Date post: | 24-Dec-2015 |
Upload: | felix-august-ball |
Applied Cryptography
Spring 2015
GSM and cryptography
Frequency planning
[From C.Chang]
A cluster is a group of cells which uses the entire radio spectrum.
The cluster size N is the number of cells in each cluster. Each cell within a cluster is allocated a distinct set of frequencies (channels), and cells labeled with a given number, i.e. co-channel cells, reuse the same channel set. As the cell size decreases, traffic carrier capacity increases, and thus cells start big and split as the system grows.
Frequency planning
[Figure: frequency reuse layouts with channel sets f1 to f7 (and sector sets g1 to g3, h1 to h3) for a 3 cell cluster, a 7 cell cluster, and a 3 cell cluster with 3 sector antennas]
[From C.Chang]
Handoffs
When a user moves from the coverage area of one BS to the adjacent one, a handoff (handover) has to be executed to continue the call. A handoff contains two main parts:
– Find an uplink-downlink channel pair from the new cell to carry on the call
– Drop the link from the original BS.
Issues involved in Handoffs:
– Optimal BS selection
– Ping-pong effect: The call gets bounced back and forth in the boundaries between different cells. This should be avoided.
– Data loss
– Detection of handoff requirement: Three handoff schemes:
• Mobile-initiated: An MT monitors the signal strength and requests a handoff when the strength drops below a threshold.
• Network-initiated handoff: The BS forces a handoff if the signals from an MT weaken.
• Mobile-assisted handoff: An MT evaluates the signal strength and the BS decides the handoff.
[From C.Chang]
Cellular Architecture
Every cell has a Base Station (BS) to which all Mobile Terminals (MTs) in the cell communicate.
A Base Station Controller (BSC) controls a group of BTSs. Together the BTS and BSC systems are known as the Base Station System (BSS). The BSC is vital to the BSS in that it ensures that subscribers can move freely from one cell to another with no loss in signal strength.
A BSC is then connected to a Mobile Switching Center (MSC). The MSC acts as an interface between the cellular radio system and the public switched telephone network (PSTN).
The Authentication Center (AuC) validates the MTs by verifying their identity with the Equipment Identity Register (EIR).
The MSCs are linked through a signaling system 7 (SS7) network, which controls setting up, managing, and releasing of telephone calls.
[From C.Chang]
Cellular Architecture
The SS7 protocol introduces certain nodes called Signal Transfer Points (STPs) which help in call routing.
An MT, or mobile station (MS), reports its location to the network periodically. Each user is permanently associated with the home location register (HLR) in his/her subscribed cellular network.
This HLR contains the user profile consisting of the services subscribed by the user, billing information, and location information.
The Visitor Location Register (VLR) maintains the information regarding roaming users in the cell. VLRs download the information from the users’ respective HLRs.
[From C.Chang]
Cellular Architecture
[Figure: cellular architecture diagram with the elements PSTN, BSC, MSC, GMSC, AuC, HLR, VLR, EIR and STP, and the SS7 Network]
MT: Mobile Terminal
BS: Base Station
HLR: Home Location Register
VLR: Visitor Location Register
EIR: Equipment Identity Register
AuC: Authentication Center
MSC: Mobile Switching Center
STP: Signal Transfer Point
PSTN: Public Switched Telephone Network
BSC: Base Station Controller
[From C.Chang]
Mobile Phone Systems History
[From S.Nguyen]
1st Generation
• First commercial cellular telephone system began operation in Tokyo in 1979
• AMPS (Advanced Mobile Phone System)
– Available in Chicago by Ameritech in 1983
– 800 MHz, FDMA, 395 voice and 21 control channels
– Digital AMPS (often referred to as TDMA), currently being phased out (GSM, CDMA2000)
• NMT (Nordic Mobile Telephony)
– Opened for service in 1981 in Saudi Arabia :), next in Sweden
– Large cells, up to 30 km (still operates in Iceland), in Sweden will be suspended on 31.12.2007
– 150, 450, 900 MHz
– Non-encrypted, newer versions support scrambling
– Basic but robust messaging services
– FFSK modulation (characteristic noises during handovers)
Mobile Phone Systems History
[From S.Nguyen]
2nd Generation
• TDMA Interim Standard 54 (TDMA IS-54) in 1991
• TDMA IS-136 (updated version)
• GSM (Global System for Mobile Communications)
– In 1987, standard created with hybrid of FDMA and TDMA technologies
– Accepted in the United States in 1995
– Operated in 1996
– Major carriers of GSM 1900: Omnipoint, Pacific Bell, BellSouth, Sprint Spectrum, Microcell, Western Wireless, Powertel and Aerial
• CDMA IS-95 (Code Division Multiple Access)
– Developed by Qualcomm corporation in late 1980s
– Operated in 1996
• CDMA2000 (2.5G/3G protocol), incompatible with UMTS (a major competitor)
– Used in a number of weird countries - Venezuela, Latvia (?!) (Triatel, 450MHz)
Analog Voice: AMPS
AMPS (Advanced Mobile Phone System) is the analog system (1G) first developed and used in the U.S. Nordic mobile telephony (NMT) is a 1G system developed in Europe.
The cellular structure uses a cluster size of seven, and each cell is roughly 10 to 20 km across.
The AMPS system uses FDM to separate 832 full-duplex channels.
– 832 simplex transmission channels from 824 to 849 MHz
– 832 simplex receive channels from 869 to 894 MHz
– Each simplex channel is 30 kHz wide.
These channels are divided into four categories:
– Control (base to mobile) to manage the system (21 channels)
– Paging (base to mobile) to alert users to calls for them
– Access (bidirectional) for call setup and channel assignment
– Data (bidirectional) for voice, fax, or data (45 channels)
AMPS provides a maximum data transmission rate of 10 Kbps.
[From C.Chang]
TDMA (IS-136)
Uses FDMA and TDMA Channels that are each 30 kHz wide
– Cellular (850 band) – uplink/downlink channels separated by 45 MHz
– PCS (1900 band) – uplink/downlink channels separated by 80 MHz
Each channel is further divided using TDMA into 6 time slots
Each time slot lasts 6.66 ms and contains 324 bits
Voice call uses 2 time slots in every frame
20 ms speech sample interleaved over two consecutive bursts
[Figure: one 30 kHz channel divided into time slots A B C A B C; timeslot = 6.66 ms, frame = 40 ms]
[From D.Watkins]
CDMA
CDMA (Code Division Multiple Access) is a standard using spread spectrum transmission (2G).
– The original CDMA standard, also known as cdmaOne and still common in cellular telephones in the U.S., offers a transmission speed of up to 14.4 Kbps in its single channel form and up to 115 Kbps in an eight-channel form.
– It operates in the 800 and 1900 MHz bands.
– Each simplex channel is 1.25 MHz wide.
– It can carry data at rates up to 115 kbps.
Operation of CDMA:
– In CDMA, the input signals are digitized and transmitted in coded, spread-spectrum mode over a broad range of frequencies.
– In CDMA, each bit time is subdivided into m short intervals called chips. Typically, there are 64 or 128 chips per bit.
– Each station is assigned a unique m-bit code called a chip sequence.
– To transmit a 1 bit, a station sends its chip sequence. To transmit a 0 bit, the station sends the one’s complement of its chip sequence.
– The receiver can “tune” into this signal if it knows the chip sequence (pseudo random number); tuning is done via a correlation function.
[From C.Chang]
CDMA
Synchronous CDMA, also known as Code Division Multiplexing (CDM), exploits at its core mathematical properties of orthogonality.
Suppose we represent data signals as vectors. For example, the binary string "1011" would be represented by the vector (1, 0, 1, 1). We also use an operation on vectors, known as the dot product, to "multiply" vectors, by summing the product of the components.
For the special case when the dot product of two vectors is identically 0, the two vectors are said to be orthogonal to each other.
For orthogonal vectors:
CDMA
Example of set of orthogonal vectors:
To transmit "1", transmit your chip code.
To transmit "0", transmit the complement of your chip code (vector multiplied by -1).
Asynchronous CDMA: use "pseudo-random" sequences, that are "close to orthogonal", independently from their starting points...
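An added example (not part of the original slides) of the synchronous CDMA scheme described above: several stations with orthogonal chip codes transmit at the same time, and each receiver recovers its own bits with the dot product. The Walsh-Hadamard construction of the codes, the station numbering and the sample messages are assumptions chosen for illustration.

```python
def walsh_codes(order):
    """Return 2**order mutually orthogonal +1/-1 chip codes (Hadamard rows)."""
    codes = [[1]]
    for _ in range(order):
        codes = ([row + row for row in codes] +
                 [row + [-c for c in row] for row in codes])
    return codes


def dot(u, v):
    """Dot product: sum of the component-wise products."""
    return sum(a * b for a, b in zip(u, v))


def transmit(code, bits):
    """Bit 1 -> the chip code, bit 0 -> its complement (code multiplied by -1)."""
    signal = []
    for b in bits:
        sign = 1 if b else -1
        signal.extend(sign * c for c in code)
    return signal


def channel(signals):
    """The shared medium adds simultaneous transmissions chip by chip."""
    return [sum(chips) for chips in zip(*signals)]


def receive(code, combined):
    """Correlate every bit period with one chip code.

    A positive correlation decodes as 1, a negative one as 0, and zero means
    the station owning this code sent nothing in that bit period.
    """
    m = len(code)
    bits = []
    for i in range(0, len(combined), m):
        corr = dot(code, combined[i:i + m])
        bits.append(1 if corr > 0 else 0 if corr < 0 else None)
    return bits


def demo():
    codes = walsh_codes(2)                      # 4 codes, 4 chips per bit
    # Constructed sample messages; station 2 stays silent.
    messages = {0: [1, 0, 1, 1], 1: [0, 0, 1, 0], 3: [1, 1, 0, 0]}
    combined = channel([transmit(codes[s], m) for s, m in messages.items()])
    decoded = {s: receive(codes[s], combined) for s in range(len(codes))}
    return codes, combined, decoded


if __name__ == "__main__":
    codes, combined, decoded = demo()
    print("signal on the air:", combined)
    for station, bits in decoded.items():
        print("station", station, "->", bits)
```

Because the codes are orthogonal, the other stations contribute exactly zero to each correlation, which is why the silent station decodes as "nothing sent" instead of noise.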
PDC
Personal Digital Cellular (PDC) is a 2G mobile phone standard developed and used exclusively in Japan
Like D-AMPS and GSM, PDC uses TDMA. The standard was defined by the RCR in April 1991, and NTT DoCoMo launched its Digital MOVA service in March 1993. PDC uses 25 kHz carrier, 3 time slots, pi/4-DQPSK modulation and low bit-rate 11.2 kbit/s and 5.6 kbit/s (half-rate) voice codecs.
PDC is implemented in the 800 MHz (downlink 810-888 MHz, uplink 893-958 MHz), and 1.5 GHz (downlink 1477-1501 MHz, uplink 1429-1453 MHz) bands. The air interface is defined in RCR STD-27 and the core network MAP by JJ-70.10. NEC and Ericsson are the major network equipment manufacturers.
PDC
Personal Digital Cellular (PDC)
The services include voice (full and half-rate), supplementary services (call waiting, voice mail, three-way calling, call forwarding, and so on), data service (up to 9.6 kbit/s CSD), and packet-switched wireless data (up to 28.8 kbit/s PDC-P).
Compared to GSM, PDC's weak broadcast strength allows small, portable phones with light batteries at the expense of substandard voice quality and problems maintaining the connection, particularly in enclosed spaces like elevators.
After a peak of nearly 80 million subscribers to PDC, it now has 45.856 million subscribers (December 2005) and is slowly being phased out in favor of 3G technologies like W-CDMA and CDMA2000.
GSM
GSM
– formerly: Groupe Spéciale Mobile (founded 1982)
– now: Global System for Mobile Communication
– Pan-European standard (ETSI, European Telecommunications Standardization Institute)
– simultaneous introduction of essential services in three phases (1991, 1994, 1996) by the European telecommunication administrations (Germany: D1 and D2); seamless roaming within Europe possible
– today many providers all over the world use GSM (more than 200 countries in Asia, Africa, Europe, Australia, America)
– more than 1.3 billion subscribers in more than 630 networks
– more than 75% of all digital mobile phones use GSM (74% total)
– over 200 million SMS per month in Germany, > 550 billion/year worldwide (> 10% of the revenues for many operators) [be aware: these are only rough numbers…]
[From C.Chang]
Performance of GSM
Communication: mobile, wireless communication; support for voice and data services
Total mobility: international access, chip-card enables use of access points of different providers
Worldwide connectivity: one number, the network handles localization
High capacity: better frequency efficiency, smaller cells, more customers per cell
High transmission quality: high audio quality and reliability for wireless, uninterrupted phone calls at higher speeds (e.g., from cars, trains)
Security functions: access control, authentication via chip-card and PIN
[From C.Chang]
Latest Global Cellular Statistics (end of 2004)
[From S.Nguyen]
Global Mobile Users: 1.57 billion
GSM: 1.25 billion
CDMA: 202m
TDMA: 120m
Facts
#1 Mobile Country: China (300m)
Total European users: 342.43m
US Mobile users: 140m
Total African users: 53m
1.87 billion mobile users by 2007 (27.4% of the world’s population)
GPRS: General Packet Radio Service
Properties
– Packet mode service (end-to-end)
– Data rates up to 171.2 kbit/s (theoretical), effectively up to 115 kbit/s
– Effective and flexible management of the air interface
– Adaptive channel coding
– Standardised interworking with IP- and X.25 networks
– dynamic resource sharing with the “classic” GSM voice services
– advantage: billing per volume, not per connection time
[From W.Schneider]
GPRS Security Mechanisms
Security in GPRS is very similar to GSM
• Authentication through SGSN with Challenge-Response
• Use of temporary identities (managed through SGSN)
• Encryption algorithm A5/3 (GEA3)
• But: no end-to-end encryption
• Key generation and management as in GSM
• No authentication and confidentiality of signalling messages within the signalling network
[From W.Schneider]
UMTS
Universal Mobile Telecommunications System (UMTS) is one of the third-generation (3G) mobile phone technologies. It uses W-CDMA as the underlying standard, is standardized by the 3GPP, and is the European answer to the ITU IMT-2000 requirements for 3G Cellular radio systems.
To differentiate UMTS from competing network technologies, UMTS is sometimes marketed as 3GSM, emphasizing the combination of the 3G nature of the technology and the GSM standard which it was designed to succeed.
Migration to 3G
4G in Latvia (LMT)
GSM security
Use of a smart card SIM – Subscriber Identity Module, tamper resistant device containing critical subscriber information, e.g. 128-bit key shared with Home Operator
SIM is the entity which is authenticated, basis for roaming
Initial GSM algorithms (were) not publicly available and under the control of GSM-A, new (3G) algorithms are open
GSM ciphering on “first hop” only: stream ciphers using 54/64 bit keys, future 128 bits
One-sided challenge-response authentication
Basic user privacy support (“pseudonyms”)
No integrity/replay protection
GSM crypto is probably (one of) the most frequently used crypto in the world.
[From M.Näslund]
Cryptographic features of wireless
Wireless is subject to
• limited bandwidth
• bit-errors (up to 1% RBER)
As a consequence, most protocols:
• use stream ciphers (no padding, no error-propagation)
• do not use integrity protection (data expansion, loss)
[From M.Näslund]
GSM architecture
GSM - establishing communication
[From Barkan et al]
Immediate assignment procedure:
Service Request and Contention Resolution:
GSM - establishing communication
[From Barkan et al]
Authentication:
GSM security
[Figure: network path with Radio Base Station (RBS), Base Station Controller, MSC and SGSN]
CS - Confidentiality: A5/1, A5/2, A5/3 (new, open)
GPRS - Confidentiality: GEA1, GEA2, GEA3 (new, open)
Authentication: A3 Algorithm
[From M.Näslund]
54 bits is the effective key length of the A5/1 algorithm. 40 bits is the effective key length of the GEA algorithm. Both algorithms employ (“ineffective”) 64-bit keys.
[Figure: Mobile Station (SIM) and GSM Operator on either side of the Radio Link. Both sides hold Ki and run A3, A8 and A5. Labels: Challenge RAND; Signed response (SRES); Kc; Fn; mi, Encrypted Data, mi]
Authentication: are SRES values equal?
GSM security
[From S.Farrell]
GPRS security
Subscriber Identity Module
C1: Supply voltage
– (4.5 to 5.5 volts DC).
C2: Reset signal
C3: Clock signal
– (1 to 5 MHz, external)
C4: Reserved
C5: Ground
C6: Programming voltage
– (if available)
C7: Input/Output
– Baudrate is (clock frequency) / 372.
C8: Reserved
[From D.Veeneman]
SIM attacks
Repeated authenticate, leaks Ki
– (New SIMs have a limit (about 50k) on the number of times the authentication algorithm can be run)
Side-channel attacks
– Power consumption
– Timing
– Electromagnetic emanations
[From D.Veeneman]
GSM authentication
A random challenge is issued to the mobile
Mobile encrypts the challenge using the authentication algorithm (A3) and the key assigned to the mobile (Ki)
Mobile sends response back (SRES)
Network checks that the response to the challenge is correct.
[From D.Veeneman]
GSM authentication
A3 and A8: Authentication and key derivation (proprietary)
A5: encryption (A5/1-4, standardized)
[Figure: SIM, Phone and Radio Base Station. Labels: A3A8 in the SIM with Ki (128), rand (128), res (32), Kc (64); A5/x in the Phone with frame# and data/speech; encr frame on the Radio i/f]
(No netw auth, no integrity/replay protection)
[From M.Näslund]
GSM authentication
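[Figure: authentication message flow between the RBS and MSC/VLR in the Visited Network and the AuC/HLR in the Home Network, with Ki shown at both ends. Labels: Req(IMSI); RAND, XRES, Kc; RAND; RES; RES = XRES ?; RAND, Kc]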
[From M.Näslund]
GSM authentication
GSM authentication - algorithms
A3 and A8 are in the SIM
– Operators can choose their own A3/A8
– COMP-128 provided as example algorithm
– Can securely pass (RAND,SRES,Kc) while roaming
[From D.Veeneman]
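The triplet exchange from the authentication slides above, as an added example that is not part of the original deck: the home AuC derives (RAND, XRES, Kc) from Ki, and the visited network checks RES = XRES without ever holding Ki. Since A3/A8 are operator-chosen and COMP128 is not reproduced on the page, HMAC-SHA256 is used here as a labelled stand-in; the class names, function names and test IMSI are hypothetical.

```python
import hashlib
import hmac
import os


def a3a8_standin(ki: bytes, rand: bytes):
    """Stand-in for the operator's A3/A8 (NOT COMP128).

    Returns (SRES, Kc) with the sizes used by GSM: 32 and 64 bits.
    """
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class Sim:
    """Holds Ki and answers any RAND; it has no way to check who is asking."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki

    def run_gsm_algorithm(self, rand: bytes):
        return a3a8_standin(self._ki, rand)


class HomeAuC:
    """AuC/HLR in the home network: the only network element storing Ki."""

    def __init__(self):
        self._ki = {}

    def provision(self, imsi: str) -> Sim:
        self._ki[imsi] = os.urandom(16)            # 128-bit Ki
        return Sim(imsi, self._ki[imsi])

    def triplet(self, imsi: str):
        rand = os.urandom(16)                      # 128-bit challenge
        xres, kc = a3a8_standin(self._ki[imsi], rand)
        return rand, xres, kc


class VisitedNetwork:
    """MSC/VLR: works only with (RAND, XRES, Kc) and never learns Ki."""

    def __init__(self, home: HomeAuC):
        self.home = home

    def authenticate(self, sim: Sim):
        rand, xres, kc = self.home.triplet(sim.imsi)      # Req(IMSI) -> triplet
        res, _kc_on_sim = sim.run_gsm_algorithm(rand)     # RAND out, RES back
        ok = hmac.compare_digest(res, xres)               # RES = XRES ?
        return ok, (kc if ok else None)


def demo():
    home = HomeAuC()
    sim = home.provision("001010000000001")        # constructed test IMSI
    wrong_key_sim = Sim(sim.imsi, bytes(16))       # same IMSI, different Ki
    vlr = VisitedNetwork(home)
    return vlr.authenticate(sim), vlr.authenticate(wrong_key_sim)


if __name__ == "__main__":
    print(demo())
```

The SIM returns the same (SRES, Kc) every time it sees the same RAND and never verifies the sender, which is the one-sided authentication and missing replay protection the slides point out.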
COMP128 updates
COMP128-2
– 54-bit Kc
– Secret algorithm
COMP128-3
– 64-bit Kc
– Secret algorithm
Proposal for new A3/A8 based on MILENAGE
– Milenage based on Rijndael (AES)
– Algorithm will be public
New A3/A8 requires
– AuC software upgrade
– New SIMs
[From D.Veeneman]
COMP128 - history
[From Barkan et al]
A8: Session Key
COMP128: SRES, Session Key
A3: Signature Response
COMP128
COMP128 pseudocode
Input: 16 byte secret key, 16 byte RAND
Output: 4 byte SRES, 8 byte session key (simoutput[12])
Load RAND into x[16…31]
Perform the following 8 times
– Load secret key into x[0…15]
– Compression
– Bits to Bytes
– Permutation (only on first 7 rounds)
Compress 16 bytes to 12 bytes (simoutput)
Return simoutput[ ]
COMP128
Permutation:
- Bits to Bytes
- Only 4 bits in each entry
- Example shows bits for x[0]; x[1] gets bits 8, 25, 42, 59, 76, 93, 110, 127
[Figure: bits 0, 17, 34, 51, 68, 85, 102, 119 mapped into byte x[0]; bytes x[0], x[1], x[2] shown]
COMP128
COMP128 - what went wrong?
Design of a security cryptosystem should be under the Kerckhoffs’ principle.
GSM design committee kept all security specifications secret.
Attacks on COMP128
April 13, 1998: Marc Briceno (Director of the Smartcard Developer Association) and two U.C. Berkeley researchers, David Wagner and Ian Goldberg
– The 128-bit Ki could be deduced by collecting around 150,000 chosen RAND-SRES pairs.
May 2002: IBM Side-Channel attack (Partitioning Attack)
– 1000 random inputs, or 255 chosen inputs, or only 8 adaptively chosen inputs.
Cryptanalysis of COMP128
Is it secure?
– Well, it has lots of rounds…
– The keyed map f_k : r ↦ r' is applied 8 times
But: beware collisions!
– Attempt #2: Modify both r0 and r8, and look for an internal collision [BGW98]
It works!
[Figure: diagram with inputs k0, k1, …, k16 and r0, r1, …, r8, r16 and outputs r'0, r'1, …, r'16; caption: repeat 8 times]
[From D.Wagner]
A narrow “pipe” exists in COMP128.
Bytes i, i+8, i+16, i+24 at the output of the 2nd level depend only on bytes i, i+8, i+16, i+24 of the initial input.
Cryptanalysis of COMP128
How to clone SIM card
GSM - voice encoding
In the 900 MHz band the uplink frequency band is 890-915 MHz, and the downlink frequency band is 935-960 MHz. This 25 MHz bandwidth is subdivided into 124 carrier frequency channels, each spaced 200 kHz apart. Time division multiplexing is used to allow eight full-rate or sixteen half-rate speech channels per radio frequency channel. There are eight radio timeslots (giving eight burst periods) grouped into what is called a TDMA frame. Half rate channels use alternate frames in the same timeslot. The channel data rate is 270.833 kbit/s, and the frame duration is 4.615 ms.
GSM - voice encoding
GSM has used a variety of voice codecs to squeeze 3.1 kHz audio into between 6 and 13 kbps. Originally, two codecs, named after the types of data channel they were allocated, were used, called "Full Rate" (13 kbps) and "Half Rate" (6 kbps). These used a system based upon linear predictive coding (LPC). In addition to being efficient with bitrates, these codecs also made it easier to identify more important parts of the audio, allowing the air interface layer to prioritize and better protect these parts of the signal.
GSM was further enhanced in the mid-nineties with the GSM-EFR codec, a 12.2kbps codec that uses a full rate channel. Finally, with the development of UMTS, EFR was refactored into a variable-rate codec called AMR-Narrowband, which is high quality and robust against interference when used on full rate channels, and less robust but still relatively high quality when used in good radio conditions on half-rate channels.
GSM - frames
[From Barkan et al]
GSM encryption - algorithms
A5 is built into the hardware
– A5/1 - more secure
– A5/2 - less secure
– Unencrypted
[From D.Veeneman]
A5 was deliberately weakened by zeroing 10 key bits
Even where providers don’t use COMP128, all shorten the key
GSM encryption - algorithms
[From Barkan et al]
Status of A5
All Ax algorithms initially secret.
A5/1 ”leaked” in mid 90’s. A few attacks found.
[Biryukov, Wagner, Shamir 01]: 300Gb precomputed data and 2s known plaintext retrieve Kc 1min.
Little “sister”, A5/2 (reverse-engineered @Berkeley)
[From M.Näslund]
The GSM Secret Stream Cipher A5
[Figure: A5 running at both Mobile and Network after the Ciphering Mode Command. Labels: Kc (64 Bit) and TDMA-Frame # (22 Bit) as inputs on each side; Z(t); 144 Bit; Clear text (Voice, data); Cipher text; Clear text]
[From W.Adi]
GSM encryption - A5/2
majority(a, b, c) = ab + bc + ca
Developed in 1989
GSM encryption - A5/2
[From Barkan et al]
Kc - key
f - IV, depends on frame number
GSM encryption - A5/2
[From Barkan et al]
COUNT is derived from the TDMA frame number as shown in Figure 5, where T1 is the quotient of the frame number divided by 51 · 26 = 1326, T2 is the remainder of the frame number divided by 26, and T3 is the remainder of the frame number divided by 51.
It should be noted that many times in our attacks, we know in advance the additive difference between two frame numbers, but we do not know in advance (with 100% certainty) the XOR-difference between the COUNT values of the two frames.
The above description is true only when the mobile is allocated a single time slot. When the mobile is allocated several time slots (or in GPRS), a different method is used.
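An added example (not from the slides or the quoted paper) that computes COUNT from a frame number and shows why a known additive frame difference does not fix the XOR difference of the COUNT values. Figure 5 is not reproduced on this page, so the 22-bit layout used here (T1 in the top 11 bits, then T3 in 6 bits, then T2 in 5 bits) is taken from the GSM specification as an assumption; the function names are hypothetical.

```python
from collections import Counter

# GSM TDMA frame numbers run from 0 to 26 * 51 * 2048 - 1 and then wrap.
FN_MAX = 26 * 51 * 2048


def count_from_fn(fn: int) -> int:
    """Build the 22-bit COUNT value from a TDMA frame number.

    Layout assumed from the GSM specification (Figure 5 is missing here):
    T1 (11 bits) | T3 (6 bits) | T2 (5 bits).
    """
    if not 0 <= fn < FN_MAX:
        raise ValueError("frame number out of range")
    t1 = fn // (51 * 26)      # quotient of FN / 1326
    t2 = fn % 26              # remainder of FN / 26
    t3 = fn % 51              # remainder of FN / 51
    return (t1 << 11) | (t3 << 5) | t2


def xor_difference_histogram(delta: int, frames) -> Counter:
    """Count the distinct XOR differences COUNT(fn) ^ COUNT(fn + delta)."""
    hist = Counter()
    for fn in frames:
        later = (fn + delta) % FN_MAX
        hist[count_from_fn(fn) ^ count_from_fn(later)] += 1
    return hist


if __name__ == "__main__":
    # Frames that are exactly one apart still give many XOR differences,
    # because T2 and T3 carry and wrap at 26 and 51 instead of powers of two.
    hist = xor_difference_histogram(1, range(0, 1326))
    for diff, n in hist.most_common(5):
        print(f"xor difference {diff:#08x} seen {n} times")
    print("distinct differences:", len(hist))
```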
One evaluation of A5/2...
“The resource budget for the project was 15.75 man-months …
The results of the mathematical analysis did not identify any features of [A5/2] which could be exploited as the basis for a practical eavesdropping attack on the GSM radio path …
All members of SAGE stated that they were satisfied that [A5/2] was suitable to protect against eavesdropping on the GSM radio path”
-- ETSI TR 278
[From D.Wagner]
Attacking A5/2
If you can get keystream from two frames 2^11 apart:
– R4 will be the same for both, due to the clobbered bit (hmm…)
– Guess R4; then the clocking for R1, R2, R3 is known (double hmm…)
Now solve for R1, R2, R3
– Keystream difference is a linear function of R1, R2, R3 difference, so can solve using linear algebra
– This reveals the key
Complexity: 2^16 simple dot-products, realtime!
– Our code breaks A5/2 in ~ 10 milliseconds [BGW99]
[From D.Wagner]
A5/2 is highly ”linear”, can be expressed as linear equation system in 660 unknown 0/1 variables, of which 64 are Kc
If plaintext known, each 114-bit frame gives 114 equations
Only difference between frames is that frame number increases by one.
After 6 frames (in reality only 4) we have > 660 equations, so we can solve!
If plaintext unknown, can still attack thanks to redundancy of channel coding (SACCH has 227 redundant bits per each 4-frame message).
Idea behind the attack
Off-line stage (done once):
Storage for ”matrices”: approx 200MB
Pre-processing time: less than 3 hrs on a PC
On-line attack stage:
Requires 4-7 frames sent from UE on SACCH.
Retrieving Kc then takes less than 1 second.
Hardware requirement: normal PC and GSM capable receiver
Attack efficiency
GSM encryption - A5/1
[Figure: three shift registers L1, L2, L3 with labels cc and output]
“shift Li if middle bit of Li agrees with majority of middle bits in L1 L2 L3”
Sizes: 23, 22, 19 bit (i.e. 64 bit keys)
[From M.Näslund]
Developed in 1987
GSM encryption - A5/1
A register is clocked if its clocking bit (orange) agrees with the majority of the clocking bits of all three registers
GSM encryption - A5/1
Initially, the registers are set to zero. Then for 64 cycles, the 64-bit secret key is mixed in according to the following scheme: in cycle i=0...63, the ith key bit is added to the least significant bit of each register using XOR. Each register is then clocked.
Similarly, the 22-bits of the frame number are added in 22 cycles.
Then the entire system is clocked using the normal majority clocking mechanism for 100 cycles, with the output discarded. After this is completed, the cipher is ready to produce two 114 bit sequences of output key-stream, one for each direction.
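An added example (not code from the slides) that implements the A5/1 key setup and majority clocking described above and produces the two 114-bit keystream blocks for one frame. The feedback taps and clocking-bit positions are not given on this page; they, and the clock-then-XOR order of the loading loops, follow the publicly available pedagogical implementation by Briceno, Goldberg and Wagner, and the function names are hypothetical.

```python
# One entry per register: (length in bits, feedback tap bits, clocking bit).
# Values follow the public reference implementation, not this page.
SPECS = (
    (19, (13, 16, 17, 18), 8),
    (22, (20, 21), 10),
    (23, (7, 20, 21, 22), 10),
)


def _step(reg, spec):
    """Clock one LFSR: shift left, feed the XOR of the taps into bit 0."""
    length, taps, _ = spec
    fb = 0
    for t in taps:
        fb ^= (reg >> t) & 1
    return ((reg << 1) & ((1 << length) - 1)) | fb


def _clock_all(regs):
    """Clock all three registers, ignoring the majority rule (key setup)."""
    return [_step(r, s) for r, s in zip(regs, SPECS)]


def _clock_majority(regs):
    """Clock only the registers whose clocking bit agrees with the majority."""
    cbits = [(r >> s[2]) & 1 for r, s in zip(regs, SPECS)]
    maj = 1 if sum(cbits) >= 2 else 0
    return [_step(r, s) if c == maj else r
            for r, s, c in zip(regs, SPECS, cbits)]


def _output_bit(regs):
    """Keystream bit: XOR of the most significant bit of each register."""
    bit = 0
    for r, (length, _, _) in zip(regs, SPECS):
        bit ^= (r >> (length - 1)) & 1
    return bit


def a5_1_keystream(kc: bytes, frame: int):
    """Return the two 114-bit keystream blocks (lists of bits) for a frame."""
    if len(kc) != 8 or not 0 <= frame < (1 << 22):
        raise ValueError("need a 64-bit key and a 22-bit frame number")
    regs = [0, 0, 0]
    for i in range(64):                       # mix in the 64 key bits
        regs = _clock_all(regs)
        kbit = (kc[i // 8] >> (i & 7)) & 1
        regs = [r ^ kbit for r in regs]
    for i in range(22):                       # mix in the 22 frame-number bits
        regs = _clock_all(regs)
        fbit = (frame >> i) & 1
        regs = [r ^ fbit for r in regs]
    for _ in range(100):                      # 100 majority-clocked cycles,
        regs = _clock_majority(regs)          # output discarded
    blocks = []
    for _ in range(2):                        # one block per direction
        bits = []
        for _ in range(114):
            regs = _clock_majority(regs)
            bits.append(_output_bit(regs))
        blocks.append(bits)
    return blocks[0], blocks[1]


def pack_bits(bits):
    """Pack a bit list into bytes, most significant bit first."""
    out = bytearray((len(bits) + 7) // 8)
    for i, b in enumerate(bits):
        out[i // 8] |= b << (7 - (i & 7))
    return bytes(out)


def xor_burst(bits, keystream):
    """Encrypt or decrypt one 114-bit burst by XOR with the keystream."""
    return [b ^ k for b, k in zip(bits, keystream)]
```

Encryption and decryption are the same XOR, so the security of a burst rests entirely on Kc and the per-frame keystream never repeating.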
[Figure: A5/1 structure with LFSR1, LFSR2 and LFSR3 (Linear Feedback Shift Registers; lengths 23, 22 and 19 Bits), each with a clock input C driven by Stop/go-1, Stop/go-2 and Stop/go-3 from the Clock Control, and a De-linearizer producing Z(t)]
Effective key length = 40 Bits ?
Published by Berkeley students, effectively attacked by A. Shamir 1999/2000
The attack can find the key in less than a second on a single PC with 128 MB RAM and two 73 GB hard disks, by analysing the output of the A5/1 algorithm in the first two minutes of the conversation
Attacking A5/1
[From W.Adi]
GSM encryption - A5/3
Based on the Kasumi algorithm
– 3GPP confidentiality and integrity algorithms.
Kasumi derived from the MISTY algorithm, created by Mitsubishi.
Specifications are publicly available on the 3GPP web site (www.3gpp.org).
[From D.Veeneman]
GSM encryption - A5/3 (KASUMI)
Feistel cipher with 8 rounds.
Operates on 64 bit data blocks using 128 bit key.
Basic operation :
- Input data block I (64 bit), Key K (128 bit) and 64 bit output OUTPUT.
- Input I divided into 32 bit strings L_0 and R_0.
- R_i = L_{i-1}, L_i = R_{i-1} XOR f_i(L_{i-1}, RK_i).
- OUTPUT = L_8 || R_8.
- f_i is the round function.
GSM encryption - A5/3 (KASUMI)
Attacking A5/3?
In 2005, Israeli researchers Eli Biham, Orr Dunkelman and Nathan Keller published a related-key rectangle (boomerang) attack on KASUMI that can break all 8 rounds faster than exhaustive search. The attack requires 2^54.6 chosen plaintexts, each of which has been encrypted under one of four related keys, and has a time complexity equivalent to 2^76.1 KASUMI encryptions. While this is not a practical attack, it invalidates some proofs about the security of the 3GPP protocols that had relied on the presumed strength of KASUMI.
In 2006 Elad Barkan, Eli Biham and Nathan Keller demonstrated attacks against A5/1 and A5/2, that allow attackers to tap GSM mobile phone conversations and decrypt them either in real-time, or at any later time. Protocol weaknesses allow recovery of the key, but the KASUMI algorithm is unaffected in itself.
Cellular Crypto Algorithms
System | Confidentiality | Authentication | Keying
US Analog | None | None | None
US Digital | XOR mask & CMEA (ORYX) | CAVE | CAVE
GSM | A5/0, A5/2, or A5/1 (soon: A5/3) | COMP128 (COMP128-2, 3DES-CBC-MAC) | COMP128 (same)
Key: = insecure
UMTS Security
Adaptation of GSM security
– Confidentiality of the user identity
– Authentication of the user towards the network
– Encrypted communication over the radio link
– SIM card as personal security module with authentication of the user towards the SIM card
USIM (UMTS Subscriber Identity Module)
[From W.Schneider]
UMTS Security
UMTS Extensions
– extended UMTS authentication and key agreement: home network authenticated towards the user, sequence numbers: prevents replay of authentication data, keyed MAC
– Integrity of control data: control data during connection establishment are secured with MAC
– USIM controlled use of keys: the USIM provides new authentication if the encrypted data exceed a certain volume
– Periodic key renewal
– Integrity and confidentiality of communication data: 128-bit communication key, MACs for integrity
[From W.Schneider]