f8 ppt_pdf
TRANSCRIPT
1
INTERNATIONAL WORKSHOP ON INFORMATION SECURITYIN WIRELESS NETWORKS
CONFIDENTIALITY AND INTEGRITY ALGORITHMSIN 3G MOBILE COMMUNICATIONS
CIOBANU Bogdan-Mihai
SUCEAVASEPTEMBER 4-8 2006
2
• there are two standardized algorithms: - a confidentiality algorithm, f8,- an integrity algorithm, f 9;
• each of these algorithms is based on KASUMIalgorithm;
• KASUMI – a block cipher that produces a 64-bit output from a 64-bit input under the control of a 128-bit key.
3
Confidentiality algorithm, f 8
• stream cipher that encrypts/decrypts blocks of data under a confidentiality key CK;
• the block of data may be between 1 and 20.000 bits long;
• f8 uses KASUMI algorithm in a form of output feedback mode as a keystreamgenerator.
COUNT Frame dependent inputCOUNT[0]…COUNT[31]
BEARER Bearer identity BEARER[0]…BEARER[4]
DIRECTION Direction of transmission DIRECTION[0]
CK Confidentiality key CK[0]….CK[127]
LENGTHThe number of bits to be encrypted/decrypted(1-20000)
IBS Input bit stream IBS[0]….IBS[LENGTH-1]
f8 algorithm f8 inputs
OBS Output bit stream OBS[0]…OBS[LENGTH-1]
f8 output 4
5
Architecture and components
• the keystream generator is based on the KASUMI block cipher;
• for the 64-bit A register, we set:
A=COUNT[0]...COUNT[31] BEARER[0]...BEARER[4] DIRECTION[0] 0…0
6
• we set the counter BLKCNT to 0;
• the key modifier KM will be set to 0x55555555555555555555555555555555;
• the KSB0 (the initial block of keystream produced by the keystream generator) will be set to 0;
• for the A register we apply one operation KASUMI:
A = KASUMI [A]CK ⊕ KM
7
Keystream Generation• the plaintext/ciphertext to
be encrypted/decryptedconsists of LENGTH bits(1-20.000);
• the Keystream Generatorproduces keystream bitsin multiples of 64 bits;
• let BLOCKS to be equal to LENGTH/64 rounded up to the nearest integer.
8
• for any integer n (1≤n≤BLOCKS), we obtain:
KSBn = KASUMI[A⊕BLKCNT⊕KSBn-1 ]CK,
where BLKCNT = n-1;• the individual bits of the
keystream are extracted from KSB1 to KSBBLOCKS;
• we define KSBn [i]= KS [((n – 1)*64) + i] , for any i integer with 0≤i≤63 and n=1 to BLOCKS.
9
Encryption/Decryption
• these operations are identical and are performed by the exclusive OR of the input data (IBS) with the generated keystream (KS);
• for any integer i with 0≤i≤ LENGTH–1 we have:OBS [i] = IBS [i] ⊕ KS [i]
10
Integrity algorithm f9
• compute a Message Authentication Code (MAC) for an input message under an integrity key IK;
• there is no limitation on the input message length of the f9 algorithm;
• is based on the block cipher KASUMI.
11
f9 algorithm
COUNT-I Frame dependent input COUNT-I[0]…COUNT-I[31]FRESH Random number FRESH[0]… FRESH[31]DIRECTION Direction of transmission DIRECTION[0]IK Integrity key IK[0]…IK[127]LENGTH The number of bits to be ’MAC’dMESSAGE Input bit stream
f9 inputs
MAC-I Message authentication code MAC-I[0]…MAC-I[31] f9 output
12
Initialisation• the integrity function is
initialized with the key variables before the calculation commences
• the working variable are:- A=0- B=0
• the modifier KM is set to:
KM = 0x AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
13
•we concatenate COUNT, FRESH, MESSAGE and DIRECTION;
•the total length of the resulting string PS (padded string) is an integral multiple of 64 bits;
•PS=COUNT[0]…COUNT[31]FRESH[0]…FRESH[31]MESSAGE[0]… MESSAGE[LENGTH-1] DIRECTION[0]10*
0* - indicates between 0 and 63 ”0” bits
14
Calculation
• for each integer n, we have:- A = KASUMI [A⊕PSn]IK- B = B ⊕A,where 0≤n≤BLOCKS-1
• we perform one more application of KASUMI using a modified form of the integrity key IK:
B=KASUMI[B]IK ⊕KM• the 32-bit MAC-I comprises the left
most 32 bits of the result:MAC-I=lefthalf [B]
• for each integer i, we have:MAC-I[i]=B[i]bits B[32]...B[63] are discarded
• we split the padded string PS into 64-bit blocks, PSi:PS=PS0||PS1||PS2||.||PSBLOCKS-1
15
KASUMI algorithm
• block cipher that forms the heart of the confidentiality algorithm f8, and integrity algorithm f9;
• decomposes into a number of subfunctions(FL, FO, FI) which are used in conjunction with associated subkeys (KL, KO, KI);
• block cipher with 8 rounds;• produces a 64-bit output from a 64-bit input,
I, under the control of 128-bit key, K;
16
• the input I is divided into two 32-bit strings L0 andR0, where
I = L0||R0• for each integer i, we
define:Ri = Li-1, Li = Ri-1 ⊕ fi (Li-1, RKi)
• this constitutes the ith roundfunction of KASUMI
- fi denotes the round function with Li-1 and round key RKi as inputs;
• the result OUTPUT is equal to the 64-bit string(L8||R8) offered at the end of the 8th round.
