
Cryptanalysis of the “Kindle” Cipher

Alex Biryukov, Gaëtan Leurent, Arnab Roy

University of Luxembourg

SAC 2012

  • A. Biryukov, G. Leurent, A. Roy (uni.lu)

Cryptanalysis of the “Kindle” Cipher SAC 2012 1 / 22


Cryptography: theory and practice

In theory

▶ Random Oracle
▶ Ideal Cipher
▶ Perfect source of randomness

In practice

▶ Algorithms
    ▶ AES
    ▶ SHA-2
    ▶ RSA
▶ Modes of operation
    ▶ CBC
    ▶ OAEP
    ▶ ...
▶ Random Number Generators
    ▶ Hardware RNG
    ▶ PRNG


Cryptography in the real world

Several examples of flaws in industrial cryptography:

▶ Bad random source
    ▶ SSL with 16-bit entropy (Debian)
    ▶ ECDSA with fixed k (Sony)
▶ Bad key size
    ▶ RSA-512 (TI)
    ▶ Export restrictions...
▶ Bad mode of operation
    ▶ CBC-MAC with the RC4 stream cipher (Microsoft)
    ▶ TEA with Davies-Meyer (Microsoft)
▶ Bad (proprietary) algorithm
    ▶ A5/1 (GSM)
    ▶ CSS (DVD forum)
    ▶ Crypto-1 (MIFARE/NXP)
    ▶ KeeLoq (Microchip)


Amazon Kindle

▶ Ebook reader by Amazon ▶ Most popular ebook reader

(≈ 50% share)

▶ 4 generations, 7 devices ▶ Software reader for 7 OS,

plus cloud reader

▶ Several million devices sold ▶ Amazon sells more ebooks

than paper books

▶ Uses crypto for DRM

(Digital Rights Management)


Digital Rights Management

[Diagram: Charly, Bob, Alice]

▶ Company sells media (music, video, ebook, game, ...)
▶ Wants to prevent sharing
▶ Customer should read but not copy

DRM scheme

▶ Encipher media
▶ Give player to users
    ▶ Hardware or software
▶ Player contains the key


Breaking DRM

▶ Copy the media while being played
▶ Extract the key from the player, decipher media

Tamper-proof hardware? Obfuscation? White-box crypto?

▶ No need to break the crypto!
▶ Pirates break once, copy...


Digital Rights Management

[Diagram: Charly, Bob, Alice]

Legal User

▶ Can only use authorized player
▶ Collection locked-in
▶ DRM can restrict user rights
    ▶ Lending, reselling, ...
▶ No format shifting:
    ▶ play DVD on tablet
    ▶ read ebook w/ speech synth.

Illegal User

▶ Can still find illegal copies
▶ Can do anything with the media


DRM on the Kindle

▶ Kindle ebooks use DRM ▶ Like any DRM system, it is bound to fail ▶ In practice, it is easy to extract the key (Google for details...)

Overview

▶ In this talk, we study the cipher used in this DRM system

We don’t study the DRM system itself

▶ The DRM system uses a cipher called PC1 ▶ It’s a really weak cipher...


Outline

▶ Introduction
    ▶ Cryptography in the real world
    ▶ Digital Rights Management
▶ The PC1 Cipher
    ▶ Description
    ▶ Weaknesses
▶ Known-plaintext key-recovery
    ▶ Collision detection
    ▶ Key recovery
▶ Ciphertext only key-recovery
    ▶ Bias with independent keys
    ▶ Recovering the plaintext


The PC1 Cipher

[Diagram: PC1 data flow with blocks KF, SF and fold; signals k (128 bits), s, π, w, σk, σs, σ, p, c]

▶ Designed by Pukall in 1991
▶ Posted on Usenet
▶ Kindle DRM based on PC1
▶ Self-synchronizing stream cipher
    No IV!
▶ 16-bit arithmetic: add, mult, xor

Main loop (KF and SF)

    for 0 ≤ i < 8 do
        w ← w ⊕ k_i ⊕ (π × 257)
        x ← 346 × w
        w ← 20021 × w + 1
        s ← s + x
        σ ← σ ⊕ w ⊕ s
        s ← 20021 × (s + (i+1 mod 8)) + x


Weakness 1: T-functions

[Diagram: PC1 data flow]

Weakness

This is a T-function

▶ Low bits of the output depend only on the low bits of the input
▶ Add, mult, xor

▶ Guess 8 × 9 bits of the key
▶ Get 9 bits before the fold
▶ Get 1 bit after the fold
▶ Verify with known plaintext
▶ Complexity: $2^{72}$, some bytes of known plaintext


Weakness 2: small state

[Diagram: PC1 data flow]

Weakness

The state is very small

    s: 16-bit
    π: 8-bit, key-independent

▶ Build a set of plaintexts $x_i \| y$, $x_i$’s with fixed xor-sum
▶ With high probability the state collides after $x_i$ and $x_j$
▶ Same encryption of y
▶ Complexity: $2^8$ CP (distinguisher)
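
Both weaknesses (T-function, small state) can be checked directly in code. The following is an added example, not code from the talk or from PC1's author: round_fn follows the main loop on the PC1 slide, while the starting values w = σ = 0, the fold (high byte XOR low byte), the wiring c = p ⊕ fold(σ) with π the XOR of earlier plaintext bytes, and the key are assumptions.

```python
import random
M16 = 0xFFFF  # all arithmetic is modulo 2**16

def round_fn(key, s, pi):
    """Main loop from the PC1 slide. Returns (sigma, updated s)."""
    w = sigma = 0  # assumption: w and sigma start at 0 for every byte
    for i in range(8):
        w ^= key[i] ^ (pi * 257)
        x = (346 * w) & M16
        w = (20021 * w + 1) & M16
        s = (s + x) & M16
        sigma ^= w ^ s
        s = (20021 * (s + (i + 1) % 8) + x) & M16
    return sigma, s

def fold(sigma):
    return (sigma >> 8) ^ (sigma & 0xFF)  # assumption: high byte XOR low byte

def encrypt(key, data, s=0, pi=0):
    """Assumed wiring: c = p XOR fold(sigma); pi is the XOR of earlier plaintext."""
    out = bytearray()
    for p in data:
        sigma, s = round_fn(key, s, pi)
        out.append(p ^ fold(sigma))
        pi ^= p
    return bytes(out), (s, pi)

def low_bits_only(trials=200, seed=1):
    """Weakness 1: bits 9..15 of key and s never reach the low 9 bits of sigma."""
    rng = random.Random(seed)
    for _ in range(trials):
        key = [rng.getrandbits(16) for _ in range(8)]
        s, pi = rng.getrandbits(16), rng.getrandbits(8)
        key2 = [(k & 0x1FF) | (rng.getrandbits(7) << 9) for k in key]
        s2 = (s & 0x1FF) | (rng.getrandbits(7) << 9)
        a, b = round_fn(key, s, pi)[0], round_fn(key2, s2, pi)[0]
        if (a ^ b) & 0x1FF or (fold(a) ^ fold(b)) & 1:
            return False
    return True

def colliding_prefixes(key, y=b"constructed suffix y"):
    """Weakness 2: prefixes with XOR-sum 0 reaching the same (s, pi); y encrypts alike."""
    seen = {}
    for n in range(2**16 + 1):  # 65537 prefixes, only 2**16 values of s
        x = bytes([n & 255, (n >> 8) & 255, n >> 16])
        x += bytes([x[0] ^ x[1] ^ x[2]])  # forces XOR-sum 0, so pi ends at 0
        state = encrypt(key, x)[1]
        if state in seen:
            ci, cj = encrypt(key, seen[state] + y)[0], encrypt(key, x + y)[0]
            return seen[state], x, ci[4:] == cj[4:]
        seen[state] = x

_rng = random.Random(2012)
KEY = [_rng.getrandbits(16) for _ in range(8)]  # constructed key, not a real one
```
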


Collision detection

Can we use state collisions in a known-plaintext attack?

    How much wood could a woodchuck chuck
    gfecuhaupmaqcdlvtognfgdhisqghugbrfqvc
    if a woodchuck could chuck wood?
    ghxadiaphjjxicwpidkasqghugbqsjbf

▶ In a natural language text, some words will be repeated.
▶ With some probability ($p \approx 2^{-24}$), two instances of a repeated word begin with the same state.
▶ This gives a repetition in the ciphertext.
▶ When we detect a repetition in the plaintext and ciphertext, we can assume that the state is colliding.


Collision Based Key-recovery

[Diagram: PC1 data flow]

▶ Use state collisions to test key guess
▶ Skip output part

Weakness

This is a T-function

▶ Guess 8 × 1 bits of the key
▶ Compute 1 bit of s, check collisions in s
▶ Repeat with 2nd bit, ...


Improving the Complexity

[Diagram: simplified data flow with KF′ and SF′; signals s, π, w, k (128 bits), p]

▶ Simplified state update: $s_{t+1} = w_t + b \times s_t + c$
    ▶ $w \triangleq \sum_{i=0}^{7} (a_i \times w_i)$
    ▶ key-dep. S-box KF′: $\pi \to w_\pi$
▶ Iterate the state update: $s_t = R_t(w_0, \ldots, w_{255})$, linear. Explicit with known $\pi_t$
▶ State collisions give linear relations of $w_x$: $R_t = R_u$
▶ Look for sparse relations
▶ For each (partial) key guess, compute $w_x$, check relations
    ▶ Faster than computing s


Experiments

E-book of 336kB (with LZ77 compression)

[Plot: experiments and median; axes: number of collisions, key trials]

Practical key-recovery attack

Complexity ≈ $2^{31}$ with ≈ $2^{20}$ bytes of (low entropy) known plaintext

Key trial costs less than 256 instead of full encryption


Ciphertext Only Attack

Main idea

If the state (s, π) collides, then the output stream σ is the same.
Note that s depends on the key, but $\pi = \bigoplus p_i$

Consider two positions t, u and a random key:

$$\Pr_K[\sigma_t = \sigma_u] \approx \begin{cases} 2^{-8} & \text{if } \pi_t \neq \pi_u \\ 2^{-8} + \Pr[s_t = s_{t'}] & \text{if } \pi_t = \pi_u \end{cases}$$

$$c_t \oplus c_u = \sigma_t \oplus p_t \oplus \sigma_u \oplus p_u$$

▶ Consider several copies of a given text, encrypted with different, unrelated keys (collusion).
▶ Look at the distribution of $c_t \oplus c_u$:
    ▶ If flat, $\pi_t \neq \pi_u$
    ▶ If one peak, then $\pi_t = \pi_u$, and get $p_t \oplus p_u$


Consider two positions t, u and a random key:

$$\Pr_K[c_t \oplus c_u = X] \approx \begin{cases} 2^{-8} & \text{if } \pi_t \neq \pi_u \\ 2^{-8} + \Pr[s_t = s_{t'}] & \text{if } \pi_t = \pi_u,\ X = p_t \oplus p_u \end{cases}$$


Tricks to Improve the Bias

1. There are similar biases with the low bits of σ:

   [Plot: probability (exp.) against bitrev(σu ⊕ σu)]

   Use bias in low bit of $c_t \oplus c_u$: if $\pi_t = \pi_u$ and $X \equiv p_t \oplus p_u \bmod 2$, then

   $$\Pr_K[c_t \oplus c_u \equiv X \bmod 2] \approx 2^{-1} + \Pr[s_t \equiv s_{t'} \bmod 2^9]$$

2. Use positions with $t \equiv u \bmod 8$
    ▶ This gives a bias of $2^{-6}$ to $2^{-4}$ (cancellations in the state update)


Clustering algorithm

Finding relations

▶ Look at the distribution of $c_t \oplus c_u \bmod 2$:
    ▶ If flat, then $\pi_t \neq \pi_u$
    ▶ If one peak, then $\pi_t = \pi_u$
▶ Use a clustering algorithm to recover $\pi_t$:
    ▶ Initially, all positions are assigned a different color.
    ▶ When $\pi_t = \pi_u$ is detected, merge colors.
▶ Easier to detect bias with larger clusters
    ▶ Combine the biases $c_{t_i} \oplus c_{t_j}$
▶ At the end, 256 colors correspond to the 256 values of $\pi_t$
    ▶ Recover the value of $\pi_t$ using some known plaintext.
    ▶ Recover p.
▶ Practical with $2^{10}$ keys, and $2^{17}$ data


Conclusion

Don’t use an untested cipher!

Attacks on PC1                                          Complexity   Data                Ref.
Dist.       Chosen plaintext                            $2^{16}$     $2^{16}$            Usenet
Key rec.    Known plaintext                             $2^{72}$     $2^{4}$             Usenet
Key rec.    Known plaintext                             $2^{31}$     $2^{20}$            New
Key rec.    Ciphertext only, $2^{10}$ unrelated keys    $2^{35}$     $2^{17}$ per key    New

Attacks on PSCHF                                        Complexity   Ref.
2nd pre.    with meaningful messages                    $2^{24}$     New

Impact for the Kindle?

Pirates can just extract the key...
They don’t need to break the cipher to break the DRM scheme.
