A Low Data Complexity Attack on the GMR-2 Cipher Used in the Satellite Phones

Transcription

1 A Low Data Complexity Attack on the GMR-2 Cipher Used in the atellite Phones Ruilin Li, Heng Li, Chao Li, Bing un National University of Defense Technology, Changsha, China FE 2013, ingapore 11 th ~13 th March, 2013

2 Outline Backgrounds and the GMR-2 Cipher Revisit the Component of the GMR-2 Cipher The Low Data Complexity Attack Experimental Result Conclusion 2

3 Outline Backgrounds and the GMR-2 Cipher Revisit each Component of the GMR-2 Cipher The Low Data Complexity Attack Experimental Result Conclusion 3

4 Backgrounds and the GMR-2 Cipher Mobile communication systems have revolutionized the way we interact with each other GM, UMT, CDMA2000, 3GPP LTE When do we need satellite based mobile system? In some special cases researchers on a field trip in a desert crew on ships on open sea people living in remote areas or areas that are affected by a natural disaster

5 Backgrounds and the GMR-2 Cipher What is GMR? GMR stands for GEO-Mobile Radio GEO stands for Geostationary Earth Orbit Design heavily inspired from GM 5

6 Backgrounds and the GMR-2 Cipher Two major GMR tandards GMR-1 (de-facto standard, Thuraya etc) GMR-2 (Inmarsat and AcE) How to protect the security of the communication in GMR system? Using symmetric cryptography Both the authentication and encryption are similar as that of GM A3/A5 algorithms. 6

7 Backgrounds and the GMR-2 Cipher Encryption Algorithms in GMR tream ciphers Reconstructed by Driessen et al. GMR-1 Cipher Based on A5/2 of GM Totally broken by ciphertext-only attack GMR-2 Cipher New design strategy Can be broken by known-plaintext attack Read-collision based technique 7

8 Backgrounds and the GMR-2 Cipher In this talk, we focus on GMR-2 stream cipher Revisit components of the GMR-2 cipher Propose dynamic guess and determine strategy Present a low data complexity attack

9 Outline Backgrounds and the GMR-2 Cipher Revisit each Component of the GMR-2 Cipher The Low Data Complexity Attack Experimental Result Conclusion 9

10 Revisit each Component of the GMR-2 Cipher Encryption mechanism of the GMR-2 cipher Data are divided into frames identified by the frame number with 22-bits New frame is re-initialized Each frame contains 120-bit (15-byte) Parameters of the GMR-2 cipher Key length: 6-bit (ession key) IV length: 22-bit (Frame number) Key stream bits length within a frame: 120-bit 10

11 Revisit each Component of the GMR-2 Cipher K t 1 c 3 F G 6 H 6 Z l s 7 s 6 s 1 s 0 An overview on the GMR-2 cipher -byte shift register, a 3-bit counter c, and a toggle bit t byte-oriented, three major components p F combines two bytes of session key with previous output G is a linear function for mixing purpose consists two DE boxes as a nonlinear filter H 11

12 Revisit each Component of the GMR-2 Cipher K t t 2 >>> O 0 c K 0 K 1 K 2 K 3 K K 5 K 6 K 7 t1 a Å O 1 Å The component F At the l-th clock, the input -byte array holding the session key K, read from two sides. a counter c ranging from 0 to 7 sequentially and repeatedly. a toggle bit t=c mod 2. p the previous key stream byte p=z l-1 12

13 Revisit each Component of the GMR-2 Cipher K t t 2 >>> O 0 c K 0 K 1 K 2 K 3 K K 5 K 6 K 7 t1 a Å O 1 Å The component F The lower side outputs K c with the help of the counter c. The upper output depends on the lower output K c, the previous key stream byte p and the toggle bit t. t 1 t 2 maps -bit to 3-bit which select the upper output. maps 3-bit to 3-bit which determine the rotation. p 13

