Modified Cellular Message Encryption Algorithm

International Journal of Emerging Technology and Advanced Engineering

Website: www.ijetae.com (ISSN 2250-2459,ISO 9001:2008 Certified Journal, Volume 3, Issue 3, March 2013)

274

Modified Cellular Message Encryption Algorithm

Ravindra Kumar Gupta

, Subhash Chandra Gupta

1

Assistant Professor, Department of Computer Science & Engineering, SSSIST, Bhopal, M.P. 2_{Student, M.Tech. (Software Engineering), Sri Satya Sai Institute of Science & Technology, Bhopal, M.P.}

Abstract - This paper analyzes the Modified Cellular Message Encryption Algorithm (M-CMEA) which is an enhanced version of the Telecommunication Industry Association’s Cellular Message Encryption Algorithm. We analyzed more properties to, “Why is CMEA weak?” and modification required to secure the CMEA.

Keywords - Cryptanalysis, CMEA, Wireless Security.

I. INTRODUCTION

The cellular Message Encryption Algorithm (CMEA) has been designed by the TIA (Telecommunication Industry Association) to protect the control data of cellular phone communication. As cellular telephony industry has boomed, the need for security has increased: both for privacy and fraud prevention. Because all cellular communications are sent over a radio link, anyone with the appropriate receiver can passively eavesdrop on all cell phone transmissions in the area without fear of detection. The cellular telephony industry players in particular are especially concerned with fraud prevention.

The aim of the paper is to improve the security of the CMEA algorithm. This paper performs a thorough analysis of the weaknesses identified in the CMEA [1,2] and proposes a modified version of the algorithm which we shall call the “Modified-CMEA” or “M-CMEA”. Thus the paper focuses on the following:

Identifying the properties of the CMEA leading to its inherent insecurity.Modify the algorithm so as to remove the causes of the easy cryptanalysis of the CMEA: The paper focuses on the parts of the CMEA that lead to the cryptanalysis of the algorithm as given in [3]. The steps that cause these weaknesses have been studied, and accordingly the algorithm is modified so that these weaknesses are rectified. An effort has been made to ensure that the algorithm retains its original structure and only necessary changes have been made.

Carrying out the cryptanalysis of the M-CMEA against specialized attacks [2] as well as standard cryptanalytic attacks: Proving the security of any new algorithm is a difficult task. First we verified both logically as well as computationally that the M-CMEA is indeed resistant to the types of attacks discussed in [3].

The next logical step was to test the algorithm‟s strength against standard attacks like linear and differential cryptanalysis. The confusion and diffusion properties were checked to make sure that the algorithm provided sufficient amount of confusion as well as diffusion as required by any good cryptographic algorithm. Also finer issues were kept in mind against future attacks like Meet in the Middle attack.

We discussed the original CMEA and attacks against it in section 2. In section 3, we describe the properties of CMEA and analyze these properties. In section 5, we discussed detail modification required to CMEA to become more secure.

II. CELLULAR MESSAGE ENCRYPTION ALGORITHM (CMEA)

2.1 Description of CMEA

We describe the CMEA specification in brief for reference. CMEA is a byte oriented variable-width block cipher with a 64 bit key. Block sizes may be any number of bytes. In practice, US cellular telephony systems typically apply CMEA to 2-6 byte blocks, with the block size potentially varying without any key changes. CMEA is quite simple, and appears to be optimized for 8-bit microprocessors with severe resource limitations.

CMEA consists of three layers. The first layer performs one non-linear pass on the block, this effects left-to-right diffusion. The second layer is a purely linear, unkeyed operation intended to make changes propagate in the opposite direction. One can think of the second step as (roughly speaking) XORing the right half of the block onto the left half. The third layer performs a final nonlinear pass on the block from left to right; in fact, it is the inverse of the first layer.

