Dumb Crypto in Smart Grids

Transcription

1 Dumb Crypto in Smart Grids Practical Cryptanalysis of the Open Smart Grid Protocol Philipp Jovanovic 1 (@daeinar) Samuel Neves 2 (@sevenps) 1 University of Passau, Germany 2 University of Coimbra, Portugal

2 Smart Grids Definition from Wikipedia: A smart grid is a modernized electrical grid that uses analog or digital information and communications technology to gather and act on information [...] in an automated fashion to improve the efficiency, reliability, economics, and sustainability of the production and distribution of electricity. Fast-growing technology. Critical infrastructure: communication needs protection. 1

3 Open Smart Grid Protocol (OSGP) ETSI GS OSG 001 V1.1.1 ( ) Group Specific ation Open Smart Grid Protocol (OSGP) Source: Application layer communication protocol for smart grids. Developed by the Energy Service Network Association (ESNA) around Disclaimer Standardised This by document the has been European produced and approved by the Open Telecommunications Smart Grid (OSG) ETSI Industry Specification Group (ISG) and Standards represents the views of those members who participated in this ISG. It does not necessarily represent the views of the entire ETSI membership. Institute (ETSI) in Used in devices sold by members of the OSGP Alliance. 2

4 Open Smart Grid Protocol (OSGP) Source: Deployed in over 4 million devices world-wide. Customers/Members/Partners of OSGP Alliance: Networked Energy Services, E.ON, Vattenfall, Ericsson AB, Mitsubishi Electric, LG CNS, Oracle,... 3

5 Open Smart Grid Protocol (OSGP) PLC Segment data concentrator Encrypted repeater repeater repeater smart-meter smart-meter smart-meter smart-meter OSGP s Network Topology Encrypted communication between smart-meters and data concentrators. Authenticated encryption scheme: - RC4 (encryption) - OMADigest (authentication) - EN14908 (key derivation) 4

6 Open Smart Grid Protocol (OSGP) PLC Segment data concentrator Encrypted repeater repeater repeater smart-meter smart-meter smart-meter smart-meter OSGP s Network Topology Encrypted communication between smart-meters and data concentrators. Authenticated encryption scheme: - RC4 (encryption) - OMADigest (authentication) - EN14908 (key derivation) 4

7 Open Smart Grid Protocol (OSGP) PLC Segment data concentrator Encrypted repeater repeater repeater smart-meter smart-meter smart-meter smart-meter OSGP s Network Topology Encrypted communication between smart-meters and data concentrators. Authenticated encryption scheme: - RC4 (encryption) - OMADigest (authentication) - EN14908 (key derivation) 4

8 Our Work Overview Cryptanalysis of the OMADigest. Key recovery attacks using: 1. Differentials. 2. Bruteforce. 3. Differential-based forgeries. Based on publicly available documents. No experiments on actual (proprietary) OSGP hardware. Disclosed to OSGP Alliance/NES in November Published at IACR Workshop on Fast Software Encryption Paper available at 5

9 Related Work Structural Weaknesses in the Open Smart Grid Protocol By K. Kursawe and C. Peters (European Network for Cyber Security, the Netherlands). Overview article on security in OSGP. Presents basic attacks. Paper available at Disclosed to OSGP Alliance/NES in late Cryptanalysis of RC4 in OSGP By L. Feiten and M. Sauer (University of Freiburg, Germany). Transfers WEP attack on RC4 to the case of OSGP. Under submission. Draft shared privately. Disclosed to OSGP Alliance/NES in November

10 Related Work Structural Weaknesses in the Open Smart Grid Protocol By K. Kursawe and C. Peters (European Network for Cyber Security, the Netherlands). Overview article on security in OSGP. Presents basic attacks. Paper available at Disclosed to OSGP Alliance/NES in late Cryptanalysis of RC4 in OSGP By L. Feiten and M. Sauer (University of Freiburg, Germany). Transfers WEP attack on RC4 to the case of OSGP. Under submission. Draft shared privately. Disclosed to OSGP Alliance/NES in November

