a practical attack on keeloq
play

A Practical Attack on KeeLoq Sebastiaan Indesteege 1 Nathan Keller 2 - PowerPoint PPT Presentation

Feb 02, 2023 •409 likes •806 views

Introduction Our Attacks Practice Conclusions A Practical Attack on KeeLoq Sebastiaan Indesteege 1 Nathan Keller 2 Orr Dunkelman 1 Eli Biham 3 Bart Preneel 1 1 Dept. ESAT/SCD-COSIC, K.U.Leuven, Belgium. 2 Einstein Institute of Mathematics,

  1. Introduction Our Attacks Practice Conclusions A Practical Attack on KeeLoq Sebastiaan Indesteege 1 Nathan Keller 2 Orr Dunkelman 1 Eli Biham 3 Bart Preneel 1 1 Dept. ESAT/SCD-COSIC, K.U.Leuven, Belgium. 2 Einstein Institute of Mathematics, Hebrew University, Israel. 3 Computer Science Department, Technion, Israel. Eurocrypt 2008 Sebastiaan Indesteege A Practical Attack on KeeLoq 1/ 21

  2. Introduction Our Attacks Practice Conclusions Outline 1 Introduction Description of the KeeLoq Block Cipher Previous Attacks on KeeLoq 2 Our Attacks on KeeLoq Preliminaries Basic Attack Scenario A Generalisation of the Attack A Chosen Plaintext Attack 3 Practice Experimental Results Practical Applicability of the Attack 4 Conclusions Sebastiaan Indesteege A Practical Attack on KeeLoq 2/ 21

  3. Introduction Our Attacks Practice Conclusions KeeLoq Previous Attacks Outline 1 Introduction Description of the KeeLoq Block Cipher Previous Attacks on KeeLoq 2 Our Attacks on KeeLoq Preliminaries Basic Attack Scenario A Generalisation of the Attack A Chosen Plaintext Attack 3 Practice Experimental Results Practical Applicability of the Attack 4 Conclusions Sebastiaan Indesteege A Practical Attack on KeeLoq 3/ 21

  4. Introduction Our Attacks Practice Conclusions KeeLoq Previous Attacks Introduction What? ◮ Lightweight block cipher ◮ 32-bit block, 64-bit key ◮ Designed in 1980s ◮ Sold by Microchip Inc. Where Is It Used? ◮ Remote keyless entry applications ◮ Car locks and alarms Sebastiaan Indesteege A Practical Attack on KeeLoq 4/ 21

  5. Introduction Our Attacks Practice Conclusions KeeLoq Previous Attacks Description of the KeeLoq Block Cipher y ( i ) 31 y ( i ) y ( i ) y ( i ) 16 y ( i ) y ( i ) y ( i ) 528 rounds 26 20 9 1 0 ϕ ( i ) NLF + k 63 k 0 Sebastiaan Indesteege A Practical Attack on KeeLoq 5/ 21

  6. Introduction Our Attacks Practice Conclusions KeeLoq Previous Attacks Previous Attacks on KeeLoq Attack Type Data Time Memory Ref. 2 32 KP 2 52 Slide/Guess-and-Det. 16 GB [B07] 2 32 KP 2 50 . 6 Slide/Guess-and-Det. 16 GB [B07b] 2 32 KP 2 39 . 4 Slide/Cycle Structure 16 . 5 GB [CB07] 2 32 KP (2 37 ) Slide/Cycle/G&D 16 . 5 GB [B07b] 2 32 KP 2 27 Slide/Fixed Points > 16 GB [C+08] 2 16 KP 2 65 . 4 Slide/Algebraic ? [CB07, C+08] 2 16 KP 2 51 . 4 Slide/Algebraic ? [CB07, C+08] DPA — DEMA - - - [E+08] Sebastiaan Indesteege A Practical Attack on KeeLoq 6/ 21

  7. Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Outline 1 Introduction Description of the KeeLoq Block Cipher Previous Attacks on KeeLoq 2 Our Attacks on KeeLoq Preliminaries Basic Attack Scenario A Generalisation of the Attack A Chosen Plaintext Attack 3 Practice Experimental Results Practical Applicability of the Attack 4 Conclusions Sebastiaan Indesteege A Practical Attack on KeeLoq 7/ 21