CMEA obtains the non-linearity in the first and third layer from an 8-bit keyed lookup table known as the T -box. The T-box calculates its 8-bit output as

T(X)=C(((C(((C(((C((X K0)+K1)+X) K2)+K3)+x)

K4)+K5)+X) K6)+K7)+X,

Given input byte x and 8-byte key K0…7. In this

International Journal of Emerging Technology and Advanced Engineering

Website: www.ijetae.com (ISSN 2250-2459,ISO 9001:2008 Certified Journal, Volume 3, Issue 3, March 2013)

275

Cave - Table

We now provide a specification of CMEA. The algorithm encrypts an n-byte message P0…..n-1 to a

ciphertext C0….,n-1 under the key K0….7 as follows:

y0 0

for i  0,…., n – 1 P‟i  Pi + T(yi i )

yi+1  yi + P‟i

for i  0,…., |_ n/2_| - 1 P”i  P‟i ( P‟n-i-1 V 1 )

z0  0

for i  0,…., n – 1 zi+1  zi + P”i

Ci  P”i - T(zi i )

Here all operations are byte-wide arithmetic: + and - are addition and subtraction modulo 256, represents a logical bitwise exclusive or, V represents a logical bitwise or, and the keyed T function is as described previously.

2.2 Observations :

First, we list some preliminary observations made in [2]:

 CMEA is its own inverse.

 CMEA is typically used to encrypt short blocks.

 One bit of the plaintext leaks. The LSB (least-significant bit) of the cipher text is the complement of the LSB of the plaintext.

 The T-box has some key equivalence classes. Simultaneously complementing the MSB (most significant bit) of K0 and K1 leaves the action of the

T-box unchanged; the same holds for K2i and K2i+1

for i = 0, 1, 2, 3. Therefore for the rest of the paper we take the MSBs of K0, K2, K4,and K6 to all be 0,

without loss of generality, and we see that the effective key length of CMEA is at most 60 bits.

 Recovering the value of all 256 of the T-box entries suffices to break CMEA, even if the key K0…7 is

never recovered.

 The value of T(0) occupies a position of special importance. T(0) is always used to obtain C0 from

P0.

 The Cave-Table has a much skewed statistical distribution. It is not a permutation; 92 of the 256 possible 8-bit values never appear.

2.3 Attacks on CMEA 2.3.1 A chosen-plaintext attack

In practice, chosen-plaintext queries may be available in some special situations. Suppose the targeted cell phone user can be persuaded to a call a phone number under the attacker's control perhaps a memorized survey, answering machine, or operator. The phone message the user receives might prompt the user to enter digits (chosen in advance by the attacker), thus silently enabling a chosen plaintext attack on CMEA. Alternatively, the phone message might send chosen DTMF tones to the targeted cell phone user, thus mounting chosen-plaintext queries at will.

The attack has two steps:

Recovery of T(0)

Recovery of the remaining T-box entries

2.3.2 A known-plaintext attack

We have a more sophisticated key recovery algorithm. This can reduce the computation workload dramatically in these instances. The basic idea is that the T-box is subject to a classic meet-in-the-middle optimization: one can work halfway through the T-box given only K0…3,

and one can work backwards up to the middle given just K4…7. This enables us to pre-compute a lookup table that

contains the intermediate value corresponding to each K0…3 value. Then, we try each possible K4…7 value, work

backwards through some known T-box outputs, and look for a match in the pre-computed lookup table. Of course the search pruning techniques can be applied to K4…7 to

further reduce the complexity of the meet-in-the-middle algorithm. The combination of pruned search and meet-in-the-middle cryptanalysis allows us to efficiently recover the entire CMEA key with as few as 40-80 known plaintexts.

III. WHY IS CMEAWEAK?

International Journal of Emerging Technology and Advanced Engineering

Website: www.ijetae.com (ISSN 2250-2459,ISO 9001:2008 Certified Journal, Volume 3, Issue 3, March 2013)

276

It should be noted that some of the properties lead to the successful breaking of the cipher, whereas others, though they give away some information do not contribute to the success of the two types of attacks given in Section 2.3. First let us consider the properties that lead to the successful cryptanalysis of the cipher.

3.1 Property 1:

If the plaintext is of the form : P = {1-x,1-x,…1-x}

and the cipher-text is of the from : C = {-x,...}

Then there is a very high probability that T(0)=x, where T(i) is the output of the T-Box corresponding to input „i‟.

