Crypt Analysis of the Cellular Message Encryption Algorithm

8/7/2019 Crypt Analysis of the Cellular Message Encryption Algorithm

1/12

C r y p t a n a l y s i s o f t h e C e l l u l a r M e s s a g e E n c r y p t i o nA l g o r i t h mD a v i d W a g n e rUniversity of California, Berkeley

d a w @ c s, b e r k e l e y , e d uB r u c e S c h n e ie r J o h n K e l s e yCounterpane Systems{ s c h n e i e r , k e l s e y } 9 e r p a n e , c o m

A b s t r a c t . This paper analyzes the Telecomm unications In dus try Asso-ciation's Cellular Message Encryption Algorithm (CMEA), which is usedfor confidentiality of the contro l channel in the m os t recent A merican di-gital cellular telephony systems. We describe an attack on CMEA whichrequ ires 40-80 known plaintexts, has time com plexity ab ou t 224-232, an dfinishes in minutes or hours of computat ion on a s tandard workstat ion.This demo nst ra tes tha t CM EA is deeply f lawed.

K e yw ords : c ryp ta na lys i s , b loc k c iphe rs , c e l lu l a r t e l e phone1 I n t r o d u c t i o nA s t h e U S c e l l u l a r t e l e p h o n y i n d u s t r y h a s b o o m e d , t h e n e e d f o r s e c u r i t y h a si n c r e a s e d : b o t h f o r p r i v a c y a n d f r a u d p r e v e n t i o n . B e c a u s e a l l c e l l u l a r c o m m u -n i c a t i o n s a r e s e n t o v e r a r a d i o l i n k , a n y o n e w i t h t h e a p p r o p r i a t e r e c e i v e r c a np a s s i v e l y e a v e s d r o p o n a l l c e l l p h o n e t r a n s m i s s i o n s i n t h e a r e a w i t h o u t f e a r o fde t e c t ion . The e a r l i e s t U . S . c e l lu l a r t e l e phony sys t e ms re l i e d on the h igh c os t o fc e l lu l a r -c a pa b le re c e ive rs (o r s c a nne rs ) fo r s e c ur i ty . Whe n suc h sc a nne rs be c omea f fo rda b le a nd w ide ly a va i l ab l e , t he c e l lphone indus t ry lobb ie d fo r p ro t e c t ive l e g i s-l a ti on . B u t t he se l e ga l p roh ib i t i ons ha ve fa il e d to so lve the p rob le m , a nd sys t e m sa r c h i t e c ts h a v e b e e n f o r c e d t o t u r n i n c r ea s in g l y t o c r y p t o g r a p h y f o r m o r e r o b u s tse c ur i ty .

T h e c e l l u l a r t e l e p h o n y i n d u s t r y p l a y e r s a r e e s p e c i a l l y c o n c e r n e d w i t h f r a u dp r e v e n t i o n . T h e F C C e s t i m a t e s t h a t t h e c e l l u l a r i n d u s t r y l o s e s m o r e t h a n $ 4 0 0m i l l i o n p e r y e a r t o f r a u d [ F C C 9 7 ] . C e l l p h o n e c l o n i n g i s p r o b a b l y t h e f o r e m o s tf o r m o f t h i s p r o b l e m . B e c a u s e m o s t o f t o d a y ' s c e l l p h o n e s i d e n t i f y t h e m s e l v e sove r pub l i c r a d io l i nks by se nd ing the i r i de n t i t y i n fo rma t ion in t he c l e a r , e a ve s -d r o p p e r s c a n ( a n d d o ) e a s i l y m i s a p p r o p r i a t e o t h e r s ' i d e n t it y i n f o r m a t io n t o m a k ef ra udu le n t phone c a l l s . Whi l e t he l a t e s t d ig i t a l c e l lphone s c u r re n t ly o f fe r somew e a k p r o t e c t i o n a g a i n s t c a s u a l e a v e s d r o p p e r s b e c a u s e d i g i t a l t e c h n o l o ~ y i s s on e w t h a t i n e x p e n s iv e d i g i ta l s c a n n e r s h a v e n o t y e t b e c o m e w i d e ly a v a il a bl e , t h ep r e s i d e n t o f t h e C e l l u l a r T e l e c o m m u n i c a t i o n s I n d u s t r y A s s o c i a t i o n t e s t i f i e d i nre c e n t Congre s s iona l he a r ings [Whe 97] t ha t " h i s to ry w i l l l i ke ly re pe a t i t s e l f a sd ig i t a l s c a nne rs a nd de c ode rs , t hou gh e x pe ns ive now , d rop in p r i c e i n the fu tu re . "C r y p t o g r a p h i c m e c h a n i s m s a r e o n e o b v i o u s w a y t o c o m b a t c lo n i n g f r a u d , a n di n d e e d , t h e i n d u s t r y i s t u r n i n g t o c r y p t o g r a p h y f o r p r o t e c t i o n . I n 1 9 9 2 , t h e T R -4 5 w o r k i n g g r o u p w i t h i n t h e T e l e c o m m u n i c a t i o n s I n d u s t r y A s s o c i a t i o n ( T I A )


2/12

527

developed a standard for integration of cryptographic technology into tomor-row's digital cellular systems [TIA92], which has been updated at least once[TIA95]. Some of the most recent cellphones to hit the market already includethese cryptographic protection mechanisms [Nok96].The TIA standard [TIA95] describes four cryptographic primitives for use inNorth American digital cellular systems:- CAVE, a mixing function, is intended for challenge-response authenticationprotocols and for key generation.- A repeated xoR mask is applied to voice data for voice privacy1.- ORYX, a LSFR-based stream cipher intended for wireless data services.- CMEA (Control Message Encryption Algorithm), a simple block cipher, isused to encrypt the control channel [Ree91].

