This paper analyses the cryptography used in the Open Smart Grid Protocol
(OSGP). The authenticated encryption (AE) scheme deployed by OSGP is a
non-standard composition of RC4 and a home-brewed MAC, the ``OMA digest''.
We present several practical key-recovery attacks against the OMA digest. The
first and basic variant can achieve this with a mere $13$ queries to an OMA
digest oracle and negligible time complexity. A more sophisticated version
breaks the OMA digest with only $4$ queries and a time complexity of about
$2^{25}$ simple operations. A different approach only requires one arbitrary
valid plaintext-tag pair, and recovers the key in an average of $144$
\emph{message verification} queries, or one ciphertext-tag pair and $168$
\emph{ciphertext verification} queries.
Since the encryption key is derived from the key used by the OMA digest, our
attacks break both confidentiality and authenticity of OSGP.
↧