Analysis of the Initial and Modified Versions of the Candidate 3GPP Integrity Algorithm 128-EIA3

Abstract: In this paper we investigate the security of the two most recent versions of the message authentication code 128-EIA3, which is considered for adoption as a third integrity algorithm in the emerging 3GPP standard LTE. We first present an efficient existential forgery attack against the June 2010 version of the algorithm. This attack allows, given any message and the associated MAC value under an unknown integrity key and an initial vector, to predict the MAC value of a related message under the same key and th… Show more

“…From Section 4 it is clear that X 0 , the output from the accumulation process for M 0 , is related to the value X for the accumulation of the original message M by the sliding relationship, so X 0 D OEx 1 ; x 2 ; : : : ; x d 1 ;˛. Since F also slides by one bit when a zero is appended to the message, the entire MAC has this property, as noted in [12]. The attacker need only guess one bit,˛, to form a valid MAC for M 0 .…”

“…Therefore an attacker can provide a valid X 00 for M 00 lCi with probability 2 i , for 1 Ä i Ä d . This is the basis of the previously reported attack on 128-EIA3 version 1.4 [12].…”

“…Specifically, we discuss the feasibility of applying forgery attacks, side channel attacks and statistical analysis to each of these algorithms. A forgery attack on 128-EIA3 version 1.4 presented by Fuhr et al [12] describes how a message, M , can be modified by inserting additional bits of value zero at the beginning of M . The attacker makes use of the sliding property between the keystream sequence used in the accumulation process and the final mask to compute a valid MAC for the modified message.…”

“…The final mask consists of 32 consecutive bits from the sequence y, beginning at y lC32 . The final 128-EIA3 version 1.4 MAC tag is given by MAC.M p / 128-EIA3 was proposed in response to a successful forgery attack[12] on version 1.4. We discuss this attack in more detail in Section 4.…”

Indirect message injection for MAC generation

“…From Section 4 it is clear that X 0 , the output from the accumulation process for M 0 , is related to the value X for the accumulation of the original message M by the sliding relationship, so X 0 D OEx 1 ; x 2 ; : : : ; x d 1 ;˛. Since F also slides by one bit when a zero is appended to the message, the entire MAC has this property, as noted in [12]. The attacker need only guess one bit,˛, to form a valid MAC for M 0 .…”

“…Therefore an attacker can provide a valid X 00 for M 00 lCi with probability 2 i , for 1 Ä i Ä d . This is the basis of the previously reported attack on 128-EIA3 version 1.4 [12].…”

“…Specifically, we discuss the feasibility of applying forgery attacks, side channel attacks and statistical analysis to each of these algorithms. A forgery attack on 128-EIA3 version 1.4 presented by Fuhr et al [12] describes how a message, M , can be modified by inserting additional bits of value zero at the beginning of M . The attacker makes use of the sliding property between the keystream sequence used in the accumulation process and the final mask to compute a valid MAC for the modified message.…”

“…The final mask consists of 32 consecutive bits from the sequence y, beginning at y lC32 . The final 128-EIA3 version 1.4 MAC tag is given by MAC.M p / 128-EIA3 was proposed in response to a successful forgery attack[12] on version 1.4. We discuss this attack in more detail in Section 4.…”

Indirect message injection for MAC generation

“…Génération de paramètres et de clésVoir[7] afin d'avoir les détails sur le fonctionnement des fonctions (f1, f2, f3, f3, f4).Confidentialité et intégrité de données :Une fois que l'authentification mutuelle et l'association sont établies, la confidentialité et l'intégrité de données sont assurées en utilisant les clés générés. Le LTE utilise un standard de confidentialité appelé Evolved Packet System Encryption Algorithm (128-EEA3) et un autre pour l'intégrité appelé Evolved Packet System Integrity Algorithm (128-EIA3)[60]. Les deux standards sont basés sur le flux de chiffrement SNOW 3G[5].…”

Securing the Internet of Things

Analysis of Indirect Message Injection for MAC Generation Using Stream Ciphers