1 / 26

GSM Security: Cryptanalysis of A5/1

GSM Security: Cryptanalysis of A5/1. Arber Ceni – 07.02.2011. Overview (I). Motivation Description of A5/1 Time-memory tradeoff attacks Golic 1997 Biryukov et al. 2000 Biham and Dunkelman 2000 Barkan , Biham and Keller 2003 COPACOBANA 2008. Overview (II). Correlation attacks

prema
Download Presentation

GSM Security: Cryptanalysis of A5/1

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. GSM Security: Cryptanalysis of A5/1 Arber Ceni – 07.02.2011

  2. Overview (I) • Motivation • Description of A5/1 • Time-memory tradeoff attacks • Golic 1997 • Biryukov et al. 2000 • Biham and Dunkelman 2000 • Barkan, Biham and Keller 2003 • COPACOBANA 2008 GSM Security: Cryptanalysis of A5/1

  3. Overview (II) • Correlation attacks • Ekdahl and Johansson 2003 • Maximov, Johansson and Babbage 2005 • Barkan and Biham 2006 • Other attacks on GSM and A5 family ciphers • Conclusions GSM Security: Cryptanalysis of A5/1

  4. Motivation • GSM has more than 3 billion customers and covers around 80% of the World’s population • Every over-the-air conversation is protected by A5/1 • GSM is the biggest cryptosystem ever deployed • A5/1 developed in 1987 (older than 20 years) • Many flaws discovered • Many attacks conducted GSM Security: Cryptanalysis of A5/1

  5. Description of A5/1 (I) • GSM uses symmetric cryptography • The same key Kc is used to encrypt and decrypt the conversation • How is the Kc generated? • Ki – root encryption key • Unique for each subscriber • A3 – authenticate the userto the mobile operator • A8 – Generate Kc GSM Security: Cryptanalysis of A5/1

  6. Description of A5/1 (II) • Invented in 1987 • Partially leaked in 1994 • Reverse engineered by Briceno in 1999 • Idea: • Conversation as frames transmitted every 4,6 ms • 228 bits+Kc+Fn=228 bits cyphertext • 114 up, 114 down • Three LFSRs • R1 – length 19; taping bits 13, 16,17,18; clocking bit 8 • R2 – length 22; taping bits 20, 21; clocking bit 10 • R3 – length 23; 7,20,21,22; clocking bit 10 GSM Security: Cryptanalysis of A5/1

  7. Description of A5/1 (III) • Clocking • If the clocking bit agrees with the majority bit • C1=C2=C3+1 => R1 and R2 are clocked • Probability of each register to be clocked is 3/4 GSM Security: Cryptanalysis of A5/1

  8. Description of A5/1 (IV) • Algorithm (initial state) • Zero all registers • For each bit of the Kc: Rj[0]=Rj[0]+Kc[i], j=(1,2,3) • Clock the registers ignoring the regular clocking mechanism • For each bit of the Fn: Rj[0]=Rj[0]+Fn[i], j=(1,2,3) • Clock the registers ignoring the regular clocking mechanism • Clock the registers with thenormal clocking mechanismfor 100 rounds and discardthe output GSM Security: Cryptanalysis of A5/1

  9. Description of A5/1 (V) • Algorithm (ciphertext generation) • Clock the cipher 114 times using the normal stop/go fashion • Produce 114 bits (keystream) by XOR-ing the MSBs of the three registers • This keystream will be used to encrypt the communication between operator and mobile station • XOR the keystream with the initial message to produce the ciphertext • Do the same for the conversation between mobile station and operator GSM Security: Cryptanalysis of A5/1

  10. Time-memory tradeoff attacks – Golic 1997 • Alleged but similar A5/1 cipher • Divide and conquer • Idea: Guess some bits of the state of the registers and find the others by solving linear equations • Complexity: O(240.16) • How many bits should we guess: • n if n ≤ ri-taui+1 • n-ri+taui-1 otherwise • 1+3n+4n/3 linear equations • Linear independent if n< max(tau1,tau2,tau3)-1 • Real A5/1: max(tau1,tau2,tau3)=10 => O(245.22) • Time-memory tradeoff:102·K·M≥ 263.32 GSM Security: Cryptanalysis of A5/1

  11. Time-memory tradeoff attacks – Biryukov et al. 2000 (I) • Store in HDD (prefix,state) pairs for special states starting with α = 16 bits • Flaw of A5/1: clocking tap doesn’t affect output for 16 clocking cycles • Produces 248 states instead of 264; further reduced to 240 • Compare the prefix of an unknown state • Red states R – special states; |R|= 248 • Green states G – αis encountered in position 101-277; |G|= 177*248 • 235 stored red states with avg weight 12500 • We can encounter a red state in 2 min of conversation with a probability of 61% GSM Security: Cryptanalysis of A5/1

  12. Time-memory tradeoff attacks – Biryukov et al. 2000 (II) • Random subgraph attack • From stored special states, generate other special states • A new function f makes this possible and inverting it produces the special state from an output bit. • Time-memory tradeoff: • M= 236,|U|= 248, T= 224 and preprocessing 248 GSM Security: Cryptanalysis of A5/1

  13. Time-memory tradeoff attacks – Biham and Dukelman 2000 (I) • Wait until an event that gives a lot of information happens • With some improvements to the previous attack, break A5/1 • R3 not clocked for 10 consecutive times and R3[10,22] are known • We get 20 clocking bits of R1 and R2 • Other 11 bits from output stream • Guessing 9 bits from R1 and 1 from R2, gives both registers • Guessing 10 bits from R3, gives the other 11 bits of R3 • Complexity: O(227) • 220 possible starting points for R3 • Complexity: O(247) GSM Security: Cryptanalysis of A5/1

