1 / 18

GSM network and its privacy

GSM network and its privacy. Thomas Stockinger. Overview. Why privacy and security? GSM network‘s fundamentals Basic communication Authentication Key generation Encryption: The A5 algorithm Attacks Conclusion. Why?. From technical point of view

Download Presentation

GSM network and its privacy

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. GSM network and its privacy Thomas Stockinger

  2. Overview • Why privacy and security? • GSM network‘s fundamentals • Basic communication • Authentication • Key generation • Encryption: The A5 algorithm • Attacks • Conclusion

  3. Why? • From technical point of view • Electromagnetic waves as communication media • From customer’s point of view • Privacy • Cell phone cloning • From operator’s point of view • Billing fraud • Loss of customer faith • m-commerce applications

  4. The GSM network • 1982 – Start of design • Group Spécial Mobile • 1991 – Commerical start • Global System for Mobile Communication • Worldwide system • Digital • Cellular • Subscriber Identity Module (SIM) • Flexible design (SMS, MMS, 2.5G, 3G, ...)

  5. Security services • Authentication • Through challenge-response • Identity protection • Through temporary identification number • User data protection • Through encryption • Signaling data protection • Through encryption

  6. Radio Interface „over-the-air“ Base Station Mobile Equipment Challenge RAND (128bit) KI(128 bit) KI(128 bit) A3 A3 Response SRES (32 bit) ? A8 A8 SIM KC (64 bit) KC(64 bit) Encrypted data A5 A5 GSM communication

  7. Algorithms • Optimized for hardware • Never officially published („security by obscurity“) • A3 / A8 may be choosen by operator • COMP128 is assumed to be only a „proof of concept“

  8. SIM RAND (128 bit) SRES (32 bit) A3 Ki (128 bit) Authentication: A3 • Input: Random challenge RAND + Secret Key Ki • Output: Signed response SRES • Completely implemented in the SmartCard • Ki never leaves the SIM • COMP128 algorithm or variations

  9. SIM RAND (128 bit) Kc (64 bit) A8 Ki (128 bit) Key generation: A8 • Same algorithm as A3 • Output: Cipher key Kc • Only 56 bits of Kc are used

  10. Encryption: A5 stream cipher • Input: • 228-bit data-frame every 4.6 ms • Framecounter Fn • Secret Key Kc produced by A8 • Clocked linear feedback shift registers (LFSRs) generate pseudo random bits PRAND • Output: • 114-bit ciphertext + 114-bit plaintext • Same PRAND used for encoding and decoding

  11. R 1 0 8 13 16 17 18 C 1 Clocking Unit Output R 2 0 10 20 21 C 2 R 3 0 7 10 20 21 22 C 3 A5/1 scheme

  12. A5 sequence • Zero registers • 64 cycles: Shift-in Kc • 22 cycles: Shift-in Fn • 100 cycles: Diffuse, with irregular clocking • 228 cycles: Generate output, with irregular clocking • XOR PRAND and frame-data

  13. Majority R 1 0 12 13 14 15 16 17 18 Majority Output R 2 0 9 13 16 20 21 Majority R 3 0 7 13 16 18 20 21 22 Clocking Unit R 4 0 3 7 10 11 16 A5/2 scheme

  14. Cryptanalytical attacks • Algorithms kept secret • After reverse-engineering, many attacks: • Golic, 1997 (A5/1) • Goldberg + Wagner, 1998 (COMP128) • Goldberg + Wagner + Briceno, 1999 (A5/2) • Biryukov+ Shamir + Wagner, 2000 (A5/1) • Biham + Dunkelman, 2000 (A5/1) • Ekdahl + Johansson, 2002 (A5/1) • Barkan + Biham + Keller, 2003 (A5/2) • COMP128 and A5/2 completely broken • A5/1 very weak

  15. Attacks in real life • Knowledge and hardware needed • Only on short distances • More effective ways: • Wiretapping • Eavesdropping • Microphones with directional effect • ...

  16. Conclusion „Every chain is only as strong as its weakest link“ • Good design, bad implementation • Tradeoff because of limited hardware capabilities • Future networks will use stronger ciphers • 3G: A5/3 „Kasumi“ = „Misty“ block cipher • Enough protection for everyday-users

  17. Thank you! Questions? Thomas.Stockinger@nop.at http://www.nop.at

More Related