GSM CLONING. GSM (Global System for Mobile Communication) Most widely used cellular mobile phone system. First digital system to follow analog era. Specification.

Slides:



Advertisements
Similar presentations
Side-Channel Attacks on RSA with CRT Weakness of RSA Alexander Kozak Jared Vanderbeck.
Advertisements

Lecture 5: Cryptographic Hashes
Differential Fault Analysis on AES Variants Kazuo Sakiyama, Yang Li The University of Electro-Communications Nagoya, Japan.
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
GSM network and its privacy Thomas Stockinger. Overview Why privacy and security? GSM network‘s fundamentals Basic communication Authentication Key generation.
GSM Security Overview (Part 3)
CELLULAR TELEPHONE NETWORK SECURITY Ari Vesanen, Department of Information Processing Sciences, University of Oulu.
Modern Symmetric-Key Ciphers
Query Optimization CS634 Lecture 12, Mar 12, 2014 Slides based on “Database Management Systems” 3 rd ed, Ramakrishnan and Gehrke.
1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.
Differential Power Analysis of Smartcards How secure is your private information? Author: Ryan Junee Supervisor: Matt Barrie.
Computer Science CSC 474By Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.1 Introduction to Cryptography.
Block Ciphers and the Data Encryption Standard
Wide Collisions in Practice Xin Ye, Thomas Eisenbarth Florida Atlantic University, USA 10 th ACNS Singapore.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Block Ciphers: Workhorses of Cryptography COMP 1721 A Winter 2004.
Exploring timing based side channel attacks against i CCMP Suman Jana, Sneha K. Kasera University of Utah Introduction
Session 6: Introduction to cryptanalysis part 2. Symmetric systems The sources of vulnerabilities regarding linearity in block ciphers are S-boxes. Example.
1 Chapter 3 – Block Ciphers and the Data Encryption Standard Modern Block Ciphers  now look at modern block ciphers  one of the most widely used types.
1 Chapter 3 – Block Ciphers and the Data Encryption Standard Modern Block Ciphers  now look at modern block ciphers  one of the most widely used types.
Intro To Encryption Exercise 1. Monoalphabetic Ciphers Examples:  Caesar Cipher  At Bash  PigPen (Will be demonstrated)  …
1 An Empirical Study on Large-Scale Content-Based Image Retrieval Group Meeting Presented by Wyman
Session 6: Introduction to cryptanalysis part 1. Contents Problem definition Symmetric systems cryptanalysis Particularities of block ciphers cryptanalysis.
Lecture 2.2: Private Key Cryptography II CS 436/636/736 Spring 2012 Nitesh Saxena.
Chapter 3 – Block Ciphers and the Data Encryption Standard
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
Cryptanalysis. The Speaker  Chuck Easttom  
Chi-Cheng Lin, Winona State University CS 313 Introduction to Computer Networking & Telecommunication Network Security (A Very Brief Introduction)
GSM Network Security ‘s Research Project By: Jamshid Rahimi Sisouvanh Vanthanavong 1 Friday, February 20, 2009.
9th IMA Conference on Cryptography & Coding Dec 2003 More Detail for a Combined Timing and Power Attack against Implementations of RSA Werner Schindler.
1 Lect. 10 : Cryptanalysis. 2 Block Cipher – Attack Scenarios  Attacks on encryption schemes  Ciphertext only attack: only ciphertexts are given  Known.
CSCE 201 Introduction to Information Security Fall 2010 Data Protection.
CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.
13. Other Block Ciphers 13.1 LUCIFER 13.2 MADRYGA 13.3 NEWDES 13.4 FEAL 13.5 REDOC 13.6 LOKI.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 2 – Cryptographic.
1 University of Palestine Information Security Principles ITGD 2202 Ms. Eman Alajrami 2 nd Semester
DIFFERENTIAL CRYPTANALYSIS Chapter 3.4. Ciphertext only attack. The cryptanalyst knows the cryptograms. This happens, if he can eavesdrop the communication.
Description of a New Variable-Length Key, 64-Bit Block Cipher (BLOWFISH) Bruce Schneier BY Sunitha Thodupunuri.
Mobile Telephone System And GSM Security. The Mobile Telephone System First-Generation Mobile Phones First-Generation Mobile Phones Analog Voice Analog.
Attacks on PRNGs - By Nupura Neurgaonkar CS-265 (Prof. Mark Stamp)
Alternative Wide Block Encryption For Discussion Only.
Chapter 3 – Public Key Cryptography and RSA (A). Private-Key Cryptography traditional private/secret/single-key cryptography uses one key shared by both.
Exploiting Cache-Timing in AES: Attacks and Countermeasures Ivo Pooters March 17, 2008 Seminar Information Security Technology.
A paper by: Paul Kocher, Joshua Jaffe, and Benjamin Jun Presentation by: Michelle Dickson.
Lecture 23 Symmetric Encryption
Secure Computation Lecture Arpita Patra. Recap >> Improving the complexity of GMW > Step I: Offline: O(n 2 c AND ) OTs; Online: i.t., no crypto.
K. Salah1 Cryptography Module I. K. Salah2 Cryptographic Protocols  Messages should be transmitted to destination  Only the recipient should see it.
© Information Security Group, ICU1 Block Cipher- introduction  DES Description: Feistel, S-box Exhaustive Search, DC and LC Modes of Operation  AES Description:
David Evans CS551: Security and Privacy University of Virginia Computer Science Lecture 4: Dissin’ DES The design took.
Network Security. Three tools Hash Function Block Cipher Public Key / Private Key.
Hashes Lesson Introduction ●The birthday paradox and length of hash ●Secure hash function ●HMAC.
Giuseppe Bianchi Warm-up example WEP. Giuseppe Bianchi WEP lessons  Good cipher is far from being enough  You must make good USAGE of cipher.
Module :MA3036NI Symmetric Encryption -3 Lecture Week 4.
Block Ciphers and the Data Encryption Standard. Modern Block Ciphers  One of the most widely used types of cryptographic algorithms  Used in symmetric.
COM 5336 Lecture 8 Digital Signatures
1 4.1 Hash Functions and Data Integrity A cryptographic hash function can provide assurance of data integrity. ex: Bob can verify if y = h K (x) h is a.
Lecture 5 Page 1 CS 236 Online More on Cryptography CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
1 A New Weakness in the RC4 Keystream Generator and an Approach to Improve the Security of the Cipher Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC.
Department of Computer Science Chapter 5 Introduction to Cryptography Semester 1.
Mobile Telephone System And GSM Security. The Mobile Telephone System First-Generation Mobile Phones First-Generation Mobile Phones Analog Voice Analog.
Xin Fang, Pei Luo, Yunsi Fei, and Miriam Leeser
Outline Desirable characteristics of ciphers Uses of cryptography
A way to detect a collision…
By Theodora Kontogianni
Cryptography Lecture 19.
Unknown Input Attacks in the Parallel Setting Improving the Security of the CHES 2012 Leakage Resilient PRF Marcel Medwed François-Xavier Standaert Ventzislav.
Presentation transcript:

