Extracting The RC4 Secret Key Of The Open Smart Grid Protocol . - ACSAC
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) Industrial Control System Security Workshop (ICSS) Los Angeles, USA 8 December 2015 Linus Feiten and Matthias Sauer University of Freiburg Germany Chair of Computer Architecture
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) Outline Preliminaries Smart Grid Open Smart Grid Protocol (OSGP) Security in OSGP Attack on OSGP data confidentialty Weakness of classical RC4 Adapting attack to OSGP's RC4 Practicality of attack Countermeasures? 2
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) The Smart Grid (Copyright: Portland General Electric, "Smart Grid" via Flickr, Creative Commons Attribution-NoDerivs 2.0 Generic) 3
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) Open Smart Grid Protocol (OSGP) Development started 2010. Maintained by OSGP Alliance (www.osgp.org) and Networked Energy Services Corp (www.networkedenergy.com). Since 2012 freely available as European Telecommunications Standards Institute (ETSI) specification GS OSG 001. Over 3.5 million devices worldwide. (http://www.etsi.org/deliver/etsi gs/osg/001 099/001/01.01.01 60/gs osg001v010101p.pdf) 4
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) OSGP communication network Application layer (media independent) Networking layer (media independent) Physical media layer OSGP (ETSI GS OSG 001) LonWorks (ISO/IEC 14908.1) Power Line Communication (ETSI TS 103 908) Future. 5
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) OSGP communication network Power plant or grid operator (load balancing, billing). Electricity “prosumers”. Data Concentrator (DC) Device Device Device smart meters, e-cars solar panels, etc. OSGP devices also act as message repeaters. Device Device Master/slave communication only initiated by DC. Device Device 6
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) OSGP communication security Data Concentrator (DC) Device Data integrity Prevent man-in-the-middle from forging data, e.g. switch on/off devices. Data confidentiality Prevent eavesdropper from reading sensitive data on electricity consumption. 7
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) OSGP data integrity For each message, generate a digest (hash value) using the secret “Open Media Access Key” (OMAK): 12-byte OMAK plaintext message OSGP-DigestAlgorithm 8-byte digest 8
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) OSGP data integrity For each message, generate a digest (hash value) using the secret “Open Media Access Key” (OMAK): 12-byte OMAK plaintext message OSGP-DigestAlgorithm 8-byte digest Transmit message and its digest: OMAK Data Concentrator (DC) Device plaintext OMAK digest 9
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) OSGP data confidentiality For each message, generate an RC4 cipher stream using the secret “Base Encryption Key” (BEK). Encryption by xor of plaintext and cipher stream. 16-byte BEK RC4 cipher stream plaintext message XOR encrypted message 10
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) OSGP data confidentiality For each message, generate an RC4 cipher stream using the secret “Base Encryption Key” (BEK). Encryption by xor of plaintext and cipher stream. 16-byte BEK (Initialization vector) 8-byte digest RC4 cipher stream plaintext message XOR encrypted message 11
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) OSGP data confidentiality For each message, generate an RC4 cipher stream using the secret “Base Encryption Key” (BEK). Encryption by xor of plaintext and cipher stream. 16-byte BEK RC4 (Initialization vector) 8-byte digest cipher stream plaintext message XOR encrypted message Transmit encrypted message and its digest: OMAK BEK Data Concentrator (DC) Device encrypted digest OMAK BEK 12
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) OSGP communication security OMAK BEK Data Concentrator (DC) OMAK: Data integrity (prevent forging of data) Device OMAK BEK BEK: Data confidentiality (prevent reading of data) 13
