The (in)security of proprietary cryptography

Roel Verdult

Promotors: prof. dr. B.P.F. Jacobs (RU) and I. Verbauwhede (KU Leuven)
Copromotors: dr. L. Batina (RU) and dr. C. Diaz (KU Leuven)
Radboud Universiteit Nijmegen
Date: 21 April 2015, 14:30
Thesis: PDF


Proprietary cryptography is a term used to describe custom encryption techniques that are kept secret by their designers in order to add security. It is questionable whether such an approach increases the cryptographic strength of the underlying mathematical algorithms. The security of proprietary encryption techniques relies entirely on the competence of the semiconductor companies, which keep the technical descriptions strictly confidential after designing them. Without access to the detailed information of the design, it is difficult to give a public and independent security assessment of the cryptography.

Proprietary cryptography is currently deployed in many products that are used on a daily basis by the majority of people worldwide. It is embedded in the computational core of many wireless and contactless devices used in access control systems and vehicle immobilizers. Contactless access control cards are used in various security systems. Examples include public transport, payment terminals, office buildings and even high-security facilities such as ministries, banks, nuclear power plants and prisons. Many of these access control cards are based on proprietary encryption techniques. Prominent examples are the widely deployed contactless access control systems that use the MIFARE Classic, iClass and CryptoMemory technology.

A vehicle immobilizer is an electronic device that prevents the engine of the vehicle from starting when the corresponding transponder is not present. This transponder is a wireless radio frequency chip which is typically embedded in the plastic casing of the car key. When the driver tries to start the vehicle, the car authenticates the transponder before starting the engine, thus preventing hot-wiring. According to European Commission directive 95/56/EC, it is mandatory that all cars sold in the EU from 1995 are fitted with an electronic immobilizer. In practice, almost all recently sold cars in Europe are protected by transponders that embed one of the two proprietary encryption techniques Hitag2 or Megamos Crypto.

In this doctoral thesis, well-known techniques are combined with novel methods to analyze the workings of the previously mentioned proprietary cryptosystems. The cryptographic strength and security features of each system are comprehensively evaluated. The technical chapters describe various weaknesses and practical cryptanalytic attacks which can be mounted by an adversary that uses only ordinary, consumer-grade hardware. This emphasizes the seriousness of the findings and their relevance to the level of protection that is offered. The identified vulnerabilities are often plain design mistakes, which means the cryptosystems have been exploitable since their introduction.

The first part of this dissertation is dedicated to an introduction to the general field of computer security and cryptography. It includes an extensive description of the theoretical background that refers to related literature and gives a summary of well-known cryptographic attack techniques. Additionally, a broad summary of related scientific research on proprietary cryptography is given. Finally, the technical part of this doctoral dissertation presents serious weaknesses in widely deployed proprietary cryptosystems, which are still actively used by billions of consumers in their daily lives.