C1 - Unrestricted Version 1.0 Vodafone Group R&D 1 LTE algorithms, for SKEW 2011 17 Feb 2011
New mobile phone algorithms: a real world story
Steve Babbage
Vodafone Group R&D
17 February 2011
Standards groups
First generation
GSM security architecture
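[Diagram: SIM, visited network and home network. The home network runs the authentication and cipher key generation algorithm A3/A8 (AKA) on Ki and RAND to produce XRES and KC, and sends RAND, XRES, KC to the visited network. The visited network sends RAND to the SIM, which runs AKA on Ki and RAND and returns RES. The visited network checks RES = XRES? SIM and visited network then ENCRYPT USING KC with encryption algorithm A5.]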
GSM security limitations
> Key length
> One-way authentication
> Unprotected signalling
> A5/1, A5/2
UMTS security architecture (slightly simplified)
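[Diagram: SIM, visited network and home network. The home network runs the authentication and key agreement algorithm f1–f5 (AKA) on K, RAND and SQN to produce MAC, XRES, CK and IK, and sends RAND, XRES, CK, IK, SQN, MAC to the visited network. The visited network sends RAND, SQN, MAC to the SIM, which runs AKA on K, checks SQN, checks MAC and returns RES. The visited network checks RES = XRES? SIM and visited network then ENCRYPT USING CK (encryption algorithm UEA) and INTEGRITY PROTECT USING IK (integrity algorithm UIA).]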
First UMTS algorithms, UEA1 / UIA1
[Diagram: UEA1 keystream generation, with KASUMI keyed by CK applied to a value A and then once per block counter, BLKCTR = 0, 1, 2, …, n. UIA1 MAC computation, with KASUMI keyed by IK chained over the first, second, third, … last 64 bits of the message; the MAC is the left 32 bits of the result.]
A5/3 ≈ UEA1 (but 64-bit key)
So now we can replace A5/1 with A5/3 …
Image from http://www.elkomas.lt/
Second UMTS algorithms, UEA2 / UIA2
> SNOW 3G
– Why not AES?
– Why not SNOW 2.0?
LTE security architecture (part 1)
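[Diagram: SIM, visited network and home network. The home network runs the authentication and key agreement algorithm f1–f5 (AKA) on K, RAND and SQN to produce MAC, XRES, CK and IK; the arrow to the visited network is labelled RAND, XRES, CK, IK, SQN, MAC, KASME. The visited network sends RAND, SQN, MAC to the SIM, which runs AKA on K, checks SQN, checks MAC and returns RES. The visited network checks RES = XRES? On both the SIM side and the home network side, CK and IK are combined with PLMNID to give KASME.]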
GSM security limitations
> Key length
> One-way authentication
> Unprotected signalling
> A5/1, A5/2
> Same key regardless of algorithm choice
LTE security architecture (part 2)
[Diagram: SIM, home network and visited network. On both the SIM side and the network side, KASME is combined with ALGID to derive five keys: Kα, Kβ, Kγ, Kδ and Kε.]
MOBILITY SIGNALLING: ENCRYPT USING Kα, INTEGRITY PROTECT USING Kβ
RADIO RESOURCE SIGNALLING: ENCRYPT USING Kγ, INTEGRITY PROTECT USING Kδ
USER PLANE: ENCRYPT USING Kε
Encryption algorithm EEA, integrity algorithm EIA
Original LTE algorithms (from day one)
> Based on SNOW-3G
– 128-EEA1: straightforward stream cipher use
– 128-EIA1: polynomial evaluation UHF
– Identical to UMTS algorithms
> Could have been based on Kasumi or AES; chose AES
– 128-EEA2: AES in counter mode
– 128-EIA2: AES in CMAC mode
The designers
DACAS: Data Assurance and communication security research center, Chinese Academy of Sciences
Dongdai Lin
Xiutao Feng
Plan A
[Timeline chart, May 2009 to July 2011, with bars labelled: SAGE evaluation; Paid expert team evaluation; Algorithm acceptance (hopefully); Public evaluation. Annotation: Under NDA.]
Plan B
[Timeline chart, May 2009 to July 2011, with bars labelled: SAGE evaluation; Paid expert team evaluation; Algorithm acceptance (hopefully); Public evaluation; Agree and sign NDA.]
Take your time
Advanced Encryption Standard process
From Wikipedia, the free encyclopedia
Start of the process
On January 2, 1997, NIST announced that they wished to choose a successor to DES to be known as AES …. The result of this feedback was a call for new algorithms on September 12, 1997
Rounds one and two
In the nine months that followed, fifteen different designs were created and submitted …. NIST held two conferences to discuss the submissions (AES1, August 1998 and AES2, March 1999), and in August 1999 they announced that they were narrowing the field from fifteen to five …. … AES3 conference in April 2000 ….
Selection of the winner
On October 2, 2000, NIST announced that Rijndael had been selected as the proposed AES ….
Encryption
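[Diagram: sender and receiver each feed COUNT, BEARER, DIRECTION, LENGTH and KEY into EEA to produce a KEYSTREAM BLOCK. The sender combines it with the PLAINTEXT BLOCK to give the CIPHERTEXT BLOCK; the receiver combines its keystream block with the ciphertext block to recover the PLAINTEXT BLOCK.]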
Integrity
[Diagram: the sender feeds KEY, COUNT, BEARER, DIRECTION, LENGTH and MESSAGE into EIA to produce MAC-I; the receiver feeds the same inputs into EIA to produce XMAC-I.]
ZUC – named after Zu Chongzhi
ZUC
One of these words mixed into LFSR during nonlinear initialisation
Encryption algorithm 128-EEA3
Integrity algorithm 128-EIA3
Universal Hash Function
Initial SAGE evaluation
> Fit for purpose
> Smells OK
– Must be not just strong, but free of suspicion
Plan B
[Timeline chart, May 2009 to July 2011, with bars labelled: SAGE evaluation; Paid expert team evaluation; Algorithm acceptance (hopefully); Public evaluation; Agree and sign NDA.]
Plan C
[Timeline chart, May 2009 to July 2011, with bars labelled: Paid expert team evaluation; Algorithm acceptance (hopefully); Public evaluation; Agree and sign NDA; Expert team contract; SAGE evaluation.]
External expert team evaluation
> Codes and Ciphers Limited
– Carlos Cid, Sean Murphy, Fred Piper, Matthew Dodd
> Alice and Bob Technologies
– Lars Knudsen, Bart Preneel, Vincent Rijmen
> Several corrections / improvements to existing evaluation
> All standard attack types considered
– all seem unlikely to succeed
> Strength inherited from SNOW-like construction
> Some components not fully explained
> Like most UHF MACs
– not robust against nonce reuse
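Why a UHF MAC depends on a fresh COUNT, shown as an added example that is not from the slides or from the ZUC specification. It uses a simplified EIA3-style hash (one 32-bit keystream window XORed in per set message bit, then a length word and a mask); the SHA-256 keystream generator, the key and the messages are constructed stand-ins.

```python
import hashlib

def bits(data: bytes) -> list[int]:
    """Most-significant-bit-first bit list of a byte string."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def keystream_bits(key: bytes, count: int, nbits: int) -> list[int]:
    """Stand-in keystream (SHA-256 in counter mode). Assumption: this is NOT ZUC."""
    out, block = [], 0
    while len(out) < nbits:
        seed = key + count.to_bytes(4, "big") + block.to_bytes(4, "big")
        out.extend(bits(hashlib.sha256(seed).digest()))
        block += 1
    return out[:nbits]

def word_at(z: list[int], i: int) -> int:
    """32-bit word made of keystream bits z[i] .. z[i+31]."""
    return int("".join(map(str, z[i:i + 32])), 2)

def uhf_mac(key: bytes, count: int, msg: bytes) -> int:
    """XOR one keystream window per set message bit, then a length word and a mask."""
    m = bits(msg)
    z = keystream_bits(key, count, len(m) + 64)
    tag = 0
    for i, bit in enumerate(m):
        if bit:
            tag ^= word_at(z, i)
    return tag ^ word_at(z, len(m)) ^ word_at(z, len(m) + 32)

def xor3(a: bytes, b: bytes, c: bytes) -> bytes:
    return bytes(x ^ y ^ w for x, y, w in zip(a, b, c))

def tags_are_related(key: bytes, counts: list[int], msgs: list[bytes]) -> bool:
    """Is tag(m1) ^ tag(m2) ^ tag(m3) the tag of m1 ^ m2 ^ m3 under counts[3]?"""
    t1, t2, t3 = (uhf_mac(key, c, m) for c, m in zip(counts, msgs))
    return t1 ^ t2 ^ t3 == uhf_mac(key, counts[3], xor3(*msgs))

# Constructed sample data: a made-up key and three equal-length messages.
KEY = bytes(range(16))
MSGS = [b"bearer setup  01", b"bearer setup  02", b"bearer release 1"]

if __name__ == "__main__":
    print("COUNT reused:", tags_are_related(KEY, [7, 7, 7, 7], MSGS))
    print("COUNT fresh :", tags_are_related(KEY, [7, 8, 9, 10], MSGS))
```

With a repeated COUNT the hash is linear over a fixed keystream, so tags of different messages are algebraically tied together; with a fresh COUNT per message each tag is masked by independent keystream and the relation disappears.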
Conclusion of the SAGE and paid evaluation
> Transparency is vital
– nothing suspicious
Plan C
[Timeline chart, May 2009 to July 2011, with bars labelled: Paid expert team evaluation; Algorithm acceptance (hopefully); Public evaluation; Agree and sign NDA; Expert team contract; SAGE evaluation.]
Plan D
[Timeline chart, May 2009 to July 2011, with bars labelled: Paid expert team evaluation; Go public; Public evaluation; Agree and sign NDA; Expert team contract; Algorithm acceptance (hopefully); SAGE evaluation.]
Crypto rump session
IACR newsletter
The ZUC Forum
The first post
Questions
> Why not AES?
> Why not eStream?
> “Chinese algorithm” means China can break it?
> Is there something wrong with the other LTE algorithms?
> What happens now to the other LTE algorithms?
> Why does China get this special privilege?
> If every other country insists on a home-grown algorithm, will every LTE phone have to support 200 algorithms?
> Authenticated encryption?
ZUC-10 Workshop
Loss of entropy in initialisation (1)
Z mixed into LFSR during nonlinear initialisation
Matthew Dodd (private communication)
Bing Sun et al (ZUC workshop)
Loss of entropy in initialisation (2)
Hongjun Wu et al (AsiaCrypt rump session, IACR ePrint archive)
$s_{16} = f \oplus z$
If $s_{16} = 0$, set $s_{16} = 2^{31}-1$
Whatever $f$ is … $z = 2^{31}-1-f$ gives the same result as $z = f$
Two IVs → colliding state
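The collision stated on this slide, checked in code as an added example that is not part of the original presentation. It reads the slide's update as s16 = f XOR z, the only reading under which the stated collision holds; the function names and the scaled-down 8-bit word used for the exhaustive count are assumptions made for illustration.

```python
import secrets

def s16_update(f: int, z: int, bits: int = 31) -> int:
    """Slide's update: s16 = f XOR z, with a zero result replaced by 2^bits - 1."""
    all_ones = (1 << bits) - 1
    s16 = (f ^ z) & all_ones
    return all_ones if s16 == 0 else s16

def colliding_pair(f: int, bits: int = 31) -> tuple[int, int]:
    """The two z values named on the slide: z = f and z = (2^bits - 1) - f."""
    return f, ((1 << bits) - 1) - f

def image_size(f: int, bits: int) -> int:
    """Number of distinct s16 values as z runs over every bits-wide word."""
    return len({s16_update(f, z, bits) for z in range(1 << bits)})

def collisions(f: int, bits: int) -> list[tuple[int, int]]:
    """Every pair z1 < z2 mapping to the same s16 (exhaustive, small bits only)."""
    first_seen: dict[int, int] = {}
    pairs = []
    for z in range(1 << bits):
        out = s16_update(f, z, bits)
        if out in first_seen:
            pairs.append((first_seen[out], z))
        else:
            first_seen[out] = z
    return pairs

if __name__ == "__main__":
    # Full 31-bit width: any f gives two distinct z values with the same s16.
    f = secrets.randbelow(1 << 31)
    z1, z2 = colliding_pair(f)
    print(f"f={f:#010x}  z1={z1:#010x}  z2={z2:#010x}")
    print("same s16:", s16_update(f, z1) == s16_update(f, z2))

    # Scaled-down 8-bit word (constructed): 256 inputs reach only 255 outputs,
    # and the single collision is exactly the pair {f, all_ones - f}.
    print("image size:", image_size(0x5A, 8), "collisions:", collisions(0x5A, 8))
```

The zero-replacement step is what merges the two inputs: z = f gives 0, which is rewritten to the all-ones word, and z = 2^31-1-f (the bitwise complement of f) gives the all-ones word directly.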
Forgery attack on EIA3
Fuhr/Gilbert/Reinhard/Videau (ZUC workshop, IACR ePrint archive)
New versions
Plan D
[Timeline chart, May 2009 to July 2011, with bars labelled: Paid expert team evaluation; Go public; Public evaluation; Agree and sign NDA; Expert team contract; Algorithm acceptance (hopefully); SAGE evaluation.]
Plan E
[Timeline chart, May 2009 to July 2011, with bars labelled: Paid expert team evaluation; Go public; Public evaluation; Agree and sign NDA; Expert team contract; Algorithm revision; Algorithm acceptance (hopefully); Public evaluation; Algorithm acceptance (hopefully); SAGE evaluation.]
Thank you
http://zucalg.forumotion.net/
http://gsmworld.com/our-work/programmes-and-initiatives/fraud-and-security/gsm_security_algorithms.htm
http://tinyurl.com/33ezbmj