The voice privacy algorithms has long been known to be insecure [Bar92, CFP93].Recent work by the authors has shown that ORYX is insecure as well [WSK97].This paper focuses on the security of CMEA.Note that CMEA is not used to protect voice communications. Instead, itis intended to protect sensitive control data, such as the digits dialed by thecellphone user. A successful break of CMEA might reveal user calling patterns.Also sent CMEA-encrypted are digits dialed (all DTMF tones) by the remoteendpoint and alphanumeric personal pages recieved by the cellphone user. Fi-nally, compromise of the control channel contents could lead to any confidentialdata the user types on the keypad: calling card PIN numbers may be an espe-cially widespread concern, and credit card numbers, bank account numbers, andvoicemall PIN numbers are also at risk.This paper is organized as follows. We describe CMEA in Section 2 for refer-ence. Next, Section 3 lists some observations that form a foundation for our lateranalysis. Then we give effective chosen- and known-plaintext attacks on CMEAin Sections 4 and 5. Finally, Section 6 concludes.

2 A d e s c r i p t io n o f C M E AWe describe the CMEA specification fully here for reference. CMEA is a byte-oriented variable-width block cipher with a 64 bit key. Block sizes may beany number of bytes; in practice, US cellular telephony systems typically ap-ply CMEA to 2-6 byte blocks, with the block size potentially varying withoutany key changes. CMEA is quite simple, and appears to be optimized for 8-bitmicroprocessors with severe resource limitations.CMEA consists of three layers. The first layer performs one non-linear passon the block; this effects left-to-right diffusion. The second layer is a purely linear,unkeyed operation intended to make changes propagate in the opposite direction.1 The situation is more complicated: time-division multiple access (TDMA) systems usea straight XOR mask, while code-division multiple access (CDMA) systems insteaduse keyed spread spectrum techniques for security.


3/12

528

One can think of the second step as (roughly speaking) xoRing the right half ofthe block onto the left half. The third layer performs a final non-linear pass onthe block from left to right; in fact, it is the inverse of the first layer.CMEA obtains the non-linearity in the first and third layer from a 8-bit keyedlookup table known as the T-box. The T-box calculates its 8-bit output asT ( x ) = C ( ( ( C ( ( ( C ( ( ( C ( ( x ~ g o ) + gl) + x) $ g2) +/(3) + x) $ g4) +/(5)

+=) ~ Ks) + KT) + =given input byte x and 8-byte key Ko...7. In this equation C is an unkeyed 8-bitlookup table known as the CaveTable; all operations are performed using 8-bitarithmetic. The CaveTable is given in Figure i,

We now provide a specification of CMEA. The algorithm encrypts a n-bytemessage Po....., - i to a ciphertext Co.....,-1 under the key Ko...7 as follows:

yo~-0for i +- 0 , . . . ,n- 1

P~ +- P~ + T (y i 9 i)Yi+l ~ Yi + P[

f o r i ~ - 0 , . . . , L ~ J - 1P~" < - P " 9 (P~_~_~ v 1 )z0 +--0for i~0 , . . . , n -1

Z i+ l ~._ Zi .~_ p~tc ~ ~ p " - T ( z ~ 9 i)

Here all operations are byte-wide arithmetic: + and - are addition and subtrac-tion modulo 256, $ stands for a logical bitwise exclusive or, V represents a logicalbitwise or, and the keyed T function is as described previously.CMEA is specified in [TIA92, TIA95]; it is also described in U.S. Patent5,159,634 [Ree91], though a different T-box method is listed.

3 P r e l i m i n a r i e sFirst, we list some preliminary observations:

- CMEA is it's own inverse. In other words, every key is a "weak key" (inthe strict sense, from the DES nomenclature, of being self-inverse). This wasapparently originally a design goal, for unknown reasons.- CMEA is typically used to encrypt short blocks. Because the cellular tele-phony specification does not use random IVs, does not use block chainingmodes, and encrypts short blocks under CMEA, codebook attacks could bea threat. On the other hand, the cellphone specifications require the CMEAkey to be re-derived (using CAVE as a pseudo-random generator) for every


4/12

h i \ I ~

0.1.2 .3 .4 .5 .6 .7.8 .9 .a .b.C.d.e .f .

5 2 9

Fig. 1. The CaveTable.0.1 .2 .3 .4 .5 .6 .7 .8 .9.a .b.c.d.e.fd 9 2 3 5 f e 6 c a 6 8 9 7 bO 7 b f 2 0 c 3 4 1 1 a 5 8 d 4 eO a 4 6 7 7 8 d 1 0 9 f 5 e 6 2 f l 3 4 e c a 5 c 9 b 3 d 8 2 b5 9 4 7 e 3 d 2 f f a e 6 4 c a 1 5 8 b 7 d 3 8 2 1 b c 9 6 O 04 9 5 6 2 3 1 5 9 7 e 4 c b 6 f f 2 7 0 3 c 8 8 b a d l O d a ee 2 3 8 b a 4 4 9 f 8 3 5 d l c d e a b c 7 6 5 f l 7 6 0 9 2 08 6 b d O a f l 3 c a 7 2 9 9 3 c b 4 5 5 f e 8 1 0 7 4 6 2 d eb 8 7 7 8 0 d l 1 2 2 6 a c 6 d e 9 c f f 3 5 4 3 a Ob 9 5 4 eb l 3 0 a 4 9 6 f 8 5 7 4 9 8 e 0 5 I f 6 2 7 c c 3 2 b d a e db b 8 6 O d 7 a 9 7 1 3 6 c 4 e 5 1 3 0 e 5 f2 2f d 8 c 4 a 99 1 7 6 f O 1 7 4 3 3 8 2 9 8 4 a 2 d b e f 6 5 5 e c a O d b ce 7 f a d 8 8 1 6 f O 0 1 4 4 2 2 5 7 c 5 d c 9 9 e b 6 3 3 a b5 a 6 f 9 b d9 f e 7 1 4 4 c 5 3 7 a 2 8 8 2 d O0 b 6 1 3 e c4 e 9 6 a 8 5 a b5 d7 c 3 8 d 3 f f 2 e c 0 4 6 0 7 1 l b 2 90 4 7 9 e 3 c 7 l b 6 6 8 1 4 a 2 5 9 d d c 5 f 3 e b O f 8 a 29 1 3 4 f 6 5 c 6 7 8 9 7 3 0 5 2 2 a a c b e e b f 1 8 d O 4 df 5 3 6 a e 0 1 2 :f 9 4 c 3 4 9 8 b b d 5 8 1 2 eO 7 7 6 c d a

