Upload
haliem
View
221
Download
1
Embed Size (px)
Citation preview
A Low Data Complexity Attack on the GMR-2
Cipher Used in the Satellite Phones
Ruilin Li, Heng Li, Chao Li, Bing Sun
National University of Defense Technology, Changsha, China
FSE 2013, Singapore
11th ~13th March, 2013
2
Outline
• Backgrounds and the GMR-2 Cipher
• Revisit the Component of the GMR-2 Cipher
• The Low Data Complexity Attack
• Experimental Result
• Conclusion
3
Outline
• Backgrounds and the GMR-2 Cipher
• Revisit each Component of the GMR-2 Cipher
• The Low Data Complexity Attack
• Experimental Result
• Conclusion
4
Backgrounds and the GMR-2 Cipher
• Mobile communication systems have revolutionized the way we interact with each other– GSM, UMTS, CDMA2000, 3GPP LTE
• When do we need satellite based mobile system?– In some special cases
• researchers on a field trip in a desert• crew on ships on open sea
• people living in remote areas or areas that are affected by a natural disaster
5
Backgrounds and the GMR-2 Cipher
• What is GMR?– GMR stands for GEO-Mobile Radio
– GEO stands for Geostationary Earth Orbit
– Design heavily inspired from GSM
6
Backgrounds and the GMR-2 Cipher
• Two major GMR Standards– GMR-1 (de-facto standard, Thuraya etc)
– GMR-2 (Inmarsat and AcES)
• How to protect the security of the communication
in GMR system?– Using symmetric cryptography
– Both the authentication and encryption are similar as that of GSM A3/A5 algorithms.
7
Backgrounds and the GMR-2 Cipher
• Encryption Algorithms in GMR– Stream ciphers– Reconstructed by Driessen et al.
• GMR-1 Cipher– Based on A5/2 of GSM– Totally broken by ciphertext-only attack
• GMR-2 Cipher– New design strategy– Can be broken by known-plaintext attack – Read-collision based technique
8
Backgrounds and the GMR-2 Cipher
• In this talk, we focus on GMR-2 stream cipher– Revisit components of the GMR-2 cipher
– Propose dynamic guess and determine strategy
– Present a low data complexity attack
9
Outline
• Backgrounds and the GMR-2 Cipher
• Revisit each Component of the GMR-2 Cipher
• The Low Data Complexity Attack
• Experimental Result
• Conclusion
10
Revisit each Component of the GMR-2 Cipher
• Encryption mechanism of the GMR-2 cipher– Data are divided into frames identified by the frame
number with 22-bits– New frame is re-initialized– Each frame contains 120-bit (15-byte)
• Parameters of the GMR-2 cipher– Key length: 64-bit (Session key)– IV length: 22-bit (Frame number)– Key stream bits length within a frame: 120-bit
11
Revisit each Component of the GMR-2 CipherK
s6s7 …… s1 s0
Zl
p
F G H
t
c
1
388
4
6
6
8
• An overview on the GMR-2 cipher– 8-byte shift register S, a 3-bit counter c, and a toggle bit t– byte-oriented, three major components– combines two bytes of session key with previous output– is a linear function for mixing purpose– consists two DES Sboxes as a nonlinear filter GH
F
12
Revisit each Component of the GMR-2 Cipher
Å
p
c
K t
K0 K1 K2 K3 K4 K5 K6 K7 1t
2t >>>
a
O0
O1
8
4
8
44
Å
• The component– At the l-th clock, the input
• 8-byte array holding the session key K, read from two sides.• a counter c ranging from 0 to 7 sequentially and repeatedly.• a toggle bit t=c mod 2.• the previous key stream byte p=Zl-1
F
13
Revisit each Component of the GMR-2 Cipher
Å
p
c
K t
K0 K1 K2 K3 K4 K5 K6 K7 1t
2t >>>
a
O0
O1
8
4
8
44
Å
• The component– The lower side outputs Kc with the help of the counter c.
– The upper output depends on the lower output Kc , the previous key stream byte p and the toggle bit t.
– maps 4-bit to 3-bit which select the upper output.– maps 3-bit to 3-bit which determine the rotation.
