Fooling primality tests on smartcards

Warning

This publication doesn't include Faculty of Arts. It includes Faculty of Informatics. Official publication website can be found on muni.cz.
Authors

SEDLÁČEK Vladimír, JANČÁR Ján, ŠVENDA Petr

Year of publication 2020
Type Article in Proceedings
Conference 25th European Symposium on Research in Computer Security (ESORICS) 2020
MU Faculty or unit

Faculty of Informatics

Doi http://dx.doi.org/10.1007/978-3-030-59013-0_11
Keywords ECC; primality; pseudoprimes; smartcards
Description We analyse whether the smartcards of the JavaCard platform correctly validate the primality of domain parameters. The work is inspired by Albrecht et al. (Prime and Prejudice) [1], where the authors analysed many open-source libraries and constructed pseudoprimes fooling the primality testing functions. However, in the case of smartcards, there is often no way to invoke the primality test directly, so we trigger it by replacing (EC)DSA and (EC)DH prime domain parameters with adversarial composites. Such a replacement results in vulnerability to Pohlig-Hellman [30] style attacks, leading to private key recovery. Out of the nine smartcards we tested (produced by five major manufacturers; see https://crocs.fi.muni.cz/papers/primality_esorics20 for more information), all but one have no primality test in parameter validation. As the JavaCard platform provides no public primality testing API, the problem cannot be fixed by an extra parameter check, making it difficult to mitigate in already deployed smartcards.