Algebraic and Slide Attacks on KeeLoq
Fast Software Encryption
A Practical Attack on the MIFARE Classic
CARDIS '08 Proceedings of the 8th IFIP WG 8.8/11.2 international conference on Smart Card Research and Advanced Applications
ESORICS '08 Proceedings of the 13th European Symposium on Research in Computer Security: Computer Security
Reverse-engineering a cryptographic RFID tag
SS'08 Proceedings of the 17th conference on Security symposium
Cube Attacks on Tweakable Black Box Polynomials
EUROCRYPT '09 Proceedings of the 28th Annual International Conference on Advances in Cryptology: the Theory and Applications of Cryptographic Techniques
Cube Testers and Key Recovery Attacks on Reduced-Round MD6 and Trivium
Fast Software Encryption
Practical Algebraic Attacks on the Hitag2 Stream Cipher
ISC '09 Proceedings of the 12th International Conference on Information Security
Algebraic attacks on stream ciphers with linear feedback
EUROCRYPT'03 Proceedings of the 22nd international conference on Theory and applications of cryptographic techniques
EUROCRYPT'08 Proceedings of the theory and applications of cryptographic techniques 27th annual international conference on Advances in cryptology
Gone in 360 seconds: Hijacking with Hitag2
Security'12 Proceedings of the 21st USENIX conference on Security symposium
Hi-index | 0.00 |
Hitag2 is a lightweight LFSR-based stream cipher with a 48-bit key and a 48-bit internal state. As a more secure version of the Crypto-1 cipher which has been employed in many Mifare Classic RFID products, Hitag2 is used by many car manufacturers for unlocking car doors remotely. Until now, except the brute force attack, only one cryptanalysis on this cipher was released by Courtois, O'Neil and Quisquater, which broke Hitag2 by an SAT solver within several hours. However, little theoretical analysis and explanation were given in their work. In this paper, we show that there exist many low dimensional cubes of the initialization vectors such that the sums of the outputs of Hitag2 for the corresponding initialization vectors are linear expressions in secret key bits, and hence propose an efficient black- and white-box hybrid cube attack on Hitag2. Our attack experiments show that the cipher can be broken within one minute on a PC. The attack is composed of three phases: a black-box attack of extracting 32 bits of the secret key, a white-box attack to get several other key bits, and a brute force search for the remaining key bits.