new mobile phone algorithms a real ... - skew2011.mat.dtu…skew2011.mat.dtu.dk/slides/steve...
TRANSCRIPT
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
1 LTE algorithms, for SKEW 2011 17 Feb 2011
New mobile phone algorithms –a real world story
Steve Babbage
Vodafone Group R&D
17 February 2011
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
2 LTE algorithms, for SKEW 2011 17 Feb 2011
Standards groups
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
3 LTE algorithms, for SKEW 2011 17 Feb 2011
First generation
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
4 LTE algorithms, for SKEW 2011 17 Feb 2011
GSM security architecture
SIM
RAND, XRES, KCRAND
AKA
KCXRES
RESRES = XRES? Encryption
algorithm
A5
KC
RAND
AKA
RES
Ki
Home
network
Visited
network
KC
ENCRYPT USING KC
Ki
RANDAuthentication
and cipher key
generation algorithm
A3/A8
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
5 LTE algorithms, for SKEW 2011 17 Feb 2011
GSM security limitations
> Key length
> One-way authentication
> Unprotected signalling
> A5/1, A5/2
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
6 LTE algorithms, for SKEW 2011 17 Feb 2011
UMTS security architecture (slightly simplified)
SIM
RAND, XRES, CK,
IK, SQN, MACRAND, SQN, MAC
CKXRES
RESRES = XRES?
CK, IK
Authentication
and key agreement
algorithm f1–f5
Encryption algorithm UEA,
integrity algorithm UIA
Home
network
Visited
network
ENCRYPT USING CK
INTEGRITY PROTECT USING IK
RAND SQN
IKMAC
CKXRES
RAND SQN
IKMAC
K
K
Check SQN
Check MAC
AKA
AKA
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
7 LTE algorithms, for SKEW 2011 17 Feb 2011
First UMTS algorithms, UEA1 / UIA1
KASUMI
(CK)
BLKCTR = 0
BLKCTR = 1 BLKCTR = 2 BLKCTR = n
A
KASUMI
(CK)
KASUMI
(CK)
KASUMI
(CK)
KASUMI
(CK)
KASUMI
(CK)
KASUMI
(CK)
BLKCTR = 0
BLKCTR = 1 BLKCTR = 2 BLKCTR = n
A
KASUMI
(CK)
KASUMI
(CK)
KASUMI
(CK)
KASUMI
(CK)
KASUMI
(CK)
KASUMI
(CK)
KASUMI
(CK)
KASUMI
(CK)
KASUMI
(IK)
KASUMI
(IK)
First 64 bits Second 64 bits Last 64 bits
KASUMI
(IK)
KASUMI
(IK)
KASUMI
(IK)
KASUMI
(IK)
Third 64 bits
KASUMI
(IK)
KASUMI
(IK)
KASUMI
(IK)
KASUMI
(IK)
MAC (left 32 bits)
A5/3 ≈ UEA1(but 64-bit key)
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
8 LTE algorithms, for SKEW 2011 17 Feb 2011
So now we can replace A5/1 with A5/3 …Im
age fro
m h
ttp://w
ww
.elk
om
as.lt/
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
9 LTE algorithms, for SKEW 2011 17 Feb 2011
Second UMTS algorithms, UEA2 / UIA2
> SNOW 3G
– Why not AES?
– Why not SNOW 2.0?
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
10 LTE algorithms, for SKEW 2011 17 Feb 2011
LTE security architecture (part 1)
SIM
RAND, XRES, CK, IK,
SQN, MAC, KASMERAND, SQN, MAC
CK
AKA
XRES
RESRES = XRES?
