GSM CLONING. GSM (Global System for Mobile Communication) Most widely used cellular mobile phone system. First digital system to follow analog era. Specification.


1 GSM CLONING

2 GSM (Global System for Mobile Communication) Most widely used cellular mobile phone system. First digital system to follow analog era. Specification designed by GSM Consortium in secrecy. Relied on Security by Obscurity. Distributed on need-to-know basis. Eventually leaked out and researchers have found many ways to break the GSM algorithms. One way was breaking COMP128 to retrieve the secret key from a SIM card.

3

4

5 A8: Session Key. COMP128: SRES, Session Key. A3: Signature Response.

6 COMP128 Pseudocode:
Input: 16 byte secret key, 16 byte RAND
Output: 4 byte SRES, 8 byte session key (simoutput[12])
Load RAND into x[16…31]
Perform the following 8 times
– Load secret key into x[0…15]
– Compression
– Bits to Bytes
– Permutation (only on first 7 rounds)
Compress 16 bytes to 12 bytes (simoutput)
Return simoutput[ ]

7

8 Permutation: - Bits to Bytes - Only 4 bits in each entry - Example shows bits for x[0] (bits 0, 17, 34, 51, 68, 85, 102, 119); x[1] gets bits 8, 25, 42, 59, 76, 93, 110, 127. [Figure: bits mapped to bytes x[0], x[1], x[2]]

9

10 What went wrong? The design of a cryptosystem should follow Kerckhoffs’ principle. The GSM design committee kept all security specifications secret.

11 Attacks on COMP128. April 13, 1998: Marc Briceno (Director of the Smartcard Developer Association) and two U.C. Berkeley researchers, David Wagner and Ian Goldberg: the 128-bit Ki could be deduced by collecting around 150,000 chosen RAND-SRES pairs. May 2002: IBM side-channel attack (Partitioning Attack): 1000 random inputs, or 255 chosen inputs, or only 8 adaptively chosen inputs.

12 [Figure: 128-bit Ki, 128-bit RAND]

13 Crypto-attack by B. and G. Information leaking. A narrow “pipe” exists in COMP128: bytes i, i+8, i+16, i+24 at the output of the 2nd level depend only on bytes i, i+8, i+16, i+24 of the initial input. Birthday paradox. Differential technique.
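
The narrow pipe on slide 13 can be checked from the compression structure alone, without any table contents. This is an added example, not part of the original slides; the butterfly index pattern is assumed from the publicly circulated COMP128 reference code, since the slide's figure did not survive.

```python
# Added example: track which input bytes each byte depends on as it passes
# through the levels of one COMP128 compression. Table values are irrelevant;
# only the pairing of byte positions at each level matters.

def butterfly_pairs(level):
    """Byte index pairs (m, n) mixed together at a compression level (0..4).
    Index pattern assumed from the public COMP128 reference code."""
    pairs = []
    for k in range(1 << level):
        for l in range(1 << (4 - level)):
            m = l + k * (1 << (5 - level))
            n = m + (1 << (4 - level))
            pairs.append((m, n))
    return pairs

def dependencies(levels):
    """For each of the 32 bytes, the set of input positions it depends on
    after the first `levels` levels. x[0..15] = Ki, x[16..31] = RAND."""
    deps = [{i} for i in range(32)]
    for level in range(levels):
        for m, n in butterfly_pairs(level):
            merged = deps[m] | deps[n]   # both outputs depend on both inputs
            deps[m] = merged
            deps[n] = merged
    return deps

def pipes():
    """Group byte positions by identical dependency set after the 2nd level."""
    groups = {}
    for idx, d in enumerate(dependencies(2)):
        groups.setdefault(frozenset(d), []).append(idx)
    return groups

def describe(i):
    """Key bytes and RAND bytes feeding pipe i after the 2nd level."""
    d = sorted(dependencies(2)[i])
    return [b for b in d if b < 16], [b - 16 for b in d if b >= 16]

if __name__ == "__main__":
    for i in range(8):
        key, rand = describe(i)
        print(f"pipe {i}: Ki bytes {key}, RAND bytes {rand}")
    print("after all 5 levels:", len(dependencies(5)[0]), "input bytes")
```

Each of the eight pipes involves only two key bytes and two RAND bytes, which is why a collision in one pipe can be searched for independently of the rest of the key.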

14 [Figure: 128-bit Ki, 128-bit RAND; levels of 8 bits, 7 bits, 6 bits, 5 bits, 4 bits]

15 Crypto-attack cont. After the compression at level 1, the correlated 32 bits → 28 bits. Transfer problem to Collision Attack. Alg. in the Random Oracle Model FINDCOLLISION 1. Choose 2. For each 3. do 4. If for some 5. then return 6. else return (failure)

16 Crypto-attack cont.2 The birthday paradox tells us if let our, we have probability at least 1/2 to get a collision. The expectation of the number of queries: How many chances can we have? The total expected queries to recover the entire 128 bit Ki is How fast can we get? Computational ability of IC: 6.25 queries/s. Total recovery period: 7.3 hours.

17 Improvement on B. and G. Pre-compute 8 tables each has entries. Every time we find a collision, just look up the corresponding tables to find the key. Space requirements: GB Limitation: The bottle-neck of recovery time is dominated by computational time of IC. This technique could decrease computational requirement of PC, but the whole time won’t decrease so much.

18 Evaluation of B. G.’s Method. Pros: Easy to implement. High accuracy. Doesn’t have to have physical access to the SIM card. Cons: Slow: 7.3 hours. Spurious key. Assumption. Avoidance.

19 Gains from B.G.’s Attack: Necessity of the open design process. Importance of the first round. Aftermath of collisions.

20 Partitioning Attack. Side channels: – Timing of operations – Power consumption – Electromagnetic emanations. Cardinal Principle: Relevant bits of intermediate cycles and their values should be statistically independent of the inputs, outputs and sensitive information.

21 Partitioning Attack cont. Problems in COMP128: – Huge correlation between MSB of R[0] and the beginning of the first compression. – Substitution. Table look up operation. – Implementation in IC. [Figure]

22 Partitioning Attack cont.2 Explanation for the correlation: X[i]=T0[K[i]+2*R[i]] and X[i+16]=T0[2K[i]+R[i]]. Example: Byte 1: all signals with R[0] in the range [0-26] and [155-255] fell in one category and all signals with R[0] in the range [27-154] fell into the other. Byte 2: R[0] in the range [0-105] signals fell in one category and [106-255] signals fell into the other. [Graph] K+2*26<256, K+2*27>=256, K=? K=202 or 203. 2*K+105 =512 K=203
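
The arithmetic on slide 22 can be checked by brute force over all 256 values of the key byte. This is an added example, not part of the original slides; it assumes the leak is which 256-entry half of the 512-entry table T0 a lookup addresses, and it goes slightly beyond the slide by counting how many key bytes the first lookup alone leaves ambiguous.

```python
# Added example: the slide's arithmetic for one key byte, checked exhaustively.
# Leak model (an assumption drawn from the slide's inequalities): the signal
# reveals which 256-entry half of the 512-entry table T0 is addressed.

def upper_half_first(k, r):
    """X[i] = T0[K[i] + 2*R[i]]: True if the index (mod 512) is >= 256."""
    return (k + 2 * r) % 512 >= 256

def upper_half_second(k, r):
    """X[i+16] = T0[2*K[i] + R[i]]: True if the index (mod 512) is >= 256."""
    return (2 * k + r) % 512 >= 256

def upper_set(lookup, k):
    """All values of the RAND byte that send this lookup to the upper half."""
    return frozenset(r for r in range(256) if lookup(k, r))

def candidates(lookup, observed_upper):
    """Key bytes whose predicted partition equals the observed one."""
    return [k for k in range(256) if upper_set(lookup, k) == observed_upper]

# Partitions constructed from the ranges quoted on the slide.
# First lookup: R[0] in [27-154] is the upper half (per K+2*27>=256).
FIRST_UPPER = frozenset(range(27, 155))
# Second lookup: R[0] in [0-105] is one category (taken here as the upper half).
SECOND_UPPER = frozenset(range(0, 106))

def recover_key_byte():
    first = candidates(upper_half_first, FIRST_UPPER)
    second = candidates(upper_half_second, SECOND_UPPER)
    return first, second, sorted(set(first) & set(second))

def ambiguous_after_first_lookup():
    """Count key bytes that share their first-lookup partition with another."""
    seen = {}
    for k in range(256):
        seen.setdefault(upper_set(upper_half_first, k), []).append(k)
    return sum(len(v) for v in seen.values() if len(v) > 1)

if __name__ == "__main__":
    first, second, both = recover_key_byte()
    print("first lookup :", first)
    print("second lookup:", second)
    print("combined     :", both)
    print("ambiguous after first lookup:", ambiguous_after_first_lookup())
```

Under this model every key byte is pinned to a pair of neighbours by the first lookup and to a single value once the second is added, which is the dependence on secret data that the Cardinal Principle on slide 20 rules out.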

23 Partitioning Attack cont.3 Efficiency: – 1000 samples with random inputs – 256 chosen inputs – 8 adaptively chosen inputs

24 Future Improvements. COMP128-2 has replaced COMP128 to overcome some weaknesses. COMP128-3 is developed to generate 64 bits for Kc. COMP128-4 is under development, based on the 3GPP (3rd Generation Partnership Project) algorithm (AES).

25 Input correlation for MSB of R[0]

