Fcord 2016 Usim&Milenage 0x48
Cryptographic Embedded Devices
USIM & MILENAGE (Part 2)
[1]Institute for Digital Forensics IDF; Mobile Telephone Examination Board MTEB; London, England
[3]HaystackId 205 W. Randolph, Suite 1125 Chicago, IL 60606; United States of America
Email: llieb@haystackid.com
FORENSIC CONFERENCE ON RESEARCH AND DEVELOPMENTS
(.\fcord2016 – Chapter 18)
For the last two years Chapter 18, Smith et al., have been studying AKA (authentication and key agreement). One candidate for AKA is MILENAGE which, in 2014 (published 2015), was hacked using DPA (a side-channel attack). Having spent 2016 researching a huge range of documents, presentations, test data, scripts etc., it was noted that nothing had been written on what to look for and how practitioners could handle this information. It is hoped that, with the discussion, the embedded links and those willing to learn, this presentation goes some way to help in that regard.
Copyright and IP
Please note that images and other materials used throughout this and other presentations may hold copyright etc. held by their respective owners.
Discussion Topics
• Welcome to FCORD2016 (Chapter 18)
• What has happened since last Chapter event? Recap
• MILENAGE Recap – What, Where, Why
• MILENAGE Recap – Standards to read
• MILENAGE Recap – Simplified Development Tool
• USIM & MILENAGE
• USIM & MILENAGE: Attacks - Methodology for Power Side Channels Attacks
• USIM & MILENAGE: CONCLUSION
Discussion Topics
• A huge body of standards, articles and reports discuss MILENAGE, along with the public algorithm and development tools. Together they combine to produce a useful toolkit for those interested in cryptographic embedded devices.
• A DPA attacker is not the same as the old-style brute-force RAND challenges performed in 1998 by SDA and UC Berkeley researchers to reveal the hidden keys (COMP128-1): http://www.isaac.cs.berkeley.edu/isaac/gsm-faq.html.
• What has happened since last chapter event? – Recap
The hacking community also produced a range of tools, reported in ‘SPECIAL ISSUE: B/2002 CLONING SIM CARDS’, that were shown to successfully clone GSM SIM cards.
• What has happened since last chapter event? – Recap
• Security of devices (e.g. USIM) with cryptographic implementations can be subjected to attacks by analysis of their algorithms and circuits.
• A threat to the security of cryptographic implementations in smart cards that remains today is SPA (Simple Power Analysis) and DPA (Differential Power Analysis), originally proposed in 1999 [*].
• The latest successful Differential Power Analysis attack (performed in 2014 and reported in 2015) did so by directly evaluating DPA leakage from logic information emitted during power “switching activity” in circuits [**].
• As the authors Liu et al. state in their report [**]: “In its standard form..., DPA is based on a divide-and-conquer strategy, in which the different parts of a secret key (usually denoted as “subkeys”) are recovered separately.”
• This training presentation does not propose an attack or countermeasure on the scheme in the parent node, but highlights aspects not often discussed that could help investigations and security policies, processes and procedures.
[*] P. Kocher, J. Jaffe and B. Jun, “Differential Power Analysis,” Crypto’99, LNCS 1666, pp. 388-397, Springer-Verlag, 1999.
[**] Junrong Liu, Yu Yu, François-Xavier Standaert, Zheng Guo, Dawu Gu, Wei Sun, Yijie Ge and Xinjun Xie, “Small Tweaks do Not Help: Differential Power Analysis of MILENAGE Implementations in 3G/4G USIM Cards”.
Discussion Topics
3G Security; Specification of the MILENAGE Algorithm Set: An example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 1: General; 3G TS 33.105 version 13.0.0 (2016-01). It repeats at Section 7.8 ‘Subsequent requirements on the authentication and key generation functions’ (as in previous versions):
‘It is required that the algorithm lends itself to implementations which are resistant to Simple Power Analysis, Differential Power Analysis and other 'side-channel' attacks as appropriate when implemented on a USIM. It is acknowledged that SAGE may need to consult with smart card experts in order to be able to address this requirement.’
Also 3GPP TS 35.205 V13.0.0 (2016-01), Section 9.4 ‘Side channel attacks evaluation’:
‘In the design process it was concluded not to be feasible to design a general algorithm framework that by itself would not be vulnerable to side channel attacks. Rijndael, as most other block ciphers, is potentially vulnerable to simple and differential power analysis (SPA and DPA) aiming to recover the secret key. It was also concluded that the use of operator constants, OPc, in the USIM cards can only play a limited role in protecting against these kinds of attacks. Hardware protection measures and masking techniques, as referenced in [6], need to be specifically implemented for protection. Also timing attacks (TA) may need implementation specific countermeasures. Rijndael as an AES candidate has been shown to readily lend itself to protection measures against side channel attacks.’