Analysis:

P‟0 = P0 + T(0) = 1 – x + T(0).

If T(0) = x , we have P‟0 = 1

Thus , y1 = y0 + P‟0 = 0 + 1=1

Likewise,

P‟1 = P1 + T(1 1) = 1 – x + T(0),

If T(0) = x, we have P‟1 = 1

Thus , y2 = y1 + P‟1 = 1 + 1 = 2.

Thus continuing we have P‟n-1 = 1

So, P‟‟ = P‟0 (P‟n-1 V 1) = 1 1 = 0

Hence,

C0 = P‟‟0 – T(0) = - T(0) = - x

The probability when using the Cave-Table is dependent on the fact that the initial guess for T(0) is correct and the possible number of trails is thus only (256-92)/2 = 82 on the average.

3.2 Property 2:

If the plaintext is of the form :

P = {1-T(0), 1-T(0),….., 1-T(0), k-T(0),0} and the ciphertext is

C = {t-T(0),…},

Where k = ((n-1) j) – (n-2), then there is a very high probability that t = T(j).

Analysis:

It has been shown that P‟i = 1 and yi+1 = ( i + 1 ),

where 0 <= i <= (n-3).

Now P‟n-2 = Pn-2 + T(y n-2 n-2)

= Pn-2 + T(0) , since yn-2 = n-2

= k – T(0) + T(0) = k Using this fact, y n-1 = yn-2 +P‟n-2

= (n-2) + k

= (n-1) j. Therefore,

P‟n-1 = Pn-1 +T(yn-1 (n-1))

= 0 + T(j).

Thus, C0 = t – T(0) = P‟‟0 – T(0)

= P‟0 (P‟n-1 V 1) – T(0)

Thus, t = 1 (T(j) V1)

= T(j) , with very high probability, with some confusion in the LSB.

3.3 Property 3:

The CMEA algorithm uses a very skewed Cave-Table[2]. The Cave-Table is not a permutation and 92 of the 256 values never occur. The Cave-Table was shown in Section 2.1. The frequency distribution of the Cave-Table entries is given in figure 1.

Figure 1 : frequency distribution of Cave-Table

We see that some of the values occur as many as 3 and 4 times. For every repeated value some value has to be missing. This property of the Cave-Table considerably reduces the number of plain texts needed in both the attacks given in Section 2.3.

3.4 Property 4:

The CMEA algorithm uses a four round T-Box which can be subjected to a meet in the middle attack [3].

3.5 Property 5:

The Least Significant Bit of the cipher-text is always the complement of the Least Significant Bit of the plaintext. i.e. one bit always leaks.

Analysis:

Using original CMEA algorithm we get:

C0=((P0 + T(0) (P’2 OR 1)) – T(0)

Table 1 Truth table for LSB of P0

P0 T0 (P0 + T0) 1 C0

0 0 1 1

0 1 0 1

1 0 0 0

International Journal of Emerging Technology and Advanced Engineering

Website: www.ijetae.com (ISSN 2250-2459,ISO 9001:2008 Certified Journal, Volume 3, Issue 3, March 2013)

277

Consider LSB‟s: As far as (P(0)+T(0))‟s LSB is concerned it is an equivalent exclusive or operation on P(0) and T(0)‟s LSB‟s (neglecting carry). The LSB output can be obtained as shown in Table-1. We see that the LSB of cipher-text is always the complement of the LSB of plaintext,

3.6 Property 6:

The T-Box has some Key-Equivalence classes. As mentioned in Section 2.2, simultaneously complementing the Most Significant Bits of K2i and K2i+1 for i = 0,1,2

leaves the action of the T-Box unchanged. This reduces the key length of the CMEA to 60 bits instead of 64 bits since we can assume the Most Significant Bits of K0, K2 ,

K4 and K6 to all be 0 or 1.