11 OSGP s Cryptographic Infrastructure

12 OSGP s Cryptographic Infrastructure k 1 x 1 k 0 x 0 k 1 k 0 m n / 48 / 64 / 48 / 64 / 96 EN14908 EN14908 OMADigest / 64 / 64 / 64 k 1 k 0 / 128 / RC / 0 64 t k 1 k 0 : Open Media Access Key (OMAK). k 1 k 0 : Base Encryption Key (BEK). x 0, x 1 : constants. c t m n: message and counter. c, t: ciphertext and tag. 8

13 The EN14908 Encryption Algorithm Source: The OMADigest is an improved version of the EN14908 encryption algorithm. 9

14 The EN14908 Encryption Algorithm Source: The OMADigest is an improved version of the EN14908 encryption algorithm. 9

15 OMADigest Function OMADigest(m,k) a (0, 0, 0, 0, 0, 0, 0, 0) m mod 144 m m 0 foreach 144-byte block b of m do for i 0 to 17 do for j 7 to 0 do if k i mod 12,7 j = 1 then a j a (j+1) mod 8 + b 8i+(7 j) + ( (a j + j)) 1 else a j a (j+1) mod 8 + b 8i+(7 j) ( (a j + j)) 1 end end end return a Observations 64-bit state a. Message is zero-padded: m m 0 m mod 144. Key extension: k 0 k 11 k 0 k 11 k 0 k 5. Processing of a message byte depends exactly on one key bit. State update is almost linear. Algorithm is fully reversible. 10

16 OMADigest Data processing: m 8i f ki,0,7 a 0 a 1 a 2 a 3 a 4 a 5 a 6 a 7 f ki,7,0 f ki,6,1 f ki,5,2 f ki,4,3 f ki,3,4 f ki,2,5 f ki,1,6 m 8i+7 m 8i+6 m 8i+5 m 8i+4 m 8i+3 m 8i+2 m 8i+1 data flow The non-linear update function f : { y + m + ( (x + c)) 1 if k = 1 f k,c (x, y, m) = y + m ( (x + c)) 7 otherwise. Note: i = 0,..., 17 and i = i mod

17 Crash Course: Differential Cryptanalysis Idea inputs x crypto function F outputs y x y x F y XOR-differential x p y of probability p in F. Applications Detect non-randomness. Key recovery. Collisions. Forgeries

18 Crash Course: Differential Cryptanalysis Idea inputs x crypto function F outputs y x y x F y XOR-differential x p y of probability p in F. Applications Detect non-randomness. Key recovery. Collisions. Forgeries

19 Crash Course: Differential Cryptanalysis Idea inputs x crypto function F outputs y x y x F y XOR-differential x p y of probability p in F. Applications Detect non-randomness. Key recovery. Collisions. Forgeries

20 Attack #1

21 Bitwise Key Recovery Injecting XOR-difference m 8i = 80: 80 f ki,0,7 a 0 a 1 a 2 a 3 a 4 a 5 a 6 80 f ki,7,0 f ki,6,1 f ki,5,2 f ki,4,3 f ki,3,4 f ki,2,5 f ki,1, data flow The non-linear update function f : { y + m + ( (x + c)) 1 if k = 1 f k,c (x, y, m) = y + m ( (x + c)) 7 otherwise. Note: i = 0,..., 17 and i = i mod

22 Bitwise Key Recovery Difference prop. after 8 msg. bytes m 8i,..., m 8i+7 : 80 f ki,0, f ki,7,0 f ki,6,1 f ki,5,2 f ki,4,3 f ki,3,4 f ki,2,5 f ki,1, data flow The non-linear update function f : { y + m + ( (x + c)) 1 if k = 1 f k,c (x, y, m) = y + m ( (x + c)) 7 otherwise. Difference propagates with probability 1 to the full state! 15

