Don t Don t Trust Satellite Phones
|
|
- Antony Greer
- 6 years ago
- Views:
Transcription
1 Don t Don t Trust Satellite Phones Digital HGI Kolloquium, Voodoo Forensics Workshop 0x7db Benedikt Driessen, Ralf Hund, Carsten Willems, Thorsten Christof Holz Paar, and Christof Thorsten Paar Holz Horst Görtz Institute for IT-Security, Chair for Systems Security / Embedded Security
2 Mobile Satellite Telephony Why it is needed Cellphone communication not available in very remote places Crew on oil rig or ships on open sea Airplanes Research trips (desert/poles) Adventurers or extreme sportsmen Also many military applications Satellite telephony has been around since the 90s Direct communication between phones and satellites 2
3 Satellite Phones How they look like 3
4 Communication Overview Phone communicates with satellite on L-band Satellite coverage area separated into several circular spotbeams Data is forwarded to/from gateway station on C-band, which is attached to wired telephone network 4
5 Inmarsat Spotbeam Coverage 5
6 Standards and Specifications Satellite phone systems were standardized by ETSI Two major standards coexist: GMR-1: based on GSM, de-facto standard used by most providers GMR-2 (aka GMR-2+): based on GSM, used by Inmarsat (and ACeS) Specifications are publically available from ETSI Both standards are very close to GSM Cover signaling, encoding, etc. 6
7 Security Aspects Encryption only discussed as a black box: only frame size and key length given Actual algorithms (A5-GMR-1 / A5-GMR-2) are kept secret Algorithm names suggest resemblance to A5 in GSM Basically, GSM algorithms have been broken Are the GMR algorithms vulnerable to similar attacks? Our task: identify/extract the A5-GMR algorithms from the phones and perform crypto analysis 7
8 GMR-1
9 Choosing a Victim Several GMR-1 phones on the market Our victim: Thuraya SO-2510 (for no specific reason) Firmware update publically available We didn't (have to) look at any other GMR- 1 firmware Analysis was done statically only, we had no real phone at our disposal! 9
10 Phone Hardware Architecture Some General Notes Hardware has two processors: Main processor (almost always ARM) Digital signal processing (DSP) processor (many different architectures exist) Phone needs to perform a lot of speech processing, signaling, possibly encryption, etc. ARM CPU is rather inappropriate for such tasks Dedicated DSP can handle this much more efficiently ARM CPU still makes up the heart of the system Takes control in boot process and runs (most of) the OS Initializes and starts the DSP when needed 10
11 General Procedure 1) Dump firmware image from firmware updater 2) Obtain information on the phone s actual hardware architecture 3) Dump DSP code from firmware image 4) Find cipher code 5) Perform cryptanalysis 11
12 Firmware and Hardware Firmware provided unencrypted/unpacked, need to strip some meta data Thuraya SO-2510 runs on Texas Instruments OMAP1510 (aka OMAP5910): ARM + TI C55X DSP Pretty well documented platform OS is VxWorks 12
13 Memory Mappings Need correct memory addresses for correct disassembly No 1:1 mapping of firmware image in memory Find MMU initialization routine After that, we can readily disassemble the full ARM code in IDA In our case, MMU init is at the very beginning of the image Page tables are stored statically in the image 13
14
15 Strings Surpisingly, firmware image contains plenty of assertion/log strings Allows to deduce the name of some functions 15
16 Dump the DSP Code Encryption/decryption probably not implemented in ARM code for performance reasons Need to find DSP initialization Some good hints: Assertion/log strings Specific memory areas: DSP memory mapped into ARM address space Both approaches work fine 16
17 Dump the DSP Code DSP init routine Copies DSP code blocks from firmware into DSP memory Different kind of blocks exist Takes some effort to reverse We don t really need to understand it completely, just extract the resulting DSP image Use IDA + QEMU ARM emulator to run the routine and dump the extracting DSP code 17
18 Find Cipher Code Yields 240kb of DSP code TI C55x assembler Looks kind of weird Needs some initial training No strings, symbols, whatsoever How do we find the cipher code conveniently? A5-GSM relies heavily on linear feedback shift registers (LFSRs) Probably requires a lot of xor and shift operations 18
19 Find Cipher Code Idea: Rate each function by the percentage of xor/shift instructions This yields some interesting results Top 4 hits adjacent to each other Function % relevant instr. 0001D038 43% 0001CFC8 41% 0001D000 41% 0001D064 37% 00014C9C 25% 00014CAC 25% Let s have a short look at the code 19
20 Find Cipher Code Four of these functions exist Each function does exactly one LFSR clock operation 20
21 Cryptanalysis Looks familiar A5-GMR-1 is basically A5/2-GSM Feedback polynomials changed Position of output-taps changed Initialization process changed slightly 21
