GSM network and its privacy Thomas Stockinger
Overview: Why privacy and security?; GSM network's fundamentals; Basic communication; Authentication; Key generation; Encryption: The A5 algorithm; Attacks; Conclusion
Why? From technical point of view: Electromagnetic waves as communication media. From customer's point of view: Privacy; Cell phone cloning. From operator's point of view: Billing fraud; Loss of customer faith; m-commerce applications
The GSM network: 1982 – Start of design (Groupe Spécial Mobile); 1991 – Commercial start (Global System for Mobile Communication); Worldwide system; Digital; Cellular; Subscriber Identity Module (SIM); Flexible design (SMS, MMS, 2.5G, 3G, ...)
Security services: Authentication (through challenge-response); Identity protection (through temporary identification number); User data protection (through encryption); Signaling data protection (through encryption)
GSM communication [Diagram; labels: Mobile Equipment, SIM, Base Station, A3 / A5 / A8 on both sides, Radio Interface "over-the-air", Challenge RAND (128 bit), Response SRES (32 bit), Ki (128 bit) on both sides, Kc (64 bit), Encrypted data]
Algorithms
Purpose | Algorithm | Variations
Authentication | A3 | COMP
Key generation | A8 | COMP
Encryption | A5 | A5/0, A5/1, A5/2, ...
Optimized for hardware. Never officially published ("security by obscurity"). A3 / A8 may be chosen by operator. COMP128 is assumed to be only a "proof of concept".
Authentication: A3. Input: Random challenge RAND + Secret Key Ki. Output: Signed response SRES. Completely implemented in the SmartCard; Ki never leaves the SIM; COMP128 algorithm or variations. [Diagram; labels: SIM, A3, RAND (128 bit), Ki (128 bit), SRES (32 bit)]
Key generation: A8. Same algorithm as A3. Output: Cipher key Kc. Only 56 bits of Kc are used. [Diagram; labels: SIM, A8, RAND (128 bit), Ki (128 bit), Kc (64 bit)]
Encryption: A5 stream cipher. Input: 228-bit data-frame every 4.6 ms; Framecounter Fn; Secret Key Kc produced by A8. Clocked linear feedback shift registers (LFSRs) generate pseudo random bits PRAND. Output: 114-bit ciphertext bit plaintext. Same PRAND used for encoding and decoding.
A5/1 scheme [Diagram; labels: three registers R, C1, C2, C3, Clocking Unit, Output]
A5 sequence: Zero registers; 64 cycles: Shift-in Kc; 22 cycles: Shift-in Fn; 100 cycles: Diffuse, with irregular clocking; 228 cycles: Generate output, with irregular clocking; XOR PRAND and frame-data
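The A5 sequence above as a runnable A5/1 keystream generator (an added example, not part of the original slides). The register lengths, feedback taps and clocking bits are the publicly documented A5/1 parameters, which the slides do not list; the LSB-first loading order and the sample Kc and Fn values are assumptions of this example.

```python
# A5/1 keystream generator following the slide's sequence (added example).
# Register lengths, feedback taps and clocking bits are the publicly
# documented A5/1 parameters; they are not given on the slides.
R_LEN = (19, 22, 23)
TAPS = ((13, 16, 17, 18), (20, 21), (7, 20, 21, 22))
CLOCK_BIT = (8, 10, 10)


def shift(reg, i, in_bit=0):
    """Clock register i once; in_bit is XORed into the feedback while loading."""
    fb = in_bit
    for t in TAPS[i]:
        fb ^= (reg >> t) & 1
    return ((reg << 1) & ((1 << R_LEN[i]) - 1)) | fb


def clock_majority(regs):
    """Irregular clocking: a register moves only if its clock bit equals the majority."""
    bits = [(regs[i] >> CLOCK_BIT[i]) & 1 for i in range(3)]
    maj = 1 if sum(bits) >= 2 else 0
    return [shift(regs[i], i) if bits[i] == maj else regs[i] for i in range(3)]


def a51_keystream(kc, fn):
    """Return 228 keystream bits (PRAND) for a 64-bit Kc and a 22-bit frame counter Fn."""
    regs = [0, 0, 0]                           # zero registers
    for n, value in ((64, kc), (22, fn)):      # 64 cycles Kc, then 22 cycles Fn
        for k in range(n):                     # regular clocking; LSB first (assumption)
            bit = (value >> k) & 1
            regs = [shift(regs[i], i, bit) for i in range(3)]
    for _ in range(100):                       # 100 cycles diffusion, output discarded
        regs = clock_majority(regs)
    out = []
    for _ in range(228):                       # 228 cycles of output
        regs = clock_majority(regs)
        out.append(sum((regs[i] >> (R_LEN[i] - 1)) & 1 for i in range(3)) & 1)
    return out


def xor_frame(bits, prand):
    """Encrypt or decrypt: the same PRAND is XORed onto the frame in both cases."""
    return [b ^ p for b, p in zip(bits, prand)]


if __name__ == "__main__":
    kc, fn = 0x0123456789ABCDEF, 0x134         # constructed sample values
    prand = a51_keystream(kc, fn)
    print("".join(map(str, prand[:114])))
```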
A5/2 scheme [Diagram; labels: four registers R, Majority, Clocking Unit, Output]
Attacks in real life: Knowledge and hardware needed; Only on short distances. More effective ways: Wiretapping; Eavesdropping; Microphones with directional effect; ...
Conclusion: "Every chain is only as strong as its weakest link". Good design, bad implementation; Tradeoff because of limited hardware capabilities. Future networks will use stronger ciphers; 3G: A5/3 "Kasumi" = "Misty" block cipher. Enough protection for everyday-users.