New mobile phone algorithms a real world story

Transcription

1 New mobile phone algorithms a real world story Steve Babbage 17 February LTE algorithms, for SKEW 2011 C1 - Unrestricted

2 Standards groups 2 LTE algorithms, for SKEW 2011 C1 - Unrestricted

3 First generation 3 LTE algorithms, for SKEW 2011 C1 - Unrestricted

4 GSM security architecture SIM Visited network Home network Authentication and cipher key generation algorithm A3/A8 RAND K i AKA RAND RAND RAND, XRES, K C XRES K C K i AKA RES K C K C RES RES = XRES? Encryption algorithm A5 ENCRYPT USING K C 4 LTE algorithms, for SKEW 2011 C1 - Unrestricted

5 GSM security limitations > Key length > One-way authentication > Unprotected signalling > A5/1, A5/2 5 LTE algorithms, for SKEW 2011 C1 - Unrestricted

6 UMTS security architecture (slightly simplified) SIM Visited network Home network RAND K XRES MAC AKA SQN CK IK Check SQN Check MAC CK, IK Authentication and key agreement algorithm f1 f5 RAND, SQN, MAC RES ENCRYPT USING CK INTEGRITY PROTECT USING IK RAND, XRES, CK, IK, SQN, MAC RES = XRES? RAND K XRES MAC AKA SQN CK IK Encryption algorithm UEA, integrity algorithm UIA 6 LTE algorithms, for SKEW 2011 C1 - Unrestricted

7 First UMTS algorithms, UEA1 / UIA1 KASUMI (CK ) BLKCTR = 1 BLKCTR = 2 BLKCTR = n A BLKCTR = 0 KASUMI (CK) KASUMI (CK) KASUMI (CK) KASUMI (CK) A5/3 UEA1 (but 64-bit key) First 64 bits Second 64 bits Third 64 bits Last 64 bits KASUMI (IK) KASUMI (IK) KASUMI (IK) KASUMI (IK) KASUMI (IK ) MAC (left 32 bits) 7 LTE algorithms, for SKEW 2011 C1 - Unrestricted

8 Image from So now we can replace A5/1 with A5/3 8 LTE algorithms, for SKEW 2011 C1 - Unrestricted

9 Second UMTS algorithms, UEA2 / UIA2 > SNOW 3G Why not AES? Why not SNOW 2.0? 9 LTE algorithms, for SKEW 2011 C1 - Unrestricted

10 LTE security architecture (part 1) SIM Visited network Home network Authentication and key agreement algorithm f1 f5 RAND K AKA SQN RAND K AKA SQN RAND, SQN, MAC RAND, XRES, CK, IK, SQN, MAC, K ASME XRES MAC CK IK XRES MAC CK IK Check SQN Check MAC CK, IK RES PLMN ID RES = XRES? PLMN ID K ASME K ASME 10 LTE algorithms, for SKEW 2011 C1 - Unrestricted

11 GSM security limitations > Key length > One-way authentication > Unprotected signalling > A5/1, A5/2 > Same key regardless of algorithm choice 11 LTE algorithms, for SKEW 2011 C1 - Unrestricted

12 LTE security architecture (part 2) SIM Visited network Home network K ASME K ASME ALG ID ALG ID Kα MOBILITY SIGNALLING: K α ALG ID Kβ ENCRYPT USING K α INTEGRITY PROTECT USING K β K β ALG ID ALG ID ALG ID Kγ Kδ RADIO RESOURCE SIGNALLING: ENCRYPT USING K γ INTEGRITY PROTECT USING K δ K γ K δ ALG ID ALG ID Encryption algorithm EEA, integrity algorithm EIA ALG ID USER PLANE: ALG ID K ε ENCRYPT USING K ε K ε 12 LTE algorithms, for SKEW 2011 C1 - Unrestricted

13 Original LTE algorithms (from day one) > Based on SNOW-3G 128-EEA1: straightforward stream cipher use 128-EIA1: polynomial UHF Identical to UMTS algorithms > Could have been based on Kasumi or AES; chose AES 128-EEA2: AES in counter mode 128-EIA2: AES in CMAC mode 13 LTE algorithms, for SKEW 2011 C1 - Unrestricted

