Agenda
- A5 Overview: LFSR (Linear Feedback Shift Registers), A5/1 Description
- Attack on A5: Space-Time Attacks Overview (by Babbage), Cryptanalysis of A5/1 (by Shamir, Biryukov, Wagner)
- Other Attacks on GSM
- Conclusion
LFSR Structure
- Purpose: to produce a pseudo-random bit sequence
- Consists of two parts: a shift register (the bit sequence b1 b2 b3 b4 ... bn-1 bn) and a feedback function (XOR)
- (figure: the feedback XOR computes the new value shifted into one end of the register; the bit shifted out at the other end is the output)
- Tap sequence: the bits that are input to the feedback function
LFSR Features
- LFSR period: the length of the output sequence before it starts repeating itself
- An n-bit LFSR can be in 2^n - 1 internal states (the all-zero state is excluded), so the maximal period is also 2^n - 1
- The tap sequence determines the period
- For the maximal period, the polynomial formed by the tap sequence plus 1 must be a primitive polynomial (mod 2)
LFSR Example
- x^12 + x^6 + x^4 + x + 1 corresponds to an LFSR of length 12 (figure: register cells b1 b2 b3 b4 b5 b6 b7 b8 b9 b10 b11 b12, with the tapped cells feeding the XOR)
A5/1 Overview
“Cryptography is a mixture of mathematics and muddle, and without the muddle the mathematics can be used against you.” - Ian Cassells, a former Bletchley Park cryptanalyst.
- A5/1 is a stream cipher, which is initialized all over again for every frame sent
- Consists of 3 LFSRs of 19, 22 and 23 bits length
- The 3 registers are clocked in a stop/go fashion using the majority rule
A5/1: Operation
- All 3 registers are zeroed
- 64 cycles (without the stop/go clock): each bit of K (lsb to msb) is XOR'ed in parallel into the lsb's of the registers
- 22 cycles (without the stop/go clock): each bit of Fn, the frame number (lsb to msb), is XOR'ed in parallel into the lsb's of the registers
- 100 cycles with the stop/go clock control, discarding the output
- 228 cycles with the stop/go clock control, which produce the output bit sequence
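The LFSR and A5/1 slides above, as an added worked example that is not part of the original deck: a generic LFSR, the 2^12 - 1 period check for x^12 + x^6 + x^4 + x + 1, and an A5/1 keystream generator following the loading/warm-up/output schedule just described, with the majority clocking implemented as a precomputed 3-bit table. The tap positions and clock-control bits are the publicly documented A5/1 parameters, assumed here because the slides give only the register lengths.

```python
# Added example, not from the slides: a generic LFSR, the period check for
# x^12 + x^6 + x^4 + x + 1, and an A5/1 keystream generator with majority
# clocking. Taps and clock bits are the publicly documented A5/1 values.

def lfsr_step(state, taps, n):
    """Shift the n-bit register left; the new lsb is the XOR of the tapped
    bits (bit 0 = lsb). Returns (new_state, output_bit) with the msb as output."""
    fb = 0
    for t in taps:
        fb ^= (state >> t) & 1
    return ((state << 1) | fb) & ((1 << n) - 1), (state >> (n - 1)) & 1

def lfsr_period(taps, n, seed=1):
    """Steps until the register returns to seed: 2^n - 1 iff the feedback
    polynomial is primitive, e.g. taps (5, 7, 10, 11) for x^12+x^6+x^4+x+1."""
    s, count = seed, 0
    while True:
        s, _ = lfsr_step(s, taps, n)
        count += 1
        if s == seed:
            return count

# A5/1 registers: (length, feedback taps, clock-control bit).
REGS = ((19, (13, 16, 17, 18), 8), (22, (20, 21), 10), (23, (7, 20, 21, 22), 10))

# Precomputed table: the 3 clock bits -> which registers move (majority rule).
CLOCK_TABLE = {}
for c in range(8):
    bits = ((c >> 2) & 1, (c >> 1) & 1, c & 1)
    maj = 1 if sum(bits) >= 2 else 0
    CLOCK_TABLE[bits] = tuple(b == maj for b in bits)

def a5_1_keystream(key, frame):
    """key: 64-bit int, frame: 22-bit int; returns the 228 keystream bits."""
    r = [0, 0, 0]
    # Key then frame loading: every register clocks, the bit is XORed into its lsb.
    for i in range(64 + 22):
        bit = (key >> i) & 1 if i < 64 else (frame >> (i - 64)) & 1
        for j, (n, taps, _) in enumerate(REGS):
            r[j] = lfsr_step(r[j], taps, n)[0] ^ bit
    out = []
    for i in range(100 + 228):  # 100 discarded warm-up cycles, then 228 output bits
        clocks = tuple((r[j] >> REGS[j][2]) & 1 for j in range(3))
        for j, (n, taps, _) in enumerate(REGS):
            if CLOCK_TABLE[clocks][j]:
                r[j] = lfsr_step(r[j], taps, n)[0]
        if i >= 100:
            out.append(((r[0] >> 18) ^ (r[1] >> 21) ^ (r[2] >> 22)) & 1)
    return out
```

Note that an all-zero key and frame leave every register at zero, so the keystream is all zeros: the all-zero state is the one state an LFSR never leaves.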
The Model
- The internal state of the A5/1 generator is the state of all 64 bits in the 3 registers, so there are 2^64 states
- The operation of A5/1 can be viewed as a state transition (figure: S0 → S1 → S2 → ... → St, emitting keystream bits k0, k1, k2, ..., kt)
- The standard attack assumes knowledge of about 64 output bits (64 bits → 2^64 different sequences)
Space/Time Trade-Off Attack I
- Get keystream bits k1, k2, ..., k(M+n) and prepare M subsequences: k1..kn; k2..k(n+1); ...; kM..k(n+M)
- Repeat: generate a random state Si, generate its n-bit keystream, and look for it in the prepared keystream subsequences
Space/Time Trade-Off Attack II
- Select R random states S1, ..., SR and for each state generate an n-bit keystream: S1: k1,1 ... k1,n; S2: k2,1 ... k2,n; ...; SR: kR,1 ... kR,n
- Get keystream bits k1, k2, ..., k(M+n) and prepare M subsequences
- Look for a prepared state
Shamir/Biryukov Attack Outline
- 2 disks (73 GB) and the first 2 minutes of the conversation are needed; the key can then be found in less than a second
- This attack is based on the second variation of the space/time tradeoff
- There are n = 2^64 total states
- A: the set of prepared states (and relevant prefixes)
- B: the set of states through which the algorithm proceeds
- The main idea: find a state s in A ∩ B (the states are identified by prefix), then run the algorithm in the reverse direction
Biased Birthday Attack
- Birthday paradox: A ∩ B ≠ ∅ if |A| ∙ |B| ≈ n
- Each state is chosen for A with probability PA(s) and for B with probability PB(s); then the intersection will not be empty if Σs PA(s) ∙ PB(s) ≈ 1
- The idea is to choose the states of A and B with 2 non-uniform distributions that are correlated with each other
Disk Storage
- A state is represented by the three register indices (i, j, k) (figure: state → prefix)
- State transition: for each register state we only have to store two bits, the clock bit and the output bit
- At each step we only have to know which of the three indices should be incremented; this can be implemented by a precomputed table with 3 input bits (the clock bits) and the increment vector as the output (table excerpt: c1 c2 c3 → inc1 inc2 inc3; rows 0 1 0 and 1 1 0)
- No shift operations!
- The registers are small, so we can precompute all their states and store them in 3 cyclic arrays
- The prefixes can be sorted and thus serve as indices into the states array
Special States
- Disk access is very time-consuming!
- Keep on disk (set A) only those states which produce a sequence that starts with a certain pattern α, |α| = k
- Access the disk only when α is encountered
- Only a 2^-k fraction of the prefixes starts with α, so the number of possible states (n) and the number of disk accesses are both reduced by a factor of 2^k
- The size of A, however, is unchanged, and we only insert the states that satisfy the condition there; thus we don't miss intersections
Generation of Special States
- Choose from all 2^64 states the needed 2^48? It's too time-consuming and unrealistic.
- The solution is to generate them (figure: C1 19 bits; C2 11 + 11 bits; C3 11 + 12 bits; 41 chosen bits)
- Each register moves approximately 3/4 of the cycles
Reversing A5/1
- The forward state transition is deterministic, but in the reverse direction there could be up to 4 predecessors (majority clock control)
- Example (figure: registers C1, C2, C3 with their clock bits): what was the clock majority bit at the previous round? Here we see that there are no predecessors!
Estimations
- We use 51-bit prefixes (the first 16 bits are α)
- We need 5 bytes per state to store on disk (73 GB), so we can afford 146 ∙ 2^30 / 5 ≈ 2^35 states
- How many times will α be encountered in the data?
  - there are 228 bits of data per frame, that is, 177 (= 228 - 51) "relevant offsets"
  - 2 minutes of operation, that is, 120 ∙ 1000 / 4.5 frames
  - 2^-16 is the fraction of all possible states which start with α
  - so the number of occurrences is 2^-16 ∙ 177 ∙ 120 ∙ 1000 / 4.5 ≈ 71
Tree Exploration
- A state is red if the sequence of output bits produced from the state starts with α; there are 2^48 red states
- A state is green if the sequence produced from the state contains an α-occurrence between bit positions 101 – 277; there are 177 ∙ 2^48 green states
- We can assume that the short path (of length 277) will contain only one occurrence of α, so the mapping from green to red states is many-to-1
- (figure: red: α at the start of the sequence; green: α later in the sequence)
Tree Exploration II
- The set of relevant states can be viewed as a collection of disjoint trees with a red state as the root and the rest of the nodes green states
- We're interested in trees with green states at the levels where α can occur (bit positions 101 – 277); the weight of a tree, W(s), is the number of green states at those levels
- (figure: a tree, with sequence generation going down and the reverse direction going up)
Tree Exploration III
- It is experimentally found that W(s) has a highly non-uniform distribution:
  - 85% of the trees die before reaching level 100
  - 15% of the trees have 1 ≤ W(s) ≤ 2600
- Choose 2^35 states (biased probability) with particularly heavy trees (average weight 12500) from the overall 2^48 red states
- The expected number of collisions: 2^35 ∙ 12500 ∙ 71 / (177 ∙ 2^48) ≈ 0.61
Tree Exploration IV
- Heavy trees → a large number of green state candidates?
- We know the exact location of α in the sequence, so we know the exact depth in the tree
- The trees are narrow, so the total number of states we'll have to check is less than 100!
Attack Summary
- Due to frequent reinitialization (for every new frame), it's possible to efficiently run the algorithm backwards (328 steps)
- Poor choice of the clocking taps
- Each one of the registers is so small that it's possible to precompute all its states
Attacks on Signaling Network
- The transmissions are encrypted only between MS and BTS; after the BTS, the protocols between MSC and BSC (BSSAP) and inside the operator's network (MAP) are unencrypted, allowing anyone who has access to the signaling system to read or modify the data on the fly!
- So, the SS7 signaling network is completely insecure: the attacker can obtain the actual phone call, RAND & SRES, ...
Attacks on Signaling Network (cont.)
- If the attacker can access the HLR, s/he will be able to retrieve the Ki for all subscribers of that particular network
Retrieving Ki over the Air
- The Ki key can be retrieved from the SIM over the air: the MS is required to respond to every challenge made by the GSM network (there is no authentication of the BTS)
- An attack based on differential cryptanalysis could take 8-15 hours and requires that the signal from the legitimate BTS be disabled for that time, but it's still real ...
- The same attack could be applied to the AuC: it also has to answer the requests made by the GSM network, and it's much faster than a SIM
SMS Architecture
- SMS is a "store and forward" message system: the message is sent from the originator to the SMS Center, and then on to the recipient
- SMS messages can be up to 160 characters in length
- Sent in the clear (but in different formats)
SMS Attacks
- (figure: an SMS packet carries instructions to the air interface, instructions to the SMSC, instructions to the handset, instructions to the SIM, and the message body)
- A broken UDH (user data header) in an SMS message caused a crash in some Nokia phones; it required the user to put their SIM into a non-affected phone and delete the offending message
- Spoofing SMS messages: the Originating Address field can be arbitrarily set to anything
- Applications using SMS should take care of authentication and also encrypt their messages!
Conclusions
Pros
- It's the most secure cellular telecommunication system available today (2-2.5G)
- Good framework for reasonably secure communications
- The security model has minimal impact on manufacturers: SIM (keys, A3, A8, etc.), SIM Toolkit (additional SIM functionality), Mobile Equipment (A5)
- The future, 3GPP: the design is public; mutual authentication (EAP-SIM Authentication), key length increased, security within and between networks, etc.
Conclusions (cont.)
Cons
- Security by obscurity
- Only access security: doesn't provide end-to-end security
- GSM security is broken at many levels, vulnerable to numerous attacks
- Even if the security algorithms are not broken, the GSM architecture will still be vulnerable to attacks from inside or attacks targeting the operator's backbone
- No mutual authentication
- Confidential information requires additional encryption over GSM
References
- GSM Association, http://www.gsmworld.com
- M. Rahnema, "Overview of the GSM System and Protocol Architecture", IEEE Communications Magazine, April 1993
- L. Pesonen, "GSM Interception", November 1999
- J. Rao, P. Rohatgi, H. Scherzer, S. Tinguely, "Partitioning Attack: Or How to Rapidly Clone Some GSM Cards", IEEE Symposium on Security and Privacy, May 2002
- P. Kocher, J. Jaffe, "Introduction to Differential Power Analysis and Related Attacks", Cryptography Research, 1998
- S. Babbage, "A Space/Time Trade-off in Exhaustive Search Attacks on Stream Ciphers", European Convention on Security and Detection, IEE Conference Publication No. 408, May 1999
- A. Biryukov, A. Shamir, D. Wagner, "Real Time Cryptanalysis of A5/1 on a PC", Preproceedings of FSE '7, pp. 1-18, 2000
- ISAAC, University of California, Berkeley, "GSM Cloning"
- S. Chan, "An Overview of Smart Card Security"