
Showing papers on "Cipher" published in 2008


Proceedings Article
28 Jul 2008
TL;DR: This paper reconstructs the cipher from the widely used Mifare Classic RFID tag by using a combination of image analysis of circuits and protocol analysis, and reveals that the security of the tag is even below the level that its 48-bit key length suggests due to a number of design flaws.
Abstract: The security of embedded devices often relies on the secrecy of proprietary cryptographic algorithms. These algorithms and their weaknesses are frequently disclosed through reverse-engineering software, but it is commonly thought to be too expensive to reconstruct designs from a hardware implementation alone. This paper challenges that belief by presenting an approach to reverse-engineering a cipher from a silicon implementation. Using this mostly automated approach, we reveal a cipher from an RFID tag that is not known to have a software or micro-code implementation. We reconstruct the cipher from the widely used Mifare Classic RFID tag by using a combination of image analysis of circuits and protocol analysis. Our analysis reveals that the security of the tag is even below the level that its 48-bit key length suggests due to a number of design flaws. Weak random numbers and a weakness in the authentication protocol allow for pre-computed rainbow tables to be used to find any key in a matter of seconds. Our approach of deducing functionality from circuit images is mostly automated, hence it is also feasible for large chips. The assumption that algorithms can be kept secret should therefore be avoided for any type of silicon chip.

272 citations


Journal ArticleDOI
Andreas Klein
TL;DR: The attack described by Fluhrer, Mantin and Shamir is improved in such a way that it will work even if the weak keys described in that paper are avoided, and a further attack will work even if the first 256 bytes of the output remain unused.
Abstract: In this article we present some weaknesses in the RC4 cipher and their cryptographic applications. Especially, we improve the attack described by Fluhrer, Mantin, Shamir (In: Selected Areas in Cryptography, 2001) in such a way that it will work even if the weak keys described in that paper are avoided. A further attack will work even if the first 256 bytes of the output remain unused. Finally we show that variants of the RC4 algorithm like NGG and RC4A are also vulnerable to these techniques.

206 citations


Journal ArticleDOI
TL;DR: The experimental results show that the new scheme has a very fast encryption speed and the key space is expanded and it can resist all kinds of cryptanalytic, statistical and brute-force attacks.

173 citations


Book ChapterDOI
01 Apr 2008
TL;DR: Sosemanuk as discussed by the authors is a new synchronous software-oriented stream cipher, corresponding to Profile 1 of the ECRYPT call for stream cipher primitives, whose key length is variable between 128 and 256 bits.
Abstract: Sosemanuk is a new synchronous software-oriented stream cipher, corresponding to Profile 1 of the ECRYPT call for stream cipher primitives. Its key length is variable between 128 and 256 bits. It accommodates a 128-bit initial value. Any key length is claimed to achieve 128-bit security. The Sosemanuk cipher uses both some basic design principles from the stream cipher SNOW 2.0 and some transformations derived from the block cipher SERPENT. Sosemanuk aims at improving SNOW 2.0 both from the security and from the efficiency points of view. Most notably, it uses a faster IV-setup procedure. It also requires a reduced amount of static data, yielding better performance on several architectures.

145 citations


Journal ArticleDOI
TL;DR: In this paper, a ciphertext-only cryptanalysis of GSM (Global System for Mobile communications) encrypted communication is presented, and various active attacks on the GSM protocols are discussed.
Abstract: In this paper we present a very practical ciphertext-only cryptanalysis of GSM (Global System for Mobile communications) encrypted communication, and various active attacks on the GSM protocols. These attacks can even break into GSM networks that use “unbreakable” ciphers. We first describe a ciphertext-only attack on A5/2 that requires a few dozen milliseconds of encrypted off-the-air cellular conversation and finds the correct key in less than a second on a personal computer. We extend this attack to a (more complex) ciphertext-only attack on A5/1. We then describe new (active) attacks on the protocols of networks that use A5/1, A5/3, or even GPRS (General Packet Radio Service). These attacks exploit flaws in the GSM protocols, and they work whenever the mobile phone supports a weak cipher such as A5/2. We emphasize that these attacks are on the protocols, and are thus applicable whenever the cellular phone supports a weak cipher, for example, they are also applicable for attacking A5/3 networks using the cryptanalysis of A5/1. Unlike previous attacks on GSM that require unrealistic information, like long known-plaintext periods, our attacks are very practical and do not require any knowledge of the content of the conversation. Furthermore, we describe how to fortify the attacks to withstand reception errors. As a result, our attacks allow attackers to tap conversations and decrypt them either in real-time, or at any later time. We present several attack scenarios such as call hijacking, altering of data messages and call theft.