22 Cryptanalysis Encryption in GMR-1 Data is organized in frames of different length Frames belong to sessions Frames have a frame-number FN (19-bit) For some sessions, a key K is established to encrypt frames K is derived from a nonce and a SIM-specific secret A5-GMR-1 is re-initialized for each frame IV = K XOR FN used as initialization vector The first 250 bits are discarded 22
23 Cryptanalysis Known-Plaintext Attack 1/2 A known-plaintext attack is possible Based on ideas of Petrovic et. Al., 2000 Key Observations R4 determines the clocking behavior of the cipher completely The M-functions operate on each LFSR separately Describe the generation of keystream bits by quadratic equations The unknowns of the equations represent the initial state of R1, R2 and R3 Quadratic equations with 64 unknowns are easy to linearize 23
24 Cryptanalysis Known-Plaintext Attack 2/2 The basic attack Guess R4 and clock the cipher to obtain quadratic equations Linearize the equations to obtain A * x = z Solve x = A -1 * z to obtain a state candidate Use the candidate to generate keystream and compare it Result: For approx. 655 bits of successive keystream we need 2 16 steps on average to obtain K To be honest: one step is quite involved Generate equations Solve system in 655 unknowns Compute and the resulting keystream However, precomputations still make this attack fast (1 min) 24
25 Cryptanalysis Ciphertext-Only Attack 1/2 A ciphertext-only attack is possible Based on ideas of Barkan et. Al., 2003 Additional Observations Frames are encoded in order to add redundancy Encoding/decoding is linear in GF(2) Encoding is applied prior to encryption Consider the generator-matrix G and parity-check matrix H Encode + Encrypt: m = (d * G) and m = m + z Decrypt + Decode : r = m + z and r = H * r Due to the construction of H we have H * m = 0 iff m was received without errors H * m = H * (m + z) = H * m + H * z = H * z = H * (A * x) = S * x 25
26 Cryptanalysis Ciphertext-Only Attack 2/2 S * x = H * m is in variables of the initial state Plaintext is canceled out due to encoding Adapt attack to GMR-1 Guess parts of R1, R2 and R3 to reduce variables and equations Increases the number of guesses Result: Attack on the FACCH9 channel requires one FACCH9 frame and 2 32 steps Sadly, real-world data shows that FACCH9 is actually never used However, we can adapt this attack to the frequently used TCH3 channel.. 26
27 New results as of a photo 27
28 New results as of a screenshot 28
29 GMR-2
30 GMR-2 Next Victim GMR-2 implemented by Inmarsat Use Inmarsat IsatPhonePro (again, no specific reason) Pure static analysis only 30
31 Detecting the Phone's Hardware Firmware contains plenty of assertion/log strings again Contains some strings refering to LeMans AD6900 platform (by Analog Devices) Combines ARM CPU with Blackfin DSP Phone runs on AMX AOS Some proprietary OS, no documentationa available 31
32 Blackfin Disassembler Blackfin code is interleaved in image IDA does not support Blackfin assembler language Need to create our own tools Developed own Blackfin disassembler Recursive traversal Basic functionality to resolve string / function references and annotate the disassembly 32
33 Find Cipher Code Where do we start? Blackfin Image has some interesting strings! This seems to be a good place to begin with ;) 33
34 Find Cipher Code The Mysteries of ApplyCipher ApplyCipher takes plaintext + key as parameters and just XORs the plaintext with the key No key generation nearby But we can backtrack the parameters to see where the key memory area is actually filled Problem: This is non-trivial. Too much code involved Can only see where the key area is initialized with zeros Key generation must happen somewhere in between 34
35 Find Cipher Code Reverse Callgraph 10 different threads that eventually call ApplyCipher All threads implement a state machine at the top level Threads are large: plenty of work to reverse Can we further reduce the relevant code base? 35
36 Find Cipher Code Code Intersection Every thread must eventually call the key generation code Create (nested) call graph of each thread and intersect them: only keep functions which are called from all threads Result: 13 functions left. This looks more reasonable At first yielded function that includes the frame number in cipher key generation Also identified some generic div/rem/mul functions 36
37 Cryptanalysis Meet A5-GMR-2 Structure emerged after analysis *)!!!! The cipher operates on bytes 8-byte state array stores previous keystream* Three major function blocks F, G, H Clocking shifts register S, increments C and toggles T 37
38 Cryptanalysis Components of the cipher: F Characteristics of the F-function ( Key Schedule?) 8-byte array holding the session key K, read from two sides The lower side outputs K sequentially The upper output depends on the lower output, p and t T1 maps 4 bits to a 3-bit input for T2 (and the multiplexer) T2 determines the rotation 38
39 Cryptanalysis Components of the cipher: G Characteristics of the linear G-function ( Mixing Layer?) The inputs I 0, I 1 to G are F s outputs S 0 is one byte of the state array B1-B3 are tables implementing simple Boolean arithmetic 39
