1 / 22  Cryptanalysis of the “Kindle” Cipher
Alex Biryukov, Gaëtan Leurent, Arnab Roy (University of Luxembourg)
SAC 2012
Sections: Introduction, PC1, Known-plaintext key-recovery, Ciphertext-only key-recovery, Conclusion
2 / 22  Cryptography: theory and practice
In theory:
▶ Algorithms: Random Oracle, Ideal Cipher
▶ Perfect source of randomness
In practice:
▶ Algorithms: AES, SHA2, RSA
▶ Modes of operation: CBC, OAEP, ...
▶ Random Number Generators: Hardware RNG, PRNG
3 / 22  Cryptography in the real world
Several examples of flaws in industrial cryptography:
▶ Bad random source
  ▶ SSL with 16-bit entropy (Debian)
  ▶ ECDSA with fixed k (Sony)
▶ Bad key size
  ▶ RSA-512 (TI)
  ▶ Export restrictions...
▶ Bad mode of operation
  ▶ CBC-MAC with the RC4 stream cipher (Microsoft)
  ▶ TEA with Davies-Meyer (Microsoft)
▶ Bad (proprietary) algorithm
  ▶ A5/1 (GSM)
  ▶ CSS (DVD forum)
  ▶ Crypto1 (MIFARE/NXP)
  ▶ KeeLoq (Microchip)
4 / 22  Amazon Kindle
▶ Ebook reader by Amazon
▶ Most popular ebook reader (≈ 50 % share)
▶ 4 generations, 7 devices
▶ Software reader for 7 OS, plus cloud reader
▶ Several million devices sold
▶ Amazon sells more ebooks than paper books
▶ Uses crypto for DRM (Digital Rights Management)
5 / 22  Digital Rights Management: DRM scheme
▶ Company sells media (music, video, ebook, game, ...)
▶ Wants to prevent sharing
  ▶ Customer should read but not copy
▶ Encipher media
▶ Give player to users
  ▶ Hardware or software
  ▶ Player contains the key
[Figure: the company hands enciphered media and a player to the customers Alice, Bob and Charly]
6 / 22  Breaking DRM
▶ Copy the media while being played
▶ Extract the key from the player, decipher media
  Tamper-proof hardware? Obfuscation? White-box crypto?
▶ No need to break the crypto!
▶ Pirates break once, copy...
7 / 22  Digital Rights Management: legal user vs. illegal user
Legal user:
▶ Can only use authorized player
▶ Collection locked-in
▶ DRM can restrict user rights
  ▶ Lending, reselling, ...
▶ No format shifting:
  ▶ play DVD on tablet
  ▶ read ebook w/ speech synth.
Illegal user:
▶ Can still find illegal copies
▶ Can do anything with the media
[Figure: Alice, Bob and Charly as users]
8 / 22  DRM on the Kindle: overview
▶ Kindle ebooks use DRM
▶ Like any DRM system, it is bound to fail
▶ In practice, it is easy to extract the key (Google for details...)
▶ In this talk, we study the cipher used in this DRM system
  We don’t study the DRM system itself
▶ The DRM system uses a cipher called PC1
▶ It’s a really weak cipher...
9 / 22  Outline
Introduction
  Cryptography in the real world
  Digital Rights Management
The PC1 Cipher
  Description
  Weaknesses
Known-plaintext key-recovery
  Collision detection
  Key recovery
Ciphertext-only key-recovery
  Bias with independent keys
  Recovering the plaintext
Conclusion
10 / 22  The PC1 Cipher
▶ Designed by Pukall in 1991
▶ Posted on Usenet
▶ Kindle DRM based on PC1
▶ Self-synchronizing stream cipher: no IV!
▶ 16-bit arithmetic: add, mult, xor
▶ Key k: 128 bits = 8 × 16-bit words k_0, ..., k_7; state s (16 bits) and π (8 bits); plaintext byte p, ciphertext byte c
Main loop (LG and TG):
  for 0 ≤ i < 8 do
    w ← w ⊕ k_i ⊕ (π × 257)
    x ← 346 × w
    w ← 20021 × w + 1
    s ← s + x
    σ ← σ ⊕ w ⊕ s
    s ← 20021 × (s + (i + 1 mod 8)) + x
[Figure: data path p, s, π → LG, TG → σ_k, σ_s (16 bits each) → the 16-bit σ folded to 8 bits → c]
11 / 22  Weakness 1: T-functions
This is a T-function:
▶ Low bits of the output depend only on the low bits of the input
▶ Add, mult, xor
▶ Guess 8 × 9 bits of the key
▶ Get 9 bits before the fold
▶ Get 1 bit after the fold
▶ Verify with known plaintext
▶ Complexity: 2^72, some bytes of known plaintext
12 / 22  Weakness 2: small state
The state is very small:
▶ s: 16-bit
▶ π: 8-bit, key-independent
▶ Build a set of plaintexts x_i ‖ y, x_i’s with fixed xor-sum
▶ With high probability the state collides after x_i and x_j
▶ Same encryption of y
▶ Complexity: 2^8 CP (distinguisher)
13 / 22  Outline (repeated; next section: Known-plaintext key-recovery)
14 / 22  Collision detection
Example on the slide:
  plaintext:  How much wood could a woodchuck chuck / if a woodchuck could chuck wood?
  ciphertext: ghxadiaphjjxicwpidkasqghugbqsjbf / gfecuhaupmaqcdlvtognfgdhisqghugbrfqvc
  (the fragment sqghugb appears in both ciphertext lines)
Can we use state collisions in a known-plaintext attack?
▶ In a natural language text, some words will be repeated.
▶ With some probability (p ≈ 2^-24), two instances of a repeated word begin with the same state.
▶ This gives a repetition in the ciphertext.
▶ When we detect a repetition in the plaintext and ciphertext, we can assume that the state is colliding.
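The following Python is an added example, not the authors' code and not the Kindle DRM implementation. It implements PC1 from the main loop on slide 10 and then checks the three properties used on slides 11, 12 and 14: the T-function structure (a key that differs only in bits 9..15 of every word leaves bit 0 of each keystream byte unchanged), the 24-bit state (prefixes with a fixed xor-sum collide on the 16-bit s, after which a common suffix encrypts identically), and collision detection through a fragment that repeats in both plaintext and ciphertext. Details the slides do not state are assumptions made here: key words are read big-endian from the 128-bit key, the state (s, π) starts at zero, w and σ are reset to zero for every byte, and the fold is (σ >> 8) ⊕ (σ & 0xFF); DEMO_KEY and the messages are constructed sample data.

```python
MASK16 = 0xFFFF
DEMO_KEY = bytes(range(16))   # constructed sample key, not a real DRM key


def key_words(key):
    """Eight 16-bit words k_0..k_7 of the 128-bit key (big-endian assumed)."""
    return [int.from_bytes(key[2 * i:2 * i + 2], "big") for i in range(8)]


def pc1_round(kw, s, pi):
    """The main loop of slide 10 for one byte; returns (sigma, new s).
    Only add, mult and xor mod 2^16 occur, so output bit j depends only on
    input bits 0..j: a T-function (Weakness 1)."""
    w, sigma = 0, 0               # reset per byte (assumption)
    for i in range(8):
        w ^= kw[i] ^ (pi * 257)   # 257*pi puts the 8-bit pi in both bytes
        x = (346 * w) & MASK16
        w = (20021 * w + 1) & MASK16
        s = (s + x) & MASK16
        sigma ^= w ^ s
        s = (20021 * (s + ((i + 1) % 8)) + x) & MASK16
    return sigma, s


def fold(sigma):
    """Fold the 16-bit sigma to the 8-bit keystream byte (assumed definition)."""
    return ((sigma >> 8) ^ sigma) & 0xFF


def pc1_crypt(key, data, decrypt=False):
    """Encrypt or decrypt. pi is the xor of all previous plaintext bytes, so the
    state (s, pi) is driven entirely by key and plaintext: there is no IV."""
    kw, s, pi, out = key_words(key), 0, 0, bytearray()
    for b in data:
        sigma, s = pc1_round(kw, s, pi)
        o = b ^ fold(sigma)
        pi ^= o if decrypt else b     # feed back the *plaintext* byte
        out.append(o)
    return bytes(out)


def pc1_state_after(key, prefix):
    """The 24-bit state (s, pi) reached after encrypting prefix from state zero."""
    kw, s, pi = key_words(key), 0, 0
    for b in prefix:
        s = pc1_round(kw, s, pi)[1]
        pi ^= b
    return s, pi


def flip_high_key_bits(key):
    """Change bits 9..15 of every key word (bits 1..7 of each high byte)."""
    return bytes(b ^ 0xFE if i % 2 == 0 else b for i, b in enumerate(key))


def low_bit_ignores_high_key_bits(key_a, key_b, plaintext):
    """Weakness 1: two keys that agree on the low 9 bits of every word give the
    same bit 0 of every keystream byte (sigma[0] xor sigma[8]). That is why a
    guess of 8 x 9 key bits (2^72) can be verified against known plaintext."""
    if any((a ^ b) & 0x1FF for a, b in zip(key_words(key_a), key_words(key_b))):
        raise ValueError("keys must agree on the low 9 bits of every word")
    ca, cb = pc1_crypt(key_a, plaintext), pc1_crypt(key_b, plaintext)
    return all((x ^ y) & 1 == 0 for x, y in zip(ca, cb))


def find_state_collision(key, xor_sum):
    """Weakness 2: prefixes with a fixed xor-sum keep pi constant, so only the
    16-bit s has to collide. 2^8 two-byte plus 2^16 three-byte prefixes exceed
    the 2^16 possible s values, so a collision is guaranteed; by the birthday
    bound one usually appears after a few hundred prefixes."""
    def candidates():
        for a in range(256):
            yield bytes([a, a ^ xor_sum])
        for a in range(256):
            for b in range(256):
                yield bytes([a, b, a ^ b ^ xor_sum])
    seen = {}
    for prefix in candidates():
        s, _ = pc1_state_after(key, prefix)
        if s in seen:
            return seen[s], prefix
        seen[s] = prefix


def find_repetitions(pairs, length):
    """Slide 14: over (plaintext, ciphertext) messages under one key, return the
    fragments that repeat in both plaintext and ciphertext with their positions
    (message index, offset). Each such hit is a state collision."""
    where = {}
    for m, (pt, ct) in enumerate(pairs):
        for i in range(len(pt) - length + 1):
            where.setdefault((pt[i:i + length], ct[i:i + length]), []).append((m, i))
    return {pt: pos for (pt, _), pos in where.items() if len(pos) > 1}


def collision_demo(key, word=b"woodchuck"):
    """Two messages repeating `word` right after colliding prefixes (no IV, so
    both start from the zero state); returns where the detector sees it."""
    pa, pb = find_state_collision(key, 0x5A)
    pairs = [(m, pc1_crypt(key, m)) for m in (pa + word, pb + word)]
    return find_repetitions(pairs, len(word)).get(word, [])


if __name__ == "__main__":
    text = b"How much wood could a woodchuck chuck if a woodchuck could chuck wood?"
    assert pc1_crypt(DEMO_KEY, pc1_crypt(DEMO_KEY, text), decrypt=True) == text
    print("low keystream bit ignores high key bits:",
          low_bit_ignores_high_key_bits(DEMO_KEY, flip_high_key_bits(DEMO_KEY), text))
    print("repeated word seen at (message, offset):", collision_demo(DEMO_KEY))
```

The collision search uses more chosen prefixes than the 2^8 quoted on slide 12 only so that a collision is certain by the pigeonhole principle; in practice the birthday bound on the 16-bit s finds one within the first few hundred prefixes. The repetition detector is written for a list of messages rather than a single text because, with no IV, every message under one key starts in the same state, so repetitions across messages count as well as repetitions within one.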