|
|
|
|
|
|
|
ETSI TETRA TAA TEA TEA2 → ← TEA
|
The algorithm was developed in 1996/97 at
Philips Crypto BV in Eindhoven
(Netherlands) as a consultancy job for ETSI-SAGE. As the algorithm is
secret, it has never been submitted for peer-review or in-depth security
analysis. Instead it was evaluated by other ETSI-SAGE members before
being submitted as a formal ETSI standard.
All members of the TEA family, use an 80-bit key, but in the
case of TEA1 it is effectively reduced to 32 bits, which makes it
vulnerable to a brute-force attack.
According to one of the developers, this was mandatory to get the algorithm
approved for export. It was part of the ETSI specification
and was clearly visible in the code [3].
|
-
Not to be confused with Tiny Encryption Algorithm.
➤ Wikipedia
|
In July 2023, Dutch cyber security firm
Midnight Blue publicly disclosed the
reduced key length and identified it as an intentional
backdoor. As part of their research program
TETRA:BURST they had reverse-engineered
the source code of a commercially available TETRA radio,
and were able to isolate the algorithm, after which it could be analysed [2].
In addition, they demonstrated the weakness in a real life hack.
In the event, it took approx. one minute on a commercial laptop to
break the key, after which all past and future traffic (on the same key)
could be read instantly.
|
The diagram below shows how the initial 80-bit key (K) is reduced to
a 32-bit key (K'). The 80-bit key consists of 10 bytes and is loaded
into registers K0 to K9. It is then shifted left
10 times, one byte at a time. On each shift, the output byte is mixed
with the output from the key register (K'), fed through an
S-box lookup table (S) and shifted into the key register (K'). In
itself this is a genuine operation, but as the K' register is just 32 bits
wide, the remaining 48 bits are lost.
|
| |
TEA1 key compression function
|
|
The diagram below shows the structure of the TEA1 key stream generator
which consists of two parts: a 64-bit state register (R) and an 32-bit
key register (K').
The state register (R) is initialised with the Initialisation Vector (IV),
whilst the key registeris derived from the original key (K').
The key register is basically a Linear Feedback Shift Register (LFSR)
with an S-box lookup table (S).
It is only fed with data from itself and produces a
key-dependent output, independent from the IV.
|
| |
Structure of the TEA1 stream cipher
|
The state register (R) is also a Linear Feedback Shift Register (LFSR)
that produces the output key stream byte at the top left (R0).
It consists of two parts (R0-R3
and R4-R7) with an XOR inbetween.
F1 is a non-linear function that takes two input bytes
(R5, R6) and produces one output byte that is
mixed in the middle of the state register (R3-R4).
F2 is also a non-linear function that takes two input bytes
(R1, R2) and produces one output byte that is
mixed with the feedback loop. (B) is a simple bit permutation of which the
output is also mixed with the feedback loop.
For a more detailed description of the cipher, please refer to the paper
'All cops are broadcasting: TETRA under scrutiny'
by Carlo Meijer, Wouter Bokslag and Jos Wetzels, published in August 2023
in relation to the TETRA:BURST vulnerability
disclosures [4].
➤ Read the paper
➤ More about TETRA:BURST
|
|
As part of the TETRA:BURST project,
Midnight Blue researchers managed to
extract and reverse-engineer the firmware from an operational TETRA radio,
and construct an equivalent of the code in the C programming language.
This source code is now available to researchers [II].
The source code snippet below shows the implementation of the
key reduction function.
|
int32_t tea1_init_key_register(const uint8_t *lpKey) {
int32_t dwResult = 0;
for (int i = 0; i < 10; i++) {
dwResult = (dwResult << 8) |
g_abTea1Sbox[((dwResult >> 24) ^ lpKey[i] ^ dwResult) & 0xff];
}
return dwResult;
}
|
|
The key consists of 80 bits, which is equal to 10 bytes.
In the above code, the 10 bytes are processed one at a time, and then shifted
into the result ( dwResult ) register. However, as the dwResult
register is only 32 bits wide, the first 48 bits are shifted out
and the key consists of the last 32 bits only, which is trivially
short for a brute-force attack.
➤ Download the full source code
|
|
|
|
Any links shown in red are currently unavailable.
If you like the information on this website, why not make a donation?
© Crypto Museum. Created: Wednesday 09 August 2023. Last changed: Saturday, 12 August 2023 - 14:01 CET.
|
 |
|
|
|
