practical algebraic attacks on the hitag2 tm stream cipher
play

Practical Algebraic Attacks on the HITAG2 TM Stream Cipher Nicolas T. - PowerPoint PPT Presentation

Sep 24, 2023 •364 likes •995 views

Practical Algebraic Attacks on the HITAG2 TM Stream Cipher Nicolas T. Courtois 1 Sean O Neil 2 Jean-Jacques Quisquater 3 1 - University College London, UK 2 - VEST Corporation, France 3 - Universit Catholique de Louvain, Belgium Algebraic

  1. Practical Algebraic Attacks on the HITAG2 TM Stream Cipher Nicolas T. Courtois 1 Sean O ’ Neil 2 Jean-Jacques Quisquater 3 1 - University College London, UK 2 - VEST Corporation, France 3 - Université Catholique de Louvain, Belgium

  2. Algebraic Attacks on Hitag 2 Cipher Disclaimer First of all, this pure crypto research: Spec of Algebraic the cipher => Attack. Not all attacks work on actual industrial systems due to the protocol subtleties. Moreover: one should not expect that every information found on the Internet is correct. One can expect some small glitches… 2 Courtois, O’Neil, Quisquater

  3. Algebraic Attacks on Hitag 2 Cipher Outline 1. Hitag2 cipher and products. 2. Discussion: open source vs. closed source crypto. 3. Algebraic attacks with SAT solvers. 4. Our results. 5. Industry impact, discussion. 3 Courtois, O’Neil, Quisquater

  4. Algebraic Attacks on Hitag 2 Cipher Hitag2 • A stream cipher used in car locks [e.g. BMW]: Philips Hitag2 family. • Also used in building access. – According to [Nohl, Plötz HAR’09] used in German government and army buildings… – But Hitag2 proximity cards are not available anymore in shops. They have been discontinued. Here we concentrate just on car locks. 4 Courtois, O’Neil, Quisquater

  5. Algebraic Attacks on Hitag 2 Cipher What ’ s Inside? 5 Courtois, O’Neil, Quisquater

  6. Algebraic Attacks on Hitag 2 Cipher Open Source vs. Closed Source Crypto 6 Courtois, O’Neil, Quisquater

  7. Algebraic Attacks on Hitag 2 Cipher Secrecy: Very frequently an obvious business decision. Creates entry barriers for competitors. • But also defends against hackers. • 7 Courtois, O’Neil, Quisquater

  8. Algebraic Attacks on Hitag 2 Cipher Kerckhoffs ’ principle: [1883] “ The system must remain secure should it fall in enemy hands …” 8 Courtois, O’Neil, Quisquater

  9. Algebraic Attacks on Hitag 2 Cipher *Remark: Smart Cards: They are already in ‘ enemy ’ hands - even more for RFID … 9 Courtois, O’Neil, Quisquater

  10. Algebraic Attacks on Hitag 2 Cipher Kerckhoffs ’ principle: [1883] Most of the time: incorrectly understood. No obligation to disclose. • Security when disclosed. • Better security when not disclosed??? 10 Courtois, O’Neil, Quisquater

  11. Algebraic Attacks on Hitag 2 Cipher Yes (1,2,3): 1. Military: layer the defences. 11 Courtois, O’Neil, Quisquater

  12. Algebraic Attacks on Hitag 2 Cipher Yes (2): 2) Basic economics: these 3 extra months (and not more � ) are simply worth a a lot of money. 12 Courtois, O’Neil, Quisquater

  13. Algebraic Attacks on Hitag 2 Cipher Yes (3): 3) Prevent the erosion of profitability / barriers for entry for competitors / “ inimitability ” 13 Courtois, O’Neil, Quisquater

  14. Algebraic Attacks on Hitag 2 Cipher Kerckhoffs principle is kind of WRONG in the world of smart cards Reasons: • side channel attacks are HARD and COSTLY to prevent when the algo is known • in some applications, for example Pay TV the system is broken immediately when the cryptographic algorithms are public. 14 Courtois, O’Neil, Quisquater