40 Cryptanalysis Components of the cipher: H Characteristics of the H-function ( Non-Linear XY??! ) The inputs I 0, I 1 to H are G s outputs S2 and S6 are (re-arranged) S-boxes from DES Z l represents one byte of keystream 40
41 Cryptanalysis Encryption in GMR-2 Frames have a fixed length of 120 bits See GMR-1 Session key K (from nonce and secret on SIM-card) Frame number FN (22-bit) A5-GMR-2 is re-initialized for each frame The key-array is loaded with K The state-array is initialized with FN The first 8 byte are discarded 41
42 Cryptanalysis Known-Plaintext Attack 1/4 An efficient known-plaintext attack is possible Observations The lower multiplexer outputs K 0, K 1, K 2.. Both multiplexers might select the same keybyte, we call this a (read) collision Sometimes, only the nibbles of the upper byte are swapped p is known keystream 42
43 Cryptanalysis Known-Plaintext Attack 2/4 Step 1: Detect read collisions in K 0 (and K 4 ) Examine keybytes Z 8,Z 16,Z 24 Output of lower multiplexer is known: K 0 for Z i*8, (K 4 for Z 4+i*8 ) Look at inputs/outputs of the S-Boxes independently Assume relations between bits of K 0 on the input-side Test for relations by mapping keybytes to potential S-Box inputs (i.e., invert S-Boxes) If relations hold, a collision may have happened Hypothesis for K 0 can be computed from keystream False-positives are possible Attempt detection for many keybytes and store hypotheses for K 0 Hypothesis which occurs most frequently is most likely correct 43
44 Cryptanalysis Known-Plaintext Attack 3/4 Step 2: Given K 0,K 4 brute-force the remaining bytes separately Examine keystream again.. Use positions for which the lower multiplexer selects a known keybyte (initially, K 0 and K 4 ) Determine which byte is selected by the upper multiplexer Avoid collisions with keybytes we already know Brute-force for the unknown keybyte Based on the known and the guessed byte, compute keystream If the keystream byte matches, our guess was correct 44
45 Cryptanalysis Known-Plaintext Attack 4/4 Result: bytes of keystream (5-6 frames) required, 2 18 steps on average to recover the full key Here, a step is guessing a byte and some XOR ing of bits easy and fast (1 second) Keystream/time tradeoff: frames, 2 10 single byte guesses From GMR-1 we know that some frames are predictable Might also apply to GMR-2?! 45
46 Thank you for your attention!
Don t Trust Satellite Phones: A Security Analysis of Two Satphone Standards
Don t Trust Satellite Phones: A Security Analysis of Two Satphone Standards Benedikt Driessen, Ralf Hund, Carsten Willems, Christof Paar, Thorsten Holz Horst-Goertz Institute for IT Security Ruhr-University
More informationA Review on Security Analysis of Satellite Phones
A Review on Security Analysis of Satellite Phones Mr. Mayur B. Kachare 1, Dr. Umesh S. Bhadade 2 1 ME-I st (Digital Electronics), 2 Prof. and Head of Electronics and Telecommunication Department 12 S.S.B.Ts
More information3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some
3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some popular block ciphers Triple DES Advanced Encryption
More informationCRYPTOGRAPHIC ENGINEERING ASSIGNMENT II Theoretical: Design Weaknesses in MIFARE Classic
CRYPTOGRAPHIC ENGINEERING ASSIGNMENT II Theoretical: Design Weaknesses in MIFARE Classic Özgecan Payzin, s4159721 ozgecan.payzin@student.ru.nl April 1, 2013 1 Introduction The MIFARE Classic is one of
More informationCHAPTER 2. KEYED NON-SURJECTIVE FUNCTIONS IN STREAM CIPHERS54 All bytes in odd positions of the shift register are XORed and used as an index into a f
CHAPTER 2. KEYED NON-SURJECTIVE FUNCTIONS IN STREAM CIPHERS53 is 512. Λ This demonstrates the contribution to the security of RC4 made by the simple swapping of S table entries in the memory update function.
More informationStream ciphers. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 91
Stream ciphers Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 91 Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 92 Stream Cipher Suppose you want to encrypt
More informationP2_L6 Symmetric Encryption Page 1
P2_L6 Symmetric Encryption Page 1 Reference: Computer Security by Stallings and Brown, Chapter 20 Symmetric encryption algorithms are typically block ciphers that take thick size input. In this lesson,
More informationThe Salsa20 Family of Stream Ciphers
The Salsa20 Family of Stream Ciphers Based on [Bernstein, 2008] Erin Hales, Gregor Matl, Simon-Philipp Merz Introduction to Cryptology November 13, 2017 From a security perspective, if you re connected,
More informationConditional Multiple Differential Attack on MiFare Classic
Conditional Multiple Differential Attack on MiFare Classic or How to Steal Train Passes and Break into Buildings Worldwide Nicolas T. Courtois University College London, UK MiFare Classic Crypto-1 Stream
More informationSymmetric Key Algorithms. Definition. A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting.
