Keywords

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

1 Introduction

Authenticated encryption [7] (AE) is the standard technology to protect data that needs to be sent over unsecured communication channels and is deployed in countless applications and protocols, such as (D)TLS, SSH and IPSec. In comparison to regular symmetric encryption schemes, AE not only ensures privacy of the data but also guarantees integrity and authenticity. Unfortunately, failures in the design and implementation of authenticated encryption schemes are a common sight and there are numerous examples. To name just a few (see also [9]):

  • Vaudenay’s 2002 CBC padding oracle attack on MAC-then-encrypt AE modes allows an active adversary to decrypt messages without access to the secret key [30]. This attack stemmed from the authenticity verification leaking whether the decrypted message was adequately padded. Over the years, this strategy has been used quite successfully against TLS [4, 10, 12, 26].

  • In 2007, an attack [29] on the Wired Equivalent Privacy (WEP) standard, used in many 802.11 Wi-Fi networks, allowed to recover the secret key within minutes from a few thousand intercepted messages. The attack exploited weaknesses in RC4.

  • In 2009, Albrecht, Paterson, and Watson [2] exploited a flaw in the SSH protocol and its OpenSSH implementation, when coupled with a block cipher in CBC mode. The attack allowed an adversary to recover 14 plaintext bits with probability \(2^{-14}\) or 32 plaintext bits with probability \(2^{-18}\).

  • In 2012, a flaw was uncovered in EAXprime [5], an AE block cipher mode derived from EAX [8], standardized as ANSI C12.22-2008 for Smart Grid applications, and also subject of a forthcoming NIST standard. The flaw facilitates forgery, distinguishing, and message-recovery attacks [25].

In this paper, we investigate another flawed authenticated encryption scheme, which is deployed in the Open Smart Grid Protocol (OSGP) [15]. The latter is an application layer communication protocol for smart grids built on top of the ISO/IEC 14908-1 protocol stack [21], has been developed by the Energy Service Network Association (ESNA), and is a standard of the European Telecommunications Standards Institute (ETSI) since 2012 [1]. According to estimations, OSGP-based smart meters and devices are deployed in over 4 million devices worldwide as of 2015, making OSGP one of the most widely used network protocols for smart grid applications.

Our Results. Table 1 summarises the results of the different attacks on the authenticated encryption scheme of OSGP and also lists the corresponding sections where the attacks are described. While the attacks have various tradeoffs between the number of oracle queries and the computational complexity, each constitutes a complete break of the OSGP AE scheme. We also want to highlight the fact that the attacks from Sect. 3.4 are particularly powerful in the context of the protocol: verification oracles are easy to come across and the attack in its XOR variant does not need to know plaintext at all, since differences can be injected directly into the ciphertext. In other words, this is a practical attack on the AE scheme of OSGP and completely compromises its security.

Related Work. In late 2013, Kursawe and Peters independently analysed OSGP and identified several security flaws, some of which overlap with our own findings [22]. Their work gives a good overview on the various security flaws and shows how they can be exploited to mount some basic attacks on OSGP’s cryptographic infrastructure. We, on the other hand, focus on the digest function in more detail and, as a consequence, are able to further move the attacks into practicality. We note that our analysis has been performed solely against the OSGP specification [15] and not against any deployed devices.

Table 1. Required number of queries and expected complexity for the attacks of Sect. 3, with varying time-query tradeoff parameter B. The abbreviation KP+ means known-plaintext with common prefix, CP denotes chosen-plaintext, CC stands for chosen-ciphertext, and TG and TV denote tag-generation and tag-verification oracles, respectively.
Full size table

Outline. The paper is organised as follows. Section 2 introduces notation and the cryptographic infrastructure used in the Open Smart Grid Protocol. In Sect. 3, we give a detailed analysis of the said AE scheme. We start with some basic attacks that already allow recovery of the entire secret key but are not feasible within the scope of the protocol. Based on that we describe further improvements which eventually allow us to mount fast forgery attacks on the OSGP AE scheme and furthermore enable recovery of the complete secret key and in this case all within the context of the protocol. Finally, Sect. 4 concludes the paper.

