Publication


Featured research published by Ignacio Sanchez.


Security and Communication Networks | 2015

Experimental passive eavesdropping of Digital Enhanced Cordless Telecommunication voice communications through low-cost software-defined radios

Ignacio Sanchez; Gianmarco Baldini; David Shaw; Raimondo Giuliani

The flexibility of software-defined radio (SDR) technology has been proposed to support various applications from the dynamic usage of the radio frequency spectrum to the implementation of radio access technologies in the commercial and military domain. A new generation of low-cost SDR devices has emerged in the last few years, opening new possibilities to implement inexpensive security attacks against radio protocols and systems. Digital Enhanced Cordless Telecommunication (DECT) is a European Telecommunications Standards Institute standard for short-range cordless communications with a worldwide installed base. In this paper, we survey the state of the art for the application of low-cost SDRs to the security domain, and we describe a complete implementation of a passive eavesdropping attack against DECT digital voice communication, where the DECT communication is not encrypted. The framework, which implements the attack, has been deployed on two different types of low-cost SDR platforms to show the flexibility and extendibility of the implementation. The performance of the framework has been evaluated on the basis of different parameters and different approaches, and the experimental results are presented in the paper. The framework has demonstrated its effectiveness to implement an eavesdropping attack against DECT even at great distances with low-cost equipment.


intelligence and security informatics | 2014

Practical Interception of DECT Encrypted Voice Communication in Unified Communications Environments

Iwen Coisel; Ignacio Sanchez

Digital Enhanced Cordless Telephony, DECT, is a worldwide standard for cordless telephony that is frequently integrated into Unified Communications systems both in enterprise and residential environments. DECT supports encryption to protect the confidentiality of the communications whilst allowing the interoperability between products from different models and manufacturers. In this paper we explore, from both a theoretical and a practical standpoint, the security of the DECT cryptographic pairing process which plays a vital role in the security chain of Unified Communications systems involving DECT technology. We demonstrate a practical security attack against the DECT pairing process that is able to retrieve the cryptographic keys and decrypt in real-time any subsequent encrypted voice communication. We also present suggestions for a more secure alternative pairing process that is not vulnerable to this type of passive attack.


international convention on information and communication technology electronics and microelectronics | 2016

Technical recommendations for improving security of email communications

A. Malatras; I. Coisel; Ignacio Sanchez

With billions of emails exchanged worldwide on a daily basis, email is nowadays considered to be one of the most widespread forms of digital communications. The massive deployment of this technology is certainly due to its ease of use and interoperability. This advantageous ubiquity of email communications comes nonetheless at the cost of security, which is often side-lined in favour of maintaining backwards compatibility with older versions of the protocols and considering security features as optional to ensure compatibility between providers. As a consequence, email communications often fall short of protecting the privacy and the authenticity of the information exchanged. Taking into account the fact that email is used to exchange private and personal information, the latter risks become extremely prominent. We review here the outstanding privacy and security risks in worldwide email communications and we describe a set of practical countermeasures, based on combinations of existing standards, which are capable of effectively mitigating the identified risks. Based on this analysis we provide a set of technical recommendations to be followed by email providers in order to enhance security, whilst preserving compatibility in the ecosystem.


international conference on wireless communications and mobile computing | 2015

Physical attacks against the lack of perfect forward secrecy in DECT encrypted communications and possible countermeasures

Iwen Coisel; Ignacio Sanchez; David Shaw

Digital Enhanced Cordless Telecommunications (DECT) is a world-wide wireless standard sustained by ETSI and widely used in cordless telephony. Whilst domestic DECT cordless phones were primarily designed to be used in connection with the Public Switched Telephone Network, their presence in Unified Communications systems has become increasingly common given their reliability, flexibility and interoperability. The DECT protocol foresees the usage of authentication and encryption in order to protect the privacy of the voice communications. Unfortunately, the cryptographic mechanisms envisaged by the standard do not provide support for forward secrecy. As a consequence, the compromise of the long-term secret cryptographic key leads to the decryption of any previous, present and future encrypted communication. In this paper, we describe and demonstrate experimentally a new physical attack, able to recover the long-term cryptographic key from the memory of DECT devices and use it to decrypt voice communications previously intercepted in encrypted form. In order to mitigate this threat to the privacy of the DECT communications, we propose a set of countermeasures and proposals for modification of the standards to provide forward secrecy in the communications.


