38C3: NATO shortwave radio with half-loop encryption is insecure
The Halfloop encryption algorithm used by the US military and NATO to protect shortwave radios contains serious IT security flaws.
Shortwave radio is often used by the military, emergency services and industries that require extremely robust long-distance communication without external infrastructure. But the Halfloop encryption algorithm, which is supposed to protect an important protocol for automatically establishing a connection, is considered broken. Lukas Stennes, a doctoral student at the Chair of Symmetric Cryptography at Ruhr University Bochum, presented comparatively simple attacks on Halfloop at the 38th Chaos Communication Congress (38C3) in Hamburg on Friday. According to the study, two hours of intercepted radio traffic are enough to recover the secret key, identify participants and listen in.
On shortwave, devices operate at frequencies between 3 and 30 MHz. This spectrum, which lies below VHF, enables sky-wave propagation, in which the radio signals are reflected by electrically charged particles in the upper atmosphere. This effect allows communication over very long distances without additional infrastructure such as radio masts. Originally, experienced operators were needed just to establish such a radio link.
This dependency was reduced by the introduction of the automatic link establishment (ALE) protocol. An ALE-enabled radio initiates a connection to another by selecting a suitable frequency according to a propagation model and then transmitting a framework for a call. If the frequency is good, the other radio receives it and the two terminals perform a "handshake" to establish a connection.
Halfloop predecessor SoDark was very easy to crack
The encryption of these ALE frames serves to protect the connection. It is primarily intended to prevent unauthorized users from establishing connections with wireless devices in a network or interfering with existing connections. Encryption also protects the network from certain types of traffic analysis, in which operating data such as network structure, frequencies, callsigns and schedules are evaluated. The SoDark encryption method is regarded as a comparatively early standard, but it only used keys with a length of 56 bits. This has long been considered too little to survive even crude brute force attacks. Scientific papers on how to break SoDark have existed since 2007.
As a direct successor, the Pentagon and NATO standardized the family of Halfloop algorithms (MIL-STD-188-141D) in 2017. The specification is public. At its core, Halfloop is a reduced version of the Advanced Encryption Standard (AES) with 128 bits. AES is currently the most commonly used encryption algorithm and has survived over two decades of studies and attacks.
Crypto tweak leads to the secret key
According to Stennes, the downsizing gave Halfloop many robust components, which, for example, make decryption very fast. However, he and his colleagues Marcus Dansarie (who had analyzed SoDark), Patrick Derbez and Gregor Leander discovered a "fatal flaw" in the use of a so-called tweak, which prepared the ground for "devastating attacks". The tweak, intended as an optimization, consists of the current time, a word counter and the frequency in use, which is in principle a "nice idea" inspired by AES. The Halfloop tweak even uses the same S-box as its big role model. In the details of the implementation, however, not everything worked out.
S-boxes are basic components of symmetric cryptosystems. They are used in block ciphers such as DES and Blowfish to blur the relationship between plaintext and ciphertext (confusion). However, S-boxes must be designed very carefully in order to withstand cryptanalysis. This was not the case with the Halfloop tweak, where the S-box ultimately consists of a look-up table. Using differential analysis, in which plaintext pairs with certain differences are encrypted, the researchers were able to derive the secret key of the symmetric cryptosystem from the resulting differences in the ciphertext.
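The two ideas in the paragraph above, an S-box's resistance to differential analysis and the way plaintext-pair differences leak a key through a single S-box layer, can be made concrete with a small constructed illustration. The Python below is an added example for this article, not code from the Bochum researchers and not an implementation of Halfloop: it generates the AES S-box (the one the article says Halfloop borrows), tabulates its difference distribution, and then runs a textbook differential key recovery against a toy cipher consisting of one S-box layer between two XORed keys. The toy cipher, the key values and the plaintext pairs are assumptions made up for the demonstration.

```python
"""Constructed illustration of differential analysis on the AES S-box.

Not code from the HALFLOOP papers or any radio firmware. Three parts:
  1. generate the AES S-box from its algebraic definition,
  2. build its difference distribution table (DDT), the figure of merit
     behind "S-boxes must be designed very carefully",
  3. recover the input key of a toy cipher c = S(p ^ k0) ^ k1 from
     plaintext pairs with chosen differences, without ever seeing the
     S-box output directly (k1 hides it, but cancels in c ^ c').
"""
import random
from typing import List, Set, Tuple


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8) as a^254; 0 maps to 0 as in AES."""
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def aes_sbox() -> List[int]:
    """AES S-box: GF(2^8) inverse followed by the fixed affine transform."""
    box = []
    for x in range(256):
        inv = gf_inv(x)
        y = inv
        for shift in range(1, 5):  # y = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
            y ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        box.append(y ^ 0x63)
    return box


def difference_table(sbox: List[int]) -> List[List[int]]:
    """DDT: ddt[din][dout] = number of x with S(x) ^ S(x ^ din) == dout."""
    n = len(sbox)
    ddt = [[0] * n for _ in range(n)]
    for din in range(n):
        for x in range(n):
            ddt[din][sbox[x] ^ sbox[x ^ din]] += 1
    return ddt


def differential_uniformity(ddt: List[List[int]]) -> int:
    """Largest DDT entry over nonzero input differences (4 for AES: 4/256)."""
    return max(ddt[din][dout] for din in range(1, len(ddt)) for dout in range(len(ddt)))


def toy_encrypt(sbox: List[int], k0: int, k1: int, p: int) -> int:
    """Toy cipher (assumption, not Halfloop): one S-box layer between two XOR keys."""
    return sbox[p ^ k0] ^ k1


def observe_pairs(sbox: List[int], k0: int, k1: int,
                  plaintext_pairs: List[Tuple[int, int]]) -> List[Tuple[int, int, int]]:
    """What an analyst with plaintext pairs sees: (p, p', c ^ c')."""
    return [(p1, p2, toy_encrypt(sbox, k0, k1, p1) ^ toy_encrypt(sbox, k0, k1, p2))
            for p1, p2 in plaintext_pairs]


def recover_k0(sbox: List[int], pairs: List[Tuple[int, int, int]]) -> Set[int]:
    """Keep every k0 consistent with all observed (p, p', c ^ c').

    Each pair leaves at most differential_uniformity() candidates; one input
    difference alone can never separate k0 from k0 ^ (p ^ p'), so pairs with
    several different input differences are needed to single out the key.
    """
    candidates = set(range(256))
    for p1, p2, cdiff in pairs:
        candidates = {k for k in candidates if sbox[p1 ^ k] ^ sbox[p2 ^ k] == cdiff}
    return candidates


if __name__ == "__main__":
    S = aes_sbox()
    print("max DDT entry for the AES S-box:", differential_uniformity(difference_table(S)))
    rng = random.Random(38)  # constructed toy keys and plaintext pairs
    k0, k1 = rng.randrange(256), rng.randrange(256)
    chosen = [(p, p ^ d) for p, d in ((rng.randrange(256), rng.randrange(1, 256)) for _ in range(6))]
    cands = recover_k0(S, observe_pairs(S, k0, k1, chosen))
    print("true k0 =", hex(k0), "candidates after 6 pairs:", sorted(map(hex, cands)))
```

The DDT maximum of 4 is the property that makes a single AES S-box hard to exploit: the best one-S-box differential holds for only 4 of 256 inputs, so an attacker needs many pairs per key byte and the work grows with each round that keeps the differences unpredictable. The toy recovery shows the flip side that the article is pointing at: once a construction lets differences pass through a lookup with a high-probability relation, the output key no longer protects the input key, because it cancels in the ciphertext difference.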
NATO is informed, but does not respond
With this method, an attacker can skip large parts of the encryption process. In the case of Halfloop, the research team found that they were able to skip the first five of ten rounds and only had to attack the remaining ones. Nevertheless, 500 years of intercepted radio traffic would still have been necessary to recover the secret key using this method. Although Halfloop was therefore already considered broken, a practically feasible attack was still lacking, Stennes explained. Together with their colleague Shahram Rasoolzadeh, the researchers therefore improved the attack. It now also runs on a computer with a manageable 5 gigabytes of RAM.
The scientists carried out the attacks themselves, but without spying on real military data, and described them in two research papers. They warn against continuing to use Halfloop. This also applies to the variants with block sizes of 48 and 96 bits. NATO was presented with the results before publication, but no response was received, Stennes explained. The military apparently considered the alternative AES block length to be too large. However, there is no real reason not to use AES for shortwave encryption. Additional authentication could also be added. In response to the rather ironic question of whether Halfloop could be a "gift from the NSA", the encryption expert reported that the design came "from the radio frequency community".
(nie)