130 citations


01 Aug 2008
TL;DR: This memo describes the use of the Advanced Encryption Standard in Galois/Counter Mode (GCM) as a Transport Layer Security (TLS) authenticated encryption operation.
Abstract: This memo describes the use of the Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM) as a Transport Layer Security (TLS) authenticated encryption operation. GCM provides both confidentiality and data origin authentication, can be efficiently implemented in hardware for speeds of 10 gigabits per second and above, and is also well-suited to software implementations. This memo defines TLS ciphersuites that use AES-GCM with RSA, DSS and Diffie-Hellman based key exchange mechanisms.

123 citations


Journal ArticleDOI
TL;DR: It turns out that for an outdated and unprotected 0.8 µm PIC16F84A microcontroller it is possible to recover the AES secret key directly during the initial AddRoundKey operation as the side channel can distinguish the individual key bits being XORed to the plaintext.
Abstract: The authors present a short note describing the newly emerging optical side channel. The basic idea of the channel is very simple – many parts of the integrated circuits consist of transistors that represent one of the two logical states 0 or 1. When the state changes, there is some light that is emitted in the form of a few photons. A device employing the method which is able to detect these photons (called picosecond imaging circuit analysis) is available in several laboratories, for example, in the French space agency CNES. From the point of view of the cryptanalyst, once the optical side channel information is available for a specific cipher on a device, it is possible to identify deep inner states that should not be revealed. In fact, it turns out that for an outdated and unprotected 0.8 µm PIC16F84A microcontroller it is possible to recover the AES secret key directly during the initial AddRoundKey operation as the side channel can distinguish the individual key bits being XORed to the plaintext.

94 citations


Book ChapterDOI
12 May 2008
TL;DR: The fastest industrial SAT solvers are used to attack a reduced version of Trivium, called Bivium, and the experimental attack time using the SAT solver is the best attack time that the authors are aware of.
Abstract: In this paper we present experimental results of an application of SAT solvers in current cryptography. Trivium is a very promising stream cipher candidate in the final phase of the eSTREAM project. We use the fastest industrial SAT solvers to attack a reduced version of Trivium, called Bivium. Our experimental attack time using the SAT solver is the best attack time that we are aware of; it is faster than the following attacks: exhaustive search, a BDD based attack, a graph theoretic approach and an attack based on Gröbner bases. The attack recovers the internal state of the cipher by first setting up an equation system describing the internal state, then transforming it into CNF and then solving it. When one implements this attack, several questions have to be answered and several parameters have to be optimised.

80 citations


Journal ArticleDOI
Stefan Katzenbeisser, Aweke N. Lemma, Mehmet U. Celik, M. van der Veen, M. Maas
TL;DR: In this correspondence, it is shown that the same functionality can be achieved efficiently using recently proposed secure watermark embedding algorithms.
Abstract: In a forensic watermarking architecture, a buyer-seller protocol protects the watermark secrets from the buyer and prevents false infringement accusations by the seller. Existing protocols encrypt the watermark and the content with a homomorphic public-key cipher and perform embedding under encryption. When used for multimedia data, these protocols create a large computation and bandwidth overhead. In this correspondence, we show that the same functionality can be achieved efficiently using recently proposed secure watermark embedding algorithms.