call, so the amount of text required for a codebook attack may often be un-available. (In a codebook attack, one obtains the encryption of every possibleplaintext, records those pairs in a lookup table, and uses it to completelydecrypt future messages without needing to know the key.)J. Hillyard [Hi197] has noted that codebook attacks may still be possible inpractice. In some contexts, each digit dialed will be encrypted in a separateCMEA block (with fixed padding); because CMEA is used in ECB mode,the result is a simple substitution cipher on the digits 0-9. Techniques fromclassical cryptography may well suffice to recover useful information aboutthe dialed digits, especially when side information is available.

- One bit of the plaintext leaks. The LSB (least-significant bit) of the ciphertextis the complement of the LSB of the plaintext.- The T-box has some key equivalence classes. Simultaneously complementingthe MSB (most significant bit) of Ko and K1 leaves the action of the T-boxunchanged; the same holds for K2i and g 2 i - t - 1 for i = 0, 1, 2, 3. Therefore forthe rest of the paper we take the MSBs of K0, K2, K4, and K6 to all be 0,without loss of generality, and we see tha t the effective key length of CMEAis at most 60 bits.- Recovering the value of all 256 of the T-box entries suffices to break CMEA,

even if the key K0...7 is never recovered.- The value of T(0) occupies a position of special importance. T(0) is alwaysused to obtain Co from P0; one cannot trivially predict where other T-boxentries are likely to be used. Knowing T(0) lets one learn the inputs to theT-box lookups tha t modify the second byte in the message.


5/12

530

- T h e C a v e T a b l e h a s a v e r y sk e w e d s ta t i s t i c a l d i s t r ib u t i o n . I t is n o t a p e r m u t a -t io n ; 9 2 o f t h e 2 5 6 p o s s ib l e 8 - b i t v a lu e s n e v e r a p p e a r ; s o m e v a l u e s a p p e a r a sm a n y a s f o u r ti m e s . T h e d i s t r i b u t i o n a p p e a r s t o b e c o n s is t e n t w i t h t h a t o f ar a n d o m f u n c t i o n .T h e s k ew i n th e C a v e T a b l e m e a n s t h a t t h e T - b o x v a l u es a r e s k ew e d , to o : w ek n o w T ( i ) - i m u s t a p p e a r i n t h e C a v e T a b l e , s o f o r a n y i n p u t t o t h e T - b o x ,w e c a n i m m e d i a t e l y r u l e o u t 9 2 p o s s i b i l i t i e s f o r t h e c o r r e s p o n d i n g T - b o xo u t p u t w i t h o u t n e e d i n g a n y k n o w l ed g e o f t h e C M E A k ey .

3 . 1 A c h o s e n - p l a i n t e x t a t t a c kC M E A i s w e a k a g a i n s t c h o s e n - p l a i n t e x t a t t a c k s : o n e c a n r e c o v e r al l o f t h e T -b o x e n t r i e s w i t h a b o u t 3 3 8 c h o s e n t e x t s ( o n a v e r a g e ) a n d v e r y l i t t l e w o r k . T h i sa t t a c k w o r k s o n a n y f i x e d b l o c k l e n g t h n > 2 ; t h e a t t a c k e r i s n o t a s s u m e d t oh a v e c o n t r o l o v e r n . W e h a v e i m p l e m e n t e d t h e a t t a c k t o e m p i r i c a l l y v e r i f y i t fo rc o r r e c t n e s s ; t h e a t t a c k i s e x t r e m e l y s u c c e s s f u l in o u r t e s t s 2 .

T h e a t t a c k p r o c e e d s i n t w o s t a g e s , f i r s t r e c o v e r i n g T ( 0 ) , a n d t h e n r e c o v e r i n gt h e r e m a i n d e r o f t h e T - b o x e n t r i e s ; t h e C M E A k e y i t s e l f i s n e v e r i d e n t i f i e d .F i r s t , o n e l e a r n s T ( 0 ) w i t h ( 2 56 - 9 2 ) / 2 = 8 2 c h o s e n p l a i n t e x t s ( o n a v e r a g e ) .F o r e a c h g u e s s x a t t h e v a l u e o f T ( 0 ) , o b t a i n t h e e n c r y p t i o n o f t h e m e s s a g eP = (1 - x , 1 - x , 1 - x , . . . ) , e .g . t h e m e s s a g e P w h e r e e a c h b y t e h a s t h e v a l u e1 - x ; i f t h e r e s u l t is o f t h e f o r m C = ( - x , . . . ) t h e n w e c a n c o n c l u d e w i t hh i g h p r o b a b i l i t y t h a t i n d e e d T ( 0 ) = x . F a l se a l a r m s o c c a s i o n a l l y o c c u r , b u t t h e yc a n b e r u l e d o u t q u i c k l y i n t h e s e c o n d p h a s e b e c a u s e o f t h e s k e w e d C a v e T a b l ed i s t r i b u t i o n . N o t e t h a t t h e r e a r e o n l y 2 56 - 9 2 - - 1 64 p o s s ib l e v a l u e s o f T ( 0 ) ,s in c e T ( 0 ) m u s t a p p e a r i n th e C a v e T a b l e , a n d t h e r e f o r e w e e x p e c t t o i d e n ti f y t h ec o r r e c t v a l u e a f t e r a b o u t 1 6 4 / 2 - - 8 2 tr i a ls , o n a v e r a g e .

