Dumb Crypto in Smart Grids

Similar documents
9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34

Block Cipher Modes of Operation

External Encodings Do not Prevent Transient Fault Analysis

Attacks on Advanced Encryption Standard: Results and Perspectives

Symmetric Key Algorithms. Definition. A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting.

Stream ciphers. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 91

Double-DES, Triple-DES & Modes of Operation

CHAPTER 2. KEYED NON-SURJECTIVE FUNCTIONS IN STREAM CIPHERS54 All bytes in odd positions of the shift register are XORed and used as an index into a f

CSE 127: Computer Security Cryptography. Kirill Levchenko

S. Erfani, ECE Dept., University of Windsor Network Security. All hash functions operate using the following general principles:

Winter 2011 Josh Benaloh Brian LaMacchia

Encryption. INST 346, Section 0201 April 3, 2018

Basic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline

Secret Key Algorithms (DES)

Multiple forgery attacks against Message Authentication Codes

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

Side channel attack: Power Analysis. Chujiao Ma, Z. Jerry Shi CSE, University of Connecticut

ENGI 8868/9877 Computer and Communications Security III. BLOCK CIPHERS. Symmetric Key Cryptography. insecure channel

Cryptographic Concepts

Weak Keys of the Full MISTY1 Block Cipher for Related-Key Cryptanalysis

6 Block Ciphers. 6.1 Block Ciphers CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Chapter 3 Block Ciphers and the Data Encryption Standard

Information Security CS526

APNIC elearning: Cryptography Basics

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

Network Security Essentials Chapter 2

L3. An Introduction to Block Ciphers. Rocky K. C. Chang, 29 January 2015

Computer Security CS 526

RC4. Invented by Ron Rivest. A stream cipher Generate keystream byte at a step

Cryptographic hash functions and MACs

Kurose & Ross, Chapters (5 th ed.)

CSCI 454/554 Computer and Network Security. Topic 2. Introduction to Cryptography

Chapter 6 Contemporary Symmetric Ciphers

AEGIS. A Fast Authenticated Encryption Algorithm. Nanyang Technological University KU Leuven and iminds DIAC 2014 AEGIS 1

Breaking Korea Transit Card with Side-Channel Attack

Lecture 4: Authentication and Hashing

S. Erfani, ECE Dept., University of Windsor Network Security

Outline. Cryptography. Encryption/Decryption. Basic Concepts and Definitions. Cryptography vs. Steganography. Cryptography: the art of secret writing

Information Security CS526

Once upon a time... A first-order chosen-plaintext DPA attack on the third round of DES

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

A Class of Weak Keys in the RC4 Stream Cipher Preliminary Draft

Homework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.

Computational Security, Stream and Block Cipher Functions

Security guide for Industrial Protocols Smart Grid

Practical Aspects of Modern Cryptography

Fundamentals of Cryptography

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

Introduction to Cryptography CS 136 Computer Security Peter Reiher October 9, 2014

Message Authentication and Hash function

CSC 474/574 Information Systems Security

CSCE 715: Network Systems Security

Cryptographic Hash Functions

Stream Ciphers An Overview

Cryptography and Network Security Chapter 7

Block Cipher Operation. CS 6313 Fall ASU

New Cryptanalytic Results on IDEA

Misuse-resistant crypto for JOSE/JWT

Block Cipher Modes of Operation

Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms

Full Plaintext Recovery Attack on Broadcast RC4

Secret Key Cryptography (Spring 2004)

Accredited Standards Committee X9, Incorporated

Security Requirements

Lecture 1 Applied Cryptography (Part 1)

Attack on DES. Jing Li

SOLUTIONS FOR HOMEWORK # 1 ANSWERS TO QUESTIONS

TLS Security Where Do We Stand? Kenny Paterson

Mike Hamburg. August 1, Abstract

Solutions to exam in Cryptography December 17, 2013

Data Integrity & Authentication. Message Authentication Codes (MACs)

Security: Cryptography

Cryptography and Network Security Block Ciphers + DES. Lectured by Nguyễn Đức Thái

Stream Ciphers. Stream Ciphers 1

An Introduction to new Stream Cipher Designs

CRYPTOGRAPHIC ENGINEERING ASSIGNMENT II Theoretical: Design Weaknesses in MIFARE Classic

Public-key Cryptography: Theory and Practice

3 Symmetric Cryptography

1 Defining Message authentication

Cryptography Functions

A Cache Timing Analysis of HC-256

Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

How crypto fails in practice? CSS, WEP, MIFARE classic. *Slides borrowed from Vitaly Shmatikov