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) OSGP communication security OMAK BEK Data Concentrator (DC) OMAK: Data integrity (prevent forging of data) Device OMAK BEK BEK: Data confidentiality (prevent reading of data) BEK is in fact derived from OMAK. 14
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) OSGP communication security OMAK BEK Data Concentrator (DC) OMAK: Data integrity (prevent forging of data) Device OMAK BEK BEK: Data confidentiality (prevent reading of data) BEK is in fact derived from OMAK. DC and all (!) devices share the same OMAK. 15
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) OSGP communication security OMAK BEK Data Concentrator (DC) OMAK: Data integrity (prevent forging of data) Device OMAK BEK BEK: Data confidentiality (prevent reading of data) BEK is in fact derived from OMAK. DC and all (!) devices share the same OMAK. Kursawe and Peters (2015), Jovanovic and Neves (2015) showed how to exploit the OSGP-Digest-Algorithm to derive the OMAK. 16
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) OSGP communication security OMAK BEK Data Concentrator (DC) OMAK: Data integrity (prevent forging of data) Device OMAK BEK BEK: Data confidentiality (prevent reading of data) BEK is in fact derived from OMAK. DC and all (!) devices share the same OMAK. Kursawe and Peters (2015), Jovanovic and Neves (2015) showed how to exploit the OSGP-Digest-Algorithm to derive the OMAK. Here, we show an independent attack exploiting RC4 to derive the BEK, thereby compromising OSGP's data confidentiality. 17
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) Attack on RC4 16-byte BEK RC4 (Initialization vector) 8-byte digest secret BEK cipher stream plaintext message XOR secret (unless message bytes are predictable) plaintext message cipher stream encrypted message public digest encrypted message 18
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) Attack on RC4 16-byte BEK RC4 cipher stream (Initialization vector) 8-byte digest secret BEK plaintext message XOR secret (unless message bytes are predictable) plaintext message cipher stream encrypted message public digest encrypted message Exploit biases in RC4 output, to derive the secret BEK! 19
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) Biased output of “classical” RC4 3-byte IV (public) 13-byte key (secret) k1 k2 k3 . k13 IV1 IV2 IV3 cipher stream (predicted) RC4 z1 z2 z3 z4 z5 . 20
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) Biased output of “classical” RC4 3-byte IV (public) 13-byte key (secret) k1 k2 k3 . k13 IV1 IV2 IV3 cipher stream (predicted) RC4 z1 z2 z3 z4 z5 . IV1,1 IV2,1 IV3,1 Different messages with different IVs. IV1,2 IV2,2 IV3,2 IV1,3 IV2,3 IV3,3 IV1,4 IV2,4 IV3,4 . 21
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) Biased output of “classical” RC4 3-byte IV (public) 13-byte key (secret) k1 k2 k3 . k13 IV1 IV2 IV3 cipher stream (predicted) RC4 IV1,1 IV2,1 IV3,1 Different messages with different IVs. IV1,2 IV2,2 IV3,2 IV1,3 IV2,3 IV3,3 IV1,4 IV2,4 IV3,4 .different cipher streams. z1 z2 z3 z4 z5 . z1,1 z2,1 z3,1 z4,1 z5,1 . z1,2 z2,2 z3,2 z4,2 z5,2 . z1,3 z2,3 z3,3 z4,3 z5,3 . z1,4 z2,4 z3,4 z4,4 z5,4 . . . 22
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) Biased output of “classical” RC4 3-byte IV (public) 13-byte key (secret) k1 k2 k3 . k13 IV1 IV2 IV3 cipher stream (predicted) RC4 IV1,1 IV2,1 IV3,1 Different messages with different IVs. IV1,2 IV2,2 IV3,2 IV1,3 IV2,3 IV3,3 .different cipher streams. IV1,4 IV2,4 IV3,4 * Roos (1995), Jenkins (1996), Klein (2006) z2 z3 z4 z5 . z1,1 z2,1 z3,1 z4,1 z5,1 . z1,2 z2,2 z3,2 z4,2 z5,2 . z1,3 z2,3 z3,3 z4,3 z5,3 . z1,4 z2,4 z3,4 z4,4 z5,4 . . . Derive k from most frequent z values.* k1 is brute-forced (256 guesses). z1 k1 k2 k1 k2 k3 k1 k2 k3 k4 23
