A Low Data Complexity Attack on the GMR-2 Cipher Used in the Satellite Phones

A Low Data Complexity Attack on the GMR-2 Cipher Used in the Satellite Phones

A Low Data Complexity Attack on the GMR-2 Cipher Used in the Satellite Phones Ruilin Li, Heng Li, Chao Li, Bing Sun National University of Defense Technology, Changsha, China FSE 2013, Singapore 11th ~13th March, 2013 Outline • Backgrounds and the GMR-2 Cipher • Revisit the Component of the GMR-2 Cipher • The Low Data Complexity Attack • Experimental Result • Conclusion 2 Outline • Backgrounds and the GMR-2 Cipher • Revisit each Component of the GMR-2 Cipher • The Low Data Complexity Attack • Experimental Result • Conclusion 3 Backgrounds and the GMR-2 Cipher • Mobile communication systems have revolutionized the way we interact with each other – GSM, UMTS, CDMA2000, 3GPP LTE • When do we need satellite based mobile system? – In some special cases • researchers on a field trip in a desert • crew on ships on open sea • people living in remote areas or areas that are affected by a natural disaster 4 Backgrounds and the GMR-2 Cipher • What is GMR? – GMR stands for GEO-Mobile Radio – GEO stands for Geostationary Earth Orbit – Design heavily inspired from GSM 5 Backgrounds and the GMR-2 Cipher • Two major GMR Standards – GMR-1 (de-facto standard, Thuraya etc) – GMR-2 (Inmarsat and AcES) • How to protect the security of the communication in GMR system? – Using symmetric cryptography – Both the authentication and encryption are similar as that of GSM A3/A5 algorithms. 6 Backgrounds and the GMR-2 Cipher • Encryption Algorithms in GMR – Stream ciphers – Reconstructed by Driessen et al. • GMR-1 Cipher – Based on A5/2 of GSM – Totally broken by ciphertext-only attack • GMR-2 Cipher – New design strategy – Can be broken by known-plaintext attack – Read-collision based technique 7 Backgrounds and the GMR-2 Cipher • In this talk, we focus on GMR-2 stream cipher – Revisit components of the GMR-2 cipher – Propose dynamic guess and determine strategy – Present a low data complexity attack 8 Outline • Backgrounds and the GMR-2 Cipher • Revisit each Component of the GMR-2 Cipher • The Low Data Complexity Attack • Experimental Result • Conclusion 9 Revisit each Component of the GMR-2 Cipher • Encryption mechanism of the GMR-2 cipher – Data are divided into frames identified by the frame number with 22-bits – New frame is re-initialized – Each frame contains 120-bit (15-byte) • Parameters of the GMR-2 cipher – Key length: 64-bit (Session key) – IV length: 22-bit (Frame number) – Key stream bits length within a frame: 120-bit 10 Revisit each Component of the GMR-2 Cipher K t 1 8 6 Z c F G H 8 l 3 4 6 s7 s6 …… s1 s0 8 p • An overview on the GMR-2 cipher – 8-byte shift register S, a 3-bit counter c, and a toggle bit t – byte-oriented, three major components – F combines two bytes of session key with previous output – G is a linear function for mixing purpose – H consists two DES Sboxes as a nonlinear filter 11 Revisit each Component of the GMR-2 Cipher K t O0 t 2 >>> 8 a K0 K1 K2 K3 K4 K5 K6 K7 t