2014 | Original Paper | Book chapter

A Low Data Complexity Attack on the GMR-2 Cipher Used in the Satellite Phones

Authors: Ruilin Li, Heng Li, Chao Li, Bing Sun

Published in: Fast Software Encryption

Publisher: Springer Berlin Heidelberg


Abstract

The GMR-1 and GMR-2 stream ciphers, which are used in satellite phones, were recently reconstructed by Driessen et al. The GMR-1 cipher turned out to be a proprietary variant of the GSM A5/2 algorithm and can therefore be broken with the previously known method. For the newly designed GMR-2 cipher, Driessen et al. observed a non-uniform behavior in one of its components and proposed an efficient known-plaintext attack that recovers the encryption key (a 64-bit session key) from approximately 5–6 frames (50–65 bytes) of keystream.
In this paper, we first revisit the properties of each component of the GMR-2 cipher and then present a low data complexity attack on it that follows the guess-and-determine strategy. We call this kind of attack a dynamic guess-and-determine attack, since the part of the internal state that is guessed evolves dynamically according to the intermediate results. Our theoretical analysis shows that, with the proposed attack, the 64-bit encryption key can be recovered by guessing no more than 32 bits when 15 bytes (1 frame) of keystream are available. Experiments on a single PC confirm the analysis: the number of candidates remaining for exhaustive search is about \(2^{28}\) on average.


Footnotes
1
Recently, the work in [13] showed that the firmware of an Inmarsat IsatPhonePro satellite phone can be modified using only a USB cable, which allows frames to be read and written directly at any layer of the GMR-2 communication system, and even allows users to inject and/or sniff frames without any additional equipment.
2
There is a slight difference between the notation of [7] and ours in the generation mode: in this paper, we always assume that \(Z^{(N)}_0\) is the first output byte of the keystream after the cipher has been clocked eight times in the initialization phase.
3
We point out here that although we describe our attack in two separate steps, the second step (the exhaustive search) can in fact be incorporated into the first: whenever a candidate is obtained from the dynamic guess-and-determine phase, it can be quickly tested to decide whether it is the right key.
4
As described in Sect. 5.1, in the dynamic guess-and-determine attack, if we detect an inconsistency at the \((c+8)\)-th clock, we should backtrack to the nearest clock. However, for easier programming with the recursive method, our "non-optimized" implementation only traces back to the \((c+7)\)-th clock, so there may be many redundant computations. We believe that with the original realization, the time complexity of the attack can be reduced further.
 
References
1.
Abdelraheem, M.A., Borghoff, J., Zenner, E., David, M.: Cryptanalysis of the light-weight cipher A2U2. In: Chen, L. (ed.) IMACC 2011. LNCS, vol. 7089, pp. 375–390. Springer, Heidelberg (2011)
3.
Barkan, E., Biham, E., Keller, N.: Instant ciphertext-only cryptanalysis of GSM encrypted communication. J. Cryptol. 21(3), 392–429 (2008)
4.
Biham, E., Dunkelman, O.: Cryptanalysis of the A5/1 GSM stream cipher. In: Roy, B., Okamoto, E. (eds.) INDOCRYPT 2000. LNCS, vol. 1977, pp. 43–51. Springer, Heidelberg (2000)
5.
Bogdanov, A., Eisenbarth, T., Rupp, A.: A hardware-assisted realtime attack on A5/2 without precomputations. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 394–412. Springer, Heidelberg (2007)
6.
Debraize, B., Goubin, L.: Guess-and-determine algebraic attack on the self-shrinking generator. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 235–252. Springer, Heidelberg (2008)
7.
Driessen, B., Hund, R., Willems, C., Paar, C., Holz, T.: Don't trust satellite phones: a security analysis of two satphone standards. In: IEEE Security and Privacy 2012, pp. 128–142 (2012)
9.
Golić, J.D.: Cryptanalysis of alleged A5 stream cipher. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 239–255. Springer, Heidelberg (1997)
11.
Feng, X., Liu, J., Zhou, Z., Wu, Ch., Feng, D.: A byte-based guess and determine attack on SOSEMANUK. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 146–157. Springer, Heidelberg (2010)
12.
Hawkes, P., Rose, G.: Guess-and-determine attack on SNOW. In: Nyberg, K., Heys, H. (eds.) SAC 2002. LNCS, vol. 2595, pp. 37–46. Springer, Heidelberg (2003)
14.
Zeng, K., Yang, C.H., Rao, T.R.N.: On the linear consistency test (LCT) in cryptanalysis with applications. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 164–174. Springer, Heidelberg (1990)
15.
Zhang, B., Feng, D.: New guess-and-determine attack on the self-shrinking generator. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 54–68. Springer, Heidelberg (2006)
Metadata
Title
A Low Data Complexity Attack on the GMR-2 Cipher Used in the Satellite Phones
Authors
Ruilin Li
Heng Li
Chao Li
Bing Sun
Copyright year
2014
Publisher
Springer Berlin Heidelberg
DOI
https://doi.org/10.1007/978-3-662-43933-3_25