Recursive Linear and Differential Cryptanalysis of Ultra-lightweight Authentication Protocols. Zahra Ahmadian, z_ahmadian@sbu.ac.ir


1 Recursive Linear and Differential Cryptanalysis of Ultra-lightweight Authentication Protocols. Zahra Ahmadian, z_ahmadian@sbu.ac.ir

2 Overview
Lightweight systems. Ultra-lightweight authentication protocols. Recursive linear cryptanalysis (Yeh et al. protocol). Recursive differential cryptanalysis (SASI protocol).

3 RFID Technology. Radio Frequency IDentification (RFID) is a technology for the automatic unique identification or tracking of objects using wireless systems.

4 RFID Technology
Widespread applications; regarded as the predecessor technology of ubiquitous computing.

5 Security threats. Two main security concerns: privacy and authentication.

6 Ultra-lightweight Protocols
Ultra-lightweight environments. Typical: a few cents per tag, 5-10k GE per tag ( GE available for security). For comparison: AES: 2400 GE, MD5: 8000 GE, SHA-3: GE.

7 Two approaches. (1) Using ultra-lightweight primitives: block ciphers and hash functions, and recently AE (authenticated encryption) schemes. (2) Using ultra-lightweight authentication protocols.

8 RFID authentication protocols
A classification of lightweight protocols (Chien 2007):
Full-fledged class (e.g. elliptic-curve based): conventional cryptographic functions (symmetric encryption, cryptographic hash functions, or even public-key algorithms).
Simple (e.g. challenge-response based): random number generator and one-way hash function.
Lightweight (e.g. the HB family): random number generator and CRC checksum, but no hash functions.
Ultra-lightweight (e.g. SASI): simple bitwise operations only (XOR, AND, OR, modular addition, etc.).

9 General View of ULW Protocols

10 Common features. Use of an index pseudonym IDS: the static identifier ID is never sent in the clear. Use of T-functions: XOR, modular addition, AND (and rotations). Desynchronization attack prevention: the party that first updates its state also keeps a backup of its previous state.

11 Recursive Linear Cryptanalysis

12 Recursive Linear Cryptanalysis
1. Determine all the unknown variables. 2. Write a linear representation of the ith bit of each message involving known and unknown variables, giving a system of linear equations for each bit i. 3. Solve the systems of equations recursively, starting from the LSB, which retrieves all secret data bits.

13 Recursive Linear Cryptanalysis
Exclusive use of T-functions. T-function: a function whose ith output bit depends only on input bits 0 to i, so bit i can be solved once bits 0 to i-1 are known. This attack is completely different from the linear cryptanalysis of symmetric primitives [Matsui'93].

14 Yeh et al. Protocol (RFIDSec Asia '10)
Reader: ID, Tag: ID, (IDS, K). If IDS is new: K = K, f = 0. If IDS is old: K = ID, f = 1.

15 RL Cryptanalysis of Yeh et al.
1. Determine all the unknown variables (static and dynamic secrets and nonces) for a single session.

16 RL Cryptanalysis of Yeh et al.
2. Find a linear representation of the ith bit of each message. Define intermediate variables (carries or borrows). Try to find sufficiently many independent linear equations. (For the case )

17 RL Cryptanalysis of Yeh et al.

18 RL Cryptanalysis of Yeh et al.
3. Solve the systems of equations starting from the LSB.

19 Attack summary
Passive. Deterministic (P_success = 1). Requires only a single authentication session (flag = 1). Full disclosure of all secrets.

20 Attack summary
Attack type | Assumption | Ref.
Full disclosure of ID | Passive, probabilistic, an average of 250 sessions | Peris-Lopez et al. (2010)
Traceability | Passive, advantage = 1/2 |
Desynchronization | Active, man-in-the-middle | Avoine et al. (2011)
| Passive, probabilistic, an average of 25 sessions |
Full disclosure of all secrets | Passive, deterministic, a single session | Our attack

21 Recursive Differential Cryptanalysis

22 RD Cryptanalysis
What should be done if the number of independent equations is smaller than the number of unknowns? Using the messages of one or more new sessions brings as many new unknown variables as new equations, or even more. A more powerful attack that can generate enough independent equations is needed.

23 RD cryptanalysis basis
The attacker forces the two parties to run new sessions in their previous state, giving new equations without new variables: only new nonces are generated in each session, and the new nonces (usually) have a clear differential relation (XOR or modular addition) with the old ones. This demands a kind of active attacker, but a relatively weak one.

24 SASI Protocol (IEEE Transactions on Dependable and Secure Computing, 2007)
Reader: ID, (IDS, K1, K2). Tag: ID,

25 RD cryptanalysis of SASI
Phase 1. Data gathering. Allow the two parties to run the first session. Block the last message of each of the next s sessions, so the parties stay in the same state. Save all the messages of these sessions.

26 RD cryptanalysis of SASI
Phase 2. Secret recovery. 1. Determine all the unknown variables (static and dynamic secrets and nonces) for . Determine also the new unknown variables (nonces only) for d. Express clearly the (XOR or modular addition) differential relation between the nonces. Unknowns: ID, K1, K2, n1, n2, n1', n2'.

27 RD cryptanalysis of SASI

28 RD cryptanalysis of SASI
2. Write the linear expansion of an appropriate message of d and for bit i. Their difference gives a linear equation involving bit i-1 of the secrets with random coefficients.

29 RD cryptanalysis of SASI
Differences of the bit representations result in:

30 RD cryptanalysis of SASI
Thus, for each differential pair of sessions, the bit representation of C:

31 RD cryptanalysis of SASI
3. With a sufficient number of sessions, there is an overdefined system of linear equations for each bit. Solve the systems of equations starting from the LSB.

32 RD cryptanalysis of SASI
All bits of except the and MSBs are retrieved. Wrong guesses of K1 and K2 are detected thanks to the redundant equations (a filtering property).
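The two ideas behind slides 12-13 (solve a T-function system bit by bit from the LSB) and slide 32 (redundant sessions in the same state filter out wrong partial guesses, while the MSBs stay ambiguous) can be shown on a constructed toy. The code below is an added example, not the Yeh et al. or SASI equations and not the author's code: the toy tag computes two words from secrets k1, k2 and a public nonce n using only XOR and modular addition, and the solver extends candidate key prefixes one bit at a time, keeping only those consistent with every observed session.

```python
# Constructed toy: recursive (LSB-first) recovery of two secret words from
# messages built only from T-functions. Not the Yeh et al. or SASI equations.

def tag_messages(k1, k2, n, nbits=16):
    """Toy tag response (constructed). Both words use only XOR and addition
    mod 2^nbits, so bit i of each output depends only on bits 0..i of the
    inputs: the defining property of a T-function."""
    mask = (1 << nbits) - 1
    a = ((k1 + n) & mask) ^ k2
    b = ((k1 ^ n) + k2) & mask
    return a, b

def prefix_consistent(k1, k2, sessions, i, nbits):
    """True if bits 0..i of the partial guess reproduce bits 0..i of every
    observed (n, a, b). Masking the inputs is sound only because the
    messages are T-functions (carries never flow downwards)."""
    m = (1 << (i + 1)) - 1
    for n, a, b in sessions:
        a2, b2 = tag_messages(k1 & m, k2 & m, n & m, nbits)
        if (a2 & m) != (a & m) or (b2 & m) != (b & m):
            return False
    return True

def recover_keys(sessions, nbits=16):
    """Extend candidate (k1, k2) prefixes from the LSB upwards; a prefix
    survives only if it agrees with all sessions. Extra sessions in the same
    tag state add equations without new unknowns and prune wrong branches.
    The MSB pair remains ambiguous: flipping the top bit of both k1 and k2
    leaves every message unchanged because the carry out of the top bit is
    never observed, matching the 'all bits except the MSBs' remark."""
    candidates = [(0, 0)]
    for i in range(nbits):
        candidates = [(k1 | (b1 << i), k2 | (b2 << i))
                      for k1, k2 in candidates
                      for b1 in (0, 1) for b2 in (0, 1)
                      if prefix_consistent(k1 | (b1 << i), k2 | (b2 << i),
                                           sessions, i, nbits)]
    return candidates

def brute_force_keys(sessions, nbits):
    """Reference check: try every (k1, k2); feasible only for tiny nbits."""
    return [(k1, k2) for k1 in range(1 << nbits) for k2 in range(1 << nbits)
            if all(tag_messages(k1, k2, n, nbits) == (a, b)
                   for n, a, b in sessions)]

if __name__ == "__main__":
    K1, K2 = 0xBEEF, 0x1234                 # constructed secrets
    nonces = [0x0F0F, 0xA5C3, 0x7777]       # constructed, public nonces
    sessions = [(n, *tag_messages(K1, K2, n)) for n in nonces]
    found = recover_keys(sessions)
    print(len(found), "candidate pair(s); true pair found:", (K1, K2) in found)
```

The recursive solver examines at most four extensions per surviving prefix per bit instead of 2^(2·nbits) key pairs, which is exactly the saving a T-function-only design hands to an eavesdropper.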

33 RD cryptanalysis of SASI

34 RD cryptanalysis of SASI
Probability analysis. How many sessions are required for a reliable full disclosure attack?

35 RD cryptanalysis of SASI
Comparison of theoretical and experimental probability of success

36 Attack summary
Active (the attacker only blocks some messages). Probabilistic: requires 13 authentication sessions for more than 96% reliability. Full disclosure of all secrets.

37 Attack summary
Attack type | Assumption | Ref.
Full disclosure of all secrets | Active, probabilistic, an average of 240 sessions | D'Arco et al. (2011)
Desynchronization | Active, deterministic, an average of n/2 sessions |
Traceability | Recovers the last bit of ID, advantage = 1/4 | Phan (2008)
| Active, deterministic, three sessions | Sun et al. (2009)
Full disclosure of ID | Passive, probabilistic, an average of 217 sessions | Avoine et al. (2010)
| Active, probabilistic, an average of 13 sessions | Our attack

38 More Results

39 Conclusions. Two frameworks for the cryptanalysis of ULW protocols were proposed. Keeping the previous state combined with the exclusive use of T-functions (ARX-style schemes) is not recommended. The use of lightweight primitives seems safer.

40 Thanks for your attention