O1 1 Å 4 c 4 4 Å 8 p • The F component – At the l-th clock, the input • 8-byte array holding the session key K, read from two sides. • a counter c ranging from 0 to 7 sequentially and repeatedly. • a toggle bit t=c mod 2. • the previous key stream byte p=Zl-1 12 Revisit each Component of the GMR-2 Cipher K t O0 t 2 >>> 8 a K0 K1 K2 K3 K4 K5 K6 K7 t O1 1 Å 4 c 4 4 Å 8 p • The F component – The lower side outputs Kc with the help of the counter c. – The upper output depends on the lower output Kc , the previous key stream byte p and the toggle bit t. – t1 maps 4-bit to 3-bit which select the upper output. – t 2 maps 3-bit to 3-bit which determine the rotation. 13 Revisit each Component of the GMR-2 Cipher K t O0 t 2 >>> 8 a K0 K1 K2 K3 K4 K5 K6 K7 t O1 1 Å 4 c 4 4 Å 8 p • The F component – The output is ìOK= t( t ( a )) ï 0t1 ( a )• 2 1 í îïO1 =((( Kc Å p )? 4) & 0xF) Å (( K c Å p ) & 0xF) ì(KÅ p ) & 0xF, if t = 0 a = c í 14 î((Kc Å p )? 4)&0xF, if t = 1 Revisit each Component of the GMR-2 Cipher B1 O0¢ O0 6 8 B1 O1 B3 Å 4 B2 O¢ 8 1 B2 6 S0 • The G component ìB13210:(,,,)( x x x xa x 3032031ÅÅx , x x Å x ,,); x x ï íB2:(,,,) x 3 x 2 x 1 x 0a (, x1 x 3 , x 0 , x2 ); ï îB3:(,,,)(x 3 x 2 x 1 x 0a x2, x 0, x 3Å x 1 Å x 0 , x 3 Å x 0 ). 15 Revisit each Component of the GMR-2 Cipher t O¢ 2 Z 0 6 S 4 l 8 O¢ 6 1 S 4 6 • The H component ( (O¢ ), ( O ¢ )) if t = 0 ì SS2 1 6 0 8 Zl =í ( (O¢ ), ( O ¢ )) if t = 1 î SS2 0 6 1 8 where and are the two sboxes of DES. Assume the input of SS2 6 is (x , x , x , x , x , x ), then ( x , x ) selects the row index, and S 5 4 3 2 1 0 1 0 16 (x5 , x 4 , x3 , x 2 ) selects the column index. Revisit each Component of the GMR-2 Cipher F G H • Initialization Mode – Set c=0, t=0, and initialize S with frame number N – 8-byte key is written into the resister in F – Clock the cipher 8 times and discard the output Zl 17 Revisit each Component of the GMR-2 Cipher F G H • Generation Mode – For each frame number N, further clock the cipher 15 times, and the output keystream is ¢ (0) (0) (0) (1) (1) (1) (2) ZZZZZZZZ=(,,,;,,;,)0 1LLL 14 0 1 14 0 ()N Zl denotes the l-th byte of keystream generated after initialization with N 18 Revisit each Component of the GMR-2 Cipher • Property of F ì(Kc Å p ) & 0xF, if t = 0 a = í î((Kc Å p )? 4)&0xF, if t = 1 – If p is known, then we can get the value of a only by the most/least significant four bits of Kc K t O0 t 2 >>> 8 a K0 K1 K2 K3 K4 K5 K6 K7 t O1 1 Å 4 c 4 4 Å 8 19 p Revisit each Component of the GMR-2 Cipher • Property of H – We can “invert ” / SS2 6 • Given the row index and the output, the column index can be uniquely obtained. • Given the column index and the output, the row index can be uniquely obtained, except for when the column index is 4 and S 6 the output is 9, the row index can be either 0 or 3. • Given the outputs of both S-boxes, there will be 16 possible inputs. 