Seminar Security

1
Partitioning Attacks

• Seminar Security
• EJ Sanjuanelo Robles

2
Agenda

• Introduction
• GSM Architecture/Security
• COMP128
• Partitioning Attacks
• Countermeasures
• Questions

3
Agenda

• Introduction
• GSM Architecture/Security
• COMP128
• Partitioning Attacks
• Countermeasures
• Questions

4
Introduction

• Cardinal principle
• Relevant bits and their values should be
  statistically independent of the inputs, outputs
  and sensitive information

5
Agenda

• Introduction
• GSM Architecture/Security
• COMP128
• Partitioning Attacks
• Countermeasures
• Questions

6
GSM Architecture
Mobile Stations
Base Station Subsystem
Network Center
HLR
MSC
BSC
7
GSM Security
Base Station Subsystem
Network Center
Mobile Station
IMSI Ki
HLR
IMSI
RAND, SRES, Kc
RAND,
MSC
BSC
SIM A3/A8/A5 Algorithms Ki
SRES Kc
CHECK ?
Encrypted Data
Ki Subscriber Authentication Key (shared by the
operator)
8
Logical Implementation of A3 and A8

• COMP128 is used for both A3 and A8 in most GSM
  networks.
• COMP128 is a keyed hash function

RAND (128 bit)
COMP128
Ki (128 bit)
96 bit output SRES 32 bit and KC (64 bit)
9
Actual Information Available
10
Agenda

• Introduction
• GSM Architecture/Security
• COMP128
• Partitioning Attacks
• Countermeasures
• Questions

11
COMP128 Algorithm

• Input RAND, Ki and 5 Lookup Tables
• X0..15 Ki X16..31 RAND
• Lookup tables T0512, T1256, T2128, T364,
  T432
• T0 (512 bytes) is basically split in T00 and T01
  of 256 bytes each due to 8 bits processor.

• for j 0 to 4 do
• for k 0 to 2j-1 do
• for l0 to 2(4-j)-1 do
• m l k2(5-j)
• n m 2(4-j)
• y (Xm 2Xn) mod 2(9-j)
• z (2Xm Xn) mod 2(9-j)
• Xm Tjy
• Xn Tjz

12
Agenda

• Introduction
• GSM Architecture/Security
• COMP128
• Partitioning Attacks
• Countermeasures
• Questions

13
Partitioning Attack on COMP128
0
15
16
32
K0
K1
K15
R0
R15


R0
X
T0y
K1
K15
T0z
R15


R0
y (K0 2R0)
z (2K0 R0)

• Original DPA attack failed.
• Values of y and z depend on the first bytes of K
  and R
• Its possible to detect via side channels whether
  values of y and z are within 0..255 or
  256..511.
• Look up on T00 and T01 tables are different.

14
COMP128 - Partitioning

• Lookup tables T00 and T01 give different signals
  to the attacker.
• Play with the RAND Most Significant Bit (MSB)

MSB0
MSB1
Ri
Access T01
Access T00
15
COMP128 Partitioning Attack

• Lookup tables T00 and T01 give different signals
  to the attacker.
• Power signals.
• Electromagnetic emanation also shows 2 different
  signals.
• The key-byte is always uniquely determined from
  partitioning information
• 1000 samples (RAND inputs) is needed.

16
Partitioning Attacks

• Knowledge of the partitions
• Values that fall into each partition
• Leak information about the processing

17
Partitioning Attacks

• Dependent on the algorithm being implemented.
• The attacker must play around (to guess) what is
  going around in the implementation.
• Cardinal principle is the key.
• Statistical dependency.

18
Countermeasures

• Table lookup in some cryptographic algorithms
  DES, AES.
• Alternatives
• Table masking bit index permutation (randomly)
• Table split using different index for splitting
  tables and loading some of them in memory.
• Algebraic combination of splitting tables.

19
Questions