a practical attack on keeloq
play

A Practical Attack on KeeLoq Sebastiaan Indesteege 1 Nathan Keller 2 - PowerPoint PPT Presentation

Feb 02, 2023 •409 likes •806 views

Introduction Our Attacks Practice Conclusions A Practical Attack on KeeLoq Sebastiaan Indesteege 1 Nathan Keller 2 Orr Dunkelman 1 Eli Biham 3 Bart Preneel 1 1 Dept. ESAT/SCD-COSIC, K.U.Leuven, Belgium. 2 Einstein Institute of Mathematics,

  1. Introduction Our Attacks Practice Conclusions A Practical Attack on KeeLoq Sebastiaan Indesteege 1 Nathan Keller 2 Orr Dunkelman 1 Eli Biham 3 Bart Preneel 1 1 Dept. ESAT/SCD-COSIC, K.U.Leuven, Belgium. 2 Einstein Institute of Mathematics, Hebrew University, Israel. 3 Computer Science Department, Technion, Israel. Eurocrypt 2008 Sebastiaan Indesteege A Practical Attack on KeeLoq 1/ 21

  2. Introduction Our Attacks Practice Conclusions Outline 1 Introduction Description of the KeeLoq Block Cipher Previous Attacks on KeeLoq 2 Our Attacks on KeeLoq Preliminaries Basic Attack Scenario A Generalisation of the Attack A Chosen Plaintext Attack 3 Practice Experimental Results Practical Applicability of the Attack 4 Conclusions Sebastiaan Indesteege A Practical Attack on KeeLoq 2/ 21

  3. Introduction Our Attacks Practice Conclusions KeeLoq Previous Attacks Outline 1 Introduction Description of the KeeLoq Block Cipher Previous Attacks on KeeLoq 2 Our Attacks on KeeLoq Preliminaries Basic Attack Scenario A Generalisation of the Attack A Chosen Plaintext Attack 3 Practice Experimental Results Practical Applicability of the Attack 4 Conclusions Sebastiaan Indesteege A Practical Attack on KeeLoq 3/ 21

  4. Introduction Our Attacks Practice Conclusions KeeLoq Previous Attacks Introduction What? ◮ Lightweight block cipher ◮ 32-bit block, 64-bit key ◮ Designed in 1980s ◮ Sold by Microchip Inc. Where Is It Used? ◮ Remote keyless entry applications ◮ Car locks and alarms Sebastiaan Indesteege A Practical Attack on KeeLoq 4/ 21

  5. Introduction Our Attacks Practice Conclusions KeeLoq Previous Attacks Description of the KeeLoq Block Cipher y ( i ) 31 y ( i ) y ( i ) y ( i ) 16 y ( i ) y ( i ) y ( i ) 528 rounds 26 20 9 1 0 ϕ ( i ) NLF + k 63 k 0 Sebastiaan Indesteege A Practical Attack on KeeLoq 5/ 21

  6. Introduction Our Attacks Practice Conclusions KeeLoq Previous Attacks Previous Attacks on KeeLoq Attack Type Data Time Memory Ref. 2 32 KP 2 52 Slide/Guess-and-Det. 16 GB [B07] 2 32 KP 2 50 . 6 Slide/Guess-and-Det. 16 GB [B07b] 2 32 KP 2 39 . 4 Slide/Cycle Structure 16 . 5 GB [CB07] 2 32 KP (2 37 ) Slide/Cycle/G&D 16 . 5 GB [B07b] 2 32 KP 2 27 Slide/Fixed Points > 16 GB [C+08] 2 16 KP 2 65 . 4 Slide/Algebraic ? [CB07, C+08] 2 16 KP 2 51 . 4 Slide/Algebraic ? [CB07, C+08] DPA — DEMA - - - [E+08] Sebastiaan Indesteege A Practical Attack on KeeLoq 6/ 21

  7. Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Outline 1 Introduction Description of the KeeLoq Block Cipher Previous Attacks on KeeLoq 2 Our Attacks on KeeLoq Preliminaries Basic Attack Scenario A Generalisation of the Attack A Chosen Plaintext Attack 3 Practice Experimental Results Practical Applicability of the Attack 4 Conclusions Sebastiaan Indesteege A Practical Attack on KeeLoq 7/ 21