CK, IK
Authentication
and key agreement
algorithm f1–f5
Home
network
Visited
network
RAND SQN
IKMAC
CK
AKA
XRES
RAND SQN
IKMAC
K
K
Check SQN
Check MAC
PLMNID
KASMEPLMNID
KASME
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
11 LTE algorithms, for SKEW 2011 17 Feb 2011
GSM security limitations
> Key length
> One-way authentication
> Unprotected signalling
> A5/1, A5/2
> Same key regardless of algorithm choice
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
12 LTE algorithms, for SKEW 2011 17 Feb 2011
LTE security architecture (part 2)
SIM
Home
network
Visited
network
KASME
ALGID
Kα
ALGID
Kβ
ALGID
Kγ
ALGID
Kδ
Kε
ALGID
KASME
ALGID
Kα
ALGID
Kβ
ALGID
Kγ
ALGID
Kδ
Kε
ALGID
MOBILITY
SIGNALLING:
ENCRYPT USING Kα
INTEGRITY PROTECT
USING Kβ
RADIO RESOURCE
SIGNALLING:
ENCRYPT USING Kγ
INTEGRITY PROTECT
USING Kδ
USER PLANE:
ENCRYPT USING Kε
Encryption
algorithm EEA,
integrity
algorithm EIA
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
13 LTE algorithms, for SKEW 2011 17 Feb 2011
Original LTE algorithms (from day one)
> Based on SNOW-3G
– 128-EEA1: straightforward stream cipher use
– 128-EIA1: polynomial evaluation UHF
– Identical to UMTS algorithms
> Could have been based on Kasumi or AES; chose AES
– 128-EEA2: AES in counter mode
– 128-EIA2: AES in CMAC mode
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
14 LTE algorithms, for SKEW 2011 17 Feb 2011
The designers
DACAS:
Data Assurance and communication
security research center,
Chinese Academy of Sciences
Dongdai Lin
Xiutao Feng
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
15 LTE algorithms, for SKEW 2011 17 Feb 2011
Plan AM
ay
Jun
Ju
l
Aug
Se
p
Oct
Nov
De
c
Jan
Feb
Mar
Apr
May
Jun
Jul
Aug
Sep
Oct
Nov
Dec
Jan
Feb
2009 2010
Mar
Apr
May
Jun
Jul
2011
SAGE
evaluation
Paid expert
team
evaluationAlgorithm
acceptance
(hopefully)
Public
evaluation
Under NDA
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
16 LTE algorithms, for SKEW 2011 17 Feb 2011
Plan BM
ay
Jun
Ju
l
Aug
Se
p
Oct
Nov
De
c
Jan
Feb
Mar
Apr
May
Jun
Jul
Aug
Sep
Oct
Nov
Dec
Jan
Feb
2009 2010
Mar
Apr
May
Jun
Jul
2011
SAGE
evaluation
Paid expert
team
evaluationAlgorithm
acceptance
(hopefully)
Public
evaluation
Agree and
sign NDA
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
17 LTE algorithms, for SKEW 2011 17 Feb 2011
Take your time
Advanced Encryption Standard process
From Wikipedia, the free encyclopedia
Start of the process
On January 2, 1997, NIST announced that they wished to choose a successor to DES to be known as AES ….
The result of this feedback was a call for new algorithms on September 12, 1997
Rounds one and two
In the nine months that followed, fifteen different designs were created and submitted ….
NIST held two conferences to discuss the submissions (AES1, August 1998 and AES2, March 1999), and in August 1999 they announced that they were narrowing the field from fifteen to five ….
… AES3 conference in April 2000 ….
Selection of the winner
On October 2, 2000, NIST announced that Rijndael had been selected as the proposed AES ….