Analysis :

In the T-Box Function :

T(X)=C(((C(((C(((C((X K0)+K1)+X) K2)+K3)+x)

K4)+K5)+X) K6)+K7)+X,

Consider the function : f(X)=((X K0)+K1). Let us consider the Most Significant Bits of all the three terms. In order to consider the effect of the other Least Significant Bits., we include a carry term which can be zero or one. The invariance after simultaneous complementing the Most Significant Bits of the pairs of keys is because the carry is not being accounted for. In f(x), the MSB is being neglected. This can be seen from the Table 2. In case of both a1 and a2 after complementing the Most Significant Bits of K0 and K1

the difference is in the New Carry which is being neglected irrespective of the Carry (which is due the other less significant bit operations).

Table 2 Truth table for MSB

CARRY = 0

CARRY = 1 X K0 K1 f(X) f(X)

a1 0 0 0 0 1

0 0 1 1 0

0 1 0 1 0

a2 0 1 1 0 1

1 0 0 1 0

1 0 1 0 1

1 1 0 0 1

1 1 1 1 0

3.7 Analysis of the properties

Using the above properties one can explain why the CMEA algorithm is weak against the chosen plaintext and the known plain text attacks. The causes of the attacks are enlisted below:

 Chosen Plain Text Attack: The CMEA is weak against this attack because of properties 1 and 2 (and to an extent property 3).

 Known Plain Text Attack: The CMEA is weak against this attack because of properties 3 and 4.

Properties 5 and 6 give away some information to the attacker which though not used in the cryptanalysis of the algorithm as described in Section 3.1-3.6, can be possible weak points of the algorithm. The next section deals with ways of overcoming some of these weaknesses in the CMEA.

IV. MODIFIED CELLULAR MESSAGE ENCRYPTION ALGORITHM

Introduction

In this section the weaknesses that are given in Section 2 will be removed by elimination their causes as identified in Section 3.1-3.6. Each property that causes a dent in the CMEA‟s weakness will be dealt with so that none of the attacks that have been described in Section 2 work against the algorithm. In addition, ways to deal with some of the properties that could be weak points in the CMEA but are not used explicitly in the two attacks are also covered in this section.

4.1 Modifications in the CMEA

In this section the modifications needed in the CMEA corresponding to each of the Properties identified in Section 4.1 are presented.

4.1.1 Modification 1:

The update equation of P‟ needs to be changed so that Properties 1 and 2 do not work. Thus the modified equation is of the form:

P‟i = Pi + T(yi f(i,n)

Such that as we vary i from 0 to n-1 (where n is the number of byte blocks in the plaintext) the T-Box is not predictably accessed. In the original CMEA property 1 exists because for a particular nature of the input plaintext and the key the T-Box was always referred at the point 0. So, the function f(i,n) should be such that the T-Box is accessed at different points. After considering several forms of the function f(i,n) the proposed function is f(i,n) = 2i%n, hence the update equation becomes :

International Journal of Emerging Technology and Advanced Engineering

Website: www.ijetae.com (ISSN 2250-2459,ISO 9001:2008 Certified Journal, Volume 3, Issue 3, March 2013)

278

Thus the algorithm is transferred to:

4.1.2 Modification 2:

The Cave-Table is replaced with the Advanced Encryption Standard‟s (AES) S-Box which can be efficiently implemented. Thus the distribution is no more skewed and all the possible 256 values appear as a possibility.

After modifications 1 and 2 the Chosen Plain text attack is nullified and the Known Plain text attack is also evaded easily. The following is the explanation:

For 50,000 variations of the key, plaintexts of the form (1 – T(0), 1 – T(0),…..,1 – T(0)) gives cipher-text of the form (-T(0),….) only 0.766 % of the time .However to prove that no similar attack of the same type is possible, we need a more rigorous approach :

Let the P0 block of plain text be (1-x).

Thus P‟0 = P0 + T(y0 0)

= 1 – x + T(0 0) = 1- x + T(0)

Let x = T(0). So P‟0 = 1 and y1 = y0 + P‟0 =1

Similarly ,

P‟1 = P1 + T(1 2)

= P1 + T(3).

Hence if we have P1 = 1 – x1 and let x1 = T(3).

