Design and Analysis of Cryptographic Algorithms for Mobile Communication Systems
Henri Gilbert
Orange Labs
{firstname.lastname@orange-ftgroup.com}
research & development

outline

development of cryptographic algorithms for a real life application
• introduction
• cryptographic features of 2G and 3G systems
• algorithms development process within ETSI/SAGE
• approach to design / specification / evaluation
• links with academic research
• case studies
  • 1999: KASUMI block cipher + resulting encryption (UEA1, A5/3) and MAC (UIA1)
  • 2005: SNOW 3G stream cipher + resulting encryption (UEA2) and MAC (UIA2)
  • 2000: MILENAGE authentication and key generation algorithm

research & development Orange Group development of 3G algorithms (2)

security in mobile systems

[Figure: network diagram showing MS = ME + (U)SIM, Radio access network, Core Network and External networks (PSTN, IP…)]

security aspects:
• radio access
• terminal
• core network
• e2e transactions

cryptographic algorithms of GSM

• subscriber authentication
  • authentication & key generation algorithms A3/A8
  • permanent subscriber key Ki (SIM & HLR)
  • A3/A8 is not standardized (operator dependent)
[Figure: A3/A8 takes RAND (challenge, 128 bits) and Ki (128 bits) and outputs SRES (32 bits) and Kc (64 bits)]
• traffic and signalling encryption
  • circuit switched GSM: standard A5 algorithms A5/1, A5/2, A5/3
  • packet oriented GSM (GPRS): standard GEA algorithms GEA1, GEA2, GEA3
[Figure: A5 takes IV (frame nb., 22 bits) and Kc (64 bits) and outputs a 114-bit keystream; GEA takes IV (counter, dir., 33 bits) and Kc* (64 bits) and outputs a 5 to 1600-byte keystream]

GSM SECURITY: OVERVIEW

[Figure: GSM authentication and encryption flow between SIM, ME, BTS, MSC/VLR (visited network) and HLR/AuC (home network). Off line, the HLR/AuC runs A3/A8 on RAND and Ki and supplies n triplets (RAND, SRES, Kc). On line, RAND is sent to the SIM, which runs A3/A8 with Ki and returns SRES; the visited network checks SRES and starts encryption with Kc (ACK). On both sides A5, keyed with Kc and an IV (frame nb.), produces a 114-bit keystream that is added to the plain traffic & sig. to give the encrypted traffic & sig.]

limitations of GSM security

• no network authentication and no explicit integrity protection
  • moreover encryption initiative is left up to the network
  • eavesdropping attacks using false base stations turned out to be a reality…
  ⇒ UMTS: network authentication and signalling messages auth.
  ⇒ GSM and UMTS: encryption indicator (in some mobiles)
• limitations of GSM encryption
  • encryption ends at the base station => vulnerability of the BTS-BSC interface
  • efficient attack on A5/2, gradual erosion of the protection offered by A5/1 [Biham et al.]
  ⇒ UMTS: strong encryption (128-bit key, hopefully full strength), ends at RNC
  ⇒ GSM: move to A5/3 (derived from 3G algorithm KASUMI)

cryptographic features of UMTS

• mutual authentication (slightly simplified)
  • subscriber auth. ≈ GSM auth
  • generation of session keys CK and IK
  • network auth. ≈ MAC of sequence nb. SQN
  • SQN anonymization: mask AK
  f1-f5 also named AKA (auth. & key agreement)
  no standard AKA; example AKA: MILENAGE
[Figure: f1-f5, keyed with K (128 bits), take RAND (128 bits), SQN (48 bits) and AMF (16 bits); f1 outputs MAC-A (64 bits), f2 RES (64 bits), f3 CK (128 bits), f4 IK (128 bits), f5 AK (48 bits)]
• traffic and signalling encryption
  • two standard f8 algorithms
    • UEA1 derived from KASUMI
    • UEA2 derived from SNOW 3G
[Figure: f8, keyed with CK (128 bits), takes IV (count-c, bearer, dir.) and outputs the keystream, which is added to the message]
• message authentication
  • two standard f9 algorithms
    • UEA1 derived from KASUMI
    • UEA2 derived from SNOW 3G
[Figure: f9, keyed with IK (128 bits), takes the message and (count, fresh, direction) and outputs a 32-bit MAC]

UMTS SECURITY: OVERVIEW

[Figure: UMTS authentication and protection flow between USIM, ME, Node-B, RNC, MSC/VLR and HLR/AuC (home network). The HLR/AuC runs f1-f5 on RAND, SQN and K and supplies n quintets (RAND, RES, IK, CK, AUTN). RAND and AUTN are sent to the USIM, which runs f1-f5 with K, checks AUTN and returns RES; the network checks RES and starts encryption with CK and IK (ACK). f8, with CK and an IV, encrypts { DATA || MAC } as encrypted traffic & sig.; f9, with IK and count, fresh, computes the MAC, which the receiver checks.]
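
The mutual authentication summarised above, as an added Python example that is not part of the original slides. HMAC-SHA256 stands in for f1-f5 (it is not MILENAGE), the AMF value and key are constructed, and the "SQN must strictly increase" freshness rule is a simplification; field sizes follow the slide.

```python
import hashlib
import hmac
import os

def f(k: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """Stand-in for f1..f5 (NOT MILENAGE): domain-separated HMAC-SHA256, truncated."""
    return hmac.new(k, label + data, hashlib.sha256).digest()[:nbytes]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def auc_quintet(k: bytes, sqn: int, amf: bytes = b"\x80\x00"):
    """Home network (HLR/AuC): one quintet (RAND, RES, CK, IK, AUTN); AMF is constructed."""
    rand = os.urandom(16)                       # 128-bit challenge
    sqn_b = sqn.to_bytes(6, "big")              # 48-bit sequence number
    mac_a = f(k, b"f1", sqn_b + rand + amf, 8)  # 64-bit network MAC
    res = f(k, b"f2", rand, 8)                  # 64-bit expected response
    ck = f(k, b"f3", rand, 16)                  # 128-bit cipher key
    ik = f(k, b"f4", rand, 16)                  # 128-bit integrity key
    ak = f(k, b"f5", rand, 6)                   # 48-bit anonymity key
    autn = xor(sqn_b, ak) + amf + mac_a         # SQN travels masked by AK
    return rand, res, ck, ik, autn

def usim_respond(k: bytes, rand: bytes, autn: bytes, last_sqn: int):
    """USIM side: authenticate the network first, then answer the challenge."""
    ak = f(k, b"f5", rand, 6)
    sqn_b, amf, mac_a = xor(autn[:6], ak), autn[6:8], autn[8:16]
    if not hmac.compare_digest(mac_a, f(k, b"f1", sqn_b + rand + amf, 8)):
        raise ValueError("MAC-A mismatch: challenge not from the home network")
    sqn = int.from_bytes(sqn_b, "big")
    if sqn <= last_sqn:                         # simplified freshness rule
        raise ValueError("stale SQN: replayed challenge")
    return f(k, b"f2", rand, 8), f(k, b"f3", rand, 16), f(k, b"f4", rand, 16), sqn

def outcome(k: bytes, rand: bytes, autn: bytes, last_sqn: int) -> str:
    """Return 'ok' or the rejection reason for one challenge."""
    try:
        usim_respond(k, rand, autn, last_sqn)
        return "ok"
    except ValueError as err:
        return str(err).split(":")[0]

if __name__ == "__main__":
    K = bytes.fromhex("00112233445566778899aabbccddeeff")    # constructed test key
    rand, res, ck, ik, autn = auc_quintet(K, sqn=42)
    print(outcome(K, rand, autn, last_sqn=41))               # genuine and fresh
    print(outcome(K, rand, autn, last_sqn=42))               # same quintet replayed
    rand2, _, _, _, autn2 = auc_quintet(os.urandom(16), 43)  # sender does not hold K
    print(outcome(K, rand2, autn2, last_sqn=42))
```

A GSM SIM, by contrast, answers any RAND, which is the missing network authentication listed among the GSM limitations.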

ETSI/SAGE

• what's that?
  • security algorithms group of experts of the European Telecommunications Standards Institute
  • in charge of security algorithms standardisation for telecommunications
    ‒ mobile communication systems: 2G (GSM/GPRS), 3G (UMTS) …
    ‒ other systems: radio lans, teleconferencing, smart cards, inter-PNO exchanges, TETRA
  • created in the early 90's
  • initial mandate included liaison with national authorities to get export approval
• membership
  • closed group: no longer for secrecy reasons, for efficiency reasons
  • ~ 10 telecom. operators or manufacturers with strong cryptography expertise
  • chaired by Gert Roelofsen until he left KPN research and since then by Steve Babbage, Vodafone

export controls

• before 98
  • strong export restrictions on encryption, in particular for mobile systems
    ‒ A5/1 was much stronger than ciphers that were freely exportable at that time
  • no transparent rules, case by case approval
  • SAGE algorithms were not published
    ‒ this was needed to get export approval
    ‒ however, for massively deployed algorithms, secrecy does not last long…
• since 98 (Wassenaar agreements)
  • export controls still exist…
    … but have been considerably eased and are no longer a real issue for mobiles
  • SAGE moved to public algorithms soon after 98
    ‒ ☺ increase public confidence
    ‒ ☺ take advantage of publicly available designs
    ‒ other less decisive pros & cons: ☺ public evaluation after deployment, ☹ increased vulnerability to side channel attacks

SAGE approach to algorithms development

"balance the benefits of public evaluation against industry timescales" [S. Babbage]

1. take the best from available research results
  • investigate most promising public designs
  • adapt design to specific requirements of the intended application
  • taking most recent advances in cryptanalysis into account
2. algorithm design / specification / evaluation work
  • set-up a project team with clear timescales and allocation of tasks
  • split participants into separate design and evaluation teams
    ‒ requirements capture (all)
    ‒ design team: 1st design, 2nd design, final design
    ‒ evaluation team: mathematical evaluation, statistical testing
  • output: specification, ref. implementation and spec. testing, design & eval. report
3. Independent evaluation and follow-on research
  • evaluation reports by well known academic expert teams (limited evaluation time)
  • monitoring of (and often contribution to) follow-on public research

Case study 1: KASUMI, UEA1, UIA1 (1999)

• requirements (in brief)
  • stream cipher f8 and MAC f9
    ‒ security: full strength
    ‒ low H/W complexity
    ‒ good H/W and S/W performance
    ‒ f8: good IV agility
  ⇒ block cipher with stream cipher & MAC modes
    ‒ for flexibility reasons
[Figure: f8, keyed with CK (128 bits), takes IV (count-c, bearer, dir.) and outputs the keystream; f9, keyed with IK (128 bits), takes message, count, fresh, dir. and outputs the MAC]
• available research results to start from
  • strategies to thwart statistical attacks:
    ‒ [Daemen-Rijmen]: wide trail strategy
    ‒ [Vaudenay]: decorrelation theory and resulting block ciphers
    ‒ [Nyberg-Knudsen, Aoki]: differential & linear bounds on 3R-Feistel schemes
      [Matsui]: application to the embedded construction of MISTY block cipher
  ⇒ MISTY (a 64-bit block cipher) was selected as the starting point for the design
    ‒ MISTY's designer, M. Matsui (Mitsubishi) joined SAGE
    ‒ KASUMI (≈ "misty" in Japanese) was designed

KASUMI

[Figure: KASUMI structure. The plaintext (64 bits) is split into two 32-bit halves and passes through eight rounds built from FL1/FO1 … FL8/FO8 with round subkeys KLi, KOi, KIi to give the ciphertext (64 bits). FO (32 bits) consists of three rounds of FI (16 bits) with subkeys KOi1-KOi3 and KIi1-KIi3; FI splits 16 bits into 9 and 7 and uses S-boxes S9 and S7 with zero-extend and truncate steps and subkeys KIij1, KIij2; FL (32 bits) uses subkeys KLi1, KLi2 with a bitwise AND operation, a bitwise OR operation and one bit left rotation.]

Main changes from MISTY1
- 4th round in FI
- FL: modified location, rotation
- new S-boxes S7 and S9
- simplified key schedule
↓
≈ same conjectured security
slightly lower H/W complexity

KASUMI-based f8: UEA1

non-standard mode, combination of:
- "prewhitening" (computation of secret A)
- CNT mode
- OFB mode

64-bit blocksize => standard modes would have resulted in strong 2^32-block distinguishers

[Figure: f8 mode diagram with inputs IV (64 bits) and CK (128 bits) and output keystream KS]
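
The block-size argument above, as an added Python example that is not part of the original slides. It scales the block from 64 to 16 bits so the birthday bound drops from 2^32 to 2^8 blocks, uses a toy Feistel permutation as a stand-in for KASUMI, and follows the published f8 structure (A computed under the key XORed with 0x55 bytes, then counter and feedback combined); the key and IV are constructed.

```python
import hashlib

BLOCK_BITS = 16                      # toy block size; KASUMI's is 64
HALF = BLOCK_BITS // 2
HALF_MASK = (1 << HALF) - 1
BLOCK_MASK = (1 << BLOCK_BITS) - 1

def toy_encrypt(key: bytes, block: int) -> int:
    """4-round Feistel permutation on 16-bit blocks. Stand-in only, NOT KASUMI."""
    left, right = block >> HALF, block & HALF_MASK
    for rnd in range(4):
        f_out = hashlib.sha256(key + bytes([rnd, right])).digest()[0]
        left, right = right, left ^ f_out
    return (left << HALF) | right

def ctr_keystream(key: bytes, iv: int, nblocks: int) -> list:
    """Plain counter mode: KSB_n = E_K(IV + n)."""
    return [toy_encrypt(key, (iv + n) & BLOCK_MASK) for n in range(nblocks)]

def f8_keystream(key: bytes, iv: int, nblocks: int) -> list:
    """f8 structure: A = E_{K xor 0x55..}(IV); KSB_n = E_K(A xor n xor KSB_{n-1})."""
    modified_key = bytes(b ^ 0x55 for b in key)     # key modifier for prewhitening
    a = toy_encrypt(modified_key, iv)               # secret register A
    stream, prev = [], 0
    for blkcnt in range(nblocks):
        prev = toy_encrypt(key, a ^ blkcnt ^ prev)  # counter and feedback combined
        stream.append(prev)
    return stream

def repeated_blocks(stream: list) -> int:
    """Number of keystream blocks that duplicate an earlier block."""
    return len(stream) - len(set(stream))

def flags_as_non_random(stream: list) -> bool:
    """Distinguisher: far past the birthday bound, a random stream must repeat."""
    return repeated_blocks(stream) == 0

if __name__ == "__main__":
    key = bytes(range(16))           # constructed 128-bit key
    n = 4096                         # 2^12 blocks, far beyond 2^(16/2) = 256
    for name, mode in (("CTR", ctr_keystream), ("f8", f8_keystream)):
        ks = mode(key, 0x1234, n)
        print(name, repeated_blocks(ks), flags_as_non_random(ks))
```

Counter mode feeds distinct inputs to a permutation, so its keystream blocks never repeat and the test flags it; the f8 feedback lets inputs collide, so repeats appear as they would in a random stream.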