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
18 LTE algorithms, for SKEW 2011 17 Feb 2011
Encryption
PLAINTEXT
BLOCK
EEA
COUNT DIRECTION
BEARER LENGTH
KEY
KEYSTREAM
BLOCK
CIPHERTEXT
BLOCK
EEA
COUNT DIRECTION
BEARER LENGTH
KEY
KEYSTREAM
BLOCK
PLAINTEXT
BLOCK
Sender
Receiver
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
19 LTE algorithms, for SKEW 2011 17 Feb 2011
Integrity
EIAKEY
COUNT
BEARER
DIRECTION
LENGTH
MESSAGE
MAC-ISender
EIAKEY
COUNT
BEARER
DIRECTION
LENGTH
MESSAGE
XMAC-IReceiver
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
20 LTE algorithms, for SKEW 2011 17 Feb 2011
ZUC – named after Zu Chongzhi
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
21 LTE algorithms, for SKEW 2011 17 Feb 2011
ZUC
One of these words
mixed into LFSR
during nonlinear
initialisation
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
22 LTE algorithms, for SKEW 2011 17 Feb 2011
Encryption algorithm 128-EEA3
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
23 LTE algorithms, for SKEW 2011 17 Feb 2011
Integrity algorithm 128-EIA3
Universal
Hash Function
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
24 LTE algorithms, for SKEW 2011 17 Feb 2011
Initial SAGE evaluation
> Fit for purpose
> Smells OK
– Must be not just strong, but free of suspicion
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
25 LTE algorithms, for SKEW 2011 17 Feb 2011
Plan BM
ay
Jun
Ju
l
Aug
Se
p
Oct
Nov
De
c
Jan
Feb
Mar
Apr
May
Jun
Jul
Aug
Sep
Oct
Nov
Dec
Jan
Feb
2009 2010
Mar
Apr
May
Jun
Jul
2011
SAGE
evaluation
Paid expert
team
evaluationAlgorithm
acceptance
(hopefully)
Public
evaluation
Agree and
sign NDA
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
26 LTE algorithms, for SKEW 2011 17 Feb 2011
Plan CM
ay
Jun
Ju
l
Aug
Se
p
Oct
Nov
De
c
Jan
Feb
Mar
Apr
May
Jun
Jul
Aug
Sep
Oct
Nov
Dec
Jan
Feb
2009 2010
Mar
Apr
May
Jun
Jul
2011
Paid expert
team
evaluationAlgorithm
acceptance
(hopefully)
Public
evaluation
Agree and
sign NDA
Expert team
contract
SAGE
evaluation
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
27 LTE algorithms, for SKEW 2011 17 Feb 2011
External expert team evaluation
> Codes and Ciphers Limited
– Carlos Cid, Sean Murphy, Fred Piper, Matthew Dodd
> Alice and Bob Technologies
– Lars Knudsen, Bart Preneel, Vincent Rijmen
> Several corrections / improvements to existing evaluation
> All standard attack types considered – all seem unlikely to succeed
> Strength inherited from SNOW-like construction
> Some components not fully explained
> Like most UHF MACs – not robust against nonce reuse
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
28 LTE algorithms, for SKEW 2011 17 Feb 2011
Conclusion of the SAGE and paid evaluation
> Transparency is vital –nothing suspicious
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
29 LTE algorithms, for SKEW 2011 17 Feb 2011
Plan CM
ay
Jun
Ju
l
Aug
Se
p
Oct
Nov
De
c
Jan
Feb
Mar
Apr
May
Jun
Jul
Aug
Sep
Oct
Nov
Dec
Jan
Feb
2009 2010
Mar
Apr
May
Jun
Jul
2011
Paid expert
team
evaluationAlgorithm
acceptance
(hopefully)
Public
evaluation
Agree and
sign NDA
Expert team
contract
SAGE
evaluation
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
30 LTE algorithms, for SKEW 2011 17 Feb 2011
Plan DM
ay
Jun
Ju
l
Aug
Se
p
Oct
Nov
De
c
Jan
Feb
Mar
Apr
May
Jun
Jul
Aug
Sep
Oct
Nov
Dec
Jan
Feb
2009 2010
Mar
Apr
May
Jun
Jul
2011
Paid expert
team
evaluation
Go
public
Public
evaluation
Agree and
sign NDA
Expert team
contractAlgorithm
acceptance
(hopefully)SAGE
evaluation
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
31 LTE algorithms, for SKEW 2011 17 Feb 2011
Crypto rump session
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
32 LTE algorithms, for SKEW 2011 17 Feb 2011
IACR newsletter
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
33 LTE algorithms, for SKEW 2011 17 Feb 2011
The ZUC Forum
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
34 LTE algorithms, for SKEW 2011 17 Feb 2011
The first post
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
35 LTE algorithms, for SKEW 2011 17 Feb 2011
Questions
> Why not AES?