  15. Algebraic Attacks on Hitag 2 Cipher Kerckhoffs principle is kind of WRONG? Well OK, but then we need other means to evaluate evaluate evaluate evaluate crypto algorithms used by the industry. • [OLD] private consulting … • [NEW] TODAY: Automated Cryptanalysis Automated Cryptanalysis Automated Cryptanalysis Automated Cryptanalysis Spec of Try our the cipher => software 15 Courtois, O’Neil, Quisquater

  16. Algebraic Attacks on Hitag 2 Cipher Silicon Hacking 16 Courtois, O’Neil, Quisquater

  17. Algebraic Attacks on Hitag 2 Cipher Tarnovsky Lab [Freelance Silicon Hacker] Only a few thousands of dollars worth of equipment 17 Courtois, O’Neil, Quisquater

  18. Algebraic Attacks on Hitag 2 Cipher Clear and Present Danger Reverse engineering is NOT that hard. No need for a FIB device (Focused Ion Beam, 0.5 M € ). A few thousand dollars microscope +software. 18 Courtois, O’Neil, Quisquater

  19. Algebraic Attacks on Hitag 2 Cipher Silicon Hacking => Wikipedia TM 19 Courtois, O’Neil, Quisquater

  20. Algebraic Attacks on Hitag 2 Cipher 20 Courtois, O’Neil, Quisquater

  21. Algebraic Attacks on Hitag 2 Cipher Crypto-1 is VERY WEAK • Crypto 1 Has regular LFSR taps =>Broken in 0.05 seconds. [de Koning Gans et al, Esorics 2008] 21 Courtois, O’Neil, Quisquater

  22. Algebraic Attacks on Hitag 2 Cipher much better: • Crypto 1 Has regular LFSR taps • Crypto 1 Has regular LFSR taps Crypto 1 Has regular LFSR taps • =>Broken in 0.05 seconds . =>Broken in 0.05 seconds. . =>Broken in 0.05 seconds [de Koning Gans et al, Esorics 2008] [de Koning Gans Koning Gans et al, et al, Esorics Esorics 2008] 2008] [de • Hitag 2 has IRREGULAR taps. Not so easy. • State of the art: Inversion attacks: – [Ross Anderson: Searching for the Optimum Correlation Attack, In FSE’94] – Our present work is a sort of automated inversion attack where human insights into how to invert the augmented filter function are replaced by the [clever] SAT solver software… 22 Courtois, O’Neil, Quisquater

  23. Algebraic Attacks on Hitag 2 Cipher 23 Courtois, O’Neil, Quisquater

  24. Algebraic Attacks on Hitag 2 Cipher Silicon Hacking => Wikipedia A Cryptanalyst can start working … 24 Courtois, O’Neil, Quisquater

  25. Algebraic Attacks on Hitag 2 Cipher Circuit High-Level View of Hitag2 25 Courtois, O’Neil, Quisquater

  26. Algebraic Attacks on Hitag 2 Cipher Exhaustive Key Search • 48 bits, about 4 years on 1 CPU. • But only hours/days with more expensive devices such as FPGA/Copacobana etc… 26 Courtois, O’Neil, Quisquater

  27. Algebraic Attacks on Hitag 2 Cipher Algebraic Cryptanalysis 27 Courtois, O’Neil, Quisquater

  28. Algebraic Attacks on Hitag 2 Cipher Algebraic Cryptanalysis [Shannon] Breaking a « good » cipher should require: “as much work as solving a system of simultaneous equations in a large number of unknowns of a complex type” [Shannon, 1949] 28 Courtois, O’Neil, Quisquater

  29. Algebraic Attacks on Hitag 2 Cipher Algebraic Cryptanalysis: An Emerging Technology XSL Gartner ’ s Technology Hype Cycle AES 29 Courtois, O’Neil, Quisquater

  30. Algebraic Attacks on Hitag 2 Cipher Strong or Weak? High Algebraic Immunity. • Does NOT help. • Many “direct” algebraic attacks exist. – First mention of such attack: Ars-Faugère in their INRIA report: • Experimental attacks with a very small quantity of keystream. – Now we have a portfolio of techniques… We can break “any cipher”, if not too complex… 30 Courtois, O’Neil, Quisquater