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) Biased output of “classical” RC4 3-byte IV (public) 13-byte key (secret) k1 k2 k3 . k13 IV1 IV2 IV3 cipher stream (predicted) RC4 IV1,1 IV2,1 IV3,1 Different messages with different IVs. IV1,2 IV2,2 IV3,2 IV1,3 IV2,3 IV3,3 .different cipher streams. IV1,4 IV2,4 IV3,4 * Roos (1995), Jenkins (1996), Klein (2006) z2 z3 z4 z5 . z12 z1,1 z2,1 z3,1 z4,1 z5,1 . z12,1 z1,2 z2,2 z3,2 z4,2 z5,2 . z12,2 z1,3 z2,3 z3,3 z4,3 z5,3 . z12,3 z1,4 z2,4 z3,4 z4,4 z5,4 . z12,4 . . Derive k from most frequent z values.* k1 is brute-forced (256 guesses). z1 k1 k2 k1 k2 k3 k1 k2 k3 k4 k1 k2 k3 k4 . k13 24
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) Biased output of “classical” RC4 Classical RC4 Go through n recorded cipher streams once and count most frequent value for k -1 cypher bytes. For all 256 values of k1, calculate and test the key. Complexity: O(n*( k -1) 256) 25
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) Classical RC4 vs. OSGP RC4 Classical RC4 13-byte key k1 k2 k3 3-byte initialisation vector . k13 IV1 IV2 IV3 Used key (concatenation): k1 k2 k3 . k13 IV1 IV2 IV3 Broken! (e.g. WEP) Roos (1995), Jenkins (1996), Klein (2006) 26
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) Classical RC4 vs. OSGP RC4 OSGP RC4 16-byte key (BEK) k1 k2 k3 . 8-byte initialisation vector (message digest) k16 IV1 IV2 IV3 . IV8 Used key (xor of first 8 bytes): k1 IV1 k2 IV2 k3 IV3 . k8 IV8 k98 k10 . k16 Classical RC4 13-byte key k1 k2 k3 3-byte initialisation vector . k13 IV1 IV2 IV3 Used key (concatenation): k1 k2 k3 . k13 IV1 IV2 IV3 Broken! (e.g. WEP) Roos (1995), Jenkins (1996), Klein (2006) 27
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) Classical RC4 vs. OSGP RC4 OSGP RC4 16-byte key (BEK) k1 k2 k3 . 8-byte initialisation vector (message digest) k16 IV1 IV2 IV3 . IV8 Broken? Used key (xor of first 8 bytes): k1 IV1 k2 IV2 k3 IV3 . k8 IV8 k98 k10 . k16 Classical RC4 13-byte key k1 k2 k3 3-byte initialisation vector . k13 IV1 IV2 IV3 Used key (concatenation): k1 k2 k3 . k13 IV1 IV2 IV3 Broken! (e.g. WEP) Roos (1995), Jenkins (1996), Klein (2006) 28
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) Attack on OSGP RC4 k secret, IV public 1 k1 IV1,1 k2 IV2,1 k3 IV3,1 . k8 IV8,1 k98 k10 . k16 z predicted RC4 z1,1 z2,1 z3,1 z4,1 z5,1 . 2 k1 IV1,2 k2 IV2,2 k3 IV3,2 . k8 IV8,2 k98 k10 . k16 z1,2 z2,2 z3,2 z4,2 z5,2 . 3 k1 IV1,3 k2 IV2,3 k3 IV3,3 . k8 IV8,3 k98 k10 . k16 z1,3 z2,3 z3,3 z4,3 z5,3 . . 29
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) Attack on OSGP RC4 k secret, IV public z predicted 1 k1 IV1,1 k2 IV2,1 k3 IV3,1 . k8 IV8,1 k98 k10 . k16 RC4 z1,1 z2,1 z3,1 z4,1 z5,1 . 2 k1 IV1,2 k2 IV2,2 k3 IV3,2 . k8 IV8,2 k98 k10 . k16 z1,2 z2,2 z3,2 z4,2 z5,2 . 3 k1 IV1,3 k2 IV2,3 k3 IV3,3 . k8 IV8,3 k98 k10 . k16 z1,3 z2,3 z3,3 z4,3 z5,3 . . Counting most frequent values is distorted by different IVs for each message. 30
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) Biased output of “classical” RC4 k secret, IV public 1 k1 IV1,1 k2 IV2,1 k3 IV3,1 . k8 IV8,1 k98 k10 . k16 z predicted RC4 z1,1 z2,1 z3,1 z4,1 z5,1 . 2 k1 IV1,2 k2 IV2,2 k3 IV3,2 . k8 IV8,2 k98 k10 . k16 z1,2 z2,2 z3,2 z4,2 z5,2 . 3 k1 IV1,3 k2 IV2,3 k3 IV3,3 . k8 IV8,3 k98 k10 . k16 z1,3 z2,3 z3,3 z4,3 z5,3 . . 31
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) Biased output of “classical” RC4 k secret, IV public z predicted 1 k1 IV1,1 k2 IV2,1 k3 IV3,1 . k8 IV8,1 k98 k10 . k16 RC4 z1,1 z2,1 z3,1 z4,1 z5,1 . z1,2 z2,2 z3,2 z4,2 z5,2 . z1,3 z2,3 z3,3 z4,3 z5,3 . k1 IV1,1 k2 IV2,1 2 k1 IV1,2 k2 IV2,2 k3 IV3,2 . k8 IV8,2 k98 k10 . k16 k1 IV1,2 k2 IV2,2 3 k1 IV1,3 k2 IV2,3 k3 IV3,3 . k8 IV8,3 k98 k10 . k16 . k1 IV1,3 k2 IV2,3 First, guess value of k1. Then derive most frequent k values one after the other. 32
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) Biased output of “classical” RC4 k secret, IV public z predicted 1 k1 IV1,1 k2 IV2,1 k3 IV3,1 . k8 IV8,1 k98 k10 . k16 RC4 z1,1 z2,1 z3,1 z4,1 z5,1 . k1 IV1,1 k2 IV2,1 k1 IV1,1 k2 IV2,1 k3 IV3,1 2 k1 IV1,2 k2 IV2,2 k3 IV3,2 . k8 IV8,2 k98 k10 . k16 z1,2 z2,2 z3,2 z4,2 z5,2 . k1 IV1,2 k2 IV2,2 k1 IV1,2 k2 IV2,2 k3 IV3,2 3 k1 IV1,3 k2 IV2,3 k3 IV3,3 . k8 IV8,3 k98 k10 . k16 z1,3 z2,3 z3,3 z4,3 z5,3 . . k1 IV1,3 k2 IV2,3 k1 IV1,3 k2 IV2,3 k3 IV3,3 First, guess value of k1. Then derive most frequent k values one after the other. 33
