Hack Our New Authentication Protocol, Says Centrelink

Centrelink released draft auth protocol hoping for torture test...

Australia's welfare agency released the the draft implementation of PLAID last month. It created the new protocol because off-the-shelf solutions didn't match Centrelink's "business needs," Mitchell says.

He now hopes crypto-geeks all over the world will rip into the software, now in its second draft. "We need to make sure it's as secure as we believe it to be," he told the Risky Business podcast. "There may be issues... if anyone does any issues with it then we're more than happy to take feedback on board and see what we can do to review it."

Off the shelf solutions allow contactless smartcards to be identified via passive sniffing, Mitchell says. Even a PKI-based solution will allow an observer to intercept some static information that could be used to identify specific cards.

"[PLAID is] designed for privacy and security," Mitchell says. "For what we're issuing here at Centrelink there's a lot of traffic transmitted from the reader to the card and the card responds through the airwaves. That traffic... possibly if it had static information or determinable information, could identify the card holder."

With PLAID, he says, there's "no way to identify the card involved in the transaction".

While Mitchell recognises "rolling your own" cryptographic systems is risky, he says the use of well established, peer-reviewed cryptographic algorithms within the PLAID protocol will insulate Centrelink from the worst kind of mistakes.

"I completely agree. Rolling your own crypto is definitely not the done thing. History has shown us [it's] always a bad idea," he says. "[But] PLAID isn't a cryptographic algorithm, it's a protocol... it uses two algorithms, the first being the RSA cipher, the second being Rine-Dale."

The agency will roll out an off-the-shelf PKI-based smartcard system before upgrading the cards to use the PLAID protocol when, or if, it becomes ready.

While Mitchell hopes vendors will adopt the new protocol, he says most have shown reluctance to embrace a protocol that isn't recognised as a standard. "Once it is standardised... then we expect to see a little more enthusiasm," he says.

The plan is to have the protocol recognised as an Australian standard and eventually an ISO standard.

Click here to listen to the full interview with Glenn Mitchell in the Risky Business podcast.