  31. Algebraic Attacks on Hitag 2 Cipher “direct” algebraic attacks Our fastest attacks use algebraic equations + conversion + SAT solvers • [cf. recent attacks on DES and KeeLoq by Courtois and Bard 2007-08] 31 Courtois, O’Neil, Quisquater

  32. Algebraic Attacks on Hitag 2 Cipher Our Attacks …AC can break “any cipher”, if not too complex… Remark: • Other attacks can be faster. • However, this method is more generally applicable: • we can also break many modified versions of Hitag2 • and this without any human intervention ! 32 Courtois, O’Neil, Quisquater

  33. Algebraic Attacks on Hitag 2 Cipher Algebraic Cryptanalysis Step 1. Write a system of Multivariate Quadratic equations [MQ] Step 2. Solve it. 33 Courtois, O’Neil, Quisquater

  34. Algebraic Attacks on Hitag 2 Cipher Step 1 – Write Quadratic Equations Method? Follow Closely a gate-efficient implementation of the cipher. x z xy+1=z y This process can be fully automated. Better implementation (less NAND gates) => better attack � 34 Courtois, O’Neil, Quisquater

  35. Algebraic Attacks on Hitag 2 Cipher Step 2: Solve it. Theory: NP-hard problem… Practice: hopefully solvable…. 35 Courtois, O’Neil, Quisquater

  36. Algebraic Attacks on Hitag 2 Cipher ANF-to-CNF method - The Outsider [Courtois, Bard, Jefferson] Before we did try, we actually never believed it could work… � � � Convert MQ to a SAT problem. (both are NP-hard problems) 36 Courtois, O’Neil, Quisquater

  37. Algebraic Attacks on Hitag 2 Cipher *ANF-to-CNF – Main Idea Principle 1: each monomial = one dummy variable. d+1 clauses for each degree d monomial 37 Courtois, O’Neil, Quisquater

  38. Algebraic Attacks on Hitag 2 Cipher *Also Principle 2: Handling XORs – Not obvious. Long XORs known to be hard problems for SAT solvers. • Split longer XORs in several shorter with more dummy variables. • About 4 h clauses for a XOR of size h. 38 Courtois, O’Neil, Quisquater

  39. Algebraic Attacks on Hitag 2 Cipher *ANF-to-CNF This description is enough to produce a working version. Space for non-trivial optimisations. See: Gregory V. Bard, Nicolas T. Courtois and Chris Jefferson: “Efficient Methods for Conversion and Solution of Sparse Systems of Low-Degree Multivariate Polynomials over GF(2) via SAT-Solvers”. eprint.iacr.org/2007/024 39 Courtois, O’Neil, Quisquater

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
Distinguishing Attacks on the Stream Cipher Py (Roo) Speaker: Souradyuti Paul (work jointly with

Distinguishing Attacks on the Stream Cipher Py (Roo) Speaker: Souradyuti Paul (work jointly with

Distinguishing Attacks on the Stream Cipher Py (Roo) Speaker: Souradyuti Paul (work jointly with B.Preneel and G. Sekar) Computer Security and Industrial Cryptography (COSIC) Department of Electrical Engineering-ESAT Katholieke Universiteit

655 views • 16 slides
Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography

Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography

Cryptography Encryption and Attacks Encryption Building Blocks Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography Stream Cipher Design Principles Example: Brute School of Engineering and Technology

681 views • 51 slides
Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography

Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography

Cryptography Encryption and Attacks Encryption Building Blocks Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography Stream Cipher Design Principles Example: Brute School of Engineering and Technology

923 views • 51 slides
Differential-Linear Attacks against the Stream Cipher Phelix Hongjun Wu and Bart Preneel

Differential-Linear Attacks against the Stream Cipher Phelix Hongjun Wu and Bart Preneel

Differential-Linear Attacks against the Stream Cipher Phelix Hongjun Wu and Bart Preneel Katholieke Universiteit Leuven ESAT/COSIC Overview 1. Introduction to Helix and Phelix 2. Description of Phelix 3. Differential propagation of

790 views • 28 slides
The Salsa20 stream cipher Salsa20: additive stream cipher, expanding key and nonce D. J.

