breaking)the)gsma5/1)cryptography) …a5/1)structure)&)operafon) • 64...
TRANSCRIPT
![Page 1: Breaking)The)GSMA5/1)Cryptography) …A5/1)structure)&)operaFon) • 64 bitstate,!3!LFSRs,!3!designated!“clock”!bits.! Their!majority!generates!a“clock”!signal! • Process:](https://reader034.vdocuments.us/reader034/viewer/2022051809/6011aecdfa8675793e457680/html5/thumbnails/1.jpg)
Breaking The GSM A5/1 Cryptography Algorithm with Rainbow Tables
and High-‐end FPGAs
Maria Kalenderi1, Dionisios Pnevma3katos1, Ioannis Papaefstathiou1,2, Charalampos Manifavas3
1ECE Department, Technical University of Crete
2Synelixis Solu3ons Ltd 3Applied Informa3cs & Mul3media Department, Technological Educa3onal
Ins3tute of Crete
FPL 2012
![Page 2: Breaking)The)GSMA5/1)Cryptography) …A5/1)structure)&)operaFon) • 64 bitstate,!3!LFSRs,!3!designated!“clock”!bits.! Their!majority!generates!a“clock”!signal! • Process:](https://reader034.vdocuments.us/reader034/viewer/2022051809/6011aecdfa8675793e457680/html5/thumbnails/2.jpg)
PresentaFon Overview • Mo$va$on • A5/1 Cryptographic algorithm • Crypto-‐a8ack with Rainbow Tables • Our Rainbow Table Crea$on Engine • Conclusions
2 FPL 2012
![Page 3: Breaking)The)GSMA5/1)Cryptography) …A5/1)structure)&)operaFon) • 64 bitstate,!3!LFSRs,!3!designated!“clock”!bits.! Their!majority!generates!a“clock”!signal! • Process:](https://reader034.vdocuments.us/reader034/viewer/2022051809/6011aecdfa8675793e457680/html5/thumbnails/3.jpg)
MoFvaFon: Why the A5/1 Alg? • Cell-‐phone privacy is obviously important • A5/1 is used in mobile cell phones (GSM) for the encryp$on of the exchanged informa$on (voice/SMS) between mobile and base sta$ons
• It is a stream cipher • Op$mized for efficient and cheap hardware implementa$on
• A5/1 used only for encryp$on, authen$ca$on in GSM phones is handled with other algorithm
3 FPL 2012
![Page 4: Breaking)The)GSMA5/1)Cryptography) …A5/1)structure)&)operaFon) • 64 bitstate,!3!LFSRs,!3!designated!“clock”!bits.! Their!majority!generates!a“clock”!signal! • Process:](https://reader034.vdocuments.us/reader034/viewer/2022051809/6011aecdfa8675793e457680/html5/thumbnails/4.jpg)
MoFvaFon: Why Rainbow Tables? • Rainbow tables are one of the most efficient methods for cracking passwords, encrypted by different cryptographic algorithms
• They trade online computa$on for one-‐$me offline computa$on + storage
• One-‐$me computa$on is s$ll expensive! We exploit parallelism and high-‐end FPGAs to construct Rainbow tables up to thousand of $mes faster than single threaded soVware.
4 FPL 2012
![Page 5: Breaking)The)GSMA5/1)Cryptography) …A5/1)structure)&)operaFon) • 64 bitstate,!3!LFSRs,!3!designated!“clock”!bits.! Their!majority!generates!a“clock”!signal! • Process:](https://reader034.vdocuments.us/reader034/viewer/2022051809/6011aecdfa8675793e457680/html5/thumbnails/5.jpg)
A5/1 structure & operaFon • 64 bit state, 3 LFSRs, 3 designated “clock” bits. Their majority generates a “clock” signal
• Process: – Ini$alize all 3 LFSRs to zero – Serially put in the encryp$on key (64 bits) – Serially put in the Frame Number (22 bits) – Now at “IniFal State” – Clock 100 cycles and discard output – Next 228 clocks produce two 114 bit values to be used encryp$ng the uplink and decryp$ng the downlink (reverse use in the Base sta$on)
– XOR data and key to produce output
5 FPL 2012
![Page 6: Breaking)The)GSMA5/1)Cryptography) …A5/1)structure)&)operaFon) • 64 bitstate,!3!LFSRs,!3!designated!“clock”!bits.! Their!majority!generates!a“clock”!signal! • Process:](https://reader034.vdocuments.us/reader034/viewer/2022051809/6011aecdfa8675793e457680/html5/thumbnails/6.jpg)
A5/1 structure (LFSRs)
6
“Clock” Rule = Majority (C18, C210, C310) Controls when keystream bits are generated
LSB
Total: 64 bits
FPL 2012
