Practical Algebraic Attacks on the HITAG2™ Stream Cipher

SLIDE 1

Practical Algebraic Attacks on the HITAG2™ Stream Cipher

Nicolas T. Courtois¹, Sean O’Neil², Jean-Jacques Quisquater³

¹ University College London, UK
² VEST Corporation, France
³ Université Catholique de Louvain, Belgium

SLIDE 2

Algebraic Attacks on Hitag 2 Cipher Courtois, O’Neil, Quisquater

Disclaimer

First of all, this is pure crypto research: Spec of the cipher => Algebraic Attack. Not all attacks work on actual industrial systems due to the protocol subtleties.

Moreover: one should not expect that all information found on the Internet is correct. One can expect some small glitches…

SLIDE 3

Outline

1. Hitag2 cipher and products.
2. Discussion: open source vs. closed source crypto.
3. Algebraic attacks with SAT solvers.
4. Our results.
5. Industry impact, discussion.

SLIDE 4

Hitag2

  • A stream cipher used in car locks [e.g. BMW]: Philips Hitag2 family.
  • Also used in building access.
    – According to [Nohl, Plötz HAR’09] used in German government and army buildings…
    – But Hitag2 proximity cards are not available anymore in shops. They have been discontinued.

Here we concentrate just on car locks.

SLIDE 5

What’s Inside?

SLIDE 6

Open Source vs. Closed Source Crypto

SLIDE 7

Secrecy: Very frequently an obvious business decision.

  • Creates entry barriers for competitors.
  • But also defends against hackers.

SLIDE 8

Kerckhoffs’ principle: [1883]

“The system must remain secure should it fall in enemy hands …”

SLIDE 9

*Remark: Smart Cards: They are already in ‘enemy’ hands

  • even more for RFID…

SLIDE 10

Kerckhoffs’ principle: [1883]

Most of the time: incorrectly understood. No obligation to disclose.

  • Security when disclosed.
  • Better security when not disclosed???

SLIDE 11

Yes (1,2,3):

  • 1. Military: layer the defences.

SLIDE 12

Yes (2):

2) Basic economics: these 3 extra months (and not more) are simply worth a lot of money.

SLIDE 13

Yes (3):

3) Prevent the erosion of profitability / barriers for entry for competitors / “inimitability”

SLIDE 14

Kerckhoffs principle is kind of WRONG in the world of smart cards

Reasons:

  • side channel attacks are HARD and COSTLY to prevent when the algo is known
  • in some applications, for example Pay TV, the system is broken immediately when the cryptographic algorithms are public.

SLIDE 15

Kerckhoffs principle is kind of WRONG?

Well OK, but then we need other means to evaluate crypto algorithms used by the industry.

  • [OLD] private consulting…
  • [NEW] TODAY: Automated Cryptanalysis

Spec of the cipher => Try our software

SLIDE 16

Silicon Hacking

SLIDE 17

Tarnovsky Lab [Freelance Silicon Hacker]

Only a few thousands of dollars worth of equipment

SLIDE 18

Clear and Present Danger

Reverse engineering is NOT that hard. No need for a FIB device (Focused Ion Beam, 0.5 M€). A few thousand dollars microscope + software.

SLIDE 19

Silicon Hacking => Wikipedia™

SLIDE 20

SLIDE 21

Crypto-1 is VERY WEAK

  • Crypto 1 has regular LFSR taps => Broken in 0.05 seconds. [de Koning Gans et al, Esorics 2008]

SLIDE 22

much better:

  • Crypto 1 has regular LFSR taps => Broken in 0.05 seconds. [de Koning Gans et al, Esorics 2008]
  • Hitag 2 has IRREGULAR taps. Not so easy.
  • State of the art: Inversion attacks:
    – [Ross Anderson: Searching for the Optimum Correlation Attack, In FSE’94]
    – Our present work is a sort of automated inversion attack where human insights into how to invert the augmented filter function are replaced by the [clever] SAT solver software…

SLIDE 23

SLIDE 24

Silicon Hacking => Wikipedia

A Cryptanalyst can start working…

SLIDE 25

Circuit High-Level View of Hitag2

SLIDE 26

Exhaustive Key Search

  • 48 bits, about 4 years on 1 CPU.
  • But only hours/days with more expensive devices such as FPGA/Copacobana etc…

SLIDE 27

Algebraic Cryptanalysis

SLIDE 28

Algebraic Cryptanalysis [Shannon]

Breaking a « good » cipher should require: “as much work as solving a system of simultaneous equations in a large number of unknowns of a complex type”

[Shannon, 1949]

SLIDE 29

Algebraic Cryptanalysis: An Emerging Technology

AES XSL

Gartner’s Technology Hype Cycle

SLIDE 30

Strong or Weak?

High Algebraic Immunity.

  • Does NOT help.
  • Many “direct” algebraic attacks exist.
    – First mention of such attack: Ars-Faugère in their INRIA report:
      • Experimental attacks with a very small quantity of keystream.
    – Now we have a portfolio of techniques… We can break “any cipher”, if not too complex…

SLIDE 31

“direct” algebraic attacks

Our fastest attacks use algebraic equations + conversion + SAT solvers

  • [cf. recent attacks on DES and KeeLoq by Courtois and Bard 2007-08]

SLIDE 32

Our Attacks

…AC can break “any cipher”, if not too complex…

Remark:

  • Other attacks can be faster.
  • However, this method is more generally applicable:
    • we can also break many modified versions of Hitag2
    • and this without any human intervention!

SLIDE 33

Algebraic Cryptanalysis

Step 1. Write a system of Multivariate Quadratic equations [MQ]

Step 2. Solve it.

SLIDE 34

Step 1 – Write Quadratic Equations

Method? Follow closely a gate-efficient implementation of the cipher. This process can be fully automated.

Better implementation (less NAND gates) => better attack

[Figure: NAND gate, inputs x, y, output z] xy+1=z

SLIDE 35

Step 2: Solve it.

Theory: NP-hard problem…
Practice: hopefully solvable…

SLIDE 36

ANF-to-CNF method - The Outsider

[Courtois, Bard, Jefferson] Before we did try, we actually never believed it could work… Convert MQ to a SAT problem. (both are NP-hard problems)

SLIDE 37

*ANF-to-CNF – Main Idea

Principle 1: each monomial = one dummy variable. d+1 clauses for each degree d monomial

SLIDE 38

*Also

Principle 2: Handling XORs – Not obvious. Long XORs known to be hard problems for SAT solvers.

  • Split longer XORs in several shorter with more dummy variables.
  • About 4h clauses for a XOR of size h.

SLIDE 39

*ANF-to-CNF

This description is enough to produce a working version. Space for non-trivial optimisations. See:

Gregory V. Bard, Nicolas T. Courtois and Chris Jefferson: “Efficient Methods for Conversion and Solution of Sparse Systems of Low-Degree Multivariate Polynomials over GF(2) via SAT-Solvers”. eprint.iacr.org/2007/024
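
The two ANF-to-CNF principles above, applied to gate equations of the Step 1 form (NAND: xy+1=z), as an added Python example that is not the authors' converter. The class and function names, the cut length of 4 and the five-variable toy circuit are assumptions made here, and exhaustive enumeration stands in for MiniSat so the block runs offline.

```python
from itertools import product

class AnfToCnf:
    """GF(2) polynomial equations -> CNF clauses (DIMACS-style signed ints)."""
    def __init__(self, nvars, cut=4):
        self.nvars, self.cut = nvars, cut   # cut (>= 3) = longest XOR encoded directly
        self.clauses, self.mono = [], {}    # mono: monomial -> dummy variable

    def fresh(self):
        self.nvars += 1
        return self.nvars

    def monomial(self, m):
        """Principle 1: one dummy t = AND(m); d+1 clauses for degree d."""
        m = tuple(sorted(set(m)))
        if len(m) > 1 and m not in self.mono:
            t = self.mono[m] = self.fresh()
            self.clauses += [[-t, v] for v in m]          # t implies each v
            self.clauses.append([t] + [-v for v in m])    # all v imply t
        return self.mono[m] if len(m) > 1 else m[0]

    def xor(self, vs, rhs):
        """Principle 2: XOR(vs) = rhs; long XORs are split with dummies."""
        while len(vs) > self.cut:
            d = self.fresh()                              # d = XOR of head
            head, vs = vs[:self.cut - 1], [d] + vs[self.cut - 1:]
            self._short_xor(head + [d], 0)
        self._short_xor(vs, rhs)

    def _short_xor(self, vs, rhs):
        # One clause per wrong-parity assignment: 2^(h-1) clauses for h vars.
        for bits in product([0, 1], repeat=len(vs)):
            if sum(bits) % 2 != rhs:
                self.clauses.append([-v if b else v for v, b in zip(vs, bits)])

    def add_equation(self, monomials, const):
        """Add 'sum of monomials + const = 0' (assumes no repeated monomial)."""
        self.xor([self.monomial(m) for m in monomials], const)

def solve_by_enumeration(cnf, n_orig):
    """Stand-in for a SAT solver such as MiniSat; only viable at toy sizes."""
    ok = lambda bits, c: any((bits[abs(l) - 1] == 1) == (l > 0) for l in c)
    return sorted({bits[:n_orig] for bits in product([0, 1], repeat=cnf.nvars)
                   if all(ok(bits, c) for c in cnf.clauses)})

def build_toy_system():
    """Constructed circuit, not Hitag2: 1=a 2=b 3=c 4=z1 5=z2."""
    cnf = AnfToCnf(nvars=5)
    cnf.add_equation([(1, 2), (4,)], 1)      # z1 = NAND(a, b): ab + z1 + 1 = 0
    cnf.add_equation([(3, 4), (5,)], 1)      # z2 = NAND(c, z1)
    cnf.add_equation([(5,)], 0)              # observed output bit: z2 = 0
    cnf.add_equation([(1,), (2,), (3,), (4,), (5,)], 1)   # long XOR, gets split
    cnf.add_equation([(1, 3), (2, 5)], 1)    # ac + b*z2 + 1 = 0
    return cnf
```

`solve_by_enumeration(build_toy_system(), 5)` recovers the single consistent assignment of the five circuit variables; the dummy variables never appear in the result because they are projected away.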

SLIDE 40

Solving SAT

What are SAT solvers? Heuristic algorithms for solving SAT problems.

  • Guess some variables.
  • Examine consequences.
  • If a contradiction is found, I can add a new clause saying “In this set of constraints one is false”.

Very advanced area of research. Introduction for “dummies”: Gregory Bard PhD thesis.

SLIDE 41

MiniSat 2.0. Winner of SAT-Race 2006 competition.

An open-source SAT solver package, by Niklas Eén, Niklas Sörensson, http://www.cs.chalmers.se/Cs/Research/FormalMethods/MiniSat/

Compiles with gcc under both Unix and Windows.

SLIDE 42

**ANF-to-CNF + MiniSat 2.0.

Gives amazing results in algebraic cryptanalysis of just any (not too complex/not too many rounds) cipher. Also for random sparse MQ.

  • Certain VERY large systems solved in seconds on PC (thousands of variables!).
  • Few take a couple hours/days…
  • Then infeasible, we hit the wall…

Jump from 0 to ∞.

SLIDE 43

**What Can Be Done with SAT Solvers ?

  • Clearly it is not the size of the system but the nature of it.
  • Sometimes more powerful than Gröbner Bases, sometimes less.

Paradoxes:

  • If you guess some variables, can become much slower.
  • Great variability in results (hard to compute an average running time, better to look at 20 % faster timings).
  • Memory:
    – For many cases tiny: 9 Mbytes while Magma hangs at > 2 Gbytes for the same system.
    – For some working cases: 1.5 Gbytes and substantial time. Then terminates with the solution as well.

SLIDE 44

Hitag2 Protocols

SLIDE 45

From Original Philips Specs

  • Found on a Russian web site(!)
  • Hitag 2 has two modes.
    – Password mode [less secure]
    – Crypto mode.
  • We focus on the crypto mode. Sort of challenge-response protocol.
    – Mutual authentication.
    – But the reader is authenticated first.
  • Prevents tag-only attacks, or attacks at home:
    – sniffed data is needed.

SLIDE 46

Mutual Authentication in the Crypto mode

  • The tag sends: 11111 + SN (5 + 32 bits)
  • The car picks a random IV (32 bits) and sends: IV + ks1 (32 + 32 bits)
  • If the stream authenticator ks1 is correct, tag sends: 11111 + (Config||PWST) ⊕ ks2 (5 + 32 bits)

where PWST is a password, ks1, ks2 are the first 32+32 bits of Hitag 2 keystream initialised with (K,IV)

SLIDE 47

Sniffed Traces?

We did not do the actual hacking of car keys. Some recorded Hitag2 traces can be found in [Nohl, Plötz HAR’09]

https://har2009.org/program/attachments/113_breaking_hitag2_part1_hardware.pdf

SLIDE 48

Our Results

SLIDE 49

Our Chosen IV Attack

(in fact a type of counter mode)

SLIDE 50

Our Chosen IV Attack [not practical]

NOT practical.

  • An active attacker can send the data to the tag, but the tag will NOT respond if the authenticator is incorrect…
  • Purely theoretical attack:
    – We need to know the ks1 for 16 authentication attempts with 16 chosen IVs in the counter mode (consecutive integers on 32 bits).
    – We combine 16 systems of equations. We don’t guess any bits.
    – The complete 48-bit key is then found in 6 hours on a PC with MiniSat 2.0.
  • The full attack is 6 hours total.

SLIDE 51

Known IV Attack

SLIDE 52

Our Known IV Attack [practical !]

This attack is slower BUT it is practical given the protocol:

  • Sniffed data from 4 transactions needed.
  • 32 bits of the keystream per known IV are available (assuming PWST is already known).
  • We fix/guess 14 bits of the key and combine 4 systems of equations for 4 known IVs.
    – The solution is then found in 10 seconds on a PC with MiniSat 2.0.
  • The full attack on a full 48-bit key takes about 2^14*10 s which is less than 2 days.

SLIDE 53

Cryptanalysis and the Industry

SLIDE 54

Industry Impact?

“old” industry:

  • Good excuse to replace these old systems.
    – Nobody thought they would be very secure by today’s standards…

“new” industry:

  • Silicon hacking labs: we need to realize that: what people in Europe/US will do so that they can evaluate the security of the product (and publish a nice paper)…, it will be done routinely in China and by several firms BUT not for research, but for the manufacturing industry (and it will be legal: in Chinese law),

SLIDE 55

*Example, cf. made-in-china.com:

Supports: Mercedes, BMW

SLIDE 56

*Programmer 2: [All come from China]

Supports: BMW (2002-2009) CAS/CAS2/CAS3 DG512 / CAS3 + DP512 key and remote control

SLIDE 57

*Programmer 3: [China]

Audi A8, VW Touareg, VW Phaeton, Bentley Continental, Porsche Cayenne, BMW E38, E39, E46, E53, E60, E61, E63, E64, E65, E66, E87, E90, E91, E92

SLIDE 58

*Programmer 4: [China]

Audi A8, VW Touareg, VW Phaeton, Bentley Continental, Porsche Cayenne, BMW E38, E39, E46, E53, E60, E61, E63, E64, E65, E66, E87, E90, E91, E92

SLIDE 59

*Programmer 5: [China]

Audi A8, VW Touareg, VW Phaeton, Bentley Continental, Porsche Cayenne, BMW E38, E39, E46, E53, E60, E61, E63, E64, E65, E66, E87, E90, E91, E92

SLIDE 60

Conclusion

Old industrial ciphers can now be routinely broken by automated tools such as SAT solvers.

The industry needs to recognise that:

– Reverse engineering is cheaper and easier than ever. A microscope + software…
– “Kindergarten crypto” fails.

SLIDE 61

New Perspective for the Industry

  • Old / Kindergarten crypto fails.
  • Custom/secret crypto is OK.
    – But it needs to be evaluated and tested.

We propose a new method to evaluate crypto algorithms used by the industry.

  • [OLD] private consulting…with selective disclosure.
  • [NEW] TODAY: Automated Cryptanalysis

Spec of the cipher => Try our software

no need to DISCLOSE the SPEC!