cryptanalysis of the kindle cipher
play

Cryptanalysis of the Kindle Cipher Conclusion Ciphertext only - PowerPoint PPT Presentation

Aug 14, 2023 •258 likes •556 views

1 / 22 Introduction SAC 2012 Cryptanalysis of the Kindle Cipher A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the Kindle Cipher Conclusion Ciphertext only key-recovery Known-plaintext key-recovery PC1 . . . . . . .

  1. 1 / 22 Introduction SAC 2012 Cryptanalysis of the “Kindle” Cipher A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher Conclusion Ciphertext only key-recovery Known-plaintext key-recovery PC1 . . . . . . . . . . . . . . . . . Alex Biryukov, Gaëtan Leurent, Arnab Roy University of Luxembourg SAC 2012

  2. 2 / 22 Cryptography: theory and practice SAC 2012 Cryptanalysis of the “Kindle” Cipher A. Biryukov, G. Leurent, A. Roy (uni.lu) Introduction In theory In practice Conclusion Known-plaintext key-recovery PC1 Ciphertext only key-recovery . . . . . . . . . . . . . . . . . ▶ Algorithms ▶ Random Oracle ▶ AES ▶ Ideal Cipher ▶ SHA2 ▶ Perfect source of ▶ RSA randomness ▶ Modes of operation ▶ CBC ▶ OAEP ▶ ... ▶ Random Number Generators . ▶ Hardware RNG ▶ PRNG

  3. 3 / 22 Introduction SAC 2012 PC1 Cryptanalysis of the “Kindle” Cipher Known-plaintext key-recovery A. Biryukov, G. Leurent, A. Roy (uni.lu) Ciphertext only key-recovery Conclusion Cryptography in the real world . . . . . . . . . . . . . . . . . Several examples of flaws in industrial cryptography: ▶ Bad random source ▶ SLL with 16bit entropy (Debian) ▶ ECDSA with fixed k (Sony) ▶ Bad key size ▶ RSA512 (TI) ▶ Export restrictions... ▶ Bad mode of operation ▶ CBCMAC with the RC4 streamcipher (Microsoft) ▶ TEA with DaviesMeyer (Microsoft) ▶ Bad (proprietary) algorithm ▶ A5/1 (GSM) ▶ CSS (DVD forum) ▶ Crypto1 (MIFARE/NXP) ▶ KeeLoq (Microchip)

  4. 4 / 22 Introduction SAC 2012 PC1 Cryptanalysis of the “Kindle” Cipher Known-plaintext key-recovery A. Biryukov, G. Leurent, A. Roy (uni.lu) Ciphertext only key-recovery Conclusion Amazon Kindle . . . . . . . . . . . . . . . . . ▶ Ebook reader by Amazon ▶ Most popular ebook reader ( ≈ 50 % share) ▶ 4 generations, 7 devices ▶ Software reader for 7 OS, plus cloud reader ▶ Several million devices sold ▶ Amazon sells more ebooks than paper books ▶ Uses crypto for DRM (Digital Rights Management)

  5. 5 / 22 Introduction SAC 2012 PC1 Cryptanalysis of the “Kindle” Cipher Known-plaintext key-recovery A. Biryukov, G. Leurent, A. Roy (uni.lu) Ciphertext only key-recovery Conclusion Digital Rights Management DRM scheme . . . . . . . . . . . . . . . . . ▶ Company sells media (music, video, ebook, game, ...) ▶ Wants to prevent sharing . . . . . . . ▶ Customer should read but not copy Charly ▶ Encipher media ▶ Give player to users Bob ▶ Hardware or software Alice ▶ Player contains the key

  6. 5 / 22 Introduction SAC 2012 PC1 Cryptanalysis of the “Kindle” Cipher Known-plaintext key-recovery A. Biryukov, G. Leurent, A. Roy (uni.lu) Ciphertext only key-recovery Conclusion Digital Rights Management DRM scheme . . . . . . . . . . . . . . . . . ▶ Company sells media (music, video, ebook, game, ...) ▶ Wants to prevent sharing . . . . . . . ▶ Customer should read but not copy Charly ▶ Encipher media ? ▶ Give player to users Bob ▶ Hardware or software Alice ▶ Player contains the key

  7. 6 / 22 Introduction SAC 2012 PC1 Cryptanalysis of the “Kindle” Cipher Known-plaintext key-recovery A. Biryukov, G. Leurent, A. Roy (uni.lu) Ciphertext only key-recovery Conclusion Breaking DRM . . . . . . . . . . . . . . . . . ▶ Copy the media while being played . . ▶ Extract the key from the player, decipher media . . Tamperproof hardware? Obfuscation? Whitebox crypto? ▶ No need to break the crypto! ▶ Pirates break once, copy...

