Breaking Industrial Ciphers at a Whim
Mate Soos
Presentation at HES'11

Story line
1. HiTag2: reverse-engineered proprietary cipher
2. Analytic tools are needed to investigate them
3. CryptoMiniSat: free software tool to test ciphers (and to break them)

Philips HiTag2 Cipher
- For access control: cars, army buildings
- Proprietary: reverse-engineered by Karsten Nohl and Sean O'Neil
- Feedback linear(!), filter non-linear

SAT Solvers
- Input: CNF, an and of or-s: (x1 x3) (x2 x3) (x1 x2)
- Crypto-problem needs conversion
- Uses DPLL(ϕ) algorithm:
  1. If (formula ϕ trivial) return SAT/UNSAT
  2. ret := DPLL(ϕ with v true)
  3. If (ret = SAT) return SAT
  4. ret := DPLL(ϕ with v false)
  5. If (ret = SAT) return SAT
  6. return UNSAT

Toy Example
Clause 1: (x1 x2 x3)
Clause 2: (x1 x2)
Clause 3: (x1 x2)
1. Guess: x1 = True
2. Clause 2: x2 = True
3. Clause 3: impossible! Reverse.
4. x1 = False
5. Good, everything is satisfied!

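The DPLL procedure and the toy walkthrough above, as an added Python example that is not from the original slides. Literals are DIMACS-style integers, and the negation signs in TOY are an assumption chosen so the trace follows the walkthrough's steps, since the slide's connectives and signs are not in the text.

```python
# Added example (not from the slides): DPLL with unit propagation.
# Literals are DIMACS-style ints: 2 means x2, -2 means NOT x2.

def assign(clauses, lit):
    """Set lit true; return reduced clauses, or None on an empty clause."""
    out = []
    for clause in clauses:
        if lit in clause:
            continue  # clause already satisfied
        rest = [l for l in clause if l != -lit]
        if not rest:
            return None  # conflict: every literal falsified
        out.append(rest)
    return out

def dpll(clauses, model=None, trace=None):
    """Return (model, trace); model is None when the formula is UNSAT."""
    model = dict(model or {})
    trace = [] if trace is None else trace
    while clauses:  # unit propagation: one-literal clauses force a value
        unit = next((c[0] for c in clauses if len(c) == 1), None)
        if unit is None:
            break
        trace.append(("forced", unit))
        model[abs(unit)] = unit > 0
        clauses = assign(clauses, unit)
        if clauses is None:
            trace.append(("conflict", unit))
            return None, trace
    if not clauses:
        return model, trace  # every clause satisfied
    var = abs(clauses[0][0])
    for lit in (var, -var):  # try v true, then v false, as on the slide
        trace.append(("guess", lit))
        reduced = assign(clauses, lit)
        if reduced is None:
            trace.append(("conflict", lit))
            continue
        found, _ = dpll(reduced, {**model, var: lit > 0}, trace)
        if found is not None:
            return found, trace
    return None, trace

# Constructed formula; the negation signs are an assumption chosen to
# reproduce the toy walkthrough: (-x1 v x2 v x3)(-x1 v x2)(-x1 v -x2)
TOY = [[-1, 2, 3], [-1, 2], [-1, -2]]
if __name__ == "__main__":
    print(dpll(TOY))
```

Variables missing from the returned model are unconstrained: in the toy run only x1 is fixed, so x2 and x3 may take either value.
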
Example Search Tree
- Guess until conflict
[Figure: search tree, with labels Start, Backtrack, First conflict, Solution Found]

CryptoMiniSat
- SAT solver that excels at cryptography
- General purpose: won SAT Race'10
- Collaborative: GPL, mailing list, regular releases
[Figure: Time (s) against No. solved instances from SAT Comp'09, for MiniSat 2.2, lingeling, PrecoSat465 and CryptoMiniSat SAT Comp'11]

Demo
1. Generate HiTag2 problem: Grain-of-Salt tool
2. Solve it using CryptoMiniSat
3. Analyse results: 2 days to break

Conclusion
- SAT solvers are powerful tools to break weak cryptography
- CryptoMiniSat, a leading SAT solver, is waiting for your contribution
- Weak ciphers like HiTag2 should not be used in high-value applications