![Page 7: Breaking)The)GSMA5/1)Cryptography) …A5/1)structure)&)operaFon) • 64 bitstate,!3!LFSRs,!3!designated!“clock”!bits.! Their!majority!generates!a“clock”!signal! • Process:](https://reader034.vdocuments.us/reader034/viewer/2022051809/6011aecdfa8675793e457680/html5/thumbnails/7.jpg)
7
Crypto-‐aWack approaches • Cryptography is used to protect sensi$ve informa$on
• Since the introduc$on of cryptography, we have a8ack efforts
• Crypto a8ack: reverse the mapping of the key to the ciphertext. For n-‐bit func$ons we can: • Use an exhaus1ve search compu$ng an average of 2n−1 values un$l the target is reached
• Precompute and store a table of 2n input/output pairs. Then, to invert a par$cular value, we only need a single table lookup
FPL 2012
![Page 8: Breaking)The)GSMA5/1)Cryptography) …A5/1)structure)&)operaFon) • 64 bitstate,!3!LFSRs,!3!designated!“clock”!bits.! Their!majority!generates!a“clock”!signal! • Process:](https://reader034.vdocuments.us/reader034/viewer/2022051809/6011aecdfa8675793e457680/html5/thumbnails/8.jpg)
8
Space-‐Time tradeoff • Lies in-‐between those two previous op$ons (Originally proposed by Hellman)
• Idea: Do not store the en$re table, but star$ng points from which we can re-‐compute at run-‐$me several other points (for a chain)
• Precomputa$on $me of this approach is s$ll in the order of 2n
• Memory complexity is 22n/3 and the inversion of a single value requires only 22n/3 func$on evalua$ons.
FPL 2012
![Page 9: Breaking)The)GSMA5/1)Cryptography) …A5/1)structure)&)operaFon) • 64 bitstate,!3!LFSRs,!3!designated!“clock”!bits.! Their!majority!generates!a“clock”!signal! • Process:](https://reader034.vdocuments.us/reader034/viewer/2022051809/6011aecdfa8675793e457680/html5/thumbnails/9.jpg)
Rainbow Tables • Oechslin improved Hellman’s approach (in 2003 & 2008) • More compact representa$on (less memory!!!) • Use a reduc$on func$on aVer each hash as the input for the
next chain link (not needed in this work) • The ini$al and final passwords of the chain comprise a
rainbow table entry and they are called Startpoint (SP) and Endpoints (EP) respec$vely.
• Chains contain only Dis1nguished Points (DPs) to further improve efficiency (only keep results with a specific property)
• Used in many a8acks (Nohl used it for breaking A5/1 using GPUs)
9 FPL 2012
![Page 10: Breaking)The)GSMA5/1)Cryptography) …A5/1)structure)&)operaFon) • 64 bitstate,!3!LFSRs,!3!designated!“clock”!bits.! Their!majority!generates!a“clock”!signal! • Process:](https://reader034.vdocuments.us/reader034/viewer/2022051809/6011aecdfa8675793e457680/html5/thumbnails/10.jpg)
Rainbow Table IllustraFon
10
{SP,EP} pairs stored, the intermediate entries are re-‐computed!
FPL 2012
![Page 11: Breaking)The)GSMA5/1)Cryptography) …A5/1)structure)&)operaFon) • 64 bitstate,!3!LFSRs,!3!designated!“clock”!bits.! Their!majority!generates!a“clock”!signal! • Process:](https://reader034.vdocuments.us/reader034/viewer/2022051809/6011aecdfa8675793e457680/html5/thumbnails/11.jpg)
Our Rainbow Table creaFon approach
• Use a hardware implementa$on of A5/1 • Sequen$al but small! • Exploit parallelism in crea$ng different chains – Start with random Start-‐Points (A5/1 ini$al state) – Produce 32-‐entry chains (count only DPs) – Use as many parallel chain engines as can fit in FPGA – Deal with memory access problem (write results) Compare with S/W running the same algorithm
• Extrapolate/compare w/ published GPU results
11 FPL 2012
![Page 12: Breaking)The)GSMA5/1)Cryptography) …A5/1)structure)&)operaFon) • 64 bitstate,!3!LFSRs,!3!designated!“clock”!bits.! Their!majority!generates!a“clock”!signal! • Process:](https://reader034.vdocuments.us/reader034/viewer/2022051809/6011aecdfa8675793e457680/html5/thumbnails/12.jpg)
A5/1 Chain creaFon engine
12
NOTE: Variable $ming for each result
FPL 2012
