GSM network and its privacy

GSM network and its privacy Thomas Stockinger


Page 1: GSM network and its privacy

GSM network and its privacy

Thomas Stockinger

Page 2: GSM network and its privacy

Overview
  Why privacy and security?
  GSM network's fundamentals
  Basic communication
  Authentication
  Key generation
  Encryption: The A5 algorithm
  Attacks
  Conclusion

Page 3: GSM network and its privacy

Why?
  From a technical point of view
    Electromagnetic waves as communication media
  From the customer's point of view
    Privacy
    Cell phone cloning
  From the operator's point of view
    Billing fraud
    Loss of customer faith
    m-commerce applications

Page 4: GSM network and its privacy

The GSM network
  1982 – Start of design
    Groupe Spécial Mobile
  1991 – Commercial start
    Global System for Mobile Communication
  Worldwide system
  Digital
  Cellular
  Subscriber Identity Module (SIM)
  Flexible design (SMS, MMS, 2.5G, 3G, ...)

Page 5: GSM network and its privacy
Page 6: GSM network and its privacy

Security services
  Authentication
    Through challenge-response
  Identity protection
    Through temporary identification number
  User data protection
    Through encryption
  Signaling data protection
    Through encryption

Page 7: GSM network and its privacy

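GSM communication

[Figure: Mobile Equipment (with SIM) and Base Station, connected over the radio interface („over-the-air“). Both sides hold Ki (128 bit) and run A3, A8 and A5. The challenge RAND (128 bit), the response SRES (32 bit) and the encrypted data cross the radio interface; each side derives Kc (64 bit).]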

Page 8: GSM network and its privacy

Algorithms

  Purpose          Algorithm   Variations
  Authentication   A3          COMP128 ...
  Key generation   A8          COMP128 ...
  Encryption       A5          A5/0 A5/1 A5/2 ...

  Optimized for hardware
  Never officially published („security by obscurity“)
  A3 / A8 may be chosen by the operator
  COMP128 is assumed to be only a „proof of concept“

Page 9: GSM network and its privacy

Authentication: A3
  Input: Random challenge RAND + Secret Key Ki
  Output: Signed response SRES
  Completely implemented in the SmartCard
    Ki never leaves the SIM
  COMP128 algorithm or variations

[Figure: inside the SIM, A3 takes RAND (128 bit) and Ki (128 bit) and outputs SRES (32 bit).]

Page 10: GSM network and its privacy

Key generation: A8
  Same algorithm as A3
  Output: Cipher key Kc
  Only 56 bits of Kc are used

[Figure: inside the SIM, A8 takes RAND (128 bit) and Ki (128 bit) and outputs Kc (64 bit).]

Page 11: GSM network and its privacy

Encryption: A5 stream cipher
  Input:
    228-bit data-frame every 4.6 ms
    Frame counter Fn
    Secret Key Kc produced by A8
  Clocked linear feedback shift registers (LFSRs) generate pseudo random bits PRAND
  Output: 114-bit ciphertext + 114-bit plaintext
  Same PRAND used for encoding and decoding

[Figure: A5 block diagram. GEN takes Kc (64 bit) and Fn (22 bit) and produces PRAND (228 bit), which is XORed with the plaintext frame (114+114 bit) to give the ciphertext frame (114+114 bit).]

Page 12: GSM network and its privacy

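A5/1 scheme

[Figure: three shift registers with labelled bit positions. R1: bits 18..0, labels 8, 13, 16, 17. R2: bits 21..0, labels 10, 20. R3: bits 22..0, labels 7, 10, 20, 21. Clock bits C1, C2, C3 feed the Clocking Unit; the registers combine into the Output.]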

Page 13: GSM network and its privacy

A5 sequence
  Zero registers
  64 cycles: Shift-in Kc
  22 cycles: Shift-in Fn
  100 cycles: Diffuse, with irregular clocking
  228 cycles: Generate output, with irregular clocking
  XOR PRAND and frame-data
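
The A5 sequence above applied to the A5/1 registers, as an added Python example that is not part of the original slides. Tap and clock-bit positions are the ones labelled in the A5/1 scheme figure; loading Kc least-significant bit first within each byte and the names a51_keystream and xor_frame are assumptions of this example.

```python
# Added example, not code from the original slides.
# Assumption: Kc bits are loaded least-significant bit first within each byte.

# (length, feedback taps, clocking bit) for R1, R2, R3, as labelled in the figure
REGS = ((19, (13, 16, 17, 18), 8),
        (22, (20, 21), 10),
        (23, (7, 20, 21, 22), 10))


def _step(state, idx):
    """Shift register idx one position, feeding back the XOR of its taps."""
    length, taps, _ = REGS[idx]
    fb = 0
    for t in taps:
        fb ^= (state >> t) & 1
    return ((state << 1) & ((1 << length) - 1)) | fb


def _clock(regs, irregular):
    """Clock all registers, or only those agreeing with the majority bit."""
    bits = [(r >> REGS[i][2]) & 1 for i, r in enumerate(regs)]
    maj = 1 if sum(bits) >= 2 else 0
    return [_step(r, i) if (not irregular or bits[i] == maj) else r
            for i, r in enumerate(regs)]


def a51_keystream(kc, fn):
    """Return the 228 PRAND bits for one frame (Kc: 8 bytes, Fn: 22 bit)."""
    if len(kc) != 8 or not 0 <= fn < (1 << 22):
        raise ValueError("Kc must be 8 bytes and Fn must fit in 22 bits")
    regs = [0, 0, 0]                              # zero registers
    for i in range(64):                           # 64 cycles: shift in Kc
        bit = (kc[i // 8] >> (i & 7)) & 1
        regs = [r ^ bit for r in _clock(regs, False)]
    for i in range(22):                           # 22 cycles: shift in Fn
        bit = (fn >> i) & 1
        regs = [r ^ bit for r in _clock(regs, False)]
    for _ in range(100):                          # 100 cycles: diffuse
        regs = _clock(regs, True)
    out = []
    for _ in range(228):                          # 228 cycles: generate output
        regs = _clock(regs, True)
        out.append((regs[0] >> 18 ^ regs[1] >> 21 ^ regs[2] >> 22) & 1)
    return out


def xor_frame(frame_bits, kc, fn):
    """Encrypt or decrypt a 228-bit frame: the same PRAND serves both."""
    return [b ^ k for b, k in zip(frame_bits, a51_keystream(kc, fn))]
```

With an all-zero Kc and Fn the registers never leave the zero state, so PRAND is all zeros and the frame passes through unchanged.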

Page 14: GSM network and its privacy

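A5/2 scheme

[Figure: four shift registers with labelled bit positions. R4: bits 16..0, labels 3, 7, 10, 11. R1: bits 18..0, labels 12, 13, 14, 15, 16, 17. R2: bits 21..0, labels 9, 13, 16, 20. R3: bits 22..0, labels 7, 13, 16, 18, 20, 21. Three Majority blocks and the Clocking Unit lead to the Output.]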

Page 15: GSM network and its privacy

Cryptanalytical attacks
  Algorithms kept secret
  After reverse-engineering, many attacks:
    Golic, 1997 (A5/1)
    Goldberg + Wagner, 1998 (COMP128)
    Goldberg + Wagner + Briceno, 1999 (A5/2)
    Biryukov + Shamir + Wagner, 2000 (A5/1)
    Biham + Dunkelman, 2000 (A5/1)
    Ekdahl + Johansson, 2002 (A5/1)
    Barkan + Biham + Keller, 2003 (A5/2)
  COMP128 and A5/2 completely broken
  A5/1 very weak

Page 16: GSM network and its privacy

Attacks in real life
  Knowledge and hardware needed
  Only on short distances
  More effective ways:
    Wiretapping
    Eavesdropping
    Microphones with directional effect
    ...

Page 17: GSM network and its privacy

Conclusion
  „Every chain is only as strong as its weakest link“
  Good design, bad implementation
  Tradeoff because of limited hardware capabilities
  Future networks will use stronger ciphers
    3G: A5/3 „Kasumi“ = „Misty“ block cipher
  Enough protection for everyday-users

Page 18: GSM network and its privacy

Thank you!

Questions?

www.nop.at