F
1t2t
14
Revisit each Component of the GMR-2 Cipher
Å
p
c
K t
K0 K1 K2 K3 K4 K5 K6 K7 1t
2t >>>
a
O0
O1
8
4
8
44
Å
• The component– The output is
F
10 ( ) 2 1
1
( ( ))
((( ) 4) & 0xF) (( ) & 0xF)c c
O K
O K p K pt a t t a=ìï
í= Å Å Åïî ?
•
( ) & 0xF, if 0
(( ) 4) & 0xF, if 1c
c
K p t
K p ta
Å =ì= í Å = î ?
15
Revisit each Component of the GMR-2 Cipher
Å
1O¢
0O¢
6
6
8
8
4
1BO0
O1
S0
1B
3B
2B
2B
• The componentG
1
1 3 2 1 0 3 0 3 2 0 3 1
2 3 2 1 0 3 0
3 3 2 1 0 0 3 0 3
2
2 1 0
: ( , , , ) ( , , , );
: ( , , , ) ( , , , );
: ( , , , ) ( , , , ).
B x x x x x x x x
B x x x x x x x
B
x x
x x x x x x x x
x
x
x x x
Å Å ìï
Å
Å Å Å í
ï î
aaa
16
Revisit each Component of the GMR-2 Cipher
6S
2S
t
lZ6
6
4
4
81O¢
0O¢
• The componentH2 1 6 0 8
2 0 6 1 8
( ( ), ( )) if 0
( ( ), ( )) if 1l
O O tZ
O O t
¢ ¢ = ì= í ¢ ¢ = î
S SS S
6
5 4 3 2 1 0 1 0
5 4
2
3 2
where and are the two sboxes of DES. Assume the input of
is ( , , , , , ), then ( , ) selects the row index, and
( , , , ) selects the column index.
x x x x x x x x
x x x x
S SS
Revisit each Component of the GMR-2 Cipher
• Initialization Mode– Set c=0, t=0, and initialize S with frame number N
– 8-byte key is written into the resister in
– Clock the cipher 8 times and discard the output Zl
17
F G H
F
Revisit each Component of the GMR-2 Cipher
• Generation Mode– For each frame number N, further clock the cipher 15 times,
and the output keystream is
denotes the l-th byte of keystream generated after initialization with N 18
F G H
(0) (0) (0) (1) (1) (1) (2)0 1 14 0 1 14 0( , , , ; , , ; , )Z Z Z Z Z Z Z Z¢ = L L L
( )NlZ
19
Revisit each Component of the GMR-2 Cipher
• Property of
– If p is known, then we can get the value of only by the most/least significant four bits of Kc
F
Å
p
c
K t
K0 K1 K2 K3 K4 K5 K6 K7 1t
2t >>>
a
O0
O1
8
4
8
44
Å
( ) & 0xF, if 0
(( ) 4) & 0xF, if 1c
c
K p t
K p ta
Å =ì= í Å = î ?
a
20
Revisit each Component of the GMR-2 Cipher
• Property of – We can “invert ”
• Given the row index and the output, the column index can be uniquely obtained.
• Given the column index and the output, the row index can be uniquely obtained, except for when the column index is 4 and the output is 9, the row index can be either 0 or 3.
• Given the outputs of both S-boxes, there will be 16 possible inputs.