New Cryptanalytic Results on IDEA

Part VI. Public-key cryptography

Encryption and Forensics/Data Hiding

Content of this part

Chapter 6: Contemporary Symmetric Ciphers

PARAMETRIC TROJANS FOR FAULT-BASED ATTACKS ON CRYPTOGRAPHIC HARDWARE

Outline Basics of Data Encryption CS 239 Computer Security January 24, 2005

Public-Key Cryptography

Block Ciphers. Secure Software Systems

CS 495 Cryptography Lecture 6

Symmetric Encryption Algorithms

CSC 474/574 Information Systems Security

Symmetric Encryption 2: Integrity

Transcription:

Dumb Crypto in Smart Grids Practical Cryptanalysis of the Open Smart Grid Protocol Philipp Jovanovic 1 (@daeinar) Samuel Neves 2 (@sevenps) 1 University of Passau, Germany 2 University of Coimbra, Portugal

Smart Grids Definition from Wikipedia: A smart grid is a modernized electrical grid that uses analog or digital information and communications technology to gather and act on information [...] in an automated fashion to improve the efficiency, reliability, economics, and sustainability of the production and distribution of electricity. Fast-growing technology. Critical infrastructure: communication needs protection. 1

Open Smart Grid Protocol (OSGP) ETSI GS OSG 001 V1.1.1 (2012-01) Group Specific ation Open Smart Grid Protocol (OSGP) Source: http://www.osgp.org Application layer communication protocol for smart grids. Developed by the Energy Service Network Association (ESNA) around 2010. Disclaimer Standardised This by document the has been European produced and approved by the Open Telecommunications Smart Grid (OSG) ETSI Industry Specification Group (ISG) and Standards represents the views of those members who participated in this ISG. It does not necessarily represent the views of the entire ETSI membership. Institute (ETSI) in 2012. Used in devices sold by members of the OSGP Alliance. 2

Open Smart Grid Protocol (OSGP) Source: http://www.networkedenergy.com/nesworldwide.php Deployed in over 4 million devices world-wide. Customers/Members/Partners of OSGP Alliance: Networked Energy Services, E.ON, Vattenfall, Ericsson AB, Mitsubishi Electric, LG CNS, Oracle,... 3

Open Smart Grid Protocol (OSGP) PLC Segment data concentrator Encrypted repeater repeater repeater smart-meter smart-meter smart-meter smart-meter OSGP s Network Topology Encrypted communication between smart-meters and data concentrators. Authenticated encryption scheme: - RC4 (encryption) - OMADigest (authentication) - EN14908 (key derivation) 4

Open Smart Grid Protocol (OSGP) PLC Segment data concentrator Encrypted repeater repeater repeater smart-meter smart-meter smart-meter smart-meter OSGP s Network Topology Encrypted communication between smart-meters and data concentrators. Authenticated encryption scheme: - RC4 (encryption) - OMADigest (authentication) - EN14908 (key derivation) 4

Open Smart Grid Protocol (OSGP) PLC Segment data concentrator Encrypted repeater repeater repeater smart-meter smart-meter smart-meter smart-meter OSGP s Network Topology Encrypted communication between smart-meters and data concentrators. Authenticated encryption scheme: - RC4 (encryption) - OMADigest (authentication) - EN14908 (key derivation) 4

Our Work Overview Cryptanalysis of the OMADigest. Key recovery attacks using: 1. Differentials. 2. Bruteforce. 3. Differential-based forgeries. Based on publicly available documents. No experiments on actual (proprietary) OSGP hardware. Disclosed to OSGP Alliance/NES in November 2014. Published at IACR Workshop on Fast Software Encryption 2015. Paper available at https://eprint.iacr.org/2015/428. 5

Related Work Structural Weaknesses in the Open Smart Grid Protocol By K. Kursawe and C. Peters (European Network for Cyber Security, the Netherlands). Overview article on security in OSGP. Presents basic attacks. Paper available at https://eprint.iacr.org/2015/088. Disclosed to OSGP Alliance/NES in late 2013. Cryptanalysis of RC4 in OSGP By L. Feiten and M. Sauer (University of Freiburg, Germany). Transfers WEP attack on RC4 to the case of OSGP. Under submission. Draft shared privately. Disclosed to OSGP Alliance/NES in November 2014. 6

