Security Analysis for MQTT in Internet of Things


DEGREE PROJECT IN COMPUTER SCIENCE AND ENGINEERING, SECOND CYCLE, 30 CREDITS
STOCKHOLM, SWEDEN 2018

DIEGO SALAS UGALDE
KTH ROYAL INSTITUTE OF TECHNOLOGY
SCHOOL OF ELECTRICAL ENGINEERING AND COMPUTER SCIENCE

Master in Network Services and Systems
Date: November 22, 2018
Supervisor: Johan Gustafsson (Zyax AB)
Examiner: Panos Papadimitratos (KTH)
Swedish title: Säkerhet analys för MQTT i IoT

Abstract

Internet of Things, i.e. IoT, has become a very trending topic in research and has been investigated in recent years. There can be several different scenarios and implementations where IoT is involved. Each of them has its own requirements. In these types of IoT networks, new communication protocols which are meant to be lightweight, such as MQTT, are included.

In this thesis there are two key aspects under study: security and achieving a lightweight communication. We want to propose a secure and lightweight solution in an IoT scenario using MQTT as the communication protocol. We perform different experiments with different implementations over MQTT, which we evaluate, compare and analyze. The results obtained help to answer our research questions and show that the proposed solution fulfills the goals we proposed at the beginning of this work.

Sammanfattning (Swedish abstract, translated)

"Internet of Things", i.e. IoT, has become a very trending topic in research and has been investigated in recent years. There can be several different scenarios and implementations where IoT is involved. Each of them has its own requirements. In these types of IoT networks, new communication protocols that are lightweight, such as MQTT, are included. In this work there are two important aspects that are studied: security and achieving a lightweight communication. We want to propose a secure and lightweight solution in an IoT scenario with MQTT as the communication protocol. We carry out different experiments with different implementations over MQTT, which we evaluate, compare and analyze. The results obtained help to answer our research questions and show that the proposed solution fulfills the goals we set at the beginning of this work.

Contents

1 Introduction ..... 1
1.1 Context and motivation ..... 1
1.2 Problem Statement and Research Question ..... 2
1.3 Approach ..... 3
1.4 Main contributions ..... 4
1.5 Structure ..... 4
2 Background ..... 6
2.1 MQTT ..... 6
2.1.1 The protocol ..... 6
2.1.2 MQTT broker ..... 8
2.1.3 Topics ..... 8
2.1.4 Quality of Service ..... 9
2.1.5 Session and Messages ..... 12
2.2 Security in MQTT ..... 14
2.2.1 Security breaches and attacks against MQTT ..... 14
2.2.2 Security possibilities in MQTT ..... 15
2.3 Cryptography ..... 17
2.3.1 Asymmetric key ..... 17
2.3.2 Symmetric key ..... 18
2.3.3 AES encryption modes ..... 19
2.3.4 TLS/SSL ..... 24
2.4 Related work ..... 25
2.5 Aim of the thesis ..... 28
3 Methodology ..... 29
3.1 Research ..... 29
3.2 Action Research ..... 29
3.3 Data collection ..... 30
3.4 Data analysis ..... 30
4 Implementation ..... 31
4.1 Hardware ..... 31
4.2 Software ..... 31
5 Solution Architecture ..... 33
5.1 Design Overview ..... 33
6 Results ..... 38
6.1 Bandwidth Overhead ..... 38
7 Evaluation ..... 45
7.1 Research questions ..... 45
7.2 Limitations ..... 47
8 Conclusion and Future Work ..... 48
8.1 Conclusion ..... 48
8.2 Future Work ..... 50
Bibliography ..... 51

List of Figures

2.1 MQTT in the TCP/IP stack. Based on [5]. ..... 7
2.2 Basic architecture of MQTT. Based on [5]. ..... 7
2.3 Basic architecture of MQTT. Based on [7]. ..... 8
2.4 QoS 0 of MQTT. Based on [8]. ..... 10
2.5 QoS 1 of MQTT. Based on [8]. ..... 11
2.6 QoS 2 of MQTT. Based on [8]. ..... 11
2.7 MQTT packet format. Based on [9]. ..... 12
2.8 MQTT connect message. Based on [9]. ..... 13
2.9 MQTT Publish message. Based on [9]. ..... 13
2.10 Comparison between ECC and RSA key sizes. Based on [12]. ..... 18
2.11 AES-GCM encryption mode. Based on the one present in the work [16]. ..... 22
2.12 Previous research work in MQTT and security. ..... 27
5.1 Built Scenario. ..... 34
6.1 Size in bytes of the MQTT connect packet. ..... 39
6.2 Size of the packets in experiments 2 and 3. ..... 40
6.3 MQTT publish packet in experiments 1 and 4. ..... 41
6.4 Bytes in the communication link for all the options studied. ..... 41
6.5 Bandwidth overhead with the different security alternatives. ..... 42
6.6 MQTT overhead over the rest of the data in the MQTT publish. ..... 43
6.7 MQTT protocol overhead, MQTT publish. ..... 44
6.8 MQTT protocol overhead, MQTT publish. ..... 44

Chapter 1 Introduction

1.1 Context and motivation

The rapid research advancement in the field of networking has brought a new type of network, the so-called Internet of Things, namely IoT. This is a topic which is undoubtedly very trending in networking nowadays, and lots of research has been done [1]. IoT, which is also called inter-machine communication over the Internet or machine-to-machine communication, i.e. M2M, is a concept that implies the ability of physical devices to measure and sense data from the real world and then send that data over the Internet.

A couple of years ago, a new concept emerged that combines two different networking technologies, namely Cloud computing and Internet of Things. This is what we know as CloudIoT these days. Cloud computing means that the group of networked elements providing services can be thought of as being in a cloud and not at the end-users [2].

IoT typically involves the use of constrained devices which do not have the same resources as the equipment in traditional networks. A huge variety of protocols have been implemented and are already standardized in the Internet of Things. Two examples of them are MQTT, i.e. Message Queuing Telemetry Transport, and CoAP, i.e. Constrained Application Protocol. As has been previously studied, these IoT protocols are suitable depending on the context and the specific requirements, each of them being the best option depending on the scenario wanted [3]. These IoT protocols are meant to be lightweight, since devices such as a watch or a sensor measuring temperature would not be able to handle heavy communications.

In this thesis, we have chosen to use MQTT as the IoT communication protocol for four main reasons:

• It was designed specifically for constrained devices such as sensors
• Its publish/subscribe pattern
• It has extremely small overhead for message transmission
• It provides Quality of Service, i.e. QoS

MQTT operates on top of TCP and was not designed with security in mind, but rather to achieve a very simple and light protocol that minimizes bandwidth and energy usage. Thus, security in MQTT is a major problem in terms of authentication, authorization, confidentiality and integrity. Regarding the lack of confidentiality in MQTT, packets can be spied on by an attacker because no encryption is applied. Thus a secure mechanism is needed over the transport protocol, such as TLS [4]. Some work has been done in this area, and more research is ongoing to achieve a secure communication using TLS/SSL on top of MQTT or adding extra layers of security.

1.2 Problem Statement and Research Question

This dissertation was carried out at Zyax AB, a startup company in Stockholm. They expressed the need for a solution that provides a secure communication between a blasting sensor and the cloud. The research questions in this work are the following:

• Are traditional security protocols a good alternative to use over the MQTT protocol to provide a secure communication between a sensor and the cloud? Why or why not?
• Is payload encryption in MQTT enough to provide a secure communication between a blasting sensor and the cloud?

1.3 Approach

Motivated by the above, the aim of this work is to provide a secure IoT system in which a constrained device sends data to a cloud using MQTT as the IoT protocol for communication. The main problem is that this has to be achieved in the most lightweight manner, i.e. with a relatively small overhead. Thus, how to establish a secure IoT system between an IoT device and the cloud using MQTT as the IoT protocol is the main purpose of this work. Different alternatives in MQTT are evaluated to provide such a system, and a security framework for MQTT in IoT is explained in detail in the following chapters. When we mention a secure system we are referring to avoiding the different types of attacks on the MQTT broker described in Chapter 2. The main goals of the thesis are:

• Provide a secure system between the blasting sensor and the cloud using MQTT as the IoT protocol.
• Low overhead in the communication, i.e. lightweight communication, between the IoT device and the cloud.

1.4 Main contributions

As mentioned above, in this work we propose a solution to provide a secure communication using the MQTT protocol between a sensor and the cloud. A secure architecture using MQTT as the IoT protocol with AES-GCM payload encryption has been provided. This solution has been compared with other implementations over MQTT, which will be further explained in Chapter 4. With these different implementations and experiments we have done a bandwidth overhead comparison and an MQTT protocol overhead comparison.
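The contribution above is an AES-GCM protected payload carried in MQTT PUBLISH messages, judged by bandwidth and protocol overhead. The following is an added example, not code from the thesis: it encodes an MQTT 3.1.1 PUBLISH packet (the version is an assumption; the page does not say which one was used), parses it back as a check, and reports how many bytes the MQTT framing and the AES-GCM expansion add to a constructed sensor reading, assuming the payload is sent as nonce || ciphertext || tag.

```python
# Added example (not the thesis author's code): MQTT 3.1.1 PUBLISH framing and the
# byte cost of AES-GCM payload encryption. Topic, reading and sizes are constructed.
import struct

GCM_NONCE_LEN = 12  # 96-bit nonce, the length recommended for AES-GCM
GCM_TAG_LEN = 16    # 128-bit authentication tag appended to the ciphertext
MAX_REMAINING_LENGTH = 268_435_455  # largest value the 4-byte varint can carry


def encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length integer: 7 data bits per byte, 0x80 marks continuation."""
    if not 0 <= n <= MAX_REMAINING_LENGTH:
        raise ValueError("remaining length out of range")
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n > 0:
            byte |= 0x80
        out.append(byte)
        if n == 0:
            return bytes(out)


def decode_remaining_length(buf: bytes, offset: int = 1) -> tuple:
    """Return (value, offset_after_varint); reject encodings longer than 4 bytes."""
    multiplier, value = 1, 0
    for i in range(4):
        byte = buf[offset + i]
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, offset + i + 1
        multiplier *= 128
    raise ValueError("malformed remaining length")


def encode_publish(topic: str, payload: bytes, qos: int = 0,
                   packet_id: int = 0, retain: bool = False) -> bytes:
    """Build a PUBLISH packet: fixed header, topic name, packet id (QoS 1/2), payload."""
    if qos not in (0, 1, 2):
        raise ValueError("qos must be 0, 1 or 2")
    topic_bytes = topic.encode("utf-8")
    variable_header = struct.pack("!H", len(topic_bytes)) + topic_bytes
    if qos > 0:  # the packet identifier exists only when the broker must acknowledge
        variable_header += struct.pack("!H", packet_id)
    first_byte = 0x30 | (qos << 1) | int(retain)  # type 3 (PUBLISH) in the high nibble
    body = variable_header + payload
    return bytes([first_byte]) + encode_remaining_length(len(body)) + body


def decode_publish(packet: bytes) -> dict:
    """Parse a PUBLISH packet back into its fields; used to check the encoder."""
    if packet[0] >> 4 != 3:
        raise ValueError("not a PUBLISH packet")
    qos = (packet[0] >> 1) & 0x03
    remaining, pos = decode_remaining_length(packet)
    if len(packet) - pos != remaining:
        raise ValueError("remaining length does not match packet size")
    topic_len = struct.unpack("!H", packet[pos:pos + 2])[0]
    pos += 2
    topic = packet[pos:pos + topic_len].decode("utf-8")
    pos += topic_len
    packet_id = None
    if qos > 0:
        packet_id = struct.unpack("!H", packet[pos:pos + 2])[0]
        pos += 2
    return {"topic": topic, "qos": qos, "packet_id": packet_id, "payload": packet[pos:]}


def overhead_report(topic: str, plaintext: bytes, qos: int = 0) -> dict:
    """Compare a plaintext PUBLISH with one whose payload is AES-GCM protected.
    Assumption (not stated on the page): nonce || ciphertext || tag travels as the
    payload, and GCM ciphertext has the same length as the plaintext."""
    plain_pkt = encode_publish(topic, plaintext, qos, packet_id=1)
    gcm_len = GCM_NONCE_LEN + len(plaintext) + GCM_TAG_LEN
    gcm_pkt = encode_publish(topic, b"\x00" * gcm_len, qos, packet_id=1)  # size stand-in
    return {
        "plain_packet_bytes": len(plain_pkt),
        "gcm_packet_bytes": len(gcm_pkt),
        "mqtt_overhead_bytes": len(plain_pkt) - len(plaintext),
        "gcm_extra_bytes": len(gcm_pkt) - len(plain_pkt),
        "gcm_overhead_pct": round(100 * (len(gcm_pkt) - len(plain_pkt)) / len(plain_pkt), 1),
    }


if __name__ == "__main__":
    # Constructed sensor reading and topic, not data from the thesis experiments
    reading = b'{"vib":12.5,"t":1542000000}'
    print(overhead_report("sensors/blast/1", reading, qos=1))
```

The report does not model TLS, whose record and handshake cost depends on the cipher suite and certificate chain; it isolates the two quantities the thesis measures at the MQTT layer.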