Presentation is loading. Please wait.

Presentation is loading. Please wait.

GSM network and its privacy Thomas Stockinger. Overview Why privacy and security? GSM network‘s fundamentals Basic communication Authentication Key generation.

Similar presentations


Presentation on theme: "GSM network and its privacy Thomas Stockinger. Overview Why privacy and security? GSM network‘s fundamentals Basic communication Authentication Key generation."— Presentation transcript:

1 GSM network and its privacy Thomas Stockinger

2 Overview Why privacy and security? GSM network‘s fundamentals Basic communication Authentication Key generation Encryption: The A5 algorithm Attacks Conclusion

3 Why? From technical point of view Electromagnetic waves as communication media From customer’s point of view Privacy Cell phone cloning From operator’s point of view Billing fraud Loss of customer faith m-commerce applications

4 The GSM network 1982 – Start of design Group Spécial Mobile 1991 – Commerical start Global System for Mobile Communication Worldwide system Digital Cellular Subscriber Identity Module (SIM) Flexible design (SMS, MMS, 2.5G, 3G,...)

5

6 Security services Authentication Through challenge-response Identity protection Through temporary identification number User data protection Through encryption Signaling data protection Through encryption

7 Mobile Equipment A3 A5 A8 SIM GSM communication Encrypted data Radio Interface „over-the-air“ Base Station A3 A5 A8 K C (64 bit) Response SRES (32 bit) K I (128 bit) Challenge RAND (128bit) K I (128 bit) ?

8 Algorithms PurposeAlgorithmVariations AuthenticationA3COMP Key generationA8COMP EncryptionA5A5/0 A5/1 A5/2... Optimized for hardware Never officially published („security by obscurity“) A3 / A8 may be choosen by operator COMP128 is assumed to be only a „proof of concept“

9 Authentication: A3 Input: Random challenge RAND + Secret Key Ki Output: Signed response SRES Completely implemented in the SmartCard Ki never leaves the SIM COMP128 algorithm or variations A3 RAND (128 bit) Ki (128 bit) SRES (32 bit) SIM

10 Key generation: A8 Same algorithm as A3 Output: Cipher key Kc Only 56 bits of Kc are used A8 RAND (128 bit) Ki (128 bit) Kc (64 bit) SIM

11 Encryption: A5 stream cipher Input: 228-bit data-frame every 4.6 ms Framecounter Fn Secret Key Kc produced by A8 Clocked linear feedback shift registers (LFSRs) generate pseudo random bits PRAND Output: 114-bit ciphertext bit plaintext Same PRAND used for encoding and decoding

12 A5/1 scheme R R R Output C1 C2 C3 Clocking Unit

13 A5 sequence Zero registers 64 cycles: Shift-in Kc 22 cycles: Shift-in Fn 100 cycles: Diffuse, with irregular clocking 228 cycles: Generate output, with irregular clocking XOR PRAND and frame-data

14 A5/2 scheme R R R R Output Majority Clocking Unit

15 Cryptanalytical attacks Algorithms kept secret After reverse-engineering, many attacks: Golic, 1997 (A5/1) Goldberg + Wagner, 1998 (COMP128) Goldberg + Wagner + Briceno, 1999 (A5/2) Biryukov+ Shamir + Wagner, 2000 (A5/1) Biham + Dunkelman, 2000 (A5/1) Ekdahl + Johansson, 2002 (A5/1) Barkan + Biham + Keller, 2003 (A5/2) COMP128 and A5/2 completely broken A5/1 very weak

16 Attacks in real life Knowledge and hardware needed Only on short distances More effective ways: Wiretapping Eavesdropping Microphones with directional effect...

17 Conclusion „Every chain is only as strong as its weakest link“ Good design, bad implementation Tradeoff because of limited hardware capabilities Future networks will use stronger ciphers 3G: A5/3 „Kasumi“ = „Misty“ block cipher Enough protection for everyday-users

18 Thank you! Questions?


Download ppt "GSM network and its privacy Thomas Stockinger. Overview Why privacy and security? GSM network‘s fundamentals Basic communication Authentication Key generation."

Similar presentations


Ads by Google