• MILENAGE Recap – standards to read:
- For mobile standards specifications relevant to confidentiality, the MILENAGE series is available here: http://www.3gpp.org/DynaReport/35-series.htm
“Example set of algorithms which may be used as the authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*. (It is not mandatory that the particular algorithms specified in this document are used — all seven functions are operator-specifiable rather than being fully standardised). This document is one of five, which between them form the entire specification of the example algorithms, entitled:
• 3GPP TS 35.205: Document 1: General
• 3GPP TS 35.206: Document 2: Algorithm Specification
• 3GPP TS 35.207: Document 3: Implementors' Test Data
• 3GPP TS 35.208: Document 4: Design Conformance Test Data
• 3GPP TR 35.909: Document 5: Summary and results of design and evaluation”
NOTE: TS = Technical Specification; TR = Technical Report
• MILENAGE Recap – standards to read:
(Figure: UMTS security / MILENAGE diagram, image source: http://1.bp.blogspot.com/-qqyhNtIf04I/TcF4b5m6NeI/AAAAAAAAADw/kYIu9Z0-dhw/s1600/umts_security_MILENAGE.JPG)
• MILENAGE Recap – simplified development tool - input:
• MILENAGE Recap – simplified development tool - output:
• MILENAGE Recap – simplified development tool - input:
• MILENAGE Recap – simplified development tool:
• MILENAGE Recap: TR 35.909 V13.0.0 (2016-01) Release 13, Page 13, Section 8 ‘The 3GPP MILENAGE algorithm’
There are, of course, many other up-to-date tools that assist cyber and security investigations, pen testers and forensics. That is why Training Course Part 1 contains extensive historical and up-to-date research and materials as part of the training course, which also includes the identification of scripts etc.
So we can see there are standards for cryptographic algorithms for GSM/3G/LTE. We understand that the MILENAGE algorithm’s specifications defined in the standards provide a useful understanding of the parameters and functions that cyber management can consider when handling USIM/device investigations in the workplace and for asset management.
Discussion Topics
Tool reference: http://www.quantaq.com/products/usimdetective/
• USIM & MILENAGE:
The tools and software are out there to program USIMs embedded with MILENAGE.
Discussion Topics
The report above (Liu et al. [**]), published in 2015, confirmed the results of the authors’ successful tests obtained the previous year on certain USIM cards embedded with MILENAGE that were susceptible to a DPA attack. The report did not claim, infer or imply that all USIM cards were susceptible to DPA attacks, but highlighted those USIMs that were attacked and how quickly the secret keys were obtained (next slide). The report does not identify a particular manufacturer, network operator or country involved.
Download report: https://perso.uclouvain.be/fstandae/PUBLIS/161.pdf
• USIM & MILENAGE: Methodology for Power Side-Channels Attacks
Summary and outcome of the attack reported at the Black Hat USA 2015 Conference: https://www.blackhat.com/us-15/briefings.html#cloning-3g-4g-sim-cards-with-a-pc-and-an-oscilloscope-lessons-learned-in-physical-security
The successful DPA attack on the DUTs (devices under test, i.e. the chips) was possible by exercising the encryption on the chips while observing their power levels during switching activity. Professor Yu Yu and his team analysed the power levels to show a correlation with the bit patterns.
The attack further involved observing differences in the encryption process, which were then used to crack the keys. This is shown in the presentation by use of particular test data: presenting an arrangement of inputs to the chips and observing the power level variations. During each round of test attacks the observed power consumption levels changed, depending upon the activity within the chips. This task-orientated procedure led to the chips exposing their secrets, which enabled other chips to be cloned from the revealed secrets.
This successful attack affords cyber management, forensic investigators, pen testers etc. a useful investigation and training opportunity to discover how these and similar attacks might occur and what action may be necessary. To do that we need not rehearse what is already written in the report/presentation, but analyse the components involved in the attack and other aspects identified by the authors, to assist investigations and security policies, practices and procedures.
• USIM & MILENAGE: Methodology for Power Side-Channels Attacks
Template - identities in side channel attacks - DPA (mind-map)
POWER TRACES: The Measurement Setup; The Signal Processing
POWER MODELS: Single Bit; Hamming Weight; Hamming Distance; Switching Distance; Toggle Count; Power Simulation; Profiled Model
DIFFERENTIAL POWER ANALYSIS: Difference of Means; Correlation Coefficient
Advanced Power Analysis Attacks: Higher-Order DPA; Collision Attacks; Profiled Attacks; Algebraic Side-Channel Attacks
(On the original slide a tick mark denotes the items used in metrics or discussed as tools of attack.)
• USIM & MILENAGE: Methodology for Power Side-Channels Attacks
Question for security and forensic consideration. Does the reported attack note countermeasure/s implemented in and on the USIM card designed to prevent attack and revelation of secrets? If so, how was the attack successful, in other words, what failed?
