scispace - formally typeset
Search or ask a question
Author

Karsten Nohl

Bio: Karsten Nohl is an academic researcher from University of Virginia. The author has contributed to research in topics: Cipher & Cryptography. The author has an hindex of 8, co-authored 13 publications receiving 850 citations.

Papers
More filters
Book ChapterDOI
29 Jun 2009
TL;DR: A new approach to solving cryptographic problems by adapting both the problem description and the solver synchronously instead of tweaking just one of them is presented, which was able to solve a well-researched stream cipher 26 times faster than was previously possible.
Abstract: Cryptography ensures the confidentiality and authenticity of information but often relies on unproven assumptions. SAT solvers are a powerful tool to test the hardness of certain problems and have successfully been used to test hardness assumptions. This paper extends a SAT solver to efficiently work on cryptographic problems. The paper further illustrates how SAT solvers process cryptographic functions using automatically generated visualizations, introduces techniques for simplifying the solving process by modifying cipher representations, and demonstrates the feasibility of the approach by solving three stream ciphers. To optimize a SAT solver for cryptographic problems, we extended the solver's input language to support the XOR operation that is common in cryptography. To better understand the inner workings of the adapted solver and to identify bottlenecks, we visualize its execution. Finally, to improve the solving time significantly, we remove these bottlenecks by altering the function representation and by pre-parsing the resulting system of equations. The main contribution of this paper is a new approach to solving cryptographic problems by adapting both the problem description and the solver synchronously instead of tweaking just one of them. Using these techniques, we were able to solve a well-researched stream cipher 26 times faster than was previously possible.

478 citations

Proceedings Article
28 Jul 2008
TL;DR: This paper reconstructs the cipher from the widely used Mifare Classic RFID tag by using a combination of image analysis of circuits and protocol analysis, and reveals that the security of the tag is even below the level that its 48-bit key length suggests due to a number of design flaws.
Abstract: The security of embedded devices often relies on the secrecy of proprietary cryptographic algorithms. These algorithms and their weaknesses are frequently disclosed through reverse-engineering software, but it is commonly thought to be too expensive to reconstruct designs from a hardware implementation alone. This paper challenges that belief by presenting an approach to reverse-engineering a cipher from a silicon implementation. Using this mostly automated approach, we reveal a cipher from an RFID tag that is not known to have a software or micro-code implementation. We reconstruct the cipher from the widely used Mifare Classic RFID tag by using a combination of image analysis of circuits and protocol analysis. Our analysis reveals that the security of the tag is even below the level that its 48-bit key length suggests due to a number of design flaws. Weak random numbers and a weakness in the authentication protocol allow for pre-computed rainbow tables to be used to find any key in a matter of seconds. Our approach of deducing functionality from circuit images is mostly automated, hence it is also feasible for large chips. The assumption that algorithms can be kept secret should therefore to be avoided for any type of silicon chip.

272 citations

Posted Content
TL;DR: In this paper, the full 48-bit key of the MiFare algorithm in 200 seconds on a PC, given 1 known IV (from one single encryption), was shown to be close to zero.
Abstract: MiFare Crypto 1 is a lightweight stream cipher used in London’s Oyster card, Netherland’s OV-Chipcard, US Boston’s CharlieCard, and in numerous wireless access control and ticketing systems worldwide. Recently, researchers have been able to recover this algorithm by reverse engineering [11, 13]. We have examined MiFare from the point of view of the so called algebraic attacks. We can recover the full 48-bit key of the MiFare algorithm in 200 seconds on a PC, given 1 known IV (from one single encryption). The security of this cipher is therefore close to zero. This is particularly shocking, given the fact that, according to the Dutch press, 1 billion of MiFare Classic chips are used worldwide, including many government security systems.