79 citations


Journal ArticleDOI
TL;DR: A loop architecture of the block cipher is presented and a comparative performance discussion of SEA with the advanced encryption standard Rijndael and (a cipher purposed for efficient FPGA implementations) is proposed.
Abstract: SEA is a scalable encryption algorithm targeted for small embedded applications. It was initially designed for software implementations in controllers, smart cards, or processors. In this letter, we investigate its performances in field-programmable gate array (FPGA) devices. For this purpose, a loop architecture of the block cipher is presented. Beyond its low cost performances, a significant advantage of the proposed architecture is its full flexibility for any parameter of the scalable encryption algorithm, taking advantage of generic VHDL coding. The letter also carefully describes the implementation details allowing us to keep small area requirements. Finally, a comparative performance discussion of SEA with the advanced encryption standard Rijndael and (a cipher purposed for efficient FPGA implementations) is proposed. It illustrates the interest of platform/context-oriented block cipher design and, as far as SEA is concerned, its low area requirements and reasonable efficiency.

74 citations


Journal ArticleDOI
TL;DR: A chaotic communication method using an extended Kalman filter is presented; a multi-shift cipher algorithm is also used to enhance the security, and the cipher key is chosen as one of the chaos states.

Proceedings ArticleDOI
03 Sep 2008
TL;DR: In this paper, the authors examined the digital hardware design and implementation of a novel compact block cipher, referred to as PUFFIN, that is suitable for embedded applications, which is designed to have a 64-bit block size, a 128-bit key, and is capable of both encryption and decryption operations.
Abstract: In this paper, we examine the digital hardware design and implementation of a novel compact block cipher, referred to as PUFFIN, that is suitable for embedded applications. An implementation of PUFFIN targeted to ASIC technology is considered. The proposed block cipher is designed to have a 64-bit block size, a 128-bit key, and is capable of both encryption and decryption operations. The cipher structure is based on the following features: a simple encryption process composed of permutations and substitutions based on 4×4 S-boxes, an identical datapath for both encryption and decryption facilitated by involutional operations, and a straightforward on-the-fly subkey generation composed of only a permutation and bit inversions. PUFFIN is found to perform well for implementations based on 0.18-micron CMOS technology. In comparison to other lightweight ciphers, PUFFIN has preferred features, low hardware complexity, and good throughput.

01 Aug 2008
TL;DR: This document describes sixteen new CipherSuites for TLS/DTLS which specify stronger digest algorithms which use HMAC with SHA-256 or SHA-384 and eight use AES in Galois Counter Mode (GCM).
Abstract: RFC 4492 describes elliptic curve cipher suites for Transport Layer Security (TLS). However, all those cipher suites use SHA-1 as their MAC algorithm. This document describes sixteen new CipherSuites for TLS/DTLS which specify stronger digest algorithms. Eight use HMAC with SHA-256 or SHA-384 and eight use AES in Galois Counter Mode (GCM).

Book ChapterDOI
14 Dec 2008
TL;DR: An improvement of the differential fault analysis of Trivium, which requires only 3.2 one-bit fault injections on average to recover the Trivium inner state and shows how a change of the cipher representation may result in a much better attack.
Abstract: One of the eSTREAM final portfolio ciphers is the hardware-oriented stream cipher Trivium. It is based on 3 nonlinear feedback shift registers with a linear output function. Although Trivium has attracted a lot of interest, it remains unbroken by passive attacks. At FSE 2008 a differential fault analysis of Trivium was presented. It is based on the fact that one-bit fault induction reveals many polynomial equations among which a few are linear and a few quadratic in the inner state bits. The attack needs roughly 43 induced one-bit random faults and uses only linear and quadratic equations. In this paper we present an improvement of this attack. It requires only 3.2 one-bit fault injections on average to recover the Trivium inner state (and consequently its key), while in the best case it succeeds after 2 fault injections. We termed this attack floating fault analysis since it exploits the floating model of the cipher. The use of this model leads to the transformation of many obtained high-degree equations into linear equations. The presented work shows how a change of the cipher representation may result in a much better attack.

Proceedings ArticleDOI
18 Nov 2008
TL;DR: The new algorithm can not only effectively encrypt images, but also resist cipher analyzers' attack by periodicity of cat map, and possesses high security in terms of the resistance to exhaustive attack, statistical attack and cipher-text-only attack.
Abstract: In this paper, an image encryption algorithm based on improved 3D cat map is proposed. The new algorithm employs Henon map chaotic sequence to generate control parameters of shuffling and uses improved 2D Logistic map sequence to substitute grey values. It can not only effectively encrypt images, but also resist cipher analyzers' attack by periodicity of cat map. Experimental results and security analysis show that the algorithm can be easily implemented and its encryption effect is satisfactory. Moreover, the algorithm possesses high security in terms of the resistance to exhaustive attack, statistical attack and cipher-text-only attack.

