Practical Algebraic Attacks on the Hitag2 Stream Cipher

Courtois, Nicolas T.; O'Neil, Sean; Quisquater, Jean-Jacques

doi:10.1007/978-3-642-04474-8_14

Cited by 37 publications

(21 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It was initially formulated as early as 1949 by Shannon [29]. Algebraic attacks, since the controversial paper of [11], have been applied to several stream ciphers [1,9,10] and is able to break some of them but it has not been successful in breaking real-life block ciphers, except Keeloq [7,21]. Compared to statistical analysis, such as linear and differential cryptanalysis, algebraic attacks require a comparatively small number of text pairs.…”

Section: Algebraic Attacks Using Sat Solversmentioning

confidence: 99%

Algebraic, AIDA/Cube and Side Channel Analysis of KATAN Family of Block Ciphers

Bard

Courtois

Nakahara

et al. 2010

Progress in Cryptology - INDOCRYPT 2010

Self Cite

View full text Add to dashboard Cite

Abstract. This paper presents the first results on AIDA/cube, algebraic and sidechannel attacks on variable number of rounds of all members of the KATAN family of block ciphers. Our cube attacks reach 60, 40 and 30 rounds of KATAN32, KATAN48 and KATAN64, respectively. In our algebraic attacks, we use SAT solvers as a tool to solve the quadratic equations representation of all KATAN ciphers. We introduced a novel pre-processing stage on the equations system before feeding it to the SAT solver. This way, we could break 79, 64 and 60 rounds of KATAN32, KATAN48, KATAN64, respectively. We show how to perform side channel attacks on the full 254-round KATAN32 with one-bit information leakage from the internal state by cube attacks. Finally, we show how to reduce the attack complexity by combining the cube attack with the algebraic attack to recover the full 80-bit key. Further contributions include new phenomena observed in cube, algebraic and side-channel attacks on the KATAN ciphers. For the cube attacks, we observed that the same maxterms suggested more than one cube equation, thus reducing the overall data and time complexities. For the algebraic attacks, a novel pre-processing step led to a speed up of the SAT solver program. For the side-channel attacks, 29 linearly independent cube equations were recovered after 40-round KATAN32. Finally, the combined algebraic and cube attack, a leakage of key bits after 71 rounds led to a speed up of the algebraic attack.

show abstract

Section: Algebraic Attacks Using Sat Solversmentioning

confidence: 99%

Algebraic, AIDA/Cube and Side Channel Analysis of KATAN Family of Block Ciphers

Bard

Courtois

Nakahara

et al. 2010

Progress in Cryptology - INDOCRYPT 2010

Self Cite

View full text Add to dashboard Cite

show abstract

“…Their results concluded that the initial state of the cipher is recovered and the using of SAT solver is faster than the other attacks. The full key of Hitage2 stream cipher is recovered in a few hours by using MiniSat 2.0 [18]. In [19], the full 48-bit key of the MiFare Crypto 1 algorithm was recovered in 200 seconds on a PC, given 1 known IV (from one single encryption).…”

Section: Sat Solvers and Its Applications To Cryptanalysismentioning

confidence: 99%

Applications of SAT Solvers to AES Key Recovery from Decayed Key Schedule Images

Kamal

Youssef

2010

2010 Fourth International Conference on Emerging Security Information, Systems and Technologies

View full text Add to dashboard Cite

Abstract-Cold boot attack is a side channel attack which exploits the data remanence property of random access memory (RAM) to retrieve its contents which remain readable shortly after its power has been removed. Given the nature of the cold boot attack, only a corrupted image of the memory contents will be available to the attacker. In this paper, we investigate the use of an off-the-shelf SAT solver, CryptoMinSat, to improve the key recovery of the AES-128 key schedules from its corresponding decayed memory images. By exploiting the asymmetric decay of the memory images and the redundancy of key material inherent in the AES key schedule, rectifying the faults in the corrupted memory images of the AES-128 key schedule is formulated as a Boolean satisfiability problem which can be solved efficiently for relatively very large decay factors. Our experimental results show that this approach improves upon the previously known results.

show abstract

“…Most notably the Mifare Classic, which has been thoroughly broken in the last few years [NESP08], [dKGHG08], [GdKGM + 08], [GvRVWS09], [Cou09]. Other prominent examples include KeeLoq [Bog07], [KKMP09], Megamos [VGE13] and Hitag2 [COQ09], [SNC09], [vN11], [SHXZ11], [VGB12] used in car keys, CryptoRF [GvRVWS10], [BKZ11], [BGV + 12] used in access control and payment systems and the A5/1 [Gol97], DECT [LST + 09] and GMR [DHW + 12] ciphers used in cordless/GSM phones. HID proposes iClass as a migration option for systems using Mifare Classic, boosting that iClass provides "improved security, performance and data integrity" 1 .…”

Section: Research Context and Related Workmentioning

confidence: 99%

Wirelessly lockpicking a smart card reader

Garcia

Gans

Verdult

2014

Int. J. Inf. Secur.

View full text Add to dashboard Cite

With more than 300 million cards sold, HID iClass is one of the most popular contactless smart cards on the market. It is widely used for access control, secure login and payment systems. The card uses 64-bit keys to provide authenticity and integrity. The cipher and key diversification algorithms used in iClass are proprietary and little information about them is publicly available. In this paper we have reverse engineered all security mechanisms in the card including cipher, authentication protocol and also key diversification algorithms, which we publish in full detail. Furthermore, we have found six critical weaknesses that we exploit in two attacks, one against iClass Standard and one against iClass Elite (a.k.a., iClass High Security). In order to recover a secret card key, the first attack requires one authentication attempt with a legitimate reader and 2 22 queries to a card. This attack has a computational complexity of 2 40 MAC computations. The whole attack can be executed within a day on ordinary hardware. Remarkably, the second attack which is against iClass Elite is significantly faster. It directly recovers the system wide master key from only 15 authentication attempts with a legitimate reader. The computational complexity of this attack is lower than 2 25 MAC computations, which means that it can be fully executed within 5 seconds on an ordinary laptop.

show abstract

Practical Algebraic Attacks on the Hitag2 Stream Cipher

Cited by 37 publications

References 19 publications

Algebraic, AIDA/Cube and Side Channel Analysis of KATAN Family of Block Ciphers

Algebraic, AIDA/Cube and Side Channel Analysis of KATAN Family of Block Ciphers

Applications of SAT Solvers to AES Key Recovery from Decayed Key Schedule Images

Wirelessly lockpicking a smart card reader

Contact Info

Product

Resources

About