I n t h e s e c o n d p h a s e o f t h e a t t a c k , o n e l e a r n s a l l o f t h e r e m a i n i n g T - b o x e n t r i e sw i t h 2 5 6 m o r e c h o s e n p l a i n t e x t s . F o r e a c h b y t e j , t o l e a r n t h e v a l u e o f T ( / ) . l e tk - - ( ( n - 1 ) ( 9 j ) - ( n - 2 ) , w h e r e t h e d e s i r e d b l o c k s a r e n b y t e s l o n g . O i~, " (~hee n c r y p t i o n o f t h e m e s s a g e P - - (1 - T ( O ) , 1 - T ( O ) , . . . , 1 - T ( O ) , k - T ( O ) , ~ ) ; i ft h e re s u l t is o f t h e f o r m C = ( t - T ( 0 ) , . . . ) , t h e n w e m a y c o n c l u d e t h a t T ( j ) = t ,e x c e p t f o r a p o s s i b le e r r o r in t h e L S B . A m o r e s o p h i s t i c a t e d a n a l y s i s c a n r e s o l v et h e u n c e r t a i n t y i n t h e L S B o f t h e T - b o x e n t r ie s , a

I n p r a c t i c e , c h o s e n - p l a i n t e x t q u e r i e s m a y b e a v a i l a b l e i n s o m e s p e c i a l s i t u -a t i o n s . S u p p o s e t h e t a r g e t e d c e l l p h o n e u s e r c a n b e p e r s u a d e d t o a c a l l a p h o n e2 M . B a n n e r t h a s i n d e p e n d e n t i m p l e m e n t e d o u r a t ta c k , a n d a ls o r e p o r t s s u c c e ss[ Ba n9 7] ; h i s m a n u s c r i p t a l s o d o c u m e n t s s o m e a s p e c t s o f t h e c h o s e n - p l a i n t e x t a t t a c ki n g r e a t e r d e t a i l t h a n i s p o s s i b l e here.3 U s e t h e s k e w e d C a v e T a b l e to r e d u c e t h e n u m b e r o f a m b i g u o u s C a v e T a b l e e n tr i e s t o1 6 4 p o s s i b i l i t i e s . N o w f o r e a c h k n o w n t e x t o b t a i n e d i n t h e s e c o n d p h a s e , w e k n o wb o t h t h e i n p u t P " a n d t h e o u t p u t C t o t h e t h i r d C M E A l a y e r ; s i m u l a t e t h a t l a y e rw i t h o u t t h e d e r i v e d T - b o x v a l u e s , u s i n g t r i a l - a n d - e r r o r f o r e a c h a m b i g u o u s T - b o xva lue : o n e n e e d s a t m o s t 2 n t r i a l s p e r t e x t ( a n d i n p r a c t i c e f a r f e w e r) , a n d w r o n gt r i a l s a r e q u i c k l y e l im i n a t e d .


6/12

53 1

number under the attacker's cont rol--perhaps a menuized survey, answering ma-chine, or operator. The phone message the user receives might prompt the user toenter digits (chosen in advance by the attacker), thus silently enabling a chosen-plaintext attack on CMEA. Alternatively, the phone message might send chosenDTMF tones to the targetted cellphone user, thus mounting chosen-plaintextqueries at will.

4 A k n o w n - p l a i n t e x t a t t a c k o n 3 - b y t e b l o c k sWe now describe a known plaintext attack on CMEA needing about 40-80 knowntexts. The attack assumes that each known plaintext is enciphered with a 3-byteblock width. Our (unoptimized) implementation has a time complexity of 224 to232, and can be easily parallelized.Our cryptanalysis has two phases. The first phase gathers information aboutthe T-box entries from the known CMEA encryptions, eliminating many possib-ilities for the values of each T-box output. In this way we reduce the problemto that of cryptanalysis of the T-box algorithm, given some partial informationabout T-box input/output pairs. In the second phase, we take advantage of thestatistical biases in the CaveTable to cryptanalyze the T-box and recover theCMEA key K0...7, using pruned search and meet-in-the-middle techniques toenhance performance.

The first phase is implemented as follows. Because T(0) occupies a positionof special importance, we exhaustively search over the 164 possibilities for T(0).(Remember that T(0) must appear in the CaveTable, and so there are only 25 6-92 = 164 possibilities for it.) For each guess at T(0), we set up a 256 x 256array Pi,j which records for each i , j whether T ( i ) = j is possible. All values forT ( i ) , i > 0 are initially listed as possible. Since T ( i ) - i is a CaveTable outputand the CaveTable has an uneven distribution, we can immediately rule out 92values for T ( i ) .Next, we gradually eliminate impossible values using the known texts as fol-lows. The general idea is that each known plaintext/ciphertext pair lets us es-tablish several implications of the form

T ( O ) = t o , T ( i ) = j =~ T ( i ' ) = j ' . (1)If we have already eliminated T(i ') = j ' as impossible, then we can concludethat T ( i ) = j is also impossible via the contrapositive of (1). In this way, wesuccessively rule out more and more possibilities in the Pi,j array, until we eitherreach a contradiction (in which case we start over with another guess at T(0))or until we run out of logical deductions to make (in which case we proceed tothe second phase).The second phase recovers the CMEA key from the information about Tpreviously accumulated in the Pi,j array. Our simplest key recovery algorithmis based on pruned search. First, one guesses K6 and Kr. Then, we peel off theeffect of the last 1/4 of the T-box, and check whether the intermediate valueis a possible CaveTable output. The intermediate value must always be one of


