Presentation is loading. Please wait.

Presentation is loading. Please wait.

GSM Security: Cryptanalysis of A5/1 Arber Ceni – 07.02.2011.

Similar presentations

Presentation on theme: "GSM Security: Cryptanalysis of A5/1 Arber Ceni – 07.02.2011."— Presentation transcript:

1 GSM Security: Cryptanalysis of A5/1 Arber Ceni – 07.02.2011

2 Overview (I) Motivation Description of A5/1 Time-memory tradeoff attacks Golic 1997 Biryukov et al. 2000 Biham and Dunkelman 2000 Barkan, Biham and Keller 2003 COPACOBANA 2008 Arber Ceni2GSM Security: Cryptanalysis of A5/1

3 Overview (II) Correlation attacks Ekdahl and Johansson 2003 Maximov, Johansson and Babbage 2005 Barkan and Biham 2006 Other attacks on GSM and A5 family ciphers Conclusions Arber Ceni3GSM Security: Cryptanalysis of A5/1

4 Motivation GSM has more than 3 billion customers and covers around 80% of the Worlds population Every over-the-air conversation is protected by A5/1 GSM is the biggest cryptosystem ever deployed A5/1 developed in 1987 (older than 20 years) Many flaws discovered Many attacks conducted Arber Ceni4GSM Security: Cryptanalysis of A5/1

5 Description of A5/1 (I) GSM uses symmetric cryptography The same key Kc is used to encrypt and decrypt the conversation How is the Kc generated? Ki – root encryption key Unique for each subscriber A3 – authenticate the user to the mobile operator A8 – Generate Kc Arber Ceni5GSM Security: Cryptanalysis of A5/1

6 Description of A5/1 (II) Invented in 1987 Partially leaked in 1994 Reverse engineered by Briceno in 1999 Idea: Conversation as frames transmitted every 4,6 ms 228 bits+Kc+Fn=228 bits cyphertext 114 up, 114 down Three LFSRs R1 – length 19; taping bits 13, 16,17,18; clocking bit 8 R2 – length 22; taping bits 20, 21; clocking bit 10 R3 – length 23; 7,20,21,22; clocking bit 10 Arber Ceni6GSM Security: Cryptanalysis of A5/1

7 Description of A5/1 (III) Clocking If the clocking bit agrees with the majority bit C1=C2=C3+1 => R1 and R2 are clocked Probability of each register to be clocked is 3/4 Arber Ceni7GSM Security: Cryptanalysis of A5/1

8 Description of A5/1 (IV) Algorithm (initial state) Zero all registers For each bit of the Kc: Rj[0]=Rj[0]+Kc[i], j=(1,2,3) Clock the registers ignoring the regular clocking mechanism For each bit of the Fn: Rj[0]=Rj[0]+Fn[i], j=(1,2,3) Clock the registers ignoring the regular clocking mechanism Clock the registers with the normal clocking mechanism for 100 rounds and discard the output Arber Ceni8GSM Security: Cryptanalysis of A5/1

9 Description of A5/1 (V) Arber CeniGSM Security: Cryptanalysis of A5/19 Algorithm (ciphertext generation) Clock the cipher 114 times using the normal stop/go fashion Produce 114 bits (keystream) by XOR-ing the MSBs of the three registers This keystream will be used to encrypt the communication between operator and mobile station XOR the keystream with the initial message to produce the ciphertext Do the same for the conversation between mobile station and operator

10 Time-memory tradeoff attacks – Golic 1997 Alleged but similar A5/1 cipher Divide and conquer Idea: Guess some bits of the state of the registers and find the others by solving linear equations Complexity: O(2 40.16 ) How many bits should we guess: nif n r i -tau i +1 n-r i +tau i -1otherwise 1+3n+4n/3 linear equations Linear independent if n< max(tau1,tau2,tau3)-1 Real A5/1: max(tau1,tau2,tau3)=10 => O(2 45.22 ) Time-memory tradeoff:102 · K · M 2 63.32 Arber Ceni10GSM Security: Cryptanalysis of A5/1