50 citations

Book ChapterDOI
07 Feb 2010
TL;DR: A practical attack against DSC is proposed that recovers the secret key from 215 keystreams on a standard PC with a success rate of 50% within hours; somewhat faster when a CUDA graphics adapter is available.
Abstract: The DECT Standard Cipher (DSC) is a proprietary 64-bit stream cipher based on irregularly clocked LFSRs and a non-linear output combiner. The cipher is meant to provide confidentiality for cordless telephony. This paper illustrates how the DSC was reverse-engineered from a hardware implementation using custom firmware and information on the structure of the cipher gathered from a patent. Beyond disclosing the DSC, the paper proposes a practical attack against DSC that recovers the secret key from 215 keystreams on a standard PC with a success rate of 50% within hours; somewhat faster when a CUDA graphics adapter is available.

39 citations

Book ChapterDOI
04 Dec 2006
TL;DR: This work proposes a new metric for information leakage in RFID protocols along with a threat model that more realistically captures the goals and capabilities of potential attackers and concludes that an attacker has a reasonable chance of tracking tags when the tree-based hash protocol is used.
Abstract: Radio Frequency Identification (RFID) systems promise large scale, automated tracking solutions but also pose a threat to customer privacy. The tree-based hash protocol proposed by Molnar and Wagner presents a scalable, privacy-preserving solution. Previous analyses of this protocol concluded that an attacker who can extract secrets from a large number of tags can compromise privacy of other tags. We propose a new metric for information leakage in RFID protocols along with a threat model that more realistically captures the goals and capabilities of potential attackers. Using this metric, we measure the information leakage in the tree-based hash protocol and estimate an attacker's probability of success in tracking targeted individuals, considering scenarios in which multiple information sources can be combined to track an individual. We conclude that an attacker has a reasonable chance of tracking tags when the tree-based hash protocol is used.

36 citations


Cited by
More filters
Proceedings ArticleDOI
05 May 2015
TL;DR: A SAT-based algorithm is presented which allows an attacker to “decrypt” an encrypted netlist using a small number of carefully-selected input patterns and their corresponding output observations and a “partial-break” algorithm that can reveal some of the key inputs even when the attack is not fully successful.
Abstract: Contemporary integrated circuits are designed and manufactured in a globalized environment leading to concerns of piracy, overproduction and counterfeiting. One class of techniques to combat these threats is logic encryption. Logic encryption modifies an IC design such that it operates correctly only when a set of newly introduced inputs, called key inputs, are set to the correct values. In this paper, we use algorithms based on satisfiability checking (SAT) to investigate the security of logic encryption. We present a SAT-based algorithm which allows an attacker to “decrypt” an encrypted netlist using a small number of carefully-selected input patterns and their corresponding output observations. We also present a “partial-break” algorithm that can reveal some of the key inputs even when the attack is not fully successful. We conduct a thorough evaluation of our attack by examining six proposals for logic encryption from the literature. We find that all of these are vulnerable to our attack. Among the 441 encrypted circuits we examined, we were able to decrypt 418 (95%). We discuss the strengths and limitations of our attack and suggest directions that may lead to improved logic encryption algorithms.

664 citations

Book ChapterDOI
29 Jun 2009
TL;DR: A new approach to solving cryptographic problems by adapting both the problem description and the solver synchronously instead of tweaking just one of them is presented, which was able to solve a well-researched stream cipher 26 times faster than was previously possible.
Abstract: Cryptography ensures the confidentiality and authenticity of information but often relies on unproven assumptions. SAT solvers are a powerful tool to test the hardness of certain problems and have successfully been used to test hardness assumptions. This paper extends a SAT solver to efficiently work on cryptographic problems. The paper further illustrates how SAT solvers process cryptographic functions using automatically generated visualizations, introduces techniques for simplifying the solving process by modifying cipher representations, and demonstrates the feasibility of the approach by solving three stream ciphers. To optimize a SAT solver for cryptographic problems, we extended the solver's input language to support the XOR operation that is common in cryptography. To better understand the inner workings of the adapted solver and to identify bottlenecks, we visualize its execution. Finally, to improve the solving time significantly, we remove these bottlenecks by altering the function representation and by pre-parsing the resulting system of equations. The main contribution of this paper is a new approach to solving cryptographic problems by adapting both the problem description and the solver synchronously instead of tweaking just one of them. Using these techniques, we were able to solve a well-researched stream cipher 26 times faster than was previously possible.