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) Classical RC4 vs. OSGP RC4 Classical RC4 Go through n recorded cipher streams once and count most frequent value for k -1 cypher bytes. For all 256 values of k1, calculate and test the key. Complexity: O(n*( k -1) 256) 34
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) Classical RC4 vs. OSGP RC4 OSGP RC4 For all 256 values of k1: Go through n recorded cipher streams once for k -1 cypher bytes. Complexity: O(n*( k -1)*256) Count most frequent value for each ki. Test the key. Classical RC4 Go through n recorded cipher streams once and count most frequent value for k -1 cypher bytes. For all 256 values of k1, calculate and test the key. Complexity: O(n*( k -1) 256) 35
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) Classical RC4 vs. OSGP RC4 OSGP RC4 For all 256 values of k1: Go through n recorded cipher streams once for k -1 cypher bytes. Count most frequent value for each ki. Test the key. Complexity: O(n*( k -1)*256) Only linear increase of complexity. Classical RC4 Go through n recorded cipher streams once and count most frequent value for k -1 cypher bytes. For all 256 values of k1, calculate and test the key. Complexity: O(n*( k -1) 256) 36
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) Practicality of the attack Predicting enough cipher stream bytes. 16-byte BEK RC4 (Initialization vector) 8-byte digest cipher stream plaintext message XOR encrypted message Transmit encrypted message and its digest: OMAK BEK Data Concentrator (DC) device encrypted digest OMAK BEK 37
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) Practicality of the attack predict Predicting enough cipher stream bytes. request response cipher stream E.g. OSGP message to read out device clock. (Response continues with same cipher stream after request.) public encrypted encrypted DC request: Device response: 1: 0x3F Message ID (partial table read) 13: 0x00 Device answer (“OK”) 2: 0x00 3: 0x34 4: 0x00 5: 0x00 6: 0x00 7: 0x00 8: 0x06 14: 0x00 15: 0x06 Count (Same as in request.) Table ID (device clock) Table offset (Where to start reading?) Remaining answer bytes irrelevant, as only 15 bytes are needed. Count (How many bytes to read?) 9: 0x? Message sequence number 10: 0x? (Individual for each device. 11: 0x? Hard to predict.) 12: 0x? 38
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) Practicality of the attack predict Predicting enough cipher stream bytes. request response cipher stream E.g. OSGP message to read out device clock. (Response continues with same cipher stream after request.) public encrypted encrypted DC request: Device response: 1: 0x3F Message ID (partial table read) 13: 0x00 Device answer (“OK”) 2: 0x00 3: 0x34 4: 0x00 5: 0x00 6: 0x00 7: 0x00 8: 0x06 14: 0x00 15: 0x06 Count (Same as in request.) Table ID (device clock) Table offset (Where to start reading?) Count (How many bytes to read?) 9: 0x? Message sequence number 10: 0x? (Individual for each device. 11: 0x? Hard to predict.) 12: 0x? Remaining answer bytes irrelevant, as only 15 bytes are needed. Five bytes must be brute-forced, taking about 2 weeks on a single 3.40 GHz Intel i7-4770. 256 cores only take 1.5 hours. 39
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) Practicality of the attack How many eavesdropped messages? Simulated 145,000 random BEKs, and for each up to 300,000 messages with random sequence numbers. Processing 50,000 messages per second on single CPU. Success rate to derive BEK after x messages 100% 10% 90% 8% 6% 60% Percent of BEKs needing x messages 4% 2% 20% 0% 30,000 65,000 90,000 125,000 180,000 235,000 Number of messages 40