2 Preliminaries

2.1 Notation

An n-bit string x is an element of \(\{0,1\}^n\). For \(n = 8\) we call x a byte. The size of x in bits is denoted by \(\vert x \vert \). Concatenation of bit strings is denoted by \(\parallel \). Given a vector of bit strings \((x_0,\dots ,x_{n-1})\), we denote by \(x_{i,j}\) the jth bit of the ith word where \(0 \le i \le n-1\). When interpreting bit strings as integers we always use little-endian format and denote them in hexadecimal format using typewriter. A bit string consisting of n zeros is denoted by \(0^{n}\). A cyclic rotation of a bit string x by m bits to the left and right is denoted by \(x \lll m\) and \(x \ggg m\), respectively. The difference of two bit strings x and \(x'\) with respect to XOR is denoted by \(\varDelta {x}\), whereas a difference with respect to addition modulo \(2^n\) is denoted by \(\varDelta ^\boxminus x\).

2.2 The Cryptographic Infrastructure of OSGP

In this paper, we focus solely on OSGP’s cryptographic infrastructure, and not on the protocol itself. The high-level structure of OSGP’s authenticated encryption (AE) scheme is depicted in Fig. 1.

Fig. 1.
figure 1

The OSGP AE scheme. Notation: \(x_0\) = {813F529A7BE389BA}, \(x_1\) = {72B0918D4405AA57}, \(k = k_1 \parallel k_0:\) Open Media Access Key (OMAK), m :  message, n :  sequence number, t :  authentication tag, \(k' = k'_1 \parallel k'_0:\) Base Encryption Key (BEK), c :  ciphertext.

Full size image

The OSGP AE scheme is based on three algorithms: the EN 14908 algorithmFootnote 1, the stream cipher RC4 and the so-called OMA digest, a message authentication code (MAC). These three algorithms are combined in a mixture of the generic composition [7] approaches MAC-and-encrypt and MAC-then-encrypt to form an authenticated encryption scheme, see again Fig. 1. We note that, while the OMA digest is described in the OSGP specification [15], public information on the EN 14908 algorithm, specified in ISO/IEC 14908-1 [21], is hard to come by. All information on the latter was retrieved from the OSGP specification [15] and the related standard ISO/IEC CD 14543-6-1 [20, p. 232] which, like ISO/IEC 14908-1 and a few other standards [6, 19, 28], is also a direct descendant of LonTalk [13].

The security of OSGP’s AE scheme depends on the 96-bit Open Media Access Key (OMAK) \(k = k_1 \parallel k_0\) from which all other key material is derived. The OMAK is usually unique to a device but not hardcoded and can be changed, often to be shared with other devices under the same concentrator [15, Sect. 7.1]. Two things are derived from the OMAK: firstly, a so-called Base Encryption Key (BEK) \(k' = k'_1 \parallel k'_0\) is computed [15, Sect. 7.3] which is a 128-bit key forming the basis for the RC4 encryption key. The BEK is constructedFootnote 2 using the EN 14908 algorithm which appears to have been the basis for the OMA digest but uses smaller 48-bit keys and processes message bytes in reversed order. The EN 14908 algorithm is applied to each of the halves \(k_0\) and \(k_1\) of the OMAK and the two constants \(x_0\) = {813F529A7BE389BA} and \(x_1\) = {72B0918D4405AA57}. The two 64-bit results are then concatenated to form \(k'\), see Fig. 1. Note that the BEK only depends on the OMAK and is thus fixed as long as k remains unchanged.

