Cryptography in GSM
1. Analysis of Cryptography in GSM Networks
Research Project
Master of the Sciences Degree in Communication and Information Engineering
University of Peradeniya
By: Tharindu Weerasinghe (PG/EE/08/MSc/24)
2. Outline
Introduction
Common Security Requirements
Cryptography
Symmetric Key
Public key
Cryptographic hashes
GSM
Cryptography in GSM (A5/1, A5/3…)
Their issues
My proposal
Conclusion
6. What Cryptography can do?
Encryption: Only the authorized party can understand the message after the process of encryption.
Data authentication: Ascertain that information exchanged is indeed the one from the sender.
Signature: Allow people to verify the authenticity of the message or authenticate the peer user.
8. Symmetric-Key Cryptography
Encryption: $C = E_k(M)$
Decryption: $M = D_k(C)$
Encryption/Decryption uses the same or similar key
Ideally, a different key for each pair of users
For example, DES (Data Encryption Standard)
9. Symmetric-Key Cryptography: Encryption / Decryption
[Figure: Alice's encoder (plain text in, cipher text out) sends the cipher text to Bob's decoder (cipher text in, plain text out); both use a shared key. An eavesdropper on the channel should understand nothing about the msg.]
How can Alice & Bob share the secret key in advance?
11. Public Key Encryption
Each user has a public/private key pair. Keys are inverses of each other.
Only the owner knows the private key, but everyone knows the public key.
If the message is encrypted with the private key, then everyone with the public key can recover the message, but only the owner can generate the encrypted message.
12. Public Key Encryption (contd.)
If the message is encrypted with the public key, only the owner can decrypt it using its private key.
The first property can be used for signature and the second property can be used for encryption.
Examples: RSA, Digital Signatures
13. Public Key Encryption: Problems
If an attacker can substitute their own public key for another user's, the attacker can recover messages intended for the other user.
Requires a method of binding a user's ID with their public key.
14. Public Key Infrastructure
User (or entity) gets a related key pair:
. one private key, known only to the user
. one public key, distributable to the user
A message encrypted with one key requires the other key for decryption
15. Public Key Infrastructure (Contd.)
Need this infrastructure to prevent A from claiming that B uses the public key that A generates.
All users have an incorruptible copy of the Certificate Authority's (CA) public key.
CA signs each user's ID/Public Key pair.
However, the certificate revocation list is a major headache.
17. Cryptographic hashes
A cryptographic hash function is a deterministic procedure that takes an arbitrary block of data and returns a fixed-size bit string, the (cryptographic) hash value, such that an accidental or intentional change to the data will change the hash value. The data to be encoded is often called the "message", and the hash value is sometimes called the message digest or simply digest.
The ideal cryptographic hash function has four main properties:
it is easy to compute the hash value for any given message,
it is infeasible to find a message that has a given hash,
it is infeasible to modify a message without changing its hash,
it is infeasible to find two different messages with the same hash.
19. Well…
that was Cryptography in a nutshell…
Now we will see what GSM is.
21. GSM (Global System for Mobile communications: originally from Groupe Spécial Mobile) is the most popular standard for mobile phones in the world. Its promoter, the GSM Association, estimates that 80% of the global mobile market uses the standard. GSM is used by over 3 billion people across more than 212 countries and territories.
23. GSM was designed with a moderate level of security. The system was designed to authenticate the subscriber using a pre-shared key and challenge-response.
Communications between the subscriber and the base station can be encrypted.
The development of UMTS (Universal Mobile Telecommunications System) introduces an optional USIM (Universal Subscriber Identity Module), a software application for UMTS mobile telephony, that uses a longer authentication key to give greater security, as well as mutually authenticating the network and the user - whereas GSM only authenticates the user to the network (not vice versa).
The security model therefore offers confidentiality and authentication, but limited authorization capabilities, and no non-repudiation.
24. GSM uses several cryptographic algorithms for security. A5/1 & A5/2 stream ciphers are used for ensuring “over-the-air voice” privacy. A5/1 was developed first and it is a stronger algorithm used within Europe and the United States; A5/2 is weaker and used in other countries.
Serious weaknesses have been found in both algorithms: it is possible to break A5/2 in real-time with a Ciphertext-Only Attack, and in February 2008, Pico Computing, Inc revealed its ability and plans to commercialize FPGAs that allow A5/1 to be broken with a Rainbow Table Attack.
The system supports multiple algorithms so operators may replace that cipher with a stronger one.
25. How do Authentication & Key generation work in a GSM network?
Encryption in the GSM network utilizes a Challenge/Response mechanism.
The Mobile Station (MS) signs into the network.
The Mobile Services Switching Center (MSC) requests 5 triples from the Home Location Register (HLR).
The Home Location Register creates five triples utilizing the A8 algorithm. These five triples each contain:
A 128-bit Random Challenge (RAND)
A 32-bit matching Signed Response (SRES)
A 64-bit ciphering key used as a Session Key (Kc).
The Home Location Register sends the Mobile Services Switching Center the five triples.
The Mobile Services Switching Center sends the Random Challenge from the first triple to the Base Transceiver Station (BTS).
26. The Base Transceiver Station sends the random challenge from the first triple to the Mobile Station.
The Mobile Station receives the random challenge from the Base Transceiver Station and encrypts it with the Individual Subscriber Authentication Key (Ki) assigned to the Mobile Station utilizing the A3 algorithm.
The Mobile Station sends the Signed Response to the Base Transceiver Station.
The Base Transceiver Station sends the Signed Response to the Mobile Services Switching Center.
The Mobile Services Switching Center verifies the Signed Response.
The Mobile Station generates a Session Key (Kc) utilizing the A8 algorithm, the Individual Subscriber Authentication Key (Ki) assigned to the Mobile Station, and the random challenge received from the Base Transceiver Station.
27. The Mobile Station sends the Session Key (Kc) to the Base Transceiver Station.
The Mobile Services Switching Center sends the Session Key (Kc) to the Base Transceiver Station.
The Base Transceiver Station receives the Session Key (Kc) from the Mobile Services Switching Center.
The Base Transceiver Station receives the Session Key (Kc) from the Mobile Station.
The Base Transceiver Station verifies the Session Keys from the Mobile Station and the Mobile Services Switching Center.
28. The A5 algorithm is initialized with the Session Key (Kc) and the number of the frame to be encrypted.
Over-the-air communication channel between the Mobile Station and Base Transceiver Station can now be encrypted utilizing the A5 algorithm.
This process authenticates the GSM Mobile Station (MS) to the GSM network. One known security limitation of GSM networks is that the GSM network is never authenticated by the GSM Mobile Station (MS).
This one-way authentication makes it possible for an attacker to pretend to be a GSM network provider.
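The challenge/response exchange walked through in slides 25 to 28, as an added example (not part of the original slides). Because A3 and A8 are left to the operator, `a3_a8_standin` (HMAC-SHA-256, truncated) is an assumed stand-in; the class names, IMSI and Ki are constructed, and only the RAND/SRES exchange and the Kc derivation are modelled.

```python
import hashlib
import hmac
import secrets


def a3_a8_standin(ki, rand):
    """Assumed stand-in for the operator's A3/A8 (not a GSM algorithm).

    Returns (SRES, Kc): a 32-bit signed response and a 64-bit session key.
    """
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class HLR:
    """Holds each subscriber's Ki and issues (RAND, SRES, Kc) triples."""

    def __init__(self, subscribers):
        self._ki = dict(subscribers)              # IMSI -> Ki

    def triples(self, imsi, count=5):
        out = []
        for _ in range(count):
            rand = secrets.token_bytes(16)        # 128-bit random challenge
            out.append((rand, *a3_a8_standin(self._ki[imsi], rand)))
        return out


class MobileStation:
    """SIM side: knows Ki, answers a challenge and derives Kc locally."""

    def __init__(self, imsi, ki):
        self.imsi, self._ki, self.kc = imsi, ki, None

    def respond(self, rand):
        # Nothing in the challenge lets the MS check who sent it.
        sres, self.kc = a3_a8_standin(self._ki, rand)
        return sres


class MSC:
    """Never sees Ki; it only compares SRES with the value in the HLR's triple."""

    def __init__(self, hlr):
        self._hlr, self._triples = hlr, {}

    def authenticate(self, ms):
        queue = self._triples.setdefault(ms.imsi, [])
        if not queue:                             # fetch five more when exhausted
            queue.extend(self._hlr.triples(ms.imsi))
        rand, expected, kc = queue.pop(0)         # each triple is used once
        ok = hmac.compare_digest(ms.respond(rand), expected)
        return ok, (kc if ok else None)           # Kc is what the BTS receives


def demo():
    imsi, ki = "001010000000001", bytes(range(16))    # constructed IMSI and Ki
    msc = MSC(HLR({imsi: ki}))
    genuine = MobileStation(imsi, ki)
    impostor = MobileStation(imsi, bytes(16))         # same IMSI, wrong Ki
    ok, kc = msc.authenticate(genuine)
    keys_match = kc == genuine.kc                     # both ends derived the same Kc
    rejected_ok, _ = msc.authenticate(impostor)
    # One-way authentication: the MS also answers a RAND that no HLR issued.
    unsolicited = genuine.respond(secrets.token_bytes(16))
    return ok, keys_match, rejected_ok, len(unsolicited)


if __name__ == "__main__":
    print(demo())
```

The last value returned by `demo()` shows the one-way property: the MS produces an SRES for a challenge no HLR issued, because nothing in the exchange authenticates the network to the MS.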
29. Authentication in GSM
Home Location Register (HLR)
Visitor Location Register (VLR)
MS (Mobile Station)
AP (Access Point or Base Station)
MSC (Mobile Exchange Center)
31. Let us talk about the algorithms used…
There are 3 main types:
A5 – A stream cipher used for encryption
A3 – An authentication algorithm
A8 – A key agreement algorithm
Of those, A3 and A8 are NOT specified in GSM. Yet they are used on some occasions.
So I pay more attention to A5 (A5/1, A5/2 and A5/3, but the most famous and widely used one is A5/1)
32. Let us talk about A5/1
A5/1
A5/1 is a stream cipher used to provide over-the-air communication privacy in the GSM cellular telephone standard. It was initially kept secret, but became public knowledge through leaks and reverse engineering. A number of serious weaknesses in the cipher have been identified.
Stream Cipher:
In cryptography, a stream cipher is a symmetric key cipher where plaintext bits are combined with a pseudorandom cipher bit stream (keystream), typically by an exclusive-or (xor) operation. In a stream cipher the plaintext digits are encrypted one at a time, and the transformation of successive digits varies during the encryption.
A5/1 is used in Europe and the United States. It was developed in 1987, when GSM was not yet considered for use outside Europe, and A5/2 was developed in 1989. Both were initially kept secret. However, the general design was leaked in 1994, and the algorithms were entirely reverse engineered in 1999 by Marc Briceno from a GSM telephone. In 2000, around 130 million GSM customers relied on A5/1 to protect the confidentiality of their voice communications.
33. Description of A5/1
A GSM transmission is organized as sequences of bursts. In a typical channel and in one direction, one burst is sent every 4.615 ms and contains 114 bits available for information.
A5/1 is used to produce for each burst a 114 bit sequence of keystream which is XORed with the 114 bits prior to modulation.
A5/1 is initialized using a 64-bit key together with a publicly-known 22-bit frame number. In fielded GSM implementations 10 of the key bits are fixed at zero, resulting in an effective key length of 54 bits.
A5/1 can also be used for data encryptions in EDGE, in which case up to eight bursts are sent every 4.615 ms, each containing 348 data bits.
34. A5/1 is based around a combination of three Linear Feedback Shift Registers (LFSRs) with irregular clocking.
The three shift registers are specified as follows:
35. The bits are indexed with the least significant bit (LSB) as 0.
The registers are clocked in a stop/go fashion using a majority rule. Each register has an associated clocking bit. At each cycle, the clocking bit of all three registers is examined and the majority bit is determined.
A register is clocked if the clocking bit agrees with the majority bit. Hence at each step two or three registers are clocked, and each register steps with probability 3/4.
Initially, the registers are set to zero. Then for 64 cycles, the 64-bit secret key is mixed in according to the following scheme: in cycle , the ith key bit is added to the least significant bit of each register using XOR —
Each register is then clocked.
Similarly, the 22 bits of the frame number are added in 22 cycles. Then the entire system is clocked using the normal majority clocking mechanism for 100 cycles, with the output discarded. After this is completed, the cipher is ready to produce two 114 bit sequences of output keystream, first 114 for downlink, last 114 for uplink.
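The A5/1 initialisation and majority clocking described in slides 33 to 35, as an added example that is not part of the original slides. The register lengths, taps and clocking bits are the publicly documented A5/1 values (the slide's register table did not survive on this page), and the load order (clock all three registers, then XOR the bit into bit 0) follows the published reference implementation; the key, frame number and burst are sample values.

```python
# (length, feedback taps, clocking bit) per register; bit 0 is the LSB.
# Publicly documented A5/1 parameters; the register table is not on this page.
REGISTERS = (
    (19, (13, 16, 17, 18), 8),
    (22, (20, 21), 10),
    (23, (7, 20, 21, 22), 10),
)

def majority(a, b, c):
    """Majority of three bits."""
    return (a & b) | (a & c) | (b & c)

def _shift(reg, length, taps):
    """Clock one LFSR: shift up by one, feed the XOR of the tap bits into bit 0."""
    feedback = 0
    for t in taps:
        feedback ^= (reg >> t) & 1
    return ((reg << 1) & ((1 << length) - 1)) | feedback

def _clock_all(state):
    """Clock all three registers (used only while loading key and frame number)."""
    return [_shift(r, n, taps) for r, (n, taps, _) in zip(state, REGISTERS)]

def _clock_majority(state):
    """Stop/go clocking: a register steps only if its clocking bit is the majority."""
    cbits = [(r >> c) & 1 for r, (_, _, c) in zip(state, REGISTERS)]
    maj = majority(*cbits)
    return [_shift(r, n, taps) if cb == maj else r
            for r, cb, (n, taps, _) in zip(state, cbits, REGISTERS)]

def a51_keystream(kc, frame):
    """Return (downlink, uplink): two lists of 114 keystream bits for one frame."""
    if len(kc) != 8 or not 0 <= frame < (1 << 22):
        raise ValueError("Kc must be 8 bytes and the frame number 22 bits")
    load = [(kc[i // 8] >> (i % 8)) & 1 for i in range(64)]  # key bits, LSB first
    load += [(frame >> i) & 1 for i in range(22)]            # then the frame number
    state = [0, 0, 0]
    for bit in load:                 # assumption: clock, then XOR the bit into bit 0
        state = [r ^ bit for r in _clock_all(state)]
    for _ in range(100):             # mixing cycles, output discarded
        state = _clock_majority(state)
    bits = []
    for _ in range(228):
        state = _clock_majority(state)
        out = 0
        for r, (n, _, _) in zip(state, REGISTERS):
            out ^= (r >> (n - 1)) & 1    # output is the XOR of the three top bits
        bits.append(out)
    return bits[:114], bits[114:]

def xor_burst(burst, keystream):
    """Encrypt or decrypt one 114-bit burst; XOR makes both the same operation."""
    return [b ^ k for b, k in zip(burst, keystream)]

def pack_bits(bits):
    """Pack bits MSB-first into bytes for display or comparison."""
    out = bytearray((len(bits) + 7) // 8)
    for i, b in enumerate(bits):
        out[i // 8] |= b << (7 - i % 8)
    return bytes(out)

if __name__ == "__main__":
    kc = bytes.fromhex("1223456789abcdef")       # sample Kc (demo value)
    down, up = a51_keystream(kc, 0x134)          # sample frame number
    burst = [i % 2 for i in range(114)]          # constructed plaintext burst
    print(pack_bits(down).hex(), xor_burst(xor_burst(burst, down), down) == burst)
```

Since the frame number is public, all secrecy of the keystream rests on Kc; the same Kc and frame number always reproduce the same 228 bits.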
37. Some Attacks on A5/1
Passive Ciphertext-Only Attack[1]
Biased Birthday Attack[2]
Random Subgraph Attack[2]
38. Possible Attack Scenarios
Attacks on A5 can be in the following forms:[1]
Call wire-tapping
Call Hijacking
Altering of SMS
Call theft – Dynamic Cloning
39. What I Propose?
(STREAM & BLOCK CIPHER) COMBINED ALGORITHM FOR DATA ENCRYPTION & DECRYPTION
Provides more security to data, making it hard to cryptanalyse the cipher text
42. My Next Step
Implementation of the above mentioned algorithm in a normal PC
Verify it is better than A5/1
43. Reference:
[1]
[2]
[3] Lecture Notes of Haojin Zhu and Xiaodong Lin of the Department of Electrical and
Computer Engineering, University of Waterloo, Canada.
[4] Types & modes combined algorithm for data encryption and decryption by D.M.A.B Mailewa, T.D.B Weerasinghe, C.A Munasinghe, Piyal J. Perera of the Department of Computer Engineering, University of Peradeniya.