A Low Data Complexity Attack on the GMR-2 Cipher Used in the Satellite Phones Ruilin Li, Heng Li, Chao Li, Bing Sun National University of Defense Technology, Changsha, China FSE 2013, Singapore 11th ~13th March, 2013 Outline • Backgrounds and the GMR-2 Cipher • Revisit the Component of the GMR-2 Cipher • The Low Data Complexity Attack • Experimental Result • Conclusion 2 Outline • Backgrounds and the GMR-2 Cipher • Revisit each Component of the GMR-2 Cipher • The Low Data Complexity Attack • Experimental Result • Conclusion 3 Backgrounds and the GMR-2 Cipher • Mobile communication systems have revolutionized the way we interact with each other – GSM, UMTS, CDMA2000, 3GPP LTE • When do we need satellite based mobile system? – In some special cases • researchers on a field trip in a desert • crew on ships on open sea • people living in remote areas or areas that are affected by a natural disaster 4 Backgrounds and the GMR-2 Cipher • What is GMR? – GMR stands for GEO-Mobile Radio – GEO stands for Geostationary Earth Orbit – Design heavily inspired from GSM 5 Backgrounds and the GMR-2 Cipher • Two major GMR Standards – GMR-1 (de-facto standard, Thuraya etc) – GMR-2 (Inmarsat and AcES) • How to protect the security of the communication in GMR system? – Using symmetric cryptography – Both the authentication and encryption are similar as that of GSM A3/A5 algorithms. 6 Backgrounds and the GMR-2 Cipher • Encryption Algorithms in GMR – Stream ciphers – Reconstructed by Driessen et al. • GMR-1 Cipher – Based on A5/2 of GSM – Totally broken by ciphertext-only attack • GMR-2 Cipher – New design strategy – Can be broken by known-plaintext attack – Read-collision based technique 7 Backgrounds and the GMR-2 Cipher • In this talk, we focus on GMR-2 stream cipher – Revisit components of the GMR-2 cipher – Propose dynamic guess and determine strategy – Present a low data complexity attack 8 Outline • Backgrounds and the GMR-2 Cipher • Revisit each Component of the GMR-2 Cipher • The Low Data Complexity Attack • Experimental Result • Conclusion 9 Revisit each Component of the GMR-2 Cipher • Encryption mechanism of the GMR-2 cipher – Data are divided into frames identified by the frame number with 22-bits – New frame is re-initialized – Each frame contains 120-bit (15-byte) • Parameters of the GMR-2 cipher – Key length: 64-bit (Session key) – IV length: 22-bit (Frame number) – Key stream bits length within a frame: 120-bit 10 Revisit each Component of the GMR-2 Cipher K t 1 8 6 Z c F G H 8 l 3 4 6 s7 s6 …… s1 s0 8 p • An overview on the GMR-2 cipher – 8-byte shift register S, a 3-bit counter c, and a toggle bit t – byte-oriented, three major components – F combines two bytes of session key with previous output – G is a linear function for mixing purpose – H consists two DES Sboxes as a nonlinear filter 11 Revisit each Component of the GMR-2 Cipher K t O0 t 2 >>> 8 a K0 K1 K2 K3 K4 K5 K6 K7 t O1 1 Å 4 c 4 4 Å 8 p • The F component – At the l-th clock, the input • 8-byte array holding