Cryptography Reference
In-Depth Information
First attacks on DECT [2,3] showed that some devices do not use encryption
and authentication at all and can easily be eavesdropped on. Even if encryption
is used and long-term and session keys are generated in a secure manner, it
is still possible to decipher phone calls. In 2009, the DECT Standard Cipher
was reverse-engineered and a correlation attack on the cipher was published [4]
by Nohl, Tews and Weinmann (NTW-attack). With 2
15
available keystreams
generated with different initialization vectors (IVs), it is possible to recover the
session key within minutes to hours on a fast PC or Server. Different tradeoffs
are possible. This allows decryption of the call recorded, but does not reveal the
long-term keys or keys for the previous or next call.
In this paper, we present an optimized NTW-attack, which reduces the time to
recover the key or the number of keystreams required. The optimizations are of
general nature and can be used in conjunction with optimized implementations
of the attack for CUDA graphics cards or the PS3 cell processor [4] or any other
kind of parallel processing hardware. In the second part of the paper we present
an optimized FPGA implementation of our optimized NTW-attack, which is
currently the most cost-ecient way of searching through the remaining key
space the NTW-attack determines.
In Section 2 we describe the attack scenario and point out where our work can
be applied. In Section 3, we give an introduction to DSC and the original attack
on DSC developed by Nohl, Tews, and Weinmann. Knowledge of the structure of
the original attack is essential to understand our improvements. In Section 4, we
present our improvements of the first phase of the NTW attack. In a nutshell we
introduce a key ranking method making the correct key more likely to be found
earlier in the second phase of the attack. In Section 5 we present an FPGA
implementation which can be used in conjunction with our improvements from
Section 4 to execute the second phase of the attack in the most cost-ecient
way currently known. Section 6 concludes our work.
2 Attack Scenario
In this paper, we show that an attacker who is able to eavesdrop on DECT
communication can decrypt the encrypted payload faster and more eciently
than previously known. In contrast to some other attack scenarios [2], our attack
is passive, i.e. no data needs to be sent by an attacker. Therefore, a victim is not
able to detect the presence of an attacker.
At first, the attacker needs to record the raw DECT data being sent over the
wireless interface. He can do so, for example, by using a DECT PC-Card using
amodifiedfirmware
2
or a generic software radio like USRP
3
.
Using the recorded data, the attacker has several options depending on the
type of communication and the security services being applied. If the attacker is
able to listen to the pairing process between the base station and the handset,
he needs at most 10
4
2
13
.
3
tries to recover the resulting long-term key (UAK).
≈
2
https://dedected.org/trac/attachment/wiki/25C3/talk-25c3
3
http://www.ettus.com/
Search WWH ::
Custom Search