GSM Security Overview GSM Security Overview (Part 3) (Part 3) Gregory Greenman Agenda Agenda A5 Overview : A5 Overview :  LFSR (Linear Feedback Shift Registers) LFSR (Linear Feedback Shift Registers)  A5/1 Description A5/1 Description Attack on A5 : Attack on A5 :  Space-Time Attacks Overview ( Space-Time Attacks Overview ( by Babbage by Babbage ) )  Cryptanalysis of A5/1 ( Cryptanalysis of A5/1 ( by Shamir, Biryukov, Wagner by Shamir, Biryukov, Wagner ) ) Other Attacks on GSM Other Attacks on GSM Conclusion Conclusion LFSR structure LFSR structure Purpose Purpose - - to produce pseudo random bit sequence to produce pseudo random bit sequence Consists of two parts : Consists of two parts :  shift register – bit sequence shift register – bit sequence  feedback function feedback function Tap Sequence : Tap Sequence :  bits that are input to the feedback function bits that are input to the feedback function b b 1 1 b b 2 2 b b 3 3 b b 4 4 b b n-1 n-1 b b n n Feedback Function : XOR output new value LFSR Features LFSR Features LFSR Period – LFSR Period – the length of the output sequence the length of the output sequence before it starts repeating itself. before it starts repeating itself. n-bit LFSR can be in 2 n-bit LFSR can be in 2 n n -1 internal states -1 internal states   the maximal the maximal period is also 2 period is also 2 n n -1 -1 the tap sequence determines the period the tap sequence determines the period the polynomial formed by a tap sequence plus 1 must be the polynomial formed by a tap sequence plus 1 must be a primitive polynomial (mod 2) a primitive polynomial (mod 2) LFSR LFSR Example : Example : x x 12 12 +x +x 6 6 +x +x 4 4 +x+1 corresponds to LFSR of length 12 +x+1 corresponds to LFSR of length 12 b b 1 1 b 2 b 3 b b 4 4 b 5 b b 6 6 b 7 b 8 b 9 b 10 b 11 b b 12 12 A5/1 Overview A5/1 Overview A5/1 is a stream cipher, which is initialized all over again A5/1 is a stream cipher, which is initialized all over again for every frame sent. for every frame sent. Consists of 3 LFSRs of 19,22,23 bits length. Consists of 3 LFSRs of 19,22,23 bits length. The 3 registers are clocked in a stop/go fashion using The 3 registers are clocked in a stop/go fashion using the majority rule. the majority rule. “Cryptography is a mixture of mathematics and muddle, and without the muddle the mathematics can be used against you.” - Ian Cassells, a former Bletchly Park cryptanalyst. 1 0 1 1 1 1 0 1 1 0 1 0 1 1 0 1 0 1 0 1 0 1 1 1 0 0 1 0 0 1 0 1 0 1 0 1 1 1 0 0 1 1 0 1 0 1 0 1 0 0 1 1 0 1 1 1 0 1 1 0 0 1 0 1 clock control 18 17 16 0 21 20 0 0 21 22 20 C3 C2 C1 R2 R1 R3 1 1 0 0 1 0 1 1 1 1 0 1 1 0 1 0 1 1 0 1 0 1 0 0 1 1 1 0 0 1 0 0 1 0 1 0 1 0 1 1 1 0 0 1 0 1 0 1 0 1 0 0 1 1 0 1 1 1 0 1 1 0 0 1 0 1 1 1 1 1 0 1 1 0 1 0 1 1 0 1 0 1 0 1 1 1 0 0 1 A5/1 : Operation A5/1 : Operation All 3 registers are zeroed All 3 registers are zeroed 64 cycles (without the stop/go clock) : 64 cycles (without the stop/go clock) :  Each bit of K (lsb to msb) is XOR'ed in parallel into the lsb's of the Each bit of K (lsb to msb) is XOR'ed in parallel into the lsb's of the registers registers 22 cycles (without the stop/go clock) : 22 cycles (without the stop/go clock) :  Each bit of F Each bit of F n n (lsb to msb) is XOR'ed in parallel into the lsb's of (lsb to msb) is XOR'ed in parallel into the lsb's of the registers the registers 100 cycles with the stop/go clock control, discarding the 100 cycles with the stop/go clock control, discarding the output output 228 cycles with the stop/go clock control which produce the 228 cycles with the stop/go clock