the session key K, read from two sides. • a counter c ranging from 0 to 7 sequentially and repeatedly. • a toggle bit t=c mod 2. • the previous key stream byte p=Zl-1 12 Revisit each Component of the GMR-2 Cipher K t O0 t 2 >>> 8 a K0 K1 K2 K3 K4 K5 K6 K7 t O1 1 Å 4 c 4 4 Å 8 p • The F component – The lower side outputs Kc with the help of the counter c. – The upper output depends on the lower output Kc , the previous key stream byte p and the toggle bit t. – t1 maps 4-bit to 3-bit which select the upper output. – t 2 maps 3-bit to 3-bit which determine the rotation. 13 Revisit each Component of the GMR-2 Cipher K t O0 t 2 >>> 8 a K0 K1 K2 K3 K4 K5 K6 K7 t O1 1 Å 4 c 4 4 Å 8 p • The F component – The output is ìOK= t( t ( a )) ï 0t1 ( a )• 2 1 í îïO1 =((( Kc Å p )? 4) & 0xF) Å (( K c Å p ) & 0xF) ì(KÅ p ) & 0xF, if t = 0 a = c í 14 î((Kc Å p )? 4)&0xF, if t = 1 Revisit each Component of the GMR-2 Cipher B1 O0¢ O0 6 8 B1 O1 B3 Å 4 B2 O¢ 8 1 B2 6 S0 • The G component ìB13210:(,,,)( x x x xa x 3032031ÅÅx , x x Å x ,,); x x ï íB2:(,,,) x 3 x 2 x 1 x 0a (, x1 x 3 , x 0 , x2 ); ï îB3:(,,,)(x 3 x 2 x 1 x 0a x2, x 0, x 3Å x 1 Å x 0 , x 3 Å x 0 ). 15 Revisit each Component of the GMR-2 Cipher t O¢ 2 Z 0 6 S 4 l 8 O¢ 6 1 S 4 6 • The H component ( (O¢ ), ( O ¢ )) if t = 0 ì SS2 1 6 0 8 Zl =í ( (O¢ ), ( O ¢ )) if t = 1 î SS2 0 6 1 8 where and are the two sboxes of DES. Assume the input of SS2 6 is (x , x , x , x , x , x ), then ( x , x ) selects the row index, and S 5 4 3 2 1 0 1 0 16 (x5 , x 4 , x3 , x 2 ) selects the column index. Revisit each Component of the GMR-2 Cipher F G H • Initialization Mode – Set c=0, t=0, and initialize S with frame number N – 8-byte key is written into the resister in F – Clock the cipher 8 times and discard the output Zl 17 Revisit each Component of the GMR-2 Cipher F G H • Generation Mode – For each frame number N, further clock the cipher 15 times, and the output keystream is ¢ (0) (0) (0) (1) (1) (1) (2) ZZZZZZZZ=(,,,;,,;,)0 1LLL 14 0 1 14 0 ()N Zl denotes the l-th byte of keystream generated after initialization with N 18 Revisit each Component of the GMR-2 Cipher • Property of F ì(Kc Å p ) & 0xF, if t = 0 a = í î((Kc Å p )? 4)&0xF, if t = 1 – If p is known, then we can get the value of a only by the most/least significant four bits of Kc K t O0 t 2 >>> 8 a K0 K1 K2 K3 K4 K5 K6 K7 t O1 1 Å 4 c 4 4 Å 8 19 p Revisit each Component of the GMR-2 Cipher • Property of H – We can “invert ” / SS2 6 • Given the row index and the output, the column index can be uniquely obtained. • Given the column index and the output, the row index can be uniquely obtained, except for when the column index is 4 and S 6 the output is 9, the row index can be either 0 or 3. • Given the outputs of both S-boxes, there will be 16 possible inputs. 