Skip to main content
SpringerLink
Log in

Side-Channel Analysis of the TUAK Algorithm Used for Authentication and Key Agreement in 3G/4G Networks

  • Conference paper
  • First Online:
Smart Card Research and Advanced Applications (CARDIS 2016)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10146))

  • 844 Accesses

Abstract

Side-channel attacks are nowadays well known and most designers of security embedded systems are aware of them. Yet, these attacks are still major concerns and several implementations of cryptographic algorithms are still being broken. In fact, a recent work has exhibited a successful Differential Power Attack (DPA) on the Milenage algorithm used for authentication and key agreement in UMTS/LTE networks. Surprisingly, the targeted Milenage implementations in different USIM cards, coming from several mobile network operators, didn’t systematically take advantage of the large panel of the well-known side-channel countermeasures. Recently, a new algorithm called Tuak, based on the Keccak permutation function, has been proposed as alternative to Milenage. Although Keccak was deeply analyzed in several works, the Tuak algorithm needs to be well investigated to assess its security level and to avoid inappropriate apply of Keccak. In this paper, we present a side-channel analysis of an unprotected Tuak implementation and we demonstrate that a successful side-channel attack is possible if the state-of-the-art countermeasures are not considered. Our results show that a few hundred of traces would roughly be needed to recover the subscriber key and other authentication secrets fixed by mobile operators. Actually, this work raises a warning flag to embedded systems developers alerting them to rely on adequate countermeasures, which effect shall be confirmed with thorough security analysis, when implementing cryptographic primitives in USIM cards.

This work has been partially funded by the ANR project SERTIF.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    The AKA 4G protocol slightly differs from the 3G one, in particular on the way that the session keys are computed.

  2. 2.

    We refer the reader to [5, Sect. 6.2] for further information about the specifications of the INSTANCE field.

  3. 3.

    Explicitly, the successive ALGONAME field bytes are: 0x30, 0x2E, 0x31, 0x4B, 0x41, 0x55 and 0x54.

  4. 4.

    In fact, both T[4] and T[5] depend on the SQN and AMF fields which are sent in clear, so known to the adversary, since we have assumed that \(f_5\) function is not executed. Indeed, these fields vary from an authentication session to another one (e.g. the SQN is incremented by one for each authentication request) which enables performing a side-channel attack.

  5. 5.

    The pink curves describe the input/output signal.

References

  1. ETSI TS 133 105; universal mobile telelecommunications system (UMTS); LTE; 3G security; cryptographic algorithm requirements (2016). 3GPP TS 33.105 version 13.0.0 release 13, 01/2016

    Google Scholar 

  2. ETSI, TS 133 202; universal mobile telelecommunications system (UMTS); LTE; 3G security; specification of the 3GPP. Confidentiality, integrety algorithms; document 2: Kasumi specification (2016). 3GPP TS 35.202 version 13.0.0 release 13, 01/2016

    Google Scholar 

  3. ETSI, TS 135 201; universal mobile telelecommunications system (UMTS); LTE; 3G security; specification of the 3GPP. Confidentiality, integrety algorithms; document 1: \(f_8\) and \(f_9\) specification (2016). 3GPP TS 35.201 version 13.0.0 release 13, 01/2016

    Google Scholar 

  4. 3GPP specification: 135.206 (2016). Specification of the Milenage algorithm set, V13.0.0, 01/2016

    Google Scholar 

  5. 3GPP specification: 135.231 (2016). Specification of the Tuak algorithm set, V13.0.0, 01/2016

    Google Scholar 

  6. Akkar, M.-L., Giraud, C.: An implementation of DES and AES, secure against some attacks. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 309–318. Springer, Heidelberg (2001). doi:10.1007/3-540-44709-1_26

    Chapter  Google Scholar 

  7. Alt, S., Fouque, P.-A., Macario-rat, G., Onete, C., Richard, B.: A cryptographic analysis of UMTS/LTE AKA. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 18–35. Springer, Heidelberg (2016). doi:10.1007/978-3-319-39555-5_2

