Cryptography Reference
In-Depth Information
Further decryption is trivial as all other keys are derived from the UAK. However,
regular pairing only takes place once when a handset is being installed to a
base station and only if the handset is not pre-paired to the station by the
manufacturer.
Therefore, we assume that an attacker is only able to eavesdrop on a regular
DECT call. In this case, if encryption is enabled, he can either attack the key
derivation scheme of DSAA [2,3] that generates the session keys, or he can attack
the payload encryption algorithm DSC. Attacking DSAA is especially suitable
if the attacked devices have a weak PRNG.
When attacking DSC, the attacker must be able to extract valid DSC key-
streams from the recorded data. This is possible because some messages can be
predicted - for example, the call duration counter is implemented on the base
station for several DECT phones, and the counter value is sent to the handset
once per second using a control message. An attacker can predict messages of
that type when he knows the start time of the call.
An attack against DSC requires a relatively large number of known keystreams
for a reasonable success probability. In this paper, we introduce two means to
increase the performance of a DSC attack, which can be applied independent
from each other: On the one hand, we provide an algorithmic improvement, and
on the other hand, we provide a very ecient implementation on an FPGA.
3 Cryptanalysis of the DECT Standard Cipher
The DECT Standard Cipher is a proprietary stream cipher designed for DECT.
It takes a 64 bit key and a 35 bit initialization vector (IV) and generates a
keystream of variable length. DECT supports frames of different lengths and
formats. For common voice calls, a keystream of 720 bits is generated and split
into two keystream segments. The first 360 bits of the output of DSC are used
to encrypt tra
c from the base station (Fixed Part, FP) to the phone (Portable
Part, PP). The first 40 bits can be used to encrypt control tra
c (C-channel
tra
c). If a frame contains no C-channel data, the first 40 bits are discarded.
The remaining 320 bits are used to encrypt the actual voice data (B-field). The
second part of the keystream is used to encrypt frames sent from the PP to the
FP. Again, the first 40 bits are used to encrypt C-channel trac if present. The
remaining 320 bits are used to encrypt the voice data.
The internal design of DSC consists of 4 linear feedback shift registers R1,
R2, R3, and R4 of length 17, 19, 21, and 23 bits. Three of them are irregularly
clocked, the last one with a length of 23 bits is regularly clocked. A non-linear
output combiner is used to generate the output using six bits from the three
irregularly clocked registers. Initially, the 35 bit IV is zero-extended to 64 bit
and prepended to the 64 bit cipher key resulting in an 128 bit input to the
cipher. The input is then clocked into the most significant bit of each register
using regular clocking. After the key loading, every bit of every register is just
a linear combination of key and IV bits. After key loading, 40 blank rounds are
performed using irregular clocking.
Search WWH ::
Custom Search