Symmetric Key Algorithms Definition A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting. 1 Block cipher and stream cipher There are two main families
More informationCryptanalysis of ORYX
Cryptanalysis of ORYX D. Wagner 1, L. Simpson 2, E. Dawson 2, J. Kelsey 3, W. Millan 2, and B. Schneier 3 1 University of California, Berkeley daw@cs.berkeley.edu 2 Information Security Research Centre,
More informationBasic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline
CSC/ECE 574 Computer and Network Security Topic 2. Introduction to Cryptography 1 Outline Basic Crypto Concepts and Definitions Some Early (Breakable) Cryptosystems Key Issues 2 Basic Concepts and Definitions
More informationStream Ciphers An Overview
Stream Ciphers An Overview Palash Sarkar Indian Statistical Institute, Kolkata email: palash@isicalacin stream cipher overview, Palash Sarkar p1/51 Classical Encryption Adversary message ciphertext ciphertext
More informationFPGA Implementation of an Improved Attack Against the DECT Standard Cipher
FPGA Implementation of an Improved Attack Against the DECT Standard Cipher Michael Weiner, Erik Tews, Benedikt Heinz, Johann Heyszl , , ,
More informationPRNGs & DES. Luke Anderson. 16 th March University Of Sydney.
PRNGs & DES Luke Anderson luke@lukeanderson.com.au 16 th March 2018 University Of Sydney Overview 1. Pseudo Random Number Generators 1.1 Sources of Entropy 1.2 Desirable PRNG Properties 1.3 Real PRNGs
More informationCSC 474/574 Information Systems Security
CSC 474/574 Information Systems Security Topic 2.1 Introduction to Cryptography CSC 474/574 By Dr. Peng Ning 1 Cryptography Cryptography Original meaning: The art of secret writing Becoming a science that
More informationDifferential Cryptanalysis
Differential Cryptanalysis See: Biham and Shamir, Differential Cryptanalysis of the Data Encryption Standard, Springer Verlag, 1993. c Eli Biham - March, 28 th, 2012 1 Differential Cryptanalysis The Data
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Previously on COS 433 Confusion/Diffusion Paradigm f 1 f 2 f 3 f 4 f 5 f 6 Round π 1 f 7 f 8 f 9 f 10 f 11 f 12 π 2 Substitution
More informationOnce upon a time... A first-order chosen-plaintext DPA attack on the third round of DES
A first-order chosen-plaintext DPA attack on the third round of DES Oscar Reparaz, Benedikt Gierlichs KU Leuven, imec - COSIC CARDIS 2017 Once upon a time... 14 November 2017 Benedikt Gierlichs - DPA on
More informationCUBE-TYPE ALGEBRAIC ATTACKS ON WIRELESS ENCRYPTION PROTOCOLS
CUBE-TYPE ALGEBRAIC ATTACKS ON WIRELESS ENCRYPTION PROTOCOLS George W. Dinolt, James Bret Michael, Nikolaos Petrakos, Pantelimon Stanica Short-range (Bluetooth) and to so extent medium-range (WiFi) wireless
More informationDr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010
CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Secret Key Cryptography Block cipher DES 3DES
More informationSecret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34
Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34 Definition a symmetric key cryptographic algorithm is characterized by having the same key used for both encryption and decryption.
More informationSecret Key Algorithms (DES)
Secret Key Algorithms (DES) G. Bertoni L. Breveglieri Foundations of Cryptography - Secret Key pp. 1 / 34 Definition a symmetric key cryptographic algorithm is characterized by having the same key used
More informationCSCI 454/554 Computer and Network Security. Topic 3.1 Secret Key Cryptography Algorithms
CSCI 454/554 Computer and Network Security Topic 3.1 Secret Key Cryptography Algorithms Outline Introductory Remarks Feistel Cipher DES AES 2 Introduction Secret Keys or Secret Algorithms? Security by
More informationpage 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas
Introduction to Cryptography Lecture 3 Benny Pinkas page 1 1 Pseudo-random generator Pseudo-random generator seed output s G G(s) (random, s =n) Deterministic function of s, publicly known G(s) = 2n Distinguisher
More informationPerformance Analysis of Contemporary Lightweight Block Ciphers on 8-bit Microcontrollers
Performance Analysis of Contemporary Lightweight Block Ciphers on 8-bit Microcontrollers Sören Rinne, Thomas Eisenbarth, and Christof Paar Horst Görtz Institute for IT Security Ruhr-Universität Bochum,
More informationAttack on DES. Jing Li
Attack on DES Jing Li Major cryptanalytic attacks against DES 1976: For a very small class of weak keys, DES can be broken with complexity 1 1977: Exhaustive search will become possible within 20 years,
More informationFundamentals of Computer Security
Fundamentals of Computer Security Spring 2015 Radu Sion Ciphers 2005-15 Portions copyright by Matt Bishop and Wikipedia. Used with permission Overview m 3 m 2 m 1 cipher c i Bob Alice cipher -1 m 1 m 2
More informationAssignment 3: Block Ciphers
Assignment 3: Block Ciphers CSCI3381-Cryptography Due October 3, 2014 1 Solutions to the Written Problems 1. Block Cipher Modes of Operation 6 points per part, 30 total. Parts (a)-(d) refer to the cipherblock
More informationAIT 682: Network and Systems Security
AIT 682: Network and Systems Security Topic 3.1 Secret Key Cryptography Algorithms Instructor: Dr. Kun Sun Outline Introductory Remarks Feistel Cipher DES AES 2 Introduction Secret Keys or Secret Algorithms?
