cryptanalysis of the kindle cipher
play

Cryptanalysis of the Kindle Cipher Conclusion Ciphertext only - PowerPoint PPT Presentation

Aug 14, 2023 •258 likes •556 views

1 / 22 Introduction SAC 2012 Cryptanalysis of the Kindle Cipher A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the Kindle Cipher Conclusion Ciphertext only key-recovery Known-plaintext key-recovery PC1 . . . . . . .

  1. 1 / 22 Introduction SAC 2012 Cryptanalysis of the “Kindle” Cipher A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher Conclusion Ciphertext only key-recovery Known-plaintext key-recovery PC1 . . . . . . . . . . . . . . . . . Alex Biryukov, Gaëtan Leurent, Arnab Roy University of Luxembourg SAC 2012

  2. 2 / 22 Cryptography: theory and practice SAC 2012 Cryptanalysis of the “Kindle” Cipher A. Biryukov, G. Leurent, A. Roy (uni.lu) Introduction In theory In practice Conclusion Known-plaintext key-recovery PC1 Ciphertext only key-recovery . . . . . . . . . . . . . . . . . ▶ Algorithms ▶ Random Oracle ▶ AES ▶ Ideal Cipher ▶ SHA2 ▶ Perfect source of ▶ RSA randomness ▶ Modes of operation ▶ CBC ▶ OAEP ▶ ... ▶ Random Number Generators . ▶ Hardware RNG ▶ PRNG

  3. 3 / 22 Introduction SAC 2012 PC1 Cryptanalysis of the “Kindle” Cipher Known-plaintext key-recovery A. Biryukov, G. Leurent, A. Roy (uni.lu) Ciphertext only key-recovery Conclusion Cryptography in the real world . . . . . . . . . . . . . . . . . Several examples of flaws in industrial cryptography: ▶ Bad random source ▶ SLL with 16bit entropy (Debian) ▶ ECDSA with fixed k (Sony) ▶ Bad key size ▶ RSA512 (TI) ▶ Export restrictions... ▶ Bad mode of operation ▶ CBCMAC with the RC4 streamcipher (Microsoft) ▶ TEA with DaviesMeyer (Microsoft) ▶ Bad (proprietary) algorithm ▶ A5/1 (GSM) ▶ CSS (DVD forum) ▶ Crypto1 (MIFARE/NXP) ▶ KeeLoq (Microchip)

  4. 4 / 22 Introduction SAC 2012 PC1 Cryptanalysis of the “Kindle” Cipher Known-plaintext key-recovery A. Biryukov, G. Leurent, A. Roy (uni.lu) Ciphertext only key-recovery Conclusion Amazon Kindle . . . . . . . . . . . . . . . . . ▶ Ebook reader by Amazon ▶ Most popular ebook reader ( ≈ 50 % share) ▶ 4 generations, 7 devices ▶ Software reader for 7 OS, plus cloud reader ▶ Several million devices sold ▶ Amazon sells more ebooks than paper books ▶ Uses crypto for DRM (Digital Rights Management)

  5. 5 / 22 Introduction SAC 2012 PC1 Cryptanalysis of the “Kindle” Cipher Known-plaintext key-recovery A. Biryukov, G. Leurent, A. Roy (uni.lu) Ciphertext only key-recovery Conclusion Digital Rights Management DRM scheme . . . . . . . . . . . . . . . . . ▶ Company sells media (music, video, ebook, game, ...) ▶ Wants to prevent sharing . . . . . . . ▶ Customer should read but not copy Charly ▶ Encipher media ▶ Give player to users Bob ▶ Hardware or software Alice ▶ Player contains the key

  6. 5 / 22 Introduction SAC 2012 PC1 Cryptanalysis of the “Kindle” Cipher Known-plaintext key-recovery A. Biryukov, G. Leurent, A. Roy (uni.lu) Ciphertext only key-recovery Conclusion Digital Rights Management DRM scheme . . . . . . . . . . . . . . . . . ▶ Company sells media (music, video, ebook, game, ...) ▶ Wants to prevent sharing . . . . . . . ▶ Customer should read but not copy Charly ▶ Encipher media ? ▶ Give player to users Bob ▶ Hardware or software Alice ▶ Player contains the key