![Page 13: Breaking)The)GSMA5/1)Cryptography) …A5/1)structure)&)operaFon) • 64 bitstate,!3!LFSRs,!3!designated!“clock”!bits.! Their!majority!generates!a“clock”!signal! • Process:](https://reader034.vdocuments.us/reader034/viewer/2022051809/6011aecdfa8675793e457680/html5/thumbnails/13.jpg)
ConnecFng MulFple Parallel Engines
13
Mem size: 64Kx128bit (SP + EP). Controller produces addresses and coordinates Writes
FPL 2012
![Page 14: Breaking)The)GSMA5/1)Cryptography) …A5/1)structure)&)operaFon) • 64 bitstate,!3!LFSRs,!3!designated!“clock”!bits.! Their!majority!generates!a“clock”!signal! • Process:](https://reader034.vdocuments.us/reader034/viewer/2022051809/6011aecdfa8675793e457680/html5/thumbnails/14.jpg)
Results
• Used a Virtex5 LX330T
• Max throughput (345 engines): 415 chains/sec • Power consump$on 4.2 Wa8s • S/W measured with Vtune on a P4@3GHz: 0.14 chains/sec
NOTE: each chain takes different amount of processing
# Engines Frequency Slice Registers (207360)
Slice LUTs (207360)
Block RAM (324)
1 178$ 488$(0%)$ 507$(0%)$ 2$(0%)$250 150$ 122802$(59%)$ 154103$(74%)$ 228$(70%)$345 146$ 165386$(79%)$ 206911$(99%)$ 228$(70%)$
$
14 FPL 2012
![Page 15: Breaking)The)GSMA5/1)Cryptography) …A5/1)structure)&)operaFon) • 64 bitstate,!3!LFSRs,!3!designated!“clock”!bits.! Their!majority!generates!a“clock”!signal! • Process:](https://reader034.vdocuments.us/reader034/viewer/2022051809/6011aecdfa8675793e457680/html5/thumbnails/15.jpg)
ExecuFon Times (FPGA/SW)
15 FPL 2012
![Page 16: Breaking)The)GSMA5/1)Cryptography) …A5/1)structure)&)operaFon) • 64 bitstate,!3!LFSRs,!3!designated!“clock”!bits.! Their!majority!generates!a“clock”!signal! • Process:](https://reader034.vdocuments.us/reader034/viewer/2022051809/6011aecdfa8675793e457680/html5/thumbnails/16.jpg)
Speedup FPGA/SW
16 FPL 2012
![Page 17: Breaking)The)GSMA5/1)Cryptography) …A5/1)structure)&)operaFon) • 64 bitstate,!3!LFSRs,!3!designated!“clock”!bits.! Their!majority!generates!a“clock”!signal! • Process:](https://reader034.vdocuments.us/reader034/viewer/2022051809/6011aecdfa8675793e457680/html5/thumbnails/17.jpg)
Comparison w/ GPUs • Published GPU results: – 162 chains/sec for GTX260 – ~500 chains/sec for GTX280 – Result quality is lower for GPU (cannot adjust)
• Performance: – 2.5x over GTX260, slightly slower than GTX280 (-‐17%)
• Power consump$on: – GPU ~250W, FPGA ~4.2W (~60 $mes be8er)
• Es$mate adjus$ng result quality: – 150x energy efficiency for roughly similar performance
17 FPL 2012
![Page 18: Breaking)The)GSMA5/1)Cryptography) …A5/1)structure)&)operaFon) • 64 bitstate,!3!LFSRs,!3!designated!“clock”!bits.! Their!majority!generates!a“clock”!signal! • Process:](https://reader034.vdocuments.us/reader034/viewer/2022051809/6011aecdfa8675793e457680/html5/thumbnails/18.jpg)
Improvements/Extensions
• Current design is not very pipelined => we can further improve the opera$ng frequency
• Use larger FPGA (V6, Kintex7, V7) • Use an array of devices for more throughput – Op$mize the cost/performance and/or power efficiency – Have to coordinate the devices – Have to measure the impact on result quality
18 FPL 2012
![Page 19: Breaking)The)GSMA5/1)Cryptography) …A5/1)structure)&)operaFon) • 64 bitstate,!3!LFSRs,!3!designated!“clock”!bits.! Their!majority!generates!a“clock”!signal! • Process:](https://reader034.vdocuments.us/reader034/viewer/2022051809/6011aecdfa8675793e457680/html5/thumbnails/19.jpg)
Conclusions • We exploit parallelism to create Rainbow table entries for A5/1 • The proposed system is quite simple and scalable to larger
FPGA devices (or to mul$ple ones) • We are almost 3,000 $mes faster than single threaded S/W
running on a P4@3GHz • Speed is roughly similar to a GTS280 GPU but at 60 $mes lower
power and giving be8er quality results • FPGAs prove both quite fast and extremely power efficient for
this type of applica$on
19 FPL 2012