23 Bitwise Key Recovery Difference prop. after 9 msg. bytes m 8i,..., m 8i+7, m 8i+8 : 00 f ki,0, a 7 f ki,7,0 f ki,6,1 f ki,5,2 f ki,4,3 f ki,3,4 f ki,2,5 f ki,1, data flow Possible output differences for the XOR-linearisation of f : { 81 = = 80 (80 1) if k a 7 = i,0 = 1 C0 = = 80 (80 7) if k i,0 = 0 Equal behaviour of lsb for and +: k i,0 = lsb( a 7 ). 16

24 Bitwise Key Recovery Full Key Recovery In 96+1 queries with 144-byte chosen-plaintexts. 17

25 Can we do better?

26 Improving Bitwise Key Recovery Setting m 8i 8 = 80 (eight steps earlier as bitwise attack) gives: i = 17,..., 6 a 0 a 1 a 2 a 3 a 4 a 5 a 6 a m 8i m 8i m 8i m 8i a 7 m 8i a 6 a m 8i+7 a 0 a 1 a 2 a 3 a 4 a 5 a 6 a 7 Analysing the XOR-linearisation of f shows... 19

27 Improving Bitwise Key Recovery Setting m 8i 8 = 80 (eight steps earlier as bitwise attack) gives: i = 17,..., 6 a 0 a 1 a 2 a 3 a 4 a 5 a 6 a m 8i m 8i m 8i m 8i a 7 m 8i a 6 a m 8i+7 a 0 a 1 a 2 a 3 a 4 a 5 a 6 a 7 Analysing the XOR-linearisation of f shows... 19

28 Bytewise Key Recovery Key bits can be recovered iteratively k i,0 = lsb( a 7 ) lsb(80) k i,4 = lsb( a 3 ) lsb( a 4 ) k i,1 = lsb( a 6 ) lsb( a 7 ) k i,5 = lsb( a 2 ) lsb( a 3 ) k i,2 = lsb( a 5 ) lsb( a 6 ) k i,6 = lsb( a 1 ) lsb( a 2 ) k i,3 = lsb( a 4 ) lsb( a 5 ) k i,7 = lsb( a 0 ) lsb( a 1 ) for all i = 17,..., 6 and i = i mod 12. Conclusion: Setting m 8i 8 = 80 leaks complete key byte k i. 20

29 Bytewise Key Recovery Key bits can be recovered iteratively k i,0 = lsb( a 7 ) lsb(80) k i,4 = lsb( a 3 ) lsb( a 4 ) k i,1 = lsb( a 6 ) lsb( a 7 ) k i,5 = lsb( a 2 ) lsb( a 3 ) k i,2 = lsb( a 5 ) lsb( a 6 ) k i,6 = lsb( a 1 ) lsb( a 2 ) k i,3 = lsb( a 4 ) lsb( a 5 ) k i,7 = lsb( a 0 ) lsb( a 1 ) for all i = 17,..., 6 and i = i mod 12. Conclusion: Setting m 8i 8 = 80 leaks complete key byte k i. 20

30 Bytewise Key Recovery Full Key Recovery In 12+1 queries with 144-byte chosen-plaintexts. 21

31 Attack #2

32 Known-Plaintext Key Recovery Prerequisites Two 144-byte messages m = x y and m = x y with y = y = r bytes and y y. Authentication tags: a = OMADigest(m) and a = OMADigest(m ) 23

33 Known-Plaintext Key Recovery Idea OMABackward... k 3 m 120,..., m 127 k 4 m 128,..., m 135 k 5 m 136,..., m 143 a i = 1 i = 0... m 120,..., m 127 m 128,..., m 135 m 136,..., m 143 b? = a k 3 k 4 k 5 For i = 0,..., 11: Set r = 8i Guess k 17 i mod 12. Fix k 16 i mod 12 = 00. OMAForward Compute: b = OMAForward(OMABackward(a, m, k, r), m, k, r). Check: b = a. If so, save guess for k 17 i mod 12 as a candidate. 24