  8. 7 / 22 Introduction SAC 2012 PC1 Cryptanalysis of the “Kindle” Cipher Known-plaintext key-recovery A. Biryukov, G. Leurent, A. Roy (uni.lu) Ciphertext only key-recovery Conclusion Digital Rights Management Illegal User Legal User . . . . . . . . . . . . . . . . . ▶ Can only use authorized player ▶ Collection lockedin ▶ DRM can restrict user rights . . . . . . . ▶ Lending, reselling, ... Charly ▶ No format shifting: ▶ play DVD on tablet ▶ read ebook w/ speech synth. Bob Alice ▶ Can still find illegal copies ▶ Can do anything with the media

  9. 8 / 22 Introduction SAC 2012 PC1 Cryptanalysis of the “Kindle” Cipher Known-plaintext key-recovery A. Biryukov, G. Leurent, A. Roy (uni.lu) Ciphertext only key-recovery Conclusion DRM on the Kindle Overview . . . . . . . . . . . . . . . . . ▶ Kindle ebooks use DRM ▶ Like any DRM system, it is bound to fail ▶ In practice, it is easy to extract the key (Google for details...) ▶ In this talk, we study the cipher used in this DRM system We don’t study the DRM system itself ▶ The DRM system uses a cipher called PC1 ▶ It’s a really weak cipher...

  10. 9 / 22 Introduction SAC 2012 Cryptanalysis of the “Kindle” Cipher A. Biryukov, G. Leurent, A. Roy (uni.lu) Ciphertext only key-recovery Known-plaintext key-recovery Introduction The PC1 Cipher Outline Conclusion PC1 Known-plaintext key-recovery Ciphertext only key-recovery . . . . . . . . . . . . . . . . . Cryptography in the real world Digital Rights Management Description Weaknesses Collision detection Key recovery Bias with independent keys Recovering the plaintext

  11. 10 / 22 Introduction SAC 2012 PC1 Cryptanalysis of the “Kindle” Cipher Known-plaintext key-recovery A. Biryukov, G. Leurent, A. Roy (uni.lu) Ciphertext only key-recovery Conclusion The PC1 Cipher . . . . . . . . . . . . . . . . . ▶ Designed by Pukall in 1991 ▶ Posted on Usenet p s π ▶ Kindle DRM based on PC1 8 8 16 ▶ Selfsynchronizing stream cipher No IV! w . . . . . . . . . . . . . . . . . . . . . . . k ▶ 16bit arithmetic: add, mult, xor 𝖫𝖦 𝖳𝖦 128 8 × 16 Main loop ( 𝖫𝖦 and 𝖳𝖦 ) σ k σ s for 0 ≤ i < 8 do 16 16 16 w ← w ⊕ k i ⊕ (π × 257 ) x ← 346 × w 𝗀𝗉𝗆𝖾 w ← 20021 × w + 1 8 σ s ← s + x p c σ ← σ ⊕ w ⊕ s s ← 20021 × ( s + ( i + 1 mod 8 ) ) + x

  12. 11 / 22 Introduction SAC 2012 PC1 Cryptanalysis of the “Kindle” Cipher Known-plaintext key-recovery A. Biryukov, G. Leurent, A. Roy (uni.lu) Ciphertext only key-recovery Conclusion Weakness 1: T-functions Weakness . . . . . . . . . . . . . . . . . This is a Tfunction p s π ▶ Low bits of the output 8 depend only on the 8 16 low bits of the input ▶ Add, mult, xor w . . . . . . . . . . . . . . . . . . . . . . . k 𝖫𝖦 𝖳𝖦 8 × 16 8 × 16 ▶ Guess 8 × 9 bits of the key σ k σ s ▶ Get 9 bits before the fold 16 16 16 ▶ Get 1 bit after the fold 𝗀𝗉𝗆𝖾 ▶ Verify with known plaintext 8 σ p c ▶ Complexity: 2 72 some bytes of known plaintext

