A Low Data Complexity Attack on the GMR-2 Cipher Used in the Satellite Phones. Ruilin Li, Heng Li, Chao Li, Bing Sun, National University of Defense Technology, Changsha, China. FSE 2013, Singapore, 11th~13th March, 2013.


SLIDE 1

A Low Data Complexity Attack on the GMR-2 Cipher Used in the Satellite Phones

Ruilin Li, Heng Li, Chao Li, Bing Sun National University of Defense Technology, Changsha, China

FSE 2013, Singapore 11th ~13th March, 2013

SLIDE 2

Outline

  • Backgrounds and the GMR-2 Cipher
  • Revisit the Component of the GMR-2 Cipher
  • The Low Data Complexity Attack
  • Experimental Result
  • Conclusion
SLIDE 3

Outline

  • Backgrounds and the GMR-2 Cipher
  • Revisit each Component of the GMR-2 Cipher
  • The Low Data Complexity Attack
  • Experimental Result
  • Conclusion
SLIDE 4

Backgrounds and the GMR-2 Cipher

  • Mobile communication systems have revolutionized the way we interact with each other
      – GSM, UMTS, CDMA2000, 3GPP LTE
  • When do we need a satellite-based mobile system?
      – In some special cases
          • researchers on a field trip in a desert
          • crew on ships on open sea
          • people living in remote areas or areas that are affected by a natural disaster

SLIDE 5

Backgrounds and the GMR-2 Cipher

  • What is GMR?
      – GMR stands for GEO-Mobile Radio
      – GEO stands for Geostationary Earth Orbit
      – Design heavily inspired by GSM

SLIDE 6

Backgrounds and the GMR-2 Cipher

  • Two major GMR Standards
      – GMR-1 (de-facto standard, Thuraya etc.)
      – GMR-2 (Inmarsat and AcES)
  • How to protect the security of the communication in GMR system?
      – Using symmetric cryptography
      – Both the authentication and the encryption are similar to the GSM A3/A5 algorithms.

SLIDE 7

Backgrounds and the GMR-2 Cipher

  • Encryption Algorithms in GMR
      – Stream ciphers
      – Reconstructed by Driessen et al.
  • GMR-1 Cipher
      – Based on A5/2 of GSM
      – Totally broken by ciphertext-only attack
  • GMR-2 Cipher
      – New design strategy
      – Can be broken by known-plaintext attack
      – Read-collision based technique

SLIDE 8

Backgrounds and the GMR-2 Cipher

  • In this talk, we focus on GMR-2 stream cipher
      – Revisit components of the GMR-2 cipher
      – Propose dynamic guess and determine strategy
      – Present a low data complexity attack

SLIDE 9

Outline

  • Backgrounds and the GMR-2 Cipher
  • Revisit each Component of the GMR-2 Cipher
  • The Low Data Complexity Attack
  • Experimental Result
  • Conclusion
SLIDE 10

Revisit each Component of the GMR-2 Cipher

  • Encryption mechanism of the GMR-2 cipher
      – Data are divided into frames identified by a 22-bit frame number
      – The cipher is re-initialized for each new frame
      – Each frame contains 120 bits (15 bytes)
  • Parameters of the GMR-2 cipher
      – Key length: 64 bits (session key)
      – IV length: 22 bits (frame number)
      – Keystream length within a frame: 120 bits

SLIDE 11

Revisit each Component of the GMR-2 Cipher

[Figure: block diagram of the GMR-2 cipher: session key $K$, shift register bytes $s_7, s_6, \ldots, s_1, s_0$, counter $c$, toggle bit $t$, previous output $p$, components $F$, $G$, $H$, and output $Z_l$.]

  • An overview on the GMR-2 cipher
      – 8-byte shift register S, a 3-bit counter c, and a toggle bit t
      – byte-oriented, three major components
      – $F$ combines two bytes of session key with previous output
      – $G$ is a linear function for mixing purpose
      – $H$ consists of two DES S-boxes as a nonlinear filter

SLIDE 12

Revisit each Component of the GMR-2 Cipher

[Figure: the $F$ component: key bytes $K_0, \ldots, K_7$, inputs $c$, $t$, $p$, the maps $\tau_1$ and $\tau_2$, the rotation $\ggg$, the value $\alpha$, and the outputs $O_0$ (8 bits) and $O_1$ (4 bits).]

  • The component $F$
      – At the l-th clock, the input
          • 8-byte array holding the session key K, read from two sides.
          • a counter c ranging from 0 to 7 sequentially and repeatedly.
          • a toggle bit t = c mod 2.
          • the previous key stream byte $p = Z_{l-1}$

SLIDE 13

Revisit each Component of the GMR-2 Cipher

[Figure: the $F$ component: key bytes $K_0, \ldots, K_7$, inputs $c$, $t$, $p$, the maps $\tau_1$ and $\tau_2$, the rotation $\ggg$, the value $\alpha$, and the outputs $O_0$ (8 bits) and $O_1$ (4 bits).]

  • The component $F$
      – The lower side outputs $K_c$ with the help of the counter $c$.
      – The upper output depends on the lower output $K_c$, the previous key stream byte $p$ and the toggle bit $t$.
      – $\tau_1$ maps 4 bits to 3 bits, which select the upper output.
      – $\tau_2$ maps 3 bits to 3 bits, which determine the rotation.

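SLIDE 14

Revisit each Component of the GMR-2 Cipher

[Figure: the $F$ component: key bytes $K_0, \ldots, K_7$, inputs $c$, $t$, $p$, the maps $\tau_1$ and $\tau_2$, the rotation $\ggg$, the value $\alpha$, and the outputs $O_0$ (8 bits) and $O_1$ (4 bits).]

  • The component $F$
      – The output is

$$
\begin{cases}
O_0 = K_{\tau_1(\alpha)} \ggg \tau_2(\tau_1(\alpha)) \\
O_1 = (((K_c \oplus p) \gg 4) \,\&\, \mathtt{0xF}) \oplus ((K_c \oplus p) \,\&\, \mathtt{0xF})
\end{cases}
$$

  • $\alpha = \begin{cases} (K_c \oplus p) \,\&\, \mathtt{0xF}, & \text{if } t = 0 \\ ((K_c \oplus p) \gg 4) \,\&\, \mathtt{0xF}, & \text{if } t = 1 \end{cases}$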

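SLIDE 15

Revisit each Component of the GMR-2 Cipher

[Figure: the $G$ component: inputs $O_0$ (8 bits), $O_1$ (4 bits) and $S_0$ (8 bits), linear maps $B_1$, $B_2$, $B_3$, outputs $O'_0$ and $O'_1$ (6 bits each).]

  • The component $G$

$$
\begin{cases}
B_1 : (x_3, x_2, x_1, x_0) \mapsto (x_3 \oplus x_0,\; x_3 \oplus x_2 \oplus x_0,\; x_3,\; x_1); \\
B_2 : (x_3, x_2, x_1, x_0) \mapsto (x_1,\; x_3,\; x_0,\; x_2); \\
B_3 : (x_3, x_2, x_1, x_0) \mapsto (x_2,\; x_0,\; x_3 \oplus x_1 \oplus x_0,\; x_3 \oplus x_0).
\end{cases}
$$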

SLIDE 16

Revisit each Component of the GMR-2 Cipher

[Figure: the $H$ component: inputs $O'_0$ and $O'_1$ (6 bits each), toggle bit $t$, S-boxes $S_2$ and $S_6$ (4-bit outputs), output $Z_l$ (8 bits).]

  • The component $H$

$$
Z_l = \begin{cases} (S_2(O'_1),\, S_6(O'_0)), & \text{if } t = 0 \\ (S_2(O'_0),\, S_6(O'_1)), & \text{if } t = 1 \end{cases}
$$

where $S_2$ and $S_6$ are the two S-boxes of DES. Assume the input of $S$ is $(x_5, x_4, x_3, x_2, x_1, x_0)$, then $(x_1, x_0)$ selects the row index, and $(x_5, x_4, x_3, x_2)$ selects the column index.

SLIDE 17

Revisit each Component of the GMR-2 Cipher

  • Initialization Mode
      – Set c=0, t=0, and initialize S with frame number N
      – 8-byte key is written into the register in $F$
      – Clock the cipher 8 times and discard the output $Z_l$

SLIDE 18

Revisit each Component of the GMR-2 Cipher

  • Generation Mode
      – For each frame number N, further clock the cipher 15 times, and the output keystream is

$$
Z' = (Z_0^{(0)}, Z_1^{(0)}, \ldots, Z_{14}^{(0)};\; Z_0^{(1)}, Z_1^{(1)}, \ldots, Z_{14}^{(1)};\; Z_0^{(2)}, \ldots)
$$

        where $Z_l^{(N)}$ denotes the l-th byte of keystream generated after initialization with N

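SLIDE 19

Revisit each Component of the GMR-2 Cipher

  • Property of $F$
      – If p is known, then we can get the value of $\alpha$ only by the most/least significant four bits of $K_c$

$$
\alpha = \begin{cases} (K_c \oplus p) \,\&\, \mathtt{0xF}, & \text{if } t = 0 \\ ((K_c \oplus p) \gg 4) \,\&\, \mathtt{0xF}, & \text{if } t = 1 \end{cases}
$$

[Figure: the $F$ component: key bytes $K_0, \ldots, K_7$, inputs $c$, $t$, $p$, the maps $\tau_1$ and $\tau_2$, the rotation $\ggg$, the value $\alpha$, and the outputs $O_0$ (8 bits) and $O_1$ (4 bits).]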

SLIDE 20

Revisit each Component of the GMR-2 Cipher

  • Property of $H$
      – We can “invert” $S_2$/$S_6$
          • Given the row index and the output, the column index can be uniquely obtained.
          • Given the column index and the output, the row index can be uniquely obtained, except for when the column index is 4 and the output is 9, the row index can be either 0 or 3.
          • Given the outputs of both S-boxes, there will be 16 possible inputs.

[Figure: the $H$ component: inputs $O'_0$ and $O'_1$, S-boxes $S_2$ and $S_6$, output $Z_l$.]

SLIDE 21

Revisit each Component of the GMR-2 Cipher

  • Property of $G$
      – The key point
      – The links between the input and output of the component $G$ can be expressed by a well-structured matrix

[Figure: the $G$ component: inputs $O_0$ (8 bits), $O_1$ (4 bits) and $S_0$ (8 bits), linear maps $B_1$, $B_2$, $B_3$, outputs $O'_0$ and $O'_1$ (6 bits each).]

SLIDE 22

$$
\begin{pmatrix}
O'_{0,5} \\ O'_{0,4} \\ O'_{0,3} \\ O'_{0,2} \\ O'_{1,5} \\ O'_{1,4} \\ O'_{1,3} \\ O'_{1,2} \\ O'_{0,1} \\ O'_{0,0} \\ O'_{1,1} \\ O'_{1,0}
\end{pmatrix}
=
\begin{bmatrix}
1&0&0&1&0&0&0&0&0&0&0&0\\
1&1&0&1&0&0&0&0&0&0&0&0\\
1&0&0&0&0&0&0&0&0&0&0&0\\
0&0&1&0&0&0&0&0&0&0&0&0\\
0&0&0&0&1&0&0&1&0&0&0&0\\
0&0&0&0&1&1&0&1&0&0&0&0\\
0&0&0&0&1&0&0&0&0&0&0&0\\
0&0&0&0&0&0&1&0&0&0&0&0\\
0&0&0&0&0&0&0&0&1&0&1&1\\
0&0&0&0&0&0&0&0&1&0&0&1\\
0&0&0&0&0&0&0&0&0&1&0&0\\
0&0&0&0&0&0&0&0&0&0&0&1
\end{bmatrix}
\cdot
\begin{pmatrix}
O_{0,7} \\ O_{0,6} \\ O_{0,5} \\ O_{0,4} \\ O_{0,3} \\ O_{0,2} \\ O_{0,1} \\ O_{0,0} \\ O_{1,3} \\ O_{1,2} \\ O_{1,1} \\ O_{1,0}
\end{pmatrix}
\oplus
\begin{pmatrix}
S_{0,5} \\ S_{0,7} \\ S_{0,4} \\ S_{0,6} \\ S_{0,1} \\ S_{0,3} \\ S_{0,0} \\ S_{0,2} \\ 0 \\ 0 \\ 0 \\ 0
\end{pmatrix}
$$
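The linear map $G$ and its inverse for a known $S_0$, as an added example in Python (not code from the slides or the paper). It assumes the wiring read off the matrix on this slide: $B_1$ acts on each nibble of $O_0$, $B_2$ on each nibble of $S_0$, and $B_3$ on $O_1$; nibbles and the 6-bit outputs are integers with the highest-numbered bit most significant, and all function names are illustrative.

```python
# Added example: the G component as a GF(2)-linear map built from B1, B2, B3.
# Nibbles are 4-bit ints with x3 as the most significant bit.

def bits(x):                        # nibble -> (x3, x2, x1, x0)
    return (x >> 3 & 1, x >> 2 & 1, x >> 1 & 1, x & 1)

def nib(b):                         # (b3, b2, b1, b0) -> nibble
    return b[0] << 3 | b[1] << 2 | b[2] << 1 | b[3]

def B1(x):
    x3, x2, x1, x0 = bits(x)
    return nib((x3 ^ x0, x3 ^ x2 ^ x0, x3, x1))

def B2(x):
    x3, x2, x1, x0 = bits(x)
    return nib((x1, x3, x0, x2))

def B3(x):
    x3, x2, x1, x0 = bits(x)
    return nib((x2, x0, x3 ^ x1 ^ x0, x3 ^ x0))

# B1 and B3 are bijections on nibbles, so inverse lookup tables exist.
B1_INV = {B1(x): x for x in range(16)}
B3_INV = {B3(x): x for x in range(16)}

def G(o0, o1, s0):
    """(O0: 8 bits, O1: 4 bits, S0: 8 bits) -> (O'0, O'1), 6 bits each."""
    hi = B1(o0 >> 4) ^ B2(s0 >> 4)        # bits 5..2 of O'0
    lo = B1(o0 & 0xF) ^ B2(s0 & 0xF)      # bits 5..2 of O'1
    b3 = B3(o1)                           # (O'1 bit1, O'1 bit0, O'0 bit1, O'0 bit0)
    return hi << 2 | (b3 & 3), lo << 2 | (b3 >> 2)

def G_inv(o0p, o1p, s0):
    """Recover (O0, O1) from (O'0, O'1) when the state byte S0 is known."""
    hi = B1_INV[(o0p >> 2) ^ B2(s0 >> 4)]
    lo = B1_INV[(o1p >> 2) ^ B2(s0 & 0xF)]
    o1 = B3_INV[(o1p & 3) << 2 | (o0p & 3)]
    return hi << 4 | lo, o1

if __name__ == "__main__":
    o0p, o1p = G(0xA7, 0x9, 0x3C)         # constructed sample values
    print(f"O'0={o0p:06b} O'1={o1p:06b} ->", G_inv(o0p, o1p, 0x3C))
```

Because $G$ is a bijection once $S_0$ is fixed, every candidate S-box input pair maps back to exactly one pair $(O_0, O_1)$.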

SLIDE 23

[Same matrix equation as on slide 22.]

SLIDE 24

[Same matrix equation as on slide 22, annotated with the labels $y_1$, $y_2$, $x_1$, $x_2$, $v_1$, $v_2$ and the matrix blocks $A$, $B$.]

SLIDE 25

Revisit each Component of the GMR-2 Cipher

  • Three linear systems

SLIDE 26

Revisit each Component of the GMR-2 Cipher

  • Another linear system
      – Let then thus from we obtain

SLIDE 27

Revisit each Component of the GMR-2 Cipher

  • are known values.
  • Given , we can obtain , and vice versa.
  • Given , we can get , and vice versa.
  • selects the column index of the S-box and selects the row index.

[Equation system for this slide: layout lost in extraction. The fragments contain the symbols $y$, $x$, $W$, $v$ (with subscripts 1 and 2), $u$, $k_h$, $k_l$, $\alpha$ and $K_{\tau_1(\alpha)}$.]

SLIDE 28

Revisit each Component of the GMR-2 Cipher

[Figure: data flow through $F$, $G$ and $H$, labelled with $K_c \oplus p$, $\alpha$ and $K_{\tau_1(\alpha)} \ggg \tau_2(\tau_1(\alpha))$.]

SLIDE 29

Revisit each Component of the GMR-2 Cipher

[Figure: data flow through $F$, $G$ and $H$, labelled with $K_c \oplus p$, $\alpha$ and $K_{\tau_1(\alpha)} \ggg \tau_2(\tau_1(\alpha))$, with $x_1$ and $x_2$ marked.]

SLIDE 30

Revisit each Component of the GMR-2 Cipher

[Figure: data flow through $F$, $G$ and $H$, labelled with $K_c \oplus p$, $\alpha$ and $K_{\tau_1(\alpha)} \ggg \tau_2(\tau_1(\alpha))$, with $x_1$, $x_2$, $y_1$ and $y_2$ marked.]

SLIDE 31

Outline

  • Backgrounds and the GMR-2 Cipher
  • Revisit each Component of the GMR-2 Cipher
  • The Low Data Complexity Attack
  • Experimental Result
  • Conclusion
SLIDE 32

The Low Data Complexity Attack

  • Known-plaintext attack
      – From keystream bits to recover the session key
  • Guess and Determine
      – Guess - Determine - Verify
      – The Guessed and Determined Parts of the internal state are known prior to applying the attack
  • Dynamic Guess and Determine
      – Dynamically Guess and Determine
      – Dynamically Check the candidate by backtracking

SLIDE 33

The Low Data Complexity Attack

  • Basic Analysis
      – How these three components interact with each other
          • The linear transformation $G$ plays a central role
          • Since p and $S_0$ must be known to us, we should analyze the cipher at the (c+8)th-clock ($0 \le c \le 6$) in the keystream generation phase.

[Figure: data flow through $F$, $G$ and $H$ at the (c+8)-th clock: $K_c \oplus p$, $K_{\tau_1(\alpha)} \ggg \tau_2(\tau_1(\alpha))$, state byte $S_0$, output $Z_{c+8}$.]

SLIDE 34

The Low Data Complexity Attack

  • Rule 1

[Figure: data flow through $F$, $G$ and $H$ at the (c+8)-th clock: $K_c \oplus p$, $K_{\tau_1(\alpha)} \ggg \tau_2(\tau_1(\alpha))$, state byte $S_0$, output $Z_{c+8}$.]

Let $K_c = (k_h, k_l)$, assume $c$ is odd, and given a guessed value for $k_h$, if $\tau_1(\alpha) = c$, then using the theory of linear consistency test, $k_l$ has no solution or can be determined by $Z^{(N)}_{c+8}$; Similarly, assume $c$ is even, and given a guessed value for $k_l$, if $\tau_1(\alpha) = c$, then $k_h$ has no solution or can be determined by $Z^{(N)}_{c+8}$.

SLIDE 35

The Low Data Complexity Attack

  • Rule 2

[Figure: data flow through $F$, $G$ and $H$ at the (c+8)-th clock: $K_c \oplus p$, $K_{\tau_1(\alpha)} \ggg \tau_2(\tau_1(\alpha))$, state byte $S_0$, output $Z_{c+8}$.]

Let $K_c = (k_h, k_l)$, and given guessed values for $K_{\tau_1(\alpha)}$ and $k_h$, then $k_l$ can be determined by $Z^{(N)}_{c+8}$; Similarly, given guessed values for $K_{\tau_1(\alpha)}$ and $k_l$, then $k_h$ can be determined by $Z^{(N)}_{c+8}$.

SLIDE 36

The Low Data Complexity Attack

  • Rule 3

[Figure: data flow through $F$, $G$ and $H$ at the (c+8)-th clock: $K_c \oplus p$, $K_{\tau_1(\alpha)} \ggg \tau_2(\tau_1(\alpha))$, state byte $S_0$, output $Z_{c+8}$.]

Given a guessed value for $K_c$, if $\tau_1(\alpha) \ne c$, then $K_{\tau_1(\alpha)}$ can be determined by $Z^{(N)}_{c+8}$.

SLIDE 37

The Low Data Complexity Attack

  • Rule 4

[Figure: data flow through $F$, $G$ and $H$ at the (c+8)-th clock: $K_c \oplus p$, $K_{\tau_1(\alpha)} \ggg \tau_2(\tau_1(\alpha))$, state byte $S_0$, output $Z_{c+8}$.]

Given guessed values for $K_c$ and $K_{\tau_1(\alpha)}$, then we can determine whether those guessed values are wrong.

SLIDE 38

The Low Data Complexity Attack

  • Attack Procedure
      – Capture a frame of keystream bits (15-byte): $(Z_0^{(0)}, Z_1^{(0)}, \ldots, Z_7^{(0)}, Z_8^{(0)}, \ldots, Z_{14}^{(0)})$
      – Apply Guess-and-Determine Attack on 8~14th clock
  • Define an index set $\Gamma$, initialized with $\Gamma = \emptyset$
      – $\Gamma$ saves the indices for the session key that has been known
  • Analyzing the cipher at the (c+8)-th clock sequentially
      – Calculate t, c, p, $S_0$, judge whether $c \in \Gamma$
      – Adopt Rule 1~ Rule 4 to perform the attack
      – A little boring, see the full version paper

SLIDE 39

The Low Data Complexity Attack

  • Complexity analysis
      – Data Comp.
          • A frame of Data (15-byte keystream)
          • The last 7 bytes used for guess-and-determine
          • The first 8 bytes used for verification
      – Time Comp.
          • When guessing 8/4-bit, we will determine 8/4-bit
          • The 64-bit session key can be obtained by guessing at most 32-bit
          • Rough estimation, seems hard to obtain exact analysis
          • Experimental results are a little better, about $2^{28}$ exhaustive search
SLIDE 40

Outline

  • Backgrounds and the GMR-2 Cipher
  • Revisit each Component of the GMR-2 Cipher
  • The Low Data Complexity Attack
  • Experimental Result
  • Conclusion
SLIDE 41

Experimental Result

1000 Experimental Results with Random IV and Session Key

SLIDE 42

Experimental Result

  • Some explanations
      – Operated on a 3.2 GHz laptop
      – Non-optimized realization
      – 700 seconds on average
          • 580 seconds for deducing candidates
          • 120 seconds for exhaustive search
SLIDE 43

Outline

  • Backgrounds and the GMR-2 Cipher
  • Revisit each Component of the GMR-2 Cipher
  • The Low Data Complexity Attack
  • Experimental Result
  • Conclusion
SLIDE 44

Conclusion

  • We perform a security analysis of the GMR-2 cipher
      – Revisit the components of GMR-2 cipher
      – Propose “dynamic guess and determine strategy”
      – Present a low data complexity attack
  • The design methodology of the GMR-2 cipher is far from what is “state of the art” in stream ciphers
  • Be careful when using the Satellite phones
SLIDE 45

Thanks for your Attention!

Q & A