H
6S
2SlZ
1O¢
0O¢
62 / S S
6S
21
Revisit each Component of the GMR-2 Cipher
• Property of– The key point
– The links between the input and output of the component can be expressed by a well-structured matrix
G
G
Å
1O¢
0O¢
6
6
8
8
4
1BO0
O1
S0
1B
3B
2B
2B
'0 , 5
'0 , 4
'0 , 3
'0 , 2
'1 , 5
'1 , 4
'1 , 3
'1 , 2
'0 ,1
'0 , 0
'1 ,1
'1 , 0
1 0 0 1 0 0 0 0 0 0 0 0
1 1
O
O
O
O
O
O
O
O
O
O
O
O
æ öç ÷ ç ÷ç ÷ 0 1 0 0 0 0 0 0 0 0ç ÷
1 0 0 0 0 0 0 0 0 0 0 0ç ÷ç ÷ 0 0 1 0 0 0 0 0 0 0 0 0ç ÷
0 ç ÷ç ÷ç ÷ =ç ÷ç ÷ç ÷ç ÷ç ÷ç ÷ç ÷ç ÷ç ÷ç ÷è ø
0 0 0 0 1 0 0 0 0 0 0 0
0 0 0 0 0 0 1 0 0 0 0 0
0 0 0 0 0 0 0 0
éêêêêêê 0 0 0 1 0 0 1 0 0 0 0ê
0 0 0 0 1 1 0 1 0 0 0 0êê êê ê
1 0 1 1ê0 0 0 0 0 0 0 0 1 0 0 10 0 0 0 0 0 0 0 0 1 0 00 0 0 0 0 0 0 0 0 0 0 1ë
0 , 7
0 , 6
0 , 5
0 , 4
0 , 3
0 , 2
0 ,1
0 , 0
1 , 3
1 , 2
1 ,1
0 , 5
0 , 7
0 ,
1 , 0
4
0 , 6
0 ,1
0 , 3
0 , 0
0 , 2
0
0
0
0
O
O
O
O
O
O
O
O
O
O
O
O
S
S
S
S
S
S
S
S
æ öù ç ÷ú ç ÷ú ç ÷ú ç ÷ú ç ÷ú ç ÷ú ç ÷ú ç ÷ú ç ÷ ú ç ÷ú
æ öç ÷ç ÷ç ÷ç ÷ç ÷ç ÷ç ÷ç ÷çÅ çççç
çç
ç ÷ú ç ÷ú ç ÷ú ç ÷
ê ú ç ÷ê ú ç ÷ê ú ç ÷ê ú
ç ç
ç è øç ÷û ç ÷è ø
g ÷÷÷÷÷÷÷÷÷÷
22
'0 , 5
'0 , 4
'0 , 3
'0 , 2
'1 , 5
'1 , 4
'1 , 3
'1 , 2
'0 ,1
'0 , 0
'1 ,1
'1 , 0
1 0 0 1 0 0 0 0 0 0 0 0
1 1
O
O
O
O
O
O
O
O
O
O
O
O
æ öç ÷ ç ÷ç ÷ 0 1 0 0 0 0 0 0 0 0ç ÷
1 0 0 0 0 0 0 0 0 0 0 0ç ÷ç ÷ 0 0 1 0 0 0 0 0 0 0 0 0ç ÷
0 ç ÷ç ÷ç ÷ =ç ÷ç ÷ç ÷ç ÷ç ÷ç ÷ç ÷ç ÷ç ÷ç ÷è ø
0 0 0 0 1 0 0 0 0 0 0 0
0 0 0 0 0 0 1 0 0 0 0 0
0 0 0 0 0 0 0 0
éêêêêêê 0 0 0 1 0 0 1 0 0 0 0ê
0 0 0 0 1 1 0 1 0 0 0 0êê êê ê
1 0 1 1ê0 0 0 0 0 0 0 0 1 0 0 10 0 0 0 0 0 0 0 0 1 0 00 0 0 0 0 0 0 0 0 0 0 1ë
0 , 7
0 , 6
0 , 5
0 , 4
0 , 3
0 , 2
0 ,1
0 , 0
1 , 3
1 , 2
1 ,1
0 , 5
0 , 7
0 ,
1 , 0
4
0 , 6
0 ,1
0 , 3
0 , 0
0 , 2
0
0
0
0
O
O
O
O
O
O
O
O
O
O
O
O
S
S
S
S
S
S
S
S
æ öù ç ÷ú ç ÷ú ç ÷ú ç ÷ú ç ÷ú ç ÷ú ç ÷ú ç ÷ú ç ÷ ú ç ÷ú
æ öç ÷ç ÷ç ÷ç ÷ç ÷ç ÷ç ÷ç ÷çÅ çççç
çç
ç ÷ú ç ÷ú ç ÷ú ç ÷
ê ú ç ÷ê ú ç ÷ê ú ç ÷ê ú
ç ç
ç è øç ÷û ç ÷è ø
g ÷÷÷÷÷÷÷÷÷÷
23
'0 , 5
'0 , 4
'0 , 3
'0 , 2
'1 , 5
'1 , 4
'1 , 3
'1 , 2
'0 ,1
'0 , 0
'1 ,1
'1 , 0
1 0 0 1 0 0 0 0 0 0 0 0
1 1
O
O
O
O
O
O
O
O
O
O
O
O
æ öç ÷ ç ÷ç ÷ 0 1 0 0 0 0 0 0 0 0ç ÷
1 0 0 0 0 0 0 0 0 0 0 0ç ÷ç ÷ 0 0 1 0 0 0 0 0 0 0 0 0ç ÷
0 ç ÷ç ÷ç ÷ =ç ÷ç ÷ç ÷ç ÷ç ÷ç ÷ç ÷ç ÷ç ÷ç ÷è ø
0 0 0 0 1 0 0 0 0 0 0 0
0 0 0 0 0 0 1 0 0 0 0 0