7/12

532

the 164 possible CaveTable outputs when we find the correct K6, KT; becausethe CaveTable is so heavily skewed, incorrect K 6 , K 7 guesses will usually bequickly identified by this test, if we have knowledge about a number of T-boxentries. Next, one continues by guessing K4,/(5, pruning the search as before,and continuing the pruned search until the entire key is recovered. This techniqueis very effective if enough information is available in the Pi,j array.Unfortunately, pruned search very quickly becomes extremely computation-ally intensive if too few known texts are available: at each stage, too many can-didates survive the pruning, and the search complexity grows exponentially. Wehave a more sophisticated key recovery algorithm which can reduce the compu-tation workload dramatically in these instances. The basic idea is that the T-boxis subject to a classic meet-in-the-middle optimization: one can work halfwaythrough the T-box given only K0...3, and one can work backwards up to themiddle given just K4...7. This enables us to precompute a lookup table that con-tains the intermediate value corresponding to each K0...3 value. Then, we tryeach possible K4...7 value, work backwards through some known T-box outputs,and look for a match in the precomputed lookup table. Of course the searchpruning techniques can be applied to K4...7 to further reduce the complexity ofthe meet-in-the-middle algorithm. The combination of pruned search and meet-in-the-middle cryptanalysis allows us to efficiently recover the entire CMEA keywith as few as 40-80 known plaintexts.

4 . 1 T h e f i r s t p h a s e : m o r e d e t a i l sWe describe how to derive implications of the form (1) from some known CMEAencryptions for the first phase. Knowing T(0) lets us recover (for each plain-tex t/c iphertext pair P, C) yl, zl and thus we learn the inputs to the two T-boxeslookups used to modify C1. We make a guess (e.g. T ( i ) = j ) about the output ofthe first aforementioned T-box lookup. We can derive the (implied) output of thesecond T-box lookup by using the known text pair. Then we deduce the (implied)values of Y2, z2 and thus the inputs to the two T-box lookups used to modify C2.Next we derive the quantity xoRed into Co in the second CMEA layer, whichlets us calculate the (implied) outputs of the two T-box lookups that modify C24.Therefore our assumption T ( i ) = j implies three other derived equations of theform T ( i ' ) = jl; if any of those three derived input/output pairs r is listedas impossible in pi , j , , then we have found a contradiction, and we may concludethat our original assumption was wrong--namely, that the assumed value of theT-box entry was in fact impossible, and that value may be marked as impossiblein P i j .In this way, we can gradually rule out many entries Pi,j as impossible. Weloop over all i , j and all known texts, until no more deductions can be made.If our guess at T(0) was incorrect, then there will probably be a T-box input4 T h e t r u e s it u a t i o n i s s l ig h t ly m o r e c o m p l i c a te d . T h e L S B r e m a i n s u n k n o w n , s o w e

h a v e t o t r y t w o p o s s i b i l i t i e s ; o n l y i f b o t h p o s s i b i l i t i e s l e a d t o a c o n t r a d i c t i o n c a n w er u l e o u t t h e e q u a t i o n T ( i ) = j a s i m p o s s i b l e .


8/12

533

f o r w h i c h n o p o s s i b l e o u t p u t v a l u e s r e m a i n , a n d i n t h i s c a s e w e w i l l b e a b l e t od i s c a r d o u r i n c o r r e c t g u e s s a t T ( 0 ) . O t h e r w i s e , w e t e n t a t i v e l y c o n c l u d e t h a t o u rg u e s s a t T ( 0 ) w a s c o r r e c t , a n d w e c a n u s u a l l y i d e n t i f y s e v e r a l o t h e r k n o w n T -b o x i n p u t / o u t p u t p a ir s ; w i t h t h is i n f o r m a t i o n i n ha n d , w e p r o c e e d t o t h e s e c o n dp h a s e . T y p i c a l l y t h e f i rs t p h a s e w i ll id e n t i f y T ( 0 ) u n i q u e l y w h e n s u f fi c ie n t ly m a n yk n o w n p l a i n t e x t s ( a b o u t 5 0 o r m o r e ) a r e a v a il ab le S ; if m o r e p o s s ib i li t ie s f o r T ( 0 )a r e f o u n d , t h e s e c o n d p h a s e w i l l b e i n v o k e d f o r s u c h p o s s i b i l i t y .4 .2 T h e s e c o n d p h a s e : m o r e d e t a i l sF i r s t , w e d e s c r i b e h o w t o p r u n e k e y t r i a ls d u r i n g t h e k e y r e c o v e r y s e a r c h . N o t et h a t a T - b o x o u t p u t is o f t h e f o rm

T ( i ) = C( ( (O + i ) ( 9 K 6 ) + K T ) + if o r s o m e u n k n o w n C a v e T a b l e o u t p u t O . W e c a n c a l c u la t e j = C ( ( ( O + i ) @K 6 ) + K T ) + i fo r a ll C a v e T a b l e o u t p u t s a n d c h e c k w h e t h e r e a c h s u c h j i s l i s t e da s p o s s i b l e i n P i j ; i f e v e r y s u c h j i s l i s t e d a s i m p o s s i b l e , t h e n w e c a n r e c o g n i z eo u r g u e s s a t K ~ , / ( 7 a s in c o r r e c t . B e c a u s e th e r e a r e o n l y 1 64 p o s s i b le C a v e T a b l eo u t p u t s , i n c o r r e c t g u e s s e s a t K ~ , / ( 7 w i l l u s u a l l y b e r u l e d o u t b y s o m e i a s l o n ga s t h e r e i s e n o u g h i n f o r m a t i o n in t h e P i j a r ra y . T h e s e i n c o r r e c t g u e s se s a t / ( 6 , / ( 7c a n t h u s b e p r u n e d f r o m t h e s e a r c h t r e e w i t h o u t a n y f u r t h e r w o r k .