> Why not eStream?
> ―Chinese algorithm‖ means China can break it?
> Is there something wrong with the other LTE algorithms?
> What happens now to the other LTE algorithms?
> Why does China get this special privilege?
> If every other country insists on a home-grown algorithm, will every LTE phone have to support 200 algorithms?
> Authenticated encryption?
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
36 LTE algorithms, for SKEW 2011 17 Feb 2011
ZUC-10 Workshop
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
37 LTE algorithms, for SKEW 2011 17 Feb 2011
Loss of entropy in initialisation (1)
Z mixed into LFSR
during nonlinear
initialisation
Matthew Dodd (private communication)
Bing Sun et al (ZUC workshop)
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
38 LTE algorithms, for SKEW 2011 17 Feb 2011
Loss of entropy in initialisation (2)
Hongjun Wu et al (AsiaCrypt rump
session, IACR ePrint archive)
s16 = f z
If s16 = 0, set s16 = 231-1
Whatever f is …
… z = 231-1-f gives the same result as z = f
Two IVs → colliding state
z
f
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
39 LTE algorithms, for SKEW 2011 17 Feb 2011
Forgery attack on EIA3
0
Fuhr/Gilbert/Reinhard/Videau (ZUC
workshop, IACR ePrint archive)
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
40 LTE algorithms, for SKEW 2011 17 Feb 2011
New versions
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
41 LTE algorithms, for SKEW 2011 17 Feb 2011
Plan DM
ay
Jun
Ju
l
Aug
Se
p
Oct
Nov
De
c
Jan
Feb
Mar
Apr
May
Jun
Jul
Aug
Sep
Oct
Nov
Dec
Jan
Feb
2009 2010
Mar
Apr
May
Jun
Jul
2011
Paid expert
team
evaluation
Go
public
Public
evaluation
Agree and
sign NDA
Expert team
contractAlgorithm
acceptance
(hopefully)SAGE
evaluation
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
42 LTE algorithms, for SKEW 2011 17 Feb 2011
Plan EM
ay
Jun
Ju
l
Aug
Se
p
Oct
Nov
De
c
Jan
Feb
Mar
Apr
May
Jun
Jul
Aug
Sep
Oct
Nov
Dec
Jan
Feb
2009 2010
Mar
Apr
May
Jun
Jul
2011
Paid expert
team
evaluation
Go
public
Public
evaluation
Agree and
sign NDA
Expert team
contract
Algorithm
revision
Algorithm
acceptance
(hopefully)
Public
evaluation
Algorithm
acceptance
(hopefully)SAGE
evaluation
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
43 LTE algorithms, for SKEW 2011 17 Feb 2011
Thank you
http://zucalg.forumotion.net/
http://gsmworld.com/our-work/programmes-and-initiatives/fraud-and-security/gsm_security_algorithms.htm
or http://tinyurl.com/33ezbmj
C1 - UnrestrictedVersion 1.0Vodafone Group R&D
44 LTE algorithms, for SKEW 2011 17 Feb 2011
f8 construction for UMTS
> Note: a single frame of UMTS keystream will contain no more than 20000 bits (so 312 64-bit blocks)
– Pre-whitening constant is fixed within a frame, different for different frames
> Pre-whitening constant prevents known input/output pairs for single KASUMI
> Simple OFB mode allows short cycles — unlikely, but bad if they do happen
> Pre-whitening plus simple counter mode gives distinguisher with 232 keystream blocks:
– e.g. if A is pre-whitening constant and C is block counter, if [A C] = [A’ C’] then likely that [A (C + d)] = [A’ (C’ + d)] for some small d
> Simple counter mode without pre-whitening also gives 232-block distinguisher:
– No collisions
> With the f8 construction, and individual frames limited to 312 64-bit blocks, the only distinguishers we found needed substantially more than 232 blocks
– In fact, more than 232 frames — and frame counter COUNT is only 32 bits anyway