Hacking the Xbox
Chapter 7 - A Brief Primer on Security

for encrypting real-time data streams and embedded applications where
processor performance and storage space is tight. TEA has a 128-bit key
and it operates on 64 bits of data at a time, and each of its 32 rounds
uses only shifts, XORs and additions. (The algorithm, given in Listing 7-1
and Figure 7-2, is optimized for implementation on 32-bit general-purpose
processors.)

The bantam TEA algorithm is believed to be quite secure when used to
encrypt and decrypt data. However, TEA is not used for encryption in
the Xbox; it is actually used as a hash function by operating the cipher in
a modified Davies-Meyer mode. The region to be hashed is divided into
64-bit blocks. These source data blocks are used as half of the key input
to TEA. The other half of the key input comes from the result of the
previous TEA operation, and the first TEA operation uses a magic
number as its input.

The result is a 64-bit hash function, as depicted in Figure 7-1. This hash is
weak against birthday attacks, especially given the computational efficiency
of TEA, as only 2^32 message pairs need to be tested on average to
find a collision. Even though a birthday attack does not apply in the
Xbox’s usage scenario, the Xbox runs the hash twice, each time with a
different magic number seed, and concatenates the results to generate a
single 128-bit hash value — probably in an attempt to foil brute-force
attacks.

Unfortunately, TEA has a weakness in its key schedule: every TEA key
has four related keys. In other words, for every key, you can generate
three other keys that produce the same ciphertext result with the same
input data. Related-key generation is as simple as complementing pairs of
key bits (bits 31 and 63 are one pair, bits 95 and 127 are the other pair).
This makes TEA unsuitable for use as a hash function, and this weakness
is well documented in the paper “Key-schedule cryptanalysis of IDEA,
G-DES, GOST, SAFER, and triple-DES,” by John Kelsey, Bruce
Schneier, and David Wagner, presented many years ago at CRYPTO
1996. This weakness was later leveraged by a team headed by Andy
Green to break the second version of the Xbox security scheme.

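The related-key property described above can be checked directly. The following is an added example, not code from the book or from the Xbox: it runs standard TEA and a toy chained hash whose layout (data block in key words 0-1, previous result in key words 2-3 and as plaintext, XOR feed-forward), seed, sample values and function names are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#define MSB 0x80000000u

/* Standard TEA encryption: 64-bit block v, 128-bit key k, 32 rounds. */
static void tea_encrypt(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (int i = 0; i < 32; i++) {
        sum += 0x9E3779B9u;                       /* TEA's delta constant */
        v0 += ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        v1 += ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
    }
    v[0] = v0; v[1] = v1;
}

/* Constructed plaintext and key; m01 flips key bits 31/63, m23 bits 95/127. */
static uint64_t ct_with_key_flips(uint32_t m01, uint32_t m23) {
    uint32_t k[4] = { 0x0BADC0DEu ^ m01, 0x12345678u ^ m01,
                      0xCAFEF00Du ^ m23, 0x9ABCDEF0u ^ m23 };
    uint32_t v[2] = { 0xDEADBEEFu, 0x00C0FFEEu };
    tea_encrypt(v, k);
    return ((uint64_t)v[1] << 32) | v[0];
}

/* Toy chained hash. ASSUMED layout, not the Xbox's: data block -> key words
 * 0-1, previous result -> key words 2-3 and plaintext, XOR feed-forward. */
static uint64_t toy_tea_hash(const uint32_t *data, size_t nblocks) {
    uint32_t h[2] = { 0x01234567u, 0x89ABCDEFu };  /* made-up magic number */
    for (size_t i = 0; i < nblocks; i++) {
        uint32_t k[4] = { data[2 * i], data[2 * i + 1], h[0], h[1] };
        uint32_t prev0 = h[0], prev1 = h[1];
        tea_encrypt(h, k);
        h[0] ^= prev0; h[1] ^= prev1;
    }
    return ((uint64_t)h[1] << 32) | h[0];
}

/* Hash a constructed 2-block message; f0/f1 flip bits in block 0's words. */
static uint64_t hash_with_flips(uint32_t f0, uint32_t f1) {
    uint32_t msg[4] = { 0x11111111u ^ f0, 0x22222222u ^ f1, 0x33333333u, 0x44444444u };
    return toy_tea_hash(msg, 2);
}

int main(void) {
    printf("equivalent key: %d, paired flip collides: %d, single flip collides: %d\n",
           ct_with_key_flips(0, 0) == ct_with_key_flips(MSB, MSB),
           hash_with_flips(0, 0) == hash_with_flips(MSB, MSB),
           hash_with_flips(0, 0) == hash_with_flips(MSB, 0));
    return 0;
}
```

Because the data block sits in the key input, complementing a bit pair in the hashed data yields a different message with an identical digest, which is why a cipher with equivalent keys is a poor compression function for an integrity check.
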
RC-4<br />
RC-4 (Ron’s Code or Rivest Cipher 4) is a variable key-length stream
cipher by Ron Rivest. The heart of RC-4 is the keystream generator. It
can be thought of as a cryptographic pseudo-random number generator
(CPRNG). The output of the CPRNG is XOR’d one byte at a time with a
plaintext stream to generate the ciphertext. Decryption is accomplished in a
similar fashion. Loosely speaking, the generator is “seeded” with a value
(the key) of up to 256 bytes (2048 bits) long. If the key is shorter than 256
bytes, it is repeated to fill out the 256 bytes before use as a seed; this enables
variable-length keys. In the Xbox, the key is 16 bytes (128 bits) in length,
and thus the cipher is dubbed RC-4/128.