  8. Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Determining Keybits in KeeLoq y ( i ) 31 y ( i ) y ( i ) y ( i ) 16 y ( i ) y ( i ) y ( i ) 26 20 9 1 0 ϕ ( i ) NLF + k 63 k 0 ◮ Given two KeeLoq states, 32 rounds or less apart, we can find the key bits used in these rounds. Bogdanov [B07] Sebastiaan Indesteege A Practical Attack on KeeLoq 8/ 21

  9. Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Slide Attack ◮ Cipher with many identical “rounds” F ( · ) P 2 . . . P 1 C 1 F F F F . . . P 2 C 2 F F F F C 1 ◮ Slid pair P 2 = F ( P 1 ), then also C 2 = F ( C 1 ) ◮ Encrypting C 1 and C 2 yields another slid pair , . . . ◮ Use these pairs to attack F ( · ) Sebastiaan Indesteege A Practical Attack on KeeLoq 9/ 21

  10. Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Basic Attack Scenario 16 rounds 16 rounds 16 rounds 16 rounds → P j P i → k 0 ... 15 k 16 ... 31 k 32 ... 47 k 48 ... 63 Expect a slid pair among 2 16 plaintexts (birthday paradox) Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21

  11. Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Basic Attack Scenario 16 rounds 16 rounds 16 rounds 16 rounds → P j P i → k 0 ... 15 k 16 ... 31 k 32 ... 47 k 48 ... 63 k 0 ... 15 16 rounds 16 rounds 16 rounds 16 rounds → C j C i → 528 rounds = 8 × 64 + 16 rounds Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21

  12. Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Basic Attack Scenario P ⋆ X ⋆ → P j P i → X i j i k 0 ... 15 k 16 ... 31 k 32 ... 47 k 48 ... 63 k 0 ... 15 Y ⋆ C ⋆ Y j → C j C i → j i Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21

  13. Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Basic Attack Scenario P ⋆ X ⋆ → P j P i → X i j i k 0 ... 15 k 16 ... 31 k 32 ... 47 k 48 ... 63 k 0 ... 15 Y ⋆ C ⋆ Y j → C j C i → j i Guess 16 key bits: k 0 ... 15 Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21

  14. Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Basic Attack Scenario P ⋆ X ⋆ → P j P i → X i j i k 0 ... 15 k 16 ... 31 k 32 ... 47 k 48 ... 63 k 0 ... 15 Y ⋆ C ⋆ Y j → C j C i → j i Guess 16 LSB’s of P ⋆ j : P ⋆ j = X ⋆ i Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21

  15. Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Basic Attack Scenario P ⋆ X ⋆ → P j P i → X i j i k 0 ... 15 k 16 ... 31 k 32 ... 47 k 48 ... 63 k 0 ... 15 Y ⋆ C ⋆ Y j → C j C i → j i For each plaintext j , determine k 48 ... 63 Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21

  16. Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Basic Attack Scenario Table P ⋆ 2 16 tuples X ⋆ → P j P i → X i j i � � P ⋆ j , Y ⋆ i , k 48 ... 63 k 0 ... 15 k 16 ... 31 k 32 ... 47 k 48 ... 63 k 0 ... 15 Y ⋆ C ⋆ Y j → C j C i → j i For each plaintext j , partially decrypt Y j to Y ⋆ j Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21

  17. Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Basic Attack Scenario Table P ⋆ 2 16 tuples X ⋆ → P j P i → X i j i � � P ⋆ j , Y ⋆ i , k 48 ... 63 k 0 ... 15 k 16 ... 31 k 32 ... 47 k 48 ... 63 k 0 ... 15 Y ⋆ C ⋆ Y j → C j C i → j i For each plaintext i , determine k 16 ... 31 Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21

  18. Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Basic Attack Scenario Table P ⋆ 2 16 tuples X ⋆ → P j P i → X i j i � � P ⋆ j , Y ⋆ i , k 48 ... 63 k 0 ... 15 k 16 ... 31 k 32 ... 47 k 48 ... 63 k 0 ... 15 Y ⋆ C ⋆ Y j → C j C i → j i For each plaintext i , partially encrypt C i to C ⋆ i Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21

  19. Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Basic Attack Scenario Table P ⋆ 2 16 tuples X ⋆ → P j P i → X i j i � � P ⋆ j , Y ⋆ i , k 48 ... 63 k 0 ... 15 k 16 ... 31 k 32 ... 47 k 48 ... 63 k 0 ... 15 Y ⋆ C ⋆ Y j → C j C i → ? j i Find ± 2 16 collision(s) between C ⋆ i and Y ⋆ j Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21