Related Work Structural Weaknesses in the Open Smart Grid Protocol By K. Kursawe and C. Peters (European Network for Cyber Security, the Netherlands). Overview article on security in OSGP. Presents basic attacks. Paper available at https://eprint.iacr.org/2015/088. Disclosed to OSGP Alliance/NES in late 2013. Cryptanalysis of RC4 in OSGP By L. Feiten and M. Sauer (University of Freiburg, Germany). Transfers WEP attack on RC4 to the case of OSGP. Under submission. Draft shared privately. Disclosed to OSGP Alliance/NES in November 2014. 6

OSGP s Cryptographic Infrastructure

OSGP s Cryptographic Infrastructure k 1 x 1 k 0 x 0 k 1 k 0 m n / 48 / 64 / 48 / 64 / 96 EN14908 EN14908 OMADigest / 64 / 64 / 64 k 1 k 0 / 128 / RC4 128 128 / 0 64 t k 1 k 0 : Open Media Access Key (OMAK). k 1 k 0 : Base Encryption Key (BEK). x 0, x 1 : constants. c t m n: message and counter. c, t: ciphertext and tag. 8

The EN14908 Encryption Algorithm Source: http://www.lonworks.org.cn/en/lonworks/lontalk%20protocol%20spec.pdf The OMADigest is an improved version of the EN14908 encryption algorithm. 9

The EN14908 Encryption Algorithm Source: http://www.lonworks.org.cn/en/lonworks/lontalk%20protocol%20spec.pdf The OMADigest is an improved version of the EN14908 encryption algorithm. 9

OMADigest Function OMADigest(m,k) a (0, 0, 0, 0, 0, 0, 0, 0) m mod 144 m m 0 foreach 144-byte block b of m do for i 0 to 17 do for j 7 to 0 do if k i mod 12,7 j = 1 then a j a (j+1) mod 8 + b 8i+(7 j) + ( (a j + j)) 1 else a j a (j+1) mod 8 + b 8i+(7 j) ( (a j + j)) 1 end end end return a Observations 64-bit state a. Message is zero-padded: m m 0 m mod 144. Key extension: k 0 k 11 k 0 k 11 k 0 k 5. Processing of a message byte depends exactly on one key bit. State update is almost linear. Algorithm is fully reversible. 10

OMADigest Data processing: m 8i f ki,0,7 a 0 a 1 a 2 a 3 a 4 a 5 a 6 a 7 f ki,7,0 f ki,6,1 f ki,5,2 f ki,4,3 f ki,3,4 f ki,2,5 f ki,1,6 m 8i+7 m 8i+6 m 8i+5 m 8i+4 m 8i+3 m 8i+2 m 8i+1 data flow The non-linear update function f : { y + m + ( (x + c)) 1 if k = 1 f k,c (x, y, m) = y + m ( (x + c)) 7 otherwise. Note: i = 0,..., 17 and i = i mod 12. 11

Crash Course: Differential Cryptanalysis Idea inputs x crypto function F outputs y x y x F y XOR-differential x p y of probability p in F. Applications Detect non-randomness. Key recovery. Collisions. Forgeries.... 12

Crash Course: Differential Cryptanalysis Idea inputs x crypto function F outputs y x y x F y XOR-differential x p y of probability p in F. Applications Detect non-randomness. Key recovery. Collisions. Forgeries.... 12

Crash Course: Differential Cryptanalysis Idea inputs x crypto function F outputs y x y x F y XOR-differential x p y of probability p in F. Applications Detect non-randomness. Key recovery. Collisions. Forgeries.... 12

Attack #1

Bitwise Key Recovery Injecting XOR-difference m 8i = 80: 80 f ki,0,7 a 0 a 1 a 2 a 3 a 4 a 5 a 6 80 f ki,7,0 f ki,6,1 f ki,5,2 f ki,4,3 f ki,3,4 f ki,2,5 f ki,1,6 00 00 00 00 00 00 00 data flow The non-linear update function f : { y + m + ( (x + c)) 1 if k = 1 f k,c (x, y, m) = y + m ( (x + c)) 7 otherwise. Note: i = 0,..., 17 and i = i mod 12. 14

Bitwise Key Recovery Difference prop. after 8 msg. bytes m 8i,..., m 8i+7 : 80 f ki,0,7 80 80 80 80 80 80 80 80 f ki,7,0 f ki,6,1 f ki,5,2 f ki,4,3 f ki,3,4 f ki,2,5 f ki,1,6 00 00 00 00 00 00 00 data flow The non-linear update function f : { y + m + ( (x + c)) 1 if k = 1 f k,c (x, y, m) = y + m ( (x + c)) 7 otherwise. Difference propagates with probability 1 to the full state! 15