More informationChapter 3 Block Ciphers and the Data Encryption Standard
Chapter 3 Block Ciphers and the Data Encryption Standard Last Chapter have considered: terminology classical cipher techniques substitution ciphers cryptanalysis using letter frequencies transposition
More informationAn Efficient Stream Cipher Using Variable Sizes of Key-Streams
An Efficient Stream Cipher Using Variable Sizes of Key-Streams Hui-Mei Chao, Chin-Ming Hsu Department of Electronic Engineering, Kao Yuan University, #1821 Jhongshan Rd., Lujhu Township, Kao-Hsiung County,
More informationNetwork Security Essentials
Network Security Essentials Applications and Standards Third Edition William Stallings Chapter 2 Symmetric Encryption and Message Confidentiality Dr. BHARGAVI H. GOSWAMI Department of Computer Science
More informationComputer Security 3/23/18
s s encrypt a block of plaintext at a time and produce ciphertext Computer Security 08. Cryptography Part II Paul Krzyzanowski DES & AES are two popular block ciphers DES: 64 bit blocks AES: 128 bit blocks
More informationCryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng
Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng 1 Outline Basic concepts in cryptography systems Secret key cryptography Public key cryptography Hash functions 2 Encryption/Decryption
More informationSNOW 3G Stream Cipher Operation and Complexity Study
Contemporary Engineering Sciences, Vol. 3, 2010, no. 3, 97-111 SNOW 3G Stream Cipher Operation and Complexity Study Ghizlane ORHANOU ghizlane.orhanou@gmail.com Said EL HAJJI elhajji@fsr.ac.ma Youssef BENTALEB
More informationCSCI 454/554 Computer and Network Security. Topic 2. Introduction to Cryptography
CSCI 454/554 Computer and Network Security Topic 2. Introduction to Cryptography Outline Basic Crypto Concepts and Definitions Some Early (Breakable) Cryptosystems Key Issues 2 Basic Concepts and Definitions
More informationSecret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General Considerations:
Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General Considerations: Secret Key Systems Encrypting a small block of text (say 64 bits) General Considerations: 1. Encrypted
More informationAEGIS. A Fast Authenticated Encryption Algorithm. Nanyang Technological University KU Leuven and iminds DIAC 2014 AEGIS 1
AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu Bart Preneel Nanyang Technological University KU Leuven and iminds 1 AEGIS: A shield carried by Athena and Zeus 2 Different Design Approaches:
More informationData Encryption Standard (DES)
Data Encryption Standard (DES) Best-known symmetric cryptography method: DES 1973: Call for a public cryptographic algorithm standard for commercial purposes by the National Bureau of Standards Goals:
More information9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers
Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng Basic concepts in cryptography systems Secret cryptography Public cryptography 1 2 Encryption/Decryption Cryptanalysis
More informationPARAMETRIC TROJANS FOR FAULT-BASED ATTACKS ON CRYPTOGRAPHIC HARDWARE
PARAMETRIC TROJANS FOR FAULT-BASED ATTACKS ON CRYPTOGRAPHIC HARDWARE Raghavan Kumar, University of Massachusetts Amherst Contributions by: Philipp Jovanovic, University of Passau Wayne P. Burleson, University
More informationChapter 6: Contemporary Symmetric Ciphers
CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Chapter 6: Contemporary Symmetric Ciphers Dr. Lo ai Tawalbeh Computer Engineering Department Jordan University of Science and Technology Jordan Why Triple-DES?
More informationOutline. Cryptography. Encryption/Decryption. Basic Concepts and Definitions. Cryptography vs. Steganography. Cryptography: the art of secret writing
Outline CSCI 454/554 Computer and Network Security Basic Crypto Concepts and Definitions Some Early (Breakable) Cryptosystems Key Issues Topic 2. Introduction to Cryptography 2 Cryptography Basic Concepts
More informationSymmetric Cryptography. Chapter 6
Symmetric Cryptography Chapter 6 Block vs Stream Ciphers Block ciphers process messages into blocks, each of which is then en/decrypted Like a substitution on very big characters 64-bits or more Stream
More informationComputer and Data Security. Lecture 3 Block cipher and DES
Computer and Data Security Lecture 3 Block cipher and DES Stream Ciphers l Encrypts a digital data stream one bit or one byte at a time l One time pad is example; but practical limitations l Typical approach
More informationComputer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08. Cryptography Part II Paul Krzyzanowski Rutgers University Spring 2018 March 23, 2018 CS 419 2018 Paul Krzyzanowski 1 Block ciphers Block ciphers encrypt a block of plaintext at a
More informationSymmetric Encryption Algorithms
Symmetric Encryption Algorithms CS-480b Dick Steflik Text Network Security Essentials Wm. Stallings Lecture slides by Lawrie Brown Edited by Dick Steflik Symmetric Cipher Model Plaintext Encryption Algorithm
More informationSIDE CHANNEL ATTACKS AGAINST IOS CRYPTO LIBRARIES AND MORE DR. NAJWA AARAJ HACK IN THE BOX 13 APRIL 2017
SIDE CHANNEL ATTACKS AGAINST IOS CRYPTO LIBRARIES AND MORE DR. NAJWA AARAJ HACK IN THE BOX 13 APRIL 2017 WHAT WE DO What we do Robust and Efficient Cryptographic Protocols Research in Cryptography and
More informationAttacks on Advanced Encryption Standard: Results and Perspectives
Attacks on Advanced Encryption Standard: Results and Perspectives Dmitry Microsoft Research 29 February 2012 Design Cryptanalysis history Advanced Encryption Standard Design Cryptanalysis history AES 2
More informationc Eli Biham - March 13, Cryptanalysis of Modes of Operation (4) c Eli Biham - March 13, Cryptanalysis of Modes of Operation (4)
Single Modes: the S Modes of Operation Modes of Operation are used to hide patterns in the plaintexts, protect against chosen plaintext attacks, and to support fast on-line encryption with precomputation.
