Result C.1
[\(\mathsf {Pr[Col]_{2}}\)]. Let \(E_{\mathsf {k}}\) be a block cipher of size l and let \(\text {OMAC}[E_{\mathsf {k}}]\) be its associated OMAC scheme. For the sake of simplicity, we only consider messages M whose length is a multiple of l (i.e. |M| / l is an integer). Given a message M, we denote by \(\mu \) the number of its blocks, namely \(\mu = |M|/l\). Consider two messages M and \(M'\), then the following relation characterizes the probability of the OMAC collision:
Result C.2
[\(\mathsf {Pr[Col]_{q}}\)]. Let \(E_{\mathsf {k}}\) be a block cipher of size l and let \(\text {OMAC}[E_{\mathsf {k}}]\) be its associated OMAC scheme. For the sake of simplicity, we only consider messages M whose length is a multiple of l (i.e. |M| / l is an integer). Given a message M, we denote by \(\mu \) the number of its blocks, namely \(\mu = |M|/l\). Given a list \(\mathcal {Q}\) of q messages, the following relation characterizes the probability of the OMAC collision on \(\mathcal {Q}\):
1.2 C.2 Proof of Lemma 5.1
We need to compute both \(\mathsf {Pr[Col_{q}]}\) and \(\mathsf {Pr[q\text {-}Col]}\). The case of \(\mathsf {Pr[Col_{q}]}\) is easy and it can be immediately obtained from Result C.2. Concerning the case \(\mathsf {Pr[q\text {-}Col]}\), it can be calculated from Result C.1. Indeed, given a message M and a list \(\mathsf {S}\), \(\mathsf {Pr[Col_{q}]}\) can be expressed as the sum of the collision probabilities \(\mathsf {Pr[Col_{2}^{i}]}\) between M and a message \(M_{i}\) for all \(M_{i} \in \mathsf {S}\). Here, \(M_{\text {max}}\) denotes any message of maximum length and \(\mu _{\text {max}}\) denotes its number of blocks. Therefore, we have
From all the relations above, we have
which is asymptotically negligible.
Rights and permissions
Copyright information
© 2016 Springer International Publishing AG
About this paper
Cite this paper
Sabt, M., Traoré, J. (2016). Cryptanalysis of GlobalPlatform Secure Channel Protocols. In: Chen, L., McGrew, D., Mitchell, C. (eds) Security Standardisation Research. SSR 2016. Lecture Notes in Computer Science(), vol 10074. Springer, Cham. https://doi.org/10.1007/978-3-319-49100-4_3
Download citation
DOI: https://doi.org/10.1007/978-3-319-49100-4_3
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-49099-1
Online ISBN: 978-3-319-49100-4
eBook Packages: Computer ScienceComputer Science (R0)