34 Known-Plaintext Key Recovery Idea OMABackward... k 3 m 120,..., m 127 k 4 m 128,..., m 135 k 5 m 136,..., m 143 a i = 1 i = 0... m 120,..., m 127 m 128,..., m 135 m 136,..., m 143 b? = a k 3 k 4 k 5 For i = 0,..., 11: Set r = 8i Guess k 17 i mod 12. Fix k 16 i mod 12 = 00. OMAForward Compute: b = OMAForward(OMABackward(a, m, k, r), m, k, r). Check: b = a. If so, save guess for k 17 i mod 12 as a candidate. 24

35 Known-Plaintext Key Recovery Idea OMABackward... k 3 m 120,..., m 127 k 4 m 128,..., m 135 k 5 m 136,..., m 143 a i = 1 i = 0... m 120,..., m 127 m 128,..., m 135 m 136,..., m 143 b? = a k 3 k 4 k 5 For i = 0,..., 11: Set r = 8i Guess k 17 i mod 12. Fix k 16 i mod 12 = 00. OMAForward Compute: b = OMAForward(OMABackward(a, m, k, r), m, k, r). Check: b = a. If so, save guess for k 17 i mod 12 as a candidate. 24

36 Known-Plaintext Key Recovery Idea OMABackward... k 3 m 120,..., m 127 k 4 m 128,..., m 135 k 5 m 136,..., m 143 a i = 1 i = 0... m 120,..., m 127 m 128,..., m 135 m 136,..., m 143 b? = a k 3 k 4 k 5 For i = 0,..., 11: Set r = 8i Guess k 17 i mod 12. Fix k 16 i mod 12 = 00. OMAForward Compute: b = OMAForward(OMABackward(a, m, k, r), m, k, r). Check: b = a. If so, save guess for k 17 i mod 12 as a candidate. 24

37 Known-Plaintext Key Recovery Idea OMABackward... k 3 m 120,..., m 127 k 4 m 128,..., m 135 k 5 m 136,..., m 143 a i = 1 i = 0... m 120,..., m 127 m 128,..., m 135 m 136,..., m 143 b? = a k 3 k 4 k 5 For i = 0,..., 11: Set r = 8i Guess k 17 i mod 12. Fix k 16 i mod 12 = 00. OMAForward Compute: b = OMAForward(OMABackward(a, m, k, r), m, k, r). Check: b = a. If so, save guess for k 17 i mod 12 as a candidate. 24

38 Known-Plaintext Key Recovery Full Key Recovery In 24 queries of 144-byte known-plaintexts with common prefix. In queries of 144-byte chosen plaintexts. 25

39 Attack #3

40 Forgery Attacks Injecting XOR-differences m 8i+j = 80 and m 8i+j+1 = f ki,0,7 a 0 a 1 a 2 a 3 a 4 a f ki,7,0 f ki,6,1 f ki,5,2 f ki,4,3 f ki,3,4 f ki,2,5 f ki,1, data flow for i = 0,..., 17, i = i mod 12, and j = 0,..., 7 (here: j = 0). The non-linear update function f : { y + m + ( (x + c)) 1 if k = 1 f k,c (x, y, m) = y + m ( (x + c)) 7 otherwise. 27

41 Forgery Attacks Difference prop. after 8 msg. bytes m 8i+j,..., m 8i+j+7 : 80 f ki,0, f ki,7,0 f ki,6,1 f ki,5,2 f ki,4,3 f ki,3,4 f ki,2,5 f ki,1, data flow No further propagation, stationary difference a 7 =

42 Forgery Attacks Difference prop. after 9 msg. bytes m 8i+j,..., m 8i+j+7, m 8i+j+8 : x f ki,0, a 7 f ki,7,0 f ki,6,1 f ki,5,2 f ki,4,3 f ki,3,4 f ki,2,5 f ki,1, data flow Inject XOR-difference m 8i+j+8 = x s.t. a 7 = 00 forgery! How do we choose x? 29

