Quantum computers present a unique threat to many aspects of modern information technology. In particular, many cryptographic systems could be at risk of compromise in the event a malicious actor came into possession of a capable quantum computer.
Mastercard is intending to stay ahead of the game in this regard. It has launched a new contactless credit card that it says is impervious to certain types of quantum attack.
Hack-Proof?
The card is based on new industry standards from EMVco, a technical body that works in the secure payment space. Known as the EMV Contactless Kernel Specifications, they outline functionality for payment devices like ATMs and point-of-sale terminals to process transactions. The specification includes a new “Secure Channel” method of communication between card and reader that aims to protect against common attacks like eavesdropping, relay, and man-in-the-middle attacks. The new cards are intended to be compatible with existing payment hardware out in the field.
The main highlight of the new cards, though, is in how they operate, cryptographically speaking. Traditionally, payment card systems have relied on public-key cryptography, using methods like the ever-popular RSA algorithm. As explained in our public key encryption primer, the theory is simple. A private key is two prime numbers, and the public key is their product. Encrypt a message using the public key, and it can only be decrypted with the prime numbers in the private key. The problem for attackers is that even though they know the public key, it’s very difficult to figure out the private key, simply because finding two large prime factors of an even larger number is hard.
That is, unless you have the help of a quantum computer. A quantum computer with a sufficient number of qubits can run Shor’s algorithm to quickly find prime factors of very large numbers. This can be used to reveal the private key for a wide variety of encryption algorithms. This would crack open everything from world financial systems to the encrypted documents of governments and companies around the globe. The one benefit we currently have is that no quantum computer with enough entangled qubits yet exists to break our commonly-used algorithms. Experts believe it’s only a matter of time, however, and even the US government is rapidly moving to alternative quantum-secure encryption methods.
Mastercard’s new plastic will thus shift towards new algorithms it says are “quantum-resistant,” and thus not subject to these attacks. This will also involve the use of longer key lengths to further increase the robustness of the encryption method. Ease of use is also important, though, so the new system will keep the authentication process to under 0.5 seconds.
Interestingly, the documentation from EMVco indicates that the new cards will include Elliptic Curve Cryptography (ECC) for authentication purposes. Traditional ECC is not actually considered quantum-secure. In fact, for the key lengths currently in common use, ECC is likely slightly easier to break than RSA with a quantum computer.
So it could just be marketing bluster from Mastercard. It would seem foolhardy for one of the world’s largest payment processors to roll out new technology that was already known to be incapable of solving the stated problem. Instead, it’s perhaps more likely that Mastercard is using some new variant of ECC that is potentially secure against typical quantum computing attacks. Various ideas have sprouted in this area, though some have recently been proven insecure. Maybe they are focusing on some other algorithm, but will also support ECC. But then how to stop degrade attacks?
Overall, it’s a good thing that companies like Mastercard are already pursuing quantum security. Rolling out such infrastructure takes plenty of time, after all. Plus, once a quantum computer is up and running in the hands of a malicious actor, it will be far too late to act. However, at the same time, new encryption methods must be rigorously explored to ensure they indeed deliver on the security we need them to have. Here’s hoping the new cards have been subject to such due diligence.
Headline image: “Credit Card With Money Ver3” from ccPix.com
I think someone as rich as to afford a quantum computer with more than 8192 working stable cubits (impossible right now) might not need my pittance of a low grade academic :)
But I appreciate SSH for example using classic and quantum resistant algorithms together to secure people against both types of attacks. I’m sure the NSA would rather break SSH. Global money traffic is already monitored thanks to SWIFT:
http://www.spiegel.de/international/world/how-the-nsa-spies-on-international-bank-transactions-a-922430.html
Okay and to rant further (sorry for this), there is no NIST quantum secure candidate yet!
A pretty long-lasting candidate passed several rounds of the standardization checks before being figured out as being insecure:
http://arstechnica.com/information-technology/2022/08/sike-once-a-post-quantum-encryption-contender-is-koed-in-nist-smackdown/
We may be away another 10 years from certainty what cipher we can actually trust. Even if a cipher is selected as standard, the eyes of the world’s mathematicians and cryptographers will all have to verify it. Even Rijndael is, in theory, weaker than Serpent. But Serpent was a slow cipher and thus rejected, so Rijndael (today aka AES).
Welp, looks like it’s back to using my petabyte-sized key(seeded from radioactive decay obviously) to generate my one-time pad cipher-data. :)
I can imagine the 21st century milk-man being the guy who delivers new one-time pad storage to everyone. It’s Monday morning, time to swap the cipher-drive.