control which produce the output bit sequence. output bit sequence. The Model The Model The internal state of A5/1 generator is the state of all 64 bits in the The internal state of A5/1 generator is the state of all 64 bits in the 3 registers, so there are 2 3 registers, so there are 2 64 64 -1 states. -1 states. The operation of A5/1 can be viewed as a state transition : The operation of A5/1 can be viewed as a state transition : S 0 S 1 S 2 S t k 0 k 2 k 1 k t Standard attack assumes the knowledge of about 64 Standard attack assumes the knowledge of about 64 output bits (64 bits →2 output bits (64 bits →2 64 64 different sequences). different sequences). Space/Time Trade-Off Attack Space/Time Trade-Off Attack I I Get keystream bits k Get keystream bits k 1 1 ,k ,k 2 2 ,…,k ,…,k M+n M+n and prepare M and prepare M subsequences : subsequences : k 1 ,…,k n k 2 , …,k n+1 … k M ,…,k n+M M • generate random state S i • generate n-bit keystream • look for it in the prepared keystream subsequences [...]... end-to-end security GSM Security is broken at many levels, vulnerable to numerous attacks Even if security algorithms are not broken, the GSM architecture will still be vulnerable to attacks from inside or attacks targeting the operator's backbone No mutual authentication Confidential information requires additional encryption over GSM References GSM Association, http://www.gsmworld.com M Rahnema, Overview. .. Convention on Security and Detection, IEE Conference publication, No 408, May 1999 A Biryukov, A Shamir, D Wagner, “Real Time Cryptanalysis of A5/1 on a PC”, Preproceedings of FSE ‘7, pp 1-18, 2000 ISAAC, University of California, Berkeley, GSM Cloning”, http://www.isaac.cs.berkeley.edu/iChansaac /gsm- faq.html S Chan, “An Overview of Smart Card Security , http://home.hkstar.com/~alanchan/papers/smartCardSecurity/... References GSM Association, http://www.gsmworld.com M Rahnema, Overview of the GSM System and Protocol Architecture”, IEEE Communication Magazine, April 1993 L Pesonen, GSM Interception”, November 1999 J.Rao, P Rohatgi, H Scherzer, S Tinguely, “Partitioning Attack: Or How to Rapidly Clone Some GSM Cards”, IEEE Symposium on Security and Privacy, May 2002 P.Kocher, J Jaffe, “Introduction to Differential... communications The security model has minimal impact on manufacturers SIM – keys,A3,A8,etc SIM Toolkit – additional SIM functionality Mobile Equipment – A5  The future - 3GPP : the design is public mutual authentication (EAP-SIM Authentication), key-length increased, security within and between networks, etc Conclusions (cont.) Cons       Security by Obscurity Only access security – doesn't... is required to respond to every challenge made by GSM network (there is no authentication of BTS) Attack based on differential cryptanalysis could take 8-15 hours and require that the signal from the legitimate BTS be disabled for that time, but it's still real … The same attack could be applied to AuC   It also has to answer the requests made by the GSM network It's much faster than SIM SMS Architecture . GSM Security Overview GSM Security Overview (Part 3) (Part 3) Gregory Greenman Agenda Agenda A5 Overview : A5 Overview :  LFSR (Linear Feedback Shift. Description A5/1 Description Attack on A5 : Attack on A5 :  Space-Time Attacks Overview ( Space-Time Attacks Overview ( by Babbage by Babbage ) )  Cryptanalysis of A5/1 ( Cryptanalysis of A5/1. of A5/1 ( by Shamir, Biryukov, Wagner by Shamir, Biryukov, Wagner ) ) Other Attacks on GSM Other Attacks on GSM Conclusion Conclusion LFSR structure LFSR structure Purpose Purpose - - to