Secondly, an authentication tag t is produced using the OMA digest on the message m concatenated with a sequence number n and the OMAK k. Let l denote the size of \(m \parallel n\) in bytes. The OMA digest starts with its 8-byte internal state \(a = (a_0,\dots ,a_7)\) set to zero. First, \(m \parallel n\) is zero-padded to a multiple of 144 bytes, meaning

$$ m' = m \parallel n \parallel 0^{-l {\text { mod }} 144}. $$

Let \(m' = m'_0 \parallel \dots \parallel m'_{143}\) denote the first, and possibly only, 144-byte block of the message. The internal state is updated continuously using a nonlinear function \(f_{b,c}\) where \(b = k_{i { \text{ mod } }12,7-j}\) is a key bit and \(c = j\) is the current position in the state. Its specification is as follows:

$$ f_{b,c}(x,y,z) = {\left\{ \begin{array}{ll} y + z + (\lnot (x + c)) \lll 1 &{} \text{ if } b = 1 \\ y + z - (\lnot (x + c)) \ggg 1 &{} \text{ otherwise. } \\ \end{array}\right. } $$

In order to update state element \(a_j\), the function f takes, for \(0 \le i \le 17\) and \( 7 \ge j \ge 0\), two adjacent state elements \(a_j\) and \(a_{j+1{ \text{ mod } }8}\) and a message-byte \(m'_{8i+7-j}\) as input, i.e., \(a_j = f_{k_{i { \text{ mod } }12,7-j}, j}(a_j, a_{j+1 { \text{ mod } }8}, m_{8i+7-j})\), and depending on the value of the key bit \(k_{i { \text{ mod } }12,7-j}\) one of the two branches depicted above is evaluated. The next 144-byte message block is processed similarly, with the initial internal state carried over from the previous block. The complete pseudocode of the OMA digest is shown in Algorithm 1 and a visualisation of its innermost loop, where the message bytes are processed, is given in Fig. 2. For the reference implementation we refer to [15, Annex E].

Fig. 2.
figure 2

Data processing (right-to-left) in the OMA digest, with \(\overline{i} = i { \text{ mod } }12\).

Full size image
figure a

After the tag generation, t is XORed into the lower half of the BEK \(k'\) which then produces the final 128-bit RC4 encryption key \(k'' = k'_1 \parallel (k'_0 \oplus t)\), see again Fig. 1. This measure is intended to provide RC4 with ever-changing key material, thus producing a fresh keystream with every new message, since, according to the OSGP specification, the sequence number n, which is appended to m, is continuously increased.

Sequence numbers are shared between sender and receiver in OSGP. The receiver of a message verifies that the correct sequence number was appended to the latter. Messages with sequence numbers in the range \(\{n,\dots ,n+8\}\) are accepted as valid requests. If a message with sequence number \(n-1\) is received, then the recipient does not execute the request but instead re-sends the answer of the (previously executed) request of number \(n-1\). Sequence numbers outside of this range trigger an error and the OSGP device replies with a failure code and the correct sequence number. More details on the handling of sequence numbers can be found in [15, Sect. 9.7].

After the setup phase is finished, \(k''\) is used to encrypt \(m \parallel n\) via RC4 to obtain the ciphertext c. Finally, \(c \parallel t\) is transmitted. Messages \(m \parallel n\) processed in OSGP are allowed to have a maximum size of 114 bytes [15, Sect. 9.2]. This complicates some attacks that require up to 136-byte messages. Nevertheless, we will also describe scenarios that respect this message size limit.

3 Analysis

OSGP uses RC4 for encryption without discarding any initial bytes. RC4 has known statistical key- and plaintext-recovery attacks, and these have been shown to be practically feasible [3, 1618, 27, 29, 31]. However, in this work we do not focus on RC4, but instead on the OMA digest, see Algorithm 1.

The OMA digest algorithm presents multiple flaws. Firstly, it uses a simple zero byte message padding, which results in messages with any number of trailing zeroes sharing the same tag. Secondly, given a tuple (amk) where a is the OMA digest’s state or authentication tag, m a message and k the OMAK, the function is fully reversible (see Algorithm 2) which is a very useful property for the attacks presented in Sects. 3.1 and 3.2. Likewise, it is also possible to take an arbitrary internal state, and continue to process it as if to resume a partially digested message. This is depicted in Algorithm 3.

figure b
figure c

3.1 Chosen-Plaintext Key Recovery Attacks

Let \(a = (a_0,\dots ,a_{7})\) denote the 8-byte internal state of the OMA digest. The attacks discussed below use chosen 144-byte messages \(m = m_0 \parallel \dots \parallel m_{143}\) Footnote 3, and exploit differential weaknesses in the OMA digest.