I wonder who will first create a quantum codebreaker and if they will let us know when they finish it (HA! lmfao). Or if it already exists in some ultra-secret facility somewhere. That would be some very classified stuff, it goes without saying. It wouldn’t be the first time either.
“could be at risk of compromise in the event a malicious actor came into possession”
does not sound very English to me. Or maybe i´m just too foreigner, English is only the third language I learned.
The only thing that looks like it could be a grammatical issue is “in the event a malicious actor”. But it’s the kind of thing I would not have noticed if someone hadn’t said anything.
That’s ok – English doesn’t often make much sense to us native speakers either. xD
It’s grammatically correct English (though adding “that” after “event” would help.)
It’s just the kind of complex sentence structure that’s no longer commonly used in speech or informal writing.
Which is to say, it’s throwing in a bunch of passive constructions and obfuscated weasel-words to say “ok, if a bad guy got your card, maybe they could figure out how to attack it”
without being too obvious about “No, you probably don’t need to worry about this for a long time, if ever.”
But given how long it’s taken to get simple standards like IPv6 into common use, letting the weasels sell you this a decade or two before we need it is not such a bad thing.
All right, another uninformed article with uninformed commenters!
1. Quantum secure authentication is not needed until quantum computers are built. You can’t store authentication credentials and reuse them later — we’ll have switched over to quantum secure authentication methods by the time you would reuse the stored credentials. Quantum secure encryption IS needed now. You can store encrypted transmissions and decrypt them later. Switching over to quantum secure encryption later does not prevent the attacker from decrypting past stored messages. By contrast switching over to quantum secure authentication does prevent them from reusing cached authentication credentials. See the difference?
2. SIKE was broken, but SIKE was not one of the four algorithms chosen as the standard. The four standardized algorithms: Kyber, Dilithium, Falcon, and SPHINCS+, are not (yet) broken.
The ONLY encryption/key-sharing algorithm still standing is CRYSTALS-Kyber.
The other algorithms you mentioned are for signatures. Also, the algorithms you mentioned use lattices, which are fundamentally different than elliptic curves. The author was right to make his observation.
So the question remains, how does Mastercard protect against quantum attacks using elliptic curves given that all of the post quantum ECC/isogeny algorithms appear to be busted open?
You use regular, non-quantum secure elliptic curve authentication until such time as a quantum computer exists. Until that time, there is no need for quantum secure authentication. But there IS need for quantum secure encryption today even if quantum computers don’t yet exist.
You use regular, non-quantum secure authentication until such time as a quantum computer is available commercially, and solutions (such as CA root certificates) are being cracked by nefarious players. The current developers and owners of such computers (the NSA, et al) clearly will not tell you if or when they have the capability to forge certificates.
However, you search for “post-quantum” algorithms today, and you begin to implement them as soon as you can. Because if you’ve ever worked with a project at EMVco scale, you’ll realize that getting 6 million payment terminals worldwide refitted with a new technology will take a decade or more.
You should have heard the businesses wailing and gnashing their teeth when told that they’d have to replace their mag stripe readers with chip readers. You’d have thought the world was ending with all the predictions of doom. In reality, it was bean counters who didn’t want to spend the money on secure payment terminals. The most amazing part? The cutover was completed in Europe over a decade ago, it was supposed to be completed in the USA five years ago, the dates got bumped to 2020, and there are still non-compliant mag stripe readers in such widespread use in gas pumps and old cash registers that banks are *still* issuing cards with mag stripes. So your data is still susceptible to being ripped off and used for fraud because these cheap bastards will never voluntarily cooperate.
When EMVCo decides that they’re going to need a new algorithm and that some of those “new” terminals will need further upgrades, those same whingers are going to make their previous complaints seem like angelic song.
History has taught them that if they want post-quantum protocols by 2035, they better start installing them today.
It is impossible to sneakily forge certificates. I mean, yes, you can sneakily forge a certificate, but if you’re then not using the forged certificate, the forgery has no effect. And if you do use the forged certificate, the forgery has at that point been revealed. So there’s no way the NSA could privately forge certificates and benefit from the forgery in secret. By contrast, there are easy ways for the NSA to break encryption in private and secretly benefit from being able to break encryption. So again there is a difference. By the time you need quantum secure authentication, you know for sure that you need it. It’s totally different from encryption where you need to prepare decades in advance.
[DJ], it is very easy to issue any certificate you want when you have a copy of the private signing key of an issuing CA’s trusted root certificate. Therefore cracking those CA root keys would almost certainly be the first target of any quantum computer effort by the NSA or other similar agency.
I used the word “forgery” above to differentiate a Certificate Signing Request (CSR) signed by a legitimate Certificate Authority like DigiCert, versus a forged CSR signed by the NSA’s cracked copy of DigiCert’s private key. Mathematically both certificates will validate perfectly in any browser that trusts DigiCert’s root CA. The NSA-signed cert might get flagged in OSCP checking, but that’s an unknown depending on the OSCP server they contact.