14 The designers DACAS: Data Assurance and communication security research center, Chinese Academy of Sciences Dongdai Lin Xiutao Feng 14 LTE algorithms, for SKEW 2011 C1 - Unrestricted

15 May Aug Sep Oct Nov Dec Jan Feb Mar Apr May Aug Sep Oct Nov Dec Jan Feb Mar Apr May Plan A SAGE Paid expert team Algorithm acceptance (hopefully) Public Under NDA 15 LTE algorithms, for SKEW 2011 C1 - Unrestricted

16 May Aug Sep Oct Nov Dec Jan Feb Mar Apr May Aug Sep Oct Nov Dec Jan Feb Mar Apr May Plan B SAGE Agree and sign NDA Paid expert team Algorithm acceptance (hopefully) Public LTE algorithms, for SKEW 2011 C1 - Unrestricted

17 Take your time Advanced Encryption Standard process From Wikipedia, the free encyclopedia Start of the process On January 2, 1997, NIST announced that they wished to choose a successor to DES to be known as AES. The result of this feedback was a call for new algorithms on September 12, 1997 Rounds one and two In the nine months that followed, fifteen different designs were created and submitted. NIST held two conferences to discuss the submissions (AES1, August 1998 and AES2, March 1999), and in August 1999 they announced that they were narrowing the field from fifteen to five. AES3 conference in April Selection of the winner On October 2, 2000, NIST announced that Rijndael had been selected as the proposed AES. 17 LTE algorithms, for SKEW 2011 C1 - Unrestricted

18 Encryption COUNT DIRECTION COUNT DIRECTION BEARER LENGTH BEARER LENGTH KEY EEA KEY EEA KEYSTREAM BLOCK KEYSTREAM BLOCK PLAINTEXT BLOCK CIPHERTEXT BLOCK PLAINTEXT BLOCK Sender Receiver 18 LTE algorithms, for SKEW 2011 C1 - Unrestricted

19 Integrity COUNT DIRECTION MESSAGE COUNT DIRECTION MESSAGE BEARER LENGTH BEARER LENGTH KEY EIA KEY EIA Sender MAC-I Receiver XMAC-I 19 LTE algorithms, for SKEW 2011 C1 - Unrestricted

20 ZUC named after Zu Chongzhi 20 LTE algorithms, for SKEW 2011 C1 - Unrestricted

21 ZUC One of these words mixed into LFSR during nonlinear initialisation 21 LTE algorithms, for SKEW 2011 C1 - Unrestricted

22 Encryption algorithm 128-EEA3 22 LTE algorithms, for SKEW 2011 C1 - Unrestricted

23 Integrity algorithm 128-EIA3 Universal Hash Function 23 LTE algorithms, for SKEW 2011 C1 - Unrestricted

24 Initial SAGE > Fit for purpose > Smells OK Must be not just strong, but free of suspicion 24 LTE algorithms, for SKEW 2011 C1 - Unrestricted

25 May Aug Sep Oct Nov Dec Jan Feb Mar Apr May Aug Sep Oct Nov Dec Jan Feb Mar Apr May Plan B SAGE Agree and sign NDA Paid expert team Algorithm acceptance (hopefully) Public LTE algorithms, for SKEW 2011 C1 - Unrestricted

26 May Aug Sep Oct Nov Dec Jan Feb Mar Apr May Aug Sep Oct Nov Dec Jan Feb Mar Apr May Plan C SAGE Agree and sign NDA Expert team contract Paid expert team Algorithm acceptance (hopefully) Public LTE algorithms, for SKEW 2011 C1 - Unrestricted

27 External expert team > Codes and Ciphers Limited Carlos Cid, Sean Murphy, Fred Piper, Matthew Dodd > Alice and Bob Technologies Lars Knudsen, Bart Preneel, Vincent Rijmen > Several corrections / improvements to existing > All standard attack types considered all seem unlikely to succeed > Strength inherited from SNOW-like construction > Some components not fully explained > Like most UHF MACs not robust against nonce reuse 27 LTE algorithms, for SKEW 2011 C1 - Unrestricted

28 Conclusion of the SAGE and paid > Transparency is vital nothing suspicious 28 LTE algorithms, for SKEW 2011 C1 - Unrestricted