So, P‟1 = 1 and y2 = y1 + P‟1 =1 + 1 = 2

Likewise,

P‟2 = P2 + T(y 2 4)

= P 2 + T(2 4)

= 1 – x + T(6), if P2 = 1- x

= 1 , using the guess that x = T(6). y3 = y2 + P‟2 = 2 + 1 =3

For the fourth block, P‟3 = P3 + T(y3 6)

= P3 + T(3 6)

= 1 – x2 + T(5), if P3 =1- x2

= 1, using the guess x2 = T(5).

Thus if we have four blocks in the plaintext (without loss generality) then

P‟‟0 = P‟0 P‟3 V 1) = 0 and hence,

C0 = 0 – T(0) = - T(0)

Thus for four input blocks if one obtains chosen plaintexts of the form

P = (1-T(0), 1 – T(3), 1 – T(6), 1- T(5))

Then the cipher-text is of the form C = (-T(0),….)

The number of trials on an average required is (2564 )/2 which is equivalent to a brute force search on

the entire plain text space and is much larger than that required for original CMEA. Note that as the Cave-Table has been replaced by the S-Box of the Rijndael-AES the number of possible values of each T-Box access is 256.

The above proof for block four length plaintext can be extended to plaintext of any length. In order to reduce the order of the plaintext required in the modified CMEA to carry out the above attacks, there should be a repetition in the point at which the T-Box is accessed . Supposed we have i = i1 and i = i2 for which the T-Box is accessed at the same point. Thus

i1 2i%n = i2 2i % n or (i1 i2) = 2(i1 i2) %n

If, 2(i1 i2) < n, then the equation is possible only if i1 = i2, contradicting our initial assumption.

Also, if 2(i1 i2) = kn + r > n (where k >= 1 and r < n), we have

(kn + r)/2 = (kn + r) % n = r, or kn = r,

Which is not possible as r<n. Thus we have a contradiction and hence the T-Box is not accessed at the same point. Thus the attack does not work against the modified CMEA.

Also the number of plaintexts grows exponentially with the number of blocks. For an n byte block the number of chosen plaintexts is of the order of 256n. Thus the number of plaintexts to be investigated is equal to that in a brute force search on the entire plaintext space. Such a large number of plaintext requirements make the attack ineffective against the modified CMEA.

As the Cave-Table has been replaces by the AES S-Box the skewness of the Cave-Table no longer exists. All of the 256 values may appear.

4.1.3 Modification 3:

International Journal of Emerging Technology and Advanced Engineering

Website: www.ijetae.com (ISSN 2250-2459,ISO 9001:2008 Certified Journal, Volume 3, Issue 3, March 2013)

279

For this purpose, the output of the four round T-Box is recycled again through the T-Box.

4.1.4 Modification 4:

The or with 1 in the second stage of the CMEA is removed. This removes the property that the LSB of the cipher-text is always the complement of the LSB of the plaintext. This can be explained by using the modified version and resorting to its truth table.

Using the modified version:

C0 = ((P0 +T(0)) P’2)-T(0)

From the truth table (TABLE 5.1) we see that the Least Significant Bits of the plaintext and the cipher text are no longer related.

Table 3

Truth Table for LSB of plaintext and ciphertext

P[0] T[0] P’[2] (P[0] OR T[0]) XOR P’[2] C[0]

0 0 0 0 0

0 0 1 1 1

0 1 0 1 0

0 1 1 0 1

1 0 0 1 1

1 0 1 0 0

1 1 0 0 1

1 1 1 1 0

4.1.5 Modification 5:

From Table 2 we saw that by complementing the Most Significant Bits of K0 and K1 or a similar pair of odd and

even keys, the output does not change. However the Carry out in the 2 cases is different. In order to incorporate the effect of the carry from the MSB, it was exclusive or-ed with the Least Significant Bit of the resultant f(X). The Truth Table showing the carry over is given in Table 4.

For 50,000 random combination of data and keys, we get the average number of changes in cipher texts (byte wise) by simultaneously changing the Most Significant Bits of all four pairs of Equivalence Class Keys as approximately 99.5 % as opposed to 0% of the times earlier.

