Practical Cryptanalysis of Real-World Systems

Subtitle: An Engineer's Approach. Advisor: Prof. Christof Paar; Ross Anderson.

Semantic Scholar (2013)

Abstract
This thesis is dedicated to the analysis of symmetric cryptographic algorithms. More specifically, it focuses on proprietary constructions found in four globally distributed systems. All of these constructions were uncovered by means of reverse engineering, three of them while this thesis was being written, but only one by the author. The recovered designs were subsequently analyzed and attacked. The targeted systems range from the GSM standard for mobile communication to the two major standards for satellite telephony (GMR-1 and GMR-2) and finally to a widely deployed digital locking system. Surprisingly, although much progress has been made in the area of specialized cryptography, our attacks on the newly reverse engineered systems show that even younger designs still suffer from severe design flaws.

The GSM stream ciphers A5/1 and A5/2 were reverse engineered and cryptanalyzed more than a decade ago. While the published attacks can nowadays be implemented and executed in practice, they also inspired our research into alternative, more efficient hardware architectures. In this work, we first propose a design that solves systems of linear equations with binary coefficients in an unconventional, but supposedly fast, way. Solving many such systems is a fundamental step in most of the attacks developed for A5/2 and A5/1. Based on the proposed device, which solves the equation systems over the rationals, we present a method to convert those solutions into solutions over GF(2).

Secondly, we describe the stream cipher A5-GMR-1, used in the GMR-1 satellite telecommunication standard, which was uncovered by reverse engineering. The security of this cipher is then analyzed and a highly practical ciphertext-only attack is developed. In a final step, the proposed attack is implemented and executed on the Thuraya satellite network.
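The first contribution above, solving the binary linear systems that arise in the A5/1 and A5/2 attacks over the rationals and then converting the result back to GF(2), can be illustrated with a small worked example. This is an added example written for this page, not the thesis's own design or code: the "device" is simulated with exact rational Gauss-Jordan elimination, and the conversion step uses a parity argument from Cramer's rule (if det(A) is odd, the numerator of each rational solution component reduced mod 2 is the GF(2) solution). The thesis's actual conversion method may differ; the example only shows why such a conversion is possible and where it fails (det(A) even, i.e. A singular over GF(2)). A direct GF(2) solver is included as a cross-check, and the square systems shown are constructed here.

```python
from fractions import Fraction


def solve_rational(A, b):
    """Gauss-Jordan elimination over the rationals.

    Returns (det, x): det is det(A) as an exact Fraction (an integer for a
    0/1 matrix) and x the unique rational solution of A x = b, or
    (0, None) when A is singular over Q.
    """
    n = len(A)
    M = [[Fraction(v) for v in row] + [Fraction(bi)] for row, bi in zip(A, b)]
    det = Fraction(1)
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col] != 0), None)
        if piv is None:
            return Fraction(0), None
        if piv != col:
            M[col], M[piv] = M[piv], M[col]
            det = -det                      # a row swap flips the sign
        det *= M[col][col]                  # det(A) = sign * product of pivots
        inv = 1 / M[col][col]
        M[col] = [v * inv for v in M[col]]  # normalise the pivot row
        for r in range(n):
            if r != col and M[r][col] != 0:
                f = M[r][col]
                M[r] = [a - f * c for a, c in zip(M[r], M[col])]
    return det, [row[n] for row in M]


def rational_to_gf2(det, x):
    """Map the rational solution of a 0/1 system to its GF(2) solution.

    By Cramer's rule x_i = det(A_i) / det(A) with integer determinants. If
    det(A) is odd, A is also invertible over GF(2) and the GF(2) solution is
    y_i = det(A_i) mod 2. Writing x_i = p/q in lowest terms, q divides det(A)
    and is therefore odd, and p * det(A) = q * det(A_i) gives p = det(A_i)
    (mod 2). So y_i is just the numerator of x_i reduced modulo 2.
    If det(A) is even, A is singular over GF(2) and no conversion exists.
    """
    if x is None or det.denominator != 1 or det.numerator % 2 == 0:
        return None
    assert all(xi.denominator % 2 == 1 for xi in x)
    return [xi.numerator % 2 for xi in x]


def solve_gf2(A, b):
    """Reference solver: Gauss-Jordan elimination directly over GF(2)."""
    n = len(A)
    M = [[v & 1 for v in row] + [bi & 1] for row, bi in zip(A, b)]
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col]), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        for r in range(n):
            if r != col and M[r][col]:
                M[r] = [a ^ c for a, c in zip(M[r], M[col])]
    return [row[n] for row in M]


def gf2_matvec(A, y):
    """A * y over GF(2), used to verify a candidate solution."""
    return [sum(a * v for a, v in zip(row, y)) % 2 for row in A]


def solve_gf2_via_rationals(A, b):
    """Solve A y = b over GF(2) by the rational detour, or None if singular."""
    det, x = solve_rational(A, b)
    y = rational_to_gf2(det, x)
    if y is not None:
        assert gf2_matvec(A, y) == [v & 1 for v in b]
    return y


if __name__ == "__main__":
    # Constructed 4x4 system (circulant of 1,1,0,1; det = -3, so invertible over GF(2)).
    A = [[1, 1, 0, 1], [1, 1, 1, 0], [0, 1, 1, 1], [1, 0, 1, 1]]
    b = [0, 0, 1, 1]
    det, x = solve_rational(A, b)
    print("det =", det, " rational x =", x)
    print("GF(2) via rationals:", solve_gf2_via_rationals(A, b), " direct:", solve_gf2(A, b))
    # Constructed singular case: the three rows sum to zero mod 2 (det = 2).
    S = [[1, 1, 0], [0, 1, 1], [1, 0, 1]]
    print("singular over GF(2):", solve_gf2_via_rationals(S, [1, 0, 1]))
```

The parity check on det(A) is the important caveat: a system can be perfectly solvable over the rationals (det = 2 in the second example) and still carry no information about the GF(2) solution, so a device that only solves over Q must report the determinant, or the solution's denominators, alongside the solution.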
Together with a description of the equipment necessary for this operation, it is shown that voice privacy in GMR-1 cannot be trusted.

Extending the analysis of satellite phone standards to GMR-2 was only natural. The process of reverse engineering the stream cipher A5-GMR-2 is described, together with the design principles of a recursive disassembler for Blackfin DSPs. The recovered cipher is then described and a very efficient known-plaintext attack, which can be tuned by means of a keystream/time trade-off, is presented.

Finally, an authentication scheme for digital locks is analyzed and broken with two distinct attacks. The SimonsVoss 3060 system is widely deployed and uses two proprietary constructions (key derivation and response computation) to authenticate transponders against digital locks. The designs include modifications to the well-known block cipher DES, but also a module that resembles a T-function. Combining a total of four weaknesses in key derivation and response computation with differential cryptanalysis and a recursive attack procedure on T-functions makes it possible to open locks in practice.

In terms of the insights offered by the interdisciplinary nature of this thesis, the first part shows a creative effort to improve existing attacks. The second part highlights how practical cryptanalysis can be turned into a real-world attack on a global system. The chapter on GMR-2 is a detailed account of reverse engineering algorithms from complex embedded systems, while the final part documents the evolution of a practical cryptographic attack over a period of time, in parallel with the reverse engineering process itself.
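The "recursive attack procedure on T-functions" named above rests on a general property of T-functions: output bit i depends only on input bits 0 to i, so an unknown input can be recovered from the least significant bit upwards, with every wrong guess pruned as soon as it produces a wrong low-order output bit. The following is an added example that demonstrates that generic procedure; it is not the thesis's attack and says nothing about the SimonsVoss 3060 construction, whose T-function-like module is not described on this page. The two toy T-functions (the Klimov-Shamir permutation x + (x*x | 5), and a lossy one built from squaring, a shift and a constant) and the secret input are constructed for the example.

```python
import random


def recursive_preimages(f, y, nbits):
    """Recover every nbits-bit x with f(x) == y, one bit at a time from the LSB.

    For a T-function, bit i of f(x) depends only on bits 0..i of x. Once the
    low i bits of x are fixed, each choice of bit i can be accepted or rejected
    by comparing the low i+1 bits of f(x) with y (higher bits of x are still
    zero here, which is harmless because they cannot influence those bits).
    Dead branches are dropped immediately, so the search never enumerates
    all 2**nbits inputs.
    """
    def rec(i, x):
        if i == nbits:
            yield x
            return
        mask = (1 << (i + 1)) - 1
        for bit in (0, 1):
            cand = x | (bit << i)
            if ((f(cand) ^ y) & mask) == 0:
                yield from rec(i + 1, cand)
    return list(rec(0, 0))


def brute_preimages(f, y, nbits):
    """Exhaustive reference used only to cross-check the recursive search."""
    return [x for x in range(1 << nbits) if f(x) == y]


def is_t_function(f, nbits, trials=200):
    """Randomised sanity check of the T-function property: changing bits above
    position i must never change output bits 0..i. Deterministic seed so the
    result is reproducible."""
    rng = random.Random(1)
    for _ in range(trials):
        x = rng.getrandbits(nbits)
        i = rng.randrange(nbits)
        low = (1 << (i + 1)) - 1
        x2 = (x & low) | (rng.getrandbits(nbits) & ~low)
        if (f(x) ^ f(x2)) & low:
            return False
    return True


def ks_tfunction(x, nbits):
    """Klimov-Shamir single-cycle T-function x -> x + (x*x | 5) mod 2**nbits.
    It is a permutation, so every output has exactly one preimage."""
    mask = (1 << nbits) - 1
    return (x + ((x * x) | 5)) & mask


def lossy_tfunction(x, nbits):
    """A non-bijective T-function constructed for this example. Squaring
    forces output bit 1 to equal output bit 0, so some outputs have no
    preimage and others have several; the recursive search finds all of them."""
    mask = (1 << nbits) - 1
    return ((x * x) ^ (x << 1) ^ 0x1B) & mask


if __name__ == "__main__":
    n = 16
    secret = 0xBEEF                     # constructed secret input
    f = lambda v: lossy_tfunction(v, n)
    y = f(secret)
    found = recursive_preimages(f, y, n)
    print("T-function check:", is_t_function(f, n), " not a T-function (x>>1):",
          is_t_function(lambda v: v >> 1, n))
    print("preimages of %#x: %s (secret recovered: %s)" % (y, [hex(v) for v in found], secret in found))
    g = lambda v: ks_tfunction(v, n)
    print("KS permutation inverted:", [hex(v) for v in recursive_preimages(g, g(secret), n)])
```

Because the low-bit comparison is exact, the procedure is complete (the true input always survives) and its cost is roughly nbits times the number of surviving prefixes per level, rather than 2**nbits; for a permutation such as the Klimov-Shamir function exactly one prefix survives at every level, which is why T-function-based components are so fragile once their input/output pairs are observable.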