14 Revisit each Component of the GMR-2 Cipher K t t 2 >>> O 0 c K 0 K 1 K 2 K 3 K K 5 K 6 K 7 t1 a Å O 1 Å The F component The output is 1 p ìï O0 = Kt1 ( a ) t 2 ( t1( a)) í ïî O = ((( K Å p)? ) & 0xF) Å (( K Å p) & 0xF) c ì( Kc Å p) & 0xF, if t = 0 a = í î (( Kc Å p)? ) & 0xF, if t = 1 c 1

15 Revisit each Component of the GMR-2 Cipher O 0 B 1 O 0 6 B 1 O 1 B 3 Å B 2 B 2 6 O 1 The G 0 component ìb1 :( x3, x2, x1, x0) a( x3 Å x0, x3 Å x2 Å x0, x3, x1 ); ï íb2 :( x3, x2, x1, x0) a( x1, x3, x0, x2); ï îb3 :( x3, x2, x1, x0 ) a( x2, x0, x3 Å x1 Å x0, x3 Å x0). 15

16 Revisit each Component of the GMR-2 Cipher t O 0 O Z l The 5 H Z l component ì( 2( O 1), 6( O 0)) if t = 0 = í î( 2( O 0), 6( O 1)) if t = 1 where and are the two sboxes of DE. Assume the input of 2 6 is ( x, x, x, x, x, x ), then ( x, x ) selects the row index, and ( x, x, x, x ) selects the column index

17 Revisit each Component of the GMR-2 Cipher F G H Initialization Mode et c=0, t=0, and initialize with frame number N -byte key is written into the resister in Clock the cipher times and discard the output Z l 17 F

18 Revisit each Component of the GMR-2 Cipher F G H Generation Mode For each frame number N, further clock the cipher 15 times, and the output keystream is Z l Z = ( Z, Z, L, Z ; Z, Z, LZ ; Z, L) (0) (0) (0) (1) (1) (1) (2) ( N) denotes the l-th byte of keystream generated after 1 initialization with N

19 Revisit each Component of the GMR-2 Cipher Property of F If p is known, then we can get the value of a only by the most/least significant four bits of K c K ì( Kc Å p) & 0xF, if t = 0 a = í î (( Kc Å p)? ) & 0xF, if t = 1 t t 2 >>> O 0 c K 0 K 1 K 2 K 3 K K 5 K 6 K 7 t1 a Å O 1 Å 19 p

20 Revisit each Component of the GMR-2 Cipher Property of H We can invert 2 / Given the row index and the output, the column index can be uniquely obtained. 6 Given the column index and the output, the row index can be uniquely obtained, except for 6 when the column index is and the output is 9, the row index can be either 0 or 3. Given the outputs of both -boxes, there will be 16 possible inputs. O 0 2 Z l O

21 Revisit each Component of the GMR-2 Cipher Property of G The key point The links between the input and output of the component can be expressed by a well-structured matrix G O 0 B 1 O 0 6 B 1 O 1 B 3 Å B 2 B 2 6 O

22 ' æ O ö 0, 5 æ O 0, 7 ö ' , 5 ç O 0, é ù æ ö ê O ' ú ç 0, 6 ç 0, 7 ç O 0, 3 ê ú ç ç ' ê O ç 0, 5 ú ç 0, ç O 0, 2 ê ú ç O 0, ç ç ' ê ç O 1, 5 ê ú 0, ú ç O 0, 3 ç 0,1 ç ' O ê ú 1, ê O ú ' = ç 0, 2 0, 3 ç O ê úg ç 1, 3 ê O Å ç 0,1 ú 0, 0 ç ' ç O ê ú ç O 1, 2 0, 0 ç ê ú 0, 2 ' ç O 0,1 ê O ú ç 1, 3 ç 0 ê ú ç ' ç O O ç 1, 2 0 0, 0 ê ú ç ' ê ú ç O 1,1 ç 0 ç O 1,1 ê ë ú û ç ç ç ' O 0 1, 0 è ø è O è ø 1, 0 ø 22