Components of KASUMIfi function
• this function takes a 32-bit input, I, and returns a 32-bit output, O, under the control of a round key RKi, where the round key comprises the subkey triplet of (KLi, KOi, KIi).
• the function itself is constructed from two subfunctions:FL and FO with associated subkeys KLi (used with FL) and subkeys KOi şi KIi (used with FO);
• it has two different forms depending on whether it is an even round or an odd round;
17
18
• for rounds 1,3,5 and 7, we define:f i (I, RKi) = FO (FL (I, KLi), KOi, KIi)
• for rounds 2, 4, 6, and 8, we definef i (I, RKi) = FL (FO (I, KOi, KIi), KLi)
• for odd rounds the round data is passed through FL function and then FO function;
• for even rounds it is passed through FO function and then FL function.
19
Function FL • comprises a 32-bit data input I and a 32-bit subkey KLi;
• the subkey is split into two 16 bit subkeys, KLi,1and KLi,2, where:KLi = Kli,1 || KLi,2
• the input data is split in two 16-bit halves, L and R, where I = L||R.
• now we have:R' = R ⊕ ROL(L ∩ KLi,1)L' = L ⊕ ROL(R' U KLi,2)• the output value is (L'||R')
- 32 bits
∩ - bitwise AND operation
U - bitwise OR operation
<<< - one bit left rotation
20
Function FO • comprises a 32-bit data input, I, and two sets of subkeys, KOi and KIi (both of 48 bits)
• the 32-bit data input is split in two halves, L0 and R0, where I = L0||R0;
• the 48-bit subkeys are subdivided intothree 16-bit subkeys:
KOi = KOi,1||KOi,2||KOi,3 andKIi = KIi 1||KIi 2||KIi 3
• now we define:RJ = FI (LJ-1 ⊕ KOi, J, KIi, J) ⊕ RJ-1
and LJ = RJ-1, for each integer j, where 1 ≤ j ≤ 3
• finally we obtain the output value, (L3||R3)-32 bits
21
• takes a 16-bit data input I and 16-bit subkey KIi,j;
• the input I is split in two unequal components: L0 (9bits) and R0 (7bits),where I=L0||R0;
• the key KIi,j is split into a 7-bit component KIi,j,1 and a 9-bitcomponent KIi,j,2, where
KIi,j = KIi,j,1||KIi,j,2;• uses two S boxes S7 and S9;• S7 transforms a 7-bit input to a 7-bit
output;• S9 transforms a 9-bit input to a 9-bit
output;
Function FI
* the thick and thin lines are used to make the difference between the 9-bit and 7-bit data paths
22
• we have two additional functions:- ZE (x) converts a 7-bit value
x into a 9-bit value (by adding two 0 bits to the most significant end);
- TR (x) converts a 9-bit valuex into a 7-bit value (by discarding the two most significant bits);
• to obtain the output, we apply these operations:
L1= R0; R1= S9 [L0] ⊕ ZE (R0)L2 = R1 ⊕ KIi,j,2; R2 = S7[ L1] ⊕TR(R1) ⊕KIi,j,1L3 = R2;R3 = S9[L2] ⊕ZE(R2)L4 = S7[L3] ⊕TR(R3)R4= R3
• the output has this form: (L4||R4)-16bits.
23
S boxes• they may be easily implemented in combinational logic;• the input x comprises either 7 or 9 bits with a coresponding number of bits in the output y• x = x8||x7||x6||x5||x4||x3||x2||x1||x0
andy = y8||y7||y6||y5||y4||y3||y2||y1||y0,
- the x8, y8 and x7, y7 only apply to S9, and x0 and y0 bits are the least significant bits.
24
Key Schedule
• KASUMI has a 128-bit key K;• each round of KASUMI uses 128 bits of key, that are derived from K;• before the round keys, are calculated two 16-bit arrays Kj andKj' (j = 1 to 8) in the following manner:
- the 128-bit key K is subdivided into eight 16-bit values,K1,…, K8, where
K = K1||K2||K3|| ........... ||K8
- a second array of subkeys Kj' is derived from Kj by applying:
Kj' = Kj⊕ Cj, for 1 ≤ j ≤ 8Cj are predefined constants.