    Google Scholar 

  8. Barkan, E., Biham, E., Keller, N.: Instant ciphertext-only cryptanalysis of GSM encrypted communication. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 600–616. Springer, Heidelberg (2003). doi:10.1007/978-3-540-45146-4_35

    Chapter  Google Scholar 

  9. Bertoni, G., Daemen, J., Debande, N., Le, T., Peeters, M., Assche, G.V.: Power analysis of hardware implementations protected with secret sharing. In: 45th Annual IEEE/ACM, MICRO 2012, Workshops Proceedings, Vancouver, BC, Canada, 1–5 December 2012, pp. 9–16 (2012)

    Google Scholar 

  10. Bertoni, G., Daemen, J., Peeters, M., Assche, G.V.: Note on side-channel attacks and their countermeasures. In: Comment on the NIST Hash Competition Forum, May 2009

    Google Scholar 

  11. Bertoni, G., Daemen, J., Peeters, M., Assche, G.V.: The Keccak reference, January 2011

    Google Scholar 

  12. Bertoni, G., Daemen, J., Peeters, M., Assche, G.V.: Keccak implementation overview, Version 3.2, 29 May 2012

    Google Scholar 

  13. Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004). doi:10.1007/978-3-540-28632-5_2

    Chapter  Google Scholar 

  14. Chari, S., Jutla, C.S., Rao, J.R., Rohatgi, P.: Towards sound approaches to counteract power-analysis attacks. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 398–412. Springer, Heidelberg (1999). doi:10.1007/3-540-48405-1_26. ISBN: 3-540-66347-9

    Google Scholar 

  15. Chari, S., Rao, J.R., Rohatgi, P.: Template attacks. In: Kaliski, B.S., Koç, K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 13–28. Springer, Heidelberg (2003). doi:10.1007/3-540-36400-5_3

    Chapter  Google Scholar 

  16. Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Springer, Heidelberg (2002)

    Book  MATH  Google Scholar 

  17. Doget, J., Prouff, E., Rivain, M., Standaert, F.-X.: Univariate side channel attacks and leakage modeling. J. Cryptogr. Eng. 1(2), 123–144 (2011)

    Article  Google Scholar 

  18. Gierlichs, B., Batina, L., Tuyls, P., Preneel, B.: Mutual information analysis. In: Oswald, E., Rohatgi, P. (eds.) CHES 2008. LNCS, vol. 5154, pp. 426–442. Springer, Heidelberg (2008). doi:10.1007/978-3-540-85053-3_27

    Chapter  Google Scholar 

  19. Goubin, L., Patarin, J.: DES and differential power analysis the “Duplication” method. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 158–172. Springer, Heidelberg (1999). doi:10.1007/3-540-48059-5_15

    Chapter  Google Scholar 

  20. Homma, N., Nagashima, S., Sugawara, T., Aoki, T., Satoh, A.: A high-resolution phase-based waveform matching and its application to side-channel attacks. IEICE Trans. 91-A(1): 193–202. New Orleans. Louisiana, USA (2008). doi:10.1109/ISCAS.2007.378024

  21. Kocher, P.C.: Timing attacks on implementations of diffie-hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996). doi:10.1007/3-540-68697-5_9

    Google Scholar 

  22. Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999). doi:10.1007/3-540-48405-1_25

    Google Scholar 

  23. Liu, J., Yu, Y., Standaert, F.-X., Guo, Z., Gu, D., Sun, W., Ge, Y., Xie, X.: Cloning 3G/4G sim cards with a pc and an oscilloscope: lessons learned in physical security. In: BlackHat (2015)

    Google Scholar 

  24. Liu, J., Yu, Y., Standaert, F.-X., Guo, Z., Gu, D., Sun, W., Ge, Y., Xie, X.: Small tweaks do not help: differential power analysis of MILENAGE implementations in 3G/4G USIM cards. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9326, pp. 468–480. Springer, Heidelberg (2015). doi:10.1007/978-3-319-24174-6_24