Bitwise Key Recovery. The first attack recovers the key one bit at a time by differential cryptanalysis. Specifically, we exploit the XOR-differential \((\varDelta m_i, \varDelta a_j) = (\mathtt 80 , \mathtt 80 )\), where \(\varDelta m_i\) and \(\varDelta a_j\) denote input and output differences, respectively, for \(j = 7 - i { \text{ mod } }8\). The output difference is obtained immediately after processing message byte \(m_i\) (see Algorithm 1) and can be written as

$$\begin{aligned}&\; f_{k,j}(a_{j},a_{j+1{ \text{ mod } }8},m_i \oplus \mathtt 80 ) \\ =&\; a_{j+1{ \text{ mod } }8} + (m_i \oplus \mathtt 80 ) \pm (\mathtt FF \oplus (a_j + j) \lll r) \\ =&\; (a_{j+1{ \text{ mod } }8} + m_i \pm (\mathtt FF \oplus (a_j + j) \lll r)) \oplus \mathtt 80 \\ =&\; f_{k,j}(a_{j},a_{j+1{ \text{ mod } }8},m_i)\oplus \mathtt 80 \end{aligned}$$

where the rotation offset \(r \in \{1,7\}\) and the \(\pm \) operation depend on the value of the key bit \(k \in \{0,1\}\). This differential has probability 1, by well-known differential properties of addition modulo \(2^n\) [23], and propagates cleanly through the state a for the next 8 iterations, resulting in the following difference over the state:

$$ \varDelta a = (\mathtt 80 ,\mathtt 80 ,\mathtt 80 ,\mathtt 80 , \mathtt 80 ,\mathtt 80 ,\mathtt 80 ,\mathtt 80 ). $$

The next iteration reveals one key bit. By XOR-linearising the state update function f, the new output difference \(\varDelta {a'_j}\) is of the form

$$\begin{aligned} \varDelta {a'_j} =&\; ((a_{j+1{ \text{ mod } }8} \oplus \mathtt 80 ) \oplus m_i \oplus (\mathtt FF \oplus ((a_j \oplus \mathtt 80 ) \oplus j) \lll r)) \; \oplus \\&\; (a_{j+1{ \text{ mod } }8} \oplus m_i \oplus (\mathtt FF \oplus (a_j \oplus j) \lll r)) \end{aligned}$$

where \(r \in \{1,7\}\). As a consequence, we have \(\varDelta {a'_j} = \mathtt 81 \), if bit \(7 - i { \text{ mod } }8\) of \(k_{\lfloor i / 8 \rfloor { \text{ mod } }12}\) is 1, and \(\varDelta {a'_j} = \mathtt C0 \), if the same key bit is 0. While integer addition and XOR behave differently with respect to the propagation of XOR-differences, the least significant bit of integer addition and XOR behave identically in this case and can be used to recover the key bit with probability 1.

The above leak, combined with Algorithm 2, can be turned into a chosen-plaintext key-recovery attack retrieving the OMAK k bitwise in at most \(96+1\) queries. Algorithm 4 describes this attack in full detail. Looking at Fig. 1, we see immediately that the reconstruction of k breaks the complete OSGP AE scheme. In the following, we will explore how the attack can be further improved.

figure d

Bytewise Key Recovery. Analysing the above attack more thoroughly, we noticed that we can recover one key byte at a time by injecting the input difference \(\mathtt 80 \) into the message a couple of steps earlier. This reduces the number of queries and the work load of the attack drastically. In other words, we will show how to reconstruct the entire OMAK with only \(12+1\) chosen-plaintext queries.