29 May Aug Sep Oct Nov Dec Jan Feb Mar Apr May Aug Sep Oct Nov Dec Jan Feb Mar Apr May Plan C SAGE Agree and sign NDA Expert team contract Paid expert team Algorithm acceptance (hopefully) Public LTE algorithms, for SKEW 2011 C1 - Unrestricted

30 May Aug Sep Oct Nov Dec Jan Feb Mar Apr May Aug Sep Oct Nov Dec Jan Feb Mar Apr May Plan D SAGE Agree and sign NDA Expert team contract Paid expert team Go public Public Algorithm acceptance (hopefully) LTE algorithms, for SKEW 2011 C1 - Unrestricted

31 Crypto rump session 31 LTE algorithms, for SKEW 2011 C1 - Unrestricted

32 IACR newsletter 32 LTE algorithms, for SKEW 2011 C1 - Unrestricted

33 The ZUC Forum 33 LTE algorithms, for SKEW 2011 C1 - Unrestricted

34 The first post 34 LTE algorithms, for SKEW 2011 C1 - Unrestricted

35 Questions > Why not AES? > Why not estream? > Chinese algorithm means China can break it? > Is there something wrong with the other LTE algorithms? > What happens now to the other LTE algorithms? > Why does China get this special privilege? > If every other country insists on a home-grown algorithm, will every LTE phone have to support 200 algorithms? > Authenticated encryption? 35 LTE algorithms, for SKEW 2011 C1 - Unrestricted

36 ZUC-10 Workshop 36 LTE algorithms, for SKEW 2011 C1 - Unrestricted

37 Loss of entropy in initialisation (1) Z mixed into LFSR during nonlinear initialisation Matthew Dodd (private communication) Bing Sun et al (ZUC workshop) 37 LTE algorithms, for SKEW 2011 C1 - Unrestricted

38 Loss of entropy in initialisation (2) z f s 16 = f z If s 16 = 0, set s 16 = Whatever f is z = f gives the same result as z = f Two IVs colliding state 38 LTE algorithms, for SKEW 2011 C1 - Unrestricted Hongjun Wu et al (AsiaCrypt rump session, IACR eprint archive)

39 Forgery attack on EIA3 0 Fuhr/Gilbert/Reinhard/Videau (ZUC workshop, IACR eprint archive) 39 LTE algorithms, for SKEW 2011 C1 - Unrestricted

40 New versions 40 LTE algorithms, for SKEW 2011 C1 - Unrestricted

41 May Aug Sep Oct Nov Dec Jan Feb Mar Apr May Aug Sep Oct Nov Dec Jan Feb Mar Apr May Plan D SAGE Agree and sign NDA Expert team contract Paid expert team Go public Public Algorithm acceptance (hopefully) LTE algorithms, for SKEW 2011 C1 - Unrestricted

42 May Aug Sep Oct Nov Dec Jan Feb Mar Apr May Aug Sep Oct Nov Dec Jan Feb Mar Apr May Plan E SAGE Agree and sign NDA Expert team contract Paid expert team Go public Public Algorithm revision Algorithm Algorithm acceptance acceptance (hopefully) (hopefully) Public LTE algorithms, for SKEW 2011 C1 - Unrestricted

43 Thank you or 43 LTE algorithms, for SKEW 2011 C1 - Unrestricted

44 f8 construction for UMTS > Note: a single frame of UMTS keystream will contain no more than bits (so bit blocks) Pre-whitening constant is fixed within a frame, different for different frames > Pre-whitening constant prevents known input/output pairs for single KASUMI > Simple OFB mode allows short cycles unlikely, but bad if they do happen > Pre-whitening plus simple counter mode gives distinguisher with 2 32 keystream blocks: e.g. if A is pre-whitening constant and C is block counter, if [A C] = [A C ] then likely that [A (C + d)] = [A (C + d)] for some small d > Simple counter mode without pre-whitening also gives block distinguisher: No collisions > With the f8 construction, and individual frames limited to bit blocks, the only distinguishers we found needed substantially more than 2 32 blocks In fact, more than 2 32 frames and frame counter COUNT is only 32 bits anyway 44 LTE algorithms, for SKEW 2011 C1 - Unrestricted