Don't try crypto at home, kids: the Open Smart Grid Protocol project rolled its own crypto and ended up with something horribly insecure.
This paper at the International Association for Cryptologic Research explains big issues with the OSGP crypto protocol deployed in as many as four million smart meters and devices.
The authors, Philipp Jovanovic of Germany's University of Passau and Samuel Neves of Portugal's University of Coimbra, described the OSGP's encryption as “a non-standard composition of RC4 and a home-brewed MAC, the 'OMA digest'.”
It's the MAC that's the problem, with the crypto-boffins finding that only a handful of queries to an “OMA digest oracle” are needed to recover the keys the system generates.
The digest has a bunch of flaws, they write:
- Zero-byte message padding “results in messages with any number of trailing zeroes sharing the same tag”; and
- The relationship between the OMA digest's state and the message is fully reversible.
The upshot is that the OMA digest is “extremely weak, and cannot be assumed to provide any authenticity guarantee whatsoever”.
One attack needed just 13 queries to an OMA oracle to recover the 96-bit secret key; “a more sophisticated version breaks the OMA digest with only 4 queries and a time complexity of about 225 simple operations”; while with one valid plaintext-tag pair, the key can be recovered with 144 message verification queries, or “one ciphertext-tag pair and 168 ciphertext verification queries”.
Perhaps coincidentally, the OSGP has announced it's working on an update to its security standards. ®