Paper 2020/855

Fooling primality tests on smartcards

Vladimir Sedlacek, Jan Jancar, and Petr Svenda

Abstract

We analyse whether the smartcards of the JavaCard platform correctly validate primality of domain parameters. The work is inspired by the paper Prime and prejudice: primality testing under adversarial conditions, where the authors analysed many open-source libraries and constructed pseudoprimes fooling the primality testing functions. However, in the case of smartcards, there is often no way to invoke the primality test directly, so we trigger it by replacing (EC)DSA and (EC)DH prime domain parameters with adversarial composites. Such a replacement results in vulnerability to Pohlig-Hellman style attacks, leading to private key recovery. Out of the nine smartcards (produced by five major manufacturers) we tested, all but one have no primality test in parameter validation. As the JavaCard platform provides no public primality testing API, the problem cannot be fixed by an extra parameter check, making it difficult to mitigate in already deployed smartcards.
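The host-side check the abstract says the card itself cannot perform, as an added illustration (not code from the paper or from any card vendor): a strong probable-prime test run with a short hard-coded base list, as some libraries do, accepts the well-known pseudoprime 3215031751 = 151 · 751 · 28351, while the same test with random bases rejects it; the domain-parameter validator built on the random-base test is then run on two constructed toy parameter sets, one valid and one with a composite subgroup order q, which is the Pohlig-Hellman condition the abstract describes. All parameter values and function names here are constructed for the example.

```python
import secrets

def miller_rabin(n: int, bases) -> bool:
    """Strong probable-prime test: False as soon as a base witnesses that n is
    composite, True if every base given is a (possible) strong liar."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    d, s = n - 1, 0          # n - 1 = 2**s * d with d odd
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        a %= n
        if a in (0, 1, n - 1):   # trivial bases carry no information
            continue
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False         # a is a witness: n is certainly composite
    return True

FIXED_BASES = (2, 3, 5, 7)       # stands in for a library with a short fixed base list

def fixed_base_probable_prime(n: int) -> bool:
    return miller_rabin(n, FIXED_BASES)

def random_base_probable_prime(n: int, rounds: int = 32) -> bool:
    """Random bases in [2, n-2]: no fixed pseudoprime can be prepared against them."""
    if n < 4:
        return n in (2, 3)
    return miller_rabin(n, (2 + secrets.randbelow(n - 3) for _ in range(rounds)))

def validate_dsa_domain(p: int, q: int, g: int) -> list[str]:
    """Checks a caller can run on (p, q, g) before handing them to a card."""
    problems = []
    if not random_base_probable_prime(p):
        problems.append("p is not prime")
    if not random_base_probable_prime(q):
        problems.append("q is not prime (smooth subgroup order: Pohlig-Hellman applies)")
    if (p - 1) % q != 0:
        problems.append("q does not divide p-1")
    if not 1 < g < p or pow(g, q, p) != 1:
        problems.append("g does not generate a subgroup of order q")
    return problems

PSEUDOPRIME = 3215031751         # = 151 * 751 * 28351, strong pseudoprime to bases 2, 3, 5, 7
```

With `validate_dsa_domain(23, 11, 2)` (constructed toy parameters) the list is empty, while `validate_dsa_domain(31, 15, 10)` reports the composite q even though g does satisfy g^q = 1 mod p.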

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
Published elsewhere. ESORICS 2020
Keywords
pseudoprimes, primality testing, JavaCard, (EC)DSA, (EC)DH
Contact author(s)
vlada sedlacek @ mail muni cz
History
2020-07-12: received
Short URL
https://ia.cr/2020/855
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2020/855,
      author = {Vladimir Sedlacek and Jan Jancar and Petr Svenda},
      title = {Fooling primality tests on smartcards},
      howpublished = {Cryptology ePrint Archive, Paper 2020/855},
      year = {2020},
      note = {\url{https://eprint.iacr.org/2020/855}},
      url = {https://eprint.iacr.org/2020/855}
}