43 From Forgeries... Options for x: k i+1,j = 0 k i+1,j = 1 x C0 40 p 1/2 1/2 x F 1F 3F 7F FF p 1/2 1/4 1/8 1/16 1/32 1/64 1/128 1/128 Using ( m 8i+j, m 8i+j+1, m 8i+j+8 ) = (80, 80, x) with x {C0, 40, 01} has probability 1/4 to create a forgery. 30

44 From Forgeries... Options for x: k i+1,j = 0 k i+1,j = 1 x C0 40 p 1/2 1/2 x F 1F 3F 7F FF p 1/2 1/4 1/8 1/16 1/32 1/64 1/128 1/128 Using ( m 8i+j, m 8i+j+1, m 8i+j+8 ) = (80, 80, x) with x {C0, 40, 01} has probability 1/4 to create a forgery. 30

45 ... to Key Recovery 1. Test ( m 8i+j, m 8i+j+1, m 8i+j+8 ) = (80, 80, C0). Forgery? Yes: ki+1 mod 12,j = 0. No: Continue. 2. Test ( m 8i+j, m 8i+j+1, m 8i+j+8 ) = (80, 80, 40). Forgery? Yes: ki+1 mod 12,j = 0. No: ki+1 mod 12,j = 1. 31

46 ... to Key Recovery 1. Test ( m 8i+j, m 8i+j+1, m 8i+j+8 ) = (80, 80, C0). Forgery? Yes: ki+1 mod 12,j = 0. No: Continue. 2. Test ( m 8i+j, m 8i+j+1, m 8i+j+8 ) = (80, 80, 40). Forgery? Yes: ki+1 mod 12,j = 0. No: ki+1 mod 12,j = 1. 31

47 Forgery-based Key Recovery Summary Full key recovery in 168 queries (on average). Works with chosen-plaintexts and with chosen-ciphertexts. (due to stream cipher encryption) Key bits can be recovered in arbitrary order. (unlike as in attacks #1 and #2) No restrictions on the message size. 32

48 Forgery-based Key Recovery Summary Full key recovery in 168 queries (on average). Works with chosen-plaintexts and with chosen-ciphertexts. (due to stream cipher encryption) Key bits can be recovered in arbitrary order. (unlike as in attacks #1 and #2) No restrictions on the message size. 32

49 Forgery-based Key Recovery Summary Full key recovery in 168 queries (on average). Works with chosen-plaintexts and with chosen-ciphertexts. (due to stream cipher encryption) Key bits can be recovered in arbitrary order. (unlike as in attacks #1 and #2) No restrictions on the message size. 32

50 Forgery-based Key Recovery Summary Full key recovery in 168 queries (on average). Works with chosen-plaintexts and with chosen-ciphertexts. (due to stream cipher encryption) Key bits can be recovered in arbitrary order. (unlike as in attacks #1 and #2) No restrictions on the message size. 32

51 Conclusion

52 Overview on Digest Attacks Attack Type B Queries Complexity Oracle #1 #2 #3 CP Tag-generation CP Tag-generation CP Tag-generation CP Tag-generation CP Tag-generation CP Tag-generation KP+ / CP 1 24/ Tag-generation KP+ / CP 2 12 / Tag-generation KP+ / CP 3 8 / Tag-generation KP+ / CP 4 6 / Tag-generation KP+ / CP 5 6 / Tag-generation KP+ / CP 6 4 / Tag-generation Forgeries (CP / CC, XOR) Tag-verification Forgeries (CP, Additive) Tag-verification B: time-query trade-off parameter. KP+: known-plaintext with common prefix. CP: chosen-plaintext. CC: chosen-cipertext. 34

53 Fin We think: OSGP s cryptographic scheme offers no protection whatsoever. (assuming it is implemented as in the specification) Secure communication in OSGP highly doubtful as long as any of RC4, EN14908 or OMADigest is used. Thank you! 35

54 Fin We think: OSGP s cryptographic scheme offers no protection whatsoever. (assuming it is implemented as in the specification) Secure communication in OSGP highly doubtful as long as any of RC4, EN14908 or OMADigest is used. Thank you! 35