Agenda

A5 Overview:
- LFSR (Linear Feedback Shift Registers)
- A5/1 Description
Attacks on A5:
- Space/Time Attacks Overview (by Babbage)
- Cryptanalysis of A5/1 (by Biryukov, Shamir, Wagner)
Other Attacks on GSM
Conclusion
LFSR structure

Purpose: to produce a pseudo-random bit sequence. An LFSR consists of two parts:
- shift register: the bit sequence b1, b2, ..., bn
- feedback function: the XOR of the tap bits; its output is shifted in as the new value
Tap sequence: the bits that are input to the feedback function.
[Figure: register cells b1 ... bn; the tap bits are XORed together and the result is fed back as the new input bit]
LFSR Features

LFSR period: the length of the output sequence before it starts repeating itself.
- An n-bit LFSR has 2^n internal states, but the all-zero state is a fixed point (it only ever produces zeros), so at most 2^n - 1 states lie on a useful cycle.
- The maximal period is therefore 2^n - 1.
- The tap sequence determines the period: the period is maximal for every nonzero start state exactly when the feedback polynomial (the polynomial formed by the tap sequence, plus 1) is a primitive polynomial over GF(2).
LFSR Example: x^12 + x^6 + x^4 + x + 1 corresponds to an LFSR of length 12.
[Figure: register cells b1 ... b12, with the tap bits b1, b4, b6 and b12 feeding the XOR]
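The following is an added example (not code from the lecture): a Fibonacci LFSR built from its feedback polynomial, with a routine that measures the period of the cycle through a given start state. The polynomial is written as its list of exponents (x^4 + x + 1 is [4, 1, 0]), the degree being the register length. The small polynomials in the test are known primitive/non-primitive cases; the length-12 polynomial from the slide is only run in the demo.

```python
"""Fibonacci LFSR from a feedback polynomial, with period measurement.

Added example, not from the lecture slides. A polynomial is given as the
list of its exponents, e.g. x^4 + x + 1 -> [4, 1, 0]; the degree n is the
register length and the remaining exponents are the tap positions.
"""


def lfsr_step(state, exps):
    """One clock: emit the oldest bit and shift in the XOR of the tap bits.

    state: list of n bits, state[0] being the oldest (the bit about to leave).
    exps:  the exponents below n, so x^n + sum x^e + 1 gives the recurrence
           s[k+n] = XOR of s[k+e] over those e (exponent 0 included).
    """
    new_bit = 0
    for e in exps:
        new_bit ^= state[e]
    return state[1:] + [new_bit], state[0]


def _split(poly):
    n = max(poly)
    if 0 not in poly:
        # Without the constant term the step is not a bijection and the
        # register can fall into the all-zero state; reject such polynomials.
        raise ValueError("feedback polynomial needs the constant term 1")
    return n, [e for e in poly if e != n]


def lfsr_bits(poly, seed, count):
    """Return `count` output bits of the LFSR defined by `poly` from `seed`."""
    n, exps = _split(poly)
    state = list(seed)
    out = []
    for _ in range(count):
        state, bit = lfsr_step(state, exps)
        out.append(bit)
    return out


def lfsr_period(poly, seed=None):
    """Clocks until the register returns to `seed` (default 1 0 0 ... 0).

    For a primitive polynomial this is 2^n - 1 for every nonzero seed; a
    non-primitive polynomial yields shorter cycles.
    """
    n, exps = _split(poly)
    state = list(seed) if seed else [1] + [0] * (n - 1)
    if not any(state):
        raise ValueError("the all-zero state is a fixed point, not a cycle")
    start = list(state)
    steps = 0
    while True:
        state, _ = lfsr_step(state, exps)
        steps += 1
        if state == start:
            return steps


def is_maximal(poly):
    """True iff the register runs through all 2^n - 1 nonzero states."""
    return lfsr_period(poly) == (1 << max(poly)) - 1


if __name__ == "__main__":
    for poly in ([3, 1, 0], [4, 1, 0], [4, 3, 2, 1, 0], [12, 6, 4, 1, 0]):
        print(poly, "period", lfsr_period(poly),
              "(maximal)" if is_maximal(poly) else "(not maximal)")
    print("x^4 + x + 1 from 1000:", lfsr_bits([4, 1, 0], [1, 0, 0, 0], 16))
```

Running the demo shows that x^4 + x^3 + x^2 + x + 1 (which divides x^5 + 1) cycles after only 5 clocks even though it has the same degree as the maximal x^4 + x + 1.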
A5/1 Overview

A5/1 is a stream cipher that is initialized all over again for every frame sent. It consists of 3 LFSRs of 19, 22 and 23 bits (64 bits of state in total). The 3 registers are clocked in a stop/go fashion using the majority rule.

"Cryptography is a mixture of mathematics and muddle, and without the muddle the mathematics can be used against you." - Ian Cassells, a former Bletchley Park cryptanalyst.
[Figure: the three registers R1, R2, R3 with their clocking taps C1, C2, C3 feeding the majority clock control]
A5/1: Operation

- All 3 registers are zeroed.
- 64 cycles (without the stop/go clock): each bit of the key K (LSB to MSB) is XORed in parallel into the LSBs of the three registers.
- 22 cycles (without the stop/go clock): each bit of the frame number Fn (LSB to MSB) is XORed in parallel into the LSBs of the registers.
- 100 cycles with the stop/go clock control, discarding the output.
- 228 cycles with the stop/go clock control, which produce the output bit sequence (114 bits for each direction of the frame).
The Model

The internal state of the A5/1 generator is the state of all 64 bits in the 3 registers, so there are 2^64 states. The operation of A5/1 can be viewed as a state transition S0 → S1 → S2 → ... → St, each state emitting one keystream bit k0, k1, k2, ..., kt. The standard attack assumes knowledge of about 64 output bits (64 bits → 2^64 different sequences, enough to pin down one 64-bit state).
Space/Time Trade-Off Attack I

Get keystream bits k1, k2, ..., k(M+n) and prepare the M subsequences (n-bit windows): k1..kn; k2..k(n+1); ...; kM..k(n+M). Then repeatedly: generate a random state Si, generate its n-bit keystream, and look for that keystream among the M prepared subsequences. A hit tells us the generator was in state Si at that offset.
Space/Time Trade-Off Attack II

Select R random states S1, ..., SR and for each state generate an n-bit keystream prefix: S1: k(1,1)..k(1,n); S2: k(2,1)..k(2,n); ...; SR: k(R,1)..k(R,n). Store the prefixes (sorted, so they can be searched) together with their states. Then get keystream bits k1, k2, ..., k(M+n), prepare the M subsequences as before, and look each subsequence up among the prepared prefixes; a hit gives the generator state at that offset. By the birthday argument a hit is expected once R · M is about the number of states.
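Both variants of the trade-off, as an added example that is not part of the lecture. Since 2^64 A5/1 states cannot be tabulated here, the target is a stand-in generator: a 16-bit LFSR (x^16 + x^14 + x^13 + x^11 + 1, period 65535) behind a nonlinear output filter, so that an n-bit window does not simply spell out the state. Variant I indexes the M keystream windows and tries R random states; variant II indexes R random states and scans the M windows. The parameters R = M = 2^10 and n = 32, the seed and the "secret" state are all constructed for the demo.

```python
"""Babbage's space/time trade-off (both variants) against a toy generator.

Added example, not from the slides. The generator stands in for A5/1:
2^16 states instead of 2^64. Every table hit is verified against the rest
of the observed keystream, which weeds out accidental prefix matches.
"""
import random

STATE_BITS = 16
N_STATES = (1 << STATE_BITS) - 1        # nonzero states of the toy generator


def next_state(s):
    """Fibonacci LFSR step for x^16 + x^14 + x^13 + x^11 + 1 (period 65535)."""
    bit = (s ^ (s >> 2) ^ (s >> 3) ^ (s >> 5)) & 1
    return (s >> 1) | (bit << 15)


def output_bit(s):
    """Nonlinear filter on the state, so prefixes are not the state itself."""
    return (s ^ ((s >> 2) & (s >> 5)) ^ ((s >> 7) & (s >> 11) & (s >> 14))) & 1


def keystream_from(s, n):
    bits = []
    for _ in range(n):
        bits.append(output_bit(s))
        s = next_state(s)
    return bits


def bits_to_int(bits):
    v = 0
    for b in bits:
        v = (v << 1) | b
    return v


def random_state(rng):
    return rng.randrange(1, 1 << STATE_BITS)


def variant2_precompute(R, n, rng):
    """Offline phase of variant II: R random states keyed by n-bit prefix."""
    return {bits_to_int(keystream_from(s, n)): s
            for s in (random_state(rng) for _ in range(R))}


def variant2_online(table, ks, n):
    """Online phase of variant II: slide an n-bit window over the keystream."""
    for j in range(len(ks) - n + 1):
        cand = table.get(bits_to_int(ks[j:j + n]))
        if cand is not None and keystream_from(cand, len(ks) - j) == ks[j:]:
            return j, cand              # generator was in state cand at bit j
    return None


def variant1(ks, n, R, rng):
    """Variant I: index the keystream windows, then try R random states."""
    windows = {}
    for j in range(len(ks) - n + 1):
        windows.setdefault(bits_to_int(ks[j:j + n]), j)
    for _ in range(R):
        s = random_state(rng)
        j = windows.get(bits_to_int(keystream_from(s, n)))
        if j is not None and keystream_from(s, len(ks) - j) == ks[j:]:
            return j, s
    return None


def demo(R=1 << 10, M=1 << 10, n=32, seed=1):
    """R * M = 2^20 = 16 * N_STATES: about 16 true hits are expected per
    variant, so a miss is astronomically unlikely (constructed parameters)."""
    rng = random.Random(seed)
    table = variant2_precompute(R, n, rng)      # offline, before any data
    secret = random_state(rng)                  # the unknown generator state
    ks = keystream_from(secret, M + n)          # what the attacker observes
    return ks, variant2_online(table, ks, n), variant1(ks, n, R, rng)


if __name__ == "__main__":
    ks, hit2, hit1 = demo()
    print("variant II (offset, state):", hit2)
    print("variant I  (offset, state):", hit1)
```

Note that the recovered state is verified by regenerating the rest of the observed keystream, not by comparing against the secret: that is all an attacker can check, and it is all that is needed to continue decrypting.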
Shamir/Biryukov Attack Outline

Two 73 GB disks and the first 2 minutes of a conversation are needed; the key is then found in less than a second. The attack is based on the second variant of the space/time trade-off. There are n = 2^64 total states.
- A: the set of prepared states (with their prefixes)
- B: the set of states through which the algorithm proceeds during the conversation
The main idea: find a state s in A ∩ B (states are identified by their prefix), then run the algorithm in the reverse direction from s to recover the initial state and hence the key.
Biased Birthday Attack

Birthday paradox: A ∩ B ≠ ∅ (with constant probability) if |A| · |B| ≈ n. More generally, if each state s is chosen for A with probability P_A(s) and for B with probability P_B(s), the expected number of common states is Σ_s P_A(s) · P_B(s), so the intersection will be non-empty (with good probability) if Σ_s P_A(s) · P_B(s) ≈ 1. The idea is to choose the states of A and B with two non-uniform distributions that are correlated with each other, so that the sum is large even though A and B are far smaller than √n.
Disk Storage

- Each disk record holds a (prefix, state) pair. The prefixes can be sorted and thus serve as indices into the array of states.
- The registers are small, so we can precompute all of their states and store them in 3 cyclic arrays. For each register state we only need to store two bits: the clock bit and the output bit.
- An A5/1 state is then a triple of indices (i, j, k) into the three arrays. At each step we only have to know which of the three indices should be incremented; this is a precomputed table with 3 input bits (the clock bits c1, c2, c3) and the increment vector (inc1, inc2, inc3) as output. No shift operations!
Special States

Disk access is very time-consuming! So keep on disk (set A) only those states whose output sequence starts with a certain pattern α, |α| = k, and access the disk only when α is encountered in the keystream. Only a fraction 2^-k of all prefixes start with α, so both the number of candidate states (n) and the number of disk accesses are reduced by a factor of 2^k. The size of A, however, is unchanged: we simply insert only states that satisfy the condition. Thus we don't miss any intersections.
Generation of Special States

Choosing the needed 2^48 special states by filtering all 2^64 states? It's too time-consuming and unrealistic. The solution is to generate them directly, exploiting the fact that each register moves in approximately ¾ of the cycles, so the first output bits depend on only part of each register.
[Figure: registers R1, R2, R3 with their clocking taps C1, C2, C3 and the chosen bits marked (19 bits, 11 bits, 12 bits, 11 bits); 2^41 chosen bits in total]
Reversing A5/1

The forward state transition is deterministic, but in the reverse direction a state can have up to 4 predecessors because of the majority clock control: a step clocks either all three registers or any two of them, so for each of these 4 clocking patterns one undoes the shift of the clocked registers and then checks whether the majority rule applied to the candidate would really have produced that pattern.
Example:
[Figure: the three registers with their clocking taps C1, C2, C3]
What was the clock majority bit at the previous round? Here we see that none of the candidates is consistent: this state has no predecessors!
Estimations

- We need 5 bytes per state on disk (73 GB per disk, two disks), so we can afford 146 · 2^30 / 5 ≈ 2^35 states.
- We use 51-bit prefixes (the first 16 bits are α).
- How many times will α be encountered in the data?
  - there are 228 bits of data per frame, that is 228 - 51 = 177 "relevant offsets" at which a 51-bit prefix still fits inside the frame
  - 2 minutes of operation, that is 120 · 1000/4.5 frames (one frame every ~4.5 ms)
  - 2^-16 is the fraction of all possible states whose output starts with α
  - so the number of occurrences is 2^-16 · 177 · 120 · 1000/4.5 ≈ 71
Tree Exploration

- A state is red if the sequence of output bits produced from it starts with α. There are 2^48 red states.
- A state is green if the sequence produced from it contains an α-occurrence between bit positions 101 and 277, i.e. within the 228 output bits that follow the 100 discarded ones. There are about 177 · 2^48 green states.
- We can assume that the short path (of length 277) contains only one occurrence of α, so the mapping from green states to red states is many-to-one.
Tree Exploration II

The set of relevant states can be viewed as a collection of disjoint trees, each with a red state as its root and green states as the remaining nodes (the edges run against the direction of sequence generation). We're interested in trees with green states at levels 101 to 277. The weight of a tree, W(s), is the number of green states at those levels.
[Figure: sequence generation runs forwards from the leaves to the root; the tree is explored in the reverse direction]
Tree Exploration III

It is experimentally found that W(s) has a highly non-uniform distribution:
- 85% of the trees die before reaching level 101
- ...% of the trees have 1 ≤ W(s) ≤ ...
- ...% of the trees have 1 ≤ W(s) ≤ 2600
Choose 2^35 states (biased probability) with particularly heavy trees (average weight 12500) out of the 2^48 red states. The expected number of collisions with the 71 α-occurrences is then 2^35 · 12500 · 71 / (177 · 2^48) ≈ 0.61.
Tree Exploration IV

Do heavy trees mean a large number of green-state candidates? No: we know the exact location of α in the keystream, so we know the exact depth in the tree, and the trees are narrow, so the total number of states we'll have to check is less than 100!
Attack Summary

- Due to the frequent reinitialization (for every new frame), it's possible to efficiently run the algorithm backwards (328 steps: the 100 discarded plus the 228 output cycles).
- Poor choice of the clocking taps: their position in the middle of the registers is what makes the special states so easy to generate.
- Each one of the registers is so small that it's possible to precompute all its states.
Attacks on the Signaling Network

The transmissions are encrypted only between the MS (mobile station) and the BTS (base transceiver station). Beyond the BTS, the protocols between MSC and BSC (BSSAP) and inside the operator's network (MAP) are unencrypted, allowing anyone who has access to the signaling system to read or modify the data on the fly! So the SS7 signaling network is completely insecure: the attacker can capture the actual phone call as well as RAND and SRES...
Attacks on the Signaling Network (cont.)

If the attacker can access the HLR, s/he will be able to retrieve Ki for all subscribers of that particular network.
Retrieving Ki over the Air

The key Ki can be retrieved from the SIM over the air:
- The MS is required to respond to every challenge made by the GSM network (there is no authentication of the BTS).
- An attack based on differential cryptanalysis (of COMP128) could take 8-15 hours and requires that the signal from the legitimate BTS be disabled for that time, but it's still realistic...
The same attack could be applied to the AuC:
- It also has to answer the requests made by the GSM network.
- It's much faster than a SIM.
SMS Architecture

SMS is a "store and forward" message system: the message is sent from the originator to the SMS Center (SMSC), and then on to the recipient. SMS messages can be up to 160 characters long and are sent in the clear (in several different formats).
SMS Attacks

An SMS packet carries, besides the message body, instructions to the SIM, to the handset, to the SMSC and to the air interface.
- A broken UDH (user data header) in an SMS message caused a crash in some Nokia phones. Recovering required the user to put the SIM into a non-affected phone and delete the offending message.
- Spoofing SMS messages: the originating address field can be set to anything.
Applications using SMS should therefore take care of authentication themselves and also encrypt their messages!
Conclusions

Pros:
- It's the most secure cellular telecommunication system available today (2-2.5G).
- Good framework for reasonably secure communications.
- The security model has minimal impact on manufacturers:
  - SIM: keys, A3, A8, etc.
  - SIM Toolkit: additional SIM functionality
  - Mobile Equipment: A5
- The future, 3GPP: the design is public, mutual authentication (EAP-SIM Authentication), increased key length, security within and between networks, etc.
Conclusions (cont.)

Cons:
- Security by obscurity.
- Only access security: it doesn't provide end-to-end security.
- GSM security is broken at many levels and vulnerable to numerous attacks.
- Even if the security algorithms were not broken, the GSM architecture would still be vulnerable to attacks from the inside or attacks targeting the operator's backbone.
- No mutual authentication.
- Confidential information requires additional encryption on top of GSM.
References

- GSM Association, M. Rahnema, "Overview of the GSM System and Protocol Architecture", IEEE Communications Magazine, April 1993
- L. Pesonen, "GSM Interception", November 1999
- J. Rao, P. Rohatgi, H. Scherzer, S. Tinguely, "Partitioning Attacks: Or How to Rapidly Clone Some GSM Cards", IEEE Symposium on Security and Privacy, May
- P. Kocher, J. Jaffe, "Introduction to Differential Power Analysis and Related Attacks", Cryptography Research, 1998
- S. Babbage, "A Space/Time Trade-off in Exhaustive Search Attacks on Stream Ciphers", European Convention on Security and Detection, IEE Conference Publication No. 408, May
- A. Biryukov, A. Shamir, D. Wagner, "Real Time Cryptanalysis of A5/1 on a PC", Preproceedings of FSE 2000 (7th Fast Software Encryption Workshop), pp. 1-18, 2000
- ISAAC, University of California, Berkeley, "GSM Cloning"
- S. Chan, "An Overview of Smart Card Security"