  20. Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Basic Attack Scenario Table P ⋆ 2 16 tuples X ⋆ → P j P i → X i j i � � P ⋆ j , Y ⋆ i , k 48 ... 63 ? k 0 ... 15 k 16 ... 31 k 32 ... 47 k 48 ... 63 k 0 ... 15 Y ⋆ C ⋆ Y j → C j C i → j i Determine (and check ) k 32 ... 47 ; ± 1 collision survives Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21

  21. Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Basic Attack Scenario Table P ⋆ 2 16 tuples X ⋆ → P j P i → X i j i � � P ⋆ j , Y ⋆ i , k 48 ... 63 k 0 ... 15 k 16 ... 31 k 32 ... 47 k 48 ... 63 k 0 ... 15 Y ⋆ C ⋆ Y j → C j C i → j i Verify key candidates using trial encryptions ( ± 2 16 in total) Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21

  22. Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Basic Attack Scenario Table P ⋆ 2 16 tuples X ⋆ → P j P i → X i j i � � P ⋆ j , Y ⋆ i , k 48 ... 63 k 0 ... 15 k 16 ... 31 k 32 ... 47 k 48 ... 63 k 0 ... 15 Y ⋆ C ⋆ Y j → C j C i → Complexity j i Data 2 16 known plaintexts Memory ± 2 MB for the table Time 2 45 KeeLoq encryptions Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21

  23. Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext A Generalisation of the Attack Why 16 rounds throughout the attack? Sebastiaan Indesteege A Practical Attack on KeeLoq 11/ 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Algebraic and Slide Attacks on KeeLoq Nicolas T. Courtois 1 Gregory V. Bard 2 1 - University

Algebraic and Slide Attacks on KeeLoq Nicolas T. Courtois 1 Gregory V. Bard 2 1 - University

Algebraic and Slide Attacks on KeeLoq Nicolas T. Courtois 1 Gregory V. Bard 2 1 - University College of London, UK 2 - University of Maryland, US KeeLoq and Algebraic Cryptanalysis KeeLoq Block cipher used to unlock doors and the alarm in

171 views • 13 slides
A Practical Congestion Attack on Tor Using Long Paths Towards De-anonymizing Tor Nathan S. Evans

A Practical Congestion Attack on Tor Using Long Paths Towards De-anonymizing Tor Nathan S. Evans

A Practical Congestion Attack on Tor Using Long Paths Towards De-anonymizing Tor Nathan S. Evans 1 Christian Grothoff 1 Roger Dingledine 2 1 University of Denver, Denver CO 2 The Tor Project August, 12 2009 A Practical Congestion Attack on Tor

2.41k views • 56 slides
Attacks on the KeeLoq Block Cipher and Authentication Systems Andrey Bogdanov Chair for

Attacks on the KeeLoq Block Cipher and Authentication Systems Andrey Bogdanov Chair for

Attacks on the KeeLoq Block Cipher and Authentication Systems Andrey Bogdanov Chair for Communication Security Ruhr University Bochum, Germany abogdanov@crypto.rub.de www.crypto.rub.de Abstract. KeeLoq is a block cipher used in numerous

143 views • 13 slides
A Tale of Three Signatures: Practical Attack of ECDSA with wNAF Gabrielle De Micheli Joint work

A Tale of Three Signatures: Practical Attack of ECDSA with wNAF Gabrielle De Micheli Joint work

A Tale of Three Signatures: Practical Attack of ECDSA with wNAF Gabrielle De Micheli Joint work with R emi Piau and C ecile Pierrot Universit e de Lorraine, Inria Nancy, France Africacrypt 2020 Cairo, Egypt 1/32 How to attack ECDSA

646 views • 32 slides
Practical key recovery attack against APOP , an MD5 based challenge response authentication. By

Practical key recovery attack against APOP , an MD5 based challenge response authentication. By

Practical key recovery attack against APOP , an MD5 based challenge response authentication. By Gaetan Leurent Presented by:- Guided By:- Raagi Sukhlecha Prof. Anish Mathuria Lalit Agarwal Outline Introduction APOP What is