  7. 6 / 22 Introduction SAC 2012 PC1 Cryptanalysis of the “Kindle” Cipher Known-plaintext key-recovery A. Biryukov, G. Leurent, A. Roy (uni.lu) Ciphertext only key-recovery Conclusion Breaking DRM . . . . . . . . . . . . . . . . . ▶ Copy the media while being played . . ▶ Extract the key from the player, decipher media . . Tamperproof hardware? Obfuscation? Whitebox crypto? ▶ No need to break the crypto! ▶ Pirates break once, copy...

  8. 7 / 22 Introduction SAC 2012 PC1 Cryptanalysis of the “Kindle” Cipher Known-plaintext key-recovery A. Biryukov, G. Leurent, A. Roy (uni.lu) Ciphertext only key-recovery Conclusion Digital Rights Management Illegal User Legal User . . . . . . . . . . . . . . . . . ▶ Can only use authorized player ▶ Collection lockedin ▶ DRM can restrict user rights . . . . . . . ▶ Lending, reselling, ... Charly ▶ No format shifting: ▶ play DVD on tablet ▶ read ebook w/ speech synth. Bob Alice ▶ Can still find illegal copies ▶ Can do anything with the media

  9. 8 / 22 Introduction SAC 2012 PC1 Cryptanalysis of the “Kindle” Cipher Known-plaintext key-recovery A. Biryukov, G. Leurent, A. Roy (uni.lu) Ciphertext only key-recovery Conclusion DRM on the Kindle Overview . . . . . . . . . . . . . . . . . ▶ Kindle ebooks use DRM ▶ Like any DRM system, it is bound to fail ▶ In practice, it is easy to extract the key (Google for details...) ▶ In this talk, we study the cipher used in this DRM system We don’t study the DRM system itself ▶ The DRM system uses a cipher called PC1 ▶ It’s a really weak cipher...

  10. 9 / 22 Introduction SAC 2012 Cryptanalysis of the “Kindle” Cipher A. Biryukov, G. Leurent, A. Roy (uni.lu) Ciphertext only key-recovery Known-plaintext key-recovery Introduction The PC1 Cipher Outline Conclusion PC1 Known-plaintext key-recovery Ciphertext only key-recovery . . . . . . . . . . . . . . . . . Cryptography in the real world Digital Rights Management Description Weaknesses Collision detection Key recovery Bias with independent keys Recovering the plaintext

  11. 10 / 22 Introduction SAC 2012 PC1 Cryptanalysis of the “Kindle” Cipher Known-plaintext key-recovery A. Biryukov, G. Leurent, A. Roy (uni.lu) Ciphertext only key-recovery Conclusion The PC1 Cipher . . . . . . . . . . . . . . . . . ▶ Designed by Pukall in 1991 ▶ Posted on Usenet p s π ▶ Kindle DRM based on PC1 8 8 16 ▶ Selfsynchronizing stream cipher No IV! w . . . . . . . . . . . . . . . . . . . . . . . k ▶ 16bit arithmetic: add, mult, xor 𝖫𝖦 𝖳𝖦 128 8 × 16 Main loop ( 𝖫𝖦 and 𝖳𝖦 ) σ k σ s for 0 ≤ i < 8 do 16 16 16 w ← w ⊕ k i ⊕ (π × 257 ) x ← 346 × w 𝗀𝗉𝗆𝖾 w ← 20021 × w + 1 8 σ s ← s + x p c σ ← σ ⊕ w ⊕ s s ← 20021 × ( s + ( i + 1 mod 8 ) ) + x