More informationIntroduction to Cryptography CS 136 Computer Security Peter Reiher October 9, 2014
Introduction to Cryptography CS 136 Computer Security Peter Reiher October 9, 2014 Page 1 Outline What is data encryption? Cryptanalysis Basic encryption methods Substitution ciphers Permutation ciphers
More informationStream Ciphers. Stream Ciphers 1
Stream Ciphers Stream Ciphers 1 Stream Ciphers Generate a pseudo-random key stream & xor to the plaintext. Key: The seed of the PRNG Traditional PRNGs (e.g. those used for simulations) are not secure.
More informationCryptography BITS F463 S.K. Sahay
Cryptography BITS F463 S.K. Sahay BITS-Pilani, K.K. Birla Goa Campus, Goa S.K. Sahay Cryptography 1 Terminology Cryptography: science of secret writing with the goal of hiding the meaning of a message.
More informationImplementation and performance analysis of Barkan, Biham and Keller s attack on A5/2
Implementation and performance analysis of Barkan, Biham and Keller s attack on A5/2 Nicolas Paglieri, Olivier Benjamin Ensimag, Grenoble Institute of Technology, INP June 8, 2011 Abstract Barkan, Biham
More informationIntroduction to Cryptology Dr. Sugata Gangopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Roorkee
Introduction to Cryptology Dr. Sugata Gangopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Roorkee Lecture 09 Cryptanalysis and its variants, linear attack Welcome
More informationSome Aspects of Block Ciphers
Some Aspects of Block Ciphers Palash Sarkar Applied Statistics Unit Indian Statistical Institute, Kolkata India palash@isical.ac.in CU-ISI Tutorial Workshop on Cryptology, 17 th July 2011 Palash Sarkar
More informationCryptographic Concepts
Outline Identify the different types of cryptography Learn about current cryptographic methods Chapter #23: Cryptography Understand how cryptography is applied for security Given a scenario, utilize general
More informationHitag 2 Hell Brutally Optimizing Guess-and-Determine Attacks
Hitag 2 Hell Brutally Optimizing Guess-and-Determine Attacks Aram Verstegen and Roel Verdult and Wouter Bokslag FactorIT B.V. August 14th 2018 Verstegen, Verdult, Bokslag (FactorIT) Hitag 2 hell August
More informationCENG 520 Lecture Note III
CENG 520 Lecture Note III Symmetric Ciphers block ciphers process messages in blocks, each of which is then en/decrypted like a substitution on very big characters 64-bits or more stream ciphers process
More informationSAT Solvers in the Context of Cryptography
SAT Solvers in the Context of Cryptography v2.0 Presentation at Montpellier Mate Soos UPMC LIP6, PLANETE team INRIA, SALSA Team INRIA 10th of June 2010 Mate Soos (UPMC LIP6, PLANETE team SAT INRIA, solvers
More informationICT 6541 Applied Cryptography. Hossen Asiful Mustafa
ICT 6541 Applied Cryptography Hossen Asiful Mustafa Encryption & Decryption Key (K) Plaintext (P) Encrypt (E) Ciphertext (C) C = E K (P) Same Key (K) Ciphertext (C) Decrypt (D) Plaintext (P) P = D K (C)
More informationCPS2323. Symmetric Ciphers: Stream Ciphers
Symmetric Ciphers: Stream Ciphers Content Stream and Block Ciphers True Random (Stream) Generators, Perfectly Secure Ciphers and the One Time Pad Cryptographically Strong Pseudo Random Generators: Practical
More informationDouble-DES, Triple-DES & Modes of Operation
Double-DES, Triple-DES & Modes of Operation Prepared by: Dr. Mohamed Abd-Eldayem Ref.: Cryptography and Network Security by William Stallings & Lecture slides by Lawrie Brown Multiple Encryption & DES
More informationSymmetric Encryption 2: Integrity
http://wwmsite.wpengine.com/wp-content/uploads/2011/12/integrity-lion-300x222.jpg Symmetric Encryption 2: Integrity With material from Dave Levin, Jon Katz, David Brumley 1 Summing up (so far) Computational
More informationBlock Cipher Modes of Operation
Block Cipher Modes of Operation Luke Anderson luke@lukeanderson.com.au 23 rd March 2018 University Of Sydney Overview 1. Crypto-Bulletin 2. Modes Of Operation 2.1 Evaluating Modes 2.2 Electronic Code Book
More informationBlock Cipher Modes of Operation
Block Cipher Modes of Operation Luke Anderson luke@lukeanderson.com.au 24th March 2016 University Of Sydney Overview 1. Crypto-Bulletin 2. Modes Of Operation 2.1 Evaluating Modes 2.2 Electronic Code Book
More informationPASSWORDS & ENCRYPTION
PASSWORDS & ENCRYPTION Villanova University Department of Computing Sciences D. Justin Price Fall 2014 CRYPTOGRAPHY Hiding the meaning of a message from unintended recipients. Open source algorithms are