  14. Time-memory tradeoff attacks – Biham and Dukelman 2000 (II) • Improve the techniques of the previous attack • Compute two tables: • next-state table – stores the states in the computed order • Pointer table – stores the location of the state • Total Complexity computed: • 220 – possible start points for R3 • 212 – possible guesses • each of them 21.53 values which cost 2 cycles (next-state lookup) • 24.53 – values for 10 guesses of R3 • each of these clocked and checked in pointer table =>2 cycles • each check needs to be clocked twice • 220 *212 * 21.53 *2* 24.53 *(1+1+2*0.88)= 240.97 A5/1 clocking cycles GSM Security: Cryptanalysis of A5/1

  15. Time-memory tradeoff attacks – Barkan, Biham and Keller 2003 • Man-In-The-Middle attack • 1st attack • Ask the victim to start encrypting with A5/2 • Break A5/2 (which is easier) and send the authentication to the server • 2nd attack • Ask the network and the victim to start a conversation with no encryption A5/0 • This is probable to be discovered by the operator • 3rd attack • The operator initiate the authentication procedure rarely • The attacker asks the victim to encrypt with A5/2 • Brake A5/2 and use it later GSM Security: Cryptanalysis of A5/1

  16. Time-memory tradeoff attacks –COPACOBANA 2008 • 120 parallel FPGAs (Field-Programmable Gate Array) • Offers better performance-cost ratio • Can be connected to normal PC • Using COPACOBANA: • 114 known bits (1 frame) • Preprocessing time: three months • Memory: 4.85 TB • Online phase: 10.09 s • Success rate: 63% • Can be increased to 96% • Must increase the output stream length to 4 frames GSM Security: Cryptanalysis of A5/1

  17. Correlation attacks – Ekdahl and Johansson 2003 (I) • Based on correlation attacks • Uses bad initialization of the cipher • Key and frame number initialized linearly • Is not exponential to the length of registers • Assuming that the registers are clocked exactly 76 times we get a probability of knowing the first output • For all the positions we can write: GSM Security: Cryptanalysis of A5/1

  18. Correlation attacks – Ekdahl and Johansson 2003 (II) • P((cl1,cl2, cl3) in vth position) can be computed recursively: • P((cl1,cl2, cl3) in vth position) = F(cl1,cl2,cl3,v) where: GSM Security: Cryptanalysis of A5/1

  19. Correlation attacks – Ekdahl and Johansson 2003 (III) • Log-likelihood of all probabilities: • If A>0 then the output of the cipher = 0 • If A<0 then the output of the cipher = 1 • This attack requires: • 5 minutes of GSM conversation • Less than 5 minutes to recover the key • With a success rate of more than 70% GSM Security: Cryptanalysis of A5/1

  20. Correlation attacks – Maximov, Johansson and Babbage 2005 • Improve the attack of Ekdahl and Johansson • Try to reduce the number m of needed frames • Based on two new flaws of A5/1 • Error-correction codes are applied before encryption • During silence a special kind of frame containing a large number of zeros is sent • They also make use of the log-likelihood to find the key, but they use some improved estimators • Result: • A few seconds of conversation (2000-5000 frames => 9-43s) • Less than one minute of computation GSM Security: Cryptanalysis of A5/1

  21. Correlation attacks – Barkan and Biham 2006 • Based on conditional estimators • Based on previous correlation attacks • Exploit three new weaknesses of the R2 register • Alignment property • Has only two feedback taps which are adjacent • Symmetry property – the clocking tap is at the middle of the register • Steps: • Compute conditional estimators • Decode these estimators to find best candidates for S1 and S2 • Modeled as a huge graph in which can be applied Dijkstra-like algorithms • For each of these candidates recover candidates for S3. Recover the key from S1,S2,S3 and verify that is the correct one • Results: • 2000 frames; completes in tens of seconds; success rate is 91% GSM Security: Cryptanalysis of A5/1

  22. Other attacks on GSM and A5 family ciphers (I) • FBDD based attack • Developed by Krause 2002 • Complexity: nO(1)2(1-α)/(1+ α)n.α is a constant • For A5/1 complexity: nO(1)20.6403n • Eavesdrop without cryptanalysis • MITM attack • Record RAND;recordciphertext=>output stream of the cipher • Later: • Send the frame number and message to the target mobile • The frame number is the same so the message can be decrypted GSM Security: Cryptanalysis of A5/1

  23. Other attacks on GSM and A5/1 family ciphers (II) • Open source project (Nohl 2009) • Precompute rainbow tables • The compressed codebook of A5/1 • Used parallelization (FPGA) to reduce precomputing time • First public project to release the tables • 1st attack: • MITM attack • Fake base station • Cheap radio equipment • Open source software – OpenBTS • 2nd attack • Passive attack • Uses the precomputed rainbow tables • Everybody can contribute GSM Security: Cryptanalysis of A5/1

  24. Other attacks on GSM and A5/1 family ciphers (III) • New A5/3 again weak • Made public • Based on KASUMI block cipher • Modification of MISTY • Also weak: • By applying a sandwich attack • 226 data, 230 bytes of memory, can complete in 232 time • The authors claim this is realistic and have simulated the attack in a PC GSM Security: Cryptanalysis of A5/1

  25. Conclusions • Most of the attacks presented here, don’t make any claim for the real implementation of A5/1 in the fielded GSM • However, some of them yes • Breaking A5/1 has become an open source project! • The new A5/3 is also weak! • The cryptosystem used in GSM should be changed • It is the biggest cryptosystem ever deployed • It is not used only for conversation • Used for banking information, payment, bank transfer etc GSM Security: Cryptanalysis of A5/1

  26. Thank you! • Questions? GSM Security: Cryptanalysis of A5/1

More Related