Breaking the A5 Encryption Algorithm for GSM Phones
Matthew Flaschen, David Gallmeier, John Kuipers, Rohit Sinha, Jeff Wells

Overview of GSM – What is it?
a. GSM stands for “Global System for Mobile Communication”
b. What is it? Simply put, a standard for “Mobile Stations” to communicate with each other
c. Specifications:
   a. Bandwidth
   b. Frequencies
   c. Encryption
   d. Services provided
   e. etc.

Stages of a GSM Session
a. Authentication of mobile platform (cellphone)
   a. The A3 algorithm is used to authenticate the phone to the service provider
b. Phone call
   a. The A8 algorithm is used to generate the session key, which is later used in A5 encryption to encrypt call frames
c. Additionally, data transfers of other forms can be contained within GSM
   a. Text messages, Internet access, etc.

A5 Encryption
a. Used to encrypt voice communication
b. Provides privacy to callers against eavesdroppers
c. Does not:
   a. Authenticate phones to carriers
   b. Generate key used to encrypt traffic
d. Chapter 2 of book

A5 Versions – All broken
a. A5/0 – not really a version of A5; allows GSM to operate without encrypting call traffic
b. A5/1 – Original A5 algorithm. Employed in Western Europe and the United States
c. A5/2 – Second version of A5 algorithm. Employed outside of Europe and US
   a. Weakened due to export restrictions on encryption technology during Cold War
d. A5/3 – Stronger version of A5, for use in 3G networks. Not yet used. Already broken.
   a. Block cipher (not stream cipher, like other A5 versions)

A5 Details
a. A5 is a stream cipher
b. Stream Ciphers
   a. Used to encrypt small amounts of bits/bytes at a time
   b. Use keystreams combined with plaintext to produce ciphertext
      a. Generally, ciphertext is produced by XOR'ing keystream with plaintext
      b. Plaintext – message before transmission

A5 Keystreams
a. Generated by A8
b. Consists of two parts:
   a. Session key
   b. Frame key
      a. GSM Frames – data exchanged in blocks of 114-bit 'frames' – similar to packets in TCP/IP

Real Time Cryptanalysis of A5/1 on a PC
Alex Biryukov, Adi Shamir, David Wagner
Used a PC containing 128 MB RAM and two or four 73 GB disks to examine the algorithm's output.
Two attacks:
1. Records ciphertext for 2 minutes, then computes key in one second.
2. Records for 2 seconds, then computes key in several minutes.

The Biased Birthday Attack
a. One could find the A5/1 key within a second, but needed the first 2 minutes of a conversation.
b. 2^42 preprocessing steps with four 73 GB disks
c. 2^48 preprocessing steps with two 73 GB disks
d. Based upon direct collisions between a state in the disk and a state in the data, using approximately 71 red states.

The Random Subgraph Attack
a. Only 2 seconds of data are needed, but several minutes are required for processing.
b. Used 2^48 preprocessing steps with four 73 GB disks.
c. Used indirect collisions, allowing the key to be found from the first red state in the data

Cryptanalysis with COPACOBANA
Tim Güneysu, Timo Kasper, Martin Novotný, Christof Paar, and Andy Rupp
Uses custom hardware called the Cost-Optimized Parallel Code Breaker, a cluster of 120 FPGAs (field-programmable gate arrays). It is reconfigurable for different cryptanalysis tasks. One of these is an attack on A5/1.

TMTO (Time-Memory Tradeoff Attacks)
"Compromise between the two well-known extreme approaches, i.e., performing exhaustive searches and pre-computing exhaustive tables, to solve this general problem."
Store pre-computed, but not "too much"

Time-Memory-Data Tradeoff Methods
a. TMDTOs are like TMTOs
b. Rely on multiple data points. For A5/1 you can get w - log_2(N) + 1 data points from w stream bits.
c. A distinguished point (DP) is a key with a particular criterion ("e.g. the first 20 bits are 0"), which can be expressed as a mask of length d.

a. Reduction and rerandomization function R - Reduces bit length of a ciphertext C to bit length of key for cipher E.
b. Start with x_1, and repeatedly do x_2 = R(E(P)), etc.
c. The composition of E and R is called a step function f.
d. Rainbow tables use a sequence of different R functions.

a. COPACOBANA gives a TMDTO attack on A5/1, using DPs and Rainbow tables.
b. The attack "assume[s] that a relatively small amount of only 114 consecutive bits of keystream is known."
c. This gives 51 data points for the cipher attack. Assumes 114 consecutive bits of keystream is known.
d. COPACOBANA runs at 156 MHz. Executing the step function 'f' takes 64 cycles.
e. One FPGA contains 234 TMTO elements, so the overall device can do 2^36 step functions each second.
f. 63% success rate; more data = better results.

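The tradeoff described in the three slides above, as an added example that is not code from the presentation or from the COPACOBANA paper: a distinguished-point table and its online lookup over the w - log_2(N) + 1 sliding data points. It assumes a toy 16-bit filtered LFSR constructed for this example (it is not A5/1), a single table with R taken as the identity rather than a rainbow sequence, and hypothetical names and parameters throughout.

```python
N_BITS = 16        # log2(N): toy state size; A5/1 has 64 state bits
DP_MASK = 0x000F   # distinguished point: low d = 4 bits are zero
MAX_CHAIN = 256    # abandon chains that loop without reaching a DP

def keystream(s, nbits):
    """Toy filtered LFSR (constructed, not A5/1): nbits of output as a '0'/'1' string."""
    out = ""
    for _ in range(nbits):
        fb = (s ^ (s >> 2) ^ (s >> 3) ^ (s >> 5)) & 1
        out += str((s ^ (s >> 12) ^ ((s >> 1) & (s >> 7))) & 1)
        s = (s >> 1) | (fb << (N_BITS - 1))
    return out

def f(x):
    """Step function: N_BITS of output from state x, read back as a state (R = identity)."""
    return int(keystream(x, N_BITS), 2)

def is_dp(x):
    return (x & DP_MASK) == 0

def build_table(starts):
    """Precomputation: walk each chain to its first DP, store only {endpoint: start}."""
    table = {}
    for start in starts:
        x = start
        for _ in range(MAX_CHAIN):
            x = f(x)
            if is_dp(x):
                table.setdefault(x, start)
                break
    return table

def data_points(ks, n=N_BITS):
    """Every n-bit window of w stream bits is one data point: w - n + 1 in total."""
    return [int(ks[i:i + n], 2) for i in range(len(ks) - n + 1)]

def recover_state(ks, table):
    """Online phase: (offset, state) that regenerates ks from that offset, or None."""
    for i, y in enumerate(data_points(ks)):
        x, steps = y, 0
        while not is_dp(x) and steps < MAX_CHAIN:    # walk forward to the next DP
            x, steps = f(x), steps + 1
        c = table.get(x) if is_dp(x) else None
        for _ in range(MAX_CHAIN if c is not None else 0):
            nxt = f(c)                               # re-walk the stored chain
            if nxt == y and keystream(c, len(ks) - i) == ks[i:]:
                return i, c                          # verified against the stream
            c = nxt
    return None
```

Build the table once with `build_table(range(1, 513))`, then pass 114 known keystream bits to `recover_state`; a `None` result means no window landed on a stored chain, since table coverage is probabilistic.
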
GSM - SRSLY?
Karsten Nohl, Chris Paget
Two kinds of devices:
a. Active intercept
   o Fake base station
   o Can be detectable
   o In practice no one is checking
b. Passive cracking
   o More challenging
   o Requires special RF setup, precomputation
   o Can be hidden

Active
a. Advertise your fake base station with a fake Mobile Country Code (MCC) and Mobile Network Code (MNC).
b. Phones will connect to it if it has the strongest signal.
c. Could be detected by phone, but no apps.
d. Base station can choose not to use crypto.

Active
a. Uses OpenBTS (open source software for running GSM)
b. The Universal Software Radio Peripheral
c. 52 MHz hardware clock
d. Asterisk (OSS for telephony)
e. Spoof MCC and MNC
f. Find a clear ARFCN (Absolute Radio Frequency Channel Number).

Active
a. Decode resulting data using either Wireshark (packet analyzer) or Airprobe (dedicated GSM sniffer)
b. Discovered bugs in both phones and OpenBTS

Passive
a. A5/1 vulnerable to pre-computation.
b. Code book maps from known output to secret state.
c. Stored naively, A5/1 book would be 128 PB (~128 million GB)
d. Would take 100,000 years to be calculated.

Passive
a. Better ways to compute and store.
b. Tools provided:
   a. A5/1 software engine
   b. Table parameterization
c. Table generation has begun. Released on BitTorrent
d. Uses specialized processors such as graphics cards and Cell processors.
e. Speedup to 3 months.

Codebook optimizations
a. Uses both distinguished points and rainbow tables.
b. Ideal table:
   a. 32 DP segments of length 2^15
   b. Put into one rainbow.
c. Need 380 of those tables, each 2^(28.5) rows.

Known plaintext
GSM phones disclose keystream through known or guessable plaintext:
a. Empty ACKs
b. Connect ACK
c. IDLE frames
d. System Information
e. Call proceeding
f. Alerting

A5/3 (Kasumi) also vulnerable
a. A5/1 and A5/3 use same keys
b. Semi-active attack forces switching back to A5/1
c. Kasumi broken in past research:
   o 2^26 plaintext/ciphertext
   o 1 GB storage
   o 2^32 time complexity

Potential A5 Consequences
a. Intercepting and decoding calls
b. Monitoring data transfer
c. Cloning of cell phones

Intercepting and Decoding Calls
a. Recording of calls and decoding them later
b. Listening in for personal information
   a. Credit card information
   b. Social security number
   c. Banking information

Monitoring Data Transfer
a. Reading SMS
b. Banking Information
c. Payments
d. Web authentication

Cloning of Cell Phones
a. Stealing phone services
   a. Billing strangers
b. Performing illegal criminal activities over cloned phones

A5 v3
a. Updated, stronger version of A5 encryption presented by the 3rd Generation Partnership Project (3GPP)
b. Used for 3G communications
   a. 3G supports voice communications and data
      a. Enough bandwidth to support both operations simultaneously

Block Ciphers
a. A5/3 is a block cipher
b. Block Cipher Information
   a. Block ciphers encrypt 'chunks' of data, versus stream ciphers, which encrypt only individual bits/bytes.
   b. Difference from stream cipher is amount encrypted per unit of time.

A5/3 Compromise
a. A5/3 not yet in use, but has already been cracked.
   a. The A5/3 crack, known as the “Sandwich Attack”, is not practical.
   b. During 3G calls, plaintexts are transmitted every second, but millions will be required to deduce the secret key.
   c. "The attack should stand as a reminder that A5/3 and any other cipher will need to be replaced eventually" - Karsten Nohl
b. A5/3 has been developed and agreed upon by GSM industry, but no timeframe for implementation has been set.
c. The bottom line: nothing to worry about.
   a. Not feasible due to massive computation overhead and other requirements.

Sources
a. "What algorithm is utilized for encryption in GSM networks?". GSM Security. 21 Jan. 2010 <http://www.gsmsecurity.net/faq/gsm-encryption-algorithm-a5-cipher.shtml>.
b. "Global System for Mobile Communication (GSM)". International Engineering Consortium. 21 Jan. 2010 <http://www.iec.org/online/tutorials/gsm/topic05.asp>.
c. "What is a stream cipher?". RSA Laboratories. 21 Jan. 2010 <http://www.rsa.com/rsalabs/node.asp?id=2174>.
d. "What algorithm is utilized for key generation in GSM networks?". GSM-Security.net. 21 Jan. 2010 <http://www.gsm-security.net/faq/gsm-key-generation-algorithm-a8-comp128.shtml>.
e. "What algorithm is utilized for authentication in GSM networks?". GSM-Security.net. 21 Jan. 2010 <http://www.gsm-security.net/faq/gsm-authentication-algorithm-a3-comp128.shtml>.
f. Willis, Nathan. "GSM encryption crack made public". LWN.net. 21 Jan. 2010 <http://lwn.net/Articles/368861/>.

More Sources
a. "Block and Stream Ciphers". TopBits.com. 21 Jan. 2010 <http://www.topbits.com/block-and-streamciphers.html>.
b. Goodin, Dan. "'Sandwich attack' busts new cellphone crypto". The Register. 21 Jan. 2010 <http://www.theregister.co.uk/2010/01/13/gsm_crypto_crack/>.
c. Barkan, Elad, Eli Biham, and Nathan Keller. "Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication". Department of Mathematics Technion - Israeli Institution of Technology. 21 Jan. 2010 <http://cryptome.org/gsm-crack-bbk.pdf>, p. 1-2.
d. Biryukov, Alex, Adi Shamir, and David Wagner. "Real Time Cryptanalysis of A5/1 on a PC". Cryptome. 21 Jan. 2010 <http://cryptome.org/a51-bsw.htm>.
e. Güneysu, Tim, Timo Kasper, Martin Novotný, Christof Paar, and Andy Rupp. "Cryptanalysis with COPACOBANA". IEEE Transactions on Computers. 21 Jan. 2010 <http://www.copacobana.org/paper/TC_COPACOBANA.pdf>.
f. Nohl, Karsten, and Chris Paget. "GSM: SRSLY?". Chaos Communication Congress. 21 Jan. 2010 <http://events.ccc.de/congress/2009/Fahrplan/events/3654.en.html>.

More Sources
a. Wilson, Tim. "Researchers Prepare Practical Demonstration Of GSM Encryption Cracking Technology". DarkReading. <http://www.darkreading.com/vulnerability_management/security/encryption/showArticle.jhtml?articleID=222100242>.
b. Nohl, Karsten and Sascha Krißler. "Subverting the Security Base of GSM". Hacking at Random 2009. <https://har2009.org/program/attachments/119_GSM.A51.Cracking.Nohl.pdf>.
c. Sorkin, Justin. "German security researcher cracks A5/1 encryption portion of GSM". Topnews. <http://topnews.us/content/29401-german-security-researcher-cracks-a51-encryption-portion-gsm>.
d. Markoff, John. "Researchers Crack Code In Cell Phones". The New York Times. <http://www.nytimes.com/1998/04/14/business/researchers-crack-code-in-cellphones.html?scp=2&sq=Researchers+Crack+Code+in+Cell+Phones&st=nyt>.
e. "3GPP confidentiality and integrity algorithms". 3GPP: A Global Initiative. <http://www.3gpp.org/Confidentiality-Algorithms>.