  8. Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Determining Keybits in KeeLoq y ( i ) 31 y ( i ) y ( i ) y ( i ) 16 y ( i ) y ( i ) y ( i ) 26 20 9 1 0 ϕ ( i ) NLF + k 63 k 0 ◮ Given two KeeLoq states, 32 rounds or less apart, we can find the key bits used in these rounds. Bogdanov [B07] Sebastiaan Indesteege A Practical Attack on KeeLoq 8/ 21

  9. Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Slide Attack ◮ Cipher with many identical “rounds” F ( · ) P 2 . . . P 1 C 1 F F F F . . . P 2 C 2 F F F F C 1 ◮ Slid pair P 2 = F ( P 1 ), then also C 2 = F ( C 1 ) ◮ Encrypting C 1 and C 2 yields another slid pair , . . . ◮ Use these pairs to attack F ( · ) Sebastiaan Indesteege A Practical Attack on KeeLoq 9/ 21

  10. Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Basic Attack Scenario 16 rounds 16 rounds 16 rounds 16 rounds → P j P i → k 0 ... 15 k 16 ... 31 k 32 ... 47 k 48 ... 63 Expect a slid pair among 2 16 plaintexts (birthday paradox) Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21

  11. Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Basic Attack Scenario 16 rounds 16 rounds 16 rounds 16 rounds → P j P i → k 0 ... 15 k 16 ... 31 k 32 ... 47 k 48 ... 63 k 0 ... 15 16 rounds 16 rounds 16 rounds 16 rounds → C j C i → 528 rounds = 8 × 64 + 16 rounds Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21

  12. Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Basic Attack Scenario P ⋆ X ⋆ → P j P i → X i j i k 0 ... 15 k 16 ... 31 k 32 ... 47 k 48 ... 63 k 0 ... 15 Y ⋆ C ⋆ Y j → C j C i → j i Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21

  13. Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Basic Attack Scenario P ⋆ X ⋆ → P j P i → X i j i k 0 ... 15 k 16 ... 31 k 32 ... 47 k 48 ... 63 k 0 ... 15 Y ⋆ C ⋆ Y j → C j C i → j i Guess 16 key bits: k 0 ... 15 Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21

  14. Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Basic Attack Scenario P ⋆ X ⋆ → P j P i → X i j i k 0 ... 15 k 16 ... 31 k 32 ... 47 k 48 ... 63 k 0 ... 15 Y ⋆ C ⋆ Y j → C j C i → j i Guess 16 LSB’s of P ⋆ j : P ⋆ j = X ⋆ i Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21

  15. Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Basic Attack Scenario P ⋆ X ⋆ → P j P i → X i j i k 0 ... 15 k 16 ... 31 k 32 ... 47 k 48 ... 63 k 0 ... 15 Y ⋆ C ⋆ Y j → C j C i → j i For each plaintext j , determine k 48 ... 63 Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21

  16. Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Basic Attack Scenario Table P ⋆ 2 16 tuples X ⋆ → P j P i → X i j i � � P ⋆ j , Y ⋆ i , k 48 ... 63 k 0 ... 15 k 16 ... 31 k 32 ... 47 k 48 ... 63 k 0 ... 15 Y ⋆ C ⋆ Y j → C j C i → j i For each plaintext j , partially decrypt Y j to Y ⋆ j Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21

  17. Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Basic Attack Scenario Table P ⋆ 2 16 tuples X ⋆ → P j P i → X i j i � � P ⋆ j , Y ⋆ i , k 48 ... 63 k 0 ... 15 k 16 ... 31 k 32 ... 47 k 48 ... 63 k 0 ... 15 Y ⋆ C ⋆ Y j → C j C i → j i For each plaintext i , determine k 16 ... 31 Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21

  18. Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Basic Attack Scenario Table P ⋆ 2 16 tuples X ⋆ → P j P i → X i j i � � P ⋆ j , Y ⋆ i , k 48 ... 63 k 0 ... 15 k 16 ... 31 k 32 ... 47 k 48 ... 63 k 0 ... 15 Y ⋆ C ⋆ Y j → C j C i → j i For each plaintext i , partially encrypt C i to C ⋆ i Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21