    Chapter  Google Scholar 

  25. Luo, P., Fei, Y., Fang, X., Ding, A.A., Kaeli, D.R., Leeser, M.: Side-channel analysis of MAC-Keccak hardware implementations. In: Proceedings of the Fourth HASP, pp. 1:1–1:8. ACM, New York, NY, USA (2015)

    Google Scholar 

  26. Mayes, K., Babbage, S., Maximov, A.: Performance evaluation of the new Tuak mobile authentication algorithm. In: The Eleventh International Conference on Systems ICONS 2016, pp. 38–44 (2016). Related to work done in support of the ETSI SAGE group for mobile authentication standards

    Google Scholar 

  27. Messerges, T.S.: Securing the AES finalists against power analysis attacks. In: FSE 2000, pp. 150–164. Springer, New York (2000)

    Google Scholar 

  28. Rao, J.R., Rohatgi, P., Scherzer, H., Tinguely, S.: Partitioning attacks: or how to rapidly clone some GSM cards. In: Proceedings of the 2002 IEEE Symposium on Security and Privacy, SP 2002, p. 31, Washington, DC, USA (2002)

    Google Scholar 

  29. Rivain, M., Prouff, E., Doget, J.: Higher-order masking and shuffling for software implementations of block ciphers. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 171–188. Springer, Heidelberg (2009). doi:10.1007/978-3-642-04138-9_13

    Chapter  Google Scholar 

  30. Schindler, W.: Advanced stochastic methods in side channel analysis on block ciphers in the presence of masking. J. Math. Crypt. 2(3), 291–310 (2008)

    MathSciNet  MATH  Google Scholar 

  31. Schindler, W., Lemke, K., Paar, C.: A stochastic model for differential side channel cryptanalysis. In: Rao, J.R., Sunar, B. (eds.) CHES 2005. LNCS, vol. 3659, pp. 30–46. Springer, Heidelberg (2005). doi:10.1007/11545262_3

    Chapter  Google Scholar 

  32. Taha, M.M.I., Schaumont, P.: Side-channel analysis of MAC-Keccak. In: 2013 IEEE International Symposium on Hardware-Oriented Security and Trust, HOST 2013, Austin, TX, USA, 2–3 June 2013, pp. 125–130 (2013)

    Google Scholar 

  33. Veyrat-Charvillon, N., Medwed, M., Kerckhof, S., Standaert, F.-X.: Shuffling against side-channel attacks: a comprehensive study with cautionary note. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 740–757. Springer, Heidelberg (2012). doi:10.1007/978-3-642-34961-4_44

    Chapter  Google Scholar 

  34. Wagner, D., Schneier, B., Kelsey, J.: Cryptanalysis of the cellular message encryption algorithm. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 526–537. Springer, Heidelberg (1997). doi:10.1007/BFb0052260

    Chapter  Google Scholar 

  35. Zohner, M., Kasper, M., Stottinger, M., Huss, S.: Side channel analysis of the SHA-3 finalists. DATE 2012, 1012–1017 (2012)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Safran Identity and Security, Paris, France

    Houssem Maghrebi & Julien Bringer

Authors
  1. Houssem Maghrebi
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Julien Bringer
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Houssem Maghrebi .

Editor information

Editors and Affiliations

  1. Bonn-Rhein-Sieg University of Applied Sciences, St. Augustin, Germany

    Kerstin Lemke-Rust

  2. Cryptography Research Inc. , San Francisco, California, USA

    Michael Tunstall

Rights and permissions

Reprints and permissions

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Maghrebi, H., Bringer, J. (2017). Side-Channel Analysis of the TUAK Algorithm Used for Authentication and Key Agreement in 3G/4G Networks. In: Lemke-Rust, K., Tunstall, M. (eds) Smart Card Research and Advanced Applications. CARDIS 2016. Lecture Notes in Computer Science(), vol 10146. Springer, Cham. https://doi.org/10.1007/978-3-319-54669-8_3

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-54669-8_3

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-54668-1

  • Online ISBN: 978-3-319-54669-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation