A method for obtaining the GMR-2 encrypted satellite communication key by inverse attack

Document No.: 1775768. Published: 2019-12-03.

Abstract: This technique, "A method for obtaining the GMR-2 encrypted satellite communication key by inverse attack", was designed by Ma Piming (马丕明), Han Wencong (韩文聪) and Yang Yong (杨勇) on 2019-08-07. It is a method for obtaining the GMR-2 encrypted satellite communication key by inverse attack and belongs to the technical field of satellite communication decryption. The invention builds lookup tables from one frame of keystream, obtains valid key chains by table lookup and from them the candidate keys, and finally finds the unique key common to the candidate key sets of several keystream frames, which is the correct encryption key. In implementation, valid key chains can conveniently be added, deleted and backtracked dynamically, which makes the operations easier to implement. In addition, because verification finds the common key among several candidate key sets, the encryption key can be obtained without knowing how the cipher is initialized.

1. A method for obtaining the GMR-2 encrypted satellite communication key by inverse attack, carried out in three steps: generating the lookup tables, obtaining candidate keys by table lookup, and verifying to obtain the correct key. The specific steps are as follows:

1) Generate the lookup tables from the keystream

In the GMR-2 standard the encryption key has 8 bytes, denoted $(K_0, K_1, \ldots, K_7)$, and one frame of keystream has 15 bytes, denoted $(Z_0, Z_1, \ldots, Z_{14})$. For a known keystream, analysing the $(c+8)$-th clock yields 7 keystream byte combinations $(Z_{c+8}, Z_{c+7}, Z_c)$, where $0 \le c \le 6$ and $Z_c$ denotes the $c$-th keystream byte. When the $c$-th key byte $K_c$ is known, $(Z_{c+8}, Z_{c+7}, Z_c)$ uniquely determines the $t$-th key byte $K_t$, so each value of $(Z_{c+8}, Z_{c+7}, Z_c)$ corresponds to 256 possible triples $(K_c, K_t, t)$. Define 8 structures list[0], ..., list[7]. For $0 \le c \le 6$, the triples $(K_c, K_t, t)$ are stored in structure list[c] in order of $K_c$ from 0 to 255; this is called table list[c], which gives 7 tables. When the table index is 7, the corresponding $K_t$ and $t$ cannot be obtained from the keystream, so when table list[7] is built, $K_7$ takes the values 0 to 255 and the corresponding $K_t$ and $t$ are all set to 0. This gives the 8 tables list[0], ..., list[7];

2) Obtain the candidate keys by table lookup

a. Define a vector R to store the valid key chains found so far; a vector Delta to store the key chain currently being searched; arrays Tao1 and Tao2 of length 8 whose elements are 0 or 1, where 1 indicates that the key byte at the corresponding position has been obtained; and a vector KeyCandidate to store the candidate keys found. Initialize the elements of Tao1 and Tao2 to 0, and set $c = 0$, $K_c = 0$;

b. Using $(c, K_c)$, look up row $K_c$ of table list[c] to obtain the $(t, K_t)$ corresponding to $K_c$. Check whether element $t$ of array Tao1 or Tao2 is 1. If it is not 1, go to step c. If it is 1, check whether $(t, K_t)$ exists in vector Delta or R: if so, go to step g; if not, execute function backtrack and then go to step i;

c. Check whether $t$ equals $c$: if so, go to step d; if not, go to step e;

d. Check whether $K_t$ equals $K_c$: if so, go to step g; if not, execute function backtrack and then go to step i;

e. Check whether $t$ equals 7: if so, go to step f; if not, go to step h;

f. Set elements $c$ and 7 of array Tao2 to 1, store $(c, K_c)$ and $(7, K_7)$ in vector Delta, and execute function Combine; then go to step i;

g. Set element $c$ of array Tao2 to 1, store $(c, K_c)$ in vector Delta, and execute function Combine; then go to step i;

h. Set element $c$ of array Tao2 to 1, store $(c, K_c)$ in vector Delta, and assign the value of $(t, K_t)$ to $(c, K_c)$;

i. Check whether $c = 0$ and $K_c > 255$ hold at the same time: if not, go to step b; if so, the contents of vector KeyCandidate are all the candidate keys;

The two subfunctions used in the steps above are defined as follows:

Function Combine:

C1. Store the value of vector Delta in vector R, XOR the values of arrays Tao1 and Tao2 and store the result in array Tao1, then count the elements of Tao1 whose value is 1. If the count is 8, go to step C2; otherwise go to step C3;

C2. Store vector R in vector KeyCandidate, delete the last element of vector R, XOR the values of arrays Tao1 and Tao2 and store the result in array Tao1, and execute function backtrack; then go to step C4;

C3. If the first 7 elements of array Tao1 are 1 and the last element is 0, set the first 7 elements of array Tao2 to 0 and the last element to 1, clear vector Delta, and, as $K_7$ takes each value from 0 to 255 in turn, perform the following operations: store $(7, K_7)$ in vector Delta and execute function Combine. If the above condition is not met, set $c$ to the index of the first element of array Tao1 that is 0, and set $K_c = 0$. Go to step C4;

C4. Initialize the elements of array Tao2 to 0, clear vector Delta, and return the value of $(c, K_c)$;

Function backtrack:

B1. Assign the value of the first structure in vector Delta to $(c, K_c)$, then add 1 to the value of $K_c$. Check whether $K_c > 255$ holds: if so, go to step B2; if not, go to step B4;

B2. Check whether $c = 0$ holds: if so, return the value of $(c, K_c)$; if not, go to step B3;

B3. Assign the last value in vector R to vector Delta. Let $s$ denote a position in array Tao2: assign the first value of each structure in vector Delta to $s$ in turn, and set element $s$ of array Tao2 to 1. Delete the last element of vector R, XOR the values of arrays Tao1 and Tao2 and store the result in array Tao1, and execute function backtrack;

B4. Initialize the values of array Tao2 to 0, clear vector Delta, and return the value of $(c, K_c)$;

3) Verify to obtain the correct key

Without knowing how the cipher is initialized, the encryption key is obtained in the following way:

i. Define a vector I to store the keys common to two groups of keystream; let $k$ denote the $k$-th keystream frame, with initial value $k = 1$;

ii. For keystream frame 0, obtain a set of candidate keys by steps 1) and 2) and store it in vector KeyCandidate[0]. For keystream frame $k$, obtain a set of candidate keys by steps 1) and 2) and store it in vector KeyCandidate[k]. Take each candidate key from vector KeyCandidate[0] in turn and compare it with every candidate key in vector KeyCandidate[k]; if a candidate key identical to it is found in vector KeyCandidate[k], store it in vector I;

iii. Count the elements in vector I. If vector I contains only one candidate key, that candidate key is the encryption key sought and the key recovery process ends. If there are several candidate keys, set $k = k + 1$ and go to step iv;

iv. For keystream frame $k$, obtain a set of candidate keys by steps 1) and 2) and store it in vector KeyCandidate[k]. Take each candidate key from vector I in turn and compare it with every candidate key in vector KeyCandidate[k]. If a candidate key identical to it is found in vector KeyCandidate[k], keep that candidate key in vector I; if it differs from all candidate keys in vector KeyCandidate[k], delete it from vector I. Go to step iii.

Technical field

The present invention relates to a method for obtaining the GMR-2 encrypted satellite communication key by inverse attack, and belongs to the technical field of satellite communication decryption.

Background art

With the rapid development of mobile communication, people all over the world can communicate conveniently. However, mobile communication systems depend on base stations and antennas to work, and building and maintaining base stations in some remote areas or on the vast oceans poses engineering or technical difficulties. Satellite phones are therefore widely used in the regions that conventional mobile communication signals cannot cover.

While satellite communication brings many conveniences to our lives, its security is attracting more and more attention. The European Telecommunications Standards Institute (ETSI) proposed two encryption algorithms for satellite phones: GMR-1 and GMR-2. The GMR-1 specification is an extension of the GSM standard, and Thuraya satellite phones use this encryption algorithm. GMR-2 is a stream cipher newly designed by ETSI and is used mainly in the satellite phones of the International Maritime Satellite Organization (INMARSAT).

In recent years, researchers have done a great deal of work on the security of satellite communication systems that use the GMR-2 encryption algorithm. "Don't Trust Satellite Phones: A Security Analysis of Two Satphone Standards" by Benedikt Driessen et al. [IEEE Symposium on Security and Privacy, 2012, pp. 128-142] derived the structure and encryption process of the GMR-2 cipher by reverse engineering and thereby broke the GMR-2 algorithm. "A real-time inversion attack on the GMR-2 cipher used in the satellite phones" by Jiao Hu et al. [Science China Information Sciences, 2018, 61(3): 032113] studied the inversion properties of the GMR-2 cipher and proposed a real-time inversion attack that uses a single frame of keystream, with steps including building the lookup tables, dynamic table lookup, filtering, combination and verification. That method needs to know how the cipher is initialized during verification, and therefore has some limitations.

Summary of the invention

To make up for the shortcomings of existing research, the present invention provides a method for obtaining the GMR-2 encrypted satellite communication key by inverse attack. During verification it finds the common key among several candidate key sets, which fills the gap of obtaining the encryption key without knowing how the cipher is initialized.

The technical solution of the invention is as follows:

A method for obtaining the GMR-2 encrypted satellite communication key by inverse attack, carried out in three steps: generating the lookup tables, obtaining candidate keys by table lookup, and verifying to obtain the correct key. The specific steps are as follows:

1) Generate the lookup tables from the keystream

In the GMR-2 standard the encryption key has 8 bytes, denoted $(K_0, K_1, \ldots, K_7)$, and one frame of keystream has 15 bytes, denoted $(Z_0, Z_1, \ldots, Z_{14})$. For a known keystream, analysing the $(c+8)$-th clock yields 7 keystream byte combinations $(Z_{c+8}, Z_{c+7}, Z_c)$, where $0 \le c \le 6$ and $Z_c$ denotes the $c$-th keystream byte. When the $c$-th key byte $K_c$ is known, $(Z_{c+8}, Z_{c+7}, Z_c)$ uniquely determines the $t$-th key byte $K_t$, so each value of $(Z_{c+8}, Z_{c+7}, Z_c)$ corresponds to 256 possible triples $(K_c, K_t, t)$. Define 8 structures list[0], ..., list[7]. For $0 \le c \le 6$, the triples $(K_c, K_t, t)$ are stored in structure list[c] in order of $K_c$ from 0 to 255; this is called table list[c], which gives 7 tables. When the table index is 7, the corresponding $K_t$ and $t$ cannot be obtained from the keystream, so when table list[7] is built, $K_7$ takes the values 0 to 255 and the corresponding $K_t$ and $t$ are all set to 0. This gives the 8 tables list[0], ..., list[7];

2) Obtain the candidate keys by table lookup

a. Define a vector R to store the valid key chains found so far; a vector Delta to store the key chain currently being searched; arrays Tao1 and Tao2 of length 8 whose elements are 0 or 1, where 1 indicates that the key byte at the corresponding position has been obtained; and a vector KeyCandidate to store the candidate keys found. Initialize the elements of Tao1 and Tao2 to 0, and set $c = 0$, $K_c = 0$;

b. Using $(c, K_c)$, look up row $K_c$ of table list[c] to obtain the $(t, K_t)$ corresponding to $K_c$. Check whether element $t$ of array Tao1 or Tao2 is 1. If it is not 1, go to step c. If it is 1, check whether $(t, K_t)$ exists in vector Delta or R: if so, go to step g; if not, execute function backtrack and then go to step i;

c. Check whether $t$ equals $c$: if so, go to step d; if not, go to step e;

d. Check whether $K_t$ equals $K_c$: if so, go to step g; if not, execute function backtrack and then go to step i;

e. Check whether $t$ equals 7: if so, go to step f; if not, go to step h;

f. Set elements $c$ and 7 of array Tao2 to 1, store $(c, K_c)$ and $(7, K_7)$ in vector Delta, and execute function Combine; then go to step i;

g. Set element $c$ of array Tao2 to 1, store $(c, K_c)$ in vector Delta, and execute function Combine; then go to step i;

h. Set element $c$ of array Tao2 to 1, store $(c, K_c)$ in vector Delta, and assign the value of $(t, K_t)$ to $(c, K_c)$;

i. Check whether $c = 0$ and $K_c > 255$ hold at the same time: if not, go to step b; if so, the contents of vector KeyCandidate are all the candidate keys;

The two subfunctions used in the steps above are defined as follows:

Function Combine:

C1. Store the value of vector Delta in vector R, XOR the values of arrays Tao1 and Tao2 and store the result in array Tao1, then count the elements of Tao1 whose value is 1. If the count is 8, go to step C2; otherwise go to step C3;

C2. Store vector R in vector KeyCandidate, delete the last element of vector R, XOR the values of arrays Tao1 and Tao2 and store the result in array Tao1, and execute function backtrack; then go to step C4;

C3. If the first 7 elements of array Tao1 are 1 and the last element is 0, set the first 7 elements of array Tao2 to 0 and the last element to 1, clear vector Delta, and, as $K_7$ takes each value from 0 to 255 in turn, perform the following operations: store $(7, K_7)$ in vector Delta and execute function Combine. If the above condition is not met, set $c$ to the index of the first element of array Tao1 that is 0, and set $K_c = 0$. Go to step C4;

C4. Initialize the elements of array Tao2 to 0, clear vector Delta, and return the value of $(c, K_c)$;

Function backtrack:

B1. Assign the value of the first structure in vector Delta to $(c, K_c)$, then add 1 to the value of $K_c$. Check whether $K_c > 255$ holds: if so, go to step B2; if not, go to step B4;

B2. Check whether $c = 0$ holds: if so, return the value of $(c, K_c)$; if not, go to step B3;

B3. Assign the last value in vector R to vector Delta. Let $s$ denote a position in array Tao2: assign the first value of each structure in vector Delta to $s$ in turn, and set element $s$ of array Tao2 to 1. Delete the last element of vector R, XOR the values of arrays Tao1 and Tao2 and store the result in array Tao1, and execute function backtrack;

B4. Initialize the values of array Tao2 to 0, clear vector Delta, and return the value of $(c, K_c)$;

3) Verify to obtain the correct key

Without knowing how the cipher is initialized, the encryption key is obtained in the following way:

i. Define a vector I to store the keys common to two groups of keystream; let $k$ denote the $k$-th keystream frame, with initial value $k = 1$;

ii. For keystream frame 0, obtain a set of candidate keys by steps 1) and 2) and store it in vector KeyCandidate[0]. For keystream frame $k$, obtain a set of candidate keys by steps 1) and 2) and store it in vector KeyCandidate[k]. Take each candidate key from vector KeyCandidate[0] in turn and compare it with every candidate key in vector KeyCandidate[k]; if a candidate key identical to it is found in vector KeyCandidate[k], store it in vector I;

iii. Count the elements in vector I. If vector I contains only one candidate key, that candidate key is the encryption key sought and the key recovery process ends. If there are several candidate keys, set $k = k + 1$ and go to step iv;

iv. For keystream frame $k$, obtain a set of candidate keys by steps 1) and 2) and store it in vector KeyCandidate[k]. Take each candidate key from vector I in turn and compare it with every candidate key in vector KeyCandidate[k]. If a candidate key identical to it is found in vector KeyCandidate[k], keep that candidate key in vector I; if it differs from all candidate keys in vector KeyCandidate[k], delete it from vector I. Go to step iii.
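The frame-by-frame narrowing of step 3), as an added example that is not part of the patent text: it generalizes steps i to iv to any number of frames and also reports the two outcomes the steps leave open (no shared candidate, or the frames run out with several survivors). The candidate sets, `TRUE_KEY` and `SHARED_DECOY` are constructed stand-ins for the output of steps 1) and 2), and the function names are hypothetical.

```python
from typing import Iterable, List, Optional, Set, Tuple

KEY_LEN = 8  # GMR-2 key length in bytes, from step 1)


def common_key(candidate_sets: Iterable[Set[bytes]]
               ) -> Tuple[Optional[bytes], int, Set[bytes]]:
    """Steps i-iv: intersect per-frame candidate sets until one key remains.

    Returns (key or None, frames consumed, surviving candidates). The key is
    None when the frames share no candidate (e.g. they were not produced
    under the same key) or when the input ends with several survivors.
    """
    survivors: Set[bytes] = set()
    used = 0
    for cands in candidate_sets:               # KeyCandidate[k], k = 0, 1, ...
        if any(len(key) != KEY_LEN for key in cands):
            raise ValueError("candidate key is not 8 bytes long")
        # Frame 0 seeds vector I; later frames keep only the shared keys.
        survivors = set(cands) if used == 0 else survivors & set(cands)
        used += 1
        if used >= 2 and len(survivors) <= 1:  # step iii: unique key or none
            break
    key = next(iter(survivors)) if used >= 2 and len(survivors) == 1 else None
    return key, used, survivors


def make_frames(true_key: bytes, n_frames: int, decoys: int) -> List[Set[bytes]]:
    """Constructed stand-in for the output of steps 1) and 2): every frame's
    set holds true_key plus decoys unique to that frame (not GMR-2 output)."""
    return [{true_key} | {((k << 32) | i).to_bytes(KEY_LEN, "big")
                          for i in range(decoys)}
            for k in range(n_frames)]


TRUE_KEY = bytes.fromhex("a1b2c3d4e5f60718")   # constructed sample key
SHARED_DECOY = bytes.fromhex("ff" * KEY_LEN)   # constructed false positive


def demo() -> Tuple[Optional[bytes], int, Set[bytes]]:
    frames = make_frames(TRUE_KEY, n_frames=4, decoys=50)
    frames[0].add(SHARED_DECOY)                # survives frames 0 and 1 only
    frames[1].add(SHARED_DECOY)
    return common_key(frames)


if __name__ == "__main__":
    key, used, _ = demo()
    print(f"key {key.hex()} isolated after {used} frames")
```

In the constructed run the false positive shared by frames 0 and 1 is eliminated by frame 2, so three frames are consumed and the fourth is never read.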

The present invention provides a method for obtaining the GMR-2 encrypted satellite communication key by inverse attack in which valid key chains can conveniently be deleted and backtracked dynamically, so it is easy to implement. In addition, by finding the common key among several candidate key sets during verification, it fills the gap of obtaining the encryption key without knowing how the cipher is initialized.

Detailed description of embodiments

The invention is further described below with reference to an embodiment, but is not limited thereto.
