Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion . Cryptanalysis of the “Kindle” Cipher Alex Biryukov, Gaëtan Leurent, Arnab Roy University of Luxembourg SAC 2012 A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 1 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion . Cryptography: theory and practice In theory In practice ▶ Random Oracle ▶ Algorithms ▶ ▶ Ideal Cipher AES ▶ SHA2 ▶ Perfect source of ▶ RSA randomness ▶ Modes of operation ▶ CBC ▶ OAEP ▶ ... ▶ . Random Number Generators ▶ Hardware RNG ▶ PRNG A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 2 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion . Cryptography in the real world Several examples of flaws in industrial cryptography: ▶ Bad random source ▶ SLL with 16bit entropy (Debian) ▶ ECDSA with fixed k (Sony) ▶ Bad key size ▶ RSA512 (TI) ▶ Export restrictions... ▶ Bad mode of operation ▶ CBCMAC with the RC4 streamcipher (Microsoft) ▶ TEA with DaviesMeyer (Microsoft) ▶ Bad (proprietary) algorithm ▶ A5/1 (GSM) ▶ CSS (DVD forum) ▶ Crypto1 (MIFARE/NXP) ▶ KeeLoq (Microchip) A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 3 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion . Amazon Kindle ▶ Ebook reader by Amazon ▶ Most popular ebook reader (≈ 50% share) ▶ 4 generations, 7 devices ▶ Software reader for 7 OS, plus cloud reader ▶ Several million devices sold ▶ Amazon sells more ebooks than paper books ▶ Uses crypto for DRM (Digital Rights Management) A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 4 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion . Digital Rights Management ▶ Company sells media (music, video, ebook, game, ...) ▶ Wants to prevent sharing . ▶ Customer should read but not copy Charly DRM scheme ▶ Encipher media ▶ Bob Give player to users ▶ Hardware or software Alice ▶ Player contains the key A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 5 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion . Digital Rights Management ▶ Company sells media (music, video, ebook, game, ...) ▶ Wants to prevent sharing . ▶ Customer should read but not copy Charly DRM scheme ▶ Encipher media ▶ ? Bob Give player to users ▶ Hardware or software Alice ▶ Player contains the key A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 5 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion . Breaking DRM ▶ Copy the media while being played . ▶ Extract the key from the player, decipher media . Tamperproof hardware? Obfuscation? Whitebox crypto? ▶ No need to break the crypto! ▶ Pirates break once, copy... A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 6 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion . Digital Rights Management Legal User ▶ Can only use authorized player ▶ Collection lockedin . ▶ DRM can restrict user rights ▶ Lending, reselling, ... Charly ▶ No format shifting: ▶ play DVD on tablet ▶ read ebook w/ speech synth. Bob Illegal User Alice ▶ Can still find illegal copies ▶ Can do anything with the media A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 7 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion . DRM on the Kindle ▶ Kindle ebooks use DRM ▶ Like any DRM system, it is bound to fail ▶ In practice, it is easy to extract the key (Google for details...) Overview ▶ In this talk, we study the cipher used in this DRM system We don’t study the DRM system itself ▶ The DRM system uses a cipher called PC1 ▶ It’s a really weak cipher... A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 8 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion . Outline Introduction Cryptography in the real world Digital Rights Management The PC1 Cipher Description Weaknesses Known-plaintext key-recovery Collision detection Key recovery Ciphertext only key-recovery Bias with independent keys Recovering the plaintext A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 9 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion . The PC1 Cipher ▶ Designed by Pukall in 1991 ▶ Posted on Usenet p π s 8 ▶ Kindle DRM based on PC1 8 16 ▶ Selfsynchronizing stream cipher No IV! w . ▶ k 128 햪향 8 × 16 햲향 16bit arithmetic: add, mult, xor Main loop (햪향 and 햲향) σk σs 16 16 for 0 ≤ i < 8 do 16 w ← w ⊕ ki ⊕ (π × 257) 햿허헅햽 x ← 346 × w 8 σ w ← 20021 × w + 1 p c s ← s + x σ ← σ ⊕ w ⊕ s s ← 20021 × (s + (i+1 mod 8)) + x A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 10 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion . Weakness 1: T-functions Weakness This is a Tfunction p π s 8 ▶ Low bits of the output 8 16 depend only on the low bits of the input . w ▶ Add, mult, xor k 8 × 16 햪향 8 × 16 햲향 ▶ Guess 8 × 9 bits of the key σk σs 16 16 ▶ Get 9 bits before the fold 16 ▶ Get 1 bit after the fold 햿허헅햽 ▶ Verify with known plaintext 8 σ p c ▶ Complexity: 272 some bytes of known plaintext A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 11 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion . Weakness 2: small state Weakness The state is very small p π s 8 s 16bit 8 16 π 8bit, keyindependent . w k 8 × 16 햪향 8 × 16 햲향 ▶ Build a set of plaintexts xi‖y, xi’s with fixed xorsum σk σs ▶ With high probability the 16 16 16 state collides after xi and xj 햿허헅햽 ▶ Same encryption of y 8 σ p c ▶ Complexity: 28 CP (distinguisher) A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 12 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion . Outline Introduction Cryptography in the real world Digital Rights Management The PC1 Cipher Description Weaknesses Known-plaintext key-recovery Collision detection Key recovery Ciphertext only key-recovery Bias with independent keys Recovering the plaintext A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 13 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion . Collision detection Can we use state collisions in a knownplaintext attack? How much wood could a woodchuck chuck gfecuhaupmaqcdlvtognfgdhisqghugbrfqvc if a woodchuck could chuck wood? ghxadiaphjjxicwpidkasqghugbqsjbf ▶ In a natural language text, some words will be repeated. ▶ With some probability (p ≈ 2−24), two instances of a repeated word begin with the same state. ▶ This gives a repetition in the ciphertext. ▶ When we detect a repetition in the plaintext and ciphertext, we can assume that the state is colliding. A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 14 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion . Collision detection Can we use state collisions in a knownplaintext attack? How much wood could a woodchuck chuck gfecuhaupmaqcdlvtognfgdhisqghugbrfqvc if a woodchuck could chuck wood? ghxadiaphjjxicwpidkasqghugbqsjbf ▶ In a natural language text, some words will be repeated. ▶ With some probability (p ≈ 2−24), two instances of a repeated word begin with the same state. ▶ This gives a repetition in the ciphertext. ▶ When we detect a repetition in the plaintext and ciphertext, we can assume that the state is colliding. A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 14 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion . Collision detection Can we use state collisions in a knownplaintext attack? How much wood could a woodchuck chuck gfecuhaupmaqcdlvtognfgdhisqghugbrfqvc if a woodchuck could chuck wood? ghxadiaphjjxicwpidkasqghugbqsjbf ▶ In a natural language text, some words will be repeated. ▶ With some probability (p ≈ 2−24), two instances of a repeated word begin with the same state. ▶ This gives a repetition in the ciphertext. ▶ When we detect a repetition in the plaintext and ciphertext, we can assume that the state is colliding. A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 14 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion . Collision detection Can we use state collisions in a knownplaintext attack? How much wood could a woodchuck chuck gfecuhaupmaqcdlvtognfgdhisqghugbrfqvc if a woodchuck could chuck wood? ghxadiaphjjxicwpidkasqghugbqsjbf ▶ In a natural language text, some words will be repeated. ▶ With some probability (p ≈ 2−24), two instances of a repeated word begin with the same state. ▶ This gives a repetition in the ciphertext. ▶ When we detect a repetition in the plaintext and ciphertext, we can assume that the state is colliding. A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 14 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion . Collision Based Key-recovery p π s ▶ Use state collisions to 8 8 16 test key guess ▶ Skip output part . w k 8 × 16 햪향 8 × 16 햲향 Weakness This is a Tfunction σk σs ▶ 16 16 Guess 8 × 1 bits of the key 16 ▶ Compute 1 bit of s, 햿허헅햽 check collisions in s 8 σ ▶ Repeat with 2nd bit, ... p c A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 15 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion . Collision Based Key-recovery p π s ▶ Use state collisions to 8 8 16 test key guess ▶ Skip output part .