Remember, they need to be able to deny they have cracked a CA root key, otherwise no-one will trust that root CA anymore, and all their cracking efforts will be wasted. They don’t want to issue a certificate that will be sent to every visitor to a site, because that leaves evidence other people can (and will) find. So they will issue a forged certificate that will be sent only to the specific targets of their attacks, and that cert will likely be discarded as soon as their objective is reached.
This article explains the NSA’s attack patterns called QUANTUM and FOXACID, (revealed in the Snowden documents) which is where they would be able to use a “forged” certificate to target a specific request: https://www.schneier.com/blog/archives/2013/10/how_the_nsa_att.html While it’s old and only works on http requests, if they could easily forge certificates that would be trusted by their targets they would be able to use it to intercept https traffic.
Yes, the NSA can forge a certificate and send it only to a single victim — but regardless, that victim is now in possession of a piece of information that IN PRINCIPLE can betray the fact that the NSA has certificate-forging technology. Every single use of a forged certificate involves a public, unmitigatable risk that the victim will notice your forgery. If the NSA has such complete control of the victim that they can prevent the victim from going public with the forged certificate, then they don’t need to forge a certificate anyway to exploit the victim.
It is inherently impossible to exploit an authentication break without publicly revealing in some form the fact that you are in possession of an authentication break. By contrast, it is very possible, and very easy, to privately exploit an encryption break with literally no way for anyone to be able to tell that you have broken the encryption. That’s the critical difference.
You can store financial transactions, decrypt then later and use them for extortion or to collect back taxes or as evidence in a trial.
Correct, and that’s why you need quantum secure encryption today, even though quantum computers do not exist today. But you do NOT need quantum secure authentication today. Authenticated data is validated in the present moment. It doesn’t carry a future liability like encrypted data does.
Past proof of authentication can be enough to extort or defraud or convict even if the transaction data is unavailable. Dead people, small children and prison inmates are not supposed to be using their bank accounts.
You’re misunderstanding the threat model. We’re not assuming that some attacker out there can hoard stored authentication credentials and break them after X years. We’re assuming that: 1) some attacker out there can hoard authentication credentials and break them after quantum computers are created, and 2) after quantum computers are created, we will all switch to quantum-secure authentication methods, rendering all past authentication credentials useless (since we are now using different methods for authentication). Under this setup, your scenario does not come to pass.
Average EMV transaction bit length * average number of transactions per day * 365 * 3 years (normal card expiry time) * some padding multiplier to catch most outliers = size of the one-time-pad you need to store on the chip to obviate the quantum computing problem entirely.
Napkin math: assume just use of the OTP in place of the existing key (rather than robustly for all traffic), so 1024 bits per transaction. Say 10 transaction per day for 3 years, so around 11,000 transactions, or ~1.4MB. Even with a 100-fold overprovisioning, that’s trivially includable in an EMV chip’s die area for a moderate cost increase.
“The new cards are intended to be compatible with existing payment hardware out in the field.”
So it has a mag-stripe and is entirely unsecure?
Like most cards, it probably has one to satisfy the legacy US market, and everywhere else the stripe is either disabled (issues reject transactions with it, most PoS terminals refuse to even read it) or entirely unpopulated.
I already have a collection of cards that lack the embossed numbers for the old copy-paper machines, so any concerns over lack of network access for transaction validation have clearly already been quashed for that case. Magstripe should not be too far behind. The US will; be dragged kicking and screaming into the chip&PIN era to match the rest of the world as more and more issuers decline to validate magstripe transactions due to fraud risk.
I think the bank machine still uses the stripe. Unless that’s just a convenient way to position the card.
Ten or fifteen years ago, I was in a store, and something was wrong. But they still had the gizmo for getting the card impression, so they could carry on. I was surprised they still had the gadget, but yes, soon it won’t do a thing.
Not sure about the US, but no ATM here (UK, same applies to most of Europe too) uses the stripe.
Here in Canada, there’s still a slot in the bank machines. This post did make me wonder if the stripe is still read, or if the machines have changed and the slot is just for familiarity.
Here in Canada, we seem to be in between the US and the UK/EU in terms of cards.
I think mine says it’s a NFC card. Unfortunately nothing to test with.
Worse than the possibility of a usable mag strip, you can easily use any card by simply shopping online with the 16-digit card number, 3-digit cvv, and expiration date. Until that absurdity is fixed, all other security measures are largely moot, though I suppose anything that avoids those numbers being exposed in bulk (i.e. From a point of sale terminal) is a step forward.