CS261Scribe: Raluca SauciucNovember 25, 2008Security is a systems problem. The easiest route is not to attack crypto, butbypass it altogether. Paper exemplifies this within the banking industry. Tosummarize:• ”crypto is not magic pixie dust”• Roger Needham: ”if you think crypto will solve your security problem,you don’t understand crypto and you don’t understand your problem.”1 Cellphone SecurityAT & T invented them in the late 70’s. First generation:Each cellphone has a 32-bit ID (Electronic Serial Number) which is sent to thebase station. Telco has a DB mapping ID’s to accounts, so they know who tobill. Attacks:• cellphone cloning• trivial to eavesdrop (scanners)Cloning was a big deal - you could hack your own phone and change the IDto a random number. The base station would allow calls anyway while checkingwith the DB in the background (waiting for the DB check was considered tooexpensive to perform synchronously before the call). If the ID turned out to beinvalid, there was no mechanism for tearing down the connection. There was avery popular scheme for selling cheap international calls by performing a 3-waycall: first call would be kept alive for 12h (the maximum time, since the basestation couldn’t tear down this call with an invalid ID), while the second onedials international numbers on demand. The companies’ response was to keepcached blacklists to detect invalid IDs . But blacklists had to be propagated fast1enough between base stations, and even then the first fraudulent call would gothrough.An improvement to this basic cloning was tumbling: the phone picks a newrandom ESN each time. The companies upgraded to tear down calls in progress.The next attack was to use valid ESNs. The only problem was to not set offthe fraud alarms (otherwise use some ESNs for just a month, until the phonebill comes out).Eavesdropping was very easy (you could even use old TVs for that!). Pre-ferred places were airports or highways (just s it in the car and listen...)Companies reportedly lost $500 mil. annually to fraud. But they alreadyhad the infrastructure in place, so they couldn’t afford a complete redesign(changing all base stations), they had to stay backwards-compatible. Their fixwas to switch to digital + add security mechanisms.1.1 DigitalThe phone has a 64-bit key K, shared with the phone company. A sess ionkey skof 500 random bits, constructed by sk= F0k(N), is used as a many-timepad to encrypt the data (XOR).But silence frames would be like known plain text and would allow therecovery of the session key. Therefore, all phones had an all 0’s key installedas a default key. This would be the long lifetime key, with no entropy. Asecond, medium lifetime key would be generated and evolved from all noncesseen, and this key would be used for encryption. This way, you would need tosee all nonces to intercept a call – otherwise the medium lifetime key is randomenough.1.2 GSMEurop e also had export control issues for crypto, just as US. The GSM standarddefines 3 levels of security, in increasing order of security against eavesdropping:• A5/0 – no security at all• A5/2 – 40-bit key, eliminates ordinary eavesdroppers• A5/1 – full strength crypto algorithm2The session key skis constructed sim ilarly (sk= F0k(N)). The difference is thatnow a list of supported ciphers is sent to the base station, which selects whichcipher to use.• Authentication algorithms have to be full-strength, otherwise money islost due to fake calls / cloning fraud• Voice confidentiality can be flakyThe ”you’re now in France” attack: you set up a fake base station and claimto only support A5/2 (no strong crypto allowed). Repeat the nonce N for apreviously-recorded call that you wish to decrypt, so the session key stays thesame. Then you c rack the crypto and reconstruct the session key:Man-in-the-middle attack:Mallory breaks A5/2 and recovers the session key sk, then places fake calls overthe authenticated base station.New versions of GSM fix this by choosing sk= F0k(N, which− cipher − you−use)To summarize, these attacks are kind of rare – you need to fake base stations,etc. The easy path for fraud is more into the economic landscape: identity theftor prepaid cards with fraudulent (stolen) cards.32 Banks & ATMs1. First version, magnetic stripe has (account#, DESk(P IN )).But DES is breakable. Plus, there’s no connection between the accountnumber and the PIN, so you can change DESk(P IN ) and put your en-crypted PIN. Receipts also listed the full account number, which madethis attack easy.2. The magnetic stripe only has (account#). The PIN is derived from theaccount number: P IN = FK(account#). After the DES encryption, thePIN is derived from the first four digits, by choosing for instance a modulo10 representation.This scheme makes some numbers more likely to show up than others(frequency of digits is not the same). Plus, since the PIN number isassigned it’s more likely to b e written up somewhere; if not, the attackercan just snoop over your shoulder and see the PIN, then get the account# from the receipt.3. The magnetic stripe has (account#, of f set), with P IN = offset+FK(P IN ).Now you can use your own PIN and the bank w ill choose appropriate