1. Breaking the A5 Encryption Algorithm for GSM Phones Matthew Flaschen David Gallmeier John Kuipers Rohit Sinha Jeff Wells

2. Overview of GSM – What is it? GSM – stands for “Global System for Mobile Communication” What is it? - Simply put, a standard for “Mobile Stations” to communicate with each other Specifications: o Bandwidth o Frequencies o Encryption o Services provided o etc

3. Stages of a GSM Session Authentication of mobile platform (cellphone) o A3 encryption used to authenticate phone to service provider Phone call o A8 encryption used to generate session key, which is later used in A5 encryption to encrypt call frames. Additionally, data transfers of other forms can be contained within GSM o Text messages, Internet access, etc

4. A5 Encryption Used to encrypt voice communication Provides privacy to callers against eavesdroppers Does not: o Authenticate phones to carriers o Generate key used to encrypt traffic Chapter 2 of book

5. A5 Versions – All broken A5/0 – not really a version of A5; allows GSM to operate without encrypting call traffic A5/1 – Original A5 algorithm. Employed in Western Europe and the United States A5/2 – Second version of A5 algorithm. Employed outside of Europe and US o Weakened due to export restrictions on encryption technology during Cold War A5/3 – Stronger version of A5, for use in 3G networks. Not yet used. Already broken. o Block cipher (not stream cipher, like other A5 versions)

6. A5 Details A5 is a stream cipher Stream Ciphers o Used to encrypt small amounts of bits/bytes at a time o Uses keystreams combined with plaintext to produce cipher text  Generally, ciphertext is produced by XOR'ing keystream with plaintext  Plaintext – message before transmission

7. A5 Keystreams Generated by A8 Consists of two parts: o Session key o Frame key  GSM Frames – data exchanged in blocks of 114-bit 'frames' – similar to packets in TCP/IP

8. Used a PC containing 128 MB RAM and two or four 73 GB disks to examine at the algorithm's output. Two attacks: 1.Records ciphertext for 2 minutes, then computes key in one second. Records for 2 seconds, then computes key in several minutes. Real Time Cryptanalysis of A5/1 on a PC Alex Biryukov, Adi Shamir, David Wagner

9. One could find the A5/1 key within a second, but needed the first 2 minutes of a conversation. 242 preprocessing steps with four 73GB disks 248 preprocessing steps with two 73GB disks Based upon direct collisions between a state in the disk and a state in the data, using approximately 71 red states. The Biased Birthday Attack

10. Only 2 seconds of data are needed, but several minutes are required for processing. Used 248 preprocessing steps with four 73GB disks. Used indirect collisions, allowing the key to be found from the first red state in the data The Random Subgraph Attack

11. Cryptanalysis with COPACOBANA Tim Güneysu, Timo Kasper, Martin Novotný, Christof Paar, and Andy Rupp Uses custom hardware called Cost-Optimized Parallel Code Breaker, which is a cluster of 120 FPGAs (field programmable gate array). Reconfigurable for different cryptanalysis tasks. One of these is an attack on A5/1.

12. TMTO (Time-Memory Tradeoff Attacks) "Compromise between the two well-known extreme approaches, i.e., performing exhaustive searches and pre-computing exhaustive tables, to solve this general problem.“ Store pre-computed, but not "too much"

13. TMDTOs are like TMTOs Rely on multiple data points. For A5/1 you can get w - log_2(N) + 1 data points from w stream bits. A distinguished point (DP) is a key with a particular criterion ("e.g. the first 20 bits are 0"), which can be expressed as a mask of length d. Time-Memory-Data Tradeoff Methods

14. Reduction and rerandomization function R - Reduces bit length of a ciphertext C to bit length of key for cipher E. Start with x_1, and repeatedly do x_2 = R(E(P)), etc. The composition of E and R is called a step function f. Rainbow tables use a sequence of different R functions.

15. COPACOBANA gives a TMDTO attack on A5/1, using DPs and Rainbow tables. The attack "assume[s] that a relatively small amount of only 114 consecutive bits of keystream is known.“ This gives 51 data points for the cipher attack. Assumes 114 consecutive bits of keystream is known. COPACOBANA runs at 156 MHz. Executing the step function 'f' takes 64 cycles. One FPGA contains 234 TMTO elements, so the overall device can do 2^36 step functions each second. 63% success rate; more data = better results.