Let \(k_{i { \text{ mod } }12,j}\) denote the jth bit of key byte \(i { \text{ mod } }12\), for \(i = 17,16,\dots ,6\) and \(j = 0,\dots ,7\). When injecting the message difference \(\varDelta m_{8i-8} = \mathtt 80 \) and thereupon processing 16 message bytes, we obtain an XOR-difference of the internal state of the form \(\varDelta a = (\varDelta a_0,\dots ,\varDelta a_7) = (\varDelta x_0,\dots ,\varDelta x_7)\) where \(\varDelta x_l\) are arbitrary values for \(l = 0,\dots ,7\). The evolution of the difference propagation in the internal state can be visualised as follows:

\(i = 17,\dots ,6\)

\(\varDelta a_0\)

\(\varDelta a_1\)

\(\varDelta a_2\)

\(\varDelta a_3\)

\(\varDelta a_4\)

\(\varDelta a_5\)

\(\varDelta a_6\)

\(\varDelta a_7\)

\(\dots \)

\(\dots \)

\(\dots \)

\(\dots \)

\(\dots \)

\(\dots \)

\(\dots \)

\(\dots \)

\(\dots \)

\(m_{8i-9}\)

00

00

00

00

00

00

00

00

\(m_{8i-8}\)

00

00

00

00

00

00

00

80

\(\dots \)

\(\dots \)

\(\dots \)

\(\dots \)

\(\dots \)

\(\dots \)

\(\dots \)

\(\dots \)

\(\dots \)

\(m_{8i-1}\)

80

80

80

80

80

80

80

80

\(m_{8i}\)

80

80

80

80

80

80

80

\(\varDelta x_7\)

\(m_{8i+1}\)

80

80

80

80

80

80

\(\varDelta x_6\)

\(\varDelta x_7\)

\(\dots \)

\(\dots \)

\(\dots \)

\(\dots \)

\(\dots \)

\(\dots \)

\(\dots \)

\(\dots \)

\(\dots \)

\(m_{8i+7}\)

\(\varDelta x_0\)

\(\varDelta x_1\)

\(\varDelta x_2\)

\(\varDelta x_3\)

\(\varDelta x_4\)

\(\varDelta x_5\)

\(\varDelta x_6\)

\(\varDelta x_7\)

By analysing again the XOR-linearisation of the state update function f, one realises that a key byte can be recovered in its entirety by exploiting, as in the case of the bitwise key recovery attack, the information on the key bits stored in the least significant bit of the output differences \(\varDelta x_0,\dots ,\varDelta x_7\). More precisely, key byte \(k_{i { \text{ mod } }12}\) can be reconstructed as follows:

1.

\(k_{i { \text{ mod } }12,0} = \text{ lsb }(\varDelta x_7) \oplus \text{ lsb }(\mathtt 80 ) \)  

5.

\(k_{i { \text{ mod } }12,4} = \text{ lsb }(\varDelta x_3) \oplus \text{ lsb }(\varDelta x_4)\)

2.

\(k_{i { \text{ mod } }12,1} = \text{ lsb }(\varDelta x_6) \oplus \text{ lsb }(\varDelta x_7)\)  

6.

\(k_{i { \text{ mod } }12,5} = \text{ lsb }(\varDelta x_2) \oplus \text{ lsb }(\varDelta x_3)\)

3.

\(k_{i { \text{ mod } }12,2} = \text{ lsb }(\varDelta x_5) \oplus \text{ lsb }(\varDelta x_6)\)  

7.

\(k_{i { \text{ mod } }12,6} = \text{ lsb }(\varDelta x_1) \oplus \text{ lsb }(\varDelta x_2)\)

4.

\(k_{i { \text{ mod } }12,3} = \text{ lsb }(\varDelta x_4) \oplus \text{ lsb }(\varDelta x_5)\)  

8.