953 views • 79 slides
NetCAT : Practical Cache Attacks from the Network Michael Kurth , Ben Gras, Dennis Andriesse,

NetCAT : Practical Cache Attacks from the Network Michael Kurth , Ben Gras, Dennis Andriesse,

NetCAT : Practical Cache Attacks from the Network Michael Kurth , Ben Gras, Dennis Andriesse, Cristiano Giuffrida, Herbert Bos, Kaveh Razavi Cache Attack from the Network Client Server Remote Cache Attack SSH 2 Network Cache Attack 3

794 views • 32 slides
Practical Attack on 8 Rounds of the Lightweight Block Cipher KLEIN Jean-Philippe Aumasson NAGRA,

Practical Attack on 8 Rounds of the Lightweight Block Cipher KLEIN Jean-Philippe Aumasson NAGRA,

Practical Attack on 8 Rounds of the Lightweight Block Cipher KLEIN Jean-Philippe Aumasson NAGRA, Switzerland - Mara Naya-Plasencia FHNW, Windisch, Switzerland and University of Versailles, France - Markku-Juhani O. Saarinen Revere

263 views • 15 slides
NFC-enabled Attack on Cyber Physical Systems: A Practical Case Study Fan Dang 1 , Pengfei Zhou 1,

NFC-enabled Attack on Cyber Physical Systems: A Practical Case Study Fan Dang 1 , Pengfei Zhou 1,

1 NFC-enabled Attack on Cyber Physical Systems: A Practical Case Study Fan Dang 1 , Pengfei Zhou 1, 2 , Zhenhua Li 1 , Yunhao Liu 1 1 School of Software, Tsinghua University, China 2 Beijing Feifanshi Technology Co., Ltd., China 2 Outline

1.01k views • 21 slides
Attack on Traffic Systems These attack examples have happened in the past. We will take an

Attack on Traffic Systems These attack examples have happened in the past. We will take an

From start to finish how a cyber attack would be performed on traffic system, we will go over first day >> exploitation of the device >> the real-world aftermath. Mission Secure, Inc. Attack on Traffic Systems These attack examples

556 views • 18 slides
Practical Cryptanalysis of ARMADILLO-2 Mar a Naya-Plasencia and Thomas Peyrin University of

Practical Cryptanalysis of ARMADILLO-2 Mar a Naya-Plasencia and Thomas Peyrin University of

The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion Practical Cryptanalysis of ARMADILLO-2 Mar a Naya-Plasencia and Thomas Peyrin University of Versailles - France Nanyang Technological

846 views • 43 slides
A Practical Attack to De-Anonymize Social Network Users Gilbert Wondracek (Vienna University of

A Practical Attack to De-Anonymize Social Network Users Gilbert Wondracek (Vienna University of

Int. Secure Systems Lab Vienna University of Technology A Practical Attack to De-Anonymize Social Network Users Gilbert Wondracek (Vienna University of Technology) Thorsten Holz (Vienna University of Technology) Engin Kirda (Institute Eurecom)

776 views • 31 slides
When We Need Audit Logs Computer forensics in courts Recovering from an attack

When We Need Audit Logs Computer forensics in courts Recovering from an attack

Systematic and Practical Methods for Computer Attack Analysis and Forensics Dr. Sean Peisert UC Davis Computer Science Dept. NSF I/UCRC Meeting ~ Davis, CA June 17, 2008 1 When We Need Audit Logs Computer forensics in courts

524 views • 11 slides
ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on

ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on

ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on Deep Neural Networks Yandong Li* 1 Lijun Li* 1 Liqiang Wang 1 Tong Zhang 2 Boqing Gong 3 *Equal Contribution 1 University of Central Florida 2 Hong

440 views • 11 slides
Detecting a Biological Attack The attack will not be obvious; it may take hours or days to know.

Detecting a Biological Attack The attack will not be obvious; it may take hours or days to know.

