Cryptography Reference
In-Depth Information
However, in other applications it may be tempting to use a key that has already
been established for one purpose and then, for convenience, use it for some other
purpose. We illustrate the potential dangers of doing this with two examples.
Example 1
. Like passwords, PINs should not be stored anywhere in the clear.
Hence PINs are often stored in encrypted form using a symmetric
PIN
encrypting key
. This key should only ever be used to encrypt PINs. It should
never be used to decrypt an encrypted PIN. In contrast, a normal symmetric
data key is used both for encryption and decryption. If these two keys are
somehow interchanged within an HSM then we have two serious problems.
Firstly, it may become possible to decrypt and reveal a PIN. Secondly, it
may not be possible to recover any normal data encrypted with the PIN
encrypting key.
Example 2
. Suppose we have an HSM with the following two security functions:
Function 1
. This generates a four-digit PIN for a payment card by:
1. encrypting the card's 16-digit account number using a
PIN generation key
, and
outputting the resulting ciphertext in hex form;
2. scanning the hex output for the first four digits in the range 0 to 9, but ignoring
any in the range A to F, which are then used to form the PIN (additional measures
need to be taken in the unlikely event that there are insufficient digits generated
using this process to form a PIN);
3. outputting the resulting PIN in encrypted form.
Function 2
. This generates a MAC on some input data by:
1. computing a simple CBC-MAC (using the version of CBC-MAC depicted in
Figure 6.7, which is not recommended in practice) on the input data using a
MAC key;
2.outputting the MAC in hex form.
Now suppose that an attacker is able to persuade the HSM to use the key
from Function 1 to compute Function 2. In other words, the attacker is able
to generate a MAC on the card's account number using the PIN generation
key. The result will be that a MAC is output in hex form. Assuming that the
same block cipher is used by both functions (in Function 1 to encrypt and in
Function 2 to compute CBC-MAC) and since the account number is likely to
be a short piece of data less than one block long, the MAC that is output will be
the same as the encrypted account number that is produced in the first stage
of Function 1. The attacker can then scan the MAC for the first four digits in
the range 0 to 9, and hence determine the PIN.
These two examples both illustrate the potential dangers of not enforcing key
separation. It might be argued that they are rather artificial examples for several
reasons, one of which is that it should not be possible to force keys within an
HSM to be used for purposes other than they were intended, especially as the keys