0 0 0 0 0 0 0 0
éêêêêêê 0 0 0 1 0 0 1 0 0 0 0ê
0 0 0 0 1 1 0 1 0 0 0 0êê êê ê
1 0 1 1ê0 0 0 0 0 0 0 0 1 0 0 10 0 0 0 0 0 0 0 0 1 0 00 0 0 0 0 0 0 0 0 0 0 1ë
0 , 7
0 , 6
0 , 5
0 , 4
0 , 3
0 , 2
0 ,1
0 , 0
1 , 3
1 , 2
1 ,1
0 , 5
0 , 7
0 ,
1 , 0
4
0 , 6
0 ,1
0 , 3
0 , 0
0 , 2
0
0
0
0
O
O
O
O
O
O
O
O
O
O
O
O
S
S
S
S
S
S
S
S
æ öù ç ÷ú ç ÷ú ç ÷ú ç ÷ú ç ÷ú ç ÷ú ç ÷ú ç ÷ú ç ÷ ú ç ÷ú
æ öç ÷ç ÷ç ÷ç ÷ç ÷ç ÷ç ÷ç ÷çÅ çççç
çç
ç ÷ú ç ÷ú ç ÷ú ç ÷
ê ú ç ÷ê ú ç ÷ê ú ç ÷ê ú
ç ç
ç è øç ÷û ç ÷è ø
g ÷÷÷÷÷÷÷÷÷÷
24
1y
2y
1x
2x
1v
2v
A
B
A
Revisit each Component of the GMR-2 Cipher
• are known values.
• Given , we can obtain , and vice vera.
• Given , we can get , and vice vera.
• selects the column index of the S-box and selects the
row index.
27
,a1y
( )iy y
1 ( ) 2 1( ( )
·
·
· · ·
)
·
Kt a t t a
ì = Åï
= Åïï = Åíï =
Å Å Åïï =î
1 1
2 2
1
2
1
2
h l 2
1
2 2 2 2
y
y
y
W v
W v
W v
W W W u v
x
x
k k
x
y
x
•
( ) ix x
1 ( ), Kt a1x
,, , , ,1 2 1 2W W W v v v u
1y 2y
28
Revisit each Component of the GMR-2 Cipher
1 2 1( ) ( ( ))Kt a t t a•\
F G HcK pÅ S
'S
1 2 1( ) ( ( ))Kt a t t a•\1 2 1( ) ( ( ))Kt a t t a•\
cK pÅ
29
Revisit each Component of the GMR-2 Cipher
1 2 1( ) ( ( ))Kt a t t a•\
F G HcK pÅ S
'S
1 2 1( ) ( ( ))Kt a t t a•\1 2 1( ) ( ( ))Kt a t t a•\
cK pÅ
1x
2x
30
Revisit each Component of the GMR-2 Cipher
1 2 1( ) ( ( ))Kt a t t a•\
F G HcK pÅ S
'S
1 2 1( ) ( ( ))Kt a t t a•\1 2 1( ) ( ( ))Kt a t t a•\
cK pÅ
2x1x
1y
2y
31
Outline
• Backgrounds and the GMR-2 Cipher
• Revisit each Component of the GMR-2 Cipher
• The Low Data Complexity Attack
• Experimental Result
• Conclusion
32
The Low Data Complexity Attack
• Known-plaintext attack– From keystream bits to recover the session key
• Guess and Determine– Guess -Determine -Verify
– The Guessed and Determined Parts of the internal state are known
in prior before applying the attack
• Dynamic Guess and Determine– Dynamically Guess and Determine
– Dynamically Check the candidate by backtracking
33
The Low Data Complexity Attack
• Basic Analysis– How these three components interact each other
• The linear transformation plays a central role• Since p and S0 must be known to us, we should analyze the cipher
at the (c+8)th-clock ( ) in the keystream generation phase.
