The (In)Security of Proprietary Cryptography
The (in)security of proprietary cryptography

Roel Verdult

Copyright © Roel Verdult, 2015
ISBN: 978-94-6259-622-1
IPA Dissertation Series: 2015-10
URL: http://roel.verdult.xyz/publications/phd_thesis-roel_verdult.pdf

Typeset using LaTeX

The work in this dissertation has been carried out under the auspices of the research school IPA (Institute for Programming research and Algorithmics). For more information, visit http://www.win.tue.nl/ipa/

XY-pic is used for typesetting graphs and diagrams in schematic representations of logical composition of visual components. XY-pic allows the style of pictures to match well with the exquisite quality of the surrounding TeX typeset material [RM99]. For more information, visit http://xy-pic.sourceforge.net/
[Sample XY-pic diagram: a pullback square X ×_Z Y with projections p, q, maps f, g and the induced map ⟨x,y⟩ from U; image not reproduced.]

The message sequence diagrams, charts and protocols in this dissertation are facilitated by the MSC macro package [MB01, BvDKM13]. It allows LaTeX users to easily include Message Sequence Charts in their texts. For more information, visit http://satoss.uni.lu/software/mscpackage/
[Sample MSC chart "Example": messages control, drill, test, startm1, startm2, log, continue and free exchanged between User and Machine 1, 2 and 3; image not reproduced.]

The graphical art of this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/

The remaining part of this work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Netherlands License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/3.0/nl/

The (in)security of proprietary cryptography

Doctoral Thesis to obtain the degree of doctor from Radboud University Nijmegen on the authority of the rector magnificus prof. dr. Th.L.M. Engelen according to the decision of the Council of Deans and to obtain the degree of doctor of Engineering Science from KU Leuven on the authority of the rector prof. dr. R. Torfs, to be defended in public on Tuesday, 21 April 2015 at exactly 14:30 hours by Roel Verdult, born in Zevenaar, the Netherlands, on 20 October 1982.

Supervisors: Prof. dr. Bart Jacobs; Prof. dr. ir. Ingrid Verbauwhede (KU Leuven, Belgium)
Co-supervisors: Dr. Lejla Batina; Dr. Claudia Diaz Martinez (KU Leuven, Belgium)
Doctoral Thesis Committee: Prof. dr. Eric Verheul; Dr. Jaap-Henk Hoepman; Prof. dr. Herbert Bos (Vrije Universiteit Amsterdam, The Netherlands); Prof. dr. Srdjan Čapkun (ETH Zurich, Switzerland); Prof. dr. Thorsten Holz (Ruhr-Universität Bochum, Germany)
KU Leuven Examination Board: Prof. dr. Wim Dehaene (KU Leuven, Belgium); Prof. dr. Bart Preneel (KU Leuven, Belgium); Prof. dr. Herman Neuckermans (KU Leuven, Belgium); Prof. dr.
Gildas Avoine (Université Catholique de Louvain, Belgium)

A tribute to my dearest family: Irma, Twan and Sten

Acknowledgements

It has been a great honour to work with my direct colleagues at the Digital Security group of the Radboud University, who worked with me as co-authors, but most of all, as best friends. They inspired me to explore the path of science, which enabled me to write this doctoral dissertation. I am extremely grateful for their guidance, didactics, insights and support. I would like to specially thank Flavio Garcia and Gerhard de Koning Gans, who have been working beside me from day one. Without their feedback and continuous support, I would not have realized my admiration for science and discovered the contribution that I have to offer. Furthermore, I'm grateful to my first promotor Bart Jacobs, who is an excellent example of a dedicated and outstanding scientist who is concurrently involved in society.

My gratitude goes to all the members of the Radboud University reading committee and KU Leuven examination board, Eric Verheul, Jaap-Henk Hoepman, Wim Dehaene, Bart Preneel, Herman Neuckermans, Gildas Avoine, Herbert Bos, Srdjan Čapkun and Thorsten Holz, who helped improve this doctoral dissertation a lot with their valuable and professional comments. Additionally, I would like to thank my friends and family, and especially my father Ad Verdult, for helping me improve the language of this thesis.