More informationAnalysis of Security or Wired Equivalent Privacy Isn t. Nikita Borisov, Ian Goldberg, and David Wagner
Analysis of 802.11 Security or Wired Equivalent Privacy Isn t Nikita Borisov, Ian Goldberg, and David Wagner WEP Protocol Wired Equivalent Privacy Part of the 802.11 Link-layer security protocol Security
More informationClassic Cryptography: From Caesar to the Hot Line
Classic Cryptography: From Caesar to the Hot Line Wenyuan Xu Department of Computer Science and Engineering University of South Carolina Overview of the Lecture Overview of Cryptography and Security Classical
More informationCryptography and Network Security. Sixth Edition by William Stallings
Cryptography and Network Security Sixth Edition by William Stallings Chapter 3 Block Ciphers and the Data Encryption Standard All the afternoon Mungo had been working on Stern's code, principally with
More informationKey Separation in Twofish
Twofish Technical Report #7 Key Separation in Twofish John Kelsey April 7, 2000 Abstract In [Mur00], Murphy raises questions about key separation in Twofish. We discuss this property of the Twofish key
More informationUNIT - II Traditional Symmetric-Key Ciphers. Cryptography & Network Security - Behrouz A. Forouzan
UNIT - II Traditional Symmetric-Key Ciphers 1 Objectives To define the terms and the concepts of symmetric key ciphers To emphasize the two categories of traditional ciphers: substitution and transposition
More informationin a 4 4 matrix of bytes. Every round except for the last consists of 4 transformations: 1. ByteSubstitution - a single non-linear transformation is a
Cryptanalysis of Reduced Variants of Rijndael Eli Biham Λ Nathan Keller y Abstract Rijndael was submitted to the AES selection process, and was later selected as one of the five finalists from which one
More informationCryptography and Network Security Block Ciphers + DES. Lectured by Nguyễn Đức Thái
Cryptography and Network Security Block Ciphers + DES Lectured by Nguyễn Đức Thái Outline Block Cipher Principles Feistel Ciphers The Data Encryption Standard (DES) (Contents can be found in Chapter 3,
More informationPractical Aspects of Modern Cryptography
Practical Aspects of Modern Cryptography Lecture 3: Symmetric s and Hash Functions Josh Benaloh & Brian LaMacchia Meet Alice and Bob Alice Bob Message Modern Symmetric s Setup: Alice wants to send a private
More informationPGP: An Algorithmic Overview
PGP: An Algorithmic Overview David Yaw 11/6/2001 VCSG-482 Introduction The purpose of this paper is not to act as a manual for PGP, nor is it an in-depth analysis of its cryptographic algorithms. It is
More informationLecture 2. Cryptography: History + Simple Encryption,Methods & Preliminaries. Cryptography can be used at different levels
Lecture 2 Cryptography: History + Simple Encryption,Methods & Preliminaries 1 Cryptography can be used at different levels algorithms: encryption, signatures, hashing, RNG protocols (2 or more parties):
More informationCSCE 813 Internet Security Symmetric Cryptography
CSCE 813 Internet Security Symmetric Cryptography Professor Lisa Luo Fall 2017 Previous Class Essential Internet Security Requirements Confidentiality Integrity Authenticity Availability Accountability
More informationCSE509: (Intro to) Systems Security
CSE509: (Intro to) Systems Security Fall 2012 Radu Sion Ciphers 2005-12 Portions copyright by Matt Bishop. Used with permission Ciphers Overview Naïve Usage Types of Ciphers Systems Security September
More informationThe Caesar Cipher Informatics 1 Functional Programming: Tutorial 3
The Caesar Cipher Informatics 1 Functional Programming: Tutorial 3 Heijltjes, Wadler Due: The tutorial of week 5 (23/24 Oct.) Reading assignment: Chapters 8 and 9 (pp. 135-166) Please attempt the entire
More informationImproved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN
Improved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN Shahram Rasoolzadeh and Håvard Raddum Simula Research Laboratory {shahram,haavardr}@simula.no Abstract. We study multidimensional meet-in-the-middle
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 7 February 5, 2013 CPSC 467b, Lecture 7 1/45 Stream cipher from block cipher Review of OFB and CFB chaining modes Extending chaining
More informationIntroduction to Network Security Missouri S&T University CPE 5420 Data Encryption Standard