Proceedings ArticleDOI
13 Dec 2008
TL;DR: Differences in the use of symmetric and asymmetric cryptography for securing SMS transfer are compared, and the design and implementation of an application for mobile phones, which encrypts and signs SMS using the asymmetric RSA cipher, are described.
Abstract: This paper deals with SMS encryption for mobile communication. The transmission of an SMS in a GSM network is not secure; therefore it is desirable to secure SMS by additional encryption. In the following text, differences in the use of symmetric and asymmetric cryptography for securing SMS transfer are compared. In the next part, the design and implementation of the application for mobile phones, which encrypts and signs SMS using the asymmetric RSA cipher, is described. At the end, attacks on secured SMS and future extensions of the application are described.

Posted Content
TL;DR: Based on the analysis and the results available in the literature regarding the existing weaknesses of RC4, a few additional layers over the RC4 KSA and RC4 Pseudo-Random Generation Algorithm (PRGA) are proposed in this paper.
Abstract: In this paper, the RC4 Key Scheduling Algorithm (KSA) is theoretically studied to reveal non-uniformity in the expected number of times each value of the permutation is touched by the indices i, j. Based on our analysis and the results available in the literature regarding the existing weaknesses of RC4, a few additional layers over the RC4 KSA and RC4 Pseudo-Random Generation Algorithm (PRGA) are proposed. Analysis of the modified cipher (we call it RC4+) shows that this new strategy avoids existing weaknesses of RC4.

Book ChapterDOI
14 Dec 2008
TL;DR: Analysis of the modified cipher shows that this new strategy avoids existing weaknesses of RC4, and a few additional layers over the RC4 KSA and RC4 Pseudo-Random Generation Algorithm are proposed.
Abstract: In this paper, the RC4 Key Scheduling Algorithm (KSA) is theoretically studied to reveal non-uniformity in the expected number of times each value of the permutation is touched by the indices i, j. Based on our analysis and the results available in the literature regarding the existing weaknesses of RC4, a few additional layers over the RC4 KSA and RC4 Pseudo-Random Generation Algorithm (PRGA) are proposed. Analysis of the modified cipher (we call it RC4+) shows that this new strategy avoids existing weaknesses of RC4.

Proceedings ArticleDOI
11 Jun 2008
TL;DR: Salsa20/12 is the only promising alternative to the AES cipher on memory-constrained 8-bit embedded microcontrollers, and Sosemanuk is the most suitable cipher for embedded applications with high throughput requirements if its considerably higher memory needs can be tolerated.
Abstract: This work is motivated by the question of how efficiently modern stream ciphers in the eSTREAM project (Profile I) can be implemented on small embedded microcontrollers that are also constrained in memory resources. In response to this question, we present the first implementation results for Dragon, HC-128, LEX, Salsa20, Salsa20/12, and Sosemanuk on 8-bit microcontrollers. These ciphers are definitively free for any use, i.e., their use is not covered by intellectual property rights. For the evaluation process, we follow a two-stage approach and compare with efficient implementations of the AES block cipher. First, the C code implementation provided by the ciphers' designers was ported to an 8-bit AVR microcontroller and the suitability of these stream ciphers for use in embedded systems was assessed. In the second stage we implemented Dragon, LEX, Salsa20, Salsa20/12, and Sosemanuk in assembler to tap the full potential of an embedded implementation. Our efficiency metrics are memory usage in flash and SRAM and performance of keystream generation, key setup, and IV setup. Regarding encryption speed, all stream ciphers except for Salsa20 turned out to outperform AES. In terms of memory needs, Salsa20, Salsa20/12, and LEX are almost as compact as AES. In view of the final eSTREAM portfolio (Profile I), Salsa20/12 is the only promising alternative to the AES cipher on memory-constrained 8-bit embedded microcontrollers. For embedded applications with high throughput requirements, Sosemanuk is the most suitable cipher if its considerably higher memory needs can be tolerated.

