GSM Security: Cryptanalysis of A5/1

Arber Ceni – 07.02.2011


Overview (I)

- Motivation
- Description of A5/1
- Time-memory tradeoff attacks
  - Golic 1997
  - Biryukov et al. 2000
  - Biham and Dunkelman 2000
  - Barkan, Biham and Keller 2003
  - COPACOBANA 2008


Overview (II)

- Correlation attacks
  - Ekdahl and Johansson 2003
  - Maximov, Johansson and Babbage 2005
  - Barkan and Biham 2006
- Other attacks on GSM and A5 family ciphers
- Conclusions


Motivation

- GSM has more than 3 billion customers and covers around 80% of the world's population
- Every over-the-air conversation is protected by A5/1
- GSM is the biggest cryptosystem ever deployed
- A5/1 was developed in 1987 (more than 20 years old)
- Many flaws discovered
- Many attacks conducted


Description of A5/1 (I)

- GSM uses symmetric cryptography
- The same key Kc is used to encrypt and decrypt the conversation
- How is Kc generated?
  - Ki: root encryption key, unique for each subscriber
  - A3: authenticates the user to the mobile operator
  - A8: generates Kc


Description of A5/1 (II)

- Invented in 1987
- Partially leaked in 1994
- Reverse engineered by Briceno in 1999
- Idea:
  - Conversation as frames transmitted every 4.6 ms
  - 228 bits + Kc + Fn = 228 bits ciphertext
  - 114 up, 114 down
- Three LFSRs
  - R1: length 19; tapping bits 13, 16, 17, 18; clocking bit 8
  - R2: length 22; tapping bits 20, 21; clocking bit 10
  - R3: length 23; tapping bits 7, 20, 21, 22; clocking bit 10


Description of A5/1 (III)

- Clocking
  - A register is clocked if its clocking bit agrees with the majority bit
  - C1 = C2 = C3 + 1 (mod 2) => R1 and R2 are clocked
  - Probability of each register being clocked is 3/4


Description of A5/1 (IV)

- Algorithm (initial state)
  - Zero all registers
  - For each bit of Kc: Rj[0] = Rj[0] + Kc[i], j = (1,2,3)
    - Clock the registers, ignoring the regular clocking mechanism
  - For each bit of Fn: Rj[0] = Rj[0] + Fn[i], j = (1,2,3)
    - Clock the registers, ignoring the regular clocking mechanism
  - Clock the registers with the normal clocking mechanism for 100 rounds and discard the output


Description of A5/1 (V)

- Algorithm (ciphertext generation)
  - Clock the cipher 114 times using the normal stop/go fashion
  - Produce 114 bits (keystream) by XOR-ing the MSBs of the three registers
  - This keystream will be used to encrypt the communication between operator and mobile station
  - XOR the keystream with the initial message to produce the ciphertext
  - Do the same for the conversation between mobile station and operator
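The register layout, majority clocking, initialisation and keystream generation from the A5/1 description slides, as an added Python example that is not part of the original presentation. Assumptions: Kc and Fn are integers read least-significant bit first, each key or frame bit is XORed into bit 0 right after the all-register clock (the order used by the publicly circulated reference code), and the function names are chosen here. `linear_load` is kept separate because that phase is linear over GF(2), the initialisation weakness the correlation-attack slides build on.

```python
from itertools import product

# (length, feedback taps, clocking bit) for R1, R2, R3, as listed on the slides
REGS = [(19, (13, 16, 17, 18), 8), (22, (20, 21), 10), (23, (7, 20, 21, 22), 10)]

def shift(reg, idx):
    """Clock one LFSR: the XOR of the tap bits is shifted into bit 0."""
    length, taps, _ = REGS[idx]
    fb = sum((reg >> t) & 1 for t in taps) & 1
    return ((reg << 1) & ((1 << length) - 1)) | fb

def movers(clock_bits):
    """Indices of the registers whose clocking bit agrees with the majority."""
    maj = 1 if sum(clock_bits) >= 2 else 0
    return [i for i, c in enumerate(clock_bits) if c == maj]

def stop_go(state):
    """One majority-controlled (stop/go) clock of the whole cipher."""
    moving = movers([(state[i] >> REGS[i][2]) & 1 for i in range(3)])
    return [shift(r, i) if i in moving else r for i, r in enumerate(state)]

def linear_load(kc, fn):
    """Mix 64 bits of Kc, then 22 bits of Fn, clocking all registers each time.
    Assumption: Kc and Fn are ints consumed least-significant bit first."""
    state = [0, 0, 0]
    for value, nbits in ((kc, 64), (fn, 22)):
        for i in range(nbits):
            bit = (value >> i) & 1
            state = [shift(r, j) ^ bit for j, r in enumerate(state)]
    return state

def keystream(kc, fn):
    """Return two lists of 114 keystream bits, one per direction."""
    state = linear_load(kc, fn)
    for _ in range(100):                      # mixing rounds, output discarded
        state = stop_go(state)
    out = []
    for _ in range(228):
        state = stop_go(state)
        # output bit = XOR of the most significant bit of each register
        out.append(sum(state[i] >> (REGS[i][0] - 1) for i in range(3)) & 1)
    return out[:114], out[114:]

def clock_probability():
    """Share of the 8 clocking-bit patterns in which each register moves."""
    patterns = list(product((0, 1), repeat=3))
    return [sum(i in movers(p) for p in patterns) / 8 for i in range(3)]
```

Enumerating the eight clocking-bit patterns gives 3/4 for every register, and XORing two key/frame pairs before `linear_load` gives the XOR of the two loaded states.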


Time-memory tradeoff attacks – Golic 1997

- Alleged but similar A5/1 cipher
- Divide and conquer
  - Idea: guess some bits of the state of the registers and find the others by solving linear equations
- Complexity: O(2^40.16)
- How many bits should we guess:
  - n if n ≤ r_i - tau_i + 1
  - n - r_i + tau_i - 1 otherwise
- 1 + 3n + 4n/3 linear equations
  - Linearly independent if n < max(tau_1, tau_2, tau_3) - 1
- Real A5/1: max(tau_1, tau_2, tau_3) = 10 => O(2^45.22)
- Time-memory tradeoff: 102·K·M ≥ 2^63.32


Time-memory tradeoff attacks – Biryukov et al. 2000 (I)

- Store on HDD (prefix, state) pairs for special states starting with α = 16 bits
- Flaw of A5/1: the clocking tap doesn't affect the output for 16 clocking cycles
  - Produces 2^48 states instead of 2^64; further reduced to 2^40
- Compare the prefix of an unknown state
- Red states R: special states; |R| = 2^48
- Green states G: α is encountered in position 101-277; |G| = 177·2^48
- 2^35 stored red states with average weight 12500
- We can encounter a red state in 2 min of conversation with a probability of 61%


Time-memory tradeoff attacks – Biryukov et al. 2000 (II)

- Random subgraph attack
  - From stored special states, generate other special states
  - A new function f makes this possible, and inverting it produces the special state from an output bit
- Time-memory tradeoff: M = 2^36, |U| = 2^48, T = 2^24 and preprocessing 2^48, with M·√T = |U|

| Attack type | Preprocessing steps | Available data | Number of 73GB HDD | Attack time |
| Biased Birthday attack (1) | 2^42 | 2 minutes | 4 | 1 second |