\(k_{i { \text{ mod } }12,7} = \text{ lsb }(\varDelta x_0) \oplus \text{ lsb }(\varDelta x_1)\)

In order to verify that the above key recovery indeed works, consider the following steps. As we have already seen in the bitwise key recovery attack, the value of \(k_{i { \text{ mod } }12,0}\) can be read off right away from \(\varDelta x_7\), see step 1 above. The remaining key bits \(k_{i { \text{ mod } }12,j+1}\), for \(j = 0,\dots ,6\), can be recovered from the XOR-linearisation of f which gives us the relation

$$\varDelta x_{6-j} = \varDelta x_{7-j} \oplus (\varDelta x'_{6-j} \lll r) = \varDelta x_{7-j} \oplus (\mathtt 80 \lll r) $$

where \(\varDelta x_{7-j}\) and \(\varDelta x_{6-j}\) denote output differences and \(\varDelta x'_{6-j}\) corresponds to the difference before \(a_{6-j}\) is updated in the jth step. The latter simply has the value \(\mathtt 80 \) as can be seen in the table on the difference propagation. The above equation can be re-written as

$$\text{ lsb }(\mathtt 80 \lll r) = \text{ lsb }(\varDelta x_{6-j}) \oplus \text{ lsb }(\varDelta x_{7-j})$$

and since the rotation offset \(r \in \{1,7\}\) depends on \(k_{i { \text{ mod } }12,j+1}\), the formula above gives us the value of the latter key bit.

figure e

3.2 Known-Plaintext Key Recovery Attack

The second attack is not differential in nature and requires a weaker attacker. We only assume in the following that the attacker is able to capture plaintexts with a common prefix of various lengths. This may be feasible by, e.g., capturing repeated messages with different sequence numbers.

This attack relies uniquely on the OMA digest’s invertibility, as seen in Algorithm 2. The basic idea here is to have two messages, m and \(m'\) that are equal except in the last r bytes; partially reversing the final state of m by r iterations, then using that state to process the final bytes of \(m'\) should only happen when the (guessed) key bits used in those iterations are correct. This does not always happen, but it reduces the keyspace to virtually one or two guesses per key byte. The concrete realisation of the attack is also described in Algorithm 6.

However, due to the slow diffusion of differences already described in Sect. 3.1, to recover r bits of the key one needs more than r iterations back; this is not a problem, though, as long as the key bits corresponding to the common prefix bytes of the message are the same for the forwards and backwards processing of the message. In practice, we have found that \(r + 8\) iterations suffice to recover the key with overwhelming probability.

figure f

3.3 Optimizing the Attacks

The attacks of Sects. 3.1 and 3.2 have an obvious generalization that trades queries for computation time. This is also a consequence of the OMA digest’s reversibility.

Let \(B \ge 1\) be the number of key bytes to recover per query; the attack from Sect. 3.2 generalizes trivially to any B, by guessing B adjacent key bytes per query, at an average cost of \(\left\lceil \frac{12}{B} \right\rceil + 1\) queries and \(\left\lceil \frac{12}{B} \right\rceil 2^{8B - 1}\) operationsFootnote 4.

The method from Sect. 3.1 also generalizes well to any B, by guessing the last \(B-1\) bytes and recovering the first one by injecting a difference. Its average cost is \(\left\lceil \frac{12}{B} \right\rceil + 1\) queries and \(\left\lceil \frac{12}{B} \right\rceil 2^{8(B-1) - 1}\) operations. We note that for \(B \ge 2\) the messages used in either case need not be longer than 113 bytes, bypassing OSGP’s restriction on message sizes.

3.4 Forgeries and a Third Key-Recovery Attack

Forgeries in the OMA digest are possible by exploiting the differential properties described in Sect. 3.1. To this end, we first explore XOR differentials and afterwards describe attacks using additive differentials.

