A group of security researchers detailed a real-time inversion attack against the GMR-2 stream cipher used in satellite phone communication, claiming it is much more efficient than previously devised attacks.
In a research paper (PDF), Jiao Hu, Ruilin Li, and Chaojing Tang from the School of Electronic Science and Engineering at the National University of Defense Technology in China, explain that the real-time inversion attack uses one frame keystream and contains three phrases.
One of the two widely deployed variants of GMR (GEO-Mobile Radio Interface), the GMR-2 cipher has been found vulnerable to two types of plaintext attacks. A read-collision technique was presented in 2012, when the details of the satellite cipher algorithms were made public, and a dynamic guess-and-determine attack was devised in 2013.
“In this paper, we study the inverse properties of the GMR-2 cipher to show a bad one-way character of such cipher, then by introducing a new concept “valid key chain”, we propose what we call the inversion attack against the GMR-2 cipher. This attack can reduce the exhaustive search space from 264 to about 213 on average when one frame (15 bytes) keystream is available,” the researchers explain.
Because of this, the inversion attack is very efficient and practical, and could be used to perform real-time decryption on the GMR-2 cipher, the security researchers argue. When carried out on a 3.3GHz platform, the attack can completely retrieve the 64-bit encryption-key in around 0.02 seconds, the researchers say.
The technique contains three phases, namely table generation; dynamic table looks-up, filtration and combination; and verification. The attack can be used to “retrieve the complete 8-byte encryption-key from only 1 frame (15 bytes) of keystream on average.” It also significantly reduces the exhaustive search space, and requires only 6KB of extra storage space.
The security researchers reveal that, in 10,000 experiments, the newly devised technique was able to uniquely determine 97.2% of the encryption-keys by the 15 bytes of keystream. The remaining 2.8% of the keys needed an extra keystream byte to retrieve.
According to the paper, not only does the proposed inversion attack prove more efficient than the previously detailed dynamic guess-and-determine method and the read-collision based technique, but it also proves that serious security flaws exist in the GMR-2 cipher.
“Compared with previous known attacks, this inversion attack is much more efficient. It is crucial for service providers to upgrade the cryptographic modules of the system in order to provide confidential communication,” the researchers say.
Related: Wi-Fi Flaws Expose iPhone, Nexus Phones to Attacks
Related: Vulnerability in Mobile Networks Allows Easy Phone Tracking
