Mihály Bárász, Balázs Boros, Péter Ligeti, Krisztina Lója, Dániel A. Nagy
Breaking LMAP
Eötvös Loránd University, Budapest, Hungary
ELTECRYPT Research Group
LMAP
Pedro Peris-Lopez, Julio Cesar Hernandez-Castro, Juan M. Estévez Tapiador, Arturo Ribagorda: LMAP: A Real Lightweight Mutual Authentication Protocol for Low-cost RFID tags, in: Proc. of RFIDSec06 Workshop on RFID Security, July 12-14, Graz, Austria, 2006.
2/29
LMAP
Minimalist cryptography
Simple operations:
• Bitwise XOR ($\oplus$)
• Bitwise OR ($\vee$)
• Addition mod $2^m$ ($+$)
The goal:
• low complexity in the tags
• adequate level of security
Is it possible?
3/29
Active attack against LMAP
Tieyan Li, Guilin Wang: Security Analysis of Two Ultra-Lightweight Mutual Authentication Protocol for Low-cost RFID tags, IFIP SEC 2007.
• Active attack against the LMAP
• de-synchronization attack
• full-disclosure attack
• 96 rounds of authentication are needed
4/29
Breaking LMAP
Our attack:
• Passive attack
• Intercepting a few consecutive rounds of authentication of the same tag is enough to calculate the keys and all other secrets
• The attacker can impersonate the tag in the subsequent rounds
5/29
LMAP keys and secrets
$K = K_1 \,\|\, K_2 \,\|\, K_3 \,\|\, K_4$: the keys, 384 bit = 96 + 96 + 96 + 96 bit
$\mathrm{ID}$: a constant identification number (96 bit)
$\mathrm{IDS}$: an identification number that must be updated after every round of authentication (96 bit)
$n_1$, $n_2$: random numbers generated by the reader (96 bit)
6/29
Mutual authentication
Tag identification:
  READER → TAG: hello
  TAG → READER: $\mathrm{IDS}$
Mutual authentication:
  READER → TAG: $A \,\|\, B \,\|\, C$
  TAG → READER: $D$
7/29
Messages A, B, C, D
READER → TAG: A, B, C
$A = \mathrm{IDS} \oplus K_1 \oplus n_1$ (now the tag knows $n_1$)
$B = (\mathrm{IDS} \vee K_2) + n_1$ (reader authentication)
$C = \mathrm{IDS} + K_3 + n_2$ (the tag knows $n_2$)
TAG → READER: D
$D = (\mathrm{IDS} + \mathrm{ID}) \oplus n_1 \oplus n_2$ (tag authentication)
8/29
Updating the keys and IDS
$\mathrm{IDS}^{(n+1)} = (\mathrm{IDS}^{(n)} + (n_2^{(n)} \oplus K_4^{(n)})) \oplus \mathrm{ID}$
$K_1^{(n+1)} = K_1^{(n)} \oplus n_2^{(n)} \oplus (K_3^{(n)} + \mathrm{ID})$
$K_2^{(n+1)} = K_2^{(n)} \oplus n_2^{(n)} \oplus (K_4^{(n)} + \mathrm{ID})$
$K_3^{(n+1)} = (K_3^{(n)} \oplus n_1^{(n)}) + (K_1^{(n)} \oplus \mathrm{ID})$
$K_4^{(n+1)} = (K_4^{(n)} \oplus n_1^{(n)}) + (K_2^{(n)} \oplus \mathrm{ID})$
9/29
Weaknesses of the LMAP
• LMAP uses only bitwise operations and addition modulo $2^{96}$: every output bit depends only on the input bits at the same and less significant positions
• For the least significant bits the XOR operation and addition modulo $2^{96}$ are the same, so we can compute the least significant bits
10/29
Weaknesses of the LMAP
• Addition modulo $2^{96}$ poses no difficulty once we know every less significant bit
• The bitwise OR ($\vee$) operation is a weak point in the protocol: $B = (\mathrm{IDS} \vee K_2) + n_1$ gives information about $n_1$ with the help of the 1 bits of the $\mathrm{IDS}$
11/29
The steps of breaking LMAP
• We will need a few consecutive rounds of authentication of the same tag
• We compute the least significant bits (the 96th bits) in a round where the least significant bit of the $\mathrm{IDS}$ is 1
• Next we compute the 95th bits
• We will need $r$ rounds so that $[\mathrm{IDS}^{(n)}]_k \vee [\mathrm{IDS}^{(n+1)}]_k \vee [\mathrm{IDS}^{(n+2)}]_k \vee \dots \vee [\mathrm{IDS}^{(n+r-1)}]_k = 1$ for every $k = 1, 2, \dots, 96$, plus two more rounds, and we can compute every key and secret
$[M^{(n)}]_k$: the $k$-th bit of message $M$ in round $n$
12/29
The least significant bits: $n_1$, $K_1$
Let us assume that $[\mathrm{IDS}^{(n)}]_{96} = 1$
Known: $A$, $B$, $C$, $D$, $\mathrm{IDS}$
Unknown: $K_1$, $K_2$, $K_3$, $K_4$, $\mathrm{ID}$, $n_1$, $n_2$
$B = (\mathrm{IDS} \vee K_2) + n_1$
$([\mathrm{IDS}^{(n)}]_{96} \vee [K_2^{(n)}]_{96}) = 1$
$[B^{(n)}]_{96} = 1 \oplus [n_1^{(n)}]_{96}$
$[n_1^{(n)}]_{96} = [B^{(n)}]_{96} \oplus 1$
$[A^{(n)}]_{96} = [\mathrm{IDS}^{(n)}]_{96} \oplus [K_1^{(n)}]_{96} \oplus [n_1^{(n)}]_{96}$
$[K_1^{(n)}]_{96} = [A^{(n)}]_{96} \oplus [\mathrm{IDS}^{(n)}]_{96} \oplus [n_1^{(n)}]_{96}$
Unknown: $K_1$, $K_2$, $K_3$, $K_4$, $\mathrm{ID}$, $n_1$, $n_2$
Known: the 96th bit of $n_1$, $K_1$
13/29
The least significant bits: $K_4$
$D = (\mathrm{IDS} + \mathrm{ID}) \oplus n_1 \oplus n_2$
$[D^{(n)}]_{96} = [\mathrm{IDS}^{(n)}]_{96} \oplus [\mathrm{ID}]_{96} \oplus [n_1^{(n)}]_{96} \oplus [n_2^{(n)}]_{96}$
$\mathrm{IDS}^{(n+1)} = (\mathrm{IDS}^{(n)} + (n_2^{(n)} \oplus K_4^{(n)})) \oplus \mathrm{ID}$
$[\mathrm{IDS}^{(n+1)}]_{96} = ([\mathrm{IDS}^{(n)}]_{96} + ([n_2^{(n)}]_{96} \oplus [K_4^{(n)}]_{96})) \oplus [\mathrm{ID}]_{96}$
$[K_4^{(n)}]_{96} = [\mathrm{IDS}^{(n+1)}]_{96} \oplus [D^{(n)}]_{96} \oplus [n_1^{(n)}]_{96}$
Unknown: the 96th bit of $K_2$, $K_3$, $\mathrm{ID}$, $n_2$
Known: the 96th bit of $n_1$, $K_1$, $K_4$
14/29
Messages A, B, C, D in round n+1
$[A^{(n+1)}]_{96} = [\mathrm{IDS}^{(n+1)}]_{96} \oplus [K_1^{(n)}]_{96} \oplus [n_2^{(n)}]_{96} \oplus [K_3^{(n)}]_{96} \oplus [\mathrm{ID}]_{96} \oplus [n_1^{(n+1)}]_{96}$
$[B^{(n+1)}]_{96} = ([\mathrm{IDS}^{(n+1)}]_{96} \vee ([K_2^{(n)}]_{96} \oplus [n_2^{(n)}]_{96} \oplus [K_4^{(n)}]_{96} \oplus [\mathrm{ID}]_{96})) \oplus [n_1^{(n+1)}]_{96}$
$[C^{(n+1)}]_{96} = [\mathrm{IDS}^{(n+1)}]_{96} \oplus [K_3^{(n)}]_{96} \oplus [n_1^{(n)}]_{96} \oplus [K_1^{(n)}]_{96} \oplus [\mathrm{ID}]_{96} \oplus [n_2^{(n+1)}]_{96}$
$[D^{(n+1)}]_{96} = [\mathrm{IDS}^{(n+1)}]_{96} \oplus [\mathrm{ID}]_{96} \oplus [n_1^{(n+1)}]_{96} \oplus [n_2^{(n+1)}]_{96}$
(If $[\mathrm{IDS}^{(n+1)}]_{96} = 1$, then $[B^{(n+1)}]_{96} = 1 \oplus [n_1^{(n+1)}]_{96}$)
15/29
The least significant bits: $n_2^{(n+1)}$
$[C^{(n+1)}]_{96} = [\mathrm{IDS}^{(n+1)}]_{96} \oplus [K_3^{(n)}]_{96} \oplus [n_1^{(n)}]_{96} \oplus [K_1^{(n)}]_{96} \oplus [\mathrm{ID}]_{96} \oplus [n_2^{(n+1)}]_{96}$
$[C^{(n)}]_{96} = [\mathrm{IDS}^{(n)}]_{96} \oplus [K_3^{(n)}]_{96} \oplus [n_2^{(n)}]_{96}$
$[D^{(n)}]_{96} = [\mathrm{IDS}^{(n)}]_{96} \oplus [\mathrm{ID}]_{96} \oplus [n_1^{(n)}]_{96} \oplus [n_2^{(n)}]_{96}$
$[C^{(n)}]_{96} \oplus [D^{(n)}]_{96} = [\mathrm{ID}]_{96} \oplus [n_1^{(n)}]_{96} \oplus [K_3^{(n)}]_{96}$
$[n_2^{(n+1)}]_{96} = [\mathrm{IDS}^{(n+1)}]_{96} \oplus [C^{(n+1)}]_{96} \oplus [C^{(n)}]_{96} \oplus [D^{(n)}]_{96} \oplus [K_1^{(n)}]_{96}$
Unknown: the 96th bit of $K_2$, $K_3$, $\mathrm{ID}$, $n_2$
Known: the 96th bit of $n_1$, $n_2^{(n+1)}$, $K_1$, $K_4$
16/29
The least significant bits: $K_2^{(n)}$
$[\mathrm{IDS}^{(n+2)}]_{96} = [\mathrm{IDS}^{(n+1)}]_{96} \oplus [n_2^{(n+1)}]_{96} \oplus [K_4^{(n+1)}]_{96} \oplus [\mathrm{ID}]_{96} = [\mathrm{IDS}^{(n+1)}]_{96} \oplus [n_2^{(n+1)}]_{96} \oplus [K_4^{(n)}]_{96} \oplus [n_1^{(n)}]_{96} \oplus [K_2^{(n)}]_{96}$
$[K_2^{(n)}]_{96} = [\mathrm{IDS}^{(n+2)}]_{96} \oplus [\mathrm{IDS}^{(n+1)}]_{96} \oplus [n_2^{(n+1)}]_{96} \oplus [K_4^{(n)}]_{96} \oplus [n_1^{(n)}]_{96}$
Unknown: the 96th bit of $K_3$, $\mathrm{ID}$, $n_2$
Known: the 96th bit of $n_1$, $n_2^{(n+1)}$, $K_1$, $K_2$, $K_4$
17/29
The least significant bits: $n_1^{(n+1)}$, $\mathrm{ID}$
$[B^{(n+1)}]_{96} = ([\mathrm{IDS}^{(n+1)}]_{96} \vee ([K_2^{(n)}]_{96} \oplus [n_2^{(n)}]_{96} \oplus [K_4^{(n)}]_{96} \oplus [\mathrm{ID}]_{96})) \oplus [n_1^{(n+1)}]_{96}$
$[D^{(n)}]_{96} = [\mathrm{IDS}^{(n)}]_{96} \oplus [\mathrm{ID}]_{96} \oplus [n_1^{(n)}]_{96} \oplus [n_2^{(n)}]_{96}$
$[n_1^{(n+1)}]_{96} = [B^{(n+1)}]_{96} \oplus ([\mathrm{IDS}^{(n+1)}]_{96} \vee ([K_2^{(n)}]_{96} \oplus [K_4^{(n)}]_{96} \oplus [D^{(n)}]_{96} \oplus [n_1^{(n)}]_{96}))$
$[D^{(n+1)}]_{96} = [\mathrm{IDS}^{(n+1)}]_{96} \oplus [\mathrm{ID}]_{96} \oplus [n_1^{(n+1)}]_{96} \oplus [n_2^{(n+1)}]_{96}$
$[\mathrm{ID}]_{96} = [\mathrm{IDS}^{(n+1)}]_{96} \oplus [D^{(n+1)}]_{96} \oplus [n_1^{(n+1)}]_{96} \oplus [n_2^{(n+1)}]_{96}$
Unknown: the 96th bit of $K_3$, $n_2$
Known: the 96th bit of $n_1$, $n_1^{(n+1)}$, $n_2^{(n+1)}$, $K_1$, $K_2$, $K_4$, $\mathrm{ID}$
18/29
The least significant bits: $n_2$, $K_3$
$[D^{(n)}]_{96} = [\mathrm{IDS}^{(n)}]_{96} \oplus [\mathrm{ID}]_{96} \oplus [n_1^{(n)}]_{96} \oplus [n_2^{(n)}]_{96}$
$[n_2^{(n)}]_{96} = [\mathrm{IDS}^{(n)}]_{96} \oplus [\mathrm{ID}]_{96} \oplus [n_1^{(n)}]_{96} \oplus [D^{(n)}]_{96}$
$[C^{(n)}]_{96} = [\mathrm{IDS}^{(n)}]_{96} \oplus [K_3^{(n)}]_{96} \oplus [n_2^{(n)}]_{96}$
$[K_3^{(n)}]_{96} = [\mathrm{IDS}^{(n)}]_{96} \oplus [C^{(n)}]_{96} \oplus [n_2^{(n)}]_{96}$
Now we know the least significant bit of every key and secret!
19/29
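The least-significant-bit derivation of slides 13 to 19, carried through on a simulated tag. This is an added example, not code from the slides: `lmap_round`, `recover_lsb`, `demo` and the state dictionary are names assumed here, and the secrets are randomly constructed with the first IDS forced to have its least significant bit set.

```python
import secrets

M = (1 << 96) - 1  # every LMAP value is 96 bits wide

def lmap_round(s):
    """Run one LMAP round on state s; return the eavesdropped messages and the nonces."""
    n1, n2 = secrets.randbits(96), secrets.randbits(96)
    ids, ID, k1, k2, k3, k4 = (s[x] for x in ("IDS", "ID", "K1", "K2", "K3", "K4"))
    seen = {"IDS": ids, "A": ids ^ k1 ^ n1, "B": ((ids | k2) + n1) & M,
            "C": (ids + k3 + n2) & M, "D": ((ids + ID) & M) ^ n1 ^ n2}
    s.update(IDS=((ids + (n2 ^ k4)) & M) ^ ID,          # update rules of slide 9
             K1=k1 ^ n2 ^ ((k3 + ID) & M), K2=k2 ^ n2 ^ ((k4 + ID) & M),
             K3=((k3 ^ n1) + (k1 ^ ID)) & M, K4=((k4 ^ n1) + (k2 ^ ID)) & M)
    return seen, {"n1": n1, "n2": n2}

def recover_lsb(r0, r1, r2):
    """LSBs of the round-n secrets from rounds n, n+1, n+2 (needs LSB of IDS(n) = 1)."""
    b = lambda r, m: r[m] & 1
    if not b(r0, "IDS"):
        raise ValueError("wait for a round whose IDS has least significant bit 1")
    n1 = b(r0, "B") ^ 1                                   # slide 13
    k1 = b(r0, "A") ^ b(r0, "IDS") ^ n1
    k4 = b(r1, "IDS") ^ b(r0, "D") ^ n1                   # slide 14
    n2_next = b(r1, "IDS") ^ b(r1, "C") ^ b(r0, "C") ^ b(r0, "D") ^ k1  # slide 16
    k2 = b(r2, "IDS") ^ b(r1, "IDS") ^ n2_next ^ k4 ^ n1  # slide 17
    # Slide 18, using n2 ^ ID = D ^ IDS ^ n1 at the LSB; the IDS(n) bit (1 here)
    # is written out explicitly in this example.
    n1_next = b(r1, "B") ^ (b(r1, "IDS") | (k2 ^ k4 ^ b(r0, "D") ^ b(r0, "IDS") ^ n1))
    ID = b(r1, "IDS") ^ b(r1, "D") ^ n1_next ^ n2_next
    n2 = b(r0, "IDS") ^ ID ^ n1 ^ b(r0, "D")              # slide 19
    k3 = b(r0, "IDS") ^ b(r0, "C") ^ n2
    return {"n1": n1, "n2": n2, "K1": k1, "K2": k2, "K3": k3, "K4": k4, "ID": ID}

def demo():
    """Simulate three consecutive rounds; return (recovered LSBs, true LSBs)."""
    s = {k: secrets.randbits(96) for k in ("IDS", "ID", "K1", "K2", "K3", "K4")}
    s["IDS"] |= 1  # constructed so the first captured round qualifies
    truth = {k: s[k] & 1 for k in ("K1", "K2", "K3", "K4", "ID")}
    rounds = []
    for i in range(3):
        seen, nonces = lmap_round(s)
        if i == 0:
            truth.update({k: v & 1 for k, v in nonces.items()})
        rounds.append(seen)
    return recover_lsb(*rounds), truth

if __name__ == "__main__":
    print(demo())
```

`recover_lsb` reads only the public messages IDS, A, B, C and D; the true secrets are used solely to check the result.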
The 95th bits
$[A^{(n)}]_{95} = [\mathrm{IDS}^{(n)}]_{95} \oplus [K_1^{(n)}]_{95} \oplus [n_1^{(n)}]_{95}$
$[B^{(n)}]_{95} = ([\mathrm{IDS}^{(n)}]_{95} \vee [K_2^{(n)}]_{95}) \oplus [n_1^{(n)}]_{95} \oplus (([\mathrm{IDS}^{(n)}]_{96} \vee [K_2^{(n)}]_{96}) \vee [n_1^{(n)}]_{96})$
$[C^{(n)}]_{95} = [\mathrm{IDS}^{(n)}]_{95} \oplus [K_3^{(n)}]_{95} \oplus [n_2^{(n)}]_{95} \oplus ([K_3^{(n)}]_{96} \vee [n_2^{(n)}]_{96})$
$[D^{(n)}]_{95} = [\mathrm{IDS}^{(n)}]_{95} \oplus [\mathrm{ID}]_{95} \oplus ([\mathrm{IDS}^{(n)}]_{96} \vee [\mathrm{ID}]_{96}) \oplus [n_1^{(n)}]_{95} \oplus [n_2^{(n)}]_{95}$
20/29
Computing all the bits
• If $[\mathrm{IDS}^{(n)}]_{95} = 1$, then the problem is equivalent to that of the least significant bits.
• If $[\mathrm{IDS}^{(n)}]_{95} = 0$, then we have to wait for a later round where the 95th bit of the $\mathrm{IDS}$ is 1.
• After this we will compute the 95th bits in round $n$ as well.
• After the 95th bits we compute the 94th bits and so on. (We use the same few rounds of authentication!)
21/29
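Waiting for the bit 1 in the IDS
$P([\mathrm{IDS}^{(n)}]_k = 1) = \tfrac{1}{2}$
$P([\mathrm{IDS}^{(n)}]_k = 1 \mid [\mathrm{IDS}^{(n-1)}]_k = 0) = P([\mathrm{IDS}^{(n)}]_k = 1 \mid [\mathrm{IDS}^{(n-1)}]_k = 1) = \tfrac{1}{2}$
$\mathrm{IDS}^{(n+1)} = (\mathrm{IDS}^{(n)} + (n_2^{(n)} \oplus K_4^{(n)})) \oplus \mathrm{ID}$ (random)
If $[\mathrm{IDS}^{(n)}]_{95} = 0$, then in a later round it must be 1
22/29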