Introduction to Network Security Missouri S&T University CPE 5420 Data Encryption Standard Egemen K. Çetinkaya Egemen K. Çetinkaya Department of Electrical & Computer Engineering Missouri University of
More informationFIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 9 Encryption and Firewalls By Whitman, Mattord & Austin 2008 Course Technology Learning Objectives Describe the role encryption
More informationDifferential Cryptanalysis of Madryga
Differential Cryptanalysis of Madryga Ken Shirriff Address: Sun Microsystems Labs, 2550 Garcia Ave., MS UMTV29-112, Mountain View, CA 94043. Ken.Shirriff@eng.sun.com Abstract: The Madryga encryption algorithm
More informationFull Plaintext Recovery Attack on Broadcast RC4
11 March, 2013 FSE 2013 @ Singapore Full Plaintext Recovery Attack on Broadcast RC4 Takanori Isobe () Toshihiro Ohigashi (Hiroshima University) Yuhei Watanabe () Masakatu Morii () Target Broadcast setting
More informationTWO GENERIC METHODS OF. Chinese Academy of Sciences
TWO GENERIC METHODS OF ANALYZING STREAM CIPHERS Lin Jiao, Bin Zhang, Mingsheng Wang Chinese Academy of Sciences Outline Introduction Time Memory Data Tradeoff Attack against Grain v1 Security Evaluation
More informationMidterm Exam. CS381-Cryptography. October 30, 2014
Midterm Exam CS381-Cryptography October 30, 2014 Useful Items denotes exclusive-or, applied either to individual bits or to sequences of bits. The same operation in Python is denoted ˆ. 2 10 10 3 = 1000,
More informationSecret Key Cryptography
Secret Key Cryptography 1 Block Cipher Scheme Encrypt Plaintext block of length N Decrypt Secret key Cipher block of length N 2 Generic Block Encryption Convert a plaintext block into an encrypted block:
More informationCache Timing Attacks on estream Finalists
Cache Timing Attacks on estream Finalists Erik Zenner Technical University Denmark (DTU) Institute for Mathematics e.zenner@mat.dtu.dk Echternach, Jan. 9, 2008 Erik Zenner (DTU-MAT) Cache Timing Attacks
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 7 January 30, 2012 CPSC 467b, Lecture 7 1/44 Public-key cryptography RSA Factoring Assumption Computing with Big Numbers Fast Exponentiation
More informationLinear Cryptanalysis of Reduced Round Serpent
Linear Cryptanalysis of Reduced Round Serpent Eli Biham 1, Orr Dunkelman 1, and Nathan Keller 2 1 Computer Science Department, Technion Israel Institute of Technology, Haifa 32000, Israel, {biham,orrd}@cs.technion.ac.il,
More informationCSC 474/574 Information Systems Security
CSC 474/574 Information Systems Security Topic 2.2 Secret Key Cryptography CSC 474/574 Dr. Peng Ning 1 Agenda Generic block cipher Feistel cipher DES Modes of block ciphers Multiple encryptions Message
More informationH must be collision (2n/2 function calls), 2nd-preimage (2n function calls) and preimage resistant (2n function calls)
What is a hash function? mapping of: {0, 1} {0, 1} n H must be collision (2n/2 function calls), 2nd-preimage (2n function calls) and preimage resistant (2n function calls) The Merkle-Damgård algorithm
More informationMicro-Architectural Attacks and Countermeasures
Micro-Architectural Attacks and Countermeasures Çetin Kaya Koç koc@cs.ucsb.edu Çetin Kaya Koç http://koclab.org Winter 2017 1 / 25 Contents Micro-Architectural Attacks Cache Attacks Branch Prediction Attack
More informationBlock Ciphers and Stream Ciphers. Block Ciphers. Stream Ciphers. Block Ciphers
Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2... M N. Then, each block M i is encrypted to the ciphertext block C i = K (M i ), and
More informationCryptography. Dr. Michael Schneider Chapter 10: Pseudorandom Bit Generators and Stream Ciphers
Cryptography Dr. Michael Schneider michael.schneider@h-da.de Chapter 10: Pseudorandom Bit Generators and Stream Ciphers December 12, 2017 h_da WS2017/18 Dr. Michael Schneider 1 1 Random and Pseudorandom
More informationRC4. Invented by Ron Rivest. A stream cipher Generate keystream byte at a step
RC4 RC4 1 RC4 Invented by Ron Rivest o RC is Ron s Code or Rivest Cipher A stream cipher Generate keystream byte at a step o Efficient in software o Simple and elegant o Diffie: RC4 is too good to be true
More informationSOLUTIONS FOR HOMEWORK # 1 ANSWERS TO QUESTIONS
SOLUTIONS OR HOMEWORK # 1 ANSWERS TO QUESTIONS 2.4 A stream cipher is one that encrypts a digital data stream one bit or one byte at a time. A block cipher is one in which a block of plaintext is treated
More information