23 ' æ O ö 0, 5 æ O 0, 7 ö ' , 5 ç O 0, é ù æ ö ê O ' ú ç 0, 6 ç 0, 7 ç O 0, 3 ê ú ç ç ' ê O ç 0, 5 ú ç 0, ç O 0, 2 ê ú ç O 0, ç ç ' ê ç O 1, 5 ê ú 0, ú ç O 0, 3 ç 0,1 ç ' O ê ú 1, ê O ú ' = ç 0, 2 0, 3 ç O ê úg ç 1, 3 ê O Å ç 0,1 ú 0, 0 ç ' ç O ê ú ç O 1, 2 0, 0 ç ê ú 0, 2 ' ç O 0,1 ê O ú ç 1, 3 ç 0 ê ú ç ' ç O O ç 1, 2 0 0, 0 ê ú ç ' ê ú ç O 1,1 ç 0 ç O 1,1 ê ë ú û ç ç ç ' O 0 1, 0 è ø è O è ø 1, 0 ø 23

24 ' æ O ö 0, 5 æ O 0, 7 ö ' , 5 ç O 0, é ù æ ö ê O ' ú ç 0, 6 ç 0, 7 ç O 0, 3 ê A ú ç ç ' ê O ç 0, 5 ú 0, y 1 ç O 0, 2 ê ú ç O 0, x ç ' ê ç O 1, 5 ê ú 0, ú ç O 0, 3 ç 0,1 ç ' O ê ú 1, ê O ú ' = ç 0, 2 0, 3 ç O ê A úg ç 1, 3 ê O Å ç 0,1 ú 0, 0 ç ' ç O ê ú ç O 1, 2 0, 0 ç ê ú 0, 2 ' ç O 0,1 ê O ú ç 1, 3 ç 0 ê ú ç ' ç O O ç 1, 2 0 y 0, 0 ê ú 2 B ç ' ê ú ç O x 1,1 ç 0 ç O 1,1 ê ë ú 2 û ç ç ç ' O 0 1, 0 è ø è O è ø 1, 0 ø v 1 v 2 2

25 Revisit each Component of the GMR-2 Cipher Three linear systems 25

26 Revisit each Component of the GMR-2 Cipher Another linear system Let then thus from we obtain 26

27 Revisit each Component of the GMR-2 Cipher ì y = W x Å v ï y1 = W1 x1 Å v1 ï íy 2 = W2 x2 Å v2 ï y = W kh Å W k l Å W2 u Å v ï ï î x1 = K t ( ( )) 1 ( a t t a ) 2 1 W, W, W, v, v, v u are known values Given x ( x i ), we can obtain y( y i ), and vice vera. Given y 1,a, we can get x 1, K t, and vice vera. 1 ( a ) y1 selects the column index of the -box and y2 selects the row index. 27

28 Revisit each Component of the GMR-2 Cipher K t ( a ) \ t ( t ( a)) ' Kc Å p F G H Kc Å p K t ( a ) \ t ( t ( a)) K t ( a ) \ t ( t ( a))

29 Revisit each Component of the GMR-2 Cipher K t ( a ) \ t ( t ( a)) Kc Å p x 1 x 2 F G H ' Kc Å p K t ( a ) \ t ( t ( a)) K t ( a ) \ t ( t ( a))

30 Revisit each Component of the GMR-2 Cipher y 1 K t ( a ) \ t ( t ( a)) Kc Å p x 1 x 2 y 2 F G H ' Kc Å p K t ( a ) \ t ( t ( a)) K t ( a ) \ t ( t ( a))

31 Outline Backgrounds and the GMR-2 Cipher Revisit each Component of the GMR-2 Cipher The Low Data Complexity Attack Experimental Result Conclusion 31