N e x t , w e g i v e s o m e m o r e d e t a i l s o n t h e m e e t - i n - t h e - m i d d l e a p p r o a c h . T h i sa p p r o a c h i s o n l y a p p li c a b le w h e n w e h a v e e n o u g h k n o w n p l a i n t e x t s t o i d e n t i f y 4k n o w n T - b o x i n p u t / o u t p u t v a lu e s ( a, T ( a ) ), ( b , T ( b ) ) , ( c, T ( c) ) , ( d , T ( d ) ) f r o m t h eP i j a r r a y . F o r e a c h K 0 , K 1 , K 2 , w e c o m p u t e t h e i n t e r m e d i a t e v a l u es a ' , bI, c ' , d If o r m e d a f t e r c o m p u t i n g T t h r o u g h t h e k n o w n k e y b y t es ; f or e x a m p l e , a I = C( (a @K o ) + K 1 ) + a ) ( g K 2 . N e x t w e f o r m t h e 2 4 - b i t i n d e x n = ( a ' - d ' , b ~ - d ' , c ' - d t ) , a n di n s e r t t h e p a i r ( n , K 0 . . . 2 ) i n t o a l a r g e h a s h t a b l e k e y e d o n n . A f t e r r e p e a t i n g f o ra l l 2 2 2 p o s s i b l e K o . . . 2 v a l u e s , w e h a v e b u i l t a p r e c o m p u t e d l o o k u p t a b l e s u i t a b l ef o r u s e i n t h e m e e t - i n - t h e - m i d d l e o p t i m i z a t i o n . T o c h e c k a t r i a l K 4 . . . 7 v a l u e , w ew o r k b a c k w a r d s f r o m T ( a ) , T ( b ) , T ( c ) , T ( d ) a s f a r p o s s i b l e g i v e n o n l y K 4 . ..7 a n di d e n t i f y th e i n t e r m e d i a t e v a l u e s a " , b ", c " , d " . T h e i n t e r m e d i a t e v a l u e s r e f l e c t t h ev a lu e s o f t h e T - b o x c o m p u t a t io n s j u s t a f t e r a d d it i o n o f K 3 : f o r e x a m p l e ,

C( ( (C ( ( ( C( a " ) + a ) (B / ( 4 ) + K 5 ) + a ) (9 K6 ) + K T) + a = T(a) .W e s e e t h a t a " c a n b e i d e n ti f ie d f r o m a , T(a ) b y w o r k in g b a c k w a r d s t h r o u g h t h eT - b o x c o m p u t a t i o n a n d i n v e rt in g t h e C a v e T a b l e w h e r e n e c e s s a r y 6, a n d b " , c " , d "5 T he d ens i ty o fp . ,, a f t e r a ll deduc t ions tu rn s o u t to b e a poo r es t imato r fo r success . Fo ra n y f i x e d n u m b e r o f k n o wn t e x t s , t h e d e n s i t y s e e m s t o b e q u i t e c o n s t a n t - -h o v e r i n garound 0 .5 fo r 40 tex t s and a round 0 .35 fo r 80 tex t s - -and var ia t ions don ' t s eem to

be v ery s t rong ly co r re la ted to success in e i ther phase o f the a t t ack .6 Coll is ions in the C aveT able ma y cause m ult ip le poss ib i l it ies for a " , b " , c " , d " t o b eiden t i f i ed ; we s imply search th rough them a l l exhaus t ive ly . On the o ther hand , be-cause some ou tpu ts never appear in the CaveTab le , somet imes no poss ib i l i t i es wi l lbe iden t i f i ed , wh ich le t s u s immedia te ly p rune away K4 . . .7 . In p rac t ice , the numberof possibili t ies is usually small .


9/12

534

c a n b e f o u n d s i m i la r ly . T h e n w e fo r m t h e 2 4 - b i t in d e x m = ( a ' - d ' , b ' - d ' , c ' -d ' ) , s e a r c h i n t h e p r e c o m p u t e d h a s h t a b l e f o r a m a t c h i n g e n t r y ( n , K 0 ...2 ) w i t hn - -- m , a n d u s e t r i a l e n c r y p t i o n t o c h e c k t h e r e s u l t i n g K 0 ...7 v a l u e . N o t e t h a t i fo u r g u e s s a t K 4 ...7 w a s c o r r e c t , w e h a v e a " = a ~ + K 3 e t c . , s o t h a t t h e c o r r e c tv a l u e o f K 0...2 w i ll s h o w u p i n o u r s e a r c h o f t h e p r e c o m p u t e d h a s h t a b l e a n d t h ec o r r e c t v a l u e o f K 3 c a n b e d e r i v e d a s a " - a~; t h i s e n s u r e s t h a t w e w i ll i d e n t i f yK0 . .. v c o r r e c t l y .

P r u n e d s e a r c h l e ts u s d r a m a t i c a l l y r e d u c e th e n u m b e r o f k e y c a n d i d a te s t r i e d ,i f t h e r e is e n o u g h i n f o r m a t i o n i n t h e p .,. a r r a y . T h e m e e t - i n - t h e - m i d d l e o p t i m i z -a t i o n i s a t i m e - s p a c e t r a d e o f f t h a t f u r t h e r r e d u c e s t h e c o m p u t a t i o n a l w o r k l o a dw h e n 4 k n o w n T - b o x i n p u t / o u t p u t v a lu e s a r e a v ai la b le . C o m b i n i n g t h e t w o a p -p r o a c h e s y i e l d s a k e y r e c o v e r y a l g o r i t h m f o r t h e s e c o n d p h a s e t h a t i s v e r y e f -f ic ie n t o n a s t a n d a r d 1 00 M H z P e n t i u m w i t h 4 0 M b o f m e m o r y . F u r t h e r m o r e ,t h e s e a r c h a l g o r i t h m c a n e a s i l y b e p a r a l l e l i z e d f o r e v e n g r e a t e r p e r f o r m a n c e i fn e c e ss a r y. N o t e t h a t w e m a k e h e a v y u s e o f t h e n o n - u n i f o r m o u t p u t d i s t r ib u t i o no f t h e C a v e T a b l e , a n d t h e s e a n a l y s is t e c h n i q u e s w o u l d n o t w o r k if t h e C a v e T a b l ew e r e u n b i a s e d .

