Breaking LMAP
Mihály Bárász, Balázs Boros, Péter Ligeti, Krisztina Lója, Dániel A. Nagy
Eötvös Loránd University, Budapest, Hungary ELTECRYPT Research Group
LMAP
Pedro Peris-Lopez, Julio Cesar Hernandez-Castro, Juan M. Estévez Tapiador, Arturo Ribagorda:
in: Proc. of RFIDSec06 Workshop on RFID Security, July 12-14, Graz, Austria, 2006.
2/29
Simple operations:
The goal:
Is it possible?
3/29
Tieyan Li, Guilin Wang: Security Analysis of Two Ultra-Lightweight Mutual Authentication Protocols for Low-cost RFID tags, IFIP SEC 2007.
Active attacks against LMAP:
de-synchronization attack
full-disclosure attack
96 rounds of authentication are needed
4/29
Our attack:
Passive attack
Intercepting a few consecutive rounds of authentication of the same tag is enough to calculate the keys and all other secrets
The attacker can impersonate the tag in the subsequent rounds
5/29
K = K1 || K2 || K3 || K4: the keys
384 bit = 96 + 96 + 96 + 96 bit
ID: a constant identification number (96 bit)
IDS: an identification number that must be updated after every round of authentication (96 bit)
n1, n2: random numbers generated by the reader (96 bit)
6/29
Reader → Tag: hello
Tag → Reader: IDS
Reader → Tag: A || B || C
Tag → Reader: D
7/29
A = IDS ⊕ K1 ⊕ n1          now the tag knows n1
B = (IDS ∨ K2) + n1        reader authentication
C = IDS + K3 + n2          the tag knows n2
D = (IDS + ID) ⊕ n1 ⊕ n2   tag authentication
8/29
IDS(n+1) = (IDS(n) + (n2(n) ⊕ K4(n))) ⊕ ID
K1(n+1) = K1(n) ⊕ n2(n) ⊕ (K3(n) + ID)
K2(n+1) = K2(n) ⊕ n2(n) ⊕ (K4(n) + ID)
K3(n+1) = (K3(n) ⊕ n1(n)) + (K1(n) ⊕ ID)
K4(n+1) = (K4(n) ⊕ n1(n)) + (K2(n) ⊕ ID)
9/29
A = IDS ⊕ K1 ⊕ n1
B = (IDS ∨ K2) + n1
C = IDS + K3 + n2
D = (IDS + ID) ⊕ n1 ⊕ n2
LMAP uses only bitwise operations and addition modulo 2^96, so every bit of a result depends only on the bits of the operands at the same position and at less significant positions.
For the least significant bits the XOR and the addition are the same, so we can compute the least significant bits first.
10/29
The addition modulo 2^96 means no difficulty if we know every less significant bit: the carry into a bit position is determined by the less significant bits of the operands.
The bitwise OR (∨) operation is a weak point in the protocol: in B = (IDS ∨ K2) + n1, wherever IDS has a 1 bit the corresponding bit of IDS ∨ K2 is 1 regardless of K2, which leaks information about n1 with the help of the 1 bits of the IDS.
11/29
We will need a few consecutive rounds of authentication of the same tag.
We compute the least significant bits (the 96th bits) in a round where the least significant bit of the IDS is 1.
Next we compute the 95th bits, and so on.
We will need r rounds so that
[IDS(n)]k ∨ [IDS(n+1)]k ∨ [IDS(n+2)]k ∨ … ∨ [IDS(n+r-1)]k = 1 for every k = 1, 2, …, 96
plus two more rounds, and then we can compute every key and secret.
[M(n)]k: the k-th bit of message M in round n (bit 96 is the least significant bit)
12/29
Known: A, B, C, D, IDS
Unknown: K1, K2, K3, K4, ID, n1, n2
Let us assume that [IDS(n)]96 = 1. Then [IDS(n)]96 ∨ [K2(n)]96 = 1.
B = (IDS ∨ K2) + n1
[B(n)]96 = 1 ⊕ [n1(n)]96
[n1(n)]96 = [B(n)]96 ⊕ 1
[A(n)]96 = [IDS(n)]96 ⊕ [K1(n)]96 ⊕ [n1(n)]96
[K1(n)]96 = [A(n)]96 ⊕ [IDS(n)]96 ⊕ [n1(n)]96
Known: the 96th bit of n1, K1
13/29
D = (IDS + ID) ⊕ n1 ⊕ n2
[D(n)]96 = [IDS(n)]96 ⊕ [ID]96 ⊕ [n1(n)]96 ⊕ [n2(n)]96
IDS(n+1) = (IDS(n) + (n2(n) ⊕ K4(n))) ⊕ ID
[IDS(n+1)]96 = [IDS(n)]96 ⊕ [n2(n)]96 ⊕ [K4(n)]96 ⊕ [ID]96
[K4(n)]96 = [IDS(n+1)]96 ⊕ [D(n)]96 ⊕ [n1(n)]96
Unknown: the 96th bit of K2, K3, ID, n2
Known: the 96th bit of n1, K1, K4
14/29
The messages of round n+1, expressed with the secrets of round n through the key update:
[A(n+1)]96 = [IDS(n+1)]96 ⊕ [K1(n)]96 ⊕ [n2(n)]96 ⊕ [K3(n)]96 ⊕ [ID]96 ⊕ [n1(n+1)]96
[B(n+1)]96 = ([IDS(n+1)]96 ∨ ([K2(n)]96 ⊕ [n2(n)]96 ⊕ [K4(n)]96 ⊕ [ID]96)) ⊕ [n1(n+1)]96
[C(n+1)]96 = [IDS(n+1)]96 ⊕ [K3(n)]96 ⊕ [n1(n)]96 ⊕ [K1(n)]96 ⊕ [ID]96 ⊕ [n2(n+1)]96
[D(n+1)]96 = [IDS(n+1)]96 ⊕ [ID]96 ⊕ [n1(n+1)]96 ⊕ [n2(n+1)]96
(If [IDS(n+1)]96 = 1, then [B(n+1)]96 = 1 ⊕ [n1(n+1)]96)
15/29
[C(n+1)]96 = [IDS(n+1)]96 ⊕ [K3(n)]96 ⊕ [n1(n)]96 ⊕ [K1(n)]96 ⊕ [ID]96 ⊕ [n2(n+1)]96
[C(n)]96 = [IDS(n)]96 ⊕ [K3(n)]96 ⊕ [n2(n)]96
[D(n)]96 = [IDS(n)]96 ⊕ [ID]96 ⊕ [n1(n)]96 ⊕ [n2(n)]96
[C(n)]96 ⊕ [D(n)]96 = [ID]96 ⊕ [n1(n)]96 ⊕ [K3(n)]96
[n2(n+1)]96 = [IDS(n+1)]96 ⊕ [C(n+1)]96 ⊕ [C(n)]96 ⊕ [D(n)]96 ⊕ [K1(n)]96
Unknown: the 96th bit of K2, K3, ID, n2
Known: the 96th bit of n1, n2(n+1), K1, K4
16/29
[IDS(n+2)]96 = [IDS(n+1)]96 ⊕ [n2(n+1)]96 ⊕ [K4(n+1)]96 ⊕ [ID]96
             = [IDS(n+1)]96 ⊕ [n2(n+1)]96 ⊕ [K4(n)]96 ⊕ [n1(n)]96 ⊕ [K2(n)]96
[K2(n)]96 = [IDS(n+2)]96 ⊕ [IDS(n+1)]96 ⊕ [n2(n+1)]96 ⊕ [K4(n)]96 ⊕ [n1(n)]96
Unknown: the 96th bit of K3, ID, n2
Known: the 96th bit of n1, n2(n+1), K1, K2, K4
17/29
[B(n+1)]96 = ([IDS(n+1)]96 ∨ ([K2(n)]96 ⊕ [n2(n)]96 ⊕ [K4(n)]96 ⊕ [ID]96)) ⊕ [n1(n+1)]96
[D(n)]96 = [IDS(n)]96 ⊕ [ID]96 ⊕ [n1(n)]96 ⊕ [n2(n)]96
[n1(n+1)]96 = [B(n+1)]96 ⊕ ([IDS(n+1)]96 ∨ ([K2(n)]96 ⊕ [K4(n)]96 ⊕ [D(n)]96 ⊕ [IDS(n)]96 ⊕ [n1(n)]96))   (here [IDS(n)]96 = 1)
[D(n+1)]96 = [IDS(n+1)]96 ⊕ [ID]96 ⊕ [n1(n+1)]96 ⊕ [n2(n+1)]96
[ID]96 = [IDS(n+1)]96 ⊕ [D(n+1)]96 ⊕ [n1(n+1)]96 ⊕ [n2(n+1)]96
Unknown: the 96th bit of K3, n2
Known: the 96th bit of n1, n1(n+1), n2(n+1), K1, K2, K4, ID
18/29
[D(n)]96 = [IDS(n)]96 ⊕ [ID]96 ⊕ [n1(n)]96 ⊕ [n2(n)]96
[n2(n)]96 = [IDS(n)]96 ⊕ [ID]96 ⊕ [n1(n)]96 ⊕ [D(n)]96
[C(n)]96 = [IDS(n)]96 ⊕ [K3(n)]96 ⊕ [n2(n)]96
[K3(n)]96 = [IDS(n)]96 ⊕ [C(n)]96 ⊕ [n2(n)]96
Now we know the least significant bit of every key and secret!
19/29
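The least-significant-bit leakage worked out on the preceding slides, as an added Python example (not the authors' code): it simulates the LMAP messages and key update on constructed random 96-bit secrets, then applies the slides' formulas to the public values IDS, A, B, C, D of rounds n and n+1 and IDS of round n+2, and checks that the recovered bits equal the real ones. The bit the slides call the 96th is bit 0 here; the function and dictionary-key names are my own.

```python
import random

W = 96
MASK = (1 << W) - 1


def lmap_round(ids, k1, k2, k3, id_, n1, n2):
    """Messages of one LMAP round: the reader sends A||B||C, the tag answers D."""
    a = ids ^ k1 ^ n1
    b = ((ids | k2) + n1) & MASK
    c = (ids + k3 + n2) & MASK
    d = ((ids + id_) & MASK) ^ n1 ^ n2
    return a, b, c, d


def lmap_update(ids, k1, k2, k3, k4, id_, n1, n2):
    """Pseudonym and key update run by tag and reader after a successful round."""
    ids_next = ((ids + (n2 ^ k4)) & MASK) ^ id_
    k1_next = k1 ^ n2 ^ ((k3 + id_) & MASK)
    k2_next = k2 ^ n2 ^ ((k4 + id_) & MASK)
    k3_next = ((k3 ^ n1) + (k1 ^ id_)) & MASK
    k4_next = ((k4 ^ n1) + (k2 ^ id_)) & MASK
    return ids_next, k1_next, k2_next, k3_next, k4_next


def transcript_and_truth(rng):
    """Constructed sample: random 96-bit secrets with the LSB of IDS(n) forced to 1
    (the slides' starting condition), rounds n and n+1, and IDS(n+2).
    Returns the public transcript and the true LSBs for comparison."""
    def rand96():
        return rng.getrandbits(W)

    ids = rand96() | 1
    k1, k2, k3, k4, id_ = (rand96() for _ in range(5))
    n1, n2 = rand96(), rand96()
    a, b, c, d = lmap_round(ids, k1, k2, k3, id_, n1, n2)
    ids1, k1b, k2b, k3b, k4b = lmap_update(ids, k1, k2, k3, k4, id_, n1, n2)
    n1b, n2b = rand96(), rand96()
    a1, b1, c1, d1 = lmap_round(ids1, k1b, k2b, k3b, id_, n1b, n2b)
    ids2 = lmap_update(ids1, k1b, k2b, k3b, k4b, id_, n1b, n2b)[0]
    transcript = dict(IDS0=ids, A0=a, B0=b, C0=c, D0=d,
                      IDS1=ids1, A1=a1, B1=b1, C1=c1, D1=d1, IDS2=ids2)
    truth = dict(n1=n1 & 1, n2=n2 & 1, K1=k1 & 1, K2=k2 & 1, K3=k3 & 1,
                 K4=k4 & 1, ID=id_ & 1, n1_next=n1b & 1, n2_next=n2b & 1)
    return transcript, truth


def recover_lsbs(t):
    """Least significant bits of all keys and secrets of round n, from the
    public values only, following the slides step by step."""
    L = {k: v & 1 for k, v in t.items()}
    if L["IDS0"] != 1:
        raise ValueError("the derivation assumes the LSB of IDS(n) is 1")
    n1 = L["B0"] ^ 1                     # LSB of IDS ∨ K2 is 1, so LSB of B is 1 ⊕ n1
    k1 = L["A0"] ^ L["IDS0"] ^ n1
    k4 = L["IDS1"] ^ L["D0"] ^ n1
    n2_next = L["IDS1"] ^ L["C1"] ^ L["C0"] ^ L["D0"] ^ k1
    k2 = L["IDS2"] ^ L["IDS1"] ^ n2_next ^ k4 ^ n1
    # LSB of K2(n+1) = K2 ⊕ n2 ⊕ K4 ⊕ ID, with n2 ⊕ ID = D(n) ⊕ IDS(n) ⊕ n1
    n1_next = L["B1"] ^ (L["IDS1"] | (k2 ^ k4 ^ L["D0"] ^ L["IDS0"] ^ n1))
    id_ = L["IDS1"] ^ L["D1"] ^ n1_next ^ n2_next
    n2 = L["IDS0"] ^ id_ ^ n1 ^ L["D0"]
    k3 = L["IDS0"] ^ L["C0"] ^ n2
    return dict(n1=n1, n2=n2, K1=k1, K2=k2, K3=k3, K4=k4, ID=id_,
                n1_next=n1_next, n2_next=n2_next)


def leakage_holds(seed=1, trials=200):
    """True if the recovered LSBs equal the true ones in every constructed trial."""
    rng = random.Random(seed)
    for _ in range(trials):
        transcript, truth = transcript_and_truth(rng)
        if recover_lsbs(transcript) != truth:
            return False
    return True


if __name__ == "__main__":
    print("LSB of every key and secret recovered from the transcript:", leakage_holds())
```

Only the public values of the rounds enter recover_lsbs, which is the point of the slides: once one round with an odd IDS has been observed, the lowest bit of K1, K2, K3, K4, ID and both nonces is fixed by the transcript, and the same reasoning lifts bit by bit with the carries.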
The 95th bits; the last term of B, C and D is the carry from the 96th bit (for C, the carry of the three-term sum IDS + K3 + n2 is [K3(n)]96 ∨ [n2(n)]96 because [IDS(n)]96 = 1):
[A(n)]95 = [IDS(n)]95 ⊕ [K1(n)]95 ⊕ [n1(n)]95
[B(n)]95 = ([IDS(n)]95 ∨ [K2(n)]95) ⊕ [n1(n)]95 ⊕ (([IDS(n)]96 ∨ [K2(n)]96) ∧ [n1(n)]96)
[C(n)]95 = [IDS(n)]95 ⊕ [K3(n)]95 ⊕ [n2(n)]95 ⊕ ([K3(n)]96 ∨ [n2(n)]96)
[D(n)]95 = [IDS(n)]95 ⊕ [ID]95 ⊕ ([IDS(n)]96 ∧ [ID]96) ⊕ [n1(n)]95 ⊕ [n2(n)]95
20/29
If [IDS(n)]95 = 1, then the problem is equivalent to that of the least significant bits.
If [IDS(n)]95 = 0, then we have to wait for a later round where the 95th bit of the IDS is 1.
After this we will compute the 95th bits in round n as well.
After the 95th bits we compute the 94th bits and so on. (We use the same few rounds of authentication!)
21/29
P([IDS(n)]k = 1) = ½
P([IDS(n)]k = 1 | [IDS(n-1)]k = 0) = P([IDS(n)]k = 1 | [IDS(n-1)]k = 1) = ½
IDS(n+1) = (IDS(n) + (n2(n) ⊕ K4(n))) ⊕ ID, where n2(n) is random
If [IDS(n)]95 = 0, then in a later round it must be 1
22/29
If [IDS(n)]95 = 0 and [IDS(n+1)]95 = 1:
[A(n)]95 = [K1(n)]95 ⊕ [n1(n)]95
[B(n)]95 = [K2(n)]95 ⊕ [n1(n)]95 ⊕ (([IDS(n)]96 ∨ [K2(n)]96) ∧ [n1(n)]96)
[C(n)]95 = [K3(n)]95 ⊕ [n2(n)]95 ⊕ ([K3(n)]96 ∨ [n2(n)]96)
[D(n)]95 = [ID]95 ⊕ ([IDS(n)]96 ∧ [ID]96) ⊕ [n1(n)]95 ⊕ [n2(n)]95
23/29
([K1(n+1)]95 is already known, because [IDS(n+1)]95 = 1; the last term of the first line is the carry of K3(n) + ID from the 96th bit.)
[K1(n+1)]95 = [K1(n)]95 ⊕ [n2(n)]95 ⊕ [K3(n)]95 ⊕ [ID]95 ⊕ ([K3(n)]96 ∧ [ID]96)
[C(n)]95 = [K3(n)]95 ⊕ [n2(n)]95 ⊕ ([K3(n)]96 ∨ [n2(n)]96)
[K1(n)]95 = [K1(n+1)]95 ⊕ [ID]95 ⊕ ([K3(n)]96 ∧ [ID]96) ⊕ [C(n)]95 ⊕ ([K3(n)]96 ∨ [n2(n)]96)
[A(n)]95 = [K1(n)]95 ⊕ [n1(n)]95
[n1(n)]95 = [A(n)]95 ⊕ [K1(n)]95
24/29
[B(n)]95 = [K2(n)]95 ⊕ [n1(n)]95 ⊕ (([IDS(n)]96 ∨ [K2(n)]96) ∧ [n1(n)]96)
[K2(n)]95 = [B(n)]95 ⊕ [n1(n)]95 ⊕ (([IDS(n)]96 ∨ [K2(n)]96) ∧ [n1(n)]96)
[D(n)]95 = [ID]95 ⊕ ([IDS(n)]96 ∧ [ID]96) ⊕ [n1(n)]95 ⊕ [n2(n)]95
[n2(n)]95 = [D(n)]95 ⊕ [ID]95 ⊕ ([IDS(n)]96 ∧ [ID]96) ⊕ [n1(n)]95
25/29
[C(n)]95 = [K3(n)]95 ⊕ [n2(n)]95 ⊕ ([K3(n)]96 ∨ [n2(n)]96)
[K3(n)]95 = [C(n)]95 ⊕ [n2(n)]95 ⊕ ([K3(n)]96 ∨ [n2(n)]96)
[IDS(n+1)]95 = [n2(n)]95 ⊕ [K4(n)]95 ⊕ ([IDS(n)]96 ∧ ([n2(n)]96 ⊕ [K4(n)]96)) ⊕ [ID]95
[K4(n)]95 = [IDS(n+1)]95 ⊕ [n2(n)]95 ⊕ ([IDS(n)]96 ∧ ([n2(n)]96 ⊕ [K4(n)]96)) ⊕ [ID]95
(The ∧ term is the carry of IDS(n) + (n2(n) ⊕ K4(n)) from the 96th bit; every bit in it is already known.)
26/29
We need r + 2 rounds so that for every k = 1, 2, …, 96
[IDS(n)]k ∨ [IDS(n+1)]k ∨ [IDS(n+2)]k ∨ … ∨ [IDS(n+r-1)]k = 1
The expected value of r is about 7.93
Expected number of the needed rounds: about 9.93
Distribution of r:
t        1        2        3        4       5     6     7     8     9     10    11    12    13    14
P(r=t)   <10^-29  <10^-11  <10^-5   <10^-2  0.05  0.17  0.25  0.22  0.14  0.08  0.04  0.02  0.01  <10^-2
27/29
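Added Python example (not from the slides) reproducing the round-count figures above. It goes one step beyond the slide by writing down the closed form behind the table: with every bit of IDS equal to 1 with probability ½ independently in each round, a given bit position stays 0 through t rounds with probability 2^-t, so P(r ≤ t) = (1 − 2^-t)^96, and the distribution, the expectation E[r] = Σ_{t≥0} P(r > t) and the probability that 15 intercepted rounds suffice (r ≤ 13) follow from it. Function names are my own.

```python
"""Round-count statistics for the attack: r is the number of rounds after
which every one of the 96 bit positions of IDS has shown a 1 at least once;
the attack needs r + 2 rounds."""

BITS = 96


def p_r_at_most(t, bits=BITS):
    """P(r <= t): each bit of IDS is 1 with probability 1/2 independently per
    round, so one position is never 1 in t rounds with probability 2^-t."""
    return (1.0 - 2.0 ** -t) ** bits


def p_r_equals(t, bits=BITS):
    """P(r = t) for t >= 1."""
    return p_r_at_most(t, bits) - p_r_at_most(t - 1, bits)


def expected_r(bits=BITS, t_max=200):
    """E[r] = sum_{t>=0} P(r > t); the tail beyond t_max is below bits * 2^-t_max."""
    return sum(1.0 - p_r_at_most(t, bits) for t in range(t_max))


def expected_rounds(bits=BITS):
    """Expected number of intercepted rounds the attack needs: E[r] + 2."""
    return expected_r(bits) + 2


def distribution(t_max=14, bits=BITS):
    """P(r = t) for t = 1..t_max, the table on the slide."""
    return {t: p_r_equals(t, bits) for t in range(1, t_max + 1)}


def p_rounds_enough(rounds, bits=BITS):
    """Probability that `rounds` consecutive rounds suffice, i.e. r <= rounds - 2."""
    return p_r_at_most(rounds - 2, bits)


if __name__ == "__main__":
    print("E[r] =", round(expected_r(), 2), " E[rounds] =", round(expected_rounds(), 2))
    for t, p in distribution().items():
        print(f"P(r={t:2d}) = {p:.2e}")
    print("P(15 rounds suffice) =", round(p_rounds_enough(15), 3))
```

The independence assumption is the one the slide makes (each bit of IDS(n+1) is fresh because n2(n) is random); the closed form reproduces the table to the printed precision, including the 0.25 peak at t = 7 and the 0.98 for 15 rounds.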
The attack is really effective:
We have given an algorithm to break LMAP with a passive attack
The probability that 15 consecutive rounds are enough is about 0.98
The expected value is less than 10
28/29
Partners & sponsors:
29/29