32 The Low Data Complexity Attack Known-plaintext attack From keystream bits to recover the session key Guess and Determine Guess -Determine -Verify The Guessed and Determined Parts of the internal state are known in prior before applying the attack Dynamic Guess and Determine Dynamically Guess and Determine Dynamically Check the candidate by backtracking 32

33 The Low Data Complexity Attack Basic Analysis How these three components interact each other The linear transformation G plays a central role ince p and 0 must be known to us, we should analyze the cipher at the (c+)th-clock ( 0 c 6) in the keystream generation phase. K t ( a ) \ t ( t ( a)) Kc Å p F 0 G H 6 6 ' Z c + 33

34 The Low Data Complexity Attack K t ( a ) \ t ( t ( a)) Kc Å p F 0 G H 6 6 ' Z c + Rule 1 Let K = ( k, k ), assume c is odd, and given a guessed value for k, if c = t ( a), c then using the theory of linear consistence test, k has no solution or can be determined by Z h l h ( N ) c+ l ; imilarly,assume c is even,and given a guessed value for k, ( N ) if c = t1( a ), then kh has no solution or can be determined by Z c l

35 The Low Data Complexity Attack K t ( a ) \ t ( t ( a)) Kc Å p F 0 G H 6 6 ' Z c + Rule 2 Let K = ( k, k ),and given guessed values for K and k, then k can be c h l t ( a ) h l determined by Z ; imilarly, given guessed values for K and k, then k can be determined by Z. ( N ) c+ t ( a ) ( N ) c+ 1 1 l h 35

36 The Low Data Complexity Attack K t ( a ) \ t ( t ( a)) Kc Å p F 0 G H 6 6 ' Z c + Rule 3 Given a guessed value for K, if t ( a) ¹ c, then K can be determined by Z. ( N ) c+ c 1 t ( a ) 1 36

37 The Low Data Complexity Attack K t ( a ) \ t ( t ( a)) Kc Å p F 0 G H 6 6 ' Z c + Rule Given guessed values for Kc and K t a, then we can determine whether those guessed values are wrong. 1 ( ) 37

38 The Low Data Complexity Attack Attack Procedure Capture a frame of keystream bits (15-byte) ( (0) (0) (0) (0) (0) Z ) 0, Z1, ¼, Z7, Z, ¼, Z1 Apply Guess-and-Determine Attack on ~1th clock Define a index set G, and initialized with G = Æ G saves the indices for the session key that has been known Analyzing the cipher at the (c+)-th clock sequentially Calculate t, c, p, 0, judge whether c ÎG Adopt Rule 1~ Rule to perform the attack A little boring, see the full version paper 3

39 The Low Data Complexity Attack Complexity analysis Data Comp. A frame of Data (15-byte keystream) The last 7 bytes used for guess-and-determine The first bytes used for verification Time Comp. When guessing /-bit, we will determine /-bit The 6-bit session key can be obtained by guessing at most 32-bit Rough estimation, seems hard to obtain exact analysis Experimental results are a little better, about 2 2 exhaustive search 39

40 Outline Backgrounds and the GMR-2 Cipher Revisit each Component of the GMR-2 Cipher The Low Data Complexity Attack Experimental Result Conclusion 0

41 Experimental Result 1000 Experimental Results with Random IV and ession Key 1

42 Experimental Result ome explanations Operated on a 3.2 GHz laptop Non-optimized realization 700 seconds on average 50 seconds for deducing candidates 120 seconds for exhaustive search 2

43 Outline Backgrounds and the GMR-2 Cipher Revisit each Component of the GMR-2 Cipher The Low Data Complexity Attack Experimental Result Conclusion 3

44 Conclusion We perform a security analysis of the GMR-2 cipher Revisit the components of GMR-2 cipher Propose dynamic guess and determine strategy Present a low data complexity attack The design methodology of the GMR-2 cipher is far from what is state of the art in stream ciphers Be careful when using the atellite phones

45 Thanks for your Attention! Q & A 5