4 . 3 D i s c u s s i o nT h i s k n o w n p l a i n t e x t a t t a c k i s m u c h m o r e d e v a s t a t i n g t h a n t h e c h o s e n p l a i n t e x ta t t a c k d e s c r i b e d i n S e c t i o n 3 .1 . C h o s e n p l a i n t e x t m a y b e d i f fi c u lt t o o b t a i n i np r a c t i c e , b u t k n o w n p l a i n t e x t i s l ik e ly t o b e m u c h e a s i e r t o a c q u i r e .

T h e r e a r e a n u m b e r o f r e a li s ti c w a y s t h a t t h e r e q u i r e d k n o w n p l a i n t e x t c a nb e c o l l e c t e d i n p r a c t i c e . D i a l e d d i g i t s a r e t y p i c a l l y C M E A - e n c r y p t e d w i t h 3 -b y t e b l o c k s ; t y p i c a l l y e a c h b l o c k w i l l c o n t a i n o n l y o n e d i g i t , a n d o f t e n t h e t e l e -p h o n e n u m b e r d i a l e d w i l l b e k n o w n . D T M F t o n e s s e n t o n t h e l i n e w i l l u s u a l l yb e C M E A - e n c r y p t e d . I f t h e u se r c a n b e p e r s u a d e d t o d ia l a n u m b e r u n d e r a d -v e r s a r i a l c o n t r o l, u s i n g t h e i r c a ll in g c a r d , t h e n t h e D T M F t o n e s a n d u s e r - d i a l e dd i g it s w i ll b e k n o w n t o t h e a t t a c k e r , p r o v i d i n g a r e a d y s o u r c e o f k n o w n p l a i n t e x t ;a f t e r r e c o v e r in g t h e C M E A k e y in a k n o w n - p l a i n t e x t a t ta c k , t h e a t t a c k e r c o u l dd e c r y p t t h e c a l li n g c a r d n u m b e r a n d m a k e f a l s e ca ll s b i ll e d to t h e v i c t i m ' s n a m e .F u r t h e r m o r e , a l p h a n u m e r i c p a g e s s e n t t o c e l l u l a r p h o n e s a r e b e c o m i n g i n c r e a s -i n g l y c o m m o n , a n d a l p h a n u m e r i c p a g e s a r e s e n t o v e r t h e c o n t r o l c h a n n e l . T h e s ep a g e s m a y h a v e a l a r g e k n o w n c o m p o n e n t , w h i ch w i ll p r o v id e s o m e k n o w n p l ai n -t e x t . I t s h o u l d b e c l e a r t h a t k n o w n p l a i n t e x t m a y b e a v a i l a b l e f r o m a n u m b e r o fp o t e n t i a l s o u r c e s .

I n t h i s s e c t i o n , w e h a v e d i s c u s s e d c r y p t a n a l y s i s o f C M E A w i t h 3 - b y t e b l o c kw i d t h s . A b l o c k w i d t h o f 3 b y t e s i s a n a t u r a l c h o ic e t o e x a m i n e . K n o w n p l a i n -t e x t w i t h 3 - b y t e b l o c k w i d t h s i s o f t e n r e a d i l y a v a i l a b l e i n p r a c t i c e ; f o r i n s t a n c e ,d i a l e d d i g i t s a r e t y p i c a l l y e n c r y p t e d a n d t r a n s m i t t e d u s i n g 3 - b y t e b l o c k w i d t h si n n e a r l y a l l d i g i t a l c e l l u l a r a r c h i t e c t u r e s . M o r e o v e r , C M E A a p p e a r s t o b e e a s i -e s t t o a n a l y z e f o r s h o r t b l o c k w i d t h s , a n d m o s t c e l l u l a r s t a n d a r d s a v o i d b l o c kw i d t h s s h o r t e r t h a n 3 b y t e s 7. T h e r e f o r e , 3 - b y t e b l oc k s a r e a g o o d i n d i c a t o r o f t h e7 IS-95 i s a no tab le excep t ion ; see Sec t ion 5 fo r a be t te r a t t ack on the 2 -by te b lockwi d t hs t h a t a r e u s e d i n so m e IS -9 5 m e s s a g e s .


10/12

535strength of CMEA as used in phone systems; by giving a known-plaintext attackon CMEA with 3-byte blocks, we show that the control channel is not protectedadequately in nearly all of the North American digital cellular phone systems.

5 A k n o w n - p l a i n t e x t a t t a c k o n 2 - b y t e b l o c k sWe saw above that CMEA is insecure when used with a 3-byte block width;now we show that the situation is even worse for 2-byte blocks. In this section,we present an attack on CMEA needing just 4 known plaintexts when 2-byteblocks are in use. Most cellular standards avoid using CMEA with 2-byte blocks.However, this is not just a theoretical attack: a few cellular systems, such as IS-95(CDMA), do apply CMEA with a 2-byte block width to protect dialed digits,and they will be vulnerable to the improved attack.The known-plaintext attack on 2-byte blocks follows immediately from ourearlier discussion. First, we guess T(0); that lets us recover 4 more T-box valuesfrom the first two known texts. (There is no need for a stage corresponding tothe first phase of the attack on 3-byte blocks, as we can trivially derive 4 knowninput/ output pairs for the T-box from the known texts.) With those known T-box input /output pairs, we perform a pruned meet-in-the-middle search to derivea number of possibilities for the full CMEA key, as described in Section 4.2. Thecorrect CMEA key can be quickly recognized by trial decryption. The prunedmeet-in-the-middle search has work factor 224-232 , and we will need to do about30 iterations of the search to handle each of the possibilities for T(0). In sum,this at tack requires just 4 known 2-byte plaintexts and has time complexity about229_237"