11 Time-memory tradeoff attacks – Biryukov et al. 2000 (I) Store in HDD (prefix,state) pairs for special states starting with α = 16 bits Flaw of A5/1: clocking tap doesnt affect output for 16 clocking cycles Produces 2 48 states instead of 2 64 ; further reduced to 2 40 Compare the prefix of an unknown state Red states R – special states; |R|= 2 48 Green states G – α is encountered in position 101-277; |G|= 177*2 48 2 35 stored red states with avg weight 12500 We can encounter a red state in 2 min of conversation with a probability of 61% Arber Ceni11GSM Security: Cryptanalysis of A5/1

12 Time-memory tradeoff attacks – Biryukov et al. 2000 (II) Random subgraph attack From stored special states, generate other special states A new function f makes this possible and inverting it produces the special state from an output bit. Time-memory tradeoff: M= 2 36,|U|= 2 48, T= 2 24 and preprocessing 2 48 Attack TypePreprocessing steps Available Data Number of 73GB HDD Attack Time Biased Birthday attack(1)2 42 2 minutes41 second Biased Birthday attack(2)2 48 2 minutes21 second Random subgraph attack2 48 2 seconds4minutes Arber Ceni12GSM Security: Cryptanalysis of A5/1

13 Time-memory tradeoff attacks – Biham and Dukelman 2000 (I) Wait until an event that gives a lot of information happens With some improvements to the previous attack, break A5/1 R3 not clocked for 10 consecutive times and R3[10,22] are known We get 20 clocking bits of R1 and R2 Other 11 bits from output stream Guessing 9 bits from R1 and 1 from R2, gives both registers Guessing 10 bits from R3, gives the other 11 bits of R3 Complexity: O(2 27 ) 2 20 possible starting points for R3 Complexity: O(2 47 ) Arber Ceni13GSM Security: Cryptanalysis of A5/1

14 Time-memory tradeoff attacks – Biham and Dukelman 2000 (II) Improve the techniques of the previous attack Compute two tables: next-state table – stores the states in the computed order Pointer table – stores the location of the state Total Complexity computed: 2 20 – possible start points for R3 2 12 – possible guesses each of them 2 1.53 values which cost 2 cycles ( next-state lookup) 2 4.53 – values for 10 guesses of R3 each of these clocked and checked in pointer table =>2 cycles each check needs to be clocked twice 2 20 *2 12 * 2 1.53 *2* 2 4.53 *(1+1+2*0.88)= 2 40.97 A5/1 clocking cycles Arber Ceni14GSM Security: Cryptanalysis of A5/1

15 Time-memory tradeoff attacks – Barkan, Biham and Keller 2003 Man-In-The-Middle attack 1 st attack Ask the victim to start encrypting with A5/2 Break A5/2 (which is easier) and send the authentication to the server 2 nd attack Ask the network and the victim to start a conversation with no encryption A5/0 This is probable to be discovered by the operator 3 rd attack The operator initiate the authentication procedure rarely The attacker asks the victim to encrypt with A5/2 Brake A5/2 and use it later Arber Ceni15GSM Security: Cryptanalysis of A5/1

16 Time-memory tradeoff attacks – COPACOBANA 2008 120 parallel FPGAs (Field-Programmable Gate Array) Offers better performance-cost ratio Can be connected to normal PC Using COPACOBANA: 114 known bits (1 frame) Preprocessing time: three months Memory: 4.85 TB Online phase: 10.09 s Success rate: 63% Can be increased to 96% Must increase the output stream length to 4 frames Arber Ceni16GSM Security: Cryptanalysis of A5/1

17 Correlation attacks – Ekdahl and Johansson 2003 (I) Based on correlation attacks Uses bad initialization of the cipher Key and frame number initialized linearly Is not exponential to the length of registers Assuming that the registers are clocked exactly 76 times we get a probability of knowing the first output For all the positions we can write: Arber Ceni17GSM Security: Cryptanalysis of A5/1