  19. Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Basic Attack Scenario Table P ⋆ 2 16 tuples X ⋆ → P j P i → X i j i � � P ⋆ j , Y ⋆ i , k 48 ... 63 k 0 ... 15 k 16 ... 31 k 32 ... 47 k 48 ... 63 k 0 ... 15 Y ⋆ C ⋆ Y j → C j C i → ? j i Find ± 2 16 collision(s) between C ⋆ i and Y ⋆ j Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21

  20. Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Basic Attack Scenario Table P ⋆ 2 16 tuples X ⋆ → P j P i → X i j i � � P ⋆ j , Y ⋆ i , k 48 ... 63 ? k 0 ... 15 k 16 ... 31 k 32 ... 47 k 48 ... 63 k 0 ... 15 Y ⋆ C ⋆ Y j → C j C i → j i Determine (and check ) k 32 ... 47 ; ± 1 collision survives Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21

  21. Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Basic Attack Scenario Table P ⋆ 2 16 tuples X ⋆ → P j P i → X i j i � � P ⋆ j , Y ⋆ i , k 48 ... 63 k 0 ... 15 k 16 ... 31 k 32 ... 47 k 48 ... 63 k 0 ... 15 Y ⋆ C ⋆ Y j → C j C i → j i Verify key candidates using trial encryptions ( ± 2 16 in total) Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21

  22. Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Basic Attack Scenario Table P ⋆ 2 16 tuples X ⋆ → P j P i → X i j i � � P ⋆ j , Y ⋆ i , k 48 ... 63 k 0 ... 15 k 16 ... 31 k 32 ... 47 k 48 ... 63 k 0 ... 15 Y ⋆ C ⋆ Y j → C j C i → Complexity j i Data 2 16 known plaintexts Memory ± 2 MB for the table Time 2 45 KeeLoq encryptions Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21

  23. Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext A Generalisation of the Attack Why 16 rounds throughout the attack? Sebastiaan Indesteege A Practical Attack on KeeLoq 11/ 21

Recommend

Algebraic and Slide Attacks on KeeLoq Nicolas T. Courtois 1 Gregory V. Bard 2 1 - University

Algebraic and Slide Attacks on KeeLoq Nicolas T. Courtois 1 Gregory V. Bard 2 1 - University

Algebraic and Slide Attacks on KeeLoq Nicolas T. Courtois 1 Gregory V. Bard 2 1 - University College of London, UK 2 - University of Maryland, US KeeLoq and Algebraic Cryptanalysis KeeLoq Block cipher used to unlock doors and the alarm in

171 views • 13 slides
A Practical Congestion Attack on Tor Using Long Paths Towards De-anonymizing Tor Nathan S. Evans

A Practical Congestion Attack on Tor Using Long Paths Towards De-anonymizing Tor Nathan S. Evans

A Practical Congestion Attack on Tor Using Long Paths Towards De-anonymizing Tor Nathan S. Evans 1 Christian Grothoff 1 Roger Dingledine 2 1 University of Denver, Denver CO 2 The Tor Project August, 12 2009 A Practical Congestion Attack on Tor

2.41k views • 56 slides
Attacks on the KeeLoq Block Cipher and Authentication Systems Andrey Bogdanov Chair for

Attacks on the KeeLoq Block Cipher and Authentication Systems Andrey Bogdanov Chair for

Attacks on the KeeLoq Block Cipher and Authentication Systems Andrey Bogdanov Chair for Communication Security Ruhr University Bochum, Germany abogdanov@crypto.rub.de www.crypto.rub.de Abstract. KeeLoq is a block cipher used in numerous

143 views • 13 slides
A Tale of Three Signatures: Practical Attack of ECDSA with wNAF Gabrielle De Micheli Joint work

A Tale of Three Signatures: Practical Attack of ECDSA with wNAF Gabrielle De Micheli Joint work

A Tale of Three Signatures: Practical Attack of ECDSA with wNAF Gabrielle De Micheli Joint work with R emi Piau and C ecile Pierrot Universit e de Lorraine, Inria Nancy, France Africacrypt 2020 Cairo, Egypt 1/32 How to attack ECDSA

646 views • 32 slides
Practical key recovery attack against APOP , an MD5 based challenge response authentication. By

Practical key recovery attack against APOP , an MD5 based challenge response authentication. By