Detecting a Biological Attack The attack will not be obvious; it may take hours or days to know. Current biological diagnostics are very effective at identifying agents, but theyre slow. We already have an infrastruc- ture in place to

233 views • 8 slides
ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT & Return-to-plt Attack

ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT & Return-to-plt Attack

ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT & Return-to-plt Attack & GOT Overwrite Attack Dr. Si Chen (schen@wcupa.edu) Review Page 2 ret2libc Attack Page 3 libc C standard library Provides

662 views • 36 slides
.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A Summary of a 3 weeks long experience 2016-03-07 Dec 2015 DDoS Attack on .TR 2 Before DDoS q Infrequent Small scale DoS and DDos Attacks Few

606 views • 14 slides
TEMPEST Attacks Against AES Covertly stealing keys for $200 Craig Ramsay & Jasper Lohuis

TEMPEST Attacks Against AES Covertly stealing keys for $200 Craig Ramsay & Jasper Lohuis

TEMPEST Attacks Against AES Covertly stealing keys for $200 Craig Ramsay & Jasper Lohuis September 22, 2017 Introduction Your code just pushes electrons around. 0010101 10 10101010010101 Pushing electrons will make magnetic fjelds.

1.3k views • 111 slides
A Multi-Round Side Channel Attack on AES using Belief Propagation Hlne Le Bouder 1 Ronan

A Multi-Round Side Channel Attack on AES using Belief Propagation Hlne Le Bouder 1 Ronan

A Multi-Round Side Channel Attack on AES using Belief Propagation Hlne Le Bouder 1 Ronan Lashermes 1 Yanis Linge 2 Gal Thomas 3 Jean Yves Zie 1 INRIA Rennes, LHS/PEC 2 STMicroelectronics 3 Orange Labs Issy Les Moulineaux October 25th, 2016

315 views • 17 slides
Coding for Interactive Communication Mohsen Ghaffari (MIT) , Bernhard Haeupler (MSR, SVC) , and

Coding for Interactive Communication Mohsen Ghaffari (MIT) , Bernhard Haeupler (MSR, SVC) , and

Coding for Interactive Communication Mohsen Ghaffari (MIT) , Bernhard Haeupler (MSR, SVC) , and Madhu Sudan (MSR, NE) Interactive Communication One-way communication : one party wants to send a msg to the other. Two-way (interactive) communication

271 views • 16 slides
Strategies for Schwartz Rounds Marketing & Promotion An Office Hours Webinar January 8,

Strategies for Schwartz Rounds Marketing & Promotion An Office Hours Webinar January 8,

Strategies for Schwartz Rounds Marketing & Promotion An Office Hours Webinar January 8, 2019 1 Your Hosts Today Stephanie Adler Yuan, MS Director of Training & Education The Schwartz Center for Compassionate Healthcare Kathy

261 views • 22 slides
Lattice Agreement in Message Passing Systems Xiong Zheng, Changyong Hu, and Vijay Garg Parallel

Lattice Agreement in Message Passing Systems Xiong Zheng, Changyong Hu, and Vijay Garg Parallel

Lattice Agreement in Message Passing Systems Xiong Zheng, Changyong Hu, and Vijay Garg Parallel and Distributed Systems Lab, Department of Electrical and Computer Engineering, The University of Texas at Austin, Austin, TX 78712 PDSL, UT Austin

413 views • 18 slides
The Quantum Alternating Operator Ansatz on Maximum k-Vertex Cover you joint work with Jeremy

The Quantum Alternating Operator Ansatz on Maximum k-Vertex Cover you joint work with Jeremy

Los Alamos National Laboratory LA-UR-20-28072 The Quantum Alternating Operator Ansatz on Maximum k-Vertex Cover you joint work with Jeremy Cook and Stephan Eidenbenz Andreas Brtschi nt CCS-3 Information Sciences baertschi@lanl.gov wo

777 views • 19 slides
Good Network Updates for Bad Packets Arne Ludwig, Matthias Rost, Damien Foucard, Stefan Schmid 1

Good Network Updates for Bad Packets Arne Ludwig, Matthias Rost, Damien Foucard, Stefan Schmid 1

Good Network Updates for Bad Packets Arne Ludwig, Matthias Rost, Damien Foucard, Stefan Schmid 1 Updates happen Network updates happen Changing security policies Network updates are challenging Even with global view Potential

709 views • 48 slides
libNeuroML - NeuroML meets Python Mike Vella Department of Physiology, Development and

libNeuroML - NeuroML meets Python Mike Vella Department of Physiology, Development and

libNeuroML - NeuroML meets Python Mike Vella Department of Physiology, Development and Neuroscience, University of Cambridge, Cambridge, UK NeuroML What is NeuroML and why should I care? NeuroML: An XML-based Model description language that

256 views • 8 slides

More recommend