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) Practicality of the attack How many eavesdropped messages? Simulated 145,000 random BEKs, and for each up to 300,000 messages with random sequence numbers. Processing 50,000 messages per second on single CPU. Success rate to derive BEK after x messages 100% 10% 90% 8% 6% 60% Percent of BEKs needing x messages 4% 2% 20% 0% 30,000 65,000 90,000 125,000 180,000 235,000 Number of messages (Attack was refined to derive all possible BEKs; simple version only gets 85%.) 41
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) Countermeasures? OSGP LonWorks . PLC Do not rely on OSGP encryption for security! If possible use encryption on lower layers. Do not let an attacker eavesdrop 90,000 messages! DC (1 day 86,400 seconds) If possible reduce traffic or often update the secret OMAK. The OSGP Alliance has been informed. They are working on a complete overhaul of OSGP. Device Device Device Device Device Device 42
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) RC4 in detail Key scheduling algorithm (KSA) Pseudo-Random Generation Algorithm (PRGA) 43
Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP) 9 OSGP data integrity For each message, generate a digest (hash value) using the secret "Open Media Access Key" (OMAK): OSGP-Digest-plaintext message Algorithm 12-byte OMAK 8-byte digest Data Concentrator (DC) Device Transmit message and its digest: plaintext digest OMAK OMAK
May 02, 2018 · D. Program Evaluation ͟The organization has provided a description of the framework for how each program will be evaluated. The framework should include all the elements below: ͟The evaluation methods are cost-effective for the organization ͟Quantitative and qualitative data is being collected (at Basics tier, data collection must have begun)
Silat is a combative art of self-defense and survival rooted from Matay archipelago. It was traced at thé early of Langkasuka Kingdom (2nd century CE) till thé reign of Melaka (Malaysia) Sultanate era (13th century). Silat has now evolved to become part of social culture and tradition with thé appearance of a fine physical and spiritual .
̶The leading indicator of employee engagement is based on the quality of the relationship between employee and supervisor Empower your managers! ̶Help them understand the impact on the organization ̶Share important changes, plan options, tasks, and deadlines ̶Provide key messages and talking points ̶Prepare them to answer employee questions
On an exceptional basis, Member States may request UNESCO to provide thé candidates with access to thé platform so they can complète thé form by themselves. Thèse requests must be addressed to esd rize unesco. or by 15 A ril 2021 UNESCO will provide thé nomineewith accessto thé platform via their émail address.
Dr. Sunita Bharatwal** Dr. Pawan Garga*** Abstract Customer satisfaction is derived from thè functionalities and values, a product or Service can provide. The current study aims to segregate thè dimensions of ordine Service quality and gather insights on its impact on web shopping. The trends of purchases have
THE SECRET SEVEN is the first adventure of the SECRET SEVEN SOCIETY The other books are called: SECOND The Secret Seven Adventure THIRD Well Done Secret Seven! FOURTH Secret Seven on the Trail FIFTH Go Ahead Secret Seven SIXTH Good Work Secret Seven SEVENTH Secret Seven Win Through EIGHTH Three Cheers Secret Seven NINTH Secret Seven Mystery
Bar Mitzvah Attack Breaking SSL with a 13-year old RC4 Weakness Abstract RC4 is the most popular stream cipher in the world. In fact, as of March 2015, RC4 is estimated to protect as much as 30% of SSL traffic, likely amounting to billions of TLS connections every day. Yet it
3. grade 4. swim 5. place 6. last 7. test 8. skin 9. drag 10. glide 11. just 12. stage Review Words 13. slip 14. drive Challenge Words 15. climb 16. price Teacher’s Pets Unit 1 Lesson 5 Spelling List Week Of: _ Consonant Blends with r, l, s 1. spin 2. clap 3. grade 4. swim 5. place 6. last 7. test 8. skin 9. drag 10. glide 11. just 12. stage Review Words 13. slip 14. drive Challenge .
