
GSM Security Overview (part3) docx


DOCUMENT INFORMATION

Basic information

Title: GSM Security Overview (Part 3)
Author: Gregory Greenman
School: Unknown University
Major: GSM Security
Type: lecture notes
Year of publication: Unknown Year
City: Unknown City
Format
Pages: 32
Size: 435 KB


GSM Security Overview

(Part 3)

Gregory Greenman

Space-Time Attacks Overview (by Babbage)

Cryptanalysis of A5/1 (by Shamir, Biryukov, Wagner)

Other Attacks on GSM

Conclusion

LFSR structure

Purpose - to produce a pseudo-random bit sequence

Consists of two parts :
  • shift register – bit sequence

LFSR Features

LFSR Period – the length of the output sequence before it starts repeating itself.

An n-bit LFSR can be in 2^n - 1 internal states → the maximal period is also 2^n - 1

The tap sequence determines the period

The polynomial formed by a tap sequence plus 1 must be a primitive polynomial (mod 2)

Example :

x^12 + x^6 + x^4 + x + 1 corresponds to an LFSR of length 12

b1 b2 b3 b4 b5 b6 b7 b8 b9 b10 b11 b12
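
The effect of the tap sequence on the period, as an added example that is not part of the original slides: a 12-bit LFSR with taps at b12, b6, b4 and b1 (the slide's polynomial) runs through all 2^12 - 1 non-zero states, while the non-primitive x^12 + x^6 + 1 falls into a short cycle. The shift direction and the function names are assumptions of this sketch.

```python
def lfsr_step(state, taps, n):
    """Shift an n-bit LFSR once; the XOR of the tapped bits becomes the new lsb."""
    feedback = 0
    for t in taps:                      # taps are 1-indexed: b1 is bit 0, bn is bit n-1
        feedback ^= (state >> (t - 1)) & 1
    return ((state << 1) | feedback) & ((1 << n) - 1)


def lfsr_period(taps, n, start=1):
    """Count steps until the register returns to its starting state."""
    if n not in taps:
        raise ValueError("tap n is required, otherwise the step is not invertible")
    state, steps = lfsr_step(start, taps, n), 1
    while state != start:
        state = lfsr_step(state, taps, n)
        steps += 1
    return steps


def output_bits(taps, n, count, start=1):
    """Pseudo-random output: the bit held in position bn before each shift."""
    state, out = start, []
    for _ in range(count):
        out.append((state >> (n - 1)) & 1)
        state = lfsr_step(state, taps, n)
    return out


PRIMITIVE = (12, 6, 4, 1)   # x^12 + x^6 + x^4 + x + 1, the polynomial on the slide
WEAK = (12, 6)              # x^12 + x^6 + 1 = (x^6 + x^3 + 1)^2, not primitive

if __name__ == "__main__":
    print("primitive taps:", lfsr_period(PRIMITIVE, 12), "of", 2**12 - 1)
    print("weak taps:     ", lfsr_period(WEAK, 12), "of", 2**12 - 1)
    print("all-zero state is stuck:", lfsr_step(0, PRIMITIVE, 12) == 0)
    print("first 16 output bits:", output_bits(PRIMITIVE, 12, 16))
```

The all-zero state maps to itself, which is why the maximal period is 2^n - 1 and not 2^n.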

A5/1 Overview

A5/1 is a stream cipher, which is initialized all over again for every frame sent

Consists of 3 LFSRs of 19, 22 and 23 bits length

The 3 registers are clocked in a stop/go fashion using the majority rule

“Cryptography is a mixture of mathematics and muddle, and without the muddle the mathematics can be used against you.”
- Ian Cassels, a former Bletchley Park cryptanalyst.

[Figure: the three A5/1 shift registers with clocking bits C1, C2, C3 and the clock control]

A5/1 : Operation

All 3 registers are zeroed

64 cycles (without the stop/go clock) :
  • Each bit of K (lsb to msb) is XOR'ed in parallel into the lsb's of the registers

22 cycles (without the stop/go clock) :
  • Each bit of Fn (lsb to msb) is XOR'ed in parallel into the lsb's of the registers

100 cycles with the stop/go clock control, discarding the output

228 cycles with the stop/go clock control which produce the output bit sequence.
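
The initialization and keystream steps listed above, written out as an added example that is not part of the original slides. The feedback taps, clocking-bit positions and output bits are not given on this page; they are assumed from the publicly documented A5/1 design, and the key and frame number in the demo are constructed values.

```python
# Register layout: (length, feedback tap bits, clocking bit); bit 0 is the lsb.
# These positions are assumed from the public A5/1 description, not from this page.
REGS = ((19, (13, 16, 17, 18), 8),
        (22, (20, 21), 10),
        (23, (7, 20, 21, 22), 10))


def clock_one(state, reg):
    """Shift one register left; the XOR of its taps becomes the new lsb."""
    length, taps, _ = reg
    feedback = 0
    for t in taps:
        feedback ^= (state >> t) & 1
    return ((state << 1) | feedback) & ((1 << length) - 1)


def clock_majority(states):
    """Stop/go clocking: a register moves only if its clocking bit equals the majority."""
    cbits = [(s >> reg[2]) & 1 for s, reg in zip(states, REGS)]
    majority = 1 if sum(cbits) >= 2 else 0
    return [clock_one(s, reg) if c == majority else s
            for s, reg, c in zip(states, REGS, cbits)]


def load(states, value, nbits):
    """Regular clocking; each bit of value (lsb to msb) is XORed into all three lsbs."""
    for i in range(nbits):
        bit = (value >> i) & 1
        states = [clock_one(s, reg) ^ bit for s, reg in zip(states, REGS)]
    return states


def a51_keystream(key, frame_number):
    """Return the 228 keystream bits A5/1 produces for one frame."""
    states = load([0, 0, 0], key, 64)          # registers zeroed, then 64 cycles with K
    states = load(states, frame_number, 22)    # 22 cycles with Fn
    for _ in range(100):                       # 100 cycles, output discarded
        states = clock_majority(states)
    bits = []
    for _ in range(228):                       # 228 cycles producing output
        states = clock_majority(states)
        msbs = [s >> (reg[0] - 1) for s, reg in zip(states, REGS)]
        bits.append((msbs[0] ^ msbs[1] ^ msbs[2]) & 1)
    return bits


if __name__ == "__main__":
    KEY, FRAME = 0x0123456789ABCDEF, 0x134     # constructed demo values
    ks = a51_keystream(KEY, FRAME)
    print("frame 0x134:", "".join(map(str, ks[:32])), "...")
    print("frame 0x135:", "".join(map(str, a51_keystream(KEY, FRAME + 1)[:32])), "...")
```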

The Model

The internal state of the A5/1 generator is the state of all 64 bits in the 3 registers, so there are 2^64 - 1 states.

The operation of A5/1 can be viewed as a state transition :

Standard attack assumes the knowledge of about 64 output bits (64 bits → 2^64 different sequences)

Space/Time Trade-Off Attack I

Get keystream bits k1, k2, …, kM+n and prepare M

• generate random state Si

• generate n-bit keystream

• look for it in the prepared keystream subsequences

Space/Time Trade-Off Attack II

Select R random states S1, …, SR and for each state generate an n-bit keystream

• Look for a prepared state

Shamir/Biryukov Attack Outline

2 disks (73 GB) and the first 2 minutes of the conversation are needed

Can find the key in less than a second

This attack is based on the second variation of the space/time tradeoff

There are n = 2^64 total states

A – the set of prepared states (and relevant prefixes)

B – the set of states through which the algorithm proceeds

The main idea :

Biased Birthday Attack

Birthday paradox : A ∩ B ≠ ∅ if |A| ∙ |B| ≈ n

Each state is chosen for A with probability P_A(s) and for B with probability P_B(s). Then, the intersection will not be empty if

Σ_s P_A(s) ∙ P_B(s) ≈ 1

The idea is to choose the states from A and B with 2

them

Disk Storage

as indices into the states array

The registers are small, we can precompute all their states and store them in 3 cyclic arrays

But, for each state we can store only two bits : the clock bit and the output bit

Special States

Disk access is very time-consuming!

Keep on disk (set A) only those states, which produce a sequence that starts with a certain pattern α, |α| = k

Access the disk only when α is encountered

2^k prefixes can start with α, so we reduce the number of total possible states (n) by 2^k and the number of disk access times by 2^k. The size of A, however, is unchanged, and we only insert the states that satisfy the condition there. Thus, we don't miss intersections.

Generation of Special States

Choose from all 2^64 states the needed 2^48 ?
  • It's too time-consuming and unrealistic.

The solution is to generate them :

[Figure: register diagram; surviving labels: C3, C2]

Reversing A5/1

Forward state transition is deterministic …

In the reverse direction there could be up to 4 predecessors (majority clock control)

Example :

1 0 1

0 1 0

1 0

Estimations …

We need 5 bytes per state to store on disk (73 G), so we can afford 146 ∙ 2^30 / 5 = 2^35 states

We use 51 bit length prefixes (16 first bits are α)

How many times will α be encountered in the data ?
  • there are 228 bits of data, that is, 177 (228-51) "relevant offsets"
  • 2 minutes of operation, that is, 120 ∙ 1000/4.5 frames
  • 2^-16 is the fraction of all possible states which start with α
  • so, the number of occurrences is 2^-16 ∙ 177 ∙ 120 ∙ 1000/4.5 ≈ 71

Tree Exploration

A state is red if the sequence of output bits produced from the state starts with α. There are 2^48 red states.

A state is green if the sequence produced from the state contains an α-occurrence between bit positions 101 – 277. There are 177 ∙ 2^48 green states.

We can assume that the short path (of length 277) will contain only one occurrence of α, so the mapping is many-to-1

Tree Exploration II

The set of relevant states can be viewed as a collection of disjoint trees with a red state as the root and green states as the rest of the nodes

We're interested in trees with green states at levels 101-277. The weight of a tree, W(s), is the number of green states at those levels

[Figure: tree of states; labels: sequence generation, reverse direction]

Tree Exploration III

It is experimentally found that W(s) has a highly non-uniform distribution :
  • 85% of the trees die before reaching the level 100
  • 15% of the trees have 1 ≤ W(s) ≤ 2600

Choose 2^35 states (biased probability) with particularly heavy trees (average weight 12500) from overall of 2^48 red states

The expected number of collisions : (2^35 ∙ 12500 ∙ 71) / (177 ∙ 2^48) ≈ 0.61

Tree Exploration IV

Heavy trees → large number of green state candidates?
  • We know the exact location of α in the sequence, so we know the exact depth in the tree.
  • The trees are narrow, so the total number of states we'll have to check is less than 100 !

Attack Summary

Due to frequent reinitialization (for every new frame), it's possible to efficiently run the algorithm backwards (328 steps)

Poor choice of the clocking taps

Each one of the registers is so small that it's possible to precompute all its states

Attacks on Signaling Network

The transmissions are encrypted only between MS and BTS. After the BTS, the protocols between MSC and BSC (BSSAP) and inside the operator's network (MAP) are unencrypted, allowing anyone who has access to the signaling system to read or modify the data on the fly !

So, the SS7 signaling network is completely insecure

The attacker can gain the actual phone call, RAND & SRES…

Attacks on Signaling Network

If the attacker can access the HLR, s/he will be able to retrieve the Ki for all subscribers of that particular network

Retrieving Ki over Air

The Ki key can be retrieved from SIM over the air :
  • MS is required to respond to every challenge made by GSM network (there is no authentication of BTS).
  • Attack based on differential cryptanalysis could take 8-15 hours and require that the signal from the legitimate BTS be disabled for that time, but it's still real …

The same attack could be applied to AuC
  • It also has to answer the requests made by the GSM network
  • It's much faster than SIM

SMS Architecture

SMS is a "store and forward" message system

Spoofing SMS Messages : Originating Address field can be arbitrarily set to anything.

The applications using SMS should take care of authentication and also encrypt their messages !

Pros
  • It's the most secure cellular telecommunication system available
  • Good framework for reasonably secure communications
  • The security model has minimal impact on manufacturers
      SIM – keys, A3, A8, etc.
      SIM Toolkit – additional SIM functionality
      Mobile Equipment – A5
  • The future - 3GPP :
      the design is public
      mutual authentication (EAP-SIM Authentication), key-length increased, security within and between networks, etc.

Conclusions (cont.)

Cons
  • Security by Obscurity
  • Only access security – doesn't provide end-to-end security
  • GSM Security is broken at many levels, vulnerable to numerous attacks
  • Even if security algorithms are not broken, the GSM architecture will still be vulnerable to attacks from inside or attacks targeting the operator's backbone
  • No mutual authentication
  • Confidential information requires additional encryption over GSM

GSM Association, http://www.gsmworld.com

M. Rahnema, “Overview of the GSM System and Protocol Architecture”, IEEE Communication Magazine, April 1993.

L. Pesonen, “GSM Interception”, November 1999.

J. Rao, P. Rohatgi, H. Scherzer, S. Tinguely, “Partitioning Attack: Or How to Rapidly Clone Some GSM Cards”, IEEE Symposium on Security and Privacy, May 2002.

P. Kocher, J. Jaffe, “Introduction to Differential Power Analysis and Related Attacks”, Cryptography Research, 1998.

S. Babbage, “A Space/Time Trade-off in Exhaustive Search Attacks on Stream Ciphers”, European Convention on Security and Detection, IEE Conference publication, No 408, May 1999.

A. Biryukov, A. Shamir, D. Wagner, “Real Time Cryptanalysis of A5/1 on a PC”,


Thank You !

Posted: 10/08/2014, 16:22
