On Jul 22, 2013, at 7:48 , ianG <i...@iang.org> wrote:
> On 22/07/13 02:27 AM, James A. Donald wrote:
>> On 2013-07-22 9:01 AM, Randall Webmail wrote:
>>>
>>> [SNIP]
>>> To derive a DES OTA key, an attacker starts by sending a binary SMS to
>>> a target device. The SIM does not execute the improperly signed OTA
>>> command, but does in many cases respond to the attacker with an error
>>> code carrying a cryptographic signature, once again sent over binary
>>> SMS.
>
> Wait -- using the same signing DES key as that which it uses to accept the
> OTA (over-the-air) java applet???
The key use is indeed fully symmetric -- the same key is used to sign messages
in both directions.
>>> A rainbow table resolves this plaintext-signature tuple to a
>>> 56-bit DES key within two minutes on a standard computer.
>
> OK, but how does one acquire the rainbow table? Does one have to send 2^64
> attempts to the SMS, and does it shut down after the 3rd ... or did they
> forget that part too?
The plaintext of the error messages is predictable among a small set of
possible values. A rainbow table computes the signature one one of these texts
for (some of) the 2^56 possible keys. Computing tables for the relevant
plaintexts with reasonable coverage after removing mergers takes the equivalent
computing time of a handful of brute force computations. Each lookup thereafter
is on the order of a few billion DES operations.
Cheers,
-Karsten
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