Bitwise Key Recovery Difference prop. after 9 msg. bytes m 8i,..., m 8i+7, m 8i+8 : 00 f ki,0,7 80 80 80 80 80 80 80 a 7 f ki,7,0 f ki,6,1 f ki,5,2 f ki,4,3 f ki,3,4 f ki,2,5 f ki,1,6 00 00 00 00 00 00 00 data flow Possible output differences for the XOR-linearisation of f : { 81 = 80 01 = 80 (80 1) if k a 7 = i,0 = 1 C0 = 80 40 = 80 (80 7) if k i,0 = 0 Equal behaviour of lsb for and +: k i,0 = lsb( a 7 ). 16

Bitwise Key Recovery Full Key Recovery In 96+1 queries with 144-byte chosen-plaintexts. 17

Can we do better?

Improving Bitwise Key Recovery Setting m 8i 8 = 80 (eight steps earlier as bitwise attack) gives: i = 17,..., 6 a 0 a 1 a 2 a 3 a 4 a 5 a 6 a 7........................... m 8i 9 00 00 00 00 00 00 00 00 m 8i 8 00 00 00 00 00 00 00 80........................... m 8i 1 80 80 80 80 80 80 80 80 m 8i 80 80 80 80 80 80 80 a 7 m 8i+1 80 80 80 80 80 80 a 6 a 7........................... m 8i+7 a 0 a 1 a 2 a 3 a 4 a 5 a 6 a 7 Analysing the XOR-linearisation of f shows... 19

Improving Bitwise Key Recovery Setting m 8i 8 = 80 (eight steps earlier as bitwise attack) gives: i = 17,..., 6 a 0 a 1 a 2 a 3 a 4 a 5 a 6 a 7........................... m 8i 9 00 00 00 00 00 00 00 00 m 8i 8 00 00 00 00 00 00 00 80........................... m 8i 1 80 80 80 80 80 80 80 80 m 8i 80 80 80 80 80 80 80 a 7 m 8i+1 80 80 80 80 80 80 a 6 a 7........................... m 8i+7 a 0 a 1 a 2 a 3 a 4 a 5 a 6 a 7 Analysing the XOR-linearisation of f shows... 19

Bytewise Key Recovery Key bits can be recovered iteratively k i,0 = lsb( a 7 ) lsb(80) k i,4 = lsb( a 3 ) lsb( a 4 ) k i,1 = lsb( a 6 ) lsb( a 7 ) k i,5 = lsb( a 2 ) lsb( a 3 ) k i,2 = lsb( a 5 ) lsb( a 6 ) k i,6 = lsb( a 1 ) lsb( a 2 ) k i,3 = lsb( a 4 ) lsb( a 5 ) k i,7 = lsb( a 0 ) lsb( a 1 ) for all i = 17,..., 6 and i = i mod 12. Conclusion: Setting m 8i 8 = 80 leaks complete key byte k i. 20

Bytewise Key Recovery Key bits can be recovered iteratively k i,0 = lsb( a 7 ) lsb(80) k i,4 = lsb( a 3 ) lsb( a 4 ) k i,1 = lsb( a 6 ) lsb( a 7 ) k i,5 = lsb( a 2 ) lsb( a 3 ) k i,2 = lsb( a 5 ) lsb( a 6 ) k i,6 = lsb( a 1 ) lsb( a 2 ) k i,3 = lsb( a 4 ) lsb( a 5 ) k i,7 = lsb( a 0 ) lsb( a 1 ) for all i = 17,..., 6 and i = i mod 12. Conclusion: Setting m 8i 8 = 80 leaks complete key byte k i. 20

Bytewise Key Recovery Full Key Recovery In 12+1 queries with 144-byte chosen-plaintexts. 21

Attack #2

Known-Plaintext Key Recovery Prerequisites Two 144-byte messages m = x y and m = x y with y = y = r bytes and y y. Authentication tags: a = OMADigest(m) and a = OMADigest(m ) 23

Known-Plaintext Key Recovery Idea OMABackward... k 3 m 120,..., m 127 k 4 m 128,..., m 135 k 5 m 136,..., m 143 a i = 1 i = 0... m 120,..., m 127 m 128,..., m 135 m 136,..., m 143 b? = a k 3 k 4 k 5 For i = 0,..., 11: Set r = 8i + 16. Guess k 17 i mod 12. Fix k 16 i mod 12 = 00. OMAForward Compute: b = OMAForward(OMABackward(a, m, k, r), m, k, r). Check: b = a. If so, save guess for k 17 i mod 12 as a candidate. 24

