
GSM CLONING

GSM CLONING. GSM (Global System for Mobile Communication). Most widely used cellular mobile phone system. First digital system to follow analog era. Specification designed by GSM Consortium in secrecy. Relied on Security by Obscurity. Distributed on need-to-know basis.

derick

Presentation Transcript


  1. GSM CLONING

  2. GSM (Global System for Mobile Communication) • Most widely used cellular mobile phone system. • First digital system to follow analog era. • Specification designed by GSM Consortium in secrecy. • Relied on Security by Obscurity. • Distributed on need-to-know basis. • Eventually leaked out and researchers have found many ways to break the GSM algorithms. • One way was breaking COMP128 to retrieve the secret key from a SIM card.

  3. A3: Signature Response; A8: Session Key; COMP128: SRES, Session Key

  4. COMP128 Pseudocode:
     • Input: 16 byte secret key, 16 byte RAND
     • Output: 4 byte SRES, 8 byte session key (simoutput[12])
     • Load RAND into x[16…31]
     • Perform the following 8 times:
        • Load secret key into x[0…15]
        • Compression
        • Bits to Bytes
        • Permutation (only on first 7 rounds)
     • Compress 16 bytes to 12 bytes (simoutput)
     • Return simoutput[ ]

  5. Permutation: • Bits to Bytes • Only 4 bits in each entry • Example shows bits for x[0]; x[1] gets bits 8, 25, 42, 59, 76, 93, 110, 127. [Figure: diagram mapping bits (0, 17, 34, 51, 68, 85, 102, 119 shown) to bytes x[0], x[1], x[2]]

  6. What went wrong? • The design of a cryptosystem should follow Kerckhoffs’ principle. • The GSM design committee kept all security specifications secret.

  7. Attacks on COMP128 • April 13, 1998: Marc Briceno (Director of the Smartcard Developer Association) and two U.C. Berkeley researchers, David Wagner and Ian Goldberg: the 128-bit Ki could be deduced by collecting around 150,000 chosen RAND-SRES pairs. • May 2002: IBM side-channel attack (Partitioning Attack): 1000 random inputs, or 255 chosen inputs, or only 8 adaptively chosen inputs.

  8. [Figure: inputs are the 128-bit Ki and the 128-bit RAND]

  9. Crypto-attack by B. and G. • Information leaking. • A narrow “pipe” exists in COMP128: bytes i, i+8, i+16, i+24 at the output of the 2nd level depend only on bytes i, i+8, i+16, i+24 of the initial input. • Birthday paradox. • Differential technique.

  10. [Figure: inputs are the 128-bit Ki and the 128-bit RAND; level widths 8 bits, 8 bits, 7 bits, 6 bits, 5 bits, 4 bits]

  11. Crypto-attack cont. • After the compression at level 1, • The correlated 32 bits 28 bits. • Transfer problem to Collision Attack. • Alg. in the Random Oracle Model FINDCOLLISION • Choose • For each • do • If for some • then return • else return (failure)

  12. Crypto-attack cont.2 • The birthday paradox tells us if let our , we have probability at least 1/2 to get a collision. • The expectation of the number of queries: • How many chances can we have • The total expected queries to recover the entire 128 bit Ki is • How fast can we get? Computational ability of IC: 6.25 queries/s. Total recovery period: 7.3 hours.

  13. Improvement on B. and G. • Pre-compute 8 tables each has entries. • Every time we find a collision, just look up the corresponding tables to find the key. • Space requirements: GB • Limitation: The bottle-neck of recovery time is dominated by computational time of IC. This technique could decrease computational requirement of PC, but the whole time won’t decrease so much.

  14. Evaluation of B. G.’s Method • Pros: Easy to implement. High accuracy. Doesn’t need physical access to the SIM card. • Cons: Slow: 7.3 hours Spurious key Assumption Avoidance

  15. Gains from B.G.’s Attack • Necessity of the open design process • Importance of the first round • Aftermath of collisions

  16. Partitioning Attack • Side channels: • Timing of operations • Power consumption • Electromagnetic emanations • Cardinal Principle: Relevant bits of intermediate cycles and their values should be statistically independent of the inputs, outputs and sensitive information.

  17. Partitioning Attack cont. • Problems in COMP128: • Huge correlation between MSB of R[0] and the beginning of the first compression. • Substitution. Table look up operation. • Implementation in IC. Figure

  18. Partitioning Attack cont.2 • Explanation for the correlation: X[i] = T0[K[i] + 2*R[i]] and X[i+16] = T0[2*K[i] + R[i]] • Example: Byte 1: all signals with R[0] in the ranges [0-26] and [155-255] fell into one category, and all signals with R[0] in the range [27-154] fell into the other. Byte 2: signals with R[0] in the range [0-105] fell into one category and signals with R[0] in the range [106-255] fell into the other. [Graph] • K + 2*26 < 256 and K + 2*27 >= 256, so K = 202 or 203. • 2*K + 105 < 512 and 2*K + 106 >= 512, so K = 203.

  19. Partitioning Attack cont.3 • Efficiency • 1000 samples with random inputs • 256 chosen inputs • 8 adaptively chosen inputs

  20. Future Improvements • COMP128-2 has replaced COMP128 to overcome some weaknesses. • COMP128-3 is developed to generate 64 bits for Kc. • COMP128-4 is under development, based on the 3GPP (3rd Generation Partnership Project) algorithm (AES).

  21. Input correlation for MSB of R[0]
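
The narrow "pipe" on slide 9 can be checked structurally, without any lookup tables. This is an added example, not code from the presentation: it tracks which input bytes each position of x[0..31] depends on after each compression level. The butterfly index formula is taken from the publicly documented COMP128 structure and is an assumption relative to the slides; the function names are hypothetical.

```python
def level_pairs(j):
    """Index pairs (m, n) that butterfly level j (0..4) combines over x[0..31]."""
    pairs = []
    for k in range(1 << j):
        for l in range(1 << (4 - j)):
            m = l + k * (1 << (5 - j))
            pairs.append((m, m + (1 << (4 - j))))
    return pairs


def dependencies_after(levels):
    """deps[p] = input byte positions that x[p] depends on after `levels` levels."""
    deps = [{p} for p in range(32)]
    for j in range(levels):
        for m, n in level_pairs(j):
            # Both outputs of a butterfly are functions of both of its inputs.
            merged = deps[m] | deps[n]
            deps[m], deps[n] = merged, set(merged)
    return deps


def key_bytes_in_pipe(i, levels=2):
    """Key positions (x[0..15] holds Ki, x[16..31] holds RAND) feeding x[i]."""
    return sorted(p for p in dependencies_after(levels)[i] if p < 16)


def pipe_widths():
    """Number of input bytes influencing x[0] after 1..5 levels."""
    return [len(dependencies_after(n)[0]) for n in range(1, 6)]


if __name__ == "__main__":
    print(sorted(dependencies_after(2)[3]))   # input bytes behind x[3] after level 2
    print(key_bytes_in_pipe(3))               # key bytes in that pipe
    print(pipe_widths())
```

After the second level each output byte is still a function of only two key bytes and two RAND bytes, which is why the first rounds matter so much to the design (slide 15) and why the improvement on slide 13 uses 8 tables, one per pair of key bytes.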
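
The arithmetic on slide 18, carried through as an added example (not code from the presentation). It assumes the leak model the slide's inequalities imply: the T0 index is reduced modulo 512 and the observed signal only reveals which 256-entry half of T0 is read. The R[0] ranges are constructed from the values quoted on the slide; function names are hypothetical.

```python
T0_SIZE, HALF = 512, 256  # assumed: 512-entry T0, signal reveals which half is read


def first_index(k, r):
    return (k + 2 * r) % T0_SIZE       # X[i]    = T0[K[i] + 2*R[i]]


def second_index(k, r):
    return (2 * k + r) % T0_SIZE       # X[i+16] = T0[2*K[i] + R[i]]


def split(index_fn, k):
    """R values whose lookup lands in the upper half of T0 for key byte k."""
    return frozenset(r for r in range(256) if index_fn(k, r) >= HALF)


def candidates(index_fn, group):
    """Key bytes whose two-way split of R matches the observed one.

    The observer sees two unlabeled categories, so a key byte matches if
    either the group or its complement is the upper-half set.
    """
    group = frozenset(group)
    rest = frozenset(range(256)) - group
    return [k for k in range(256) if split(index_fn, k) in (group, rest)]


# Constructed from slide 18: one category of each observed split of R[0].
BYTE1_GROUP = range(27, 155)   # [27-154]
BYTE2_GROUP = range(0, 106)    # [0-105]


def recover():
    """Candidates from each lookup, and the key bytes consistent with both."""
    a = candidates(first_index, BYTE1_GROUP)
    b = candidates(second_index, BYTE2_GROUP)
    return a, b, sorted(set(a) & set(b))


if __name__ == "__main__":
    print(recover())
```

With unlabeled categories the second split alone is also consistent with a second key byte; intersecting it with the first split leaves the single value the slide arrives at. Each split depends on the key byte, which is exactly the input dependence slide 16's cardinal principle rules out.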
