Transcript The corresponding presentation - Thomas Stockinger
Slide 1
GSM network and its privacy
Thomas Stockinger
Overview
Why privacy and security?
GSM network’s fundamentals
Basic communication
Authentication
Key generation
Encryption: The A5 algorithm
Attacks
Conclusion
Why?
From a technical point of view
Electromagnetic waves as communication media
From the customer’s point of view
Privacy
Cell phone cloning
From the operator’s point of view
Billing fraud
Loss of customer faith
m-commerce applications
The GSM network
1982 – Start of design
1991 – Commercial start
Groupe Spécial Mobile
Global System for Mobile Communication
Worldwide system
Digital
Cellular
Subscriber Identity Module (SIM)
Flexible design (SMS, MMS, 2.5G, 3G, ...)
Security services
Authentication
Through challenge-response
Identity protection
Through temporary identification number
User data protection
Through encryption
Signaling data protection
Through encryption
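GSM communication
[Diagram: Mobile Equipment (with SIM) and Base Station, connected by the Radio Interface („over-the-air“). Both sides hold KI (128 bit). The Challenge RAND (128 bit) is fed to A3 on both sides; the Response SRES (32 bit) is compared („?“) with the result of A3 at the Base Station. A8 on both sides produces KC (64 bit), which A5 uses on both sides for the encrypted data.]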
Algorithms
Purpose | Algorithm | Variations
Authentication | A3 | COMP128 ...
Key generation | A8 | COMP128 ...
Encryption | A5 | A5/0 A5/1 A5/2 ...
Optimized for hardware
Never officially published („security by obscurity“)
A3 / A8 may be chosen by operator
COMP128 is assumed to be only a „proof of concept“
Authentication: A3
Input: Random challenge RAND + Secret Key Ki
Output: Signed response SRES
Completely implemented in the SmartCard
Ki never leaves the SIM
COMP128 algorithm or variations
[Diagram: inside the SIM, A3 takes RAND (128 bit) and Ki (128 bit) and outputs SRES (32 bit).]
Key generation: A8
Same algorithm as A3
Output: Cipher key Kc
Only 56 bits of Kc are used
[Diagram: inside the SIM, A8 takes RAND (128 bit) and Ki (128 bit) and outputs Kc (64 bit).]
Encryption: A5 stream cipher
Clocked linear feedback shift registers (LFSRs) generate pseudo-random bits PRAND
228-bit data-frame every 4.6 ms
Input:
Framecounter Fn
Secret Key Kc produced by A8
Output:
114-bit ciphertext + 114-bit plaintext
Same PRAND used for encoding and decoding
[Diagram: A5. GEN takes Fn (22 bit) and Kc (64 bit) and produces PRAND (228 bit); the plaintext frame (114 + 114 bit) is XORed with PRAND to give the ciphertext frame (114 + 114 bit).]
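A5/1 scheme
[Diagram: three LFSRs driven by a Clocking Unit and combined into the Output. R1: bits 0 to 18, clocking bit C1 at position 8, taps 13, 16, 17, 18. R2: bits 0 to 21, clocking bit C2 at position 10, taps 20, 21. R3: bits 0 to 22, clocking bit C3 at position 10, taps 7, 20, 21, 22.]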
A5 sequence
Zero registers
64 cycles: Shift-in Kc
22 cycles: Shift-in Fn
100 cycles: Diffuse, with irregular clocking
228 cycles: Generate output, with irregular clocking
XOR PRAND and frame-data
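The A5 sequence above, carried through in code as an added example that is not part of the original slides: a Python implementation of A5/1 keystream generation using the register lengths, taps and clocking bits from the A5/1 scheme slide. The least-significant-bit-first loading order of Kc and Fn, the sample key, the sample frame number and the frame contents are assumptions constructed for illustration.

```python
"""A5/1 keystream (PRAND) generation following the slide's "A5 sequence".

Added example, not code from the presentation. Register layout as on the
A5/1 scheme slide; the bit order used when loading Kc and Fn is an assumption.
"""

# (register length, feedback taps, clocking bit) for R1, R2, R3
REGS = (
    (19, (13, 16, 17, 18), 8),    # R1, clocking bit C1
    (22, (20, 21), 10),           # R2, clocking bit C2
    (23, (7, 20, 21, 22), 10),    # R3, clocking bit C3
)

KC = bytes.fromhex("0123456789abcdef")   # constructed sample key
FN = 0x134                               # constructed sample frame number


def shift(reg, length, taps):
    """Clock one LFSR: XOR the tap bits and shift the result in at bit 0."""
    fb = 0
    for t in taps:
        fb ^= (reg >> t) & 1
    return ((reg << 1) & ((1 << length) - 1)) | fb


def clock_all(state):
    """Regular clocking: every register moves (used while loading Kc and Fn)."""
    return [shift(r, n, taps) for r, (n, taps, _) in zip(state, REGS)]


def clock_majority(state):
    """Irregular clocking: a register moves only if its clocking bit
    agrees with the majority of the three clocking bits."""
    cbits = [(r >> c) & 1 for r, (_, _, c) in zip(state, REGS)]
    maj = 1 if sum(cbits) >= 2 else 0
    return [
        shift(r, n, taps) if b == maj else r
        for r, b, (n, taps, _) in zip(state, cbits, REGS)
    ]


def a51_keystream(kc, fn):
    """Return the 228 PRAND bits for one frame as a list of 0/1 values."""
    if len(kc) != 8:
        raise ValueError("Kc must be 64 bits (8 bytes)")
    if not 0 <= fn < (1 << 22):
        raise ValueError("Fn must fit in 22 bits")
    state = [0, 0, 0]                                    # zero registers
    key_bits = [(kc[i // 8] >> (i % 8)) & 1 for i in range(64)]
    frame_bits = [(fn >> i) & 1 for i in range(22)]
    for bit in key_bits + frame_bits:                    # 64 + 22 cycles: shift in
        state = [r ^ bit for r in clock_all(state)]
    for _ in range(100):                                 # 100 cycles: diffuse
        state = clock_majority(state)
    out = []
    for _ in range(228):                                 # 228 cycles: output
        state = clock_majority(state)
        out.append(((state[0] >> 18) ^ (state[1] >> 21) ^ (state[2] >> 22)) & 1)
    return out


def xor_bits(data, prand):
    """XOR PRAND and frame data; the same call encrypts and decrypts."""
    return [d ^ p for d, p in zip(data, prand)]


def demo():
    """Check the properties the slides rely on, using constructed frames."""
    prand = a51_keystream(KC, FN)
    half = prand[:114]                            # one 114-bit half of PRAND
    p1 = [(i // 3) % 2 for i in range(114)]       # constructed plaintext 1
    p2 = [(i // 5) % 2 for i in range(114)]       # constructed plaintext 2
    c1, c2 = xor_bits(p1, half), xor_bits(p2, half)
    return {
        # same PRAND decodes what it encoded
        "round_trip": xor_bits(c1, half) == p1,
        # the frame counter is what keeps PRAND from repeating under one Kc
        "fn_changes_prand": a51_keystream(KC, FN + 1) != prand,
        # if (Kc, Fn) ever repeated, ciphertexts would reveal p1 XOR p2
        "reuse_leaks_xor": xor_bits(c1, c2) == xor_bits(p1, p2),
    }


if __name__ == "__main__":
    print(demo())
```

An all-zero Kc with Fn = 0 leaves all three registers at zero, so PRAND is all zeros and the frame is sent unchanged.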
A5/2 scheme
[Diagram: four LFSRs R1 to R4. Majority functions on R1, R2 and R3 feed the Output; R4 drives the Clocking Unit.]
Cryptanalytical attacks
Algorithms kept secret
After reverse-engineering, many attacks:
Golic, 1997 (A5/1)
Goldberg + Wagner, 1998 (COMP128)
Goldberg + Wagner + Briceno, 1999 (A5/2)
Biryukov + Shamir + Wagner, 2000 (A5/1)
Biham + Dunkelman, 2000 (A5/1)
Ekdahl + Johansson, 2002 (A5/1)
Barkan + Biham + Keller, 2003 (A5/2)
COMP128 and A5/2 completely broken
A5/1 very weak
Attacks in real life
Knowledge and hardware needed
Only on short distances
More effective ways:
Wiretapping
Eavesdropping
Microphones with directional effect
...
Conclusion
„Every chain is only as strong as its weakest link“
Good design, bad implementation
Tradeoff because of limited hardware capabilities
Future networks will use stronger ciphers
3G: A5/3 „Kasumi“ = „Misty“ block cipher
Enough protection for everyday-users
Thank you!
Questions?
http://www.nop.at
Slide 2
GSM network and its privacy
Thomas Stockinger
Overview
Why privacy and security?
GSM network‘s fundamentals
Basic communication
Authentication
Key generation
Encryption: The A5 algorithm
Attacks
Conclusion
Why?
From technical point of view
From customer’s point of view
Electromagnetic waves as communication media
Privacy
Cell phone cloning
From operator’s point of view
Billing fraud
Loss of customer faith
m-commerce applications
The GSM network
1982 – Start of design
1991 – Commerical start
Group Spécial Mobile
Global System for Mobile Communication
Worldwide system
Digital
Cellular
Subscriber Identity Module (SIM)
Flexible design (SMS, MMS, 2.5G, 3G, ...)
Security services
Authentication
Identity protection
Through temporary identification number
User data protection
Through challenge-response
Through encryption
Signaling data protection
Through encryption
GSM communication
Mobile Equipment
Radio Interface
„over-the-air“
KI (128 bit)
Challenge RAND (128bit)
A3
Response SRES (32 bit)
Base Station
KI (128 bit)
A3
?
A8
A8
SIM
KC (64 bit)
KC(64 bit)
Encrypted data
A5
A5
Algorithms
Purpose
Algorithm
Variations
Authentication
A3
COMP128 ...
Key generation
A8
COMP128 ...
Encryption
A5
A5/0 A5/1 A5/2 ...
Optimized for hardware
Never officially published („security by obscurity“)
A3 / A8 may be choosen by operator
COMP128 is assumed to be only a „proof of concept“
Authentication: A3
Input: Random challenge RAND + Secret Key Ki
Output: Signed response SRES
Completely implemented in the SmartCard
Ki never leaves the SIM
COMP128 algorithm or variations
SIM
RAND (128 bit)
Ki (128 bit)
A3
SRES (32 bit)
Key generation: A8
Same algorithm as A3
Output: Cipher key Kc
Only 56 bits of Kc are used
SIM
RAND (128 bit)
Ki (128 bit)
A8
Kc (64 bit)
Encryption: A5 stream cipher
Input:
Clocked linear feedback shift registers (LFSRs) generate pseudo
random bits PRAND
Output:
228-bit data-frame every 4.6 ms
Framecounter Fn
Secret Key Kc produced by A8
114-bit ciphertext + 114-bit plaintext
Same PRAND used for encoding and decoding
A5
F ra m e (11 4 + 11 4 b it)
p la in text
XOR
PR AND
(22 8 b it)
F n (2 2 bit)
K c (6 4 bit)
GEN
F ra m e (11 4 + 11 4 b it)
cip h e rte xt
A5/1 scheme
R1 0
8
C1
13
16 17 18
Clocking Unit
R2 0
R3 0
7
10
C2
20 21
10
C3
20 21 22
Output
A5 sequence
Zero registers
64 cycles: Shift-in Kc
22 cycles: Shift-in Fn
100 cycles: Diffuse, with irregular clocking
228 cycles: Generate output, with irregular
clocking
XOR PRAND and frame-data
A5/2 scheme
Majority
R1 0
12 13 14 15 16 17 18
Majority
R2 0
9
13
16
Output
20 21
Majority
R3 0
7
13
16
Clocking Unit
R4 0
3
7
10 11
16
18
20 21 22
Cryptanalytical attacks
Algorithms kept secret
After reverse-engineering, many attacks:
Golic, 1997 (A5/1)
Goldberg + Wagner, 1998 (COMP128)
Goldberg + Wagner + Briceno, 1999 (A5/2)
Biryukov+ Shamir + Wagner, 2000 (A5/1)
Biham + Dunkelman, 2000 (A5/1)
Ekdahl + Johansson, 2002 (A5/1)
Barkan + Biham + Keller, 2003 (A5/2)
COMP128 and A5/2 completely broken
A5/1 very weak
Attacks in real life
Knowledge and hardware needed
Only on short distances
More effective ways:
Wiretapping
Eavesdropping
Microphones with directional effect
...
Conclusion
„Every chain is only as strong as its weakest link“
Good design, bad implementation
Tradeoff because of limited hardware capabilities
Future networks will use stronger ciphers
3G: A5/3 „Kasumi“ = „Misty“ block cipher
Enough protection for everyday-users
Thank you!
Questions?
[email protected]
http://www.nop.at
Slide 3
GSM network and its privacy
Thomas Stockinger
Overview
Why privacy and security?
GSM network‘s fundamentals
Basic communication
Authentication
Key generation
Encryption: The A5 algorithm
Attacks
Conclusion
Why?
From technical point of view
From customer’s point of view
Electromagnetic waves as communication media
Privacy
Cell phone cloning
From operator’s point of view
Billing fraud
Loss of customer faith
m-commerce applications
The GSM network
1982 – Start of design
1991 – Commerical start
Group Spécial Mobile
Global System for Mobile Communication
Worldwide system
Digital
Cellular
Subscriber Identity Module (SIM)
Flexible design (SMS, MMS, 2.5G, 3G, ...)
Security services
Authentication
Identity protection
Through temporary identification number
User data protection
Through challenge-response
Through encryption
Signaling data protection
Through encryption
GSM communication
Mobile Equipment
Radio Interface
„over-the-air“
KI (128 bit)
Challenge RAND (128bit)
A3
Response SRES (32 bit)
Base Station
KI (128 bit)
A3
?
A8
A8
SIM
KC (64 bit)
KC(64 bit)
Encrypted data
A5
A5
Algorithms
Purpose
Algorithm
Variations
Authentication
A3
COMP128 ...
Key generation
A8
COMP128 ...
Encryption
A5
A5/0 A5/1 A5/2 ...
Optimized for hardware
Never officially published („security by obscurity“)
A3 / A8 may be choosen by operator
COMP128 is assumed to be only a „proof of concept“
Authentication: A3
Input: Random challenge RAND + Secret Key Ki
Output: Signed response SRES
Completely implemented in the SmartCard
Ki never leaves the SIM
COMP128 algorithm or variations
SIM
RAND (128 bit)
Ki (128 bit)
A3
SRES (32 bit)
Key generation: A8
Same algorithm as A3
Output: Cipher key Kc
Only 56 bits of Kc are used
SIM
RAND (128 bit)
Ki (128 bit)
A8
Kc (64 bit)
Encryption: A5 stream cipher
Input:
Clocked linear feedback shift registers (LFSRs) generate pseudo
random bits PRAND
Output:
228-bit data-frame every 4.6 ms
Framecounter Fn
Secret Key Kc produced by A8
114-bit ciphertext + 114-bit plaintext
Same PRAND used for encoding and decoding
A5
F ra m e (11 4 + 11 4 b it)
p la in text
XOR
PR AND
(22 8 b it)
F n (2 2 bit)
K c (6 4 bit)
GEN
F ra m e (11 4 + 11 4 b it)
cip h e rte xt
A5/1 scheme
R1 0
8
C1
13
16 17 18
Clocking Unit
R2 0
R3 0
7
10
C2
20 21
10
C3
20 21 22
Output
A5 sequence
Zero registers
64 cycles: Shift-in Kc
22 cycles: Shift-in Fn
100 cycles: Diffuse, with irregular clocking
228 cycles: Generate output, with irregular
clocking
XOR PRAND and frame-data
A5/2 scheme
Majority
R1 0
12 13 14 15 16 17 18
Majority
R2 0
9
13
16
Output
20 21
Majority
R3 0
7
13
16
Clocking Unit
R4 0
3
7
10 11
16
18
20 21 22
Cryptanalytical attacks
Algorithms kept secret
After reverse-engineering, many attacks:
Golic, 1997 (A5/1)
Goldberg + Wagner, 1998 (COMP128)
Goldberg + Wagner + Briceno, 1999 (A5/2)
Biryukov+ Shamir + Wagner, 2000 (A5/1)
Biham + Dunkelman, 2000 (A5/1)
Ekdahl + Johansson, 2002 (A5/1)
Barkan + Biham + Keller, 2003 (A5/2)
COMP128 and A5/2 completely broken
A5/1 very weak
Attacks in real life
Knowledge and hardware needed
Only on short distances
More effective ways:
Wiretapping
Eavesdropping
Microphones with directional effect
...
Conclusion
„Every chain is only as strong as its weakest link“
Good design, bad implementation
Tradeoff because of limited hardware capabilities
Future networks will use stronger ciphers
3G: A5/3 „Kasumi“ = „Misty“ block cipher
Enough protection for everyday-users
Thank you!
Questions?
[email protected]
http://www.nop.at
Slide 4
GSM network and its privacy
Thomas Stockinger
Overview
Why privacy and security?
GSM network‘s fundamentals
Basic communication
Authentication
Key generation
Encryption: The A5 algorithm
Attacks
Conclusion
Why?
From technical point of view
From customer’s point of view
Electromagnetic waves as communication media
Privacy
Cell phone cloning
From operator’s point of view
Billing fraud
Loss of customer faith
m-commerce applications
The GSM network
1982 – Start of design
1991 – Commerical start
Group Spécial Mobile
Global System for Mobile Communication
Worldwide system
Digital
Cellular
Subscriber Identity Module (SIM)
Flexible design (SMS, MMS, 2.5G, 3G, ...)
Security services
Authentication
Identity protection
Through temporary identification number
User data protection
Through challenge-response
Through encryption
Signaling data protection
Through encryption
GSM communication
Mobile Equipment
Radio Interface
„over-the-air“
KI (128 bit)
Challenge RAND (128bit)
A3
Response SRES (32 bit)
Base Station
KI (128 bit)
A3
?
A8
A8
SIM
KC (64 bit)
KC(64 bit)
Encrypted data
A5
A5
Algorithms
Purpose
Algorithm
Variations
Authentication
A3
COMP128 ...
Key generation
A8
COMP128 ...
Encryption
A5
A5/0 A5/1 A5/2 ...
Optimized for hardware
Never officially published („security by obscurity“)
A3 / A8 may be choosen by operator
COMP128 is assumed to be only a „proof of concept“
Authentication: A3
Input: Random challenge RAND + Secret Key Ki
Output: Signed response SRES
Completely implemented in the SmartCard
Ki never leaves the SIM
COMP128 algorithm or variations
SIM
RAND (128 bit)
Ki (128 bit)
A3
SRES (32 bit)
Key generation: A8
Same algorithm as A3
Output: Cipher key Kc
Only 56 bits of Kc are used
SIM
RAND (128 bit)
Ki (128 bit)
A8
Kc (64 bit)
Encryption: A5 stream cipher
Input:
Clocked linear feedback shift registers (LFSRs) generate pseudo
random bits PRAND
Output:
228-bit data-frame every 4.6 ms
Framecounter Fn
Secret Key Kc produced by A8
114-bit ciphertext + 114-bit plaintext
Same PRAND used for encoding and decoding
A5
F ra m e (11 4 + 11 4 b it)
p la in text
XOR
PR AND
(22 8 b it)
F n (2 2 bit)
K c (6 4 bit)
GEN
F ra m e (11 4 + 11 4 b it)
cip h e rte xt
A5/1 scheme
R1 0
8
C1
13
16 17 18
Clocking Unit
R2 0
R3 0
7
10
C2
20 21
10
C3
20 21 22
Output
A5 sequence
Zero registers
64 cycles: Shift-in Kc
22 cycles: Shift-in Fn
100 cycles: Diffuse, with irregular clocking
228 cycles: Generate output, with irregular
clocking
XOR PRAND and frame-data
A5/2 scheme
Majority
R1 0
12 13 14 15 16 17 18
Majority
R2 0
9
13
16
Output
20 21
Majority
R3 0
7
13
16
Clocking Unit
R4 0
3
7
10 11
16
18
20 21 22
Cryptanalytical attacks
Algorithms kept secret
After reverse-engineering, many attacks:
Golic, 1997 (A5/1)
Goldberg + Wagner, 1998 (COMP128)
Goldberg + Wagner + Briceno, 1999 (A5/2)
Biryukov+ Shamir + Wagner, 2000 (A5/1)
Biham + Dunkelman, 2000 (A5/1)
Ekdahl + Johansson, 2002 (A5/1)
Barkan + Biham + Keller, 2003 (A5/2)
COMP128 and A5/2 completely broken
A5/1 very weak
Attacks in real life
Knowledge and hardware needed
Only on short distances
More effective ways:
Wiretapping
Eavesdropping
Microphones with directional effect
...
Conclusion
„Every chain is only as strong as its weakest link“
Good design, bad implementation
Tradeoff because of limited hardware capabilities
Future networks will use stronger ciphers
3G: A5/3 „Kasumi“ = „Misty“ block cipher
Enough protection for everyday-users
Thank you!
Questions?
[email protected]
http://www.nop.at
Slide 5
GSM network and its privacy
Thomas Stockinger
Overview
Why privacy and security?
GSM network‘s fundamentals
Basic communication
Authentication
Key generation
Encryption: The A5 algorithm
Attacks
Conclusion
Why?
From technical point of view
From customer’s point of view
Electromagnetic waves as communication media
Privacy
Cell phone cloning
From operator’s point of view
Billing fraud
Loss of customer faith
m-commerce applications
The GSM network
1982 – Start of design
1991 – Commerical start
Group Spécial Mobile
Global System for Mobile Communication
Worldwide system
Digital
Cellular
Subscriber Identity Module (SIM)
Flexible design (SMS, MMS, 2.5G, 3G, ...)
Security services
Authentication
Identity protection
Through temporary identification number
User data protection
Through challenge-response
Through encryption
Signaling data protection
Through encryption
GSM communication
Mobile Equipment
Radio Interface
„over-the-air“
KI (128 bit)
Challenge RAND (128bit)
A3
Response SRES (32 bit)
Base Station
KI (128 bit)
A3
?
A8
A8
SIM
KC (64 bit)
KC(64 bit)
Encrypted data
A5
A5
Algorithms
Purpose
Algorithm
Variations
Authentication
A3
COMP128 ...
Key generation
A8
COMP128 ...
Encryption
A5
A5/0 A5/1 A5/2 ...
Optimized for hardware
Never officially published („security by obscurity“)
A3 / A8 may be choosen by operator
COMP128 is assumed to be only a „proof of concept“
Authentication: A3
Input: Random challenge RAND + Secret Key Ki
Output: Signed response SRES
Completely implemented in the SmartCard
Ki never leaves the SIM
COMP128 algorithm or variations
SIM
RAND (128 bit)
Ki (128 bit)
A3
SRES (32 bit)
Key generation: A8
Same algorithm as A3
Output: Cipher key Kc
Only 56 bits of Kc are used
SIM
RAND (128 bit)
Ki (128 bit)
A8
Kc (64 bit)
Encryption: A5 stream cipher
Input:
Clocked linear feedback shift registers (LFSRs) generate pseudo
random bits PRAND
Output:
228-bit data-frame every 4.6 ms
Framecounter Fn
Secret Key Kc produced by A8
114-bit ciphertext + 114-bit plaintext
Same PRAND used for encoding and decoding
A5
F ra m e (11 4 + 11 4 b it)
p la in text
XOR
PR AND
(22 8 b it)
F n (2 2 bit)
K c (6 4 bit)
GEN
F ra m e (11 4 + 11 4 b it)
cip h e rte xt
A5/1 scheme
R1 0
8
C1
13
16 17 18
Clocking Unit
R2 0
R3 0
7
10
C2
20 21
10
C3
20 21 22
Output
A5 sequence
Zero registers
64 cycles: Shift-in Kc
22 cycles: Shift-in Fn
100 cycles: Diffuse, with irregular clocking
228 cycles: Generate output, with irregular
clocking
XOR PRAND and frame-data
A5/2 scheme
Majority
R1 0
12 13 14 15 16 17 18
Majority
R2 0
9
13
16
Output
20 21
Majority
R3 0
7
13
16
Clocking Unit
R4 0
3
7
10 11
16
18
20 21 22
Cryptanalytical attacks
Algorithms kept secret
After reverse-engineering, many attacks:
Golic, 1997 (A5/1)
Goldberg + Wagner, 1998 (COMP128)
Goldberg + Wagner + Briceno, 1999 (A5/2)
Biryukov+ Shamir + Wagner, 2000 (A5/1)
Biham + Dunkelman, 2000 (A5/1)
Ekdahl + Johansson, 2002 (A5/1)
Barkan + Biham + Keller, 2003 (A5/2)
COMP128 and A5/2 completely broken
A5/1 very weak
Attacks in real life
Knowledge and hardware needed
Only on short distances
More effective ways:
Wiretapping
Eavesdropping
Microphones with directional effect
...
Conclusion
„Every chain is only as strong as its weakest link“
Good design, bad implementation
Tradeoff because of limited hardware capabilities
Future networks will use stronger ciphers
3G: A5/3 „Kasumi“ = „Misty“ block cipher
Enough protection for everyday-users
Thank you!
Questions?
[email protected]
http://www.nop.at
Slide 6
GSM network and its privacy
Thomas Stockinger
Overview
Why privacy and security?
GSM network‘s fundamentals
Basic communication
Authentication
Key generation
Encryption: The A5 algorithm
Attacks
Conclusion
Why?
From technical point of view
From customer’s point of view
Electromagnetic waves as communication media
Privacy
Cell phone cloning
From operator’s point of view
Billing fraud
Loss of customer faith
m-commerce applications
The GSM network
1982 – Start of design
1991 – Commerical start
Group Spécial Mobile
Global System for Mobile Communication
Worldwide system
Digital
Cellular
Subscriber Identity Module (SIM)
Flexible design (SMS, MMS, 2.5G, 3G, ...)
Security services
Authentication
Identity protection
Through temporary identification number
User data protection
Through challenge-response
Through encryption
Signaling data protection
Through encryption
GSM communication
Mobile Equipment
Radio Interface
„over-the-air“
KI (128 bit)
Challenge RAND (128bit)
A3
Response SRES (32 bit)
Base Station
KI (128 bit)
A3
?
A8
A8
SIM
KC (64 bit)
KC(64 bit)
Encrypted data
A5
A5
Algorithms
Purpose
Algorithm
Variations
Authentication
A3
COMP128 ...
Key generation
A8
COMP128 ...
Encryption
A5
A5/0 A5/1 A5/2 ...
Optimized for hardware
Never officially published („security by obscurity“)
A3 / A8 may be choosen by operator
COMP128 is assumed to be only a „proof of concept“
Authentication: A3
Input: Random challenge RAND + Secret Key Ki
Output: Signed response SRES
Completely implemented in the SmartCard
Ki never leaves the SIM
COMP128 algorithm or variations
SIM
RAND (128 bit)
Ki (128 bit)
A3
SRES (32 bit)
Key generation: A8
Same algorithm as A3
Output: Cipher key Kc
Only 56 bits of Kc are used
SIM
RAND (128 bit)
Ki (128 bit)
A8
Kc (64 bit)
Encryption: A5 stream cipher
Input:
Clocked linear feedback shift registers (LFSRs) generate pseudo
random bits PRAND
Output:
228-bit data-frame every 4.6 ms
Framecounter Fn
Secret Key Kc produced by A8
114-bit ciphertext + 114-bit plaintext
Same PRAND used for encoding and decoding
A5
F ra m e (11 4 + 11 4 b it)
p la in text
XOR
PR AND
(22 8 b it)
F n (2 2 bit)
K c (6 4 bit)
GEN
F ra m e (11 4 + 11 4 b it)
cip h e rte xt
A5/1 scheme
R1 0
8
C1
13
16 17 18
Clocking Unit
R2 0
R3 0
7
10
C2
20 21
10
C3
20 21 22
Output
A5 sequence
Zero registers
64 cycles: Shift-in Kc
22 cycles: Shift-in Fn
100 cycles: Diffuse, with irregular clocking
228 cycles: Generate output, with irregular
clocking
XOR PRAND and frame-data
A5/2 scheme
Majority
R1 0
12 13 14 15 16 17 18
Majority
R2 0
9
13
16
Output
20 21
Majority
R3 0
7
13
16
Clocking Unit
R4 0
3
7
10 11
16
18
20 21 22
Cryptanalytical attacks
Algorithms kept secret
After reverse-engineering, many attacks:
Golic, 1997 (A5/1)
Goldberg + Wagner, 1998 (COMP128)
Goldberg + Wagner + Briceno, 1999 (A5/2)
Biryukov+ Shamir + Wagner, 2000 (A5/1)
Biham + Dunkelman, 2000 (A5/1)
Ekdahl + Johansson, 2002 (A5/1)
Barkan + Biham + Keller, 2003 (A5/2)
COMP128 and A5/2 completely broken
A5/1 very weak
Attacks in real life
Knowledge and hardware needed
Only on short distances
More effective ways:
Wiretapping
Eavesdropping
Microphones with directional effect
...
Conclusion
„Every chain is only as strong as its weakest link“
Good design, bad implementation
Tradeoff because of limited hardware capabilities
Future networks will use stronger ciphers
3G: A5/3 „Kasumi“ = „Misty“ block cipher
Enough protection for everyday-users
Thank you!
Questions?
[email protected]
http://www.nop.at
Slide 7
GSM network and its privacy
Thomas Stockinger
Overview
Why privacy and security?
GSM network‘s fundamentals
Basic communication
Authentication
Key generation
Encryption: The A5 algorithm
Attacks
Conclusion
Why?
From technical point of view
From customer’s point of view
Electromagnetic waves as communication media
Privacy
Cell phone cloning
From operator’s point of view
Billing fraud
Loss of customer faith
m-commerce applications
The GSM network
1982 – Start of design
1991 – Commerical start
Group Spécial Mobile
Global System for Mobile Communication
Worldwide system
Digital
Cellular
Subscriber Identity Module (SIM)
Flexible design (SMS, MMS, 2.5G, 3G, ...)
Security services
Authentication
Identity protection
Through temporary identification number
User data protection
Through challenge-response
Through encryption
Signaling data protection
Through encryption
GSM communication
Mobile Equipment
Radio Interface
„over-the-air“
KI (128 bit)
Challenge RAND (128bit)
A3
Response SRES (32 bit)
Base Station
KI (128 bit)
A3
?
A8
A8
SIM
KC (64 bit)
KC(64 bit)
Encrypted data
A5
A5
Algorithms
Purpose
Algorithm
Variations
Authentication
A3
COMP128 ...
Key generation
A8
COMP128 ...
Encryption
A5
A5/0 A5/1 A5/2 ...
Optimized for hardware
Never officially published („security by obscurity“)
A3 / A8 may be choosen by operator
COMP128 is assumed to be only a „proof of concept“
Authentication: A3
Input: Random challenge RAND + Secret Key Ki
Output: Signed response SRES
Completely implemented in the SmartCard
Ki never leaves the SIM
COMP128 algorithm or variations
SIM
RAND (128 bit)
Ki (128 bit)
A3
SRES (32 bit)
Key generation: A8
Same algorithm as A3
Output: Cipher key Kc
Only 56 bits of Kc are used
SIM
RAND (128 bit)
Ki (128 bit)
A8
Kc (64 bit)
Encryption: A5 stream cipher
Input:
Clocked linear feedback shift registers (LFSRs) generate pseudo
random bits PRAND
Output:
228-bit data-frame every 4.6 ms
Framecounter Fn
Secret Key Kc produced by A8
114-bit ciphertext + 114-bit plaintext
Same PRAND used for encoding and decoding
A5
F ra m e (11 4 + 11 4 b it)
p la in text
XOR
PR AND
(22 8 b it)
F n (2 2 bit)
K c (6 4 bit)
GEN
F ra m e (11 4 + 11 4 b it)
cip h e rte xt
A5/1 scheme
R1 0
8
C1
13
16 17 18
Clocking Unit
R2 0
R3 0
7
10
C2
20 21
10
C3
20 21 22
Output
A5 sequence
Zero registers
64 cycles: Shift-in Kc
22 cycles: Shift-in Fn
100 cycles: Diffuse, with irregular clocking
228 cycles: Generate output, with irregular
clocking
XOR PRAND and frame-data
A5/2 scheme
Majority
R1 0
12 13 14 15 16 17 18
Majority
R2 0
9
13
16
Output
20 21
Majority
R3 0
7
13
16
Clocking Unit
R4 0
3
7
10 11
16
18
20 21 22
Cryptanalytical attacks
Algorithms kept secret
After reverse-engineering, many attacks:
Golic, 1997 (A5/1)
Goldberg + Wagner, 1998 (COMP128)
Goldberg + Wagner + Briceno, 1999 (A5/2)
Biryukov+ Shamir + Wagner, 2000 (A5/1)
Biham + Dunkelman, 2000 (A5/1)
Ekdahl + Johansson, 2002 (A5/1)
Barkan + Biham + Keller, 2003 (A5/2)
COMP128 and A5/2 completely broken
A5/1 very weak
Attacks in real life
Knowledge and hardware needed
Only on short distances
More effective ways:
Wiretapping
Eavesdropping
Microphones with directional effect
...
Conclusion
„Every chain is only as strong as its weakest link“
Good design, bad implementation
Tradeoff because of limited hardware capabilities
Future networks will use stronger ciphers
3G: A5/3 „Kasumi“ = „Misty“ block cipher
Enough protection for everyday-users
Thank you!
Questions?
[email protected]
http://www.nop.at
Slide 8
GSM network and its privacy
Thomas Stockinger
Overview
Why privacy and security?
GSM network‘s fundamentals
Basic communication
Authentication
Key generation
Encryption: The A5 algorithm
Attacks
Conclusion
Why?
From technical point of view
From customer’s point of view
Electromagnetic waves as communication media
Privacy
Cell phone cloning
From operator’s point of view
Billing fraud
Loss of customer faith
m-commerce applications
The GSM network
1982 – Start of design
1991 – Commerical start
Group Spécial Mobile
Global System for Mobile Communication
Worldwide system
Digital
Cellular
Subscriber Identity Module (SIM)
Flexible design (SMS, MMS, 2.5G, 3G, ...)
Security services
Authentication
Identity protection
Through temporary identification number
User data protection
Through challenge-response
Through encryption
Signaling data protection
Through encryption
GSM communication
Mobile Equipment
Radio Interface
„over-the-air“
KI (128 bit)
Challenge RAND (128bit)
A3
Response SRES (32 bit)
Base Station
KI (128 bit)
A3
?
A8
A8
SIM
KC (64 bit)
KC(64 bit)
Encrypted data
A5
A5
Algorithms
Purpose
Algorithm
Variations
Authentication
A3
COMP128 ...
Key generation
A8
COMP128 ...
Encryption
A5
A5/0 A5/1 A5/2 ...
Optimized for hardware
Never officially published („security by obscurity“)
A3 / A8 may be choosen by operator
COMP128 is assumed to be only a „proof of concept“
Authentication: A3
Input: Random challenge RAND + Secret Key Ki
Output: Signed response SRES
Completely implemented in the SmartCard
Ki never leaves the SIM
COMP128 algorithm or variations
SIM
RAND (128 bit)
Ki (128 bit)
A3
SRES (32 bit)
Key generation: A8
Same algorithm as A3
Output: Cipher key Kc
Only 56 bits of Kc are used
SIM
RAND (128 bit)
Ki (128 bit)
A8
Kc (64 bit)
Encryption: A5 stream cipher
Input:
Clocked linear feedback shift registers (LFSRs) generate pseudo
random bits PRAND
Output:
228-bit data-frame every 4.6 ms
Framecounter Fn
Secret Key Kc produced by A8
114-bit ciphertext + 114-bit plaintext
Same PRAND used for encoding and decoding
A5
F ra m e (11 4 + 11 4 b it)
p la in text
XOR
PR AND
(22 8 b it)
F n (2 2 bit)
K c (6 4 bit)
GEN
F ra m e (11 4 + 11 4 b it)
cip h e rte xt
A5/1 scheme
R1 0
8
C1
13
16 17 18
Clocking Unit
R2 0
R3 0
7
10
C2
20 21
10
C3
20 21 22
Output
A5 sequence
Zero registers
64 cycles: Shift-in Kc
22 cycles: Shift-in Fn
100 cycles: Diffuse, with irregular clocking
228 cycles: Generate output, with irregular
clocking
XOR PRAND and frame-data
A5/2 scheme
Majority
R1 0
12 13 14 15 16 17 18
Majority
R2 0
9
13
16
Output
20 21
Majority
R3 0
7
13
16
Clocking Unit
R4 0
3
7
10 11
16
18
20 21 22
Cryptanalytical attacks
Algorithms kept secret
After reverse-engineering, many attacks:
Golic, 1997 (A5/1)
Goldberg + Wagner, 1998 (COMP128)
Goldberg + Wagner + Briceno, 1999 (A5/2)
Biryukov+ Shamir + Wagner, 2000 (A5/1)
Biham + Dunkelman, 2000 (A5/1)
Ekdahl + Johansson, 2002 (A5/1)
Barkan + Biham + Keller, 2003 (A5/2)
COMP128 and A5/2 completely broken
A5/1 very weak
Attacks in real life
Knowledge and hardware needed
Only on short distances
More effective ways:
Wiretapping
Eavesdropping
Microphones with directional effect
...
Conclusion
„Every chain is only as strong as its weakest link“
Good design, bad implementation
Tradeoff because of limited hardware capabilities
Future networks will use stronger ciphers
3G: A5/3 „Kasumi“ = „Misty“ block cipher
Enough protection for everyday-users
Thank you!
Questions?
[email protected]
http://www.nop.at
Slide 9
GSM network and its privacy
Thomas Stockinger
Overview
Why privacy and security?
GSM network‘s fundamentals
Basic communication
Authentication
Key generation
Encryption: The A5 algorithm
Attacks
Conclusion
Why?
From technical point of view
From customer’s point of view
Electromagnetic waves as communication media
Privacy
Cell phone cloning
From operator’s point of view
Billing fraud
Loss of customer faith
m-commerce applications
The GSM network
1982 – Start of design
1991 – Commerical start
Group Spécial Mobile
Global System for Mobile Communication
Worldwide system
Digital
Cellular
Subscriber Identity Module (SIM)
Flexible design (SMS, MMS, 2.5G, 3G, ...)
Security services
Authentication
Identity protection
Through temporary identification number
User data protection
Through challenge-response
Through encryption
Signaling data protection
Through encryption
GSM communication
Mobile Equipment
Radio Interface
„over-the-air“
KI (128 bit)
Challenge RAND (128bit)
A3
Response SRES (32 bit)
Base Station
KI (128 bit)
A3
?
A8
A8
SIM
KC (64 bit)
KC(64 bit)
Encrypted data
A5
A5
Algorithms
Purpose
Algorithm
Variations
Authentication
A3
COMP128 ...
Key generation
A8
COMP128 ...
Encryption
A5
A5/0 A5/1 A5/2 ...
Optimized for hardware
Never officially published („security by obscurity“)
A3 / A8 may be choosen by operator
COMP128 is assumed to be only a „proof of concept“
Authentication: A3
Input: Random challenge RAND + Secret Key Ki
Output: Signed response SRES
Completely implemented in the SmartCard
Ki never leaves the SIM
COMP128 algorithm or variations
SIM
RAND (128 bit)
Ki (128 bit)
A3
SRES (32 bit)
Key generation: A8
Same algorithm as A3
Output: Cipher key Kc
Only 56 bits of Kc are used
SIM
RAND (128 bit)
Ki (128 bit)
A8
Kc (64 bit)
Encryption: A5 stream cipher
Input:
Clocked linear feedback shift registers (LFSRs) generate pseudo
random bits PRAND
Output:
228-bit data-frame every 4.6 ms
Framecounter Fn
Secret Key Kc produced by A8
114-bit ciphertext + 114-bit plaintext
Same PRAND used for encoding and decoding
A5
F ra m e (11 4 + 11 4 b it)
p la in text
XOR
PR AND
(22 8 b it)
F n (2 2 bit)
K c (6 4 bit)
GEN
F ra m e (11 4 + 11 4 b it)
cip h e rte xt
A5/1 scheme
R1 0
8
C1
13
16 17 18
Clocking Unit
R2 0
R3 0
7
10
C2
20 21
10
C3
20 21 22
Output
A5 sequence
Zero registers
64 cycles: Shift-in Kc
22 cycles: Shift-in Fn
100 cycles: Diffuse, with irregular clocking
228 cycles: Generate output, with irregular
clocking
XOR PRAND and frame-data
A5/2 scheme
Majority
R1 0
12 13 14 15 16 17 18
Majority
R2 0
9
13
16
Output
20 21
Majority
R3 0
7
13
16
Clocking Unit
R4 0
3
7
10 11
16
18
20 21 22
Cryptanalytical attacks
Algorithms kept secret
After reverse-engineering, many attacks:
Golic, 1997 (A5/1)
Goldberg + Wagner, 1998 (COMP128)
Goldberg + Wagner + Briceno, 1999 (A5/2)
Biryukov+ Shamir + Wagner, 2000 (A5/1)
Biham + Dunkelman, 2000 (A5/1)
Ekdahl + Johansson, 2002 (A5/1)
Barkan + Biham + Keller, 2003 (A5/2)
COMP128 and A5/2 completely broken
A5/1 very weak
Attacks in real life
Knowledge and hardware needed
Only on short distances
More effective ways:
Wiretapping
Eavesdropping
Microphones with directional effect
...
Conclusion
„Every chain is only as strong as its weakest link“
Good design, bad implementation
Tradeoff because of limited hardware capabilities
Future networks will use stronger ciphers
3G: A5/3 „Kasumi“ = „Misty“ block cipher
Enough protection for everyday-users
Thank you!
Questions?
[email protected]
http://www.nop.at
GSM network and its privacy
Thomas Stockinger
Overview
Why privacy and security?
GSM network‘s fundamentals
Basic communication
Authentication
Key generation
Encryption: The A5 algorithm
Attacks
Conclusion
Why?
From technical point of view
From customer’s point of view
Electromagnetic waves as communication media
Privacy
Cell phone cloning
From operator’s point of view
Billing fraud
Loss of customer faith
m-commerce applications
The GSM network
1982 – Start of design
1991 – Commerical start
Group Spécial Mobile
Global System for Mobile Communication
Worldwide system
Digital
Cellular
Subscriber Identity Module (SIM)
Flexible design (SMS, MMS, 2.5G, 3G, ...)
Security services
Authentication
Identity protection
Through temporary identification number
User data protection
Through challenge-response
Through encryption
Signaling data protection
Through encryption
GSM communication
Mobile Equipment
Radio Interface
„over-the-air“
KI (128 bit)
Challenge RAND (128bit)
A3
Response SRES (32 bit)
Base Station
KI (128 bit)
A3
?
A8
A8
SIM
KC (64 bit)
KC(64 bit)
Encrypted data
A5
A5
Algorithms
Purpose
Algorithm
Variations
Authentication
A3
COMP128 ...
Key generation
A8
COMP128 ...
Encryption
A5
A5/0 A5/1 A5/2 ...
Optimized for hardware
Never officially published („security by obscurity“)
A3 / A8 may be chosen by operator
COMP128 is assumed to be only a „proof of concept“
Authentication: A3
Input: Random challenge RAND + Secret Key Ki
Output: Signed response SRES
Completely implemented in the SmartCard
Ki never leaves the SIM
COMP128 algorithm or variations
[Diagram: inside the SIM, A3 takes RAND (128 bit) and Ki (128 bit) and outputs SRES (32 bit)]
Key generation: A8
Same algorithm as A3
Output: Cipher key Kc
Only 56 bits of Kc are used
[Diagram: inside the SIM, A8 takes RAND (128 bit) and Ki (128 bit) and outputs Kc (64 bit)]
Encryption: A5 stream cipher
Input:
Clocked linear feedback shift registers (LFSRs) generate pseudo random bits PRAND
Output:
228-bit data-frame every 4.6 ms
Framecounter Fn
Secret Key Kc produced by A8
114-bit ciphertext + 114-bit plaintext
Same PRAND used for encoding and decoding
[Diagram: A5. GEN takes Fn (22 bit) and Kc (64 bit) and produces PRAND (228 bit); the plaintext frame (114 + 114 bit) is XORed with PRAND to give the ciphertext frame (114 + 114 bit)]
A5/1 scheme
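[Diagram: three LFSRs whose last bits are combined into the Output. R1 (bits 0 to 18): clocking bit C1 at position 8, taps at 13, 16, 17, 18. R2 (bits 0 to 21): clocking bit C2 at position 10, taps at 20, 21. R3 (bits 0 to 22): clocking bit C3 at position 10, taps at 7, 20, 21, 22. The Clocking Unit reads C1, C2 and C3.]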
A5 sequence
Zero registers
64 cycles: Shift-in Kc
22 cycles: Shift-in Fn
100 cycles: Diffuse, with irregular clocking
228 cycles: Generate output, with irregular clocking
XOR PRAND and frame-data
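The A5 sequence above, written out in Python as an added example that is not part of the original slides. Register lengths, taps and clocking bits come from the A5/1 scheme slide; the bit ordering of Kc and Fn, reading each output bit after clocking, and the sample key, frame number and frame are assumptions.

```python
# Added example: A5/1 keystream generation following the slide's "A5 sequence".
# Register lengths, taps and clocking bits are those on the "A5/1 scheme" slide.
# Assumptions not on the slides: bit 0 is the input end of each register, Kc
# bytes and Fn are fed least significant bit first, and each output bit is
# read after the registers have been clocked.

R1_LEN, R2_LEN, R3_LEN = 19, 22, 23
R1_TAPS, R2_TAPS, R3_TAPS = (13, 16, 17, 18), (20, 21), (7, 20, 21, 22)
C1, C2, C3 = 8, 10, 10          # clocking bits read by the clocking unit
FRAME_BITS = 228                # 114 + 114 bits per frame


def _bit(reg, pos):
    return (reg >> pos) & 1


def _shift(reg, length, taps, inbit=0):
    """Clock one LFSR: XOR the taps (and an optional input bit) into bit 0."""
    feedback = inbit
    for tap in taps:
        feedback ^= _bit(reg, tap)
    return ((reg << 1) & ((1 << length) - 1)) | feedback


class A51:
    def __init__(self, kc, fn):
        if len(kc) != 8:
            raise ValueError("Kc must be 64 bits (8 bytes)")
        if not 0 <= fn < (1 << 22):
            raise ValueError("Fn must fit in 22 bits")
        self.r1 = self.r2 = self.r3 = 0              # zero registers
        for i in range(64):                          # 64 cycles: shift in Kc
            self._clock_all((kc[i // 8] >> (i % 8)) & 1)
        for i in range(22):                          # 22 cycles: shift in Fn
            self._clock_all((fn >> i) & 1)
        for _ in range(100):                         # 100 cycles: diffuse
            self._clock_majority()

    def _clock_all(self, inbit):
        """Regular clocking used while loading Kc and Fn."""
        self.r1 = _shift(self.r1, R1_LEN, R1_TAPS, inbit)
        self.r2 = _shift(self.r2, R2_LEN, R2_TAPS, inbit)
        self.r3 = _shift(self.r3, R3_LEN, R3_TAPS, inbit)

    def _clock_majority(self):
        """Irregular clocking: a register moves only if its clocking bit
        agrees with the majority of C1, C2, C3 (so two or three move)."""
        c1, c2, c3 = _bit(self.r1, C1), _bit(self.r2, C2), _bit(self.r3, C3)
        majority = 1 if c1 + c2 + c3 >= 2 else 0
        if c1 == majority:
            self.r1 = _shift(self.r1, R1_LEN, R1_TAPS)
        if c2 == majority:
            self.r2 = _shift(self.r2, R2_LEN, R2_TAPS)
        if c3 == majority:
            self.r3 = _shift(self.r3, R3_LEN, R3_TAPS)

    def next_bit(self):
        """One PRAND bit: clock irregularly, then XOR the three top bits."""
        self._clock_majority()
        return _bit(self.r1, 18) ^ _bit(self.r2, 21) ^ _bit(self.r3, 22)


def keystream(kc, fn, nbits=FRAME_BITS):
    """228 cycles: generate PRAND for one frame."""
    gen = A51(kc, fn)
    return [gen.next_bit() for _ in range(nbits)]


def xor_frame(frame_bits, kc, fn):
    """XOR PRAND and frame data; the same call encodes and decodes."""
    if len(frame_bits) != FRAME_BITS:
        raise ValueError("a frame is 228 bits")
    return [b ^ k for b, k in zip(frame_bits, keystream(kc, fn))]


# Constructed sample values, not taken from the slides.
SAMPLE_KC = bytes.fromhex("0123456789abcdef")
SAMPLE_FN = 0x134
SAMPLE_FRAME = [(i // 3) & 1 for i in range(FRAME_BITS)]

if __name__ == "__main__":
    ct = xor_frame(SAMPLE_FRAME, SAMPLE_KC, SAMPLE_FN)
    print("ciphertext:", "".join(map(str, ct)))
    print("round trip ok:", xor_frame(ct, SAMPLE_KC, SAMPLE_FN) == SAMPLE_FRAME)
```

Because Kc and Fn only ever enter through XOR into zeroed registers, an all-zero Kc with Fn = 0 leaves every register at zero and PRAND is 228 zero bits, which makes a quick sanity check for any implementation.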
A5/2 scheme
[Diagram: four LFSRs, R1 to R4. R1, R2 and R3 each feed a Majority function and are combined into the Output; R4 drives the Clocking Unit.]
Cryptanalytical attacks
Algorithms kept secret
After reverse-engineering, many attacks:
Golic, 1997 (A5/1)
Goldberg + Wagner, 1998 (COMP128)
Goldberg + Wagner + Briceno, 1999 (A5/2)
Biryukov + Shamir + Wagner, 2000 (A5/1)
Biham + Dunkelman, 2000 (A5/1)
Ekdahl + Johansson, 2002 (A5/1)
Barkan + Biham + Keller, 2003 (A5/2)
COMP128 and A5/2 completely broken
A5/1 very weak
Attacks in real life
Knowledge and hardware needed
Only on short distances
More effective ways:
Wiretapping
Eavesdropping
Microphones with directional effect
...
Conclusion
„Every chain is only as strong as its weakest link“
Good design, bad implementation
Tradeoff because of limited hardware capabilities
Future networks will use stronger ciphers
3G: A5/3 „Kasumi“ = „Misty“ block cipher
Enough protection for everyday-users
Thank you!
Questions?
http://www.nop.at
Slide 2
GSM network and its privacy
Thomas Stockinger
Overview
Why privacy and security?
GSM network‘s fundamentals
Basic communication
Authentication
Key generation
Encryption: The A5 algorithm
Attacks
Conclusion
Why?
From technical point of view
From customer’s point of view
Electromagnetic waves as communication media
Privacy
Cell phone cloning
From operator’s point of view
Billing fraud
Loss of customer faith
m-commerce applications
The GSM network
1982 – Start of design
1991 – Commerical start
Group Spécial Mobile
Global System for Mobile Communication
Worldwide system
Digital
Cellular
Subscriber Identity Module (SIM)
Flexible design (SMS, MMS, 2.5G, 3G, ...)
Security services
Authentication
Identity protection
Through temporary identification number
User data protection
Through challenge-response
Through encryption
Signaling data protection
Through encryption
GSM communication
Mobile Equipment
Radio Interface
„over-the-air“
KI (128 bit)
Challenge RAND (128bit)
A3
Response SRES (32 bit)
Base Station
KI (128 bit)
A3
?
A8
A8
SIM
KC (64 bit)
KC(64 bit)
Encrypted data
A5
A5
Algorithms
Purpose
Algorithm
Variations
Authentication
A3
COMP128 ...
Key generation
A8
COMP128 ...
Encryption
A5
A5/0 A5/1 A5/2 ...
Optimized for hardware
Never officially published („security by obscurity“)
A3 / A8 may be choosen by operator
COMP128 is assumed to be only a „proof of concept“
Authentication: A3
Input: Random challenge RAND + Secret Key Ki
Output: Signed response SRES
Completely implemented in the SmartCard
Ki never leaves the SIM
COMP128 algorithm or variations
SIM
RAND (128 bit)
Ki (128 bit)
A3
SRES (32 bit)
Key generation: A8
Same algorithm as A3
Output: Cipher key Kc
Only 56 bits of Kc are used
SIM
RAND (128 bit)
Ki (128 bit)
A8
Kc (64 bit)
Encryption: A5 stream cipher
Input:
Clocked linear feedback shift registers (LFSRs) generate pseudo
random bits PRAND
Output:
228-bit data-frame every 4.6 ms
Framecounter Fn
Secret Key Kc produced by A8
114-bit ciphertext + 114-bit plaintext
Same PRAND used for encoding and decoding
A5
F ra m e (11 4 + 11 4 b it)
p la in text
XOR
PR AND
(22 8 b it)
F n (2 2 bit)
K c (6 4 bit)
GEN
F ra m e (11 4 + 11 4 b it)
cip h e rte xt
A5/1 scheme
R1 0
8
C1
13
16 17 18
Clocking Unit
R2 0
R3 0
7
10
C2
20 21
10
C3
20 21 22
Output
A5 sequence
Zero registers
64 cycles: Shift-in Kc
22 cycles: Shift-in Fn
100 cycles: Diffuse, with irregular clocking
228 cycles: Generate output, with irregular
clocking
XOR PRAND and frame-data
A5/2 scheme
Majority
R1 0
12 13 14 15 16 17 18
Majority
R2 0
9
13
16
Output
20 21
Majority
R3 0
7
13
16
Clocking Unit
R4 0
3
7
10 11
16
18
20 21 22
Cryptanalytical attacks
Algorithms kept secret
After reverse-engineering, many attacks:
Golic, 1997 (A5/1)
Goldberg + Wagner, 1998 (COMP128)
Goldberg + Wagner + Briceno, 1999 (A5/2)
Biryukov+ Shamir + Wagner, 2000 (A5/1)
Biham + Dunkelman, 2000 (A5/1)
Ekdahl + Johansson, 2002 (A5/1)
Barkan + Biham + Keller, 2003 (A5/2)
COMP128 and A5/2 completely broken
A5/1 very weak
Attacks in real life
Knowledge and hardware needed
Only on short distances
More effective ways:
Wiretapping
Eavesdropping
Microphones with directional effect
...
Conclusion
„Every chain is only as strong as its weakest link“
Good design, bad implementation
Tradeoff because of limited hardware capabilities
Future networks will use stronger ciphers
3G: A5/3 „Kasumi“ = „Misty“ block cipher
Enough protection for everyday-users
Thank you!
Questions?
[email protected]
http://www.nop.at
Slide 3
GSM network and its privacy
Thomas Stockinger
Overview
Why privacy and security?
GSM network‘s fundamentals
Basic communication
Authentication
Key generation
Encryption: The A5 algorithm
Attacks
Conclusion
Why?
From technical point of view
From customer’s point of view
Electromagnetic waves as communication media
Privacy
Cell phone cloning
From operator’s point of view
Billing fraud
Loss of customer faith
m-commerce applications
The GSM network
1982 – Start of design
1991 – Commerical start
Group Spécial Mobile
Global System for Mobile Communication
Worldwide system
Digital
Cellular
Subscriber Identity Module (SIM)
Flexible design (SMS, MMS, 2.5G, 3G, ...)
Security services
Authentication
Identity protection
Through temporary identification number
User data protection
Through challenge-response
Through encryption
Signaling data protection
Through encryption
GSM communication
Mobile Equipment
Radio Interface
„over-the-air“
KI (128 bit)
Challenge RAND (128bit)
A3
Response SRES (32 bit)
Base Station
KI (128 bit)
A3
?
A8
A8
SIM
KC (64 bit)
KC(64 bit)
Encrypted data
A5
A5
Algorithms
Purpose
Algorithm
Variations
Authentication
A3
COMP128 ...
Key generation
A8
COMP128 ...
Encryption
A5
A5/0 A5/1 A5/2 ...
Optimized for hardware
Never officially published („security by obscurity“)
A3 / A8 may be choosen by operator
COMP128 is assumed to be only a „proof of concept“
Authentication: A3
Input: Random challenge RAND + Secret Key Ki
Output: Signed response SRES
Completely implemented in the SmartCard
Ki never leaves the SIM
COMP128 algorithm or variations
SIM
RAND (128 bit)
Ki (128 bit)
A3
SRES (32 bit)
Key generation: A8
Same algorithm as A3
Output: Cipher key Kc
Only 56 bits of Kc are used
SIM
RAND (128 bit)
Ki (128 bit)
A8
Kc (64 bit)
Encryption: A5 stream cipher
Input:
Clocked linear feedback shift registers (LFSRs) generate pseudo
random bits PRAND
Output:
228-bit data-frame every 4.6 ms
Framecounter Fn
Secret Key Kc produced by A8
114-bit ciphertext + 114-bit plaintext
Same PRAND used for encoding and decoding
A5
F ra m e (11 4 + 11 4 b it)
p la in text
XOR
PR AND
(22 8 b it)
F n (2 2 bit)
K c (6 4 bit)
GEN
F ra m e (11 4 + 11 4 b it)
cip h e rte xt
A5/1 scheme
R1 0
8
C1
13
16 17 18
Clocking Unit
R2 0
R3 0
7
10
C2
20 21
10
C3
20 21 22
Output
A5 sequence
Zero registers
64 cycles: Shift-in Kc
22 cycles: Shift-in Fn
100 cycles: Diffuse, with irregular clocking
228 cycles: Generate output, with irregular
clocking
XOR PRAND and frame-data
A5/2 scheme
Majority
R1 0
12 13 14 15 16 17 18
Majority
R2 0
9
13
16
Output
20 21
Majority
R3 0
7
13
16
Clocking Unit
R4 0
3
7
10 11
16
18
20 21 22
Cryptanalytical attacks
Algorithms kept secret
After reverse-engineering, many attacks:
Golic, 1997 (A5/1)
Goldberg + Wagner, 1998 (COMP128)
Goldberg + Wagner + Briceno, 1999 (A5/2)
Biryukov+ Shamir + Wagner, 2000 (A5/1)
Biham + Dunkelman, 2000 (A5/1)
Ekdahl + Johansson, 2002 (A5/1)
Barkan + Biham + Keller, 2003 (A5/2)
COMP128 and A5/2 completely broken
A5/1 very weak
Attacks in real life
Knowledge and hardware needed
Only on short distances
More effective ways:
Wiretapping
Eavesdropping
Microphones with directional effect
...
Conclusion
„Every chain is only as strong as its weakest link“
Good design, bad implementation
Tradeoff because of limited hardware capabilities
Future networks will use stronger ciphers
3G: A5/3 „Kasumi“ = „Misty“ block cipher
Enough protection for everyday-users
Thank you!
Questions?
[email protected]
http://www.nop.at
Slide 4
GSM network and its privacy
Thomas Stockinger
Overview
Why privacy and security?
GSM network‘s fundamentals
Basic communication
Authentication
Key generation
Encryption: The A5 algorithm
Attacks
Conclusion
Why?
From technical point of view
From customer’s point of view
Electromagnetic waves as communication media
Privacy
Cell phone cloning
From operator’s point of view
Billing fraud
Loss of customer faith
m-commerce applications
The GSM network
1982 – Start of design
1991 – Commerical start
Group Spécial Mobile
Global System for Mobile Communication
Worldwide system
Digital
Cellular
Subscriber Identity Module (SIM)
Flexible design (SMS, MMS, 2.5G, 3G, ...)
Security services
Authentication
Identity protection
Through temporary identification number
User data protection
Through challenge-response
Through encryption
Signaling data protection
Through encryption
GSM communication
Mobile Equipment
Radio Interface
„over-the-air“
KI (128 bit)
Challenge RAND (128bit)
A3
Response SRES (32 bit)
Base Station
KI (128 bit)
A3
?
A8
A8
SIM
KC (64 bit)
KC(64 bit)
Encrypted data
A5
A5
Algorithms
Purpose
Algorithm
Variations
Authentication
A3
COMP128 ...
Key generation
A8
COMP128 ...
Encryption
A5
A5/0 A5/1 A5/2 ...
Optimized for hardware
Never officially published („security by obscurity“)
A3 / A8 may be choosen by operator
COMP128 is assumed to be only a „proof of concept“
Authentication: A3
Input: Random challenge RAND + Secret Key Ki
Output: Signed response SRES
Completely implemented in the SmartCard
Ki never leaves the SIM
COMP128 algorithm or variations
SIM
RAND (128 bit)
Ki (128 bit)
A3
SRES (32 bit)
Key generation: A8
Same algorithm as A3
Output: Cipher key Kc
Only 56 bits of Kc are used
SIM
RAND (128 bit)
Ki (128 bit)
A8
Kc (64 bit)
Encryption: A5 stream cipher
Input:
Clocked linear feedback shift registers (LFSRs) generate pseudo
random bits PRAND
Output:
228-bit data-frame every 4.6 ms
Framecounter Fn
Secret Key Kc produced by A8
114-bit ciphertext + 114-bit plaintext
Same PRAND used for encoding and decoding
A5
F ra m e (11 4 + 11 4 b it)
p la in text
XOR
PR AND
(22 8 b it)
F n (2 2 bit)
K c (6 4 bit)
GEN
F ra m e (11 4 + 11 4 b it)
cip h e rte xt
A5/1 scheme
R1 0
8
C1
13
16 17 18
Clocking Unit
R2 0
R3 0
7
10
C2
20 21
10
C3
20 21 22
Output
A5 sequence
Zero registers
64 cycles: Shift-in Kc
22 cycles: Shift-in Fn
100 cycles: Diffuse, with irregular clocking
228 cycles: Generate output, with irregular
clocking
XOR PRAND and frame-data
A5/2 scheme
Majority
R1 0
12 13 14 15 16 17 18
Majority
R2 0
9
13
16
Output
20 21
Majority
R3 0
7
13
16
Clocking Unit
R4 0
3
7
10 11
16
18
20 21 22
Cryptanalytical attacks
Algorithms kept secret
After reverse-engineering, many attacks:
Golic, 1997 (A5/1)
Goldberg + Wagner, 1998 (COMP128)
Goldberg + Wagner + Briceno, 1999 (A5/2)
Biryukov+ Shamir + Wagner, 2000 (A5/1)
Biham + Dunkelman, 2000 (A5/1)
Ekdahl + Johansson, 2002 (A5/1)
Barkan + Biham + Keller, 2003 (A5/2)
COMP128 and A5/2 completely broken
A5/1 very weak
Attacks in real life
Knowledge and hardware needed
Only on short distances
More effective ways:
Wiretapping
Eavesdropping
Microphones with directional effect
...
Conclusion
„Every chain is only as strong as its weakest link“
Good design, bad implementation
Tradeoff because of limited hardware capabilities
Future networks will use stronger ciphers
3G: A5/3 „Kasumi“ = „Misty“ block cipher
Enough protection for everyday-users
Thank you!
Questions?
[email protected]
http://www.nop.at
Slide 5
GSM network and its privacy
Thomas Stockinger
Overview
Why privacy and security?
GSM network‘s fundamentals
Basic communication
Authentication
Key generation
Encryption: The A5 algorithm
Attacks
Conclusion
Why?
From technical point of view
From customer’s point of view
Electromagnetic waves as communication media
Privacy
Cell phone cloning
From operator’s point of view
Billing fraud
Loss of customer faith
m-commerce applications
The GSM network
1982 – Start of design
1991 – Commerical start
Group Spécial Mobile
Global System for Mobile Communication
Worldwide system
Digital
Cellular
Subscriber Identity Module (SIM)
Flexible design (SMS, MMS, 2.5G, 3G, ...)
Security services
Authentication
Identity protection
Through temporary identification number
User data protection
Through challenge-response
Through encryption
Signaling data protection
Through encryption
GSM communication
Mobile Equipment
Radio Interface
„over-the-air“
KI (128 bit)
Challenge RAND (128bit)
A3
Response SRES (32 bit)
Base Station
KI (128 bit)
A3
?
A8
A8
SIM
KC (64 bit)
KC(64 bit)
Encrypted data
A5
A5
Algorithms
Purpose
Algorithm
Variations
Authentication
A3
COMP128 ...
Key generation
A8
COMP128 ...
Encryption
A5
A5/0 A5/1 A5/2 ...
Optimized for hardware
Never officially published („security by obscurity“)
A3 / A8 may be choosen by operator
COMP128 is assumed to be only a „proof of concept“
Authentication: A3
Input: Random challenge RAND + Secret Key Ki
Output: Signed response SRES
Completely implemented in the SmartCard
Ki never leaves the SIM
COMP128 algorithm or variations
SIM
RAND (128 bit)
Ki (128 bit)
A3
SRES (32 bit)
Key generation: A8
Same algorithm as A3
Output: Cipher key Kc
Only 56 bits of Kc are used
SIM
RAND (128 bit)
Ki (128 bit)
A8
Kc (64 bit)
Encryption: A5 stream cipher
Input:
Clocked linear feedback shift registers (LFSRs) generate pseudo
random bits PRAND
Output:
228-bit data-frame every 4.6 ms
Framecounter Fn
Secret Key Kc produced by A8
114-bit ciphertext + 114-bit plaintext
Same PRAND used for encoding and decoding
A5
F ra m e (11 4 + 11 4 b it)
p la in text
XOR
PR AND
(22 8 b it)
F n (2 2 bit)
K c (6 4 bit)
GEN
F ra m e (11 4 + 11 4 b it)
cip h e rte xt
A5/1 scheme
R1 0
8
C1
13
16 17 18
Clocking Unit
R2 0
R3 0
7
10
C2
20 21
10
C3
20 21 22
Output
A5 sequence
Zero registers
64 cycles: Shift-in Kc
22 cycles: Shift-in Fn
100 cycles: Diffuse, with irregular clocking
228 cycles: Generate output, with irregular
clocking
XOR PRAND and frame-data
A5/2 scheme
Majority
R1 0
12 13 14 15 16 17 18
Majority
R2 0
9
13
16
Output
20 21
Majority
R3 0
7
13
16
Clocking Unit
R4 0
3
7
10 11
16
18
20 21 22
Cryptanalytical attacks
Algorithms kept secret
After reverse-engineering, many attacks:
Golic, 1997 (A5/1)
Goldberg + Wagner, 1998 (COMP128)
Goldberg + Wagner + Briceno, 1999 (A5/2)
Biryukov+ Shamir + Wagner, 2000 (A5/1)
Biham + Dunkelman, 2000 (A5/1)
Ekdahl + Johansson, 2002 (A5/1)
Barkan + Biham + Keller, 2003 (A5/2)
COMP128 and A5/2 completely broken
A5/1 very weak
Attacks in real life
Knowledge and hardware needed
Only on short distances
More effective ways:
Wiretapping
Eavesdropping
Microphones with directional effect
...
Conclusion
„Every chain is only as strong as its weakest link“
Good design, bad implementation
Tradeoff because of limited hardware capabilities
Future networks will use stronger ciphers
3G: A5/3 „Kasumi“ = „Misty“ block cipher
Enough protection for everyday-users
Thank you!
Questions?
[email protected]
http://www.nop.at
Slide 6
GSM network and its privacy
Thomas Stockinger
Overview
Why privacy and security?
GSM network‘s fundamentals
Basic communication
Authentication
Key generation
Encryption: The A5 algorithm
Attacks
Conclusion
Why?
From technical point of view
From customer’s point of view
Electromagnetic waves as communication media
Privacy
Cell phone cloning
From operator’s point of view
Billing fraud
Loss of customer faith
m-commerce applications
The GSM network
1982 – Start of design
1991 – Commerical start
Group Spécial Mobile
Global System for Mobile Communication
Worldwide system
Digital
Cellular
Subscriber Identity Module (SIM)
Flexible design (SMS, MMS, 2.5G, 3G, ...)
Security services
Authentication
Identity protection
Through temporary identification number
User data protection
Through challenge-response
Through encryption
Signaling data protection
Through encryption
GSM communication
Mobile Equipment
Radio Interface
„over-the-air“
KI (128 bit)
Challenge RAND (128bit)
A3
Response SRES (32 bit)
Base Station
KI (128 bit)
A3
?
A8
A8
SIM
KC (64 bit)
KC(64 bit)
Encrypted data
A5
A5
Algorithms
Purpose
Algorithm
Variations
Authentication
A3
COMP128 ...
Key generation
A8
COMP128 ...
Encryption
A5
A5/0 A5/1 A5/2 ...
Optimized for hardware
Never officially published („security by obscurity“)
A3 / A8 may be choosen by operator
COMP128 is assumed to be only a „proof of concept“
Authentication: A3
Input: Random challenge RAND + Secret Key Ki
Output: Signed response SRES
Completely implemented in the SmartCard
Ki never leaves the SIM
COMP128 algorithm or variations
SIM
RAND (128 bit)
Ki (128 bit)
A3
SRES (32 bit)
Key generation: A8
Same algorithm as A3
Output: Cipher key Kc
Only 56 bits of Kc are used
SIM
RAND (128 bit)
Ki (128 bit)
A8
Kc (64 bit)
Encryption: A5 stream cipher
Input:
Clocked linear feedback shift registers (LFSRs) generate pseudo
random bits PRAND
Output:
228-bit data-frame every 4.6 ms
Framecounter Fn
Secret Key Kc produced by A8
114-bit ciphertext + 114-bit plaintext
Same PRAND used for encoding and decoding
A5
F ra m e (11 4 + 11 4 b it)
p la in text
XOR
PR AND
(22 8 b it)
F n (2 2 bit)
K c (6 4 bit)
GEN
F ra m e (11 4 + 11 4 b it)
cip h e rte xt
A5/1 scheme
R1 0
8
C1
13
16 17 18
Clocking Unit
R2 0
R3 0
7
10
C2
20 21
10
C3
20 21 22
Output
A5 sequence
Zero registers
64 cycles: Shift-in Kc
22 cycles: Shift-in Fn
100 cycles: Diffuse, with irregular clocking
228 cycles: Generate output, with irregular
clocking
XOR PRAND and frame-data
A5/2 scheme
Majority
R1 0
12 13 14 15 16 17 18
Majority
R2 0
9
13
16
Output
20 21
Majority
R3 0
7
13
16
Clocking Unit
R4 0
3
7
10 11
16
18
20 21 22
Cryptanalytical attacks
Algorithms kept secret
After reverse-engineering, many attacks:
Golic, 1997 (A5/1)
Goldberg + Wagner, 1998 (COMP128)
Goldberg + Wagner + Briceno, 1999 (A5/2)
Biryukov+ Shamir + Wagner, 2000 (A5/1)
Biham + Dunkelman, 2000 (A5/1)
Ekdahl + Johansson, 2002 (A5/1)
Barkan + Biham + Keller, 2003 (A5/2)
COMP128 and A5/2 completely broken
A5/1 very weak
Attacks in real life
Knowledge and hardware needed
Only on short distances
More effective ways:
Wiretapping
Eavesdropping
Microphones with directional effect
...
Conclusion
„Every chain is only as strong as its weakest link“
Good design, bad implementation
Tradeoff because of limited hardware capabilities
Future networks will use stronger ciphers
3G: A5/3 „Kasumi“ = „Misty“ block cipher
Enough protection for everyday-users
Thank you!
Questions?
[email protected]
http://www.nop.at
Slide 7
GSM network and its privacy
Thomas Stockinger
Overview
Why privacy and security?
GSM network‘s fundamentals
Basic communication
Authentication
Key generation
Encryption: The A5 algorithm
Attacks
Conclusion
Why?
From technical point of view
From customer’s point of view
Electromagnetic waves as communication media
Privacy
Cell phone cloning
From operator’s point of view
Billing fraud
Loss of customer faith
m-commerce applications
The GSM network
1982 – Start of design
1991 – Commerical start
Group Spécial Mobile
Global System for Mobile Communication
Worldwide system
Digital
Cellular
Subscriber Identity Module (SIM)
Flexible design (SMS, MMS, 2.5G, 3G, ...)
Security services
Authentication
Identity protection
Through temporary identification number
User data protection
Through challenge-response
Through encryption
Signaling data protection
Through encryption
GSM communication
Mobile Equipment
Radio Interface
„over-the-air“
KI (128 bit)
Challenge RAND (128bit)
A3
Response SRES (32 bit)
Base Station
KI (128 bit)
A3
?
A8
A8
SIM
KC (64 bit)
KC(64 bit)
Encrypted data
A5
A5
Algorithms
Purpose
Algorithm
Variations
Authentication
A3
COMP128 ...
Key generation
A8
COMP128 ...
Encryption
A5
A5/0 A5/1 A5/2 ...
Optimized for hardware
Never officially published („security by obscurity“)
A3 / A8 may be choosen by operator
COMP128 is assumed to be only a „proof of concept“
Authentication: A3
Input: Random challenge RAND + Secret Key Ki
Output: Signed response SRES
Completely implemented in the SmartCard
Ki never leaves the SIM
COMP128 algorithm or variations
SIM
RAND (128 bit)
Ki (128 bit)
A3
SRES (32 bit)
Key generation: A8
Same algorithm as A3
Output: Cipher key Kc
Only 56 bits of Kc are used
SIM
RAND (128 bit)
Ki (128 bit)
A8
Kc (64 bit)
Encryption: A5 stream cipher
Input:
Clocked linear feedback shift registers (LFSRs) generate pseudo
random bits PRAND
Output:
228-bit data-frame every 4.6 ms
Framecounter Fn
Secret Key Kc produced by A8
114-bit ciphertext + 114-bit plaintext
Same PRAND used for encoding and decoding
A5
F ra m e (11 4 + 11 4 b it)
p la in text
XOR
PR AND
(22 8 b it)
F n (2 2 bit)
K c (6 4 bit)
GEN
F ra m e (11 4 + 11 4 b it)
cip h e rte xt
A5/1 scheme
R1 0
8
C1
13
16 17 18
Clocking Unit
R2 0
R3 0
7
10
C2
20 21
10
C3
20 21 22
Output
A5 sequence
Zero registers
64 cycles: Shift-in Kc
22 cycles: Shift-in Fn
100 cycles: Diffuse, with irregular clocking
228 cycles: Generate output, with irregular
clocking
XOR PRAND and frame-data
A5/2 scheme
Majority
R1 0
12 13 14 15 16 17 18
Majority
R2 0
9
13
16
Output
20 21
Majority
R3 0
7
13
16
Clocking Unit
R4 0
3
7
10 11
16
18
20 21 22
Cryptanalytical attacks
Algorithms kept secret
After reverse-engineering, many attacks:
Golic, 1997 (A5/1)
Goldberg + Wagner, 1998 (COMP128)
Goldberg + Wagner + Briceno, 1999 (A5/2)
Biryukov+ Shamir + Wagner, 2000 (A5/1)
Biham + Dunkelman, 2000 (A5/1)
Ekdahl + Johansson, 2002 (A5/1)
Barkan + Biham + Keller, 2003 (A5/2)
COMP128 and A5/2 completely broken
A5/1 very weak
Attacks in real life
Knowledge and hardware needed
Only on short distances
More effective ways:
Wiretapping
Eavesdropping
Microphones with directional effect
...
Conclusion
„Every chain is only as strong as its weakest link“
Good design, bad implementation
Tradeoff because of limited hardware capabilities
Future networks will use stronger ciphers
3G: A5/3 „Kasumi“ = „Misty“ block cipher
Enough protection for everyday-users
Thank you!
Questions?
[email protected]
http://www.nop.at
Slide 8
GSM network and its privacy
Thomas Stockinger
Overview
Why privacy and security?
GSM network‘s fundamentals
Basic communication
Authentication
Key generation
Encryption: The A5 algorithm
Attacks
Conclusion
Why?
From technical point of view
From customer’s point of view
Electromagnetic waves as communication media
Privacy
Cell phone cloning
From operator’s point of view
Billing fraud
Loss of customer faith
m-commerce applications
The GSM network
1982 – Start of design
1991 – Commerical start
Group Spécial Mobile
Global System for Mobile Communication
Worldwide system
Digital
Cellular
Subscriber Identity Module (SIM)
Flexible design (SMS, MMS, 2.5G, 3G, ...)
Security services
Authentication
Identity protection
Through temporary identification number
User data protection
Through challenge-response
Through encryption
Signaling data protection
Through encryption
GSM communication
Mobile Equipment
Radio Interface
„over-the-air“
KI (128 bit)
Challenge RAND (128bit)
A3
Response SRES (32 bit)
Base Station
KI (128 bit)
A3
?
A8
A8
SIM
KC (64 bit)
KC(64 bit)
Encrypted data
A5
A5
Algorithms
Purpose
Algorithm
Variations
Authentication
A3
COMP128 ...
Key generation
A8
COMP128 ...
Encryption
A5
A5/0 A5/1 A5/2 ...
Optimized for hardware
Never officially published („security by obscurity“)
A3 / A8 may be choosen by operator
COMP128 is assumed to be only a „proof of concept“
Authentication: A3
Input: Random challenge RAND + Secret Key Ki
Output: Signed response SRES
Completely implemented in the SmartCard
Ki never leaves the SIM
COMP128 algorithm or variations
SIM
RAND (128 bit)
Ki (128 bit)
A3
SRES (32 bit)
Key generation: A8
Same algorithm as A3
Output: Cipher key Kc
Only 56 bits of Kc are used
SIM
RAND (128 bit)
Ki (128 bit)
A8
Kc (64 bit)
Encryption: A5 stream cipher
Input:
Clocked linear feedback shift registers (LFSRs) generate pseudo
random bits PRAND
Output:
228-bit data-frame every 4.6 ms
Framecounter Fn
Secret Key Kc produced by A8
114-bit ciphertext + 114-bit plaintext
Same PRAND used for encoding and decoding
A5
F ra m e (11 4 + 11 4 b it)
p la in text
XOR
PR AND
(22 8 b it)
F n (2 2 bit)
K c (6 4 bit)
GEN
F ra m e (11 4 + 11 4 b it)
cip h e rte xt
A5/1 scheme
R1 0
8
C1
13
16 17 18
Clocking Unit
R2 0
R3 0
7
10
C2
20 21
10
C3
20 21 22
Output
A5 sequence
Zero registers
64 cycles: Shift-in Kc
22 cycles: Shift-in Fn
100 cycles: Diffuse, with irregular clocking
228 cycles: Generate output, with irregular
clocking
XOR PRAND and frame-data
A5/2 scheme
Majority
R1 0
12 13 14 15 16 17 18
Majority
R2 0
9
13
16
Output
20 21
Majority
R3 0
7
13
16
Clocking Unit
R4 0
3
7
10 11
16
18
20 21 22
Cryptanalytical attacks
Algorithms kept secret
After reverse-engineering, many attacks:
Golic, 1997 (A5/1)
Goldberg + Wagner, 1998 (COMP128)
Goldberg + Wagner + Briceno, 1999 (A5/2)
Biryukov+ Shamir + Wagner, 2000 (A5/1)
Biham + Dunkelman, 2000 (A5/1)
Ekdahl + Johansson, 2002 (A5/1)
Barkan + Biham + Keller, 2003 (A5/2)
COMP128 and A5/2 completely broken
A5/1 very weak
Attacks in real life
Knowledge and hardware needed
Only on short distances
More effective ways:
Wiretapping
Eavesdropping
Microphones with directional effect
...
Conclusion
„Every chain is only as strong as its weakest link“
Good design, bad implementation
Tradeoff because of limited hardware capabilities
Future networks will use stronger ciphers
3G: A5/3 „Kasumi“ = „Misty“ block cipher
Enough protection for everyday-users
Thank you!
Questions?
[email protected]
http://www.nop.at
Slide 9
GSM network and its privacy
Thomas Stockinger
Overview
Why privacy and security?
GSM network‘s fundamentals
Basic communication
Authentication
Key generation
Encryption: The A5 algorithm
Attacks
Conclusion
Why?
From technical point of view
From customer’s point of view
Electromagnetic waves as communication media
Privacy
Cell phone cloning
From operator’s point of view
Billing fraud
Loss of customer faith
m-commerce applications
The GSM network
1982 – Start of design
1991 – Commerical start
Group Spécial Mobile
Global System for Mobile Communication
Worldwide system
Digital
Cellular
Subscriber Identity Module (SIM)
Flexible design (SMS, MMS, 2.5G, 3G, ...)
Security services
Authentication
Identity protection
Through temporary identification number
User data protection
Through challenge-response
Through encryption
Signaling data protection
Through encryption
GSM communication
Mobile Equipment
Radio Interface
„over-the-air“
KI (128 bit)
Challenge RAND (128bit)
A3
Response SRES (32 bit)
Base Station
KI (128 bit)
A3
?
A8
A8
SIM
KC (64 bit)
KC(64 bit)
Encrypted data
A5
A5
Algorithms
Purpose
Algorithm
Variations
Authentication
A3
COMP128 ...
Key generation
A8
COMP128 ...
Encryption
A5
A5/0 A5/1 A5/2 ...
Optimized for hardware
Never officially published („security by obscurity“)
A3 / A8 may be choosen by operator
COMP128 is assumed to be only a „proof of concept“
Authentication: A3
Input: Random challenge RAND + Secret Key Ki
Output: Signed response SRES
Completely implemented in the SmartCard
Ki never leaves the SIM
COMP128 algorithm or variations
SIM
RAND (128 bit)
Ki (128 bit)
A3
SRES (32 bit)
Key generation: A8
Same algorithm as A3
Output: Cipher key Kc
Only 56 bits of Kc are used
SIM
RAND (128 bit)
Ki (128 bit)
A8
Kc (64 bit)
Encryption: A5 stream cipher
Input:
Clocked linear feedback shift registers (LFSRs) generate pseudo
random bits PRAND
Output:
228-bit data-frame every 4.6 ms
Framecounter Fn
Secret Key Kc produced by A8
114-bit ciphertext + 114-bit plaintext
Same PRAND used for encoding and decoding
A5
F ra m e (11 4 + 11 4 b it)
p la in text
XOR
PR AND
(22 8 b it)
F n (2 2 bit)
K c (6 4 bit)
GEN
F ra m e (11 4 + 11 4 b it)
cip h e rte xt
A5/1 scheme
R1 0
8
C1
13
16 17 18
Clocking Unit
R2 0
R3 0
7
10
C2
20 21
10
C3
20 21 22
Output
A5 sequence
Zero registers
64 cycles: Shift-in Kc
22 cycles: Shift-in Fn
100 cycles: Diffuse, with irregular clocking
228 cycles: Generate output, with irregular
clocking
XOR PRAND and frame-data
A5/2 scheme
Majority
R1 0
12 13 14 15 16 17 18
Majority
R2 0
9
13
16
Output
20 21
Majority
R3 0
7
13
16
Clocking Unit
R4 0
3
7
10 11
16
18
20 21 22
Cryptanalytical attacks
Algorithms kept secret
After reverse-engineering, many attacks:
Golic, 1997 (A5/1)
Goldberg + Wagner, 1998 (COMP128)
Goldberg + Wagner + Briceno, 1999 (A5/2)
Biryukov+ Shamir + Wagner, 2000 (A5/1)
Biham + Dunkelman, 2000 (A5/1)
Ekdahl + Johansson, 2002 (A5/1)
Barkan + Biham + Keller, 2003 (A5/2)
COMP128 and A5/2 completely broken
A5/1 very weak
Attacks in real life
Knowledge and hardware needed
Only on short distances
More effective ways:
Wiretapping
Eavesdropping
Microphones with directional effect
...
Conclusion
„Every chain is only as strong as its weakest link“
Good design, bad implementation
Tradeoff because of limited hardware capabilities
Future networks will use stronger ciphers
3G: A5/3 „Kasumi“ = „Misty“ block cipher
Enough protection for everyday-users
Thank you!
Questions?