outline - COSIC€¦ · motivation: standard CBC-MAC would have resulted in a forgery attack after 232 messages development of 3G algorithms (16) research & development Orange Group

research & development

Design and Analysis of Cryptographic Algorithms

for Mobile Communication Systems

Henri GilbertOrange Labs

{[email protected]}

research & development Orange Groupdevelopment of 3G algorithms (2)

outline development of cryptographic algorithms for a real life application

introductioncryptographic features of 2G and 3G systems

algorithms development process within ETSI/SAGE

approach to design / specification / evaluation

links with academic research

case studies1999: KASUMI block cipher + resulting encryption (UEA1, A5/3) and MAC (UIA1)

2005: SNOW 3G stream cipher + resulting encryption (UEA2) and MAC (UIA2)

2000: MILENAGE authentication and key generation algorithm


security in mobile systems

security aspects:

Radio access network

MS = ME + (U)SIM

Core Network External networks(PSTN, IP…)

radio accessterminal core network e2e transactions


cryptographic algorithms of GSM

subscriber authentication

authentication & key generation algorithms A3/A8permanent subscriber key Ki (SIM & HLR)A3/A8 is not standardized (operator dependent)

traffic and signalling encryption

circuit switched GSM: standard A5 algorithms A5/1, A5/2, A5/3

packet oriented GSM (GPRS):standard GEA algorithms GEA1, GEA2, GEA3

RAND (challenge)

A3/A8

KcSRES

Ki

Kc

IV (frame nb.)

A5

114-bit keystream

128

6432

128

Kc*

IV

GEA

5 to 1600-byte keystream

22

33

64

64

(counter, dir.)


HLR/AuCMSC/VLRBTS

RANDKi

A3/A8SRES

Kc

checksSRES

Kc, start enc.start enc.

ACK

IV(frame nb.) A5 A5

114-bit keystream 114-bit keystream

+ +plain traffic &sig.

Kc

SIM

encrypted traffic & sig.

visited network

homenetwork

RAND

A3/A8

KcSRES

n triplets (RAND, SRES, Kc)

KiME

GSM SECURITY: OVERVIEW

IV(frame nb.)

plain traffic& sig.

off lineon line


limitations of GSM security

no network authentication and no explicit integrity protectionmoreover encryption initiative is left up to the network

eavesdropping attacks using false base stations turned out to be a reality…

⇒ UMTS: network authentication and signalling messages auth.

⇒ GSM and UMTS: encryption indicator (in some mobiles)

limitations of GSM encryptionencryption ends at the base station => vulnerability of the BTS-BSC interface

efficient attack on A5/2, gradual erosion of the protection offered by A5/1 [Biham et al.]

⇒ UMTS: strong encryption (128-bit key, hopefully full strength), ends at RNC

⇒ GSM: move to A5/3 (derived from 3G algorithm KASUMI)


cryptographic features of UMTS mutual authentication (slightly simplified)

subscriber auth. ≈ GSM authgeneration of session keys CK and IK network auth. ≈ MAC of sequence nb. SQNSQN anonymization: mask AK

f1-f5 also named AKA (auth. & key agreement)no standard AKA; example AKA: MILENAGE

traffic and signalling encryptiontwo standard f8 algorithms

• UEA1 derived from KASUMI• UEA2 derived from SNOW 3G

message authenticationtwo standard f9 algorithms

• UEA1 derived from KASUMI• UEA2 derived from SNOW 3G

RAND SQN AMF

K

RES CK IK AK MAC-A64 128 128 48 64

f1f2 f3 f4 f5

48 16128

CK f8

IV (count-c, bearer, dir.)

keystream

f9IK

MAC

message+ (count, fresh, direction)

128

128

128

128

32


HLR/AuC

MSC/VLR

RAND, AUTNK

f1-f5RES

CK

checks RES

start enc., CK, IKstart enc.ACK

IV IVf8 f8

+ +{ DATA || MAC }

CK

USIM RAND, SQN

home

network

f1-f5

RES IK CK AUTN

n quintets(RAND,RES,IK,CK, AUTN)

KRNC

checks AUTN

f9count, fresh

IK

{ DATA || MAC }

f9count, freshchecks

MAC

ME

UMTS SECURITY: OVERVIEW

encrypted traffic & sig.

Node-B


ETSI/SAGEwhat's that?

security algorithms group of experts of European Telecommunication Standard Institute

in charge of security algorithms standardisation for telecommunications

‒ mobile communication systems: 2G (GSM/GPRS), 3G (UMTS) …

‒ other systems: radio lans, teleconferencing, smart cards, inter-PNO exchanges, TETRA

created in the early 90's

initial mandate included liaison with national authorities to get export approval

membershipclosed group: no longer for secrecy reasons, for efficiency reasons

～ 10 telecom. operators or manufacturers with strong cryptography expertise

chaired by Gert Roelofsen until he left KPN research

and since then by Steve Babbage, Vodafone


export controls before 98

strong export restrictions on encryption, in particular for mobile systems ‒A5/1 was much stronger than ciphers that were freely exportable at that time

no transparent rules, case by case approvalSAGE algorithms were not published ‒ this was needed to get export approval ‒ however, for massively deployed algorithms, secrecy does not last long…

since 98 (Wassenaar agreements)export controls still exist…… but have been considerably eased and are no longer a real issue for mobilesSAGE moved to public algorithms soon after 98‒☺ increase public confidence‒☺ take advantage from publicly available designs‒ other less decisive pros & cons: ☺ public evaluation after deployment, increased vulnerability to side channel attacks


SAGE approach to algorithms development "balance the benefits of public evaluation against industry timescales" [S. Babbage]1. take the best from available research results

investigate most promising public designsadapt design to specific requirements of the intended application taking most recent advances in cryptanalysis into account

2. algorithm design /specification / evaluation workset-up a project team with clear timescales and allocation of taskssplit participants into separate design and evaluation teams‒ requirements capture (all)‒ design team: 1st design, 2nd design, final design‒ evaluation team: mathematical evaluation, statistical testing

output: specification, ref. implementation and spec.testing, design & eval. report

3. Independent evaluation and follow-on researchevaluation reports by well known academic expert teams (limited evaluation time)monitoring of (and often contribution to) follow-on public research


Case study 1: KASUMI, UEA1, UIA1 (1999)requirements (in brief)

stream cipher f8 and MAC f9‒ security: full strength‒ low H/W complexity‒ good H/W and S/W performance‒ f8: good IV agility

⇒ block cipher with stream cipher & MAC modes ‒ for flexibility reasons

available research results to start from strategies to thwart statistical attacks:‒ [Daemen-Rijmen]: wide trail strategy‒ [Vaudenay]: decorrelation theory and resulting block ciphers‒ [Nyberg-Knudsen, Aoki]: differential & linear bounds on 3R-Feistel schemes

[Matsui]: application to the embedded construction of MISTY block cipher⇒ MISTY (a 64-bit block cipher) was selected as the starting point for the design

‒ MISTY's designer, M. Matsui (Mitsubishi) joined SAGE ‒ KASUMI (≈ "misty" in Japanese) was designed

CK f8

IV count-c bearer dir.

keystream

f9IK

MAC

message, count, fresh, dir.

128

128


KASUMIS9

S7

S9

zero-extend

zero-extend

truncate

KIij1 KIij2

169 7

FO FI

bitwise AND operationbitwise OR operationone bit left rotation

3216 16

KLi1

KLi2

S7truncate

FIi1 KIi1KOi1

FIi2 KIi2KOi2

FIi3 KIi3KOi3

16 1632

FL

FO1FL1

FO3FL3

FO5FL5

FO7FL7

FO2 FL2

FO4 FL4

FO6 FL6

FO8 FL8

KL1 KO1, KI132 3264

KL6

KL8

KL7

KL2

KL5

KL4

KL3

KO2, KI2

KO3, KI3

KO4, KI4

KO5, KI5

KO6, KI6

KO7, KI7

KO8, KI8

plaintext (64 bits)

ciphertext (64 bits)

Main changes from MISTY1- 4th round in FI- FL: modified location, rotation - new S-boxes S7 and S9- simplified key schedule

↓≈ same conjectured securityslightly lower H/W complexity

F


KASUMI-based f8: UEA1

CK(128 bits)

IV(64 bits)

keystream KS

non-standard mode, combination of:-"prewhitening" (computation of secret A),- CNT mode- OFB mode

64-bit blocksize => standard modes would have resulted in strong 232-block distinguishers


KASUMI-based f9: UIA1

data

IK(128 bits)

auth. tag (32 bits)

non-standard mode again - CBC-MAC variant - 128-bit "chaining variable" instead of 64

motivation: standard CBC-MAC would have resulted in a forgery attack after 232 messages


KASUMI, UEA1, UIA1 (end)

independent evaluationfrom three well known academic teams coordinated by leading ECRYPT partners…in overall, confirmed soundness of proposed algorithms(some suggested variations not supported by strong cryptanalytic arguments against the evaluated specification were not retained)

follow on researchf9 forgery from 248 chosen message MACs [Knudsen-Mitchell]whether forgery from 232 chosen message MACs feasible as for standard modes is still opensuper-pseudo-randomness of 5-round MISTY [2 ind. papers at FSE 00]pseudo-randomness of expanding functions inspired from f8 and MILENAGE [Gilbert]algebraic interpretation of higher order differential properties of MISTY [Babbage-Frisch]research on modes of operation…


Case study 2: SNOW 3G, UEA2, UIA2 (2005)

requirements (in brief)same as UEA1, UIA1, but fallback algorithms set‒ maximize "cryptographic distance" from KASUMI‒ minimize potential vulnerability to algebraic attacks

⇒ stream cipher + UH MAC approach seemed worth being investigated

available research results to start from (stream ciphers)NESSIE had failed selecting a stream cipher, but:‒ had stimulated the design of IV-dependent stream ciphers‒ had resulted in cryptanalytic advances, e.g. linear masking attacks [Coppersmith et al.]

ECRYPT / eSTREAM stream ciphers project had just started‒ SASC workshop gave an accurate picture of the state of the art

⇒ SNOW 2.0 [Ekdahl-Johansson] was retained as a starting point for the design with permission

of its authors. ‒ its resistance to linear masking & algebraic attacks had been analysed

[Watanabe et al., Billet-Gilbert]


from SNOW 2.0 …

R1 R2S

α-1 α

s0s2s5s11s15

current state: - LFSR: 16 32-bit words- FSM memory: 2 32-bit words

32x32 S-box S- based on AES


to SNOW 3G

R1 R2S1

α-1 α

R3S2

s0s2s5s11s15

Main changes from SNOW 2.0:-additional memory word R3-additional 32x32 S-box S2based on Dickson polynomials

=> extra security margin against algebraic & linear masking attacks


SNOW 3G, UEA2, UIA2 (cont.)

available research results to start from: UH function-based MACs

Wegman-Carter paradigm: MAC(M) = hk(M) ⊕ OTP,

where {hk} is an almost 2-universal family of hash functions

many efficient UH MACs based on polynomials had been recently proposed hk(M) = PolyM(k), typically over GF(2n)

how to best derive k and OTP from IK using a streamcipher was unclear


message authentication f9: UIA2

SNOW 3G

IV

IK

128

128

COUNT-CBEARERDIRECTION

M = (M0,..,Mt) PolyM(P)

P Q

OTP

MAC

64 64 32

computations are done over GF(264)

• 32–bit OTP, but also 128-bit hash key (P,Q), is

derived fom IK using SNOW 3G

(conservative choice)

MAC = hPQ(M) ⊕ OTPwhere hPQ(M) = (PolyM(P) •Q) truncated to 32 bits

multiplication by Q allows to keep forgery proba.

close to ideal value 2-32, even for long messages:

2-stage MAC construction [Stinson 92, Bierbrauer

et al. 93, Neversteen-Preneel 99, Bernstein 05]

Truncate

hPQ

32 bits


SNOW 3G, UEA2, and UIA2 (end)

independent evaluationtwo well known academic teams (coordinated by leading ECRYPT partners…)

various potential lines of attack were investigated

in overall, confirmed SAGE confidence in proposed design

follow on researchimproved linear masking on SNOW 2.0 [Nyberg-Wallen]

note about how to improve truncated G-MAC [Nyberg-Gilbert-Robshaw]

warning about key recovery attacks on some polynomial based UH MACs

when unlike in UIA2 hash key is not renewed [Handschuh-Preneel, Crypto 08]


conclusion

cryptographic research and standardisation are distinct processes…distinct objectives, distinct timescalesresearch must not be entirely driven by the requirements of applicationsstandardisation may have to deal with problems research did not / cannot solve

…but they must interact closely standardisation groups and the research community must not be disjointthe research and scientific exchanges promoted by ECRYPT and ECRYPT II in the future are quite useful to achieve this kind of interaction

next cryptography standardization challenges in mobiles?other security aspects (underway)massively deployed public key cryptography in (U)SIMs?

Documents

outline - COSIC€¦ · motivation: standard CBC-MAC would have resulted in a forgery attack after 232 messages development of 3G algorithms (16) research & development Orange Group