1 © NOKIA
Applications of Cryptography in Wireless Communication
Bergen 18th June 2003
Kaisa Nyberg, Nokia Research Center
Outline
Mobile Networks
• GSM
• 3GPP UMTS
Other RATs
• Bluetooth
• WLAN
• Key management
“If you go underground you have got to learn to live with the rats.” — Alex Krycek (X-files)
RAT security functions
[Figure: block diagram of the security functions of a radio access technology. Blocks: AUTHENTICATION AND KEY AGREEMENT, SESSION KEY DERIVATION, CONFIDENTIALITY AND INTEGRITY ALGORITHMS. Inputs and outputs: LINK KEY, OTHER INPUT, SESSION KEYS, NONCES, CONTROL DATA, USER DATA, PROTECTED CONTROL DATA, PROTECTED USER DATA.]
Lesson 1: Bluetooth
• Outline:
• Bluetooth keys
• Cryptographic algorithms
• Bluetooth pairing, and its weaknesses
• Proposed improved pairing
Bluetooth keys
[Figure: Bluetooth key hierarchy, shown for both devices. First time connections: PIN → E22 → LINK KEY; LINK KEY → E3 (with EN_RAND) → ENCRYPTION KEY. The link key is used for authentication, the encryption key for encryption.]
E0 – Encryption algorithm
[Figure: E0 keystream generator. The input data is formed from KC,  K’C, CLK, EN_RAND and ADDR; four LFSRs (LFSR 1 – LFSR 4) feed a summation combiner (“blend”); output: encryption stream.]
7 © NOKIA
Bluetooth Pairing • Establishing link key between two BT devices• Secret seed to the pairing procedure provided by Bluetooth PIN• If the seed (Bluetooth PIN) is given or guessed, the link key can
be derived from the public information exchanged between the devices and wire-tapped during the procedure ⇒Short or otherwise low-redundancy Bluetooth PINs
open possibilities for off-line dictionary attacks (passive attacks)
⇒ Use full length random PIN values in Bluetoothpairing !This can be facilitated by implementing PIN
generating applications in the devices; but still cumbersome !
Bluetooth Pairing: Combination key
[Figure: Unit A and Unit B each compute Kinit = E22(ADDR_A, PIN, RND). Unit A computes E21(ADDR_A, RND_A) and Unit B computes E21(ADDR_B, RND_B); RND_A and RND_B are exchanged masked with Kinit (+ denotes XOR), so that both units can compute both E21 outputs and combine them (+) into the combination key KAB.]
Using short PIN values, an attack (I)
Observing device addresses and the following communication:
A1 = RND (initialisation)
A2 = Kinit + RND_A, A3 = Kinit + RND_B (combination key calculation)
A4 = AU_RND, A5 = SRES (authentication)
Using short PIN values, an attack (II)
For each possible PIN test:
K’init = E22(ADDR_A, PIN, A1)
RND_A’ = A2 + K’init, RND_B’ = A3 + K’init
K’AB = E21(ADDR_A, RND_A’) + E21(ADDR_B, RND_B’)
SRES = E1(K’AB, claimant ADDR, A4)
A5 =? SRES
Enhanced Bluetooth Pairing
Gehrmann–Nyberg (2000)
• Use a key agreement protocol based on public key cryptography that is secure against passive attacks, such as Diffie-Hellman, RSA key transport etc.
• Protection still needed against active attacks
• man-in-the-middle
• impersonation
• Protection can be achieved using short passkeys!
• Existing methods: password authenticated key exchange protocols (for proposals, see IEEE P1363a study group) intended for remote client server authentication based on human memorable password
• In most Bluetooth scenarios:
• passkeys are used once then discarded
• devices are in close proximity
Diffie-Hellman key exchange (non-authenticated)
Fixed public parameters: P prime and G generator
ALICE: a secret, A = G^a mod P
BOB: b secret, B = G^b mod P
Alice sends A to Bob; Bob sends B to Alice
KA = B^a mod P; KB = A^b mod P
KA = KB ?
Anonymous Diffie-Hellman protocol: Alice has KA, Bob has KB. Is KA = KB?
Alice’s device:
• Device generates challenge P
• Device computes response CA = h(KA, P)
• Device displays check value CV = P || CA to Alice
Alice tells CV to Bob
Bob’s device:
• Bob enters CV = P || CA into his device
• Device computes response CB = h(KB, P)
• Device compares CB = CA ? and displays the result (yes or no) to Bob
Bob tells the result to Alice
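The anonymous Diffie-Hellman exchange of slide 12 followed by the manual check-value step of slide 13, as an added Python example that is not part of the original slides. Assumptions: a constructed demo group (P = 2^127 - 1, G = 3), SHA-256 truncated to four bytes as the unspecified function h, and a hex string as the check value Alice reads out to Bob.

```python
import hashlib
import hmac
import secrets

# Constructed demo group (assumption): P = 2^127 - 1 is a Mersenne prime and
# G = 3 is taken as the generator. Real deployments use standardised groups.
P = (1 << 127) - 1
G = 3
KEY_BYTES = (P.bit_length() + 7) // 8


def dh_keypair():
    """Slide 12: secret exponent a and public value A = G^a mod P."""
    priv = secrets.randbelow(P - 3) + 2          # 2 <= priv <= P - 2
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """KA = B^a mod P on Alice's side, KB = A^b mod P on Bob's side."""
    return pow(peer_pub, priv, P)


def h(key, challenge, out_bytes=4):
    """The check function h(K, P) of slide 13. The slides leave h unspecified;
    here it is SHA-256 over key || challenge, truncated so that the tag is
    short enough for a person to read out (assumption)."""
    digest = hashlib.sha256(key.to_bytes(KEY_BYTES, "big") + challenge).digest()
    return digest[:out_bytes]


def make_check_value(k_a, challenge=None):
    """Alice's device: generate the challenge, compute CA = h(KA, challenge)
    and display CV = challenge || CA (as hex, separated for readability)."""
    if challenge is None:
        challenge = secrets.token_bytes(4)
    return challenge.hex() + "-" + h(k_a, challenge).hex()


def verify_check_value(k_b, cv):
    """Bob's device: take the CV Bob typed in, recompute CB = h(KB, challenge)
    and answer yes (True) only if CB == CA."""
    chal_hex, ca_hex = cv.split("-")
    cb = h(k_b, bytes.fromhex(chal_hex))
    return hmac.compare_digest(cb, bytes.fromhex(ca_hex))


def run_pairing(active_attacker=False):
    """Anonymous DH followed by the human check-value comparison.
    With active_attacker=True a man-in-the-middle substitutes both public
    values, so Alice and Bob hold different keys and the comparison fails."""
    a, pub_a = dh_keypair()
    b, pub_b = dh_keypair()
    if active_attacker:
        _, fake_for_bob = dh_keypair()      # delivered to Bob instead of A
        _, fake_for_alice = dh_keypair()    # delivered to Alice instead of B
        k_a = dh_shared(a, fake_for_alice)  # Alice now shares a key with the attacker
        k_b = dh_shared(b, fake_for_bob)    # Bob shares a different key with the attacker
    else:
        k_a = dh_shared(a, pub_b)
        k_b = dh_shared(b, pub_a)
    cv = make_check_value(k_a)              # Alice reads CV to Bob
    return verify_check_value(k_b, cv)      # Bob's device answers yes/no
```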
Further MANA Developments
• A further variant recently presented by J-O Larsson, RSA (OpenGroup Conference, Amsterdam 24 Oct 2001)
• only the challenge is transmitted to the devices using human channel
• verification step is automated, and consists of an interactive proof protocol with commitments and proofs
• the method is also applicable when only keypads are used. But it is not applicable if only displays are used.
• International Standard ISO/IEC JTC1 SC27 FCD 9798-6 (see RSA Cryptobytes, Spring 2004)
MANA I Protocol
[Figure: message flow. First component: Receive data D; Output: Data D ready; User enters: Start; Generate K, compute MAC, and output K and MAC. User reads K and MAC and enters K and MAC into the second component. Second component: Recompute MAC and compare; Output Accept or Reject.]
MANA II Protocol
[Figure: message flow. Both components: Output: Data D ready. User verifies: Both components ready; User enters: Start. First component: Generate K, and transmit K to second component; second component: Receive K. Both components: Compute MAC; Output K and MAC. User compares the two MAC values and enters OK or REJECT in both components.]
Security of MANA Protocols
The security of MANA protocols depends on the probability for an attacker to replace the observed data d with some other data d’. The attacker succeeds if d’ is accepted by the component as valid data. Since we assume that both components are physically close to each other and we do not accept any data unless both devices actually signal that they are ready, the impersonation attack does not apply to the MANA scenario.
Only the data is sent over the public channel and the attacker does not know the output of the MAC. Hence, the probability of a successful substitution attack for MANA I and II can be expressed as
$P_S = \max_{d \neq d'} \Pr\{ f(d,k) = f(d',k) \mid d \text{ is observed} \}$.
Thus, given that the key is chosen uniformly at random from the key space $K$, the probability above can be expressed as
$P_S = \max_{d \neq d'} \frac{1}{|K|} \cdot \left|\{ k \in K \mid f(d,k) = f(d',k) \}\right|$,
where $|K|$ denotes the cardinality of the set $K$.
MANA using Reed-Solomon codes
The data (message) to be encoded is a t-tuple of elements in $F_q$, $d = (d_0, d_1, \ldots, d_{t-1})$, where $d_i \in F_q$.
Then the RS-encoding polynomial is given by
$p_d(x) = d_0 + d_1 x + d_2 x^2 + \cdots + d_{t-1} x^{t-1}$.
The MAC function is given by evaluating the polynomial at the point $k \in F_q$:
$f(d,k) = v_d(k) = p_d(k) = d_0 + d_1 k + d_2 k^2 + \cdots + d_{t-1} k^{t-1}$.
Substitution probabilities for the MANA construction using Reed-Solomon codes
log2|D|   log2(n)   PS
128       16        2^-13 to 2^-16
256       16        2^-12 to 2^-16
128       20        2^-17 to 2^-20
256       20        2^-16 to 2^-20
n = q = |K|
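The Reed-Solomon MAC of slides 18 and 19, the substitution probability of slide 17 and the parameters of the table above, worked in Python as an added example that is not from the slides. Assumptions: the field F_q is the prime field with q = 65521 (the largest prime below 2^16) and the data is cut into 15-bit symbols so that every d_i < q; the bound function uses the table's own parameters (n = q = 2^16 or 2^20, t = log2|D| / log2(n) symbols rounded up) and reproduces its upper values.

```python
from math import ceil, log2

Q = 65521            # prime field F_q used for the demo (assumption, see lead-in)
SYMBOL_BITS = 15     # each symbol d_i must be < q, so 15-bit chunks are used


def encode_data(data: bytes):
    """Turn the data into the t-tuple d = (d_0, ..., d_{t-1}) of field elements,
    least significant symbol first."""
    value = int.from_bytes(data, "big")
    t = ceil(len(data) * 8 / SYMBOL_BITS)
    mask = (1 << SYMBOL_BITS) - 1
    return tuple((value >> (SYMBOL_BITS * i)) & mask for i in range(t))


def rs_mac(d, k):
    """f(d, k) = p_d(k) = d_0 + d_1 k + ... + d_{t-1} k^{t-1} in F_q (Horner's rule)."""
    acc = 0
    for coeff in reversed(d):
        acc = (acc * k + coeff) % Q
    return acc


def colliding_keys(d, d_prime):
    """Number of keys k with f(d, k) = f(d', k): the roots in F_q of the non-zero
    polynomial p_d - p_d', which has degree < t and therefore at most t-1 roots.
    Divided by |K| = q this is the substitution probability for this pair."""
    diff = tuple((x - y) % Q for x, y in zip(d, d_prime))
    return sum(1 for k in range(Q) if rs_mac(diff, k) == 0)


def log2_substitution_bound(data_bits, log2_n):
    """log2 of the bound P_S <= (t-1)/q with q = n = |K| = 2^log2_n and
    t = ceil(data_bits / log2_n) symbols. For 128-bit data and 16-bit symbols
    this is 7/2^16, i.e. about 2^-13.2, the upper value in the table."""
    t = ceil(data_bits / log2_n)
    return log2(t - 1) - log2_n


def mana1_first_component(data: bytes, k: int):
    """MANA I, first component: given a fresh key K (chosen uniformly from F_q),
    compute the MAC and output both for the user to read and carry over."""
    return k, rs_mac(encode_data(data), k)


def mana1_second_component(received: bytes, k: int, mac: int):
    """MANA I, second component: recompute the MAC over the data it actually
    received (possibly substituted on the public channel) and compare."""
    return rs_mac(encode_data(received), k) == mac
```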
Lesson 2: WLAN
• Outline:
• Security Extensions in IEEE 802.11i
• RSNA Establishment
• Data Encryption and Authentication
Security Extensions in IEEE 802.11i
• allows establishment of Robust Security Network Associations (RSNAs) between Wireless Local Area Network (WLAN) stations
• RSNA enables stations to
• use the Extensible Authentication Protocol (EAP) to authenticate the peer station instead of using a pre-shared key (PSK)
• establish fresh cryptographic keys
• use better cryptographic methods for data authentication and encryption
4-Way Handshake
• both supplicant and authenticator generate nonces (ANonce and SNonce) and exchange them
• both parties derive the same Pairwise Transient Key (PTK) from the PMK, their MAC addresses and the nonces by using a SHA-1-based algorithm
• PTK is divided into Key Confirmation Key (KCK), Key Encryption Key (KEK) and Temporal Key (TK)
• the MICs shown in the figure are based on the KCK
• TK is used to protect unicast traffic between the parties
• authenticator provides the supplicant with an additional key, Group Temporal Key (GTK) that is used to protect multicast and broadcast traffic
• GTK is encrypted using the KEK
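The PTK derivation of the 4-way handshake as an added Python example (not from the slides): the IEEE 802.11i PRF built from HMAC-SHA1 expands the PMK with both MAC addresses and both nonces, and the result is split into KCK, KEK and TK. The EAPOL-Key body below is a constructed stand-in for the real frame; the MIC over it is HMAC-SHA1 truncated to 128 bits, as used with CCMP.

```python
import hashlib
import hmac
import os


def prf(key: bytes, label: bytes, data: bytes, out_bits: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... and truncate to out_bits."""
    blocks = [
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range((out_bits + 159) // 160)
    ]
    return b"".join(blocks)[: out_bits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes):
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    Sorting by min/max is what lets both sides compute the same key whichever
    of them is the authenticator. Returns (KCK, KEK, TK), 16 bytes each for CCMP."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 384)
    return ptk[0:16], ptk[16:32], ptk[32:48]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """MIC over an EAPOL-Key frame (MIC field zeroed): HMAC-SHA1-128 keyed with KCK."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def four_way_handshake(pmk_supplicant, pmk_authenticator, aa, spa, rng=os.urandom):
    """Messages 1 and 2 of the handshake. The authenticator checks the MIC of
    message 2 with its own KCK: a supplicant holding the wrong PMK derives a
    different PTK and its MIC fails. Returns (mic_ok, supplicant_keys, authenticator_keys)."""
    anonce = rng(32)                                    # message 1: ANonce
    snonce = rng(32)                                    # supplicant picks SNonce
    s_keys = derive_ptk(pmk_supplicant, aa, spa, anonce, snonce)
    msg2 = b"EAPOL-Key msg2 (constructed stand-in) " + snonce   # MIC field taken as zero
    mic = eapol_mic(s_keys[0], msg2)                    # message 2 carries SNonce + MIC
    a_keys = derive_ptk(pmk_authenticator, aa, spa, anonce, snonce)
    mic_ok = hmac.compare_digest(mic, eapol_mic(a_keys[0], msg2))
    return mic_ok, s_keys, a_keys
```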
Data Encryption and Authentication
• IEEE 802.11i defines one mandatory data encryption and authentication mode for RSNAs: the Counter-Mode/CBC-MAC Protocol (CCMP)
• CCMP uses AES in CCM mode, providing both encryption and strong authentication
• TK and GTK obtained during the 4-way handshake are used as keys
CBC-MAC Calculation
Counter Mode Encryption and MIC Calculation
Link Key Management with EAP
• Outline
• EAP
• Tunnelled EAP
• Man-in-the-Middle problems and solutions
Remote MN Authentication Methods - EAP
• Extensible Authentication Protocol (EAP) is a general protocol framework that supports
• multiple authentication mechanisms
• allows a back-end server to implement the actual mechanism
• authenticator simply passes authentication signaling through
• EAP was initially designed for use with PPP network access
• But has been adapted for other types of access authentication
• WLAN (IEEE 802.1X)
• EAP consists of several Request/Response pairs; Requests are sent by the network
Station Authentication with EAP
• EAP supports various authentication mechanisms, e.g. passwords, public keys and token cards
• if authentication is performed with an AP, the other station always acts as the supplicant
• after EAP authentication, the supplicant and the authenticator share a common secret value, the Pairwise Master Key (PMK)
• using EAP is not obligatory, a PSK may also be used as the PMK (since the possession of the correct PMK is verified during the 4-way handshake)
Protecting EAP – the PEAP approach
[Figure: PEAP architecture. Three stacks: Client (Cipher-Suite, EAP, EAP Method), NAS, and Backend Server (Cipher-Suite, EAP, EAP Method), each layer connected through an EAP API. The EAP conversation runs between the Client and the Backend Server (over PPP, 802.11, etc.); there is a trust relationship between the NAS and the Backend Server, and the Backend Server delivers keys to the NAS.]
PEAP/AKA - How it works
[Figure: message flow between Terminal, AP, WLAN Server and HSS. First a PEAP tunnel is established (server authenticated; TLS protocol based on network certificate); the following steps are secured by the TLS tunnel.]
1. (… , EAP-Request/Identity message, )
2. TLS(EAP-Response/Identity (IMSI))
2a. MAP(Send_Auth Params: IMSI) [or DIAMETER]
2b. MAP (AKA authentication quintuplets)
3. TLS(EAP-Request/AKA-challenge (RAND, AUTN))
2. TLS(EAP-Response/AKA-challenge (RES))
WLAN_Master_session_keys (based on TLS tunnel keys)
PEAP/AKA - How it can fail
[Figure: the same message flow with a MitM between the Terminal and the WLAN Server. The PEAP tunnel (TLS protocol based on network certificate, only server authenticated) is established between the MitM and the WLAN Server; towards the Terminal the MitM runs the inner protocol over a separate link (IMSI_Request / IMSI; 3. RAND, AUTN; 2. RES) and relays the answers inside the tunnel. The WLAN_Master_session_keys (based on TLS tunnel keys) end up with the MitM: stolen WLAN link.]
1. (… , EAP-Request/Identity message, )
2. TLS(EAP-Response/Identity (IMSI))
2a. MAP(Send_Auth Params: IMSI) [or DIAMETER]
2b. MAP (AKA authentication quintuplets)
3. TLS(EAP-Request/AKA-challenge (RAND, AUTN))
2. TLS(EAP-Response/AKA-challenge (RES))
Analysis of the problem
• Inner protocol is a legacy remote client authentication protocol (EAP/SIM, EAP/AKA) – typically used also without TLS tunnelling, also without ANY tunnelling
• MitM can set up a false cellular base station to ask for IMSI and subsequently, for RES.
• Even if EAP protocol is used exclusively in tunnelled mode, authentication of tunnel relies solely upon the terminal. Terminal user may accept an unknown certificate! This is not acceptable to network operators.
• Session keys are derived from TLS Master Key generated using tunnel protocol (same key as used to create tunnel).
• Keys derived in the EAP protocol (EAP SIM or UMTS AKA Master Keys) are not used.
Lessons learnt
• Composing two secure protocols may result in an insecure protocol
• Using tunnelling to “improve” a remote authentication protocol is very common
• Known vulnerable combinations:
• HTTP Digest authentication and TLS
• PEAP and any EAP subtype
• PIC and any EAP subtype
• …
• There are solutions that can be used to fix the problem
• the exact fix needs to be tailored to the specific protocols
N. Asokan, V. Niemi, K. Nyberg, Man-in-the-Middle in Tunnelled Authentication Protocols, International Workshop on Security Protocols, 2-4 April 2003, Cambridge, England
Some solutions
• Create cryptographic binding between tunneling protocol and MN authentication protocol:
METHOD 1: Use a one-way function to compute session keys from tunnel secrets (e.g. TLS master key) and EAP secrets (e.g. IK, CK).
METHOD 2: Compute a MAC over the protected EAP-response and credential request, using a MAC key derived as session key in Method 1. MAC is verified by AAAL or AAAH. Now tunnel is secure for handling of session keys or credentials.
• In both methods, EAP secrets must be sent from AAAH to AAAL (or tunnel secrets must be sent from AAAL to AAAH)
• Both methods rely on the MN authentication protocol producing a session key as well.
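METHOD 1 and METHOD 2 above simulated in Python, as an added example that is not from the slides or the cited paper. The AKA functions, the TLS master secret and the message formats are constructed HMAC-based stand-ins; what the run shows is that the tunnel endpoint (the MitM of slide 31 in the attack case) ends up with the server's WLAN session key only when it also holds the EAP secrets CK and IK, and that with the Method 2 MAC the server no longer accepts a relayed RES.

```python
import hashlib
import hmac
import os


def aka_response(k_subscriber: bytes, rand: bytes):
    """Constructed stand-in for the AKA functions f2/f3/f4 (not MILENAGE):
    derives (RES, CK, IK) from the long-term key K and RAND. Both the terminal
    and the home network (the quintuplet from the HSS) compute this."""
    out = hmac.new(k_subscriber, b"AKA" + rand, hashlib.sha512).digest()
    return out[:8], out[8:24], out[24:40]


def session_key_unbound(tunnel_secret: bytes) -> bytes:
    """Slide 32: WLAN master session keys derived from the TLS master key only."""
    return hmac.new(tunnel_secret, b"WLAN master session keys", hashlib.sha256).digest()


def session_key_method1(tunnel_secret: bytes, ck: bytes, ik: bytes) -> bytes:
    """METHOD 1: one-way function over the tunnel secret and the EAP secrets CK, IK."""
    return hmac.new(tunnel_secret, b"compound binding" + ck + ik, hashlib.sha256).digest()


def binding_mac_method2(session_key: bytes, eap_response: bytes) -> bytes:
    """METHOD 2: MAC over the protected EAP-response, keyed with the Method 1 key."""
    return hmac.new(session_key, eap_response, hashlib.sha256).digest()[:16]


def tunnelled_aka(bind: bool, man_in_the_middle: bool):
    """One run of PEAP/AKA. The TLS tunnel ends either at the terminal (honest
    run) or at the MitM, who relays RAND/AUTN to the victim over a false base
    station and the victim's RES back into the tunnel (slide 31).
    Returns (server_accepts, tunnel_end_has_server_session_key)."""
    k = bytes(range(16))                  # constructed subscriber key K
    rand = os.urandom(16)
    tunnel_secret = os.urandom(48)        # known to the server and to the tunnel end
    res, ck, ik = aka_response(k, rand)   # computed by the victim terminal
    xres, ck_srv, ik_srv = aka_response(k, rand)   # quintuplet held at AAAH/server
    server_key = (session_key_method1(tunnel_secret, ck_srv, ik_srv)
                  if bind else session_key_unbound(tunnel_secret))
    if man_in_the_middle:
        ck_known, ik_known = bytes(16), bytes(16)   # MitM never sees CK, IK; can only guess
    else:
        ck_known, ik_known = ck, ik                 # honest terminal has its own CK, IK
    tunnel_end_key = (session_key_method1(tunnel_secret, ck_known, ik_known)
                      if bind else session_key_unbound(tunnel_secret))
    eap_response = b"EAP-Response/AKA-challenge " + res
    if bind:
        mac = binding_mac_method2(tunnel_end_key, eap_response)
        accepts = res == xres and hmac.compare_digest(
            mac, binding_mac_method2(server_key, eap_response))
    else:
        accepts = res == xres             # today: the relayed RES is all the server checks
    return accepts, tunnel_end_key == server_key
```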
Lesson 3: Cryptography in GSM
Outline
Security goals in GSM Networks
Authentication and Key Agreement
Cryptographic algorithms
Attacks and countermeasures
Trust model
• Each operator shares long term security association (SA) with its subscriber
• Security association credentials stored in tamper-resistant identity module issued to subscriber called the UICC ( = SIM or USIM)
• Operators may enter roaming agreements with other operators in which case a certain level of trust exists between the respective domains
Security goals in GSM
• Secure business for operators
• subscribers pay their bills
• subscribers do not avoid using GSM because of privacy threats
• accommodate to regulators’ and LEAs’ requirements
⇒ System requirements:
• call authentication and integrity
• privacy protection over the air interface
• support for LI
Mobile Network
[Figure: MOBILE TERMINAL – BASE STATION – HOME LOCATION REGISTER]
GSM – Securing access and radio path
[Figure: MOBILE (SIM) holding IMSI, K; VISITOR LOCATION REGISTER AND BASE STATION; HOME LOCATION REGISTER holding {IMSI, K}. The mobile sends IMSI to the VLR, which forwards IMSI to the HLR; the HLR computes XRES and Kc from K and RAND and returns RAND, XRES, Kc; the VLR sends RAND to the mobile; the mobile computes SRES and Kc from K and RAND and returns SRES; the VLR checks SRES = XRES ?; the radio path is encrypted using Kc.]
One-way function on the SIM card for authentication and key agreement
[Figure: inputs K, RAND → outputs SRES / XRES, Kc]
Authentication and Key Agreement
[Figure: A3 computes SRES/XRES and A8 computes Kc, both from RAND and Ki]
A3/A8 Algorithms
Operator specific – need not be standardized
• COMP128-1
• Originally secret, completely reverse-engineered, subsequently broken, instant cloning devices known to exist
• COMP128-2 and COMP128-3
• secret, strength not known, cloning devices not known
• GSM-MILENAGE
• Published by GSM Association
• based on 3G MILENAGE and AES
• Operator and manufacturer algorithms
A5 and GEA Algorithms
Air interface encryption – must be standardized
• A5/1
• originally secret
• moderate strength (online breaking devices not known to exist)
• A5/2
• originally secret
• weak and broken (online breaking devices known to exist)
• A5/3
• Published by GSM Association
• Based on 3GPP f8 encryption algorithm
• GEA1 and GEA2
• Secret
• GEA3
• Published by GSM Association
• Based on 3GPP f8 encryption algorithm
Lack of confidence in GSM Security
• lack of openness in design and publication of A5/1
• misplaced belief by regulators in the effectiveness of control on the export or (in some countries) the use of cryptography
• key length too short, but implementation faults make increase of encryption key length difficult
• need to replace A5/1, but poor design of support for simultaneous use of more than one encryption algorithm is making replacement difficult
• ill advised use of COMP 128
Source: Mike Walker (Vodafone and RH, chair of SA3 of 3GPP) Invited talk at Eurocrypt 2000
Magic Sim
• A smart design of the MAGIC SIM can now solve problems for people who own several mobile numbers. With the MAGIC SIM, you can integrate all your mobile numbers in only one card.
• The operating process is very easy, with the software and the manual provided, you will be able to operate it and switch it to the number or network that you wish. This way, the problem of changing SIM cards and paying large amount of phone bill will both be avoided.
• With an exclusive “look up table”, Magic Sim can make 100% successful in cracking COMP128-1 SIM cards. Currently Magic Sim is planning to develop COMP128 V2 cracking algorithm for future applications.
GSM System $420,000.00 GSM Interceptor Pro
Features
The system can target specific numbers or randomly screen GSM mobile Communication. Conversations are monitored and logged simultaneously to voice and data logger for storage and retrieval. Works with identificators IMSI, TMSI, IMEI, and MSISDN.
An advanced monitoring system designed to intercept GSM cellular traffic. It is the most sophisticated - advanced state of the art equipment of its kind. It is custom made to certain specifications according to the cellular system in your country.
GSM Interceptor Pro
Encryption Modes:
• A5/2: cooperation with network operator is not needed, the system works in real time.
• A5/1: If cooperation with network operator is possible, the system works in real time.
• If cooperation with network operator is not possible but there is an access to mobile phone, information can be extracted directly from SIM card. Extraction time – 15 Min., SIM card scanner should be added to the system.
• With special hardware and software module A5/1 Decoder the interceptor works without cooperation with network operator. Item: 4001-D.
Spyphone
• The Cellular Spy Phone may look like a regular Nokia Cellular phone, however this Supertechnology goes beyond its standard capabilities. It operates as a normal cellular phone - but when the phone is called in on a special "Spy" mode (from anywhere in the world). It will automatically answer without any ringing or lights coming on and the display stays the same as if it is on a "Standby Mode". While on the "Standby mode" it will pick up the sounds nearby and transmit them back to you (the caller).
• Great for surveillance and covert operations.
Weaknesses in GSM authentication
Active attacks by network node not taken seriously
• Unilateral authentication: network not authenticated
• Session key freshness provided only by network
• “IMSI Catching”
• Encryption algorithm in use selected by BSS
• When to authenticate, or if authenticate at all, decided by the serving network
⇒ session key replay by network possible
Barkan–Biham–Keller Attack (2003)
Exploits weaknesses in cryptographic algorithms:
• A5/2 can be instantly broken…
AND other fundamental flaws in the GSM security system:
• A5/2 mandatory feature in handsets
• Call integrity based on a (weak) encryption algorithm
• The same Kc is used in different algorithms
• Attacker can force the victim MS to use the same Kc by RAND replay
Two types of attacks:
1. Decryption of encrypted call using ciphertext only
• Catch a RAND and record the call encrypted with Kc and A5/3
• Replay the RAND and tell the MS to use A5/2
• Analyse Kc from the received encrypted uplink signal
2. Call hi-jacking
• Relay RAND to victim MS and tell it to use A5/2
• Analyse Kc from the received signal encrypted by the victim MS
• Take Kc into use and insert your own call on the line
Proposed Countermeasure
Amendment to the GSM security architecture: Special RANDs
• RAND is the only variable information sent from Home to MS in the authentication
• Divide the space of all 128-bit RANDs into different classes with respect to which encryption algorithm is allowed to be used with the Kc derived from this RAND.
• 32-bit flag to indicate to the MS that a special RAND is in use
• 16 bits to indicate which algorithms out of 8 GSM (and ECSD) and 8 GPRS encryption algorithms are allowed to be used with the key derived from this special RAND
• Effective RAND reduced from 128 bits to 80 bits. Remains to be judged if acceptable.
• Special RANDs triggered by the visited network identity. Requires careful configuration in the HLR/AuC.
• Solution assumes that HLR gets the correct VLR identifier.
Lesson 4: Cryptography in UMTS
Outline:
Authentication and Key Agreement
Encryption Algorithm in UMTS
» KASUMI
» PSEUDORANDOMNESS BY CONSTRUCTION
» DISTINGUISHING ATTACKS
» NONLINEARITY IN KASUMI
KASUMI in UMTS integrity algorithm
Reference: Valtteri Niemi, Kaisa Nyberg. UMTS Security. Wiley & Sons, Chichester 2003.
[Figure: generation of UMTS authentication vectors. The VLR/SGSN sends IMSI to the AuC; the AuC computes XRES, AUTN, CK, IK from RAND, K and SQN and returns RAND, AUTN, XRES, CK, IK to the VLR/SGSN.]
[Figure: UMTS authentication and key agreement. The VLR/SGSN sends RAND, AUTN to the UE; the UE computes RES, SQN, CK, IK from RAND, K and AUTN; the UE checks whether the SQN is big enough; the UE returns RES; the VLR/SGSN checks whether RES = XRES.]
[Figure: AuC functions f1–f5. Inputs: K, AMF, SQN, RAND (the AuC generates SQN and RAND); outputs: MAC (f1), XRES (f2), CK (f3), IK (f4), AK (f5).]
Authentication function in UMTS
[Figure: MILENAGE. OPC = OP ⊕ EK(OP). RAND ⊕ OPC is passed through EK; the result is combined with SQN||AMF||SQN||AMF, with OPC and with the constants c1–c5 after rotations by r1–r5, and passed through EK again to produce f1, f1*, f2, f3, f4, f5 and f5*.]
[Figure: UMTS encryption function f8. KASUMI keyed with CK’ is applied to COUNT || BEARER || DIRECTION || 0...0; the result, combined with BLKCTR = 0, 1, 2, …, n, is encrypted by KASUMI keyed with CK to produce the keystream blocks KS[0] ... KS[63], KS[64] ... KS[127], KS[128] ... KS[191], …; CT[i] = PT[i] XOR KS[i].]
KASUMI - the first draft
[Fig. 1: KASUMI, eight rounds on a 64-bit block (32-bit halves): input P; odd rounds apply FL_i then FO_i, even rounds FO_i then FL_i, with round keys KL1, KO1, KI1, …, KL8, KO8, KI8; output C. Fig. 2: FO Function, three FI_ij rounds with keys KO_ij, KI_ij on 16-bit halves. Fig. 3: FI Function, S9 and S7 boxes with zero-extend and truncate, keys KI_ij1, KI_ij2, 9- and 7-bit halves. Fig. 4: FL Function, keys KL_i1, KL_i2, bitwise AND operation, bitwise OR operation, one bit left rotation.]
KASUMI
[Figs. 1–4: KASUMI, FO Function, FI Function and FL Function, as on the previous slide.]
Adversary model for distinguishability
Deterministic adaptive adversary with q queries
[Figure: the adversary, with memory Y0, Y1, …, Y(i-1), sends query Xi to the oracle (black box) and receives response Yi.]
X0 fixed, Y0 = F(X0), i = 1, …, q-1
Distinguisher
A perfect random family of functions {F*: Vn → Vm} is the set of all such functions, one of which is drawn uniformly at random
Remark: To code an element of the perfect random family takes m⋅2^n bits = entropy of F*
Let any set of functions {F: Vn → Vm} with a certain probability distribution be given
A distinguisher is an algorithm which takes the queries and oracle responses as input and gives 0 or 1 as output
[Figure: distinguisher with inputs X0, X1, …, X(q-1) and Y0, Y1, …, Y(q-1), output 0 or 1]
Distinguishing advantage
Advantage of an adversary using a distinguisher is defined as
ADV = | Pr(distinguisher outputs 1 | oracle implements the perfect random family {F*}) – Pr(distinguisher outputs 1 | oracle implements the given family {F}) |
Oracle first selects the set of functions, and then the function from the set according to the probability distribution.
If ADV is “small” we say that the given family {F} is indistinguishable from the perfect random family {F*}.
Luby – Rackoff (1988)
How to construct pseudorandom permutations V2n → V2n given three random functions F1*, F2*, F3*: Vn → Vn
[Figure: three-round Feistel network with round functions F1*, F2*, F3*]
pseudorandom = indistinguishable from random
also known as Feistel network, used in the DES encryption algorithm
Pseudorandomness of Kasumi
[Figure: KASUMI round structure with 16-bit and 16-bit halves, and 9-bit and 7-bit halves]
Distinguisher of three-round structure
[Figure: three-round structure with round functions F1, F2 applied to inputs (a, b) and (a’, b); the right outputs are F1(a)⊕F2(b)⊕b and F1(a’)⊕F2(b)⊕b.]
• the xor of the right outputs is independent of b!
• distinguisher makes use of four chosen plaintext pairs: (a,b) and (a’,b), (a,b’) and (a’,b’)
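The four-query distinguisher of this slide implemented in Python, as an added example that is not from the slides. It uses the round structure (L, R) → (R, F(L) ⊕ R), the MISTY-type structure of KASUMI's FO function, which is the structure that produces the slide's expression F1(a)⊕F2(b)⊕b (in this convention that half comes out on the left after the third round); the half size n = 8 and the random bijections standing in for the round functions are constructed for the demo.

```python
import random

N = 8                       # half size in bits (the argument is generic in n)
MASK = (1 << N) - 1


def random_bijection(rng):
    """A random permutation table on V_n, standing in for a bijective round function."""
    table = list(range(1 << N))
    rng.shuffle(table)
    return table


def three_round(funcs, a, b):
    """Three rounds of (L, R) -> (R, F(L) xor R) on input (a, b).
    After two rounds the right half is F1(a) xor F2(b) xor b; the third round
    moves it to the left, so element 0 of the result is that expression."""
    left, right = a, b
    for f in funcs:
        left, right = right, f[left] ^ right
    return left, right


def random_permutation_oracle(rng):
    """A random permutation of V_2n, assigned lazily at the queried points."""
    table, used = {}, set()

    def oracle(a, b):
        x = (a << N) | b
        if x not in table:
            y = rng.randrange(1 << (2 * N))
            while y in used:
                y = rng.randrange(1 << (2 * N))
            table[x] = y
            used.add(y)
        return table[x] >> N, table[x] & MASK
    return oracle


def distinguisher(oracle, a, b, a2, b2):
    """Four chosen plaintexts (a,b), (a2,b), (a,b2), (a2,b2). For the three-round
    structure the b-independent output half XORs to zero over the four queries,
    because the F1 terms cancel pairwise; for a random permutation this happens
    with probability about 2^-n. Returns True ("output 1") when the XOR is zero."""
    outs = [oracle(x, y)[0] for x, y in ((a, b), (a2, b), (a, b2), (a2, b2))]
    return outs[0] ^ outs[1] ^ outs[2] ^ outs[3] == 0


def advantage_estimate(trials=200, seed=1):
    """Fraction of trials in which the distinguisher outputs 1 against the
    three-round structure and against a random permutation; their difference
    estimates ADV from the 'Distinguishing advantage' slide."""
    rng = random.Random(seed)
    hits_real = hits_rand = 0
    for _ in range(trials):
        funcs = [random_bijection(rng) for _ in range(3)]
        perm = random_permutation_oracle(rng)
        a, a2 = rng.sample(range(1 << N), 2)
        b, b2 = rng.sample(range(1 << N), 2)
        hits_real += distinguisher(lambda x, y: three_round(funcs, x, y), a, b, a2, b2)
        hits_rand += distinguisher(perm, a, b, a2, b2)
    return hits_real / trials, hits_rand / trials
```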
[Figs. 1–4: KASUMI, FO Function, FI Function and FL Function, as on the earlier slide.]
an eight-round Feistel network
Pseudorandomness of Kasumi
• Luby – Rackoff approach allows constructions of large pseudorandom functions starting from smaller random functions.
• Distinguishing attacks are just one type (although a very general type) of cryptanalytic attacks.
• Other strong analysis methods:
• Differential cryptanalysis (Biham - Shamir 1989)
• Linear cryptanalysis (Matsui 1993)
Theorem (Nyberg-Knudsen 1993): If a function F: Vn → Vn has small differential probabilities, then the four round Feistel network V2n → V2n has small differential probabilities, and is therefore resistant against differential cryptanalysis. If F is bijective then three rounds is sufficient.
If F is bijective, then distinguishing attacks are still possible up to five rounds!
5 round Feistel network with bijective F
[Figure: five-round Feistel network with round function F; input difference (0, α) with α ≠ 0; since F is a bijection, the intermediate differences satisfy α ≠ 0 ⇒ β ≠ 0 ⇒ γ ≠ 0.]
Kasumi substitution boxes
The approach proposed by Nyberg-Knudsen (1993) is to select the small initial functions to have optimal linearity and differential properties. Kasumi functions are
x → x^81 in GF(2^7) and x → x^5 in GF(2^9)
Note: The same approach was adopted in the design of the new AES encryption standard (Rijndael) which has eight small substitution transformations defined as
x → x^-1 in GF(2^8)
Non-linearity and Correlation
Definition: Correlation of two Boolean functions f and g is defined as
$\mathrm{corr}(f,g) = 2^{-n}\left(\#\{x \mid f(x) = g(x)\} - \#\{x \mid f(x) \neq g(x)\}\right) = 2^{-n}\sum_x (-1)^{f(x) \oplus g(x)} = 2^{-n}\,\widehat{f \oplus g}(0)$
where the Walsh transform is defined as
$\hat{h}(w) = \sum_x (-1)^{h(x) \oplus w \cdot x}$
Definition: Linearity of Boolean function f is defined as $\Lambda_f = \max_w |\hat{f}(w)|$
f is said to be perfect nonlinear if $\Lambda_f = 2^{n/2}$. Then n must be even.
Nonlinearity – results and open problems
Problem: What is $\min \Lambda_f$ when f is a balanced Boolean function of n variables? It is known that $\min \Lambda_f < 2^{(n+1)/2}$, for $n \geq 29$ (Patterson-Wiedemann 1983).
Definition: Linearity of a Boolean function $V_n \to V_m$ is defined as $\Lambda_f = \max_{u,w} |\widehat{u \cdot f}(w)|$.
Theorem: If $f: V_n \to V_n$ is a bijection, then $\min \Lambda_f = 2^{(n+1)/2}$ and it can be achieved if and only if n is odd. Such f has a three-valued Walsh transform.
Examples: Functions $f: x \to x^3$, $f: x \to x^5$ and $f: x \to x^{81}$ in $GF(2^n)$ (considered as Boolean functions) have minimum linearity $2^{(n+1)/2}$, for n odd.
H. Dobbertin (1997, 1999), T. Helleseth (1998, 1999) investigated the following related problem: For which exponent d is the function $f(x) = x^d$ in $GF(2^n)$ almost perfect nonlinear?
Linearity and elliptic curve point counting
Elliptic curve $y^2 + y = bx^3 + ax$ over the field $GF(2^n)$, where n is odd. The number of points of the curve is
$= 1 + 2\,\#\{x \mid \mathrm{Tr}(bx^3 + ax) = 0\}$
$= 1 + 2\left[2^{n-1} + \tfrac{1}{2}\hat{f}(a,b)\right]$
$= 1 + 2^n \pm 2^{(n+1)/2}$ or $= 1 + 2^n$,
where $\hat{f}(a,b) = \widehat{b \cdot f}(a)$ and $f: x \to x^3$ in $GF(2^n)$.
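The Walsh transform, the linearity of the Kasumi-type power functions x^3, x^5, x^81 of the previous two slides, and the point count of this slide, as an added Python example that is not from the slides. Assumptions: GF(2^7) is represented with the primitive polynomial x^7 + x + 1, the maximum in Λ_f is taken over u ≠ 0 (the trivial component u = 0 is left out), and the curve is counted by brute force over all (x, y) so that the identity "number of points = 1 + 2^n + f^(a,b)" can be checked against it.

```python
N = 7                              # n odd, as the slides require
POLY = (1 << 7) | (1 << 1) | 1     # x^7 + x + 1 (assumption: field representation)
SIZE = 1 << N


def gf_mul(x, y):
    """Multiplication in GF(2^7) modulo POLY."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x & SIZE:
            x ^= POLY
    return r


def gf_pow(x, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, x)
        x = gf_mul(x, x)
        e >>= 1
    return r


def trace(z):
    """Tr(z) = z + z^2 + ... + z^(2^(n-1)), an element of GF(2), returned as 0 or 1."""
    s, t = z, z
    for _ in range(N - 1):
        t = gf_mul(t, t)
        s ^= t
    return s


def parity(v):
    return bin(v).count("1") & 1


def walsh(truth):
    """Walsh transform h^(w) = sum_x (-1)^(h(x) xor w.x) of a Boolean function
    given as a truth table over V_n (fast Walsh-Hadamard butterfly)."""
    w = [1 - 2 * t for t in truth]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w


def linearity(exponent):
    """Lambda_f = max over u != 0 and all w of |(u.f)^(w)| for f(x) = x^exponent,
    together with the set of values the Walsh transform takes (three-valued in
    the optimal case of the theorem)."""
    f = [gf_pow(x, exponent) for x in range(SIZE)]
    best, values = 0, set()
    for u in range(1, SIZE):
        spectrum = walsh([parity(u & f[x]) for x in range(SIZE)])
        values.update(spectrum)
        best = max(best, max(abs(v) for v in spectrum))
    return best, values


def walsh_trace(a, b):
    """f^(a,b) = sum_x (-1)^Tr(b x^3 + a x), the quantity on the slide."""
    return sum(1 - 2 * trace(gf_mul(b, gf_pow(x, 3)) ^ gf_mul(a, x)) for x in range(SIZE))


def curve_points(a, b):
    """Number of points of y^2 + y = b x^3 + a x over GF(2^7), counted directly
    over all (x, y), plus the point at infinity."""
    count = 1
    for x in range(SIZE):
        rhs = gf_mul(b, gf_pow(x, 3)) ^ gf_mul(a, x)
        count += sum(1 for y in range(SIZE) if gf_mul(y, y) ^ y == rhs)
    return count
```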
Integrity function f9
[Figure: the message, prefixed with COUNT || FRESH, is processed in 64-bit blocks MESSAGE[0] ... MESSAGE[63], MESSAGE[64] ... MESSAGE[127], …, the final message block padded with Method 2; the blocks are chained through KASUMI keyed with IK; a final KASUMI keyed with IK’ produces the output, of which the MAC is the left 32 bits.]
Conclusion
• An example of industrial cryptography presented
• Generic cryptographic principles discussed
• distinguishability and pseudorandomness
• constructions of pseudorandom functions
• nonlinearity properties
• constructions of nonlinear functions
• Design of KASUMI block cipher discussed
• based on MISTY design (Matsui, 1997)
• nonlinearity as basic design principle
• pseudorandomness for KASUMI structure proved later (2001)
• Use of KASUMI in UMTS encryption function f8 and integrity function f9 presented