  13. 12 / 22 Introduction SAC 2012 PC1 Cryptanalysis of the “Kindle” Cipher Known-plaintext key-recovery A. Biryukov, G. Leurent, A. Roy (uni.lu) Ciphertext only key-recovery Conclusion Weakness 2: small state Weakness . . . . . . . . . . . . . . . . . The state is very small p s π 8 s 16bit 8 16 π 8bit, keyindependent w . . . . . . . . . . . . . . . . . . . . . . . k 𝖫𝖦 𝖳𝖦 8 × 16 8 × 16 ▶ Build a set of plaintexts x i ‖ y , x i ’s with fixed xorsum σ k σ s ▶ With high probability the 16 16 state collides after x i and x j 16 ▶ Same encryption of y 𝗀𝗉𝗆𝖾 8 σ p ▶ Complexity: 2 8 CP c (distinguisher)

  14. 13 / 22 Introduction SAC 2012 Cryptanalysis of the “Kindle” Cipher A. Biryukov, G. Leurent, A. Roy (uni.lu) Ciphertext only key-recovery Known-plaintext key-recovery Introduction The PC1 Cipher Outline Conclusion PC1 Known-plaintext key-recovery Ciphertext only key-recovery . . . . . . . . . . . . . . . . . Cryptography in the real world Digital Rights Management Description Weaknesses Collision detection Key recovery Bias with independent keys Recovering the plaintext

  15. 14 / 22 How much wood could a woodchuck chuck SAC 2012 Cryptanalysis of the “Kindle” Cipher A. Biryukov, G. Leurent, A. Roy (uni.lu) ghxadiaphjjxicwpidkasqghugbqsjbf if a woodchuck could chuck wood? Introduction gfecuhaupmaqcdlvtognfgdhisqghugbrfqvc Collision detection Conclusion Ciphertext only key-recovery Known-plaintext key-recovery PC1 . . . . . . . . . . . . . . . . . Can we use state collisions in a knownplaintext attack? ▶ In a natural language text, some words will be repeated. ▶ With some probability ( p ≈ 2 − 24 ), two instances of a repeated word begin with the same state. ▶ This gives a repetition in the ciphertext. ▶ When we detect a repetition in the plaintext and ciphertext, we can assume that the state is colliding.

  16. 14 / 22 How much wood could a woodchuck chuck SAC 2012 Cryptanalysis of the “Kindle” Cipher A. Biryukov, G. Leurent, A. Roy (uni.lu) ghxadiaphjjxicwpidkasqghugbqsjbf if a woodchuck could chuck wood? Introduction gfecuhaupmaqcdlvtognfgdhisqghugbrfqvc Collision detection Conclusion Ciphertext only key-recovery Known-plaintext key-recovery PC1 . . . . . . . . . . . . . . . . . Can we use state collisions in a knownplaintext attack? ▶ In a natural language text, some words will be repeated. ▶ With some probability ( p ≈ 2 − 24 ), two instances of a repeated word begin with the same state. ▶ This gives a repetition in the ciphertext. ▶ When we detect a repetition in the plaintext and ciphertext, we can assume that the state is colliding.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May, 2017 0/35 Cryptanalysis of Affine Cipher Outline Cryptanalysis of Affine Cipher 1 Hypothesis Testing 2 Linear Cryptanalysis 3 0/35

1.52k views • 110 slides
/ 33 1 Cryptanalysis of Reduced round SKINNY Block Cipher Outline A brief description of

/ 33 1 Cryptanalysis of Reduced round SKINNY Block Cipher Outline A brief description of

/ 33 1 Cryptanalysis of Reduced round SKINNY Block Cipher Outline A brief description of SKINNY Zero-Correlation Linear Cryptanalysis of SKINNY MILP model for SKINNY64 cipher Using MILP in Impossible differential

420 views • 31 slides
Differential Cryptanalysis of Round-Reduced PRINT CIPHER : Computing Roots of Permutations

Differential Cryptanalysis of Round-Reduced PRINT CIPHER : Computing Roots of Permutations

Description of PRINT CIPHER Differential Cryptanalysis Computing roots of permutations Summary Differential Cryptanalysis of Round-Reduced PRINT CIPHER : Computing Roots of Permutations Mohamed Abdelraheem, Gregor Leander and Erik Zenner DTU

639 views • 21 slides
Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata

Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata

Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Iterated Block Cipher Outline Iterated Block Cipher 1 S-Boxes 2 A Basic Substitution Permutation Network 3 Linear

1.58k views • 113 slides
Cryptanalysis of PRINT CIPHER : The Invariant Subspace Attack Gregor Leander, Mohamed

Cryptanalysis of PRINT CIPHER : The Invariant Subspace Attack Gregor Leander, Mohamed

Description of PRINT CIPHER The Attack Relation To Truncated Differential Attack Conclusion Cryptanalysis of PRINT CIPHER : The Invariant Subspace Attack Gregor Leander, Mohamed Abdelraheem, Huda AlKhzaimi, and Erik Zenner DTU Mathematics

598 views • 37 slides
Block Cipher Cryptanalysis: Basic and Advanced Techniques I

Block Cipher Cryptanalysis: Basic and Advanced Techniques I

Block Cipher Cryptanalysis: Basic and Advanced Techniques I &amp; II Andrey Bogdanov KU Leuven, ESAT/COSIC Outline I. Block Ciphers II.

1.03k views • 79 slides
Intro to Cryptography Definitions Cryptography Cryptanalysis Cryptology CRYPTOGRAPHY

Intro to Cryptography Definitions Cryptography Cryptanalysis Cryptology CRYPTOGRAPHY

Intro to Cryptography Definitions Cryptography Cryptanalysis Cryptology CRYPTOGRAPHY Plaintext Cyphertext More definitions block cipher stream cipher hash function shared key public key digital signature

383 views • 16 slides
An Improved Cryptanalysis of Lightweight Stream Cipher Grain-v1 Miodrag J. Mihaljevi 1 , Nishant

An Improved Cryptanalysis of Lightweight Stream Cipher Grain-v1 Miodrag J. Mihaljevi 1 , Nishant

An Improved Cryptanalysis of Lightweight Stream Cipher Grain-v1 Miodrag J. Mihaljevi 1 , Nishant Sinha 2 , Sugata Gangopadhyay 2 , Subhamoy Maitra 3 , Goutam Paul 3 and Kanta Matsuura 4 1 Mathematical Institute, Serbian Academy of Sciences and

809 views • 49 slides
A Methodology for Differential-Linear Cryptanalysis and Its Applications Jiqiang Lu Presenter:

A Methodology for Differential-Linear Cryptanalysis and Its Applications Jiqiang Lu Presenter:

1. Preliminaries 2. Differential-Linear Cryptanalysis: Previous and Our Methodologies 3. Application to 13 Rounds of the DES Block Cipher 4. Application to 10 Rounds of the CTC2 Block Cipher 5. Application to 12 Rounds of the Serpent Block

1.18k views • 25 slides
DARXplorer a Toolbox for Cryptanalysis and Cipher Designers Dennis Hoppe Bauhaus-University

DARXplorer a Toolbox for Cryptanalysis and Cipher Designers Dennis Hoppe Bauhaus-University

DARXplorer a Toolbox for Cryptanalysis and Cipher Designers Dennis Hoppe Bauhaus-University Weimar 22nd April 2009 Dennis Hoppe (BUW) DARXplorer 22nd April 2009 1 / 31 Agenda 1 Introduction to Hash Functions 2 The ThreeFish Block Cipher 3

757 views • 42 slides
Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Cipher Cipher Cipher Cipher

464 views • 20 slides
Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Cryptanalysis of Classical Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Models for Cryptanalysis Cryptanalysis of

657 views • 20 slides
Library2Go for Kindle - Instructions Kindle Fire, Smartphone and Tablet users: You must have

Library2Go for Kindle - Instructions Kindle Fire, Smartphone and Tablet users: You must have

Library2Go for Kindle - Instructions Kindle Fire, Smartphone and Tablet users: You must have access to the Library2Go full site (not the mobile site) to access Kindle eBooks directly from your device. Click the link on the E-book help page

384 views • 24 slides
Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block

Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block

Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block cipher modes David McGrew mcgrew@cisco.com Fast

554 views • 43 slides
Separable Statistics in Linear Cryptanalysis Igor Semaev, Univ. of Bergen, Norway joint work

Separable Statistics in Linear Cryptanalysis Igor Semaev, Univ. of Bergen, Norway joint work

Separable Statistics in Linear Cryptanalysis Igor Semaev, Univ. of Bergen, Norway joint work with Stian Fauskanger 5 September 2017, MMC workshop Round Block Cipher Cryptanalysis PL-TEXT K1 K1 X K2..K15 Y K16 CH-TEXT Logarithmic

826 views • 41 slides
Statewide High Speed Network networkMaryland Advisory Group Meeting January 17, 2006 Annapolis,

Statewide High Speed Network networkMaryland Advisory Group Meeting January 17, 2006 Annapolis,

Statewide High Speed Network networkMaryland Advisory Group Meeting January 17, 2006 Annapolis, Maryland MEETING AGENDA Welcome &amp; Introductions State of the Network Status of Project Other Business 2 Welcome

352 views • 23 slides
Investor Presentation November 2017 NYSE AMERICAN: CTEK Safe Harbor Statements This

Investor Presentation November 2017 NYSE AMERICAN: CTEK Safe Harbor Statements This

Investor Presentation November 2017 NYSE AMERICAN: CTEK Safe Harbor Statements This presentation contains, and our officers and representatives may from time to time make, forward-looking statements within the meaning of the safe harbor

486 views • 24 slides
201 7 /201 8 2016/2017 2 UC Investments Way 1. Less is More 2. Risk Rules 3. Concentrate 4.

201 7 /201 8 2016/2017 2 UC Investments Way 1. Less is More 2. Risk Rules 3. Concentrate 4.

Office Of The Chief Investment Officer Of The Regents Investing for the Long Term 201 7 /201 8 2016/2017 2 UC Investments Way 1. Less is More 2. Risk Rules 3. Concentrate 4. Creativity 5. Build Pays Knowledge 6. Team Up 7. What makes

395 views • 23 slides
Michael Hites Executive CIO University of Illinois 1 3/12/2012 Why are w e here today?

Michael Hites Executive CIO University of Illinois 1 3/12/2012 Why are w e here today?

3/12/2012 2012 IT Governance Planning Summit University of Illinois March 13, 2012 WELCOME to the 2012 IT Governance Planning Summit Opening Remarks Michael Hites Executive CIO University of Illinois 1 3/12/2012 Why are w e here today?

469 views • 24 slides
Emerging use cases and greater cloud adoption are driving encryption strategies in Southeast

Emerging use cases and greater cloud adoption are driving encryption strategies in Southeast

Emerging use cases and greater cloud adoption are driving encryption strategies in Southeast Asia 2019 Southeast Asia Encryption Trends Study July 2019 www.ncipher.com About this research Over 5,800 IT and IT security practitioners in

217 views • 17 slides
Understanding Cryptography: From Caesar to RSA Nicola Chiapolini UZH Inverted CERN School of

Understanding Cryptography: From Caesar to RSA Nicola Chiapolini UZH Inverted CERN School of

Understanding Cryptography: From Caesar to RSA Nicola Chiapolini UZH Inverted CERN School of Computing, 3-4 March 2011 Understanding Cryptography Outline 1 Basic Substitution &amp; Attacks 2 More Complex Methods 3 Something Completely

1.38k views • 111 slides
Encryption Ethical Quandaries that Exist in Privacy Rudolf Musika CS 3111 Overview

Encryption Ethical Quandaries that Exist in Privacy Rudolf Musika CS 3111 Overview

April 12, 2018 Encryption Ethical Quandaries that Exist in Privacy Rudolf Musika CS 3111 Overview Presentation description Brief description of encryption. Bring to attention some of the troubles that plague encryption and

857 views • 23 slides
Joint Word Alignment and Decipherment Improves Machine Translation Qing Dou, Ashish Vaswani, and

Joint Word Alignment and Decipherment Improves Machine Translation Qing Dou, Ashish Vaswani, and

Joint Word Alignment and Decipherment Improves Machine Translation Qing Dou, Ashish Vaswani, and Kevin Knight 10/26/2014 1 Informa(on Sciences Ins(tute Outline What is Decipherment Mo4va4on

493 views • 47 slides

More recommend