  12. 11 / 22 Introduction SAC 2012 PC1 Cryptanalysis of the “Kindle” Cipher Known-plaintext key-recovery A. Biryukov, G. Leurent, A. Roy (uni.lu) Ciphertext only key-recovery Conclusion Weakness 1: T-functions Weakness . . . . . . . . . . . . . . . . . This is a Tfunction p s π ▶ Low bits of the output 8 depend only on the 8 16 low bits of the input ▶ Add, mult, xor w . . . . . . . . . . . . . . . . . . . . . . . k 𝖫𝖦 𝖳𝖦 8 × 16 8 × 16 ▶ Guess 8 × 9 bits of the key σ k σ s ▶ Get 9 bits before the fold 16 16 16 ▶ Get 1 bit after the fold 𝗀𝗉𝗆𝖾 ▶ Verify with known plaintext 8 σ p c ▶ Complexity: 2 72 some bytes of known plaintext

  13. 12 / 22 Introduction SAC 2012 PC1 Cryptanalysis of the “Kindle” Cipher Known-plaintext key-recovery A. Biryukov, G. Leurent, A. Roy (uni.lu) Ciphertext only key-recovery Conclusion Weakness 2: small state Weakness . . . . . . . . . . . . . . . . . The state is very small p s π 8 s 16bit 8 16 π 8bit, keyindependent w . . . . . . . . . . . . . . . . . . . . . . . k 𝖫𝖦 𝖳𝖦 8 × 16 8 × 16 ▶ Build a set of plaintexts x i ‖ y , x i ’s with fixed xorsum σ k σ s ▶ With high probability the 16 16 state collides after x i and x j 16 ▶ Same encryption of y 𝗀𝗉𝗆𝖾 8 σ p ▶ Complexity: 2 8 CP c (distinguisher)

  14. 13 / 22 Introduction SAC 2012 Cryptanalysis of the “Kindle” Cipher A. Biryukov, G. Leurent, A. Roy (uni.lu) Ciphertext only key-recovery Known-plaintext key-recovery Introduction The PC1 Cipher Outline Conclusion PC1 Known-plaintext key-recovery Ciphertext only key-recovery . . . . . . . . . . . . . . . . . Cryptography in the real world Digital Rights Management Description Weaknesses Collision detection Key recovery Bias with independent keys Recovering the plaintext

  15. 14 / 22 How much wood could a woodchuck chuck SAC 2012 Cryptanalysis of the “Kindle” Cipher A. Biryukov, G. Leurent, A. Roy (uni.lu) ghxadiaphjjxicwpidkasqghugbqsjbf if a woodchuck could chuck wood? Introduction gfecuhaupmaqcdlvtognfgdhisqghugbrfqvc Collision detection Conclusion Ciphertext only key-recovery Known-plaintext key-recovery PC1 . . . . . . . . . . . . . . . . . Can we use state collisions in a knownplaintext attack? ▶ In a natural language text, some words will be repeated. ▶ With some probability ( p ≈ 2 − 24 ), two instances of a repeated word begin with the same state. ▶ This gives a repetition in the ciphertext. ▶ When we detect a repetition in the plaintext and ciphertext, we can assume that the state is colliding.

  16. 14 / 22 How much wood could a woodchuck chuck SAC 2012 Cryptanalysis of the “Kindle” Cipher A. Biryukov, G. Leurent, A. Roy (uni.lu) ghxadiaphjjxicwpidkasqghugbqsjbf if a woodchuck could chuck wood? Introduction gfecuhaupmaqcdlvtognfgdhisqghugbrfqvc Collision detection Conclusion Ciphertext only key-recovery Known-plaintext key-recovery PC1 . . . . . . . . . . . . . . . . . Can we use state collisions in a knownplaintext attack? ▶ In a natural language text, some words will be repeated. ▶ With some probability ( p ≈ 2 − 24 ), two instances of a repeated word begin with the same state. ▶ This gives a repetition in the ciphertext. ▶ When we detect a repetition in the plaintext and ciphertext, we can assume that the state is colliding.