2 O0¢ S Z l ¢ O1 S6 20 Revisit each Component of the GMR-2 Cipher • Property of G – The key point – The links between the input and output of the G component can be expressed by a well-structured matrix B1 O0¢ O0 6 8 B1 O1 B3 Å 4 B2 O¢ 8 1 B2 6 21 S0 æO ' ö 0 , 5 æO ö ç ÷ 0 , 7 æS 0 , 5 ö çO ' ÷ é100100000000 ù ç ÷ ç ÷ 0 , 4 ê ú O ç ÷ ç0 , 6 ÷ çS 0 , 7 ÷ ' ê1 1 0 1 0 0 0 0 0 0 0 0 ú çO 0 , 3 ÷ ç ÷ ç ÷ O 0 , 5 S ç ÷ ê1 0 0 0 0 0 0 0 0 0 0 0 ú ç ÷ ç0 , 4 ÷ ' ê ú çO 0 , 2 ÷ çO ÷ ç ÷ ê 0 0 1 0 0 0 0 0 0 0 0 0 ú 0 , 4 S 0 , 6 ç' ÷ ç ÷ ç ÷ O 1, 5 ê ú O ç ÷ 0 0 0 0 1 0 0 1 0 0 0 0 ç0 , 3 ÷ çS 0 ,1 ÷ ç' ÷ ê ú ç ÷ ç ÷ O 1, 4 ê 0 0 0 0 1 1 0 1 0 0 0 0 ú O 0 , 2 S ç ÷ = ç ÷ Å ç 0 , 3 ÷ ç' ÷ ê ú gç ÷ O 000010000000 O 0 ,1 ç S ÷ ç1, 3 ÷ ê ú ç ÷ ç 0 , 0 ÷ ' ê 000000100000 ú çO ÷ çO 1, 2 ÷ 0 , 0 ç S 0 , 2 ÷ ç ÷ ê ú ç ÷ ç ÷ ' 0 0 0 0 0 0 0 0 1 0 1 1 ê ú çO 1 , 3 ÷ 0 çO 0 ,1 ÷ ç ÷ ê0 0 0 0 0 0 0 0 1 0 0 1 ú ç ÷ ç' ÷ O ç ÷ O ê ú ç1 , 2 ÷ 0 ç0 , 0 ÷ 0 0 0 0 0 0 0 0 0 1 0 0 ç ÷ ç ÷ ê ú çO ÷ ç 0 ÷ ' ê ú 1 ,1 çO 1,1 ÷ 0 0 0 0 0 0 0 0 0 0 0 1 ç ÷ ç ÷ ë û ç ÷ 0 ç' ÷ èO 1 , 0 ø è ø èO 1, 0 ø 22 æO ' ö 0 , 5 æO ö ç ÷ 0 , 7 æS 0 , 5 ö çO ' ÷ é100100000000 ù ç ÷ ç ÷ 0 , 4 ê ú O ç ÷ ç0 , 6 ÷ çS 0 , 7 ÷ ' ê1 1 0 1 0 0 0 0 0 0 0 0 ú çO 0 , 3 ÷ ç ÷ ç ÷ O 0 , 5 S ç ÷ ê1 0 0 0 0 0 0 0 0 0 0 0 ú ç ÷ ç0 , 4 ÷ ' ê ú çO 0 , 2 ÷ çO ÷ ç ÷ ê 0 0 1 0 0 0 0 0 0 0 0 0 ú 0 , 4 S 0 , 6 ç' ÷ ç ÷ ç ÷ O 1, 5 ê ú O ç ÷ 0 0 0 0 1 0 0 1 0 0 0 0 ç0 , 3 ÷ çS 0 ,1 ÷ ç' ÷ ê ú ç ÷ ç ÷ O 1, 4 ê 0 0 0 0 1 1 0 1 0 0 0 0 ú O 0 , 2 S ç ÷ = ç ÷ Å ç 0 , 3 ÷ ç' ÷ ê ú gç ÷ O 000010000000 O 0 ,1 ç S ÷ ç1, 3 ÷ ê ú ç ÷ ç 0 , 0 ÷ ' ê 000000100000 ú çO ÷ çO 1, 2 ÷ 0 , 0 ç S 0 , 2 ÷ ç ÷ ê ú ç ÷ ç ÷ ' 0 0 0 0 0 0 0 0 1 0 1 1 ê ú çO 1 , 3 ÷ 0 çO 0 ,1 ÷ ç ÷ ê0 0 0 0 0 0 0 0 1 0 0 1 ú ç ÷ ç' ÷ O ç ÷ O ê ú ç1 , 2 ÷ 0 ç0 , 0 ÷ 0 0 0 0 0 0 0 0 0 1 0 0 ç ÷ ç ÷ ê ú çO ÷ ç 0 ÷ ' ê ú 1 ,1 çO 1,1 ÷ 0 0 0 0 0 0 0 0 0 0 0 1 ç ÷ ç ÷ ë û ç ÷ 0 ç' ÷ èO 1 , 0 ø è ø èO 1, 0 ø 23 æO ' ö 0 , 5 æO ö ç ÷ 0 , 7 æS 0 , 5 ö çO ' ÷ é100100000000 ù ç ÷ ç ÷ 0 , 4 ê ú O ç ÷ ç0 , 6 ÷ çS 0 , 7 ÷ ' ê1 1 0 1 0 0 0 0 0 0 0 0 ú çO 0 , 3 ÷ A ç ÷ ç ÷ O 0 , 5 S ç ÷ ê1 0 0 0 0 0 0 0 0 0 0 0 ú ç ÷ ç0 , 4 ÷ y ' ê ú 1 çO 0 , 2 ÷ çO ÷ x ç ÷ ê 0 0 1 0 0 0 0 0 0 0 0 0 ú 0 , 4 1 S 0 , 6 v1 ç' ÷ ç ÷ ç ÷ O 1, 5 ê ú O ç ÷ 0 0 0 0 1 0 0 1 0 0 0 0 ç0 , 3 ÷ çS 0 ,1 ÷ ç' ÷ ê ú ç ÷ ç ÷ O 1, 4 ê 0 0 0 0 1 1 0 1 0 0 0 0 ú O 0 , 2 S ç ÷ = ç ÷ Å ç 0 , 3 ÷ ç' ÷ ê A ú gç ÷ O 000010000000 O 0 ,1 ç S ÷ ç1, 3 ÷ ê ú ç ÷ ç 0 , 0 ÷ ' ê 000000100000 ú çO ÷ çO 1, 2 ÷ 0 , 0 ç S 0 , 2 ÷ ç ÷ ê ú ç ÷ ç ÷ ' 0 0 0 0 0 0 0 0 1 0 1 1 ê ú çO 1 , 3 ÷ 0 çO 0 ,1 ÷ ç ÷ ê0 0 0 0 0 0 0 0 1 0 0 1 ú ç ÷ ç' ÷ O ç ÷ O ê ú ç1 , 2 ÷ 0 y ç0 , 0 ÷ 0 0 0 0 0 0 0 0 0 1B 0 0 ç ÷ 2 ç ÷ ê ú çO ÷ x ç 0 ÷ ' ê ú 1 ,1 2 v2 çO 1,1 ÷ 0 0 0 0 0 0 0 0 0 0 0 1 ç ÷ ç ÷ ë û ç ÷ 0 ç' ÷ èO 1 , 0 ø è ø èO 1, 0 ø 24 Revisit each Component of the GMR-2 Cipher • Three linear systems 25 Revisit each Component of the GMR-2 Cipher • Another linear system – Let then thus from we obtain 26 Revisit each Component of the GMR-2 Cipher ìy =W· x Å v ï ïy1 =W1· x1 Å v 1 ï íy2 =W2· x2 Å v 2 ïy =W· kÅ W· k Å W· uÅ v ï 2 2h 2 l 2 2 ïx = K t(() t a ) î 1 t1 ( a )• 2 1 • W,,, W1 W 2, v v 1, v 2 u are known values.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    45 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us