Activation protocol for tracking devices

Jerry Leichter leichter at lrw.com
Mon Mar 2 12:21:07 EST 2009 

On Feb 27, 2009, at 2:13 PM, Santiago Aguiar wrote:
> * Is there any standard cryptographic hash function with an output  
> of about 64 bits? It's OK for our scenario if finding a preimage for  
> a particular signature takes 5 days. Not if it takes 5 minutes.
Not specifically, but you can simply take the first 64 bits from a  
larger cryptographically secure hash function.  If the nature of your  
usage is that an attack requires finding a preimage to an externally  
specified hash value, 64 bits is reasonably secure.  (If being able to  
find a pair of values with the same hash value, 64 bits is way too  
short.)

> * Suppose a cryptographically secure random number is stored on the  
> device from factory, could I use the output of a block cipher  
> applied to this number as a way to generate new random numbers  
> (since the output from the cipher should not be distinguishable from  
> random data)? In case yes, could I do this with a hash instead of a  
> cipher?
Both of these techniques have been used.  If you want a simple  
security argument for the block cipher case, use the pre-stored random  
number as the key and encrypt 0, 1, 2, and so on.  If some can use  
this output to get the key; or if given encryptions up to n, they can  
guess the encryption at n+1, then the cipher could not be used in  
counter mode (since what you are getting is exactly the counter-mode  
encryption of an all-0-bits message).  Obviously, you'll have to store  
the counter across boots, since otherwise you repeat values.

With a hash, you need to be a bit fancier since, in and of itself, the  
hash has no secret information.  This can be done, but it would be  
trickier; I'd go with the block cipher.

Note that there are published algorithms - even part of FIPS standards  
- that do exactly what you need:  Take a single random seed and safely  
stretch it into a large number of random values.  The ones in the  
standards - and perhaps most of the ones out there - are old and  
probably not up to contemporary standards.

> For those interested, this is what we are proposing at the time:
>
> Every TCU (the device) comes pre-installed from factory with a Kt  
> known to the device and DENATRAN.
>
> SO-> TCU (device): sends a SMS with GPRS connection information  
> (apn, user, pass, server IPs/ports). The mechanism so that this  
> first SMS is not a big issue have been, reasonably, covered.
> TCU->SO: challenge
> SO->DENATRAN: challenge, SO_id
> DENATRAN->SO: H(Kt, challenge, SO_id), Kc=H(Kt, challenge)
> SO->TCU: H(Kt, challenge, SO_id), SO_id
You're trying to produce a keyed hash function (or MAC) from a non- 
keyed hash function.  Just pre-pending the secret key is not  
necessarily secure.  I'd suggest using HMAC (with Kt the key, of  
course).

> From that point, Kc is stored in SO and TCU, and every message  
> interchanged between the SO and TCU goes signed with Kc (for this we  
> need a H with max. 64 bits output...).
Signed?  How?  I don't understand the 64-bit limitation.  I'm not sure  
a 64-bit signing key is sufficient these days.
                                                         -- Jerry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list