GSM CLONING

GSM (Global System for Mobile Communication) Most widely used cellular mobile phone system. First digital system to follow analog era. Specification designed by GSM Consortium in secrecy. Relied on Security by Obscurity. Distributed on need-to-know basis. Eventually leaked out and researchers have found many ways to break the GSM algorithms. One way was breaking COMP128 to retrieve the secret key from a SIM card.

A8: Session Key COMP128: SRES, Session Key A3: Signature Response

COMP128 Pseudocode: Input: 16 byte secret key, 16 byte RAND Output: 4 byte SRES, 8 byte session key (simoutput[12]) Load RAND into x[16…31] Perform the following 8 times –Load secret key into x[0…15] –Compression –Bits to Bytes –Permutation (only on first 7 rounds) Compress 16 bytes to 12 bytes (simoutput) Return simoutput[ ]

… ………………… Bits: Bytes: x[0]x[1] x[2] Permutation: - Bits to Bytes - Only 4 bits in each entry - Example shows bits for x[0], x[1] gets bits 8,25,42,59,76,93,110,127

What went wrong? Design of a security cryptosystem should be under the Kerckhoffs’ principle. GSM design committee kept all security specifications secret.

Attacks on COMP128 April 13, 1998: Marc Briceno (Director of the Smartcard Developer Association and two U.C.Berkeley researchers-David Wagner and Ian Goldberg The 128bit Ki could be deduced by collecting around 150,000 chosen RAND-SRES pairs. May 2002:IBM Side-Channel attack (Partitioning Attack) 1000 random inputs, or 255 chosen inputs, or only 8 adaptively chosen inputs.

128-bit Ki128-bit RAND

Crypto-attack by B. and G. Information leaking. A narrow “pipe” exists in COMP128. bytes i, i+8, i+16, i+24 at the output of the 2 nd level depend only on bytes i, i+8, i+16, i+24 of the initial input. Birthday paradox. Differential technique.

128-bit Ki128-bit RAND 8bits 7bits 6bits 5bits 4bits Back

Crypto-attack cont. After the compression at level 1, The correlated 32 bits  28 bits. Transfer problem to Collision Attack. Alg. in the Random Oracle Model FINDCOLLISION 1.Choose 2.For each 3. do 4.If for some 5. then return 6. else return (failure)

Crypto-attack cont.2 The birthday paradox tells us if let our, we have probability at least 1/2 to get a collision. The expectation of the number of queries: How many chances can we have The total expected queries to recover the entire 128 bit Ki is How fast can we get? Computational ability of IC 6.25 queries/s Totally recovery period: 7.3 hours.

Improvement on B. and G. Pre-compute 8 tables each has entries. Every time we find a collision, just look up the corresponding tables to find the key. Space requirements: GB Limitation: The bottle-neck of recovery time is dominated by computational time of IC. This technique could decrease computational requirement of PC, but the whole time won’t decrease so much.

Evaluation of B. G.’s Method Pros: Easily to implement. High accuracy. Doesn’t have to physical access to the SIM card. Cons: Slow: 7.3 hours Spurious key Assumption Avoidance

Gains from B.G.’s Attack Necessity of the open design process Importance of the first round Aftermath of collisions

Partitioning Attack Side channels:  Timing of operations  Power consumption  Electromagnetic emanations Cardinal Principle: Relevant bits of intermediate cycles and their values should be statistically independent of the inputs, outputs and sensitive information.

Partitioning Attack cont. Problems in COMP128:  Huge correlation between MSB of R[0] and the beginning of the first compression.  Substitution. Table look up operation.  Implementation in IC. Figure

Partitioning Attack cont.2 Explanation for the correlation. X[i]=T0[K[i]+2*R[i]] and X[i+16]=T0[2K[i]+R[i]] Example: Byte1:All signals with R[0] in the range[0-26] and [ ] fell in one category and all signals with R[0] in the range[27-154] fell into the other. Byte2: R[0] in the range[0-105] signals fell in one category a nd [ ] signals fell into the other. Graph K+2*26<256 K+2*27>=256 K=? K=202 or 203 2*K+105 =512 K=203

Partitioning Attack cont.3 Efficiency  1000 samples with random inputs  256 chosen inputs  8 adaptively chosen inputs

Future Improvements COMP128-2 has replaced the COMP128 to overcome some weakness COMP128-3 is develop to generate 64 bits for Kc. COMP128-4 is underdevelopment based on the 3GPP(3 rd Generation Partnership Project) algorithm. (AES)

Input correlation for MSB of R[0]

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.