2 O0¢ S Z l ¢ O1 S6 20 Revisit each Component of the GMR-2 Cipher • Property of G – The key point – The links between the input and output of the G component can be expressed by a well-structured matrix B1 O0¢ O0 6 8 B1 O1 B3 Å 4 B2 O¢ 8 1 B2 6 21 S0 æO ' ö 0 , 5 æO ö ç ÷ 0 , 7 æS 0 , 5 ö çO ' ÷ é100100000000 ù ç ÷ ç ÷ 0 , 4 ê ú O ç ÷ ç0 , 6 ÷ çS 0 , 7 ÷ ' ê1 1 0 1 0 0 0 0 0 0 0 0 ú çO 0 , 3 ÷ ç ÷ ç ÷ O 0 , 5 S ç ÷ ê1 0 0 0 0 0 0 0 0 0 0 0 ú ç ÷ ç0 , 4 ÷ ' ê ú çO 0 , 2 ÷ çO ÷ ç ÷ ê 0 0 1 0 0 0 0 0 0 0 0 0 ú 0 , 4 S 0 , 6 ç' ÷ ç ÷ ç ÷ O 1, 5 ê ú O ç ÷ 0 0 0 0 1 0 0 1 0 0 0 0 ç0 , 3 ÷ çS 0 ,1 ÷ ç' ÷ ê ú ç ÷ ç ÷ O 1, 4 ê 0 0 0 0 1 1 0 1 0 0 0 0 ú O 0 , 2 S ç ÷ = ç ÷ Å ç 0 , 3 ÷ ç' ÷ ê ú gç ÷ O 000010000000 O 0 ,1 ç S ÷ ç1, 3 ÷ ê ú ç ÷ ç 0 , 0 ÷ ' ê 000000100000 ú çO ÷ çO 1, 2 ÷ 0 , 0 ç S 0 , 2 ÷ ç ÷ ê ú ç ÷ ç ÷ ' 0 0 0 0 0 0 0 0 1 0 1 1 ê ú çO 1 , 3 ÷ 0 çO 0 ,1 ÷ ç ÷ ê0 0 0 0 0 0 0 0 1 0 0 1 ú ç ÷ ç' ÷ O ç ÷ O ê ú ç1 , 2 ÷ 0 ç0 , 0 ÷ 0 0 0 0 0 0 0 0 0 1 0 0 ç ÷ ç ÷ ê ú çO ÷ ç 0 ÷ ' ê ú 1 ,1 çO 1,1 ÷ 0 0 0 0 0 0 0 0 0 0 0 1 ç ÷ ç ÷ ë û ç ÷ 0 ç' ÷ èO 1 , 0 ø è ø èO 1, 0 ø 22 æO ' ö 0 , 5 æO ö ç ÷ 0 , 7 æS 0 , 5 ö çO ' ÷ é100100000000 ù ç ÷ ç ÷ 0 , 4 ê ú O ç ÷ ç0 , 6 ÷ çS 0 , 7 ÷ ' ê1 1 0 1 0 0 0 0 0 0 0 0 ú çO 0 , 3 ÷ ç ÷ ç ÷ O 0 , 5 S ç ÷ ê1 0 0 0 0 0 0 0 0 0 0 0 ú ç ÷ ç0 , 4 ÷ ' ê ú çO 0 , 2 ÷ çO ÷ ç ÷ ê 0 0 1 0 0 0 0 0 0 0 0 0 ú 0 , 4 S 0 , 6 ç' ÷ ç ÷ ç ÷ O 1, 5 ê ú O ç ÷ 0 0 0 0 1 0 0 1 0 0 0 0 ç0 , 3 ÷ çS 0 ,1 ÷ ç' ÷ ê ú ç ÷ ç ÷ O 1, 4 ê 0 0 0 0 1 1 0 1 0 0 0 0 ú O 0 , 2 S ç ÷ = ç ÷ Å ç 0 , 3 ÷ ç' ÷ ê ú gç ÷ O 000010000000 O 0 ,1 ç S ÷ ç1, 3 ÷ ê ú ç ÷ ç 0 , 0 ÷ ' ê 000000100000 ú çO ÷ çO 1, 2 ÷ 0 , 0 ç S 0 , 2 ÷ ç ÷ ê ú ç ÷ ç ÷ ' 0 0 0 0 0 0 0 0 1 0 1 1 ê ú çO 1 , 3 ÷ 0 çO 0 ,1 ÷ ç ÷ ê0 0 0 0 0 0 0 0 1 0 0 1 ú ç ÷ ç' ÷ O ç ÷ O ê ú ç1 , 2 ÷ 0 ç0 , 0 ÷ 0 0 0 0 0 0 0 0 0 1 0 0 ç ÷ ç ÷ ê ú çO ÷ ç 0 ÷ ' ê ú 1 ,1 çO 1,1 ÷ 0 0 0 0 0 0 0 0 0 0 0 1 ç ÷ ç ÷ ë û ç ÷ 0 ç' ÷ èO 1 , 0 ø è ø èO 1, 0 ø 23 æO ' ö 0 , 5 æO ö ç ÷ 0 , 7 æS 0 , 5 ö çO ' ÷ é100100000000 ù ç ÷ ç ÷ 0 , 4 ê ú O ç ÷ ç0 , 6 ÷ çS 0 , 7 ÷ ' ê1 1 0 1 0 0 0 0 0 0 0 0 ú çO 0 , 3 ÷ A ç ÷ ç ÷ O 0 , 5 S ç ÷ ê1 0 0 0 0 0 0 0 0 0 0 0 ú ç ÷ ç0 , 4 ÷ y ' ê ú 1 çO 0 , 2 ÷ çO ÷ x ç ÷ ê 0 0 1 0 0 0 0 0 0 0 0 0 ú 0 , 4 1 S 0 , 6 v1 ç' ÷ ç ÷ ç ÷ O 1, 5 ê ú O ç ÷ 0 0 0 0 1 0 0 1 0 0 0 0 ç0 , 3 ÷ çS 0 ,1 ÷ ç' ÷ ê ú ç ÷ ç ÷ O 1, 4 ê 0 0 0 0 1 1 0 1 0 0 0 0 ú O 0 , 2 S ç ÷ = ç ÷ Å ç 0 , 3 ÷ ç' ÷ ê A ú gç ÷ O 000010000000 O 0 ,1 ç S ÷ ç1, 3 ÷ ê ú ç ÷ ç 0 , 0 ÷ ' ê 000000100000 ú çO ÷ çO 1, 2 ÷ 0 , 0 ç S 0 , 2 ÷ ç ÷ ê ú ç ÷ ç ÷ ' 0 0 0 0 0 0 0 0 1 0 1 1 ê ú çO 1 , 3 ÷ 0 çO 0 ,1 ÷ ç ÷ ê0 0 0 0 0 0 0 0 1 0 0 1 ú ç ÷ ç' ÷ O ç ÷ O ê ú ç1 , 2 ÷ 0 y ç0 , 0 ÷ 0 0 0 0 0 0 0 0 0 1B 0 0 ç ÷ 2 ç ÷ ê ú çO ÷ x ç 0 ÷ ' ê ú 1 ,1 2 v2 çO 1,1 ÷ 0 0 0 0 0 0 0 0 0 0 0 1 ç ÷ ç ÷ ë û ç ÷ 0 ç' ÷ èO 1 , 0 ø è ø èO 1, 0 ø 24 Revisit each Component of the GMR-2 Cipher • Three linear systems 25 Revisit each Component of the GMR-2 Cipher • Another linear system – Let then thus from we obtain 26 Revisit each Component of the GMR-2 Cipher ìy =W· x Å v ï ïy1 =W1· x1 Å v 1 ï íy2 =W2· x2 Å v 2 ïy =W· kÅ W· k Å W· uÅ v ï 2 2h 2 l 2 2 ïx = K t(() t a ) î 1 t1 ( a )• 2 1 • W,,, W1 W 2, v v 1, v 2 u are known values.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages45 Page
-
File Size-