ietf-openpgp

Financial RSA crack case study: Carte Bleue & PostFinance debit cards [was: how to specify "trust no signatures over hash X from this key"?]

2009-05-24 06:38:09

On Sat, May 23, 2009 at 12:12:00PM +0200, Ian G wrote:
> On 23/5/09 01:24, Lionel Elie Mamane wrote:
>> On Wed, May 06, 2009 at 12:27:13AM +0200, Ian G wrote:

>>> The predictions of the end of the world are premature.  Note that nobody
>>> has stolen money through an MD5 as yet, and nobody has stolen money
>>> because of an RSA-512, either.

>> Maybe, but people have stolen money because of "too small RSA"
>> keys. It was RSA-320, not RSA-512. According to my sources, up to and
>> including in the year 2007 (I don't know when it was stopped or
>> whether it was). Because the debit card of the swiss PostFinance was
>> using RSA-320 for authentication. As was the whole debit / credit card
>> system in France until the early 21st century; it seems there were
>> cases of theft up to 2001 in France.

> Well, this is an important benchmark, if it indeed happened.

> The questions would be: was the RSA cracked, or was it something
> else that failed?

Executive summary: The RSA was cracked, but that is not the only non
social-engineering-or-physical attack on the system. AFAIK the RSA
crack came after the other attacks were already used in the wild.

All the information here comes from the websites I linked to, or from
my memory of the media stories in France in 1999/2000 or talk at the
CCC, translated when needed.

AFAIK, the French "Carte Bleue" cards issued before 1999 and the Swiss
PostFinance cards issued up to 2007 (and possibly later) are exactly
the same cards. I suppose the RSA key is not the same between the two systems,
but it is the same modulus length (320 bits). The system around it
(blacklisting bad cards, when to do an on-line check before accepting
payment, ...) may vary, I don't know.

The system has/had other security problems, but when the "factorise
the RSA public key modulus" attack got practical, it got done,
too. Especially since the factorisation started to float on the
Internet. The RSA key is not a key per card, it is the global issuer
key, that (if I remember well) signs the card info to certify that
this card is a valid one that shall be accepted for payment.

In particular, the debit cards can/could be cloned without any
cryptographic attack (the information you need to successfully clone
is readable in cleartext without authenticating to the
smartcard). This attack requires brief access to the debit card of a
victim, and allows only making payments debited from the victim's
account, until he notices and the card number is put in the blacklist
of repudiated cards. AFAIK, in France it didn't require knowing the
PIN code of the original for payment in shops (below a certain amount
(no on-line check, only off-line between the card and the terminal) or
when the on-line checking server is blacklist-based instead of
whitelist-based), because the payment terminal asks the smartcard if
the entered PIN code is the right one; you just program the cloned
smartcard to always say yes. However, using the cloned card in ATMs
usually _did_ require knowing the right PIN, because ATMs did not use
the smartcard but the magnetic strip on the back. (There were some
attacks other than "watch the rightful owner type the PIN" to get the
right PIN; it was on the magnetic stripe and circulated over phone
lines DES-encrypted (one key per issuer bank), some ATMs contained a
copy of the key, so stealing an ATM of that bank would allow getting
the key, ...)

Access to the RSA secret key allows creating "ex nihilo" (without
access to a genuinely issued card) cards accepted for payment by
payment terminals, but that are/were not necessarily linked to a bank
account. In France, you needed to rotate the cards every day (or
reprogram your card with a fresh number), because any card number
accepted for payment but not linked to an account got blacklisted in
the night. If you happen (by chance or design, e.g. by reading it off
a receipt found in a dustbin) to hit an issued number, the
corresponding bank account would be debited and the number blacklisted
only when the card holder notices. Because some banks had predictable
(from the old number) new card numbers when reissuing, the attacker
could then forge the new card (without access to it) and attack the
same holder again.

> What's with the 320 number?

I don't understand the question.

> Secondly, was money stolen because of this?  I noticed that CCC is
> in those links, and that indicates more of a "demo" quality.

The CCC talk came years after the speaker had warned the authorities
(both the directors of the post and the federal government ministry
responsible for oversight of the post), and they failed to address the
problem, they were still issuing cards "secured" by RSA-320. Noticing
the problem in Switzerland itself came years after it hit mainstream
media in France and France solved the problem (first by moving to dual
RSA-320 and RSA-768 for newly issued cards in 1999 with a transition
period originally scheduled to go into 2004, during which old cards,
signed only by RSA-320, were still accepted; I think they then moved to the
EMV system, which was then scheduled to use 786 or 1024 bit keys. I'm
not sure at what date exactly they turned off acceptance of old
RSA-320 cards.).

The "create an accepted-for-payment card ex-nihilo knowing the RSA
secret key" attack was demonstrated in France in mid-1998. The guy did
it because the banks claimed not to believe him and to want proof. He
was then charged (criminally) and sentenced in February 2000 to a
suspended prison sentence, symbolic 1,- EUR damages, 12000,- EUR
opposing counsel's fees and confiscation of his computer and smartcard
equipment. He went public to the press with the story in 1999. He did
ask the banks to pay him a fee for him to explain the attack to them
and explain how to fix it; the banks called that extortion in the PR
war, but he was never charged with anything having remotely to do with
extortion. He also lost his employment as a consequence of the affair in
1999.

The CCC speaker was adamant that the attack was in the wild, had been
for more than two years (by December 2006) and the post refused to
reimburse victims fully. For example, he told the story of an elderly
man whose account was debited (for significant amounts) while he was
in surgery. If I remember well, that person only got 10% of the stolen
amount back. I don't remember him saying that explicitly, but my
context-in-the-talk understanding was that this would have been
through the "I know the RSA secret key" (RSA-factorisation) attack,
not a cloning attack. Whether his card number was taken by chance,
read off a receipt or written down by a cashier, I don't know.

In France, a case from November 2001:
http://www.parodie.com/monetique/breveyescard_porteur_21112001.htm

Naturally, the banks in France and post in Switzerland were mum about
details of fraud statistics (and claimed throughout the affairs that
the system was secure); so we don't have statistics of how much fraud
was committed through the RSA crack and how much through other
attacks. It is also hard to know whether a particular theft was done
by cloning or ex-nihilo creation (using the RSA crack). Obviously all
victims will say they never left their card in untrusted hands. But the
cloning could have happened in a twisted payment terminal, that the
victim mistook for a bona fide one. Especially since that terminal
still allowed her to pay and debited her account!


However, you have to realise that all building blocks were
out in the open on the Internet:

 - ASM code to program smartcards to emulate a debit card

 - factorisation of the RSA modulus (in France; for Switzerland in
   2007, your home computer could do the factorisation within one
   hour, if I remember well), in a Usenet post indexed by DejaNews /
   Google Groups.

 - obviously, the RSA algorithm itself (how to compute the secret key
   from the two primes, how to compute a signature, ...)

 - the exact specification of what data has to be on the card and
   signed

 - smartcard readers / programmers / blank cards were already rather
   cheap at the time.

I would find it hard to believe that such an easy and well documented
attack would not have been exploited, especially since it is so much
more powerful than previous attacks and does not give any additional
risk to the criminal.

(To add insult to injury, some attacks were already documented in the
scientific literature by 1988/1990, that is before the system got
deployed, in 1993!)

> Unfortunately my French & German isn't up to it, often a problem
> when results come from other countries.

Is there any other information you would like?

-- 
Lionel
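
Added example, not part of the original message and not code from any card scheme: a terminal-side acceptance check for the dual-signature transition described above, in which a card is accepted only if a signature verifies under an issuer key of at least a minimum modulus length. The keys are toy textbook-RSA keys built from known Mersenne primes, and the card data format, names and thresholds are assumptions made for illustration.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def make_key(p, q):
    # Textbook RSA key pair from two known Mersenne primes: constructed and insecure.
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

# Constructed stand-ins for the issuer's short legacy key and its longer replacement.
LEGACY = make_key(2**89 - 1, 2**107 - 1)    # 196-bit modulus
STRONG = make_key(2**521 - 1, 2**607 - 1)   # 1128-bit modulus
# The terminal holds public moduli only.
ISSUER_PUBLIC = {"legacy": LEGACY["n"], "strong": STRONG["n"]}

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    # Issuer side, unpadded RSA for illustration only.
    return pow(digest(data, key["n"]), key["d"], key["n"])

def issue(data, keys):
    return {"data": data, "sigs": {name: sign(k, data) for name, k in keys.items()}}

def accept(card, min_bits):
    """Accept only if a signature verifies under an issuer key of at least min_bits."""
    for name, sig in card["sigs"].items():
        n = ISSUER_PUBLIC.get(name)
        if n is None or n.bit_length() < min_bits:
            continue  # unknown key, or key too short to be trusted on its own
        if pow(sig, E, n) == digest(card["data"], n):
            return True
    return False

# Constructed sample cards: one signed by the legacy key only, one dual-signed.
OLD_CARD = issue(b"PAN=0000000000000000;EXP=0000", {"legacy": LEGACY})
NEW_CARD = issue(b"PAN=1111111111111111;EXP=0000", {"legacy": LEGACY, "strong": STRONG})

TRANSITION, AFTER_CUTOFF = 0, 768  # minimum modulus bits the terminal demands

if __name__ == "__main__":
    for label, card in (("legacy-only", OLD_CARD), ("dual-signed", NEW_CARD)):
        print(label, accept(card, TRANSITION), accept(card, AFTER_CUTOFF))
```

While the terminal runs with the transition threshold, a signature under the short key alone is still sufficient, so the system stays exactly as strong as that key until the cutoff is enforced.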