Recent years saw a significant increase of research on GSM attacks: The weaknesses of A5/1 encryption were shown practical and open-source baseband software is being developed, granting fine-grained control over GSM messages and enabling protocol fuzzing and flooding attacks.

Despite the availability of attack methods, the tools are often hard to use for pen-testers due to their limited documentation. This one-day workshop revisits GSM’s security features and their publicly known weaknesses and introduces the various publicly available attack tools.

Countermeasures are presented, followed by a discussion of the current best practices for securing GSM networks. The target audience of this workshop are GSM network operators and IT security professionals.

Smart cards chips — originally invented as a protection for cryptographic keys — are increasingly used to keep protocols secret. This talk challenges the chips’ security measures to unlock the protocols for public analysis.

Hardened security chips are protecting secret cryptographic keys throughout the virtual and physical worlds. These smart card chips are found in banking cards, authentication tokens, encryption appliances, and master key vaults.

The protection capabilities of the chips is increasingly used to also keep secret application code running on the devices. For example, the protocols of modern EMV credit cards are not publicly known. Such obscurity is hindering analysis, hence letting logic and implementation flaws go unnoticed in widely deployed systems, including credit card systems.

We demonstrate a method of extracting application code from smart cards with simple equipment to open the application code for further analysis.

GPRS data networks provide the backbone for our mobile society. Just like their siblings, GSM phone networks, the GPRS infrastructure is often lacking an appropriate level of protection.

This talk introduces the concepts behind GPRS transmissions and illustrates how GPRS data can be sniffed. We will release tools to be used at the camp.

Smart cards chips — originally invented as a protection for cryptographic keys — are increasingly used to keep protocols secret. This talk challenges the chips’ security measures to unlock the protocols for public analysis.

Hardened security chips are protecting secret cryptographic keys throughout the virtual and physical worlds. These smart card chips are found in banking cards, authentication tokens, encryption appliances, and master key vaults.

The protection capabilities of the chips is increasingly used to also keep secret application code running on the devices. For example, the protocols of modern EMV credit cards are not publicly known. Such obscurity is hindering analysis, hence letting logic and implementation flaws go unnoticed in widely deployed systems, including credit card systems.

We demonstrate a method of extracting application code from smart cards with simple equipment to open the application code for further analysis.

Relevance. Low-complexity ciphers used in a wide range of applications ranging from public transport payment to luxury car immobilizers were developed in the 80′s and 90′s.  The proprietary ciphers typically stayed secret during their design and deployment thereby foregoing independent peer review. SAT solver programs, a specific flavor of equations solvers, can measure the complexity of such ciphers and often extract the secret keys from sniffed transactions. SAT solvers implement a ‘smart’ brute force in which only promising branches of the solution tree are tried.

Approach. The analysis process involves conversion of a cryptographic cipher into simple system of equations of CNF form and solving this system of equations to derive a secret key. Using SAT solving technology we can break low-complexity cipher such as Crypto-1 used in Mifare Classic cards in under 20 seconds on a desktop computer. A brute-force attack on Crypto-1’s 48bit key would take weeks on comparable hardware or significant investments into specialized FPGA hardware. This allows real-time attacks against access control and payment systems.

Most other cryptographic ciphers of low complexity or key lengths below 64 bits are vulnerable to this type of attack. The capabilities of SAT solvers summarize years of theoretical and practical computer science research and make them easily accessible for cryptographic analysis and optimization exercises with large output spaces.

Potential. Resistance to SAT-solver based attacks can easily be achieved by testing new cryptographic primitives in their design phase with open source SAT solvers. When using a “divide and conquer” strategy, SAT solvers can provide a measure for cryptographic hardness even when they cannot break a given function.

We understand, of course, that hardly any new cryptographic primitives are needed given the wide versatility of AES, SHA, ECC, TEA, and other established functions. Therefore, the primary use of SAT solvers in cryptography is the analysis of old proprietary ciphers.

Tools. These references provide ready-made SAT solvers and tutorials for some cryptographic functions that can easily be extended for analysis of new primitives:

• CryptoMiniSat Tutorial – To be added shortly

• CryptoMiniSat project – A general purpose SAT solver (and winner of the 2010 SAT competition)

• Grain of Salt project – Stream-cipher breaking SAT solver with models of Grain, Trivium, Bivium, HiTag2 and Crypto1

• SATLive! – Collection of SAT challenges, general SAT references

Smart grid meters are connecting consumers to utility systems thereby providing potential attack vectors into critical infrastructure. The software that runs on the meters and the data that comes out of them needs to be trustworthy.

Current meter generations do not deserve this level of trust since they are lacking even basic security best practices such as source code reviews, code signing, and unique cryptographic keys.

This talk explains vulnerabilities found in today’s meters and discusses protection measures found in other embedded devices. These measures would provide an appropriate protection level for devices interconnected through the smart grid.

The popular GSM cell phone standard uses outdated security and provides much less protection than its increasing use in security applications suggests. Our research aims to correct the disconnect between technical facts and security perception by creating GSM tools that allow users to record and analyze GSM data to see what security features were really implemented by their operator.

The talk discusses a GSM debugging tool that consists entirely of open source software and open radio hardware. We will demonstrate how to record and decode GSM calls, even encrypted ones.

Mobile payment systems are exposed to many additional risks when compared to their wired counterparts. RFID/NFC and GSM channels on phones, in particular, are vulnerable to several new attacks such as man-in-the-middle relaying and attacks on weak cryptographic ciphers. This session discusses the threats that are likely to arise from the new attack vectors and the design space for mitigation measures.

Industry’s standard ciphers tend to be weaker than “open” ciphers such as AES. This presentation discusses algebraic attacks against such ciphers. To carry out these attacks, we employ a set of tools that convert cryptographic problems into the language of SAT solvers and then execute one of the fastest SAT solvers to recover secret keys.

Study motivation. We would like for access control to become a prototype for good security reasoning built on open standards and best practice security principles. Towards this goal, the study “Establishing Security Best Practices in Access Control” provides the structure for comprehensive building access control. The design guidelines are provided as requirements such that they are directly usable in a request for proposal.

Download. “Establishing Security Best Practices in Access Control” (v1.0)