Practical key recovery attack against APOP , an MD5 based challenge response authentication. By Gaetan Leurent Presented by:- Guided By:- Raagi Sukhlecha Prof. Anish Mathuria Lalit Agarwal Outline Introduction APOP What is

953 views • 79 slides
NetCAT : Practical Cache Attacks from the Network Michael Kurth , Ben Gras, Dennis Andriesse,

NetCAT : Practical Cache Attacks from the Network Michael Kurth , Ben Gras, Dennis Andriesse,

NetCAT : Practical Cache Attacks from the Network Michael Kurth , Ben Gras, Dennis Andriesse, Cristiano Giuffrida, Herbert Bos, Kaveh Razavi Cache Attack from the Network Client Server Remote Cache Attack SSH 2 Network Cache Attack 3

794 views • 32 slides
Practical Attack on 8 Rounds of the Lightweight Block Cipher KLEIN Jean-Philippe Aumasson NAGRA,

Practical Attack on 8 Rounds of the Lightweight Block Cipher KLEIN Jean-Philippe Aumasson NAGRA,

Practical Attack on 8 Rounds of the Lightweight Block Cipher KLEIN Jean-Philippe Aumasson NAGRA, Switzerland - Mara Naya-Plasencia FHNW, Windisch, Switzerland and University of Versailles, France - Markku-Juhani O. Saarinen Revere

263 views • 15 slides
NFC-enabled Attack on Cyber Physical Systems: A Practical Case Study Fan Dang 1 , Pengfei Zhou 1,

NFC-enabled Attack on Cyber Physical Systems: A Practical Case Study Fan Dang 1 , Pengfei Zhou 1,

1 NFC-enabled Attack on Cyber Physical Systems: A Practical Case Study Fan Dang 1 , Pengfei Zhou 1, 2 , Zhenhua Li 1 , Yunhao Liu 1 1 School of Software, Tsinghua University, China 2 Beijing Feifanshi Technology Co., Ltd., China 2 Outline

1.01k views • 21 slides
Attack on Traffic Systems These attack examples have happened in the past. We will take an

Attack on Traffic Systems These attack examples have happened in the past. We will take an

From start to finish how a cyber attack would be performed on traffic system, we will go over first day >> exploitation of the device >> the real-world aftermath. Mission Secure, Inc. Attack on Traffic Systems These attack examples

556 views • 18 slides
Practical Cryptanalysis of ARMADILLO-2 Mar a Naya-Plasencia and Thomas Peyrin University of

Practical Cryptanalysis of ARMADILLO-2 Mar a Naya-Plasencia and Thomas Peyrin University of

The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion Practical Cryptanalysis of ARMADILLO-2 Mar a Naya-Plasencia and Thomas Peyrin University of Versailles - France Nanyang Technological

846 views • 43 slides
A Practical Attack to De-Anonymize Social Network Users Gilbert Wondracek (Vienna University of

A Practical Attack to De-Anonymize Social Network Users Gilbert Wondracek (Vienna University of

Int. Secure Systems Lab Vienna University of Technology A Practical Attack to De-Anonymize Social Network Users Gilbert Wondracek (Vienna University of Technology) Thorsten Holz (Vienna University of Technology) Engin Kirda (Institute Eurecom)

776 views • 31 slides
When We Need Audit Logs Computer forensics in courts Recovering from an attack

When We Need Audit Logs Computer forensics in courts Recovering from an attack

Systematic and Practical Methods for Computer Attack Analysis and Forensics Dr. Sean Peisert UC Davis Computer Science Dept. NSF I/UCRC Meeting ~ Davis, CA June 17, 2008 1 When We Need Audit Logs Computer forensics in courts

524 views • 11 slides
ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on

ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on

ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on Deep Neural Networks Yandong Li* 1 Lijun Li* 1 Liqiang Wang 1 Tong Zhang 2 Boqing Gong 3 *Equal Contribution 1 University of Central Florida 2 Hong

440 views • 11 slides
Detecting a Biological Attack The attack will not be obvious; it may take hours or days to know.

Detecting a Biological Attack The attack will not be obvious; it may take hours or days to know.