16. Two kinds of devices: Active intercept o Fake base station o Can be detectable o In practice no one is checking Passive cracking o More challenging o Requires special RF setup, precomputation o Can be hidden. GSM - SRSLY? Karsten Nohl, Chris Paget

17. Advertise your fake base station with a fake Mobile Country Code (MCC) and Mobile Network Code (MNC). Phones will connect to it if it has the strongest signal. Could be detected by phone, but no apps. Base station can choose not to use crypto. Active

18. Uses OpenBTS (open source software for running GSM) The Universal Software Radio Peripheral 52 MHz hardware clock Asterisk (OSS for telephony) Spoof MCC and MNC Find a clear ARFCN (Absolute Radio Frequency Channel Number). Active

19. Decode resulting data using either Wireshark (packet analyzer) or Airprobe (dedicated GSM sniffer) Discovered bugs in both phones and OpenBTS Active

20. A5/1 vulnerable to pre-computation. Code book maps from known output to secret state. Stored naively, A5/1 book would be 128 PB (~ 128 million GB) Would take 100,000 years to be calculated. Passive

21. Better ways to compute and store. Tools provided: o A5/1 software engine o Table parameterization Table generation has begun. Released on BitTorrent Uses specialized processors such as graphics cards and Cell processors. Speedup to 3 months. Passive

22. Uses both distinguished points and rainbow tables. Ideal table: o 32 DP segments of length 2^15 o Put into one rainbow. Need 380 of those tables, each 2^(28.5) rows. Codebook optimizations

23. GSM phones disclose keystream through known or guessable plaintext: Empty ACKS Connect ACK IDLE frames System Information Call proceeding Alerting Known plaintext

24. A5/1 and A5/3 use same keys Semi-active attack forces switching back to A5/1 Kasumi broken in past research: o 2^26 plaintext/ciphertext o 1 GB storage o 2^32 time complexity. A5/3 (Kasumi) also vulnerable

25. Potential A5 Consequences Intercepting and decoding calls Monitoring data transfer Cloning of cell phones

26. Intercepting and Decoding Calls Recording of calls and decoding them later Listening in for personal information o Credit card information o Social security number o Banking information

27. Monitoring Data Transfer Reading SMS Banking Information Payments Web authentication

28. Cloning of Cell Phones Stealing phone services o Billing strangers o Performing illegal criminal activities over cloned phones

29. A5 v3 Updated, stronger version of A5 encryption presented by the 3rd Generation Partnership Project (3GPP) Used for 3G communications o 3G supports voice communications and data  Enough bandwidth to support both operations simultaneously

30. Block Ciphers A5/3 is a block cipher Block Cipher Information o Block ciphers encrypt 'chunks' of data, versus Stream ciphers, which encrypt only individual bits/bytes. o Difference from stream cipher is amount encrypted per unit of time.

31. A5/3 Compromise A5/3 not yet in use, but has already been cracked. o The A5/3 Crack, known as the “Sandwich Attack” is not practical. o During G3 calls, plaintexts are transmitted every second, but millions will be required to deduce the secret key. o "The attack should stand as a reminder that A5/3 and any other cipher will need to be replaced eventually" - Karsten Nohl A5/3 has been developed and agreed upon by GSM industry, but no timeframe for implementation has been set. The bottom line: nothing to worry about. o Not feasible due to massive computation overhead and other requirements.

32. Sources "What algorithm is utilized for encryption in GSM networks?". GSM Security. 21 Jan. 2010. "Global System for Mobile Communication (GSM)". International Engineering Consortium. 21 Jan. 2010. "What is a stream cipher?". RSA Laboratories. 21 Jan. 2010. “What algorithm is utilized for key generation in GSM networks?”. GSM-Security.net. 21 Jan. 2010 “What algorithm is utilized for authentication in GSM networks?”. GSM-Security.net. 21 Jan. 2010 Willis, Nathan. "GSM encryption crack made public". LWN.net. 21 Jan. 2010.

33. More Sources "Block and Stream Ciphers". TopBits.com. 21 Jan. 2010. Goodin, Dan. "'Sandwich attack' busts new cellphone crypto". The Register. 21 Jan. 2010. Barkan, Elad, Eli Biham, and Nathan Keller. "Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication". Department of Mathematics Technion - Israeli Institution of Technology. 21 Jan. 2010 Biryukov, Alex, Adi Shamir, and David Wagner. "Real Time Cryptanalysis of A5/1 on a PC". Cryptome. 21 Jan. 2010 Güneysu, Tim, Timo Kasper, Martin Novotný, Christof Paar, and Andy Rupp. “Cryptanalysis with COPACOBANA". IEEE Transactions on Computers. 21 Jan. 2010 Nohl, Karsten, and Chris Paget. "GSM: SRSLY?". Chaos Communication Congress. 21 Jan. 2010

34. More Sources Wilson, Tim. "Researchers Prepare Practical Demonstration Of GSM Encryption Cracking Technology ". DarkReading.. Nohl, Karsten and Sascha Krißler. "Subverting the Security Base of GSM". Hacking at Random 2009.. Sorkin, Justin. " German security researcher cracks A5/1 encryption portion of GSM ". Topnews.. Markoff, John. "Researchers Crack Code In Cell Phones". The New York Times.. "3GPP confidentiality and integrity algorithms". 3GPP: A Global Initiative..