Table 4 Truth table with Carry Over

CARRY = 0 CARRY = 1

X K0 K1 f(X) New

Carry f(X) New Carry

a1 0 0 0 0 0 1 0

0 0 1 1 0 0 1

0 1 0 1 0 0 1

a2 0 1 1 0 1 1 1

1 0 0 1 0 0 1

1 0 1 0 1 1 1

1 1 0 0 0 1 0

1 1 1 1 0 0 1

4.2 Modifications to be kept

It was mentioned that the fourth and fifth modifications in the CMEA did not contribute towards preventing the Chosen plain text and the Known Plain text attacks. So it was decided to not include these changes while performing dedicated cryptanalysis of the new algorithm so as to not change the algorithm more than absolutely necessary.

In a nutshell, the first three modifications are absolutely necessary in order that the CMEA‟s use in CDMA2000 systems is continued without compromising with the customer‟s privacy, while the other modifications might be used in case an attack exploiting these properties is devised in the future. Also, since we have carried out dedicated cryptanalysis of the modified algorithm, we ourselves have checked that the properties do not make the cipher insecure. A reduction in the Key set from 264 to 260 does not make much difference practically and by knowing the Least Significant Bit of the ciphertext and hence the plaintext the attacker will not be able to break the algorithm.

International Journal of Emerging Technology and Advanced Engineering

Website: www.ijetae.com (ISSN 2250-2459,ISO 9001:2008 Certified Journal, Volume 3, Issue 3, March 2013)

280

For this purpose, the algorithm has been subjected to Avalanche Attack. A function has good Avalanche effect when a change in one bit of the input results in a change in half of the output bits.

Diffusion criteria require that a change in a single bit of the plain text should cause a change in several bits of the cipher text, keeping the key constant. In order to test the diffusion property the customized CMEA has been subjected on pairs of plain texts that differ by one bit. The number of bits affected should have a mean of n/2 where n is the number of bits in the cipher. In other words it is expected that for a good cipher approximately half of the output bits should be affected. The experiments have been performed on block size of three bytes (24bits). In Figure 2, the frequency of the number of bits affected has been plotted versus the number of bits affected. The plot shows that around 12 bits are affected for a maximum number of cases. Also the computed average is around 11.98. The plot shows that the algorithm provides sufficient diffusion property.

Figure 2 : Diffusion in Modified CMEA

A confusion criterion requires that a change in a single bit in the key should cause a change in several bits of the ciphertext, keeping the plaintext constant. In order to test the confusion property of the customized CMEA has been used to encrypt plaintexts with pair of keys which differ in only one bit. The number of output bits affected according to the Avalanche Criterion should be around n/2 where n is the number of bits of the cipher. The experiments have been performed again on block size of three-bytes (twenty four bits). In Figure 3, the frequency of the number of bits affected has been plotted versus the number of bits affected. The plot shows that around 12 bits are affected for a maximum number of cases.

Also, the computed average is around 11.91. Thus the plots show that the confusion property is satisfied by the Modified CMEA.

Figure 3 : Confusion in Modified CMEA

V. CONCLUSION

In the present paper the original CMEA algorithm has been modified into M-CMEA. Research work is going to find out causes of weakness in CMEA, and their customization through some newly defined properties. It will describe several possible properties that lead to the successful cryptanalysis of the cipher. Although there could be other possible weakness in CMEA, at a minimum, those properties will illuminate fundamental certification weaknesses in CMEA. Then the modification of CMEA will give us new refined version. It can be made strong and hence can be suitable for wireless security.

REFERENCES

[1 ] Thomas Chardin and Raphael Marinier “Improved Cellular Message Encryption Algorithm” International Journal of Network Security, vol.9, no.2, pp.173-179, sep. 2009.

[2 ] D. Mukhopadhyay and D. RoyChowdhury, “Customizing cellular message encryption algorithm,” International journal of Network Security, vol. 7, no. 2, pp. 194–202, Sep. 2008.

[3 ] D. Wagner, B. Schneier, and J. Kelsey, “Cryptanalysis of the cellular message encryption algorithm,” Proceedings of the Annual International Cryptology Conference, pp. 526537, 1997. [4 ] TIA telecommunication Industry Association, Common