Satellite phone communications encrypted with the GMR-2 cipher can be decrypted in mere fractions of a second, two Chinese researchers have proved.
The vulnerable cipher
The GMR-2 is a stream cipher with 64-bit key-length.
“Generally speaking, stream ciphers firstly generate keystreams by implementing a series of complex cryptographic transformation on the initial vectors and the encryption-key, and then XOR the keystreams with plaintexts to obtain the ciphertexts. Therefore, to resist known plaintext attack, a vital requirement of stream ciphers is the one-way property, i.e., it must be difficult for the adversary to derive the encryption-key from the keystream through inversion procedure,” the researchers explained.
Currently, the phones of British satellite telecom Inmarsat use the GMR-2 standard, and those of United Arab Emirates-based satellite phone provider Thuraya use the (competing) GMR-1 standard.
It used to be that details about the GMR-1 and the GMR-2 cipher were not publicly known, but in 2012, a group of German researchers managed to reverse engineer them both, and concluded that they are considerably weaker than state-of-the-art ciphers such as AES, or even lightweight block ciphers such as PRESENT.
“With respect to the GMR-2 cipher, in a known-plaintext setting where approximately 50–65 bytes plaintext are known to the attacker, it is possible to recover a session key with a moderate computational complexity, allowing the attack to be easily performed with a current PC,” they demonstrated at the time.
The real-time inversion attack against GMR-2
The Chinese researchers approached the matter from a different perspective, and did even better – their attack allows de facto real-time decryption of target communications.
They did not opt for a known plaintext attack to recover the encryption key – instead, they tried, and succeeded, to reverse the encryption procedure so that they could extrapolate the encryption key directly from the output keystream.
“Our analysis shows that, using the proposed attack, the exhaustive search space for the 64-bit encryption key can be reduced to about 2(13) when one frame (15 bytes) keystream is available,” they pointed out. “(…) the proposed attack are carried out on a 3.3GHz platform, and the experimental results demonstrate that the 64-bit encryption key could be recovered in around 0.02s on average.”
“Given that the confidentiality is a very crucial aspect in satellite communications, the encryption algorithms in the satellite phones should be strong enough to withstand various eavesdropping risks,” they noted, and concluded that the serious flaws found in the GMR-2 cipher should spur satellite phone providers to upgrade to more secure cryptographic modules.