In fact, the plaintext requirements can be reduced even further, to just twoknown 2-byte plaintexts and some extra ciphertexts. We don't need to knowthe decryption of the extra ciphertexts: the extra ciphertexts must merely beenough to information-theoretically determine the CMEA key, so that all incor-rect key trials can be recognized and discarded. Note the plaintext often containsredundancy--for instance, when it contains dialed digits, there are only 10 pos-sible values for each nibble, and often much of the input is a public fixed value soin practice obtaining the necessary extra ciphertexts should be very easy.

6 C o n c l u s i o n sWe have presented several attacks on CMEA, and some of them may be real-istically exploitable in practice. We described several possible ways to obtainknown plaintext information. One attack that applies to nearly all North Amer-ican digital cellular standards needs about 40-80 known plaintexts; that manyknown texts may be available in some situations, although availability is likelyto depend on subtleties of the cellular phone system implementation. Though i tdoes not apply to most digital cellphone standards, another attack needs just 4


11/12

536

known plaintexts, which is a much more realistic assumption. At a minimum,these attacks illuminate fundamental certificational weaknesses in CMEA. Atworst, widespread attacks on CMEA might be possible in practice.Our cryptanalysis of CMEA underscores the need for an open cryptographicreview process. Betting on new algorithms is always dangerous, and closed-doordesign and proprietary standards are not conducive to the best odds.Since being exposed to public scrutiny, three of the four proprietary TIAcryptographic algorithms have been broken: the voice privacy protection wasshown to be insecure as early as 1992 [Bar92, CFP93], this paper cryptanalyzesCMEA, and ORYX was recently broken by the authors [WSK97]. This poorsuccess rate provides a strong argument against closed-door design.In addition, our analysis also shows the importance of explicitly stating se-curity assumptions during every step of the design and development process,

and of not reusing security components without throroughly examining the im-plications of reuse. The CaveTable was designed to have the security propertiesCAVE needed. Designers reused it for CMEA because they were low on space;this turned out to be a bad idea. CMEA requires different properties from theCaveTable than CAVE does.In short, CMEA is deeply flawed, and should be carefully reconsidered.

7 A c k n o w l e d g e m e n t sGreg Rose first pointed out the insecurity of CMEA, and he deserves the creditfor that discovery. We were not aware of serious flaws in CMEA until we heardover the grapevine that he had found an effective known-plaintext attack onCMEA; this tip provided the motivation to look more closely at CMEA until wemanaged to independently re-derive the attack described in this paper. Unfor-tunately he is not free to publish his analysis, so we offer ours instead. We areextremely grateful to Greg Rose for his immeasurable help.Also, we thank an anonymous party (for scanning the cellphone cryptographystandard and posting it to the Internet [TIA92]), John Young (for acting as aclearinghouse for resources on cellphone crypto), Ron Rivest (for many helpfulcomments on the presentation of our results), Steve Schear (for some assistancenavigating the maze of cellular standards), Niels Ferguson (for useful feedback),and all those early readers who independently pointed out that the number ofpossibilities for T(0) could be reduced from 256 to 164 in the known plaintextattack.

R e f e r e n c e s[Ban97][Bax92]

M. Bannert, "Cryptanalysis of the Cellular Message Encryption Algorithm,"unpublished manuscript, 1 May 1997.J.P. Barlow, "Decrypting the Puzzle Palace," Communications of the ACM,July 1992.


12/12

537

[CFP93]

[FCC97][ H i 1 9 7 ][ N o k 9 6 ]

[Ree91][TIA92]

[TIA95][Whe97]

[WSK9~

R. Mechaley, Speaker, Digital telephony and cryptography policy session.The Th ird Con ference on Compu ters , b '~eedom and Pr ivacy , Burlingame, CA,1993, Bruce Koball, General Chair.FCC Wireless Telecommunications Bureau, "FCC-WTB Information of Cel-lular Fraud," hZtp://maw, fcc. gov/~rtb/cellfrd, html, Feb 1997.J. Hillyard, personal communication, 21 May 1997.Nokia Mobile Phones, "Nokia Announces Anti-Fraud Protection Op-tion for All Models Marketed in 1996," 5 Jan 1996, Tampa Fla.,h t t p : / / w w w . n o k i a , e o m / n e w s / n e w s _ h t m l s / n m p _ 9 6 0 I O f b , h t m l , p r e s s r e le as e.J.A. Reeds III, "Cryptosystem for Cellular Telephony," U.S. Patent 5,159,634,Sep 1991.TIA IS-54 Appendix A, "Dual-mode Cellular System: Authentication, MessageEncryption, Voice Privacy Mask Generation, Shared Secret Data Generation,A-Key Verification, and Test Data," Feb 1992, Rev B.TIA TR45.0.A, "Common Cryptographic Algorithms," June 1995, Rev B."Summary of Testimony of Thomas E. Wheeler," Oversight Hearing on Cel-lular Privacy, 5 Feb 1997, House Commerce Committee, Subcommittee onTelecommunications, Trade, and Consumer Protection.h t t p : / / w w w . h o u s e , g o v / c o m m e r c e / t e l e c o m / h e a r i n g s / 0 2 0 5 9 7 / w h e e l e r , p d fD. Wagner, B. Schneier, J. Kelsey, "Cryptanalysis of ORYX," unpublishedmanuscript, 4 May 1997.

Documents

Crypt Analysis of the Cellular Message Encryption Algorithm