Advertisement

Small Tweaks Do Not Help: Differential Power Analysis of MILENAGE Implementations in 3G/4G USIM Cards

  • Junrong Liu
  • Yu Yu
  • François-Xavier Standaert
  • Zheng Guo
  • Dawu Gu
  • Wei Sun
  • Yijie Ge
  • Xinjun Xie
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9326)

Abstract

Side-channel attacks are an increasingly important concern for the security of cryptographic embedded devices, such as the SIM cards used in mobile phones. Previous works have exhibited such attacks against implementations of the 2G GSM algorithms (COMP-128, A5). In this paper, we show that they remain an important issue for USIM cards implementing the AES-based MILENAGE algorithm used in 3G/4G communications. In particular, we analyze instances of cards from a variety of operators and manufacturers, and describe successful Differential Power Analysis attacks that recover encryption keys and other secrets (needed to clone the USIM cards) within a few minutes. Further, we discuss the impact of the operator-defined secret parameters in MILENAGE on the difficulty to perform Differential Power Analysis, and show that they do not improve implementation security. Our results back up the observation that physical security issues raise long-term challenges that should be solved early in the development of cryptographic implementations, with adequate countermeasures.

Keywords

Side-channel attacks Mobile network security SIM cards cloning 

Notes

Acknowledgments

This research work was supported in parts by the National Basic Research Program of China (Grant 2013CB338004) and the European Commission through the ERC project 280141 (CRASH). Yu Yu was supported by the National Natural Science Foundation of China Grant (Nos. 61472249, 61103221). F.-X. Standaert is a research associate of the Belgian Fund for Scientific Research (FNRS-F.R.S.). Zheng Guo was supported by the National Natural Science Foundation of China Grant (Nos. 61402286, 61202371). Dawu Gu was supported by the National Natural Science Foundation of China Grant (No. 61472250), the Doctoral Fund of Ministry of Education of China (No. 20120073110094), the Innovation Program by Shanghai Municipal Science and Technology Commission (No. 14511100300), and Special Fund Task for Enterprise Innovation Cooperation from Shanghai Municipal Commission of Economy and Informatization (No. CXY-2013-35).

References

  1. 1.
    3GPP specification: 35.206 (Specification of the MILENAGE algorithm set). http://www.3gpp.org/DynaReport/35206.htm
  2. 2.
    Cryptography for mobile network - C implementation and Python bindings. https://github.com/mitshell/CryptoMobile
  3. 3.
  4. 4.
  5. 5.
  6. 6.
    Barkan, E., Biham, E., Keller, N.: Instant ciphertext-only cryptanalysis of GSM encrypted communication. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 600–616. Springer, Heidelberg (2003) CrossRefGoogle Scholar
  7. 7.
    Biham, E., Dunkelman, O.: Cryptanalysis of the A5/1 GSM stream cipher. In: Roy, B., Okamoto, E. (eds.) INDOCRYPT 2000. LNCS, vol. 1977, pp. 43–51. Springer, Heidelberg (2000) CrossRefGoogle Scholar
  8. 8.
    Biryukov, A., Shamir, A., Wagner, D.: Real time cryptanalysis of A5/1 on a PC. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 1–18. Springer, Heidelberg (2001) CrossRefGoogle Scholar
  9. 9.
    Bogdanov, A., Eisenbarth, T., Rupp, A.: A hardware-assisted realtime attack on A5/2 without precomputations. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 394–412. Springer, Heidelberg (2007) CrossRefGoogle Scholar
  10. 10.
    Briceno, M., Goldberg, I., Wagner, D.: GSM Cloning (1998). http://www.isaac.cs.berkeley.edu/isaac/gsm-faq.html. Accessed 6 January 2015
  11. 11.
    Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004) CrossRefGoogle Scholar
  12. 12.
    Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  13. 13.
    Gindraux, S.: From 2G to 3G: a guide to mobile security. In: 3rd International Conference on 3G Mobile Communication Technologies, pp. 308–311 (2002)Google Scholar
  14. 14.
    Mangard, S., Oswald, E., Standaert, F.: One for all - all for one: unifying standard differential power analysis attacks. IET Inform. Secur. 5(2), 100–110 (2011)CrossRefGoogle Scholar
  15. 15.
    Maximov, A., Johansson, T., Babbage, S.: An improved correlation attack on A5/1. In: Handschuh, H., Hasan, M.A. (eds.) SAC 2004. LNCS, vol. 3357, pp. 1–18. Springer, Heidelberg (2004) CrossRefGoogle Scholar
  16. 16.
    Niemi, V., Nyberg, K.: UMTS Security. Wiley Online Library (2003)Google Scholar
  17. 17.
    Prouff, E.: DPA attacks and S-boxes. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 424–441. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  18. 18.
    Rao, J.R., Rohatgi, P., Scherzer, H., Tinguely, S.: Partitioning attacks: or how to rapidly clone some GSM cards. In: 2002 IEEE Symposium on Security and Privacy, Berkeley, California, USA, pp. 31–41 (2002)Google Scholar
  19. 19.
    Veyrat-Charvillon, N., Gérard, B., Renauld, M., Standaert, F.-X.: An optimal key enumeration algorithm and its application to side-channel attacks. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 390–406. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  20. 20.
    Zhou, Y., Yu, Y., Standaert, F.-X., Quisquater, J.-J.: On the need of physical security for small embedded devices: a case study with COMP128-1 implementations in SIM cards. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 230–238. Springer, Heidelberg (2013) CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Open Access This chapter is distributed under the terms of the Creative Commons Attribution Noncommercial License, which permits any noncommercial use, distribution, and reproduction in any medium, provided the original author(s) and source are credited.

Authors and Affiliations

  • Junrong Liu
    • 1
  • Yu Yu
    • 1
    • 2
    • 3
  • François-Xavier Standaert
    • 4
  • Zheng Guo
    • 1
    • 5
  • Dawu Gu
    • 1
  • Wei Sun
    • 1
  • Yijie Ge
    • 1
  • Xinjun Xie
    • 6
  1. 1.School of Electronic Information and Electrical EngineeringShanghai Jiao Tong UniversityShanghaiChina
  2. 2.State Key Laboratory of Information SecurityInstitute of Information Engineering, Chinese Academy of SciencesBeijingChina
  3. 3.State Key Laboratory of CryptologyBeijingChina
  4. 4.ICTEAM/ELEN/Crypto GroupUniversité catholique de LouvainLouvain-la-NeuveBelgium
  5. 5.Shanghai Viewsource Information Science and Technology Co., LtdShanghaiChina
  6. 6.Shanghai Modern General Recognition Technology CorporationShanghaiChina

Personalised recommendations