2. Agenda
A5 Overview:
LFSR (Linear Feedback Shift Registers)
A5/1 Description
Attack on A5:
Space-Time Attacks Overview (by Babbage)
Cryptanalysis of A5/1 (by Shamir, Biryukov, Wagner)
Other Attacks on GSM
Conclusion
3. LFSR structure
Purpose: to produce a pseudo-random bit sequence
Consists of two parts:
shift register – bit sequence
feedback function
Tap Sequence: the bits that are input to the feedback function
[Figure: shift register cells b1 b2 b3 b4 ... bn-1 bn; the tapped cells feed the feedback function (XOR), whose result is labelled "new value" and is shifted in; the other end of the register is labelled "output"]
4. LFSR Features
LFSR Period – the length of the output sequence before it starts repeating itself.
An n-bit LFSR can be in 2^n - 1 internal states
The maximal period is also 2^n - 1
The tap sequence determines the period
The polynomial formed by a tap sequence plus 1 must be a primitive polynomial (mod 2)
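Added example (not code from the slides): a small LFSR clocked until its state recurs, for a primitive and a non-primitive tap polynomial, and the same check on a 19-bit register laid out like A5/1's R1 (taps 13,16,17,18, the public A5/1 layout), which reaches the maximal period 2^19 - 1. The 4-bit tap sets are constructed for illustration.

```python
# Convention: bit k of the state holds the value shifted in k clocks ago, so a tap set
# {t1, t2, ...} means the recurrence a_t = a_{t-t1-1} + a_{t-t2-1} + ... over GF(2).
# taps (0, 3): a_t = a_{t-1} + a_{t-4}, polynomial x^4 + x^3 + 1, primitive -> period 15
# taps (1, 3): a_t = a_{t-2} + a_{t-4}, polynomial x^4 + x^2 + 1 = (x^2 + x + 1)^2, not primitive

def lfsr_step(state, taps, n):
    """Shift left by one; the XOR of the tapped bits enters at bit 0."""
    fb = 0
    for t in taps:
        fb ^= (state >> t) & 1
    return ((state << 1) & ((1 << n) - 1)) | fb

def period(taps, n, seed=1):
    """Clocks until `seed` recurs; at most 2**n - 1, since the all-zero state is a fixed point."""
    state, count = lfsr_step(seed, taps, n), 1
    while state != seed:
        state, count = lfsr_step(state, taps, n), count + 1
    return count

def cycle_lengths(taps, n):
    """Lengths of every cycle through the 2**n - 1 nonzero states (requires the top bit to be a
    tap, so that the step is a bijection). A single cycle of length 2**n - 1 appears exactly
    when the tap polynomial is primitive mod 2; otherwise the period depends on the seed."""
    seen, lengths = set(), set()
    for seed in range(1, 1 << n):
        if seed in seen:
            continue
        state, length = seed, 0
        while state not in seen:          # the walk closes back on `seed`
            seen.add(state)
            state, length = lfsr_step(state, taps, n), length + 1
        lengths.add(length)
    return sorted(lengths)

A51_R1_TAPS, A51_R1_LEN = (13, 16, 17, 18), 19   # public A5/1 R1 layout, maximal-length
```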
6. A5/1 Overview
A5/1 is a stream cipher, which is initialized all over again for every frame sent.
Consists of 3 LFSRs of 19, 22, 23 bits length.
The 3 registers are clocked in a stop/go fashion using the majority rule.
“Cryptography is a mixture of mathematics and muddle, and without the muddle the mathematics can be used against you.”
- Ian Cassells, a former Bletchley Park cryptanalyst.
8. A5/1: Operation
All 3 registers are zeroed
64 cycles (without the stop/go clock): each bit of K (lsb to msb) is XOR'ed in parallel into the lsb's of the registers
22 cycles (without the stop/go clock): each bit of Fn (the frame number, lsb to msb) is XOR'ed in parallel into the lsb's of the registers
100 cycles with the stop/go clock control, discarding the output
228 cycles with the stop/go clock control, which produce the output bit sequence.
9. The Model
The internal state of the A5/1 generator is the state of all 64 bits in the 3 registers, so there are 2^64 - 1 states.
The operation of A5/1 can be viewed as a state transition:
[Figure: S0 → S1 → S2 → ... → St, emitting the keystream bits k0, k1, k2, ..., kt]
The standard attack assumes knowledge of about 64 output bits (64 bits → 2^64 different sequences).
10. Space/Time Trade-Off Attack I
Get keystream bits k1, k2, …, kM+n and prepare M subsequences:
k1, …, kn
k2, …, kn+1
…
kM, …, kn+M
Then, repeatedly:
• generate a random state Si
• generate an n-bit keystream from it
• look for it in the M prepared keystream subsequences
11. Space/Time Trade-Off Attack II
Select R random states S1, …, SR and for each state generate an n-bit keystream:
S1: k1,1 … k1,n
S2: k2,1 … k2,n
…
SR: kR,1 … kR,n
Then:
• Get keystream bits k1, k2, …, kM+n and prepare M subsequences
• Look for a prepared state
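Added example (not code from the slides or from Babbage's paper): the second variant of the trade-off run end to end against a toy target, so it finishes in seconds. The target is assumed to be a single 19-bit maximal-length LFSR (the public A5/1 R1 layout: taps 13,16,17,18, output = top bit); the attack never uses that linearity and applies unchanged to any next_state/out_bit pair. The seed and the R, n, M values are constructed.

```python
import random

N_BITS = 19
MASK = (1 << N_BITS) - 1
TAPS = 0x072000            # bits 13, 16, 17, 18 (A5/1 R1 layout)

def next_state(s):
    """State transition of the toy target: one LFSR clock."""
    fb = bin(s & TAPS).count("1") & 1
    return ((s << 1) & MASK) | fb

def out_bit(s):
    return s >> (N_BITS - 1)

def run(s, length):
    """Keystream of `length` bits from internal state s (bit i is produced by state i)."""
    bits = []
    for _ in range(length):
        bits.append(out_bit(s))
        s = next_state(s)
    return bits

def to_int(bits):
    v = 0
    for b in bits:
        v = (v << 1) | b
    return v

def precompute(R, n, rng):
    """Precomputation: R random states S_1..S_R, each stored under its n-bit prefix k_i,1..k_i,n."""
    table = {}
    for _ in range(R):
        s = rng.getrandbits(N_BITS)
        table.setdefault(to_int(run(s, n)), s)
    return table

def attack(table, keystream, n):
    """Online phase: each of the M = len(keystream) - n + 1 windows k_j..k_j+n-1 is looked up.
    A hit returns (j, state) where `state` produced bit j; None if no window is prepared."""
    for j in range(len(keystream) - n + 1):
        s = table.get(to_int(keystream[j:j + n]))
        if s is not None:
            return j, s
    return None

def demo(seed=2024, R=1 << 13, n=24, M=1 << 10):
    """Prepare R states, observe M + n bits from a constructed secret state, try to recover it.
    With R * M / 2**19 = 16 expected hits, a miss is very unlikely."""
    rng = random.Random(seed)
    table = precompute(R, n, rng)
    secret = rng.getrandbits(N_BITS) or 1        # constructed secret, never passed to attack()
    keystream = run(secret, M + n)
    return attack(table, keystream, n), keystream
```

Because 19 consecutive output bits of this target are its state bits, a table hit identifies the state exactly, so regenerating from it reproduces the rest of the observed keystream.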
12. Shamir/Biryukov Attack Outline
2 disks (73 GB) and the first 2 minutes of the conversation are needed. Can find the key in less than a second.
This attack is based on the second variation of the space/time tradeoff.
There are n = 2^64 total states
A – the set of prepared states (and relevant prefixes)
B – the set of states through which the algorithm proceeds
The main idea:
Find a state s in A ∩ B (the states are identified by prefix)
Run the algorithm in the reverse direction
13. Biased Birthday Attack
Birthday paradox: A ∩ B ≠ ∅ if |A| ∙ |B| ≈ n
Each state is chosen for A with probability P_A(s) and for B with probability P_B(s). Then, the intersection will not be empty if
Σ_s P_A(s) ∙ P_B(s) ≈ 1
The idea is to choose the states for A and B with 2 non-uniform distributions that are correlated with each other.
14. Disk Storage
[Figure: disk records laid out as (state, prefix) pairs]
The prefixes can be sorted and thus serve as indices into the states array.
The registers are small, so we can precompute all their states and store them in 3 cyclic arrays.
But for each state we only need to store two bits: the clock bit and the output bit.
A state is then an index triple (i, j, k) into the three arrays.
At each step we only have to know which of the three indices should be incremented.
This can be implemented by a precomputed table with 3 input bits (the clock bits) and the increment vector as the output.
No shift operations!
State transition (the one row shown on the slide):
c1 c2 c3 | inc1 inc2 inc3
0  1  0  | 1    1    0
15. Special States
Disk access is very time-consuming!
Keep on disk (set A) only those states which produce a sequence that starts with a certain pattern α, |α| = k
Access the disk only when α is encountered
Only 1 in 2^k prefixes can start with α, so we reduce the number of total possible states (n) by 2^k and the number of disk accesses by 2^k. The size of A, however, is unchanged, and we only insert the states that satisfy the condition there. Thus, we don't miss intersections.
16. Generation of Special States
Choose from all 2^64 states the needed 2^48?
It's too time-consuming and unrealistic.
The solution is to generate them:
[Figure: the three registers C1, C2, C3 drawn with bit groups of 11, 12, 19, 11 and 11 bits (64 bits in total); 2^41 chosen bits; each register moves approximately ¾ of the cycles.]
17. Reversing A5/1
Forward state transition is deterministic …
In the reverse direction there could be up to 4 predecessors (majority clock control).
Example:
[Figure: the bits around the clocking tap of C3, C2, C1 shown as 101, 010, 101]
What was the clock majority bit at the previous round?
Here we see that there are no predecessors!
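Added example, not code from the slides or from the Biryukov-Shamir-Wagner paper: A5/1 keystream generation with the key-setup sequence listed on slide 8, and the predecessor enumeration behind slide 17 (undoing one majority-clocked step). Tap and clocking-bit positions are the publicly documented A5/1 ones (R1 taps 13,16,17,18; R2 taps 20,21; R3 taps 7,20,21,22; clocking bits 8,10,10); any key or state values used with it are constructed.

```python
LEN = (19, 22, 23)                       # register sizes R1, R2, R3
MASK = tuple((1 << n) - 1 for n in LEN)
TAPS = (0x072000, 0x300000, 0x700080)    # feedback taps; each set includes the register's top bit
CLK = (8, 10, 10)                        # clocking bits used by the majority rule

def parity(x):
    return bin(x).count("1") & 1

def step(reg, i):
    """Clock register i once: shift left, XOR of the tapped bits enters at bit 0."""
    return ((reg << 1) & MASK[i]) | parity(reg & TAPS[i])

def unstep(reg, i):
    """The unique pre-image of step(): bits 1..n-1 slide back down, and because the top bit
    is a tap, the feedback bit now sitting at bit 0 determines it."""
    top = (reg & 1) ^ parity((reg >> 1) & TAPS[i])
    return (reg >> 1) | (top << (LEN[i] - 1))

def majority_clock(state):
    """Stop/go step: a register moves only if its clocking bit equals the majority."""
    bits = [(state[i] >> CLK[i]) & 1 for i in range(3)]
    maj = 1 if sum(bits) >= 2 else 0
    return tuple(step(state[i], i) if bits[i] == maj else state[i] for i in range(3))

def output_bit(state):
    return (state[0] >> 18) ^ (state[1] >> 21) ^ (state[2] >> 22)

def keystream(key, frame):
    """key: 8 bytes K, frame: 22-bit frame number Fn. Returns the 228 output bits of one frame,
    following the cycle counts on the A5/1 operation slide."""
    def load(st, bit):                   # clock all three (no stop/go), XOR bit into each lsb
        return tuple(step(st[i], i) ^ bit for i in range(3))
    state = (0, 0, 0)                                       # all 3 registers zeroed
    for i in range(64):                                     # 64 cycles: key bits, lsb to msb
        state = load(state, (key[i // 8] >> (i % 8)) & 1)
    for i in range(22):                                     # 22 cycles: frame bits, lsb to msb
        state = load(state, (frame >> i) & 1)
    for _ in range(100):                                    # 100 stop/go cycles, output discarded
        state = majority_clock(state)
    out = []
    for _ in range(228):                                    # 228 stop/go cycles produce output
        state = majority_clock(state)
        out.append(output_bit(state))
    return out

def predecessors(state):
    """All p with majority_clock(p) == state. At least two registers move per step, so only
    four move patterns exist; each yields one candidate, which may fail the majority check,
    hence 0 to 4 predecessors (the slide's example has none)."""
    preds = []
    for moved in ((1, 1, 1), (1, 1, 0), (1, 0, 1), (0, 1, 1)):
        cand = tuple(unstep(state[i], i) if moved[i] else state[i] for i in range(3))
        if majority_clock(cand) == state and cand not in preds:
            preds.append(cand)
    return preds
```

A constructed state such as (0, 0, 1 << 11) has no predecessor, while (1 << 9, 1 << 11, 1 << 11) has all four, which is the spread the slide describes.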
18. Estimations …
We need 5 bytes per state to store on disk (73 GB), so we can afford 146 ∙ 2^30 / 5 = 2^35 states
We use 51-bit prefixes (the first 16 bits are α)
How many times will α be encountered in the data?
there are 228 bits of data, that is, 177 (228 - 51) "relevant offsets"
2 minutes of operation, that is, 120 ∙ 1000/4.5 frames
2^-16 is the fraction of all possible states which start with α
so, the number of occurrences is 2^-16 ∙ 177 ∙ 120 ∙ 1000/4.5 ≈ 71
19. Tree Exploration
A state is red if the sequence of output bits produced from the state starts with α. There are 2^48 red states.
A state is green if the sequence produced from the state contains an α-occurrence between bit positions 101 – 277. There are 177 ∙ 2^48 green states.
We can assume that the short path (of length 277) will contain only one occurrence of α, so the mapping is many-to-1.
[Figure: red: α at the start of the output sequence; green: α later in the sequence]
20. Tree Exploration II
The set of relevant states can be viewed as a collection of disjoint trees with a red state as the root and the rest of the nodes green states.
We're interested in trees with green states at levels 101-277. The weight of a tree, W(s), is the number of green states at those levels.
[Figure: one such tree, with arrows labelled "sequence generation" and "reverse direction"]
21. Tree Exploration III
It is experimentally found that W(s) has a highly non-uniform distribution:
85% of the trees die before reaching level 100
15% of the trees have 1 ≤ W(s) ≤ 2600
Choose 2^35 states (biased probability) with particularly heavy trees (average weight 12500) from the overall 2^48 red states
The expected number of collisions: (2^35 ∙ 12500 ∙ 71) / (177 ∙ 2^48) ≈ 0.61
22. Tree Exploration IV
Heavy trees → a large number of green state candidates?
We know the exact location of α in the sequence, so we know the exact depth in the tree.
The trees are narrow, so the total number of states we'll have to check is less than 100!
23. Attack Summary
Due to frequent reinitialization (for every new frame), it's possible to efficiently run the algorithm backwards (328 steps).
Poor choice of the clocking taps.
Each one of the registers is so small that it's possible to precompute all its states.
24. Attacks on the Signaling Network
The transmissions are encrypted only between MS and BTS. After the BTS, the protocols between MSC and BSC (BSSAP) and inside the operator's network (MAP) are unencrypted, allowing anyone who has access to the signaling system to read or modify the data on the fly!
So, the SS7 signaling network is completely insecure.
The attacker can gain the actual phone call, RAND & SRES…
25. Attacks on the Signaling Network
If the attacker can access the HLR, s/he will be able to retrieve the Ki for all subscribers of that particular network.
26. Retrieving Ki over the Air
The Ki key can be retrieved from the SIM over the air:
The MS is required to respond to every challenge made by the GSM network (there is no authentication of the BTS).
An attack based on differential cryptanalysis could take 8-15 hours and requires that the signal from the legitimate BTS be disabled for that time, but it's still real …
The same attack could be applied to the AuC:
It also has to answer the requests made by the GSM network
It's much faster than the SIM
27. SMS Architecture
SMS is a "store and forward" message system: the message is sent from the originator to the SMS Center, and then on to the recipient.
SMS messages can be up to 160 characters in length
Sent in clear (but in different formats).
28. SMS Attacks
[Figure: an SMS packet, made up of instructions to the SIM, the message body, instructions to the handset, instructions to the SMSC and instructions to the air interface]
A broken UDH (user data header) in an SMS message caused a crash in some Nokia phones. It required the user to put their SIM into a non-affected phone and delete the offending message.
Spoofing SMS messages: the Originating Address field can be arbitrarily set to anything.
Applications using SMS should take care of authentication and also encrypt their messages!
29. Conclusions
Pros
It's the most secure cellular telecommunication system available today (2-2.5G)
Good framework for reasonably secure communications
The security model has minimal impact on manufacturers
SIM – keys, A3, A8, etc.
SIM Toolkit – additional SIM functionality
Mobile Equipment – A5
The future - 3GPP:
the design is public
mutual authentication (EAP-SIM Authentication), key length increased, security within and between networks, etc.
30. Conclusions (cont.)
Cons
Security by Obscurity
Only access security – doesn't provide end-to-end security
GSM security is broken at many levels, vulnerable to numerous attacks
Even if the security algorithms are not broken, the GSM architecture will still be vulnerable to attacks from inside or attacks targeting the operator's backbone
No mutual authentication
Confidential information requires additional encryption over GSM
31. References
GSM Association, http://www.gsmworld.com
M. Rahnema, “Overview of the GSM System and Protocol Architecture”, IEEE Communication Magazine, April 1993
L. Pesonen, “GSM Interception”, November 1999
J. Rao, P. Rohatgi, H. Scherzer, S. Tinguely, “Partitioning Attack: Or How to Rapidly Clone Some GSM Cards”, IEEE Symposium on Security and Privacy, May 2002.
P. Kocher, J. Jaffe, “Introduction to Differential Power Analysis and Related Attacks”, Cryptography Research, 1998
S. Babbage, “A Space/Time Trade-off in Exhaustive Search Attacks on Stream Ciphers”, European Convention on Security and Detection, IEE Conference publication, No. 408, May 1999.
A. Biryukov, A. Shamir, D. Wagner, “Real Time Cryptanalysis of A5/1 on a PC”, Preproceedings of FSE ‘7, pp. 1-18, 2000
ISAAC, University of California, Berkeley, “GSM Cloning”, http://www.isaac.cs.berkeley.edu/isaac/gsm-faq.html
S. Chan, “An Overview of Smart Card Security”, http://home.hkstar.com/~alanchan/papers/smartCardSecurity/