Showing posts with label Protocol for Lightweight Authentication of Identity. Show all posts
Showing posts with label Protocol for Lightweight Authentication of Identity. Show all posts

Friday, November 7, 2014

Australian Department of Human Services Releases an Auth Mechanism Called PLAID and it Stinks

Recently a division of the Australian Department of Human Services released an authentication mechanism to secure smart card transactions. They named their creation Protocol for Lightweight Authentication of Identity, or PLAID. The plan was to allow other Australian government agencies to use the auth protocol for free. Feeling very sure of themselves, Ozzy's DHS released the protocol for inspection.

A group of cryptographers from two universities stepped up to do the deed. The Information Security Group of Royal Holloway, University of London was one such school. Representing the Continent was Cryptoplexity of Technische Universität Darmstadt, Germany. And do the deed they did.

As it turns out, PLAID is a lemon. It does just about everything wrong. It implements an RSA encryption function poorly, which is a bit suspicious given RSA's recent history with that Five Eyes Intelligence service from the Western hemisphere we all love to hate, the NSA. Beyond that, the function is vulnerable to essentially ancient and incredibly basic statistical attacks.

There is more, much more. Those using Australian smart cards, or in a position where they may have to use such cards, should familiarize themselves with the report from ISG and Cryptoplexity.

RAT Bastard

Earlier this week, several servers I maintain were targeted by automated attempts to upload a remote access trojan (RAT). The RAT is a simpl...