478 citations

Journal ArticleDOI
TL;DR: This review discusses the current status of devices that generate quantum random numbers, and discusses the most fundamental processes based on elementary quantum mechanical processes.
Abstract: In mathematics and computer science, random numbers have the role of a resource for assisting proofs, making cryptography secure, and enabling computational protocols. This role motivates efforts to produce random numbers as a physical process. Potential physical sources abound, but arguably the most fundamental are those based on elementary quantum mechanical processes. This review discusses the current status of devices that generate quantum random numbers.

446 citations

Journal ArticleDOI
TL;DR: The present study makes the first step towards understanding the underlying evaluation metric for anonymous two-factor authentication, which is believed to facilitate better design of anonymousTwo-factor protocols that offer acceptable trade-offs among usability, security and privacy.
Abstract: Despite two decades of intensive research, it remains a challenge to design a practical anonymous two-factor authentication scheme, for the designers are confronted with an impressive list of security requirements (e.g., resistance to smart card loss attack) and desirable attributes (e.g., local password update). Numerous solutions have been proposed, yet most of them are shortly found either unable to satisfy some critical security requirements or short of a few important features. To overcome this unsatisfactory situation, researchers often work around it in hopes of a new proposal (but no one has succeeded so far), while paying little attention to the fundamental question: whether or not there are inherent limitations that prevent us from designing an “ideal” scheme that satisfies all the desirable goals? In this work, we aim to provide a definite answer to this question. We first revisit two foremost proposals, i.e. Tsai et al.’s scheme and Li’s scheme, revealing some subtleties and challenges in designing such schemes. Then, we systematically explore the inherent conflicts and unavoidable trade-offs among the design criteria. Our results indicate that, under the current widely accepted adversarial model, certain goals are beyond attainment. This also suggests a negative answer to the open problem left by Huang et al. in 2014. To the best of knowledge, the present study makes the first step towards understanding the underlying evaluation metric for anonymous two-factor authentication, which we believe will facilitate better design of anonymous two-factor protocols that offer acceptable trade-offs among usability, security and privacy.

355 citations

Journal ArticleDOI
Ding Wang1, Ping Wang1
TL;DR: In this paper, a security model that can accurately capture the practical capabilities of an adversary is defined and a broad set of twelve properties framed as a systematic methodology for comparative evaluation, allowing schemes to be rated across a common spectrum.
Abstract: As the most prevailing two-factor authentication mechanism, smart-card-based password authentication has been a subject of intensive research in the past two decades, and hundreds of this type of schemes have wave upon wave been proposed. In most of these studies, there is no comprehensive and systematical metric available for schemes to be assessed objectively, and the authors present new schemes with assertions of the superior aspects over previous ones, while overlooking dimensions on which their schemes fare poorly. Unsurprisingly, most of them are far from satisfactory—either are found short of important security goals or lack of critical properties, especially being stuck with the security-usability tension. To overcome this issue, in this work we first explicitly define a security model that can accurately capture the practical capabilities of an adversary and then suggest a broad set of twelve properties framed as a systematic methodology for comparative evaluation, allowing schemes to be rated across a common spectrum. As our main contribution, a new scheme is advanced to resolve the various issues arising from user corruption and server compromise, and it is formally proved secure under the harshest adversary model so far. In particular, by integrating “honeywords”, traditionally the purview of system security, with a “fuzzy-verifier”, our scheme hits “two birds”: it not only eliminates the long-standing security-usability conflict that is considered intractable in the literature, but also achieves security guarantees beyond the conventional optimal security bound.

323 citations