A Low Data Complexity Attack on the GMR-2 Cipher Used in the Satellite Phones
Ruilin Li, Heng Li, Chao Li, Bing Sun
National University of Defense Technology, Changsha, China
FSE 2013, Singapore, 11th~13th March, 2013

Outline
• Backgrounds and the GMR-2 Cipher
• Revisit the Component of the GMR-2 Cipher
• The Low Data Complexity Attack
• Experimental Result
• Conclusion

Backgrounds and the GMR-2 Cipher
• Mobile communication systems have revolutionized the way we interact with each other
  – GSM, UMTS, CDMA2000, 3GPP LTE
• When do we need a satellite-based mobile system?
  – In some special cases
    • researchers on a field trip in a desert
    • crew on ships on open sea
    • people living in remote areas or areas that are affected by a natural disaster

Backgrounds and the GMR-2 Cipher
• What is GMR?
  – GMR stands for GEO-Mobile Radio
  – GEO stands for Geostationary Earth Orbit
  – Design heavily inspired from GSM

Backgrounds and the GMR-2 Cipher
• Two major GMR Standards
  – GMR-1 (de-facto standard, Thuraya etc.)
  – GMR-2 (Inmarsat and AcES)
• How to protect the security of the communication in a GMR system?
  – Using symmetric cryptography
  – Both authentication and encryption are similar to the GSM A3/A5 algorithms.

Backgrounds and the GMR-2 Cipher
• Encryption Algorithms in GMR
  – Stream ciphers
  – Reconstructed by Driessen et al.
• GMR-1 Cipher
  – Based on A5/2 of GSM
  – Totally broken by ciphertext-only attack
• GMR-2 Cipher
  – New design strategy
  – Can be broken by known-plaintext attack
  – Read-collision based technique

Backgrounds and the GMR-2 Cipher
• In this talk, we focus on the GMR-2 stream cipher
  – Revisit components of the GMR-2 cipher
  – Propose a dynamic guess-and-determine strategy
  – Present a low data complexity attack

Revisit each Component of the GMR-2 Cipher
• Encryption mechanism of the GMR-2 cipher
  – Data are divided into frames, each identified by a 22-bit frame number
  – Each new frame is re-initialized
  – Each frame contains 120 bits (15 bytes)
• Parameters of the GMR-2 cipher
  – Key length: 64-bit (Session key)
  – IV length: 22-bit (Frame number)
  – Key stream bits length within a frame: 120-bit

Revisit each Component of the GMR-2 Cipher
[Figure: overview of the GMR-2 cipher, showing the key K, counter c, toggle bit t, previous output p, the components F, G and H, the shift register s_7 … s_0 and the output Z_l]
• An overview on the GMR-2 cipher
  – 8-byte shift register S, a 3-bit counter c, and a toggle bit t
  – byte-oriented, three major components
  – F combines two bytes of session key with previous output
  – G is a linear function for mixing purpose
  – H consists of two DES S-boxes as a nonlinear filter

Revisit each Component of the GMR-2 Cipher
[Figure: the F component, with inputs K_0 … K_7, c, t, p and outputs O_0, O_1]
• The F component
  – At the l-th clock, the input
    • 8-byte array holding the session key K, read from two sides.
    • a counter c ranging from 0 to 7 sequentially and repeatedly.
    • a toggle bit t = c mod 2.
    • the previous key stream byte $p = Z_{l-1}$

Revisit each Component of the GMR-2 Cipher
[Figure: the F component, with inputs K_0 … K_7, c, t, p and outputs O_0, O_1]
• The F component
  – The lower side outputs $K_c$ with the help of the counter c.
  – The upper output depends on the lower output $K_c$, the previous key stream byte p and the toggle bit t.
  – $\mathcal{T}_1$ maps 4-bit to 3-bit which select the upper output.
  – $\mathcal{T}_2$ maps 3-bit to 3-bit which determine the rotation.

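Revisit each Component of the GMR-2 Cipher
[Figure: the F component, with inputs K_0 … K_7, c, t, p and outputs O_0, O_1]
• The F component
  – The output is

$$
\begin{cases}
O_0 = K_{\mathcal{T}_1(\alpha)} \ggg \mathcal{T}_2(\mathcal{T}_1(\alpha)) \\
O_1 = (((K_c \oplus p) \gg 4) \,\&\, \mathtt{0xF}) \oplus ((K_c \oplus p) \,\&\, \mathtt{0xF})
\end{cases}
$$

$$
\alpha =
\begin{cases}
(K_c \oplus p) \,\&\, \mathtt{0xF}, & \text{if } t = 0 \\
((K_c \oplus p) \gg 4) \,\&\, \mathtt{0xF}, & \text{if } t = 1
\end{cases}
$$
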
Revisit each Component of the GMR-2 Cipher
[Figure: the G component, with inputs O_0, O_1, S_0, the maps B_1, B_2, B_3 and outputs O'_0, O'_1]
• The G component

$$
\begin{cases}
B_1 : (x_3, x_2, x_1, x_0) \mapsto (x_3 \oplus x_0,\; x_3 \oplus x_2 \oplus x_0,\; x_3,\; x_1); \\
B_2 : (x_3, x_2, x_1, x_0) \mapsto (x_1,\; x_3,\; x_0,\; x_2); \\
B_3 : (x_3, x_2, x_1, x_0) \mapsto (x_2,\; x_0,\; x_3 \oplus x_1 \oplus x_0,\; x_3 \oplus x_0).
\end{cases}
$$

Revisit each Component of the GMR-2 Cipher
[Figure: the H component, with inputs O'_0, O'_1, t, the S-boxes S_2, S_6 and output Z_l]
• The H component

$$
Z_l =
\begin{cases}
(S_2(O'_1),\, S_6(O'_0))_8 & \text{if } t = 0 \\
(S_2(O'_0),\, S_6(O'_1))_8 & \text{if } t = 1
\end{cases}
$$

where $S_2$ and $S_6$ are the two S-boxes of DES. Assume the input of S is $(x_5, x_4, x_3, x_2, x_1, x_0)$, then $(x_1, x_0)$ selects the row index, and $(x_5, x_4, x_3, x_2)$ selects the column index.

Revisit each Component of the GMR-2 Cipher
[Figure: the components F, G and H]
• Initialization Mode
  – Set c=0, t=0, and initialize S with frame number N
  – 8-byte key is written into the register in F
  – Clock the cipher 8 times and discard the output $Z_l$

Revisit each Component of the GMR-2 Cipher
[Figure: the components F, G and H]
• Generation Mode
  – For each frame number N, further clock the cipher 15 times, and the output keystream is

$$
Z' = (Z_0^{(0)}, Z_1^{(0)}, \ldots, Z_{14}^{(0)};\; Z_0^{(1)}, Z_1^{(1)}, \ldots, Z_{14}^{(1)};\; Z_0^{(2)}, \ldots)
$$

$Z_l^{(N)}$ denotes the l-th byte of keystream generated after initialization with N

Revisit each Component of the GMR-2 Cipher
• Property of F

$$
\alpha =
\begin{cases}
(K_c \oplus p) \,\&\, \mathtt{0xF}, & \text{if } t = 0 \\
((K_c \oplus p) \gg 4) \,\&\, \mathtt{0xF}, & \text{if } t = 1
\end{cases}
$$

  – If p is known, then we can get the value of $\alpha$ only by the most/least significant four bits of $K_c$
[Figure: the F component, with inputs K_0 … K_7, c, t, p and outputs O_0, O_1]

Revisit each Component of the GMR-2 Cipher
• Property of H
  – We can “invert” $S_2$ / $S_6$
    • Given the row index and the output, the column index can be uniquely obtained.
    • Given the column index and the output, the row index can be uniquely obtained, except for $S_6$: when the column index is 4 and the output is 9, the row index can be either 0 or 3.
    • Given the outputs of both S-boxes, there will be 16 possible inputs.
[Figure: the H component, with inputs O'_0, O'_1, the S-boxes S_2, S_6 and output Z_l]

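The three inversion properties of H can be checked exhaustively. The block below is an added example, not code from the slides: it embeds the standard DES S-boxes S2 and S6, uses the slide's indexing (row from $(x_1, x_0)$, column from $(x_5, \ldots, x_2)$), and assumes the S2 output forms the upper nibble of $Z_l$. The function names are illustrative.

```python
# DES S-boxes S2 and S6 (standard tables), indexed as SBOX[row][column].
S2 = [[15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10],
      [3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5],
      [0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15],
      [13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9]]
S6 = [[12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11],
      [10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8],
      [9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6],
      [4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13]]

def lookup(sbox, x):
    """6-bit input, slide convention: (x1,x0) is the row, (x5..x2) the column."""
    return sbox[x & 3][x >> 2]

def columns_for(sbox, row, out):
    """Column indices consistent with a known row index and S-box output."""
    return [c for c in range(16) if sbox[row][c] == out]

def rows_for(sbox, col, out):
    """Row indices consistent with a known column index and S-box output."""
    return [r for r in range(4) if sbox[r][col] == out]

def ambiguous_rows(sbox):
    """(column, output, rows) triples where the row is NOT uniquely determined."""
    found = []
    for col in range(16):
        for out in range(16):
            rows = rows_for(sbox, col, out)
            if len(rows) > 1:
                found.append((col, out, rows))
    return found

def h_preimages(z, t):
    """All (O'_0, O'_1) pairs that H maps to keystream byte z under toggle t.
    Assumption: S2's output is the upper nibble of z, S6's the lower nibble."""
    in2 = [x for x in range(64) if lookup(S2, x) == z >> 4]
    in6 = [x for x in range(64) if lookup(S6, x) == z & 0xF]
    if t == 0:   # Z_l = (S2(O'_1), S6(O'_0))
        return [(o0, o1) for o0 in in6 for o1 in in2]
    return [(o0, o1) for o0 in in2 for o1 in in6]   # Z_l = (S2(O'_0), S6(O'_1))
```
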
Revisit each Component of the GMR-2 Cipher
• Property of G
  – The key point
  – The links between the input and output of the G component can be expressed by a well-structured matrix
[Figure: the G component, with inputs O_0, O_1, S_0, the maps B_1, B_2, B_3 and outputs O'_0, O'_1]

$$
\begin{pmatrix}
O'_{0,5}\\ O'_{0,4}\\ O'_{0,3}\\ O'_{0,2}\\ O'_{1,5}\\ O'_{1,4}\\ O'_{1,3}\\ O'_{1,2}\\ O'_{0,1}\\ O'_{0,0}\\ O'_{1,1}\\ O'_{1,0}
\end{pmatrix}
=
\left[\begin{array}{cccccccccccc}
1&0&0&1&0&0&0&0&0&0&0&0\\
1&1&0&1&0&0&0&0&0&0&0&0\\
1&0&0&0&0&0&0&0&0&0&0&0\\
0&0&1&0&0&0&0&0&0&0&0&0\\
0&0&0&0&1&0&0&1&0&0&0&0\\
0&0&0&0&1&1&0&1&0&0&0&0\\
0&0&0&0&1&0&0&0&0&0&0&0\\
0&0&0&0&0&0&1&0&0&0&0&0\\
0&0&0&0&0&0&0&0&1&0&1&1\\
0&0&0&0&0&0&0&0&1&0&0&1\\
0&0&0&0&0&0&0&0&0&1&0&0\\
0&0&0&0&0&0&0&0&0&0&0&1
\end{array}\right]
\cdot
\begin{pmatrix}
O_{0,7}\\ O_{0,6}\\ O_{0,5}\\ O_{0,4}\\ O_{0,3}\\ O_{0,2}\\ O_{0,1}\\ O_{0,0}\\ O_{1,3}\\ O_{1,2}\\ O_{1,1}\\ O_{1,0}
\end{pmatrix}
\oplus
\begin{pmatrix}
S_{0,5}\\ S_{0,7}\\ S_{0,4}\\ S_{0,6}\\ S_{0,1}\\ S_{0,3}\\ S_{0,0}\\ S_{0,2}\\ 0\\ 0\\ 0\\ 0
\end{pmatrix}
$$

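The matrix form of G can be exercised directly. The block below is an added example, not code from the slides: it builds G from the nibble maps $B_1$, $B_2$, $B_3$ following the bit layout of the matrix on this slide, and checks exhaustively that for a fixed $S_0$ the map from $(O_0, O_1)$ to $(O'_0, O'_1)$ loses no information. The function names are illustrative.

```python
def bits4(n):
    """Nibble as (x3, x2, x1, x0), most significant bit first."""
    return tuple((n >> i) & 1 for i in (3, 2, 1, 0))

def to_int(bs):
    """Bit list, most significant first, to integer."""
    v = 0
    for b in bs:
        v = (v << 1) | b
    return v

# The three nibble maps as defined on the G component slide.
def B1(x3, x2, x1, x0): return (x3 ^ x0, x3 ^ x2 ^ x0, x3, x1)
def B2(x3, x2, x1, x0): return (x1, x3, x0, x2)
def B3(x3, x2, x1, x0): return (x2, x0, x3 ^ x1 ^ x0, x3 ^ x0)

def xor(a, b):
    return [p ^ q for p, q in zip(a, b)]

def G(o0, o1, s0):
    """Return (O'_0, O'_1), 6 bits each, from O_0 (8 bits), O_1 (4), S_0 (8)."""
    hi = xor(B1(*bits4(o0 >> 4)), B2(*bits4(s0 >> 4)))    # O'_{0,5..2}
    lo = xor(B1(*bits4(o0 & 0xF)), B2(*bits4(s0 & 0xF)))  # O'_{1,5..2}
    b3 = B3(*bits4(o1))
    # Matrix rows 9-10 feed O'_{0,1..0}; rows 11-12 feed O'_{1,1..0}.
    return to_int(hi + [b3[2], b3[3]]), to_int(lo + [b3[0], b3[1]])

def invert_G(o0p, o1p, s0):
    """Brute force: every (O_0, O_1) that G maps to (O'_0, O'_1) for this S_0."""
    return [(o0, o1) for o0 in range(256) for o1 in range(16)
            if G(o0, o1, s0) == (o0p, o1p)]

def is_bijective(s0):
    """True if the 2^12 inputs (O_0, O_1) give 2^12 distinct outputs."""
    return len({G(o0, o1, s0) for o0 in range(256) for o1 in range(16)}) == 4096
```
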