Posted Content
TL;DR: In this paper, the full 48-bit key of the MiFare algorithm is recovered in 200 seconds on a PC, given 1 known IV (from one single encryption), showing that the security of this cipher is close to zero.
Abstract: MiFare Crypto 1 is a lightweight stream cipher used in London's Oyster card, the Netherlands' OV-Chipcard, US Boston's CharlieCard, and in numerous wireless access control and ticketing systems worldwide. Recently, researchers have been able to recover this algorithm by reverse engineering [11, 13]. We have examined MiFare from the point of view of the so-called algebraic attacks. We can recover the full 48-bit key of the MiFare algorithm in 200 seconds on a PC, given 1 known IV (from one single encryption). The security of this cipher is therefore close to zero. This is particularly shocking, given the fact that, according to the Dutch press, 1 billion MiFare Classic chips are used worldwide, including many government security systems.

Proceedings ArticleDOI
25 Oct 2008
TL;DR: This method enforces global constraints using integer programming, and it guarantees that no decipherment key is overlooked, and an empirical investigation of Shannon's (1949) theory of uncertainty in decipherment is made.
Abstract: We introduce a method for solving substitution ciphers using low-order letter n-gram models. This method enforces global constraints using integer programming, and it guarantees that no decipherment key is overlooked. We carry out extensive empirical experiments showing how decipherment accuracy varies as a function of cipher length and n-gram order. We also make an empirical investigation of Shannon's (1949) theory of uncertainty in decipherment.

Journal ArticleDOI
TL;DR: The result indicates that there is no trapdoor design for a Rijndael-like cipher based on the imprimitivity of the group action of its proper round functions which is difficult to detect.

Journal Article
TL;DR: In this article, the authors present a study of several fault attacks against the block cipher IDEA and show that the first attack cannot reveal a sufficient amount of key material to pose a real threat, while the second attack requires a large number of faults in the same model to achieve this goal.
Abstract: We present a study of several fault attacks against the block cipher IDEA. Such a study is particularly interesting because of the target cipher's specific property to employ operations on three different algebraic groups while not using substitution tables. We observe that the attacks perform very differently in terms of efficiency. Although requiring a restrictive fault model, the first attack cannot reveal a sufficient amount of key material to pose a real threat, while the second attack requires a large number of faults in the same model to achieve this goal. In the general random fault model, i.e. we assume that the fault has a random and a priori unknown effect on the target value, the third attack, which is the first Differential Fault Analysis of IDEA to the best of our knowledge, recovers 93 out of 128 key bits exploiting only about 10 faults. For this particular attack, we can also relax the assumption of cycle accurate fault injection to a certain extent.

Journal Article
TL;DR: In this paper, a more accurate analysis of the differential-linear attack on 11-round Serpent is presented, which involves both theoretical aspects as well as experimental results which suggest that previous attacks had overestimated complexities.
Abstract: Serpent is an SP Network block cipher submitted to the AES competition and chosen as one of its five finalists. The security of Serpent is widely acknowledged, especially as the best known attack so far is a differential-linear attack on only 11 rounds out of the 32 rounds of the cipher. In this paper we introduce a more accurate analysis of the differential-linear attack on 11-round Serpent. The analysis involves both theoretical aspects as well as experimental results which suggest that previous attacks had overestimated complexities. Following our findings we are able to suggest an improved 11-round attack with a lower data complexity. Using the new results, we are able to devise the first known attack on 12-round Serpent.

Book ChapterDOI
10 Aug 2008
TL;DR: In this article, a real-world hardware-assisted attack on the well-known A5/1 stream cipher is presented, which is still used to secure GSM communication in most countries all over the world.
Abstract: In this paper we present a real-world hardware-assisted attack on the well-known A5/1 stream cipher which is (still) used to secure GSM communication in most countries all over the world. During the last ten years A5/1 has been intensively analyzed [1,2,3,4,5,6,7]. However, most of the proposed attacks are just of theoretical interest since they lack practicability (due to strong preconditions, high computational demands and/or huge storage requirements) or have never been fully implemented. In contrast to these attacks, our attack, which is based on the work by Keller and Seitz [8], is running on an existing special-purpose hardware device, called COPACOBANA [9]. With the knowledge of only 64 bits of keystream the machine is able to reveal the corresponding internal 64-bit state of the cipher in about 6 hours on average. We provide a detailed description of our attack architecture as well as implementation results.