G
0 6c£ £
1 2 1( ) ( ( ))Kt a t t a•\
F G HcK pÅ S
'S6
6
8
4S0
8cZ +
34
The Low Data Complexity Attack
• Rule 1–
1 2 1( ) ( ( ))Kt a t t a•\
F G HcK pÅ S
'S6
6
8
4S0
8cZ +
1
( )8
Let ( , ), assume is odd, and given a guessed value for , if ( ),
then using the theory of , has no solution or can be
determined by ; Similarly,assume
c
Nc
linear consistence tes
K c c
Z c
t
t a
+
= =
h l h
l
k k k
k
( )1 8
is even,and given a guessed value for ,
if ( ), then has no solution or can be determined by .Ncc Zt a +
= l
h
k
k
35
The Low Data Complexity Attack
• Rule 2–
1 2 1( ) ( ( ))Kt a t t a•\
F G HcK pÅ S
'S6
6
8
4S0
8cZ +
1
1
( )
( )8 ( )
( )8
Let ( , ), and given guessed values for and , then can be
determined by ; Similarly, given guessed values for and , then
can be determined by .
c
Nc
Nc
K K
Z K
Z
t a
t a+
+
=
h l h l
l h
k k k k
k k
36
The Low Data Complexity Attack
• Rule 3–
1 2 1( ) ( ( ))Kt a t t a•\
F G HcK pÅ S
'S6
6
8
4S0
8cZ +
11 ( )
( )8
Given a guessed value for , if ( ) , then can be
determined by .
c
Nc
K c K
Z
t at a
+
¹
37
The Low Data Complexity Attack
• Rule 4–
1 2 1( ) ( ( ))Kt a t t a•\
F G HcK pÅ S
'S6
6
8
4S0
8cZ +
1 ( )Given guessed values for and , then we can determine whether
those guessed values are wrong.cK Kt a
38
The Low Data Complexity Attack
• Attack Procedure– Capture a frame of keystream bits (15-byte)
– Apply Guess-and-Determine Attack on 8~14th clock• Define a index set , and initialized with
– saves the indices for the session key that has been known
• Analyzing the cipher at the (c+8)-th clock sequentially– Calculate t, c, p, S0, judge whether
– Adopt Rule 1~ Rule 4 to perform the attack– A little boring, see the full version paper
( )(0) (0) (01 7 8
) (0) (0)0 14, , , , , ,Z Z Z Z Z¼ ¼
G G = ÆG
c ÎG
39
The Low Data Complexity Attack
• Complexity analysis– Data Comp.
• A frame of Data (15-byte keystream)• The last 7 bytes used for guess-and-determine
• The first 8 bytes used for verification
– Time Comp.• When guessing 8/4-bit, we will determine 8/4-bit• The 64-bit session key can be obtained by guessing at most 32-bit
• Rough estimation, seems hard to obtain exact analysis
• Experimental results are a little better, about 228 exhaustive search
40
Outline
• Backgrounds and the GMR-2 Cipher
• Revisit each Component of the GMR-2 Cipher
• The Low Data Complexity Attack
• Experimental Result
• Conclusion
42
Experimental Result
• Some explanations– Operated on a 3.2 GHz laptop
– Non-optimized realization
– 700 seconds on average• 580 seconds for deducing candidates• 120 seconds for exhaustive search
43
Outline
• Backgrounds and the GMR-2 Cipher
• Revisit each Component of the GMR-2 Cipher
• The Low Data Complexity Attack
• Experimental Result
• Conclusion
44
Conclusion
• We perform a security analysis of the GMR-2 cipher– Revisit the components of GMR-2 cipher
– Propose “dynamic guess and determine strategy”– Present a low data complexity attack
• The design methodology of the GMR-2 cipher is far
from what is “state of the art” in stream ciphers
• Be careful when using the Satellite phones