IEEE Transactions on Information Forensics and Security | 2017

A New Multimodal Approach for Password Strength Estimation—Part I: Theory and Algorithms

Javier Galbally; Iwen Coisel; Ignacio Sanchez

After more than two decades of research in the field of password strength estimation, one clear conclusion may be drawn: no password strength metric by itself is better than all other metrics for every possible password. Building upon this certainty and also taking advantage of the knowledge gained in the area of information fusion, in this paper, we propose a novel multimodal strength metric that combines several imperfect individual metrics to benefit from their strong points in order to overcome many of their weaknesses. The final multimodal metric comprises different modules based both on heuristics and statistics, which, after their fusion, succeed to provide in real time a realistic and reliable feedback regarding the “guessability” of passwords. The validation protocol and the test results are presented and discussed in a companion paper.


international carnahan conference on security technology | 2014

A probabilistic framework for improved password strength metrics

Javier Galbally; Iwen Coisel; Ignacio Sanchez

Passwords are still the most widely deployed form of authentication for both local applications and on-line services. For several decades, password policies have aimed at measuring password strength using simple sets of rules in an attempt to guide the users towards the selection of stronger passwords. In this paper, we provide an alternative vision to the existing password strength metrics by proposing a new statistical approach that is better aligned with the actual resistance of passwords to guessing attacks. The proposed probabilistic framework is able to objectively measure the strength of a given password taking advantage of the information available in the several public datasets of passwords.


IEEE Transactions on Information Forensics and Security | 2017

A New Multimodal Approach for Password Strength Estimation—Part II: Experimental Evaluation

Javier Galbally; Iwen Coisel; Ignacio Sanchez

A novel multimodal method for the estimation of password strength was presented in Part I of this series of two papers. In this paper, the experimental framework used for the evaluation of the novel approach is described. The method is evaluated following a reproducible protocol, which includes a three-dimensional approach: 1) deterministic assessment; 2) statistical assessment; and 3) third parties assessment (thanks to the availability upon request of an executable application that integrates the multimodal meter). The key experiment of the protocol compares, from a probabilistic point of view, the strength distributions assigned to passwords broken with increasingly complex attacking approaches, following a common strategy in a typical password cracking session. The experimental evaluation is carried out not only for the new meter, but also for other strength estimators from the state of the art, comparing their overall performance. In addition to its consistent results, the proposed method is highly flexible and can be adjusted to specific environments or to a certain password policy. Furthermore, it can also evolve over time in order to naturally adjust to new password selection trends followed by users.


international convention on information and communication technology electronics and microelectronics | 2015

Detection of DECT identity spoofing through radio frequency fingerprinting

Ignacio Sanchez; Riccardo Satta; Raimondo Giuliani; Gianmarco Baldini

Digital Enhanced Cordless Telecommunications (DECT) is a European Telecommunications Standards Institute (ETSI) standard for short-range cordless communications with a large worldwide installed customer base, both in residential and enterprise environments. As in other wireless standards, the existence of active attacks against the security and privacy of the communications, involving identity spoofing, is well documented in the literature. Although the detection of spoofing attacks has been extensively investigated in the literature for other wireless protocols, such as Wi-Fi and GSM, very limited research has been conducted on their detection in DECT communications. In this paper, we describe an effective method for the detection of identity spoofing attacks on DECT communications, using a radio frequency fingerprinting technique. Our approach uses intrinsic features of the front end of DECT base stations as device fingerprints and uses them to distinguish between legitimate and spoofing devices. The results of measurement campaigns and the related analysis are presented and discussed.


cryptographic hardware and embedded systems | 2015

Improved Cryptanalysis of the DECT Standard Cipher

Iwen Coisel; Ignacio Sanchez

The DECT Standard Cipher (DSC) is a 64-bit key stream cipher used in the Digital Enhanced Cordless Telecommunications (DECT) standard to protect the confidentiality of the communications. In this paper we present an improved cryptanalysis approach which is more effective than the Nohl-Tews-Weinmann (NTW) attack and requires four times less plaintext material. Under the best conditions, our known plaintext attack requires only 3 min of communication compared to 10 min for the NTW attack. Our approach is able to quickly recover the secret key with a success rate of more than 50 % by analysing \(2^{13}\) keystreams and performing an exhaustive search over \(2^{31}\) keys. Additionally, the attack was successfully conducted against real intercepted DECT traffic where the plaintext was only 90 % accurate. To the best of our knowledge, the approach we present in this paper is the most effective cryptanalysis published so far against the DSC cipher.


international carnahan conference on security technology | 2017

Divide, recombine and conquer: Syntactic patterns-reassembly algorithm applied to password guessing process

Iwen Coisel; Ignacio Sanchez; Javier Galbally

This work proposes a novel password guessing approach based on the identification, extraction and recombination of meaningful syntactic patterns present in human-chosen passwords. The proposed method exploits the existence of these patterns across user-selected passwords in order to effectively reduce the search space to be explored during the password guessing process. The password guessing scheme follows a two stage strategy. In the first step, a novel algorithm based on machine learning principles, identifies and extracts the syntactic meaningful patterns from a dataset of passwords. Then, in a second stage, these parts-of-passwords previously segmented are recombined in order to generate new statistically relevant password candidates that are used against a blind evaluation set. The experimental results show that this novel approach is able to guess complex passwords usually robust to traditional password guessing techniques.

Collaboration

Top Co-Authors

Javier Galbally

Autonomous University of Madrid