It was pleasant to work with my second promotor Ingrid Verbauwhede and her research group at the KU Leuven. Specifically, I would like to thank my direct colleague from Belgium, Josep Balasch. Besides our scientific collaboration, he also assisted me numerous times to comply with rules and administrative protocols of the KU Leuven.

During the security research that I performed with my colleagues, several friendly and prominent contacts were established.
We collaborated extensively with governments, secret services, nationwide police forces and large corporations. However, despite our efforts to carefully disclose sensitive information in a responsible way, there were a few unfortunate events where we faced legal pressure that tried to restrain us from publishing the details of our work. During such an event we have always been firmly supported by the legal department and executive board of the Radboud University. My gratitude goes especially to Bas Kortmann, former rector magnificus of the Radboud University, and Dorine Gebbink, head of legal affairs.

Although it is impossible to name every person, I would like to show my gratitude to all the people who supported me in many ways over the last years. During this period I have acquired a lot of knowledge, skills and experience. I'm very thankful for that.

Finally, I would like to express my admiration, gratitude and love to my wife and children. They have always supported me during my research and the long days that I've spent writing this thesis. I will be forever grateful for their love and care.

Roel Verdult
Oosterbeek, March 2015

Abstract

Proprietary cryptography is a term used to describe custom encryption techniques that are kept secret by their designers to add additional security. It is questionable whether such an approach increases the cryptographic strength of the underlying mathematical algorithms. The security of proprietary encryption techniques relies entirely on the competence of the semiconductor companies, which keep the technical description strictly confidential after designing it. It is difficult to give a public and independent security assessment of the cryptography without access to the detailed information of the design.

Proprietary cryptography is currently deployed in many products which are used on a daily basis by the majority of people worldwide.
It is embedded in the computational core of many wireless and contactless devices used in access control systems and vehicle immobilizers. Contactless access control cards are used in various security systems. Examples include the use in public transport, payment terminals, office buildings and even in highly secure facilities such as ministries, banks, nuclear power plants and prisons. Many of these access control cards are based on proprietary encryption techniques. Prominent examples are the widely deployed contactless access control systems that use the MIFARE Classic, iClass and Cryptomemory technology.

A vehicle immobilizer is an electronic device that prevents the engine of the vehicle from starting when the corresponding transponder is not present. This transponder is a wireless radio frequency chip which is typically embedded in the plastic casing of the car key. When the driver tries to start the vehicle, the car authenticates the transponder before starting the engine, thus preventing hot-wiring. According to European Commission directive 95/56/EC it is mandatory that all cars sold in the EU from 1995 onwards are fitted with an electronic immobilizer. In practice, almost all recently sold cars in Europe are protected by transponders that embed one of the two proprietary encryption techniques Hitag2 or Megamos Crypto.

In this doctoral thesis well-known techniques are combined with novel methods to analyze the workings of the previously mentioned proprietary cryptosystems. The cryptographic strength and security features of each system are comprehensively evaluated. The technical chapters describe various weaknesses and practical cryptanalytic attacks which can be mounted by an adversary that uses only ordinary, consumer-grade hardware. This emphasizes the seriousness of the findings and their relevance to the level of protection that is actually offered.
The identified vulnerabilities are often plain design mistakes, which means the cryptosystems have been exploitable since their introduction.

The first part of this dissertation is dedicated to an introduction of the general field of computer security and cryptography. It includes an extensive description of the theoretical background that refers to related literature and gives a summary of well-known cryptographic attack techniques. Additionally, a broad summary of related scientific research on proprietary cryptography is given. Finally, the technical part of this doctoral dissertation presents serious weaknesses in widely deployed proprietary cryptosystems, which are still actively used by billions of consumers in their daily lives.