2. Security in GSM
Why Security
GSM security lets GSM network subscribers communicate securely without intrusion. The security described here covers the air interface only, not the fixed network part.
The authentication center (AuC) authenticates each SIM card that attempts to connect to the GSM core network (typically when the phone is powered on). Once authentication succeeds, the HLR is allowed to manage the SIM and the services described above. An encryption key is also generated, which is subsequently used to encrypt all wireless communications (voice, SMS, etc.) between the mobile phone and the GSM core network.
www.rsmangrulkar.com Security in GSM January 30, 2018 2 / 18
3. Figure 1: Types of Handover
4. Figure 2: Types of Handover
5. GSM Authentication
The MS sends either an IMSI or a TMSI to the BSS.
The BSS forwards it to the MSC/VLR.
The MSC/VLR forwards the IMSI to the HLR and requests verification of the IMSI as well as authentication triplets.
The HLR forwards the IMSI to the Authentication Center (AuC) and requests authentication triplets.
The AuC generates the triplets and sends them, along with the IMSI, back to the HLR.
6. GSM Authentication cont...
The HLR validates the IMSI by ensuring it is allowed on the network and is allowed subscriber services. It then forwards the IMSI and triplets to the MSC/VLR.
The MSC/VLR stores the SRES and the Kc, forwards the RAND to the BSS, and orders the BSS to authenticate the MS.
The MS uses the RAND to calculate the SRES and sends the SRES back to the BSS.
The BSS forwards the SRES up to the MSC/VLR.
The MSC/VLR compares the SRES generated by the AuC with the SRES generated by the MS. If they match, authentication is completed successfully.
11. A3 - Authentication
A3 input: 128-bit random number RAND, 128-bit private key Ki
A3 output: 32-bit signed response SRES
12. A8 Key Generator
A8 input: 128-bit random number RAND, 128-bit private key Ki
A8 output: 62-bit cipher key Kc
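The authentication steps on slides 5 and 6, with the A3/A8 inputs from slides 11 and 12, can be traced in the following added example, which is not part of the original slides. It assumes HMAC-SHA256 as a stand-in for A3/A8 (it is not COMP128); the class names, the sample IMSI and Ki, and the 8-byte size used for Kc are constructed for illustration.

```python
import hashlib
import hmac
import os

def a3_a8(ki, rand):
    """Stand-in for A3/A8 (HMAC-SHA256, NOT COMP128): returns (SRES, Kc)."""
    if len(ki) != 16 or len(rand) != 16:
        raise ValueError("Ki and RAND must each be 128 bits")
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]  # 32-bit SRES; Kc sized at 8 bytes here (assumption)

class AuC:
    """HLR/AuC side: knows Ki for each provisioned IMSI and builds triplets."""
    def __init__(self, subscribers):
        self._ki = dict(subscribers)
    def triplet(self, imsi):
        if imsi not in self._ki:          # HLR check: IMSI not allowed on the network
            return None
        rand = os.urandom(16)
        sres, kc = a3_a8(self._ki[imsi], rand)
        return rand, sres, kc

class SIM:
    """MS side: Ki never leaves the card; only SRES is returned."""
    def __init__(self, imsi, ki):
        self.imsi, self._ki = imsi, ki
    def respond(self, rand):
        return a3_a8(self._ki, rand)

class MscVlr:
    def __init__(self, auc):
        self._auc = auc
    def authenticate(self, sim):
        """Return Kc on success, None on failure."""
        triplet = self._auc.triplet(sim.imsi)
        if triplet is None:
            return None
        rand, expected_sres, kc = triplet   # SRES and Kc stay in the MSC/VLR
        sres, _ = sim.respond(rand)         # only RAND and SRES cross the air interface
        return kc if hmac.compare_digest(sres, expected_sres) else None

# Constructed sample subscriber data (not real values).
IMSI = "001010123456789"
KI = bytes.fromhex("00112233445566778899aabbccddeeff")

def demo():
    msc = MscVlr(AuC({IMSI: KI}))
    return (msc.authenticate(SIM(IMSI, KI)),               # genuine SIM
            msc.authenticate(SIM(IMSI, bytes(16))),        # right IMSI, wrong Ki
            msc.authenticate(SIM("001019999999999", KI)))  # IMSI unknown to the HLR

if __name__ == "__main__":
    print(demo())
```

Only the genuine SIM yields a Kc; the card with the wrong Ki fails the SRES comparison, and the unknown IMSI is rejected before any challenge is issued.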
13. COMP128
COMP128 is a MAC (message authentication code) function.
It uses 5 secret tables: T0 (512 bytes), T1 (256 bytes), T2 (128 bytes), T3 (64 bytes) and T4 (32 bytes).
There are then 8 loops of the following compression function:
Apply 5 rounds of table lookups and substitution using tables T0 to T4.
Perform a permutation on the 128 output bits before the next loop, except in the last loop.
14. The COMP128 algorithms [1] are implementations of the A3 and A8 algorithms defined in the GSM standard. The A3 algorithm is used to authenticate the mobile station to the network. The A8 algorithm is used to generate the session key used by A5 to encrypt the data transmitted between the mobile station and the BTS.
In GSM, A5 was publicly available whereas A3 and A8 were secret.
[1] SIM cards are manufactured based on three algorithms: COMP128v1, COMP128v2 and COMP128v3. It is important to note that currently only COMP128v1 SIM cards can be cloned, since this is the only algorithm that has been cracked; bear in mind that 70% of all the SIM cards we use are COMP128v1. Source: https://www.tech2hack.com/how-to-clone-sim-card-easily/