Forgeries Using XOR-Differentials. For this attack, we consider input XOR-differences of the shape \((\varDelta m_{8i+j}, \varDelta m_{8i+j+1}, \varDelta m_{8i+j+8}) = (\) 80, 80, \(\varDelta x)\) for \(i = 0,\dots ,17\) and \(j = 0,\dots ,7\). After processing message bytes \(m_{8i+j},m_{8i+j+1},\dots ,m_{8i+j+7}\), the XOR-differences in the internal state are, up to a rotation, of the form \(\varDelta a = (\) 80, 00, 00, 00, 00, 00, 00, 00). More precisely, after injecting \(\varDelta m_{8i+j} = \mathtt 80 \), the difference \(\varDelta m_{8i+j+1} = \mathtt 80 \) is used to prevent the difference of \(\varDelta m_{8i+j}\) from spreading to the rest of the state. Creating this stationary difference can be achieved with probability 1. Finally, the difference \(\varDelta m_{8i+j+8} = \varDelta x\) is used to cancel the stationary difference from above thereby creating a forgery. The success of the forgery hinges on whether the formula

$$ (m_{8i+j+8} \oplus \varDelta x) \pm (\mathtt FF \oplus ( (a_j \oplus \mathtt 80 ) + j) \lll r) = m_{8i+j+8} \pm (\mathtt FF \oplus (a_j + j) \lll r) $$

is satisfied. Note that the above formula again includes both possible cases which depend on the value of the key bit \(k \in \{0,1\}\). Using the formulas of Lipmaa and Moriai [23], we can determine the optimal value for \(\varDelta x\) with respect to its probability p and the value of the key bit \(k_{i+1 { \text{ mod } }12,j}\):

\(k_{i+1 { \text{ mod } }12,j}\)

 

0

1

\(\varDelta x\)

C0

40

 

01

03

07

0F

1F

3F

7F

FF

\(-\log _2 p\)

1

1

 

1

2

3

4

5

6

7

7

Thus, choosing \(\varDelta x \in \) {C0, 40, 01} has a probability of about 1 / 4 of creating a valid forgery, assuming a uniformly random key bit.

Forgeries Using Additive Differentials. Injecting additive differences is also useful to get a wider range of possible high-probability differences, since every operation in the OMA digest, with the exception of the cyclic rotation, has additive differential probability 1Footnote 5.

Using a similar approach as above, one can inject the additive difference \((\varDelta ^\boxminus x, -\varDelta ^\boxminus x, -\varDelta ^\boxminus y)\) at \((m_i, m_{i+1}, m_{i+8})\). The success of the forgery here depends on the quality of the approximations

$$\begin{aligned} \varDelta ^\boxminus y&= ((-a_j - j - 1) \lll 1) - ((-a_j - \varDelta ^\boxminus x - j - 1) \lll 1) \\ \varDelta ^\boxminus y&= - ((-a_j - j - 1) \ggg 1) + ((-a_j - \varDelta ^\boxminus x - j - 1) \ggg 1) \end{aligned}$$

for \(a_j\) chosen uniformly at random. Since cyclic rotation is not a deterministic operation with respect to additive differences, one cannot obtain \(\varDelta ^\boxminus y\) that works with probability 1. By replacing \(((-a_j - \varDelta ^\boxminus x - j - 1) \lll 1)\) by \(((-a_j - j - 1) \lll 1) + (-\varDelta ^\boxminus x \lll 1)\), and taking advantage of Daum’s results on the interaction of integer addition and rotation [11], we have \(\varDelta ^\boxminus y = -((-\varDelta ^\boxminus x \lll 1) -2\alpha + \beta )\), where \((\alpha , \beta )\) has, as a function of \({\varDelta ^\boxminus x}_R = \lfloor (-\varDelta ^\boxminus x) / 2 \rfloor \) and \({\varDelta ^\boxminus x}_L = (-\varDelta ^\boxminus x) { \text{ mod } }2^7\), one of the following values of probability p:

\((\alpha , \beta )\)

p

(0, 0)  

\(2^{-8}(2^7 - {\varDelta ^\boxminus x}_R)(2 + {\varDelta ^\boxminus x}_L)\)

(0, 1)  