Known-Plaintext Key Recovery Idea OMABackward... k 3 m 120,..., m 127 k 4 m 128,..., m 135 k 5 m 136,..., m 143 a i = 1 i = 0... m 120,..., m 127 m 128,..., m 135 m 136,..., m 143 b? = a k 3 k 4 k 5 For i = 0,..., 11: Set r = 8i + 16. Guess k 17 i mod 12. Fix k 16 i mod 12 = 00. OMAForward Compute: b = OMAForward(OMABackward(a, m, k, r), m, k, r). Check: b = a. If so, save guess for k 17 i mod 12 as a candidate. 24

Known-Plaintext Key Recovery Idea OMABackward... k 3 m 120,..., m 127 k 4 m 128,..., m 135 k 5 m 136,..., m 143 a i = 1 i = 0... m 120,..., m 127 m 128,..., m 135 m 136,..., m 143 b? = a k 3 k 4 k 5 For i = 0,..., 11: Set r = 8i + 16. Guess k 17 i mod 12. Fix k 16 i mod 12 = 00. OMAForward Compute: b = OMAForward(OMABackward(a, m, k, r), m, k, r). Check: b = a. If so, save guess for k 17 i mod 12 as a candidate. 24

Known-Plaintext Key Recovery Idea OMABackward... k 3 m 120,..., m 127 k 4 m 128,..., m 135 k 5 m 136,..., m 143 a i = 1 i = 0... m 120,..., m 127 m 128,..., m 135 m 136,..., m 143 b? = a k 3 k 4 k 5 For i = 0,..., 11: Set r = 8i + 16. Guess k 17 i mod 12. Fix k 16 i mod 12 = 00. OMAForward Compute: b = OMAForward(OMABackward(a, m, k, r), m, k, r). Check: b = a. If so, save guess for k 17 i mod 12 as a candidate. 24

Known-Plaintext Key Recovery Idea OMABackward... k 3 m 120,..., m 127 k 4 m 128,..., m 135 k 5 m 136,..., m 143 a i = 1 i = 0... m 120,..., m 127 m 128,..., m 135 m 136,..., m 143 b? = a k 3 k 4 k 5 For i = 0,..., 11: Set r = 8i + 16. Guess k 17 i mod 12. Fix k 16 i mod 12 = 00. OMAForward Compute: b = OMAForward(OMABackward(a, m, k, r), m, k, r). Check: b = a. If so, save guess for k 17 i mod 12 as a candidate. 24

Known-Plaintext Key Recovery Full Key Recovery In 24 queries of 144-byte known-plaintexts with common prefix. In 12 + 1 queries of 144-byte chosen plaintexts. 25

Attack #3

Forgery Attacks Injecting XOR-differences m 8i+j = 80 and m 8i+j+1 = 80 80 f ki,0,7 a 0 a 1 a 2 a 3 a 4 a 5 00 80 f ki,7,0 f ki,6,1 f ki,5,2 f ki,4,3 f ki,3,4 f ki,2,5 f ki,1,6 00 00 00 00 00 00 80 data flow for i = 0,..., 17, i = i mod 12, and j = 0,..., 7 (here: j = 0). The non-linear update function f : { y + m + ( (x + c)) 1 if k = 1 f k,c (x, y, m) = y + m ( (x + c)) 7 otherwise. 27

Forgery Attacks Difference prop. after 8 msg. bytes m 8i+j,..., m 8i+j+7 : 80 f ki,0,7 00 00 00 00 00 00 00 80 f ki,7,0 f ki,6,1 f ki,5,2 f ki,4,3 f ki,3,4 f ki,2,5 f ki,1,6 00 00 00 00 00 00 80 data flow No further propagation, stationary difference a 7 = 80. 28

Forgery Attacks Difference prop. after 9 msg. bytes m 8i+j,..., m 8i+j+7, m 8i+j+8 : x f ki,0,7 00 00 00 00 00 00 00 a 7 f ki,7,0 f ki,6,1 f ki,5,2 f ki,4,3 f ki,3,4 f ki,2,5 f ki,1,6 00 00 00 00 00 00 00 data flow Inject XOR-difference m 8i+j+8 = x s.t. a 7 = 00 forgery! How do we choose x? 29

