
www.elsevier.com/locate/jss

The Journal of Systems and Software 80 (2007) 791–794

Security problems with improper implementations of improved FEA-M

Shujun Li *, Kwok-Tung Lo

Department of Electronic and Information Engineering, The Hong Kong Polytechnic University, Hung Hom, Kowloon, Hong Kong SAR, China

Received 11 August 2005; received in revised form 10 January 2006; accepted 1 May 2006. Available online 14 June 2006.

Abstract

This paper reports security problems with improper implementations of an improved version of FEA-M (fast encryption algorithm for multimedia). It is found that an implementation-dependent differential chosen-plaintext attack or its chosen-ciphertext counterpart can reveal the secret key of the cryptosystem, if the involved (pseudo-)random process can be tampered with (for example, through a public time service). The implementation-dependent differential attack is very efficient in complexity and needs only O(n²) chosen plaintext or ciphertext bits. In addition, this paper also points out a minor security problem with the selection of the session key. In real implementations of the cryptosystem, these security problems should be carefully avoided, or the cryptosystem has to be further enhanced to work under such weak implementations.
© 2006 Elsevier Inc. All rights reserved.

Keywords: Multimedia encryption; FEA-M; Insecure implementation; Differential attack; Chosen-plaintext attack; Chosen-ciphertext attack; Pseudo-random process

1. Introduction

Multimedia data play important roles in today's digital world. In many multimedia applications, such as pay-TV services, commercial video conferences and medical imaging systems, fast and secure encryption methods are required to protect the multimedia contents against malicious attackers. In recent years, many different multimedia encryption schemes have been proposed to fulfill such an increasing demand (Uhl and Pommer, 2005; Furht et al., 2004; Li et al., 2004). In Yi et al. (2001), a new fast encryption algorithm for multimedia (FEA-M) was proposed, which bases its security on the complexity of solving non-linear Boolean equations. Later FEA-M was employed to construct a key agreement protocol by the same authors in Yi et al. (2002). Since then, some attacks on FEA-M have been reported (Mihaljević and Kohno, 2002; Mihaljević, 2003; Wu et al., 2003; Youssef and Tavares, 2003), most of which can break the key with a smaller complexity than the simple brute force attack (Mihaljević and Kohno, 2002; Mihaljević, 2003; Wu et al., 2003), and one of which can completely break the whole cryptosystem with only one known and two chosen plaintext blocks (Youssef and Tavares, 2003).

0164-1212/$ - see front matter © 2006 Elsevier Inc. All rights reserved.

doi:10.1016/j.jss.2006.05.002

* Corresponding author. Tel.: +852 27666250. E-mail address: [email protected] (S. Li). URL: http://www.hooklee.com (S. Li).

To enhance the security and to avoid some other defects, an improved version of FEA-M was proposed in Mihaljević (2003). This paper reports some security problems with improper implementations of the cryptosystem. We point out that the secret key of the cryptosystem can be revealed by an implementation-dependent differential attack if the involved (pseudo-)random process can be tampered with. One such situation is when the pseudo-random process is uniquely controlled by an external source (such as a public time service), though it appears that such an implementation would not compromise the security of the cryptosystem itself. The proposed differential attack is very efficient, since only two pairs of chosen plaintext blocks are needed to completely reveal the key. As a result, in a real implementation of the cryptosystem, it should be ensured that the embedded pseudo-random process cannot be controlled by illegal users. Or, the improved FEA-M has to be further enhanced to resist this implementation-dependent attack. In addition, a minor problem with the selection of the session key is also discussed in this paper.

2. Improved FEA-M

The original FEA-M (Yi et al., 2001) is a block cipher with both plaintext and ciphertext feedback. It encrypts the plaintext in the form of n × n Boolean matrices, by an n × n Boolean key matrix. The elements of the matrices are either 0 or 1 and all matrix operations are made over GF(2), i.e., modulo 2. As a result, the ciphertext is also in the form of n × n Boolean matrices.

Previous works have shown that the original FEA-M has the following defects: (1) the key can be easily broken by an adaptive chosen-plaintext attack proposed in Youssef and Tavares (2003); (2) an efficient known-plaintext attack can break it with a complexity smaller than the brute force attack (Mihaljević and Kohno, 2002; Mihaljević, 2003; Wu et al., 2003); (3) it is sensitive to packet loss (Mihaljević, 2003) and channel errors due to the use of plaintext feedback.

To overcome the above-mentioned security defects, Mihaljević (2003) proposed an improved FEA-M. The improved scheme contains two stages: a key distribution stage and a working stage. The first stage generates two n × n secret Boolean matrices, a session key K and an initial matrix V, generally from a master key $K_0$, which is also an n × n Boolean matrix and is known by both the sender and the receiver. The key distribution protocol is actually the one used in Yi et al. (2002) and can be described as follows:

• The sender selects K and V via a (pseudo-)random process, and computes

$K^* = K_0 K^{-1} K_0$, (1)
$V^* = K_0 V K_0$, (2)

then sends $(K^*, V^*)$ to the receiver.

• The receiver recovers $K^{-1}$ and V by computing

$K^{-1} = K_0^{-1} K^* K_0^{-1}$, (3)
$V = K_0^{-1} V^* K_0^{-1}$. (4)

After the key distribution stage, the sender and the receiver sides can start the encryption/decryption procedure with the session key K and the initial matrix V. Denoting the ith n × n plain-matrix by $P_i$ and the ith n × n cipher-matrix by $C_i$, the encryption procedure is as follows:

$C_i = K\left(P_i + KVK^i\right)K^{n+i} + KVK^i$, (5)

and the decryption procedure is

$P_i = K^{-1}\left(C_i + KVK^i\right)K^{-(n+i)} + KVK^i$. (6)

The above procedure repeats for each plain/cipher-matrix until the plaintext/ciphertext is exhausted.

3. Implementation-dependent differential attack

In this section, we describe an implementation-dependent differential attack on the improved FEA-M. This attack works under the condition that one can tamper with the involved (pseudo-)random process of the improved FEA-M so that the same K and V are used in two separate encryption sessions.

Given two plain-matrices, $P_i^{(1)}$ and $P_i^{(2)}$, and their corresponding cipher-matrices, $C_i^{(1)}$ and $C_i^{(2)}$, we can get Eq. (7):

$$\begin{aligned}
C_i^{(1)} + C_i^{(2)} &= \left[K\left(P_i^{(1)} + KVK^i\right)K^{n+i} + KVK^i\right] + \left[K\left(P_i^{(2)} + KVK^i\right)K^{n+i} + KVK^i\right] \\
&= K\left(P_i^{(1)} + KVK^i\right)K^{n+i} + K\left(P_i^{(2)} + KVK^i\right)K^{n+i} \\
&= K\left(P_i^{(1)} + P_i^{(2)}\right)K^{n+i}. \quad (7)
\end{aligned}$$

Apparently, Eq. (7) means a simple relation between $\Delta C_i = C_i^{(1)} + C_i^{(2)} = C_i^{(1)} \oplus C_i^{(2)}$ and $\Delta P_i = P_i^{(1)} + P_i^{(2)} = P_i^{(1)} \oplus P_i^{(2)}$, i.e., the plaintext and the ciphertext differentials (sums):

$\Delta C_i = K\left(\Delta P_i\right)K^{n+i}$. (8)

As a result, for two consecutive plaintext-matrices, if we choose $\Delta P_{i+1} = \Delta P_i$, we can immediately deduce:

$\Delta C_{i+1} = K\left(\Delta P_{i+1}\right)K^{n+i+1} = K\left(\Delta P_i\right)K^{n+i}K = \Delta C_i K$. (9)

Thus, if $\Delta C_i$ is invertible, the session key can be derived easily as follows:

$K = \left(\Delta C_i\right)^{-1}\Delta C_{i+1}$. (10)

To make $\Delta C_i$ invertible, one should choose $\Delta P_i$ to be an invertible matrix over GF(2); note that K is always invertible by the design of the cryptosystem.

After K is broken, one can substitute it into Eq. (5) to get a linear equation with n² unknown variables, i.e., the n² elements of the initial matrix V:

$VK^{n+i} + K^{-1}V = K^{-2}\left(C_i - KP_iK^{n+i}\right)K^{-i}$. (11)

By solving this linear equation, it is easy to recover V. Actually, we can further reduce the linear equation to directly deduce V. Choosing two continuous plaintext matrices $P_i$, $P_j$ and adding the two linear systems, one has

$VK^{n+i}\left(I + K^{j-i}\right) = K^{-2}\left(C_i - KP_iK^{n+i}\right)K^{-i} + K^{-2}\left(C_j - KP_jK^{n+j}\right)K^{-j}$. (12)

When $I + K^{j-i}$ is invertible, V can be immediately solved by multiplying the right side by $\left(I + K^{j-i}\right)^{-1}K^{-(n+i)}$ at the end.


Note that $I + K^{j-i}$ may not be invertible over GF(2) (for example, when K = I), though the probability is relatively small when n is relatively high. Once such an event occurs, one can turn to solving Eq. (11). If V still cannot be solved from Eq. (11), one has to carry out the attack with some other different values of K until V can be uniquely solved.

Once K and V are both known, one can use the method proposed in Section 3 of Youssef and Tavares (2003) to recover the master key $K_0$.

To carry out a successful attack, in most cases, the attacker only needs to choose two plaintexts with four chosen plaintext matrices, $P_i^{(1)}$, $P_{i+1}^{(1)}$, $P_i^{(2)}$ and $P_{i+1}^{(2)}$, which satisfy $P_{i+1}^{(1)} \oplus P_{i+1}^{(2)} = P_i^{(1)} \oplus P_i^{(2)} = \Delta P$ and $\Delta P$ is an invertible matrix. Considering each matrix is an n × n Boolean matrix, 4n² chosen plain-bits are required in total. When n = 64, as suggested in Yi et al. (2001, 2002), only 2048 plain-bytes are needed. In addition, the complexity of the proposed attack is very small; actually it is of the same order as the one proposed in Youssef and Tavares (2003). In the case that V cannot be solved with four chosen plaintext matrices, more plaintext matrices have to be chosen, but the number of chosen plaintext bits is still of the same order, O(n²).

Next, let us see in which improper implementations an attacker can manage to tamper with the involved (pseudo-)random process to activate the above differential attack. Apparently, the above attack requires two encryption sessions with the same session key K and the same initial matrix V, one for encrypting the first plaintext $\{\ldots, P_i^{(1)}, P_{i+1}^{(1)}\}$ and the other for encrypting the second plaintext $\{\ldots, P_i^{(2)}, P_{i+1}^{(2)}\}$. However, in each encryption session, K and V have to be reset at the sender side via a (pseudo-)random process and distributed to the receiver side via the key distribution protocol. As a result, generally two different sessions use different K and V. However, in the real world the encryption scheme may be improperly implemented such that the attacker can tamper with the (pseudo-)random process. As a typical example, let us assume that the process is uniquely determined by the system clock.¹ In chosen-plaintext attacks, the attacker has temporary access to the encryption machine, so he/she can intentionally alter the system clock to control the (pseudo-)random process before running each session to get the same K and V for two separate sessions. In addition, if the improved FEA-M is implemented in such an insecure way that the second stage can restart without running the key distribution stage, the attack becomes straightforward.

¹ In Yi et al. (2001, 2002) and Mihaljević (2003), it is not mentioned how to realize the random process. One of the simplest (though maybe less frequently used) methods to realize a pseudo-random process is to initialize the seed of the pseudo-random number generator using the current time stamp. A list of some other more complicated ways can be found in Section ''The Collection of Data Used to Create a Seed for Random Number'' of Microsoft Corporation (2005).

At last, it deserves mentioning that the above differential chosen-plaintext attack can easily be generalized to a differential chosen-ciphertext attack, provided that the (pseudo-)random process at the decryption machine can be tampered with. Rewrite Eq. (8) into the following form:

$\Delta P_i = K^{-1}\left(\Delta C_i\right)K^{-(n+i)}$. (13)

Then, by choosing DCi+1 = DCi, one has

$\Delta P_{i+1} = K^{-1}\left(\Delta C_{i+1}\right)K^{-(n+i+1)} = K^{-1}\left(\Delta C_i\right)K^{-(n+i)-1} = \Delta P_i K^{-1}$. (14)

Other steps are identical with the above differential chosen-plaintext attack.

4. A minor problem with selection of session key

It is noticed that K cannot be selected at random from all invertible matrices over GF(2). All n × n invertible matrices form the general linear group GL(n, 2), whose order is $O = \prod_{i=0}^{n-1}\left(2^n - 2^i\right)$ (Wikipedia, 2005). So, denoting the order of K in GL(n, 2) by o(K), it is true that $o(K) \mid O$, i.e., $K^{o(K)} = I$, where I is the identity Boolean matrix (Gilbert and Gilbert, 2005). It is obvious that o(K) actually corresponds to the periodicity of the encryption/decryption function with respect to the plaintext/ciphertext index i. Generally speaking, the periodicity should not be too small to maintain an acceptable security level. As an extreme example, when K = I, o(K) = 1 and the encryption procedure becomes $C_i = P_i$ (the cipher vanishes). Thus, K should be selected randomly from all invertible Boolean matrices with sufficiently large orders, which means a significant reduction of the session key space.
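As an added worked example (not code from the paper), the following Python implements the n × n GF(2) matrix arithmetic of the improved FEA-M, its encryption Eq. (5), the session-key recovery of Eqs. (8)-(10) from two sessions that reused K and V, and the order check o(K) of Section 4. It assumes a toy block size n = 8 rather than the suggested n = 64, and every key, initial matrix and plaintext is constructed from a seeded PRNG that stands in for a replayed clock-seeded process.

```python
import functools, operator, random

# Boolean n x n matrices over GF(2) as lists of n row bitmasks: bit k of row r is element (r, k).
def identity(n): return [1 << k for k in range(n)]
def mat_add(A, B): return [a ^ b for a, b in zip(A, B)]            # GF(2) addition is XOR
def xor_all(rows): return functools.reduce(operator.xor, rows, 0)
def mat_mul(A, B, n):
    # Row r of A*B is the XOR of the rows of B selected by the set bits of A[r].
    return [xor_all(B[k] for k in range(n) if row >> k & 1) for row in A]

def mat_pow(A, e, n):
    R = identity(n)
    for _ in range(e):
        R = mat_mul(R, A, n)
    return R

def mat_inv(A, n):
    # Gauss-Jordan on [A | I]; returns None when A is singular over GF(2).
    rows = [A[r] | 1 << (n + r) for r in range(n)]
    for c in range(n):
        piv = next((r for r in range(c, n) if rows[r] >> c & 1), None)
        if piv is None: return None
        rows[c], rows[piv] = rows[piv], rows[c]
        rows = [x ^ rows[c] if r != c and x >> c & 1 else x for r, x in enumerate(rows)]
    return [x >> n for x in rows]

def encrypt_block(K, V, P, i, n):
    # Eq. (5): C_i = K (P_i + K V K^i) K^(n+i) + K V K^i
    mask = mat_mul(mat_mul(K, V, n), mat_pow(K, i, n), n)
    return mat_add(mat_mul(mat_mul(K, mat_add(P, mask), n), mat_pow(K, n + i, n), n), mask)

def recover_session_key(C1_i, C2_i, C1_next, C2_next, n):
    # Eqs. (8)-(10): if dP_{i+1} = dP_i then dC_{i+1} = dC_i K, so K = (dC_i)^-1 dC_{i+1}.
    inv = mat_inv(mat_add(C1_i, C2_i), n)
    return None if inv is None else mat_mul(inv, mat_add(C1_next, C2_next), n)

def order_of(K, n):
    # Section 4: o(K) is the least o >= 1 with K^o = I; a small o(K) means a short period in i.
    I, M = identity(n), K
    for o in range(1, 2 ** n):           # every element of GL(n, 2) has order below 2^n
        if M == I: return o
        M = mat_mul(M, K, n)
    return None                          # K singular: its powers never return to I

def random_invertible(rng, n):
    while True:                          # rejection sampling from GL(n, 2)
        M = [rng.getrandbits(n) for _ in range(n)]
        if mat_inv(M, n) is not None: return M

def demo(n=8, seed=2006, i=3):
    # Constructed scenario: a replayed (e.g. clock-seeded) PRNG yields the same K and V in two sessions.
    rng = random.Random(seed)
    K, V, dP = random_invertible(rng, n), [rng.getrandbits(n) for _ in range(n)], random_invertible(rng, n)
    P1 = [[rng.getrandbits(n) for _ in range(n)] for _ in range(2)]   # session 1: P_i, P_{i+1}
    P2 = [mat_add(P, dP) for P in P1]                                  # session 2: same invertible dP
    C1 = [encrypt_block(K, V, P1[j], i + j, n) for j in range(2)]
    C2 = [encrypt_block(K, V, P2[j], i + j, n) for j in range(2)]
    return K, recover_session_key(C1[0], C2[0], C1[1], C2[1], n), order_of(K, n)
```

order_of(K, n) is the check a sender can run before accepting a randomly drawn K: reject any candidate whose period falls below a chosen threshold, as Section 4 recommends.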

5. Conclusions

This paper reports an implementation-dependent differential attack on an improved fast encryption algorithm for multimedia (FEA-M) proposed in Mihaljević (2003). The attack works under the condition that the involved (pseudo-)random process can be tampered with by the attacker. In this case, the attack can reveal the key with four or more chosen plaintext/ciphertext matrices, i.e., 4n² chosen plain/ciphertext bits, in two or more separate encryption sessions. The result shows that a secure cryptosystem may become totally insecure through seemingly harmless implementation details in the real world (Schneier, 2000). In addition, a minor problem with the selection of the session key is also discussed in this paper.

Acknowledgements

This research was supported by The Hong Kong Polytechnic University's Postdoctoral Fellowships Scheme under grant no. G-YX63. The authors thank the anonymous reviewers for their valuable comments to enhance the quality of this paper.


References

Furht, B., Socek, D., Eskicioglu, A.M., 2004. Fundamentals of multimedia encryption techniques. In: Furht, B., Kirovski, D. (Eds.), Multimedia Security Handbook. CRC Press, LLC, pp. 93–131 (Chapter 3).

Gilbert, J., Gilbert, L., 2005. Elements of Modern Algebra, sixth ed. Thomson Brooks/Cole, Pacific Grove, California, USA.

Li, S., Chen, G., Zheng, X., 2004. Chaos-based encryption for digital images and videos. In: Furht, B., Kirovski, D. (Eds.), Multimedia Security Handbook. CRC Press, LLC, pp. 133–167 (Chapter 4).

Microsoft Corporation, 2005. Microsoft enhanced cryptographic provider – FIPS 140-1 documentation: security policy. Available from: <http://csrc.nist.gov/cryptval/140-1/140sp/140sp238.pdf>.

Mihaljević, M.J., 2003. On vulnerabilities and improvements of fast encryption algorithm for multimedia FEA-M. IEEE Trans. Consumer Electron. 49 (4), 1199–1207.

Mihaljević, M.J., Kohno, R., 2002. Cryptanalysis of fast encryption algorithm for multimedia FEA-M. IEEE Commun. Lett. 6 (9), 382–384.

Schneier, B., 2000. Secrets and Lies: Digital Security in a Networked World. John Wiley & Sons, Inc., New York.

Uhl, A., Pommer, A., 2005. Image and Video Encryption: From Digital Rights Management to Secured Personal Communication, Advances in Information Security, vol. 15. Springer Science + Business Media, Inc., Boston, USA.

Wikipedia, 2005. General linear group. Available from: <http://en.wikipedia.org/wiki/General_linear_group>.

Wu, H., Bao, F., Deng, R.H., 2003. An efficient known plaintext attack on FEA-M. In: Qing, S., Gollmann, D., Zhou, J. (Eds.), Information and Communications Security: Proceedings of the 5th International Conference, ICICS 2003, Huhehaote, China, 10–13 October 2003, Lecture Notes in Computer Science, vol. 2836. Springer-Verlag, Berlin, Heidelberg, pp. 84–87.

Yi, X., Tan, C.H., Siew, C.K., Syed, M.R., 2001. Fast encryption for multimedia. IEEE Trans. Consumer Electron. 47 (1), 101–107.

Yi, X., Tan, C.H., Siew, C.K., Syed, M.R., 2002. ID-based key agreement for multimedia encryption. IEEE Trans. Consumer Electron. 48 (2), 298–302.

Youssef, A.M., Tavares, S.E., 2003. Comments on the security of fast encryption algorithm for multimedia (FEA-M). IEEE Trans. Consumer Electron. 49 (1), 168–170.