Ralf-Philipp Weinmann
University of Luxembourg
Publication
Featured research published by Ralf-Philipp Weinmann.
Workshop on Information Security Applications | 2007
Erik Tews; Ralf-Philipp Weinmann; Andrei Pyshkin
We demonstrate an active attack on the WEP protocol that is able to recover a 104-bit WEP key using less than 40,000 frames with a success probability of 50%. In order to succeed in 95% of all cases, 85,000 packets are needed. The IV of these packets can be randomly chosen. This is an improvement in the number of required frames by more than an order of magnitude over the best known key-recovery attacks for WEP. On an IEEE 802.11g network, the number of frames required can be obtained by re-injection in less than a minute. The required computational effort is approximately 2^20 RC4 key setups, which on current desktop and laptop CPUs is negligible.
Australasian Conference on Information Security and Privacy | 2007
Fen Liu; Wen Ji; Lei Hu; Jintai Ding; Shuwang Lv; Andrei Pyshkin; Ralf-Philipp Weinmann
SMS4 is a 128-bit block cipher used in the WAPI standard for providing data confidentiality in wireless networks. In this paper we investigate and explain the origin of the S-Box employed by the cipher, show that an embedded cipher similar to BES can be obtained for SMS4 and demonstrate the fragility of the cipher design by giving variants that exhibit 2^64 weak keys. We also show attacks on reduced round versions of the cipher. The best practical attack we found is an integral attack that works on 10 rounds out of 32 rounds with a complexity of 2^18 operations; it can be extended to 13 rounds using round key guesses, resulting in a complexity of 2^114 operations and a data complexity of 2^16 chosen pairs.
The Cryptographers' Track at the RSA Conference | 2006
Johannes A. Buchmann; Andrei Pyshkin; Ralf-Philipp Weinmann
We construct and analyze Feistel and SPN ciphers that have a sound design strategy against linear and differential attacks but for which the encryption process can be described by very simple polynomial equations. For a block and key size of 128 bits, we present ciphers for which practical Gröbner basis attacks can recover the full cipher key requiring only a minimal number of plaintext/ciphertext pairs. We show how Gröbner bases for a subset of these ciphers can be constructed with negligible computational effort. This reduces the key-recovery problem to a Gröbner basis conversion problem. By bounding the running time of a Gröbner basis conversion algorithm, FGLM, we demonstrate the existence of block ciphers resistant against differential and linear cryptanalysis but vulnerable against Gröbner basis attacks.
Communications and Multimedia Security | 2005
Ralf-Philipp Weinmann; Kai Wirt
The Common Scrambling Algorithm (CSA) is used to encrypt streams of video data in the Digital Video Broadcasting (DVB) system. The algorithm cascades a stream and a block cipher, apparently for a larger security margin. In this paper we set out to analyze the block cipher and the stream cipher separately and give an overview of how they interact with each other. We present a practical attack on the stream cipher. Research on the block cipher so far indicates it to be resistant against linear and algebraic cryptanalysis as well as simple slide attacks.
The Cryptographers' Track at the RSA Conference | 2009
Stefan Lucks; Andreas Schuler; Erik Tews; Ralf-Philipp Weinmann; Matthias Wenzel
Digital Enhanced Cordless Telecommunications (DECT) is a standard for connecting cordless telephones to a fixed telecommunications network over a short range. The cryptographic algorithms used in DECT are not publicly available. In this paper we reveal one of the two algorithms used by DECT, the DECT Standard Authentication Algorithm (DSAA). We give a very detailed security analysis of the DSAA including some very effective attacks on the building blocks used for DSAA as well as a common implementation error that can practically lead to a total break of DECT security. We also present a low cost attack on the DECT protocol, which allows an attacker to impersonate a base station and therefore listen to and reroute all phone calls made by a handset.
Fast Software Encryption | 2006
Johannes A. Buchmann; Andrei Pyshkin; Ralf-Philipp Weinmann
We demonstrate an efficient method for computing a Gröbner basis of a zero-dimensional ideal describing the key-recovery problem from a single plaintext/ciphertext pair for the full AES-128. This Gröbner basis is relative to a degree-lexicographical order. We investigate whether the existence of this Gröbner basis has any security implications for the AES.
Fast Software Encryption | 2009
Dmitry Khovratovich; Ivica Nikolić; Ralf-Philipp Weinmann
We present preimage attacks on the SHA-3 candidates Boole, EnRUPT, Edon-R, and Sarmal, which are found to be vulnerable against a meet-in-the-middle attack. The idea is to invert (or partially invert) the compression function and to exploit its non-randomness. To launch an attack on a large internal state we manipulate the message blocks to be injected in order to fix some part of the internal state and to reduce the complexity of the attack. To lower the memory complexity of the attack we use the memoryless meet-in-the-middle approach proposed by Morita-Ohta-Miyaguchi.
Fast Software Encryption | 2010
Karsten Nohl; Erik Tews; Ralf-Philipp Weinmann
The DECT Standard Cipher (DSC) is a proprietary 64-bit stream cipher based on irregularly clocked LFSRs and a non-linear output combiner. The cipher is meant to provide confidentiality for cordless telephony. This paper illustrates how the DSC was reverse-engineered from a hardware implementation using custom firmware and information on the structure of the cipher gathered from a patent. Beyond disclosing the DSC, the paper proposes a practical attack against DSC that recovers the secret key from 2^15 keystreams on a standard PC with a success rate of 50% within hours; somewhat faster when a CUDA graphics adapter is available.
International Conference on Wireless and Mobile Communications | 2009
H. Gregor Molter; Kei Ogata; Erik Tews; Ralf-Philipp Weinmann
We present a novel attacking scenario to break into secured DECT-GAP communication. To demonstrate the feasibility of our attack, we propose a brute-force architecture to efficiently recalculate all communication-related shared secrets between the DECT base station and handset. The efficiency of our architecture is demonstrated by a highly pipelined, multi-brute-force-component FPGA implementation. It exploits common weak random number generators implemented at the DECT base stations and a weak authentication scheme between the DECT base stations and their handsets.
Archive | 2009
Carlos Cid; Ralf-Philipp Weinmann
Block ciphers are one of the most important classes of cryptographic algorithms in current use. Commonly used to provide confidentiality for transmission and storage of information, they encrypt and decrypt blocks of data according to a secret key. Several recently proposed block ciphers (in particular the AES (Daemen and Rijmen in The Design of Rijndael, Springer, Berlin, 2002)) exhibit a highly algebraic structure: their round transformations are based on simple algebraic operations over a finite field of characteristic 2. This has caused an increasing amount of cryptanalytic attention to be directed to the algebraic properties of these ciphers. Of particular interest is the proposal of the so-called algebraic attacks against block ciphers. In these attacks, a cryptanalyst describes the encryption operation as a large set of multivariate polynomial equations, which—once solved—can be used to recover the secret key. Thus the difficulty of solving these systems of equations is directly related to the cipher’s security. As a result computational algebra is becoming an important tool for the cryptanalysis of block ciphers. In this paper we give an overview of block ciphers design and recall some of the work that has been developed in the area of algebraic cryptanalysis. We also consider a few computational and algebraic techniques that could be used in the analysis of block ciphers and discuss possible directions for future work.