Recommend

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May, 2017 0/35 Cryptanalysis of Affine Cipher Outline Cryptanalysis of Affine Cipher 1 Hypothesis Testing 2 Linear Cryptanalysis 3 0/35

1.52k views • 110 slides
/ 33 1 Cryptanalysis of Reduced round SKINNY Block Cipher Outline A brief description of

/ 33 1 Cryptanalysis of Reduced round SKINNY Block Cipher Outline A brief description of

/ 33 1 Cryptanalysis of Reduced round SKINNY Block Cipher Outline A brief description of SKINNY Zero-Correlation Linear Cryptanalysis of SKINNY MILP model for SKINNY64 cipher Using MILP in Impossible differential

420 views • 31 slides
Differential Cryptanalysis of Round-Reduced PRINT CIPHER : Computing Roots of Permutations

Differential Cryptanalysis of Round-Reduced PRINT CIPHER : Computing Roots of Permutations

Description of PRINT CIPHER Differential Cryptanalysis Computing roots of permutations Summary Differential Cryptanalysis of Round-Reduced PRINT CIPHER : Computing Roots of Permutations Mohamed Abdelraheem, Gregor Leander and Erik Zenner DTU

639 views • 21 slides
Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata

Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata

Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Iterated Block Cipher Outline Iterated Block Cipher 1 S-Boxes 2 A Basic Substitution Permutation Network 3 Linear

1.58k views • 113 slides
Cryptanalysis of PRINT CIPHER : The Invariant Subspace Attack Gregor Leander, Mohamed

Cryptanalysis of PRINT CIPHER : The Invariant Subspace Attack Gregor Leander, Mohamed

Description of PRINT CIPHER The Attack Relation To Truncated Differential Attack Conclusion Cryptanalysis of PRINT CIPHER : The Invariant Subspace Attack Gregor Leander, Mohamed Abdelraheem, Huda AlKhzaimi, and Erik Zenner DTU Mathematics

598 views • 37 slides
Block Cipher Cryptanalysis: Basic and Advanced Techniques I

Block Cipher Cryptanalysis: Basic and Advanced Techniques I

Block Cipher Cryptanalysis: Basic and Advanced Techniques I &amp; II Andrey Bogdanov KU Leuven, ESAT/COSIC Outline I. Block Ciphers II.

1.03k views • 79 slides
Intro to Cryptography Definitions Cryptography Cryptanalysis Cryptology CRYPTOGRAPHY

Intro to Cryptography Definitions Cryptography Cryptanalysis Cryptology CRYPTOGRAPHY

Intro to Cryptography Definitions Cryptography Cryptanalysis Cryptology CRYPTOGRAPHY Plaintext Cyphertext More definitions block cipher stream cipher hash function shared key public key digital signature

383 views • 16 slides
An Improved Cryptanalysis of Lightweight Stream Cipher Grain-v1 Miodrag J. Mihaljevi 1 , Nishant

An Improved Cryptanalysis of Lightweight Stream Cipher Grain-v1 Miodrag J. Mihaljevi 1 , Nishant

An Improved Cryptanalysis of Lightweight Stream Cipher Grain-v1 Miodrag J. Mihaljevi 1 , Nishant Sinha 2 , Sugata Gangopadhyay 2 , Subhamoy Maitra 3 , Goutam Paul 3 and Kanta Matsuura 4 1 Mathematical Institute, Serbian Academy of Sciences and

809 views • 49 slides
A Methodology for Differential-Linear Cryptanalysis and Its Applications Jiqiang Lu Presenter:

A Methodology for Differential-Linear Cryptanalysis and Its Applications Jiqiang Lu Presenter:

1. Preliminaries 2. Differential-Linear Cryptanalysis: Previous and Our Methodologies 3. Application to 13 Rounds of the DES Block Cipher 4. Application to 10 Rounds of the CTC2 Block Cipher 5. Application to 12 Rounds of the Serpent Block

1.18k views • 25 slides
DARXplorer a Toolbox for Cryptanalysis and Cipher Designers Dennis Hoppe Bauhaus-University

DARXplorer a Toolbox for Cryptanalysis and Cipher Designers Dennis Hoppe Bauhaus-University

DARXplorer a Toolbox for Cryptanalysis and Cipher Designers Dennis Hoppe Bauhaus-University Weimar 22nd April 2009 Dennis Hoppe (BUW) DARXplorer 22nd April 2009 1 / 31 Agenda 1 Introduction to Hash Functions 2 The ThreeFish Block Cipher 3