Patent
01 Feb 2008
TL;DR: In this article, the data disposal is managed on a file basis through the use of a plurality of internally generated file-specific cipher keys, which are managed through the aid of an internal key library.
Abstract: A data storage device (such as a magnetic disk drive) which has a built-in encryption function using a self-generated cipher key. The data storage device uses the cipher key to routinely encrypt the incoming data without instruction and/or control by the host system or other components that are external to the device and its dedicated controls (e.g., a disk drive controller card). The encryption function is a built-in function or self-contained function of the drive and/or its dedicated controller. To permanently delete the entire content of the drive, the cipher key is located and erased to render the ciphertext that is stored in the storage device unusable. In another embodiment of the present invention, the data disposal is managed on a file basis through the use of a plurality of internally generated file-specific cipher keys, which are managed through the aid of an internal key library.

Book ChapterDOI
01 Apr 2008
TL;DR: This work presents a design approach for hardware-oriented self-synchronizing stream ciphers and illustrates it with a concrete design called Moustique, intended as a research cipher and proves that the design approach can lead to concrete results.
Abstract: We present a design approach for hardware-oriented self-synchronizing stream ciphers and illustrate it with a concrete design called Moustique. The latter is intended as a research cipher: it proves that the design approach can lead to concrete results and will serve as a target for cryptanalysis where new attacks may lead to improvements in the design approach such as new criteria for the cipher building blocks.

Journal Article
TL;DR: In this article, the authors introduced a new framework and a generalization of the various flavors of related-key attacks, which allows for combining all the previous related-key attacks into a complex, but much more powerful attack.
Abstract: This paper introduces a new framework and a generalization of the various flavors of related-key attacks. The new framework allows for combining all the previous related-key attacks into a complex, but much more powerful attack. The new attack is independent of the number of rounds of the cipher. This property holds even when the round functions of the cipher use different subkeys. The strength of our new method is demonstrated by an attack on 4r-round IDEA, for any r. This attack is the first attack on a widely deployed block cipher which is independent of the number of rounds. The variant of the attack with r= 2 is the first known attack on 8-round IDEA.

Journal Article
TL;DR: In this paper, the authors combine the generic impossible differential attack against 5-round MISTY1 with the dedicated Slicing attack to mount an attack on 5 rounds with all the FL functions with time complexity of 2^46.45 simple operations.
Abstract: MISTY1 is a Feistel block cipher that received a great deal of cryptographic attention. Its recursive structure, as well as the added FL layers, have been successful in thwarting various cryptanalytic techniques. The best known attacks on reduced variants of the cipher are on either a 4-round variant with the FL functions, or a 6-round variant without the FL functions (out of the 8 rounds of the cipher). In this paper we combine the generic impossible differential attack against 5-round Feistel ciphers with the dedicated Slicing attack to mount an attack on 5-round MISTY1 with all the FL functions with time complexity of 2^46.45 simple operations. We then extend the attack to 6-round MISTY1 with the FL functions present, leading to the best known cryptanalytic result on the cipher. We also present an attack on 7-round MISTY1 without the FL layers.

Book ChapterDOI
01 Apr 2008
TL;DR: This chapter presents detailed hardware implementation results and performance metrics for the eSTREAM candidate stream ciphers remaining in the Phase 3 hardware profile, and some general guidance for future low resource hardware stream cipher development.
Abstract: This chapter presents detailed hardware implementation results and performance metrics for the eSTREAM candidate stream ciphers remaining in the Phase 3 hardware profile. Performance assessment has been made in accordance with the eSTREAM hardware testing framework in terms of power, area and speed. An attempt has been made to quantify the flexibility and scalability dimensions of performance. The results are presented in tabular and graphical format together with summarising the utility of the candidates against two notional applications: one for 10Mbps wireless network and a second for 100kHz RFID. Where applicable to a particular cipher, guidance on any limitations on the choice of key or IV is given. The chapter concludes with a summary of the performance of each of the candidates and some general guidance for future low resource hardware stream cipher development.