ALGORITHMIC level countermeasures: Masked Data? Block Ciphers [~]? Random Delay? Shuffling?
CIRCUIT level countermeasures: DDL (Dynamic Differential Logic)? SABL (Sense Amplifier Based Logic)? DCVSL (Differential Cascode Voltage Switch Logic)? SDDL (Simple Dynamic Differential Logic)? WDDL (Wave Dynamic Differential Logic)? DWDDL (Double Wave Dynamic Differential Logic)?
[~] Does MILENAGE use block ciphers? How would this prevent DPA?
Masked Data > Obfuscation (blinding, masking); Cache Lockdown (static, disallow caching altogether); Random Delay > by dummy XOR (logic gate); Shuffling > Randomization (the address-to-cacheline mapping), like Address Space Layout Randomization (ASLR); Leakage reduction > Noise (injecting an unpredictable component).
• USIM & MILENAGE: Methodology for Power Side-Channels Attacks
Roman Korkikian submitted a doctoral thesis (2016-10) with the title ‘Side-Channel and Fault Analysis in the Presence of Countermeasures: Tools, Theory and Practice’, https://www.ens-paris.fr/images/RK.pdf. See pages 45-46 for side channel attack countermeasure definitions based upon the mind-map below.
• USIM & MILENAGE: Methodology for Power Side-Channels Attacks
1. Attack Attributes vis-à-vis Methodology
POWER TRACES – The Measurement Setup:
- Self-made card reader
- CryptoMobile-Master - Py script (free on the internet)
- PC – Dell or similar
- LeCroy WaveRunner MXi-A (photo: updated oscilloscope)
- Card-to-Terminal Adapter
- MP300 SC2
Assessing skillsets and the actual or potential tools to breach security invariably requires understanding whether an attack could have been perpetrated by a major source or by a person in a backroom with a PC. This type of question is not new. In an online news article about cyber attacks on the BBC website (http://www.bbc.co.uk/news/technology-18238326), Kaspersky's chief malware expert Vitaly Kamluk said: "Currently there are three known classes of players who develop malware and spyware: hacktivists, cybercriminals and nation states."
Sixteen years earlier, a taxonomy of attackers (classes) was defined by Ross Anderson and Markus Kuhn in 1996, and referred to back in 1998 in a series of reports published in FEN (Forensic Expert News) into Smart Card Hacking. This was prior to the successful 1998 attack on GSM SIM cards.
• USIM & MILENAGE: CONCLUSION
- SNOW: http://www.gsma.com/aboutus/wp-content/uploads/2014/12/Doc5-UEA2-UIA2-Spec-Design-Evaluation-Report.doc
Also, see ISG Smart Card Centre - Royal Holloway University of London, Re: Performance Evaluation of the TUAK algorithm in support of the ETSI SAGE standardisation group, 31.10.2014: http://www.3gpp.org/ftp/Specs/archive/35_series/35.936/SAGE_report/Perfevaluationext.zip
• USIM & MILENAGE: CONCLUSION
CONCLUSION – HARDWARE COUNTERMEASURES:
In general, to avoid power side-channel attacks (SCA), the particular USIM providers in industry should learn, if they haven’t already, from smart card solutions, e.g. to snuff out side-channel attacks at source; a dual CPU that works on inverted logic can help do this. One solution, of many, is the Infineon SLE77 with a dual CPU and memory, bus and cache encryption:
http://www.infineon.com/cms/en/product/security-and-smart-card-solutions/security-controllers/sle77/channel.html?channel=5546d462503812bb015066c2d8181744
http://www.infineon.com/dgdl/Infineon-Infineon+Chip+Card+&+Security+ICs+Portfolio_10.2014-SG-v01_00-EN.pdf?fileId=5546d4624933b875014999016c6e2bde
• USIM & MILENAGE: Methodology for Power Side Channels Attacks
Cyber Management
Determining the possibility of attack and reducing or removing the risk could include:
- Asset management: company-issued devices vis-à-vis BYOD
- Selection and choice of algorithm and hardware
- BYOD: Cyber Classification, http://trewmte.blogspot.co.uk/2015/08/byod-cyber-classification.html
INVESTIGATORS
Hopefully this presentation might help; plus helpful info below:
PEN TESTERS
- Can you run tests to evaluate any rogue USIMs?
- Do you have the equipment to evaluate whether a USIM is vulnerable to side-channel attack?
FORENSIC EXAMINERS
- Is your SIM reader up-to-date, and does it collect data from the particular visible elementary files (EF)?
- Particularly for law enforcement: obtain the various cryptographic algorithm signatures identified in EFKEYS etc.
- Link analysis to other EFs in the USIM to create a profile of network activity.
THANK YOU
END OF FCORD2016 CHAPTER 18
DISCUSSION CHANNEL