From Forgeries... Options for x: k i+1,j = 0 k i+1,j = 1 x C0 40 p 1/2 1/2 x 01 03 07 0F 1F 3F 7F FF p 1/2 1/4 1/8 1/16 1/32 1/64 1/128 1/128 Using ( m 8i+j, m 8i+j+1, m 8i+j+8 ) = (80, 80, x) with x {C0, 40, 01} has probability 1/4 to create a forgery. 30

From Forgeries... Options for x: k i+1,j = 0 k i+1,j = 1 x C0 40 p 1/2 1/2 x 01 03 07 0F 1F 3F 7F FF p 1/2 1/4 1/8 1/16 1/32 1/64 1/128 1/128 Using ( m 8i+j, m 8i+j+1, m 8i+j+8 ) = (80, 80, x) with x {C0, 40, 01} has probability 1/4 to create a forgery. 30

... to Key Recovery 1. Test ( m 8i+j, m 8i+j+1, m 8i+j+8 ) = (80, 80, C0). Forgery? Yes: ki+1 mod 12,j = 0. No: Continue. 2. Test ( m 8i+j, m 8i+j+1, m 8i+j+8 ) = (80, 80, 40). Forgery? Yes: ki+1 mod 12,j = 0. No: ki+1 mod 12,j = 1. 31

... to Key Recovery 1. Test ( m 8i+j, m 8i+j+1, m 8i+j+8 ) = (80, 80, C0). Forgery? Yes: ki+1 mod 12,j = 0. No: Continue. 2. Test ( m 8i+j, m 8i+j+1, m 8i+j+8 ) = (80, 80, 40). Forgery? Yes: ki+1 mod 12,j = 0. No: ki+1 mod 12,j = 1. 31

Forgery-based Key Recovery Summary Full key recovery in 168 queries (on average). Works with chosen-plaintexts and with chosen-ciphertexts. (due to stream cipher encryption) Key bits can be recovered in arbitrary order. (unlike as in attacks #1 and #2) No restrictions on the message size. 32

Forgery-based Key Recovery Summary Full key recovery in 168 queries (on average). Works with chosen-plaintexts and with chosen-ciphertexts. (due to stream cipher encryption) Key bits can be recovered in arbitrary order. (unlike as in attacks #1 and #2) No restrictions on the message size. 32

Forgery-based Key Recovery Summary Full key recovery in 168 queries (on average). Works with chosen-plaintexts and with chosen-ciphertexts. (due to stream cipher encryption) Key bits can be recovered in arbitrary order. (unlike as in attacks #1 and #2) No restrictions on the message size. 32

Forgery-based Key Recovery Summary Full key recovery in 168 queries (on average). Works with chosen-plaintexts and with chosen-ciphertexts. (due to stream cipher encryption) Key bits can be recovered in arbitrary order. (unlike as in attacks #1 and #2) No restrictions on the message size. 32

Conclusion

Overview on Digest Attacks Attack Type B Queries Complexity Oracle #1 #2 #3 CP 1 13 2 3.58 Tag-generation CP 2 7 2 10.58 Tag-generation CP 3 5 2 18.00 Tag-generation CP 4 4 2 25.58 Tag-generation CP 5 4 2 33.58 Tag-generation CP 6 3 2 41.00 Tag-generation KP+ / CP 1 24/13 2 10.58 Tag-generation KP+ / CP 2 12 / 7 2 17.58 Tag-generation KP+ / CP 3 8 / 5 2 25.00 Tag-generation KP+ / CP 4 6 / 4 2 32.58 Tag-generation KP+ / CP 5 6 / 4 2 40.32 Tag-generation KP+ / CP 6 4 / 3 2 48.58 Tag-generation Forgeries (CP / CC, XOR) 168 168 Tag-verification Forgeries (CP, Additive) 144 144 Tag-verification B: time-query trade-off parameter. KP+: known-plaintext with common prefix. CP: chosen-plaintext. CC: chosen-cipertext. 34

Fin We think: OSGP s cryptographic scheme offers no protection whatsoever. (assuming it is implemented as in the specification) Secure communication in OSGP highly doubtful as long as any of RC4, EN14908 or OMADigest is used. Thank you! 35

Fin We think: OSGP s cryptographic scheme offers no protection whatsoever. (assuming it is implemented as in the specification) Secure communication in OSGP highly doubtful as long as any of RC4, EN14908 or OMADigest is used. Thank you! 35

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback