User's Manual

ManualsBrandsSchweitzer Engineering Laboratories ManualsElectronicsSEL-3022

100

Table Of Contents

SEL-3022 Transceiver Instruction Manual Date Code 20050615

Wireless Operator Interface Security

The SEL Security Application

C.12

Cryptographic Manual—Do Not Copy

HMAC SHA-1 keyed hash value over the payload (message) portion of the received

frame. If the calculated HMAC SHA-1 hash output does not match the received

message fingerprint, the SEL-3022 rejects the message and terminates the session.

This arrangement protects the original frame data payload from malicious alteration,

authenticates the origin of the frame as a device with knowledge of both the encryption

and authentication keys, and protects the contents of the frame data payload from theft.

SEL Security Application Analysis

Cryptographic experts have analyzed the AES and HMAC SHA-1 cryptographic

functions. This analysis process began before NIST accepted each of the functions as

standards, and it will continue as long as these standards remain in use. To date, the

AES encryption and HMAC SHA-1 authentication algorithms have withstood all

public scrutiny in the sense that they provide the advertised level of security. In other

words, an AES encryption function with a 128-bit key will, by all analysis to date,

provide data confidentiality at a cryptographic strength of 128 bits (the discussion in

the following text addresses this concept). Cryptographically sound hash functions,

such as SHA-1, are expected to provide message integrity functionality at a strength

equal to half the size of the hash output. Because SHA-1 has a hash output length of

160 bits, it should produce message integrity functionality at a cryptographic strength

of 80 bits. To date, SHA-1 has maintained the expected cryptographic strength. Finally,

the HMAC function has also withstood all cryptographic analysis, in the sense that it

has proven to be an effective and secure method of mixing a secret authentication key

into the SHA-1 hash output. We will analyze the implications of these statements in the

following text.

As stated previously, the AES encryption function has, thus far, provided data

confidentiality at a cryptographic strength equal to the size of the encryption key. To

successfully guess a 128-bit key, such as the key the SEL-3022 uses, an attacker would

have to try an average of 2

127

= 1.7 • 10

keys before finding the correct value

(assuming that all key values are equally likely). This is a staggering number of

potential key values! If an attacker could test one million potential keys per second, it

would take more than 5.39 • 10

years, on average, to guess the correct key value

(note that the universe is estimated to be only 10

years old)! In reality, the time that it

would take to launch an effective key guessing attack against the SEL-3022 would be

even longer, because the wireless interface on the SEL-3022 times out briefly when an

authentication failure occurs. Because of the wireless interface timeout, the maximum

rate of a key guessing attack against the SEL-3022 is much less than one million keys

per second.

Because the SEL Security Application AES encrypts the HMAC-keyed authentication

digest in every frame, both the AES encryption key and the HMAC SHA-1

authentication key must be compromised simultaneously to send data to the SEL-3022.

For such a situation, an attacker would have to guess two independent 128-bit key

values, which is the same as guessing a single, 256-bit key. To guess a key of this size,

an attacker would, on average, have to make 2

255

= 5.79 • 10

key guessing attempts.

If an attacker could test one million potential keys per second, it would take more than

Preliminary Copy