757 views • 42 slides
Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Cipher Cipher Cipher Cipher

464 views • 20 slides
Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Cryptanalysis of Classical Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Models for Cryptanalysis Cryptanalysis of

657 views • 20 slides
Library2Go for Kindle - Instructions Kindle Fire, Smartphone and Tablet users: You must have

Library2Go for Kindle - Instructions Kindle Fire, Smartphone and Tablet users: You must have

Library2Go for Kindle - Instructions Kindle Fire, Smartphone and Tablet users: You must have access to the Library2Go full site (not the mobile site) to access Kindle eBooks directly from your device. Click the link on the E-book help page

384 views • 24 slides
Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block

Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block

Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block cipher modes David McGrew mcgrew@cisco.com Fast

554 views • 43 slides
Separable Statistics in Linear Cryptanalysis Igor Semaev, Univ. of Bergen, Norway joint work

Separable Statistics in Linear Cryptanalysis Igor Semaev, Univ. of Bergen, Norway joint work

Separable Statistics in Linear Cryptanalysis Igor Semaev, Univ. of Bergen, Norway joint work with Stian Fauskanger 5 September 2017, MMC workshop Round Block Cipher Cryptanalysis PL-TEXT K1 K1 X K2..K15 Y K16 CH-TEXT Logarithmic

826 views • 41 slides
Vigenre Cipher Like Csar cipher, but use a phrase Example Message THE BOY HAS THE

Vigenre Cipher Like Csar cipher, but use a phrase Example Message THE BOY HAS THE

Vigenre Cipher Like Csar cipher, but use a phrase Example Message THE BOY HAS THE BALL Key VIG Encipher using Csar cipher for each letter: key VIGVIGVIGVIGVIGV plain THEBOYHASTHEBALL cipher OPKWWECIYOPKWIRG May

304 views • 26 slides
Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers

Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers

Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers will always cheat xkcd #538 What is side channel cryptanalysis? Side Channels: whatever the designers ignored Key Plaintext Encryption Cipher

1.14k views • 112 slides
Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so

Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so

Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so changing the order of the letters of the alphabet, that not a word could be made out. If anyone wishes to decipher these, and get at their meaning, he

1.03k views • 5 slides
CS 241 Data Organization Ciphers March 22, 2018 Cipher In cryptography, a cipher (or

CS 241 Data Organization Ciphers March 22, 2018 Cipher In cryptography, a cipher (or

CS 241 Data Organization Ciphers March 22, 2018 Cipher In cryptography, a cipher (or cypher) is an algorithm for performing encryption or decryption. When using a cipher, the original information is known as plaintext , and the

449 views • 41 slides
Incentives for LowMC-Cryptanalysis in the Low-Data Scenario Christian Rechberger, Eurocrypt 2020

Incentives for LowMC-Cryptanalysis in the Low-Data Scenario Christian Rechberger, Eurocrypt 2020

S C I E N C E P A S S I O N T E C H N O L O G Y Incentives for LowMC-Cryptanalysis in the Low-Data Scenario Christian Rechberger, Eurocrypt 2020 Rump Session 12.05.2020 &gt; https://lowmcchallenge.github.io/ LowMC First cipher design

503 views • 9 slides
Advanced Tools from Modern Cryptography Lecture 0 Manoj Prabhakaran IIT Bombay

Advanced Tools from Modern Cryptography Lecture 0 Manoj Prabhakaran IIT Bombay

Advanced Tools from Modern Cryptography Lecture 0 Manoj Prabhakaran IIT Bombay Old Cryptography Scytale (ancient Greece) Caesar Cipher 100 BC - 44 BC Cryptanalysis (simple frequency analysis) of Caesar cipher by

368 views • 13 slides
Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Cryptography Classical Ciphers Caesar Cipher Monoalphabetic Ciphers Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher Vernam Cipher School of Engineering and Technology One Time Pad CQUniversity

1.02k views • 64 slides
Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Cryptography Classical Ciphers Caesar Cipher Monoalphabetic Ciphers Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher Vernam Cipher One Time Pad School of Engineering and Technology CQUniversity

687 views • 64 slides

More recommend