Research article, DOI: 10.1145/3052973.3053027

An Attack Against Message Authentication in the ERTMS Train to Trackside Communication Protocols

Published: 02 April 2017

Abstract

This paper presents the results of a cryptographic analysis of the protocols used by the European Rail Traffic Management System (ERTMS). A stack of three protocols secures the communication between trains and trackside equipment: encrypted radio communication is provided by the GSM-R protocol, and on top of this the EuroRadio protocol provides authentication for a train control application-level protocol. We present an attack which exploits weaknesses in all three protocols: GSM-R has the same well-known weaknesses as the GSM protocol, and we present a new collision attack against the EuroRadio protocol. Combined with design weaknesses in the application-level protocol, these vulnerabilities allow an attacker who observes a MAC collision to forge train control messages. We demonstrate this attack with a proof of concept using train control messages we have generated ourselves. Currently, ERTMS is only used to send small amounts of data for short sessions, so this attack does not present an immediate danger. However, if EuroRadio were to be used to transfer larger amounts of data, trains would become vulnerable to this attack. Additionally, we calculate that, under reasonable assumptions, an attacker who could monitor all backend control centres in a country the size of the UK for 45 days would have a 1% chance of being able to take control of a train.
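
The abstract's point that the risk grows with the amount of data sent in a session follows from the birthday bound on MAC tag collisions. The sketch below is an added example, not code from the paper: it estimates that risk assuming a 64-bit tag (a length this page does not state) and checks the formula against a simulation that uses truncated HMAC-SHA256 as a stand-in MAC with constructed keys and messages.

```python
import hashlib
import hmac
import math

ASSUMED_TAG_BITS = 64  # assumption: the tag length is not stated on this page


def collision_probability(n_messages, tag_bits):
    """Birthday approximation: P(two of n uniformly random tags are equal)."""
    space = 2.0 ** tag_bits
    # expm1 keeps precision when the probability is very small
    return -math.expm1(-n_messages * (n_messages - 1) / (2.0 * space))


def messages_for_probability(p, tag_bits):
    """Approximate number of observed tags needed for collision probability p."""
    space = 2.0 ** tag_bits
    return math.ceil(math.sqrt(2.0 * space * -math.log1p(-p)))


def simulated_collision_rate(tag_bytes, n_messages, trials):
    """Fraction of sessions (one key each) that contain a repeated tag.

    Stand-in MAC: HMAC-SHA256 truncated to tag_bytes. Keys and messages are
    constructed counters so the run is reproducible.
    """
    hits = 0
    for trial in range(trials):
        key = trial.to_bytes(4, "big")
        seen = set()
        for i in range(n_messages):
            msg = i.to_bytes(8, "big")
            tag = hmac.new(key, msg, hashlib.sha256).digest()[:tag_bytes]
            if tag in seen:
                hits += 1
                break
            seen.add(tag)
    return hits / trials


if __name__ == "__main__":
    n64 = messages_for_probability(0.01, ASSUMED_TAG_BITS)
    n128 = messages_for_probability(0.01, 128)
    print(f"64-bit tag:  ~{n64:.3e} tags under one key for a 1% collision chance")
    print(f"128-bit tag: ~{n128:.3e} tags for the same chance")
    # Small tag space so the bound can be checked empirically
    print("16-bit tag, 100 messages: predicted",
          round(collision_probability(100, 16), 4),
          "simulated", simulated_collision_rate(2, 100, 2000))
```

Doubling the tag length squares the number of tags an observer must see for the same collision chance, which is why short sessions with little data keep the exposure low.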



Published In

ASIA CCS '17: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security
April 2017
952 pages
ISBN: 9781450349444
DOI: 10.1145/3052973

Publisher

Association for Computing Machinery
New York, NY, United States

Author Tags

1. ERTMS
2. MAC forging
3. birthday attack
4. collision attack
5. euroradio
6. security
7. vulnerability

Conference

ASIA CCS '17

Acceptance Rates

ASIA CCS '17 Paper Acceptance Rate 67 of 359 submissions, 19%;
Overall Acceptance Rate 418 of 2,322 submissions, 18%