\(2^{-8}{\varDelta ^\boxminus x}_R(2 - {\varDelta ^\boxminus x}_L - 1)\)

(1, 0)  

\(2^{-8}(2^7 - {\varDelta ^\boxminus x}_R){\varDelta ^\boxminus x}_L\)

(1, 1)  

\(2^{-8}{\varDelta ^\boxminus x}_R({\varDelta ^\boxminus x}_L + 1)\)

Similar remarks apply to the rotation by 7 case. By choosing \(\varDelta ^\boxminus x\) carefully, one can maximize the probability of \(\varDelta ^\boxminus y\) as well, as also previously exploited by Daum [11]. For instance, choosing the difference \(\varDelta ^\boxminus x = \mathtt 02 \), one obtains \(\varDelta ^\boxminus y \in \) {01, FC, 81, FB, FD}, with respective probabilities \(\{127/256,126/256,1/256,1/256,1/256\}\). Therefore, one can expect 2 queries to be sufficient in over \({\approx }98\,\%\) of the time with this method.

Using Forgeries for Key Recovery. Such a high-probability forgery attack, dependent on the value of key bits, gives us yet another attack vector for key recovery. This attack is much simpler than the previous ones, and unlike those it does not need to work “right to left” on the message bytes: given a known plaintext, inject \((\mathtt 02 , -\mathtt 02 , -\varDelta ^\boxminus y)\) and query a verification oracle. If the forged message is validated, recover the key bit corresponding to \(m_{i+8}\) by looking up which \(\varDelta ^\boxminus y\) corresponds to which key bit. This process can be repeated 96 times to recover the entire key.

Additionally, this attack can work even over ciphertext, by using the XOR-differences (80, 80, \(\varDelta x)\) with \(\varDelta x \in \){40,C0,01}. The approach here is the same, albeit requiring a few more queries, but it can be applied over unknown ciphertext encrypted with RC4, as is the case with OSGP. The attack thus completely breaks not only the OMA digest, but also the entire cryptographic security of OSGP.

The average number of queries can be reduced by using the following trick: instead of picking a difference at random from the possible set of differences, pick \(\mathtt C0 \) and \(\mathtt 40 \) in order. If none of them results in a forgery, the key bit can only be 1; this results in key recovery in an average of 168 queries. Algorithm 7 illustrates the XOR key-recovery attack on OSGP using this trick, only taking as input a valid ciphertext-tag pair and an oracle that verifies ciphertexts.

figure g

3.5 Extension of the OSGP Analysis to Other Standards

The EN 14908 algorithm, used in OSGP for key derivation and quite similar to the OMA digest, is also used in other LonTalk-derived standards for authentication [6, 13, 1921, 28]. We found evidence that the foundations of the technology (presumably also including the EN 14908 algorithm) were laid in 1988 [24, p. 3]. LonTalk was estimated to be implemented in over 90 million devices as of 2010 [14]. Given that the EN 14908 algorithm has a 48-bit key, it is already broken by design. That said, the attacks described in the previous sections can be adapted to key recovery attacks on the EN 14908 algorithm—likely present in every other LonTalk-derived standard—in much less than \(2^{48}\) work.

4 Conclusion

We have presented a thorough analysis of the OMA digest specified in OSGP. This function has been found to be extremely weak, and cannot be assumed to provide any authenticity guarantee whatsoever. We described multiple attacks having different levels of applicability in the context of OSGP. The forgery attacks presented in Sect. 3.4 belong to the most powerful and practical, and allow to retrieve the 96-bit secret key in a mere 144 and 168 chosen-plaintext queries to a tag-verification oracle exploiting the very slow propagation of additive and XOR-differences in the OMA digest. We also described how the latter variant can work as a ciphertext-only attack, making it even more devastating. For easier verifiability, we implemented the attacks of Sect. 3 in the Python language; the code is listed in Appendix A.

In summary, the work at hand is another entry in the long list of examples of flawed authenticated encryption schemes, and shows once more how easily a determined attacker can break the security of protocols based on weak cryptography.