The Flaw Page 1 of 2

The ANSI X9.17 standard for key exchange fails to satisfy several of the design requirements:

  • A data key or key-encrypting key shared between a communicating pair shall not be disclosed to a third party.
  • A data key shared between a communicating pair shall be secured from third party usage.
  • The compromise of any key shared between any communicating pair shall not compromise and third party.
  • Key security and integrity shall be ensured.

The problem stems from a lack of explicit type information in keys. Several cryptologists have observed that strong typing is important in cryptographic protocols. Without it, it is too easy to replay messages containing ciphertext, using those messages in a manner different from the intended purpose.

Several examples of replay attacks fall into this category. In particular, there have been several published attacks that use signed nonces as signed keys, or vice versa. Keys and nonces are especially prone to this sort of abuse because the misuse is hard to recognize; both are seemingly arbitrary or random bit-strings. Explicit types should be coupled with nonces and keys prior to signing them.

In the X9.17 protocol the ciphertext for encrypted session keys is not always notarized. An attacker can replay un-notorized ciphertext to impersonate a party making a seemingly legitimate request for key translation. Details of the attack are presented in the novel. In short, the attacker conducts the first part of an exchange with a Key Distribution Center. Then, the attacker uses a weakly-typed ciphertext produced by the Key Distribution Center to forge a message in a seperate exchange with a Key Translation Center. Based upon this forgery (replay), the Key Translation Center will produce a ciphertext that the attacker cannot decrypt but one where the attacker knows the corresponding plaintext. The attacker can use this ciphertext, which is an encrypted key, to convince other legitimate parties to use a key which they believe to be secure. The attack is described in detail in Chapter 17 of The Electronic Money Mill.

The flaw can be exploited by an attacker to cause two parties to use a session key that the attacker chooses. Or, the attacker can fool a party, B, into executing a session with him when B
believes B is talking to some other legitimate party, say A. In other words, the attacker can choose to eavesdrop on a secret exchange between two parties, or the attacker can choose to
impersonate a legitimate party.