18 Correlation attacks – Ekdahl and Johansson 2003 (II) P((cl1,cl2, cl3) in vth position) can be computed recursively: P((cl1,cl2, cl3) in vth position) = F(cl1,cl2,cl3,v) where: Arber Ceni18GSM Security: Cryptanalysis of A5/1

19 Correlation attacks – Ekdahl and Johansson 2003 (III) Log-likelihood of all probabilities: If A>0 then the output of the cipher = 0 If A<0 then the output of the cipher = 1 This attack requires: 5 minutes of GSM conversation Less than 5 minutes to recover the key With a success rate of more than 70% Arber Ceni19GSM Security: Cryptanalysis of A5/1

20 Correlation attacks – Maximov, Johansson and Babbage 2005 Improve the attack of Ekdahl and Johansson Try to reduce the number m of needed frames Based on two new flaws of A5/1 Error-correction codes are applied before encryption During silence a special kind of frame containing a large number of zeros is sent They also make use of the log-likelihood to find the key, but they use some improved estimators Result: A few seconds of conversation (2000-5000 frames => 9-43s) Less than one minute of computation Arber Ceni20GSM Security: Cryptanalysis of A5/1

21 Correlation attacks – Barkan and Biham 2006 Based on conditional estimators Based on previous correlation attacks Exploit three new weaknesses of the R2 register Alignment property Has only two feedback taps which are adjacent Symmetry property – the clocking tap is at the middle of the register Steps: Compute conditional estimators Decode these estimators to find best candidates for S1 and S2 Modeled as a huge graph in which can be applied Dijkstra-like algorithms For each of these candidates recover candidates for S3. Recover the key from S1,S2,S3 and verify that is the correct one Results: 2000 frames; completes in tens of seconds; success rate is 91% Arber Ceni21GSM Security: Cryptanalysis of A5/1

22 Other attacks on GSM and A5 family ciphers (I) FBDD based attack Developed by Krause 2002 Complexity: n O(1) 2 (1- α)/(1+ α)n. α is a constant For A5/1 complexity: n O(1) 2 0.6403n Eavesdrop without cryptanalysis MITM attack Record RAND;record ciphertext=>output stream of the cipher Later: Send the frame number and message to the target mobile The frame number is the same so the message can be decrypted Arber Ceni22GSM Security: Cryptanalysis of A5/1

23 Other attacks on GSM and A5/1 family ciphers (II) Open source project (Nohl 2009) Precompute rainbow tables The compressed codebook of A5/1 Used parallelization (FPGA) to reduce precomputing time First public project to release the tables 1 st attack: MITM attack Fake base station Cheap radio equipment Open source software – OpenBTS 2 nd attack Passive attack Uses the precomputed rainbow tables Everybody can contribute Arber Ceni23GSM Security: Cryptanalysis of A5/1

24 Other attacks on GSM and A5/1 family ciphers (III) New A5/3 again weak Made public Based on KASUMI block cipher Modification of MISTY Also weak: By applying a sandwich attack 2 26 data, 2 30 bytes of memory, can complete in 2 32 time The authors claim this is realistic and have simulated the attack in a PC Arber Ceni24GSM Security: Cryptanalysis of A5/1

25 Conclusions Most of the attacks presented here, dont make any claim for the real implementation of A5/1 in the fielded GSM However, some of them yes Breaking A5/1 has become an open source project! The new A5/3 is also weak! The cryptosystem used in GSM should be changed It is the biggest cryptosystem ever deployed It is not used only for conversation Used for banking information, payment, bank transfer etc Arber Ceni25GSM Security: Cryptanalysis of A5/1

26 Thank you! Questions? Arber Ceni26GSM Security: Cryptanalysis of A5/1

Download ppt "GSM Security: Cryptanalysis of A5/1 Arber Ceni – 07.02.2011."

Similar presentations

Ads by Google