GSM network and its privacy
Thomas Stockinger

Overview
  Why privacy and security?
  GSM network's fundamentals
  Basic communication
  Authentication
  Key generation
  Encryption: The A5 algorithm
  Attacks
  Conclusion

Why?
  From technical point of view
    Electromagnetic waves as communication media
  From customer's point of view
    Privacy
    Cell phone cloning
  From operator's point of view
    Billing fraud
    Loss of customer faith
    m-commerce applications

The GSM network
  1982 – Start of design
    Groupe Spécial Mobile
  1991 – Commercial start
    Global System for Mobile Communication
  Worldwide system
  Digital
  Cellular
  Subscriber Identity Module (SIM)
  Flexible design (SMS, MMS, 2.5G, 3G, ...)

Security services
  Authentication
    Through challenge-response
  Identity protection
    Through temporary identification number
  User data protection
    Through encryption
  Signaling data protection
    Through encryption

GSM communication
[Figure: the Mobile Equipment with its SIM and the Base Station each run A3, A8 and A5 and hold KI (128 bit). Challenge RAND (128 bit) and Response SRES (32 bit), which is checked ("?"), are exchanged; both sides use KC (64 bit), and encrypted data crosses the radio interface "over-the-air".]

Algorithms

  Purpose          Algorithm   Variations
  Authentication   A3          COMP128 ...
  Key generation   A8          COMP128 ...
  Encryption       A5          A5/0 A5/1 A5/2 ...

  Optimized for hardware
  Never officially published ("security by obscurity")
  A3 / A8 may be chosen by operator
  COMP128 is assumed to be only a "proof of concept"

Authentication: A3
  Input: Random challenge RAND + Secret Key Ki
  Output: Signed response SRES
  Completely implemented in the SmartCard
    Ki never leaves the SIM
  COMP128 algorithm or variations
[Figure: A3 on the SIM takes RAND (128 bit) and Ki (128 bit) and outputs SRES (32 bit).]

Key generation: A8
  Same algorithm as A3
  Output: Cipher key Kc
  Only 56 bits of Kc are used
[Figure: A8 on the SIM takes RAND (128 bit) and Ki (128 bit) and outputs Kc (64 bit).]

Encryption: A5 stream cipher
  Input:
    228-bit data-frame every 4.6 ms
    Framecounter Fn
    Secret Key Kc produced by A8
  Clocked linear feedback shift registers (LFSRs) generate pseudo random bits PRAND
  Output: 114-bit ciphertext + 114-bit plaintext
  Same PRAND used for encoding and decoding
[Figure: A5. GEN takes Fn (22 bit) and Kc (64 bit) and produces PRAND (228 bit), which is XORed with the plaintext frame (114+114 bit) to give the ciphertext frame (114+114 bit).]
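
A5/1 scheme
[Figure: three shift registers R1 (bits 18..0; labels 8, 13, 16, 17), R2 (bits 21..0; labels 10, 20) and R3 (bits 22..0; labels 7, 10, 20, 21); lines C1, C2, C3 go to the Clocking Unit; the registers are combined into Output.]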

A5 sequence
  Zero registers
  64 cycles: Shift-in Kc
  22 cycles: Shift-in Fn
  100 cycles: Diffuse, with irregular clocking
  228 cycles: Generate output, with irregular clocking
  XOR PRAND and frame-data
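
The A5 sequence above applied to the A5/1 registers, as an added example that is not part of the original slides. Register lengths, feedback taps and clocking bits are the published A5/1 values; the LSB-first loading order of Kc and Fn, the function names and the sample key and frame are assumptions of this example.

```python
# A5/1 keystream generator following the "A5 sequence" steps (added example).
# Assumption: Kc and Fn are shifted in least-significant bit first.

REGS = (  # (length, feedback tap positions, clocking bit)
    (19, (13, 16, 17, 18), 8),   # R1
    (22, (20, 21), 10),          # R2
    (23, (7, 20, 21, 22), 10),   # R3
)

def _shift(state, length, taps):
    """Clock one LFSR: XOR the tap bits, shift left, insert the result at bit 0."""
    fb = sum((state >> t) & 1 for t in taps) & 1
    return ((state << 1) & ((1 << length) - 1)) | fb

def _clock(regs, irregular):
    """Clock every register, or only those whose clocking bit equals the majority."""
    cbits = [(s >> c) & 1 for s, (_, _, c) in zip(regs, REGS)]
    maj = 1 if sum(cbits) >= 2 else 0
    return [_shift(s, n, taps) if (not irregular or cb == maj) else s
            for s, cb, (n, taps, _) in zip(regs, cbits, REGS)]

def a51_keystream(kc: bytes, fn: int):
    """Return the 228 PRAND bits for a 64-bit Kc and a 22-bit frame counter Fn."""
    if len(kc) != 8 or not 0 <= fn < (1 << 22):
        raise ValueError("Kc must be 8 bytes and Fn must fit in 22 bits")
    regs = [0, 0, 0]                                  # zero registers
    key_bits = [(kc[i // 8] >> (i % 8)) & 1 for i in range(64)]
    frame_bits = [(fn >> i) & 1 for i in range(22)]
    for bit in key_bits + frame_bits:                 # 64 + 22 cycles, all clocked
        regs = [s ^ bit for s in _clock(regs, irregular=False)]
    for _ in range(100):                              # diffuse, output discarded
        regs = _clock(regs, irregular=True)
    prand = []
    for _ in range(228):                              # generate output
        regs = _clock(regs, irregular=True)
        prand.append(((regs[0] >> 18) ^ (regs[1] >> 21) ^ (regs[2] >> 22)) & 1)
    return prand

def xor_frame(bits, kc, fn):
    """Encrypt or decrypt one 228-bit frame; the same PRAND serves both directions."""
    if len(bits) != 228:
        raise ValueError("a frame is 228 bits")
    return [b ^ k for b, k in zip(bits, a51_keystream(kc, fn))]

if __name__ == "__main__":
    kc, frame = bytes.fromhex("1223456789abcdef"), [i % 2 for i in range(228)]  # constructed
    ct = xor_frame(frame, kc, 0x134)
    print("round trip ok:", xor_frame(ct, kc, 0x134) == frame)
```

An all-zero Kc with Fn = 0 leaves every register at zero, so the keystream is all zeros and the frame passes through unchanged.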
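
A5/2 scheme
[Figure: four shift registers R4 (bits 16..0; labels 3, 7, 10, 11), R1 (bits 18..0; labels 12, 13, 14, 15, 16, 17), R2 (bits 21..0; labels 9, 13, 16, 20) and R3 (bits 22..0; labels 7, 13, 16, 18, 20, 21), with three Majority blocks, a Clocking Unit and the Output.]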

Cryptanalytical attacks
  Algorithms kept secret
  After reverse-engineering, many attacks:
    Golic, 1997 (A5/1)
    Goldberg + Wagner, 1998 (COMP128)
    Goldberg + Wagner + Briceno, 1999 (A5/2)
    Biryukov + Shamir + Wagner, 2000 (A5/1)
    Biham + Dunkelman, 2000 (A5/1)
    Ekdahl + Johansson, 2002 (A5/1)
    Barkan + Biham + Keller, 2003 (A5/2)
  COMP128 and A5/2 completely broken
  A5/1 very weak

Attacks in real life
  Knowledge and hardware needed
  Only on short distances
  More effective ways:
    Wiretapping
    Eavesdropping
    Microphones with directional effect
    ...

Conclusion
  "Every chain is only as strong as its weakest link"
  Good design, bad implementation
  Tradeoff because of limited hardware capabilities
  Future networks will use stronger ciphers
    3G: A5/3 "Kasumi" = "Misty" block cipher
  Enough protection for everyday-users