Recursive Linear and Differential Cryptanalysis of Ultra-lightweight Authentication Protocols
Zahra Ahmadian, z_ahmadian@sbu.ac.ir
Overview
- Lightweight systems
- Ultra-lightweight authentication protocols
- Recursive linear cryptanalysis: the Yeh et al. protocol
- Recursive differential cryptanalysis: the SASI protocol
RFID Technology
Radio Frequency IDentification (RFID) is a technology for the automatic unique identification or tracking of objects using wireless systems.
RFID Technology
- Widespread applications
- Regarded as the predecessor technology of ubiquitous computing
Security threats
Two main security concerns: privacy and authentication.
Ultra-lightweight Protocols
Ultra-lightweight environments:
- Typical tag: a few cents, 5-10k GE per tag (250-3000 GE available for security)
- For comparison: AES: 2400 GE; MD5: 8000 GE; SHA-3: 3000-5500 GE
Two approaches
- Using ultra-lightweight primitives: block ciphers and hash functions, and recently AE schemes.
- Using ultra-lightweight authentication protocols.
RFID authentication protocols
A classification of lightweight protocols (Chien 2007):
- Full-fledged class (e.g. elliptic-curve based): conventional cryptographic functions (symmetric encryption, cryptographic hash functions, or even public-key algorithms).
- Simple class (e.g. challenge-response based): random number generator and one-way hash function.
- Lightweight class (e.g. the HB family): random number generator and CRC checksum, but no hash functions.
- Ultra-lightweight class (e.g. SASI): simple bitwise operations only (XOR, AND, OR, modular addition, etc.).
General View of ULW Protocols
Common features
- Use of an index pseudonym IDS: the static identifier ID is never sent in the clear.
- Use of T-functions: XOR, modular addition, AND (and rotations).
- Desynchronization attack prevention: the party that updates its state first also keeps a backup of its previous state.
Recursive Linear Cryptanalysis
Recursive Linear Cryptanalysis
- Goal: determine all the unknown variables.
- Write a linear representation of the i-th bit of each message, involving known and unknown variables, and so obtain a system of linear equations for each bit i.
- Solve the systems of equations starting from the LSB: once the bits below i are known, the bit-i system is linear, so all secret bits are retrieved recursively from the LSB upward.
Recursive Linear Cryptanalysis
- Relies on the exclusive use of T-functions.
- T-function: a function in which bit i of the output depends only on bits 0, ..., i of the inputs (XOR, AND, OR and modular addition are T-functions; carries only propagate upward).
- This attack is completely different from the linear cryptanalysis of symmetric primitives [Matsui '93].
Yeh et al. Protocol (RFIDsec Asia '10)
Reader: ID. Tag: ID, (IDS, K).
If the received IDS is the new one: K = K, f = 0. If it is the old one: K = ID, f = 1.
RL Cryptanalysis of Yeh et al.
1. Determine all the unknown variables (static and dynamic secrets and nonces) for a single session.
RL Cryptanalysis of Yeh et al.
2. Find a linear representation of the i-th bit of each message. Define intermediate variables (carries or borrows). Try to find sufficiently many independent linear equations (for the case f = 1).
RL Cryptanalysis of Yeh et al.
3. Solve the systems of equations starting from the LSB.
Attack summary
- Passive
- Deterministic (P_success = 1)
- Requires only a single authentication session (with flag f = 1)
- Full disclosure of all secrets
Attack summary
| Attack | Type / assumption | Ref. |
| Full disclosure of ID | Passive, probabilistic, an average of 250 sessions | Peris-Lopez et al. (2010) |
| Traceability | Passive, advantage = 1/2 | Peris-Lopez et al. (2010) |
| Desynchronization | Active, man-in-the-middle | Avoine et al. (2011) |
| Full disclosure of ID | Passive, probabilistic, an average of 25 sessions | Avoine et al. (2011) |
| Full disclosure of all secrets | Passive, deterministic, a single session | Our attack |
Recursive Differential Cryptanalysis
RD Cryptanalysis
What should be done if the number of independent equations is smaller than the number of unknowns?
- Using the messages of one or more new sessions does not help by itself: every new session brings as many new unknown variables (or even more) as new equations.
- A more powerful attack is needed that can generate enough independent equations.
RD cryptanalysis basis
- The attacker forces the two parties to run new sessions in their previous state, which gives new equations without new secret variables.
- Only new nonces are generated in each session.
- The new nonces (usually) have a clear differential relation (XOR or modular addition) with the old ones.
- Demands a kind of active attacker, but a relatively weak one.
SASI Protocol (IEEE Transactions on Dependable and Secure Computing, 2007)
Reader: ID, (IDS, K1, K2). Tag: ID,
RD cryptanalysis of SASI
Phase 1. Data gathering
- Allow the two parties to run the first session.
- Block the last message of each of the next s sessions.
- Save all the messages of these sessions.
RD cryptanalysis of SASI
Phase 2. Secret recovery
1. Determine all the unknown variables (static and dynamic secrets and nonces) for the first session, and the new unknown variables (nonces only) for each further session d. Express clearly the (XOR or modular addition) differential relation of the nonces.
Unknowns: ID, K1, K2, n1, n2, n1', n2'
RD cryptanalysis of SASI
2. Write the linear expansion of bit i of an appropriate message of session d and of the first session. Their difference results in a linear equation involving bit i-1 of the secrets with random coefficients.
RD cryptanalysis of SASI
Differences of the bit representations result in:
RD cryptanalysis of SASI
Thus, for each differential pair of sessions, the bit representation of C:
RD cryptanalysis of SASI
3. With a sufficient number of sessions there is an overdetermined system of linear equations for each bit. Solve the systems of equations starting from the LSB.
RD cryptanalysis of SASI
All secret bits except the MSBs are retrieved. Wrong guesses of k1 and k2 are detected thanks to the redundant equations (a filtering property).
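The following is an added worked example (editor-written code, not the authors' implementation) that exercises both frameworks, the recursive linear step of the Yeh et al. section and the frozen-state replay idea of the RD section, on a constructed toy protocol that is neither Yeh et al. nor SASI. It assumes a word size `nbits`, shared secrets `ID` and `K`, one fresh reader nonce `n` per session, and three messages A = K xor n, B = (ID xor n) + K, C = ID + n (mod 2^nbits), built only from XOR and modular addition. SASI's data-dependent rotations (the source of the "random coefficients" and of the k1, k2 guesses) are not modelled. `rl_attack` shows that once the bits below i are fixed, the carries are constants and bit i of every message is affine in the bit-i unknowns, so one session with A, B, C is solved uniquely from the LSB. `rd_attack` shows the RD situation: with only A and B observed, each bit leaves one unknown free (2^nbits candidates from a single session); sessions replayed in the same state (last message blocked, so the tag never updates) add equations whose linear part is redundant but whose carries depend on the lower bits, so wrong lower-bit branches fail the redundant equations and are filtered out. The free MSB is never checked by a higher bit, which mirrors the "except the MSBs" caveat above.

```python
"""Recursive (LSB-first) cryptanalysis of a constructed toy T-function protocol.

Editor-written example: not the authors' code, and the toy protocol is neither
Yeh et al. nor SASI. Messages use only XOR and modular addition, i.e. T-functions:
bit i of an output depends only on bits 0..i of the inputs.
"""
from itertools import product


class Var:          # an unknown word (secret or nonce), referenced by name
    def __init__(self, name): self.name = name

class Const:        # a known word (e.g. the public IDS)
    def __init__(self, v): self.v = v

class Xor:
    def __init__(self, a, b): self.a, self.b = a, b

class Add:          # addition modulo 2**nbits
    def __init__(self, a, b): self.a, self.b = a, b


def value(e, mask, asg):
    """Evaluate e modulo 2**i (mask == 2**i - 1) from the recovered low bits in asg."""
    if isinstance(e, Var):
        return asg[e.name] & mask
    if isinstance(e, Const):
        return e.v & mask
    if isinstance(e, Xor):
        return value(e.a, mask, asg) ^ value(e.b, mask, asg)
    return (value(e.a, mask, asg) + value(e.b, mask, asg)) & mask


def linear_bit(e, i, asg):
    """Bit i of e as an affine form over GF(2): (names with coefficient 1, constant bit).
    The carry of each addition is a constant because it only depends on bits below i,
    which are already fixed in asg; this is what makes the attack recursive."""
    if isinstance(e, Var):
        return {e.name}, 0
    if isinstance(e, Const):
        return set(), (e.v >> i) & 1
    sa, ca = linear_bit(e.a, i, asg)
    sb, cb = linear_bit(e.b, i, asg)
    names, const = sa ^ sb, ca ^ cb          # x xor x = 0, so symmetric difference
    if isinstance(e, Add):
        mask = (1 << i) - 1
        const ^= (value(e.a, mask, asg) + value(e.b, mask, asg)) >> i   # carry into bit i
    return names, const


def recursive_solve(equations, unknowns, nbits):
    """equations: list of (expression, observed word). Returns every assignment
    {name: word} consistent with all equations, solving bit 0, then bit 1, ...
    A branch dies as soon as its bit-i system is inconsistent; because carries feed
    lower bits into higher equations, redundant equations filter wrong low bits."""
    def extend(i, asg):
        if i == nbits:
            yield dict(asg)
            return
        system = [(linear_bit(e, i, asg), (obs >> i) & 1) for e, obs in equations]
        for bits in product((0, 1), repeat=len(unknowns)):   # tiny system: enumerate it
            cand = dict(zip(unknowns, bits))
            if all((sum(cand[v] for v in names) & 1) ^ c == rhs
                   for (names, c), rhs in system):
                yield from extend(i + 1, {v: asg[v] | (cand[v] << i) for v in unknowns})
    return list(extend(0, {v: 0 for v in unknowns}))


def toy_protocol(nbits, ID, K, nonce):
    """Constructed toy protocol (assumed, not from the paper): shared secrets ID, K,
    a fresh reader nonce per session, and three messages on the air."""
    mask = (1 << nbits) - 1
    A = K ^ nonce
    B = ((ID ^ nonce) + K) & mask
    C = (ID + nonce) & mask
    return A, B, C


def rl_attack(nbits, A, B, C):
    """Recursive linear cryptanalysis of a single session. Per bit the rows of
    A, B, C are k+n, id+k+n, id+n: rank 3 in 3 unknowns, so every bit is unique."""
    ID, K, n = Var("ID"), Var("K"), Var("n")
    eqs = [(Xor(K, n), A), (Add(Xor(ID, n), K), B), (Add(ID, n), C)]
    return recursive_solve(eqs, ["ID", "K", "n"], nbits)


def rd_attack(nbits, sessions):
    """Recursive differential cryptanalysis when only A and B are observed.
    sessions: [(A, B), ...], all run in the same (ID, K) state, which the attacker
    gets by blocking the last message of each session so the tag never updates.
    One session leaves one free unknown per bit (2**nbits candidates); each extra
    session adds one nonce but two equations, and the redundant one constrains the
    carries, i.e. the bits below i."""
    ID, K = Var("ID"), Var("K")
    eqs, unknowns = [], ["ID", "K"]
    for j, (A, B) in enumerate(sessions):
        n = Var(f"n{j}")
        unknowns.append(n.name)
        eqs += [(Xor(K, n), A), (Add(Xor(ID, n), K), B)]
    return recursive_solve(eqs, unknowns, nbits)


if __name__ == "__main__":
    NBITS, ID, K = 8, 0xA7, 0x3C                    # constructed sample secrets
    NONCES = [0x5B, 0xE2, 0x19, 0x74]              # constructed sample nonces
    print("RL, one session:", rl_attack(NBITS, *toy_protocol(NBITS, ID, K, NONCES[0])))
    for s in (1, 2, 4):
        obs = [toy_protocol(NBITS, ID, K, x)[:2] for x in NONCES[:s]]
        print(f"RD, {s} frozen-state session(s): {len(rd_attack(NBITS, obs))} candidates")
```

With the sample values the single A/B session yields exactly 2^8 = 256 candidates, and because the first two sample nonces differ in their LSB, the wrong bit-0 branch is refuted by the bit-1 equations of the replayed sessions, halving the candidate set at once; what remains after more sessions shrinks probabilistically, never below the two assignments that differ only in the unchecked MSB.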
RD cryptanalysis of SASI
Probability analysis: how many sessions are required for a reliable full-disclosure attack?
RD cryptanalysis of SASI
(Figure: comparison of the theoretical and experimental probability of success.)
Attack summary
- Active (the attacker only blocks some messages)
- Probabilistic
- Requires 13 authentication sessions (for more than 96% reliability)
- Full disclosure of all secrets
Attack summary
| Attack | Type / assumption | Ref. |
| Full disclosure of all secrets | Active, probabilistic, an average of 240 sessions | D'Arco et al. (2011) |
| Desynchronization | Active, deterministic, an average of n/2 sessions | D'Arco et al. (2011) |
| Traceability | Recovers the last bit of ID, advantage = 1/4 | Phan (2008) |
| | Active, deterministic, three sessions | Sun et al. (2009) |
| Full disclosure of ID | Passive, probabilistic, an average of 217 sessions | Avoine et al. (2010) |
| Full disclosure of all secrets | Active, probabilistic, an average of 13 sessions | Our attack |
More Results
Conclusions
- Two frameworks for the cryptanalysis of ULW protocols were proposed.
- Keeping the previous state combined with the exclusive use of T-functions (ARX-style schemes) is not recommended.
- Using lightweight primitives instead seems safer.
Thanks for your attention