Cryptoppt

Cryptanalysis of GSM stream cipher A5/1

Published in: Technology, Education

  1. 1. CONTENTS OVERVIEW Keystream Generation Instant Ciphertext only Attack on A5/1-Barkan ,Biham Instant Ciphertext only CRYPTANALYSIS OF A5/1 Submitted by: Meenakshi Tripathi(113350005) Guide: Prof. Saravanan Vijayakumaran Electrical Engineering Indian Institute of Technology Bombay Mumbai-400076 Meenakshi Tripathi IIT Bombay
  2. 2. CONTENTS: Overview of A5/1 GSM Cipher (1. LFSR (Linear Feedback Shift Register); 2. A5/1 Description); Man-in-the-middle Attack: Barkan, Biham; Time-Memory Tradeoff: Golic; Real-Time Cryptanalysis on PC: Biryukov, Shamir, Wagner; Correlation Attack: Ekdahl and Johansson; Comparison; References
  3. 3. LFSR of A5/1: The LFSR structure used in GSM is as shown. Figure: LFSR of A5/1
  4. 4. A5/1 Description

      | LFSR number | Length in bits | Feedback polynomial | Clocking bit | Tapped bits |
      |---|---|---|---|---|
      | 1 | 19 | $x^{19} + x^{18} + x^{17} + x^{14} + 1$ | 8 | 13, 16, 17, 18 |
      | 2 | 22 | $x^{22} + x^{21} + 1$ | 10 | 20, 21 |
      | 3 | 23 | $x^{23} + x^{22} + x^{21} + x^{8} + 1$ | 10 | 7, 20, 21, 22 |
  5. 5. Steps for Key Generation: (1) All 3 registers are zeroed. (2) 64 cycles (regular clocking): R[0] = R[0] ⊕ Kc[i]. (3) 22 cycles (regular clocking): R[0] = R[0] ⊕ Fc[i]. (4) 100 cycles (majority-rule clocking), output discarded. (5) 228 cycles (majority-rule clocking) to produce the output bit sequence.
  6. 6. Keystream Generation. Figure: LFSR of A5/1
  7. 7. Keystream Generation. Figure: LFSR of A5/1
  8. 8. Keystream Generation. Figure: LFSR of A5/1
  9. 9. Keystream Generation. Figure: LFSR of A5/1
  10. 10. Instant Ciphertext-only Attack on A5/1: Based on a flaw in the GSM protocol: the same key is used for A5/1, A5/2 and GPRS. A5/1 is attacked in three ways: (a) Man-in-the-middle attack: the attacker impersonates the network to the user and the user to the network. (b) Classmark attack: the classmark bit information sent by the mobile is changed by a man-in-the-middle. (c) Impersonating the network for a short radio session with the mobile.
  11. 11. Instant Ciphertext-only Attack on A5/1: The attack has 3 main steps: (1) Known-plaintext attack on A5/2 to recover the initial key. It is algebraic in nature and works by solving an overdefined system of quadratic equations. (2) Improving the known-plaintext attack to a ciphertext-only attack, based on the fact that GSM employs ECC before encryption. (3) Active attack on A5/1: leveraging the attack on A5/2 into an active attack on A5/1.
  12. 12. Structure of A5/2: A5/2 is a much weaker cipher, used as the base for the man-in-the-middle attack on A5/1. A5/2 has 4 LFSRs, R1, R2, R3 and R4, of length 19, 22, 23 and 17. R4 controls the clocking of the other three registers with bits R4[3], R4[7] and R4[10]. The output is the XOR of the majority output of the 3 registers and the MSB of each register. One bit of each register is forced to be 1 after initialisation.
  13. 13. LFSR of A5/2: The LFSR structure of A5/2 is as shown. $\mathrm{maj}(a, b, c) = a \cdot b + b \cdot c + c \cdot a$
  14. 14. Known plaintext attack on A5/2: Total number of equations required: R1 has 18 variables and (17 ∗ 18)/2 = 153 quadratic terms; R2 has 21 + (21 ∗ 20)/2 = 220 and R3 has 22 + (22 ∗ 21)/2 = 253; in all 655 variables. 61 variables form the initial state of R1, R2 and R3. Each frame gives 114 equations, and a few such frames can give 655 equations. Frame numbers differ in just one bit, so the required number of equations can be formulated in terms of the initial state of one frame, say $V_f$.
  15. 15. Steps to Determine Initial State: All the $2^{16}$ possible values of R4 are tried, and for each the system of equations is solved to get the internal state of R1, R2 and R3. Since R4 is known, the number of times each register needs to be clocked to produce the output bit is known. The $2^{16} - 1$ wrong states are identified by inconsistencies in Gauss elimination. The result is verified by trial encryptions.
  16. 16. Optimise: Use a pre-computed system of equations for each value of R4. For a given R4 value, store the linearly dependent (LD) rows found by Gauss elimination. Check the data for the same dependencies and discard R4 values which don't have the same LD rows.
  17. 17. Cryptanalysis of alleged A5 Stream cipher (Golic): Based on solving a system of linear equations. Guess n clock-controlling bits from each of the LFSRs (3n equations). On average 4n/3 steps of the clocking sequence are then known, hence 4n/3 equations on the register contents. The first output bit is the parity of the MSBs of the 3 LFSRs, so 1 more equation is obtained. The maximum possible n is 10, hence 30 + 40/3 + 1 = 44.33 equations are known.
  18. 18. Cryptanalysis of alleged A5 Stream cipher (Golic): Build a tree with the valid options corresponding to the 3 inputs to the majority clock-control function. There are 5 branches per node, so on average 2.5 valid options for each path. By exhaustive search, on average 1/2 of the values are considered to get the remaining bits. The initial state s[0] is obtained from s[101] by guessing the number of 1's in the clocking sequence. Check the state by generating s[101] again.
  19. 19. Time-memory Tradeoff (Golic): Known-plaintext case: each sequence (228 bits) gives 102 blocks of 64 bits. K frames give 102·K keystream blocks. M 64-bit initial states are stored in a table, sorted w.r.t. the output bits produced. Precomputation time is O(M); the time required for sorting is M log M, approximately M.
  20. 20. Time-memory Tradeoff (Golic): By the birthday paradox, at least one of the 102·K keystream blocks in the sample is likely to coincide with one of the output blocks in the table when $102 \cdot K \cdot M > 2^{63.32}$. Let the time T to find the keystream block be 102·K; then a TMTO is possible if $T \cdot M > 2^{63.32}$ and $T < 102 \cdot 2^{22}$.
  21. 21. Real Time cryptanalysis of A5/1 on PC (Biryukov, Shamir, Wagner): Disk access is time consuming, so store on disk only special states which produce output bits with a particular pattern alpha of length k = 16. States which produce an output sequence starting with a given alpha are easily generated.
  22. 22. Real Time cryptanalysis of A5/1 on PC (Biryukov, Shamir, Wagner): During precomputation, store (prefix, state) pairs in sorted order for a subset of chosen states. The total number of states which generate this alpha as output prefix is $2^{64} \cdot 2^{-16} = 2^{48}$. Search the output for occurrences of the output prefixes in all partially overlapping prefixes. In a frame, bit positions 1 to 177 are taken to get a sufficiently long prefix of, say, 35 bits after alpha.
  23. 23. Real Time cryptanalysis of A5/1 on PC (Biryukov, Shamir, Wagner): Red states are the states which produce output bits starting with alpha; R is approximately $2^{48}$. Green states are the states which produce output bits with alpha anywhere in between 101 to 277 bits; G is $177 \cdot 2^{48}$. The weight W(s) of a tree with a red state as root is defined as the number of green states in its belt.
  24. 24. Real Time cryptanalysis of A5/1 on PC (Biryukov, Shamir, Wagner): Trees of Red and Green states. Figure: LFSR of A5/1
  25. 25. Real Time cryptanalysis of A5/1 on PC (Biryukov, Shamir, Wagner): Red states are kept on the disk, and collisions with their prefixes are checked for. Green states contain alpha and can act as the initial state in that frame. Store only heavy trees, and discard the parasitic red states by comparing the sequence produced with the output beyond the occurrence of alpha; this reduces the candidate states. Further reduction is obtained by using the exact depth of the occurrence of alpha.
  26. 26. Basic Correlation Attack: Known-plaintext attack: N bits known from m frames. Independent of the length of the LFSRs. Depends on the number of clockings before the output is generated. Exploits bad key initialisation: the key and the frame counter are initialised in a linear fashion. Breaks A5/1 in a few minutes with 2-5 min of plaintext.
  27. 27. Notation: $u^i_t = s^i_t + \bar{f}^i_t,\ t \ge 0$. $P(s^1_{76} + s^2_{76} + s^3_{76} = O^j_{(76,76,76,1)}) = P(\text{assumption correct}) \cdot 1 + P(\text{assumption not correct}) \cdot 1/2$. Generalising over m frames gives one bit of information.
  28. 28. Steps of Attack: Calculate the probability of clocking (cl1, cl2, cl3) in the v-th position. Consider an interval I for v where the probability of occurrence of v is non-zero. Enhance the estimate by generalising the value of the linear combination using m frames. Finally, estimate the linear combination of key bits with a simple hard decision. One interval of 8 bits, e.g. (79, 80, 81, ..., 86), gives 8 + 8 + 8 = 24 bits of information on the key K. Consider 3 such sub-intervals to get 72 bits, more than the 64 needed.
  29. 29. Comparison of Various Attacks

      | Attack | Type | Precomputation | Analysis complexity | Data complexity | Memory complexity |
      |---|---|---|---|---|---|
      | Golic [1] | TMTO | $2^{35.65}$ | $2^{27.67}$ | $2^{28.8}$ | 862 GB |
      | Barkan, Biham [4] | Man in the middle | Nil | $2^{47}$ | Ciphertext only | $M = 2^{28.8}$ |
      | Biryukov, Shamir [3] | TMTO | $2^{48}$ | 2 minutes | $2^{14.7}$ | 146 GB |
      | Biham, Dunkelman [2] | TMTO | $2^{38}$ | $2^{39.91}$ | $2^{20.8}$ | 32 GB |
  30. 30. References
      [1] J. Golic. Cryptanalysis of Alleged A5 Stream Cipher.
      [2] Biham and Dunkelman. Cryptanalysis of the A5/1 GSM Stream Cipher.
      [3] Biryukov, Shamir, and Wagner. Real Time Cryptanalysis of A5/1 on a PC.
      [4] Barkan, Biham, and Keller. Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communications.
      [5] Ekdahl and Johansson. Another Attack on A5/1.
      [6] Maximov, Johansson, and Babbage. An Improved Correlation Attack on A5/1.
      [7] Barkan and Biham. Conditional Estimators: An Effective Attack on A5/1.
      [8] Wikipedia, http://www.wikipedia.org.
  31. 31. Thank You
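
The key generation procedure on slide 5 and the linear initialisation that slide 26 says the correlation attack exploits, worked through as an added example (not code from the slides or the cited papers). The register parameters come from the table on slide 4; the least-significant-bit-first loading order and the sample key and frame numbers are assumptions made for this sketch.

```python
# Added example: A5/1 as parameterised on slide 4 (length, clocking bit, tapped bits).
REGS = ((19, 8, (13, 16, 17, 18)),
        (22, 10, (20, 21)),
        (23, 10, (7, 20, 21, 22)))

def step(reg, spec):
    """Clock one LFSR: XOR the tapped bits and shift the result into bit 0."""
    length, _, taps = spec
    fb = 0
    for t in taps:
        fb ^= (reg >> t) & 1
    return ((reg << 1) & ((1 << length) - 1)) | fb

def load(bits, state=(0, 0, 0)):
    """Regular clocking: step all three registers, then XOR the input bit into R[0]."""
    for b in bits:
        state = tuple(step(r, s) ^ b for r, s in zip(state, REGS))
    return state

def linear_state(kc, fn):
    """State after the 64 key cycles and the 22 frame cycles of slide 5.
    Assumption: Kc and the frame number are fed least significant bit first."""
    bits = [(kc >> i) & 1 for i in range(64)] + [(fn >> i) & 1 for i in range(22)]
    return load(bits)

def majority_clock(state):
    """Step only the registers whose clocking bit equals the majority value."""
    c = [(r >> s[1]) & 1 for r, s in zip(state, REGS)]
    maj = int(sum(c) >= 2)
    return tuple(step(r, s) if ci == maj else r for r, s, ci in zip(state, REGS, c))

def keystream(kc, fn):
    """100 discarded cycles, then 228 output bits (XOR of the three top bits)."""
    state = linear_state(kc, fn)
    out = []
    for cycle in range(100 + 228):
        state = majority_clock(state)
        if cycle >= 100:
            out.append(sum((r >> (s[0] - 1)) & 1 for r, s in zip(state, REGS)) & 1)
    return out

def xor_states(a, b):
    """Bitwise XOR of two (R1, R2, R3) register triples."""
    return tuple(x ^ y for x, y in zip(a, b))

KC = 0x0123456789ABCDEF   # constructed sample key, not from the slides
F1, F2 = 0x134, 0x135     # constructed frame numbers differing in one bit
# The state difference between two frames does not depend on the key at all.
assert xor_states(linear_state(KC, F1), linear_state(KC, F2)) == linear_state(0, F1 ^ F2)
```

Because every operation before the majority-clocked phase is a shift or an XOR, the loaded state splits into a key part and a frame part, which is the property the notation on slide 27 builds on.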