Detecting a Biological Attack The attack will not be obvious; it may take hours or days to know. Current biological diagnostics are very effective at identifying agents, but theyre slow. We already have an infrastruc- ture in place to

233 views • 8 slides
ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT & Return-to-plt Attack

ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT & Return-to-plt Attack

ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT & Return-to-plt Attack & GOT Overwrite Attack Dr. Si Chen (schen@wcupa.edu) Review Page 2 ret2libc Attack Page 3 libc C standard library Provides

662 views • 36 slides
.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A Summary of a 3 weeks long experience 2016-03-07 Dec 2015 DDoS Attack on .TR 2 Before DDoS q Infrequent Small scale DoS and DDos Attacks Few

606 views • 14 slides
Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 Compression Function Jrmy

Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 Compression Function Jrmy

Outline Attack Conclusion ECHO-256 Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 Compression Function Jrmy Jean and Pierre-Alain Fouque Ecole Normale Suprieure FSE2011 February 14, 2011 FSE2011 Jrmy

562 views • 42 slides
Practical Invalid Curve Attacks on TLS-ECDH Tibor Jager, Jrg Schwenk, Juraj Somorovsky Horst

Practical Invalid Curve Attacks on TLS-ECDH Tibor Jager, Jrg Schwenk, Juraj Somorovsky Horst

Practical Invalid Curve Attacks on TLS-ECDH Tibor Jager, Jrg Schwenk, Juraj Somorovsky Horst Grtz Institute for IT Security Ruhr University Bochum @jurajsomorovsky 1 Pract actical ical Inva valid d Ellip iptic Curve ve Attack acks

1.45k views • 32 slides
A New Side-Channel Attack on RSA Prime Generation Thomas Finke, Max Gebhardt, Werner Schindler

A New Side-Channel Attack on RSA Prime Generation Thomas Finke, Max Gebhardt, Werner Schindler

A New Side-Channel Attack on RSA Prime Generation Thomas Finke, Max Gebhardt, Werner Schindler Federal Office for Information Security (BSI), Germany Lausanne, September 7, 2009 Outline r Introduction and Motivation r The Attack r Basic attack

514 views • 25 slides
Cryptanalysis of PRINT CIPHER : The Invariant Subspace Attack Gregor Leander, Mohamed

Cryptanalysis of PRINT CIPHER : The Invariant Subspace Attack Gregor Leander, Mohamed

Description of PRINT CIPHER The Attack Relation To Truncated Differential Attack Conclusion Cryptanalysis of PRINT CIPHER : The Invariant Subspace Attack Gregor Leander, Mohamed Abdelraheem, Huda AlKhzaimi, and Erik Zenner DTU Mathematics

598 views • 37 slides
Ransomware Attack Briefing Presidents Leadership Council October 21, 2019 August 8 Cyberattack

Ransomware Attack Briefing Presidents Leadership Council October 21, 2019 August 8 Cyberattack

Ransomware Attack Briefing Presidents Leadership Council October 21, 2019 August 8 Cyberattack Summary : The attack was severe and sophisticated; categorized as a catastrophic attack. It was highly strategic with regard to timing

329 views • 16 slides
TCPDB.DAT case Archive file signatures Attack surface Attack vectors Defense Conclusions P A

TCPDB.DAT case Archive file signatures Attack surface Attack vectors Defense Conclusions P A

Introduction Motivation SAP compression algorithms Archive file programs SAP archive file formats CAR SAR v2.00 SAR v2.01 Relative/absolute paths TCPDB.DAT case Archive file signatures Attack surface Attack vectors

913 views • 49 slides
ASCs 5.1 Surround ATTACK Wall walls and corners. Its name, ATTACK is an acronym that

ASCs 5.1 Surround ATTACK Wall walls and corners. Its name, ATTACK is an acronym that

December 7-8, 2001, Beverly Hills, CA. Corporation, at the Surround 2001 International Conference and Technology Showcase, .E., President of Acoustic Sciences Transcript of a seminar presented by Arthur Noxon P ASCs 5.1 Surround ATTACK Wall

243 views • 6 slides
Identifying Attack Vectors Professor Larry Heimann Web Application Security Information Systems

Identifying Attack Vectors Professor Larry Heimann Web Application Security Information Systems

Identifying Attack Vectors Professor Larry Heimann Web Application Security Information Systems Nothing is in isolation Attack surface An attack surface is the total number of possible attack vectors Think of a house, with the

309 views • 15 slides

More recommend