The Salsa20 stream cipher Salsa20: additive stream cipher, expanding key and nonce D. J.

The Salsa20 stream cipher Salsa20: additive stream cipher, expanding key and nonce D. J. Bernstein into long stream of bytes Thanks to: to add to plaintext. University of Illinois at Chicago Key : 16 or 32 bytes. NSF CCR9983950 Same

714 views • 43 slides
Algebraic attacks and decomposition of Boolean functions Willi Meier 1 and Enes Pasalic 2 and

Algebraic attacks and decomposition of Boolean functions Willi Meier 1 and Enes Pasalic 2 and

Algebraic attacks and decomposition of Boolean functions Willi Meier 1 and Enes Pasalic 2 and Claude Carlet 2 1 FH Aargau, Switzerland 2 INRIA, Rocquencourt, France Overview Algebraic attacks in general ... and on LFSR-based stream

316 views • 27 slides
Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J.

Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J.

Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J. Bernstein Timing tools Thanks to: (De Canni` ere) University of Illinois at Chicago Denmark Technical University

602 views • 13 slides
Algebraic and Slide Attacks on KeeLoq Nicolas T. Courtois 1 Gregory V. Bard 2 1 - University

Algebraic and Slide Attacks on KeeLoq Nicolas T. Courtois 1 Gregory V. Bard 2 1 - University

Algebraic and Slide Attacks on KeeLoq Nicolas T. Courtois 1 Gregory V. Bard 2 1 - University College of London, UK 2 - University of Maryland, US KeeLoq and Algebraic Cryptanalysis KeeLoq Block cipher used to unlock doors and the alarm in

171 views • 13 slides
Summary We present a new stream cipher Spritz (generating a pseudo-random stream of

Summary We present a new stream cipher Spritz (generating a pseudo-random stream of

S PRITZ A SPONGY RC4- LIKE STREAM CIPHER AND HASH FUNCTION Ronald L. Rivest 1 Jacob C. N. Schuldt 2 1 Vannevar Bush Professor of EECS MIT CSAIL Cambridge, MA 02139 rivest@mit.edu 2 Research Institute for Secure Systems AIST, Japan

603 views • 37 slides
Algebraic Attacks on Stream Ciphers Trial Lecture Rune Steinsmo degrd Centre for

Algebraic Attacks on Stream Ciphers Trial Lecture Rune Steinsmo degrd Centre for

Algebraic Attacks on Stream Ciphers Trial Lecture Rune Steinsmo degrd Centre for Quantifiable Quality of Service in Communication Systems Centre of Excellence NTNU, Norway NTNU, Trondheim, 2012-04-23 www.q2s.ntnu.no Rune Steinsmo

716 views • 49 slides
Algebraic Attacks and Stream Ciphers Mikko Kiviharju Helsinki University of Technology

Algebraic Attacks and Stream Ciphers Mikko Kiviharju Helsinki University of Technology

T-79.514 Special Course on Cryptology November 25 th , 2004 Algebraic Attacks and Stream Ciphers Mikko Kiviharju Helsinki University of Technology mkivihar@cc.hut.fi T-79.514 Special Course on Cryptology Mikko Kiviharju 1 Overview

493 views • 28 slides
PRF , Block Ciphers MAC Lecture 6 One-time CPA-secure RECALL SKE with a Stream-Cipher m

PRF , Block Ciphers MAC Lecture 6 One-time CPA-secure RECALL SKE with a Stream-Cipher m

PRF , Block Ciphers MAC Lecture 6 One-time CPA-secure RECALL SKE with a Stream-Cipher m (stream) Enc One-time Encryption with a stream-cipher: SC K Generate a one-time pad from a short seed Can share just the seed as the key Mask

1.33k views • 102 slides
Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Cipher Cipher Cipher Cipher

464 views • 20 slides
Stream Cipher One-time pad secure, however key as long as message Obtain efficient cipher if we

Stream Cipher One-time pad secure, however key as long as message Obtain efficient cipher if we

Stream Cipher One-time pad secure, however key as long as message Obtain efficient cipher if we replace key with sequence which behaves as sequence of random numbers Algorithms which produce pseudo-random strings are called pseudo-random

367 views • 19 slides
T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher

T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher

T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher confidentiality modes of operation Kaufman et al: Ch 4 Stallings: Ch 6, Ch 3 1 Stream ciphers Stream ciphers are generally faster than block

535 views • 12 slides
A Reaction Attack on the QC-LDPC McEliece Cryptosystem Tomas Fabsic 1 , Viliam Hromada 1 , Paul

A Reaction Attack on the QC-LDPC McEliece Cryptosystem Tomas Fabsic 1 , Viliam Hromada 1 , Paul

LDPC and MDPC Codes QC-MDPC McEliece Attack of Guo et al. QC-LDPC McEliece Our Attack A Reaction Attack on the QC-LDPC McEliece Cryptosystem Tomas Fabsic 1 , Viliam Hromada 1 , Paul Stankovski 2 , Pavol Zajac 1 , Qian Guo 2 , Thomas Johansson

693 views • 37 slides
CSCE 790 Computer Systems Security Threat Modeling Professor Qiang Zeng Spring 2020

CSCE 790 Computer Systems Security Threat Modeling Professor Qiang Zeng Spring 2020

CSCE 790 Computer Systems Security Threat Modeling Professor Qiang Zeng Spring 2020 Previous Class The CIA Triad as security objectives Threat: potential Attack: attempt Compromise: success Vulnerability: security

660 views • 29 slides
Implementing Differential Privacy & Side-channel attacks CompSci 590.03 Instructor: Ashwin

Implementing Differential Privacy & Side-channel attacks CompSci 590.03 Instructor: Ashwin

Implementing Differential Privacy & Side-channel attacks CompSci 590.03 Instructor: Ashwin Machanavajjhala Lecture 14 : 590.03 Fall 12 1 Outline Differential Privacy Implementations PINQ: Privacy Integrated Queries [McSherry SIGMOD

1.22k views • 40 slides
Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef @vanhoefm CCS 2017, 1

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef @vanhoefm CCS 2017, 1

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef @vanhoefm CCS 2017, 1 October 2017 Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Lessons learned 2 Overview Key reinstalls in 4-way

566 views • 38 slides
Optical Properties of Liquid Argon measured by the PDS in ProtoDUNE-SP Bryan Ramson (on behalf of

Optical Properties of Liquid Argon measured by the PDS in ProtoDUNE-SP Bryan Ramson (on behalf of

Optical Properties of Liquid Argon measured by the PDS in ProtoDUNE-SP Bryan Ramson (on behalf of the DUNE collaboration) LIDINE 2019, Manchester, UK August 30, 2019 You Inst Logo Introduction(What is DUNE?) The Fermilab Deep Underground

346 views • 18 slides
Looking for Dark Matter in the Earth's Shadow Bradley J. Kavanagh LPTHE (Paris) & IPhT

Looking for Dark Matter in the Earth's Shadow Bradley J. Kavanagh LPTHE (Paris) & IPhT

Looking for Dark Matter in the Earth's Shadow Bradley J. Kavanagh LPTHE (Paris) & IPhT (CEA/Saclay) with Riccardo Catena (Chalmers) and Chris Kouvaris (CP 3 -Origins) IDM - Sheffield - 19th July 2016 bradley.kavanagh@lpthe.jussieu.fr

317 views • 30 slides
Determination of the photon mass attenuation coefficients Geometrical set-up N 0 N d primary

Determination of the photon mass attenuation coefficients Geometrical set-up N 0 N d primary

Determination of the photon mass attenuation coefficients Geometrical set-up N 0 N d primary photons generated primary photons detected Vacuum material Check on (checked) ParentID( ) surrounds Energy value the experimental

409 views • 14 slides
Full Duplex Radios Dinesh Bharadia, Emily McMilin, Sachin Katti Stanford University 8/14/13 1

Full Duplex Radios Dinesh Bharadia, Emily McMilin, Sachin Katti Stanford University 8/14/13 1

Full Duplex Radios Dinesh Bharadia, Emily McMilin, Sachin Katti Stanford University 8/14/13 1 It is generally not possible for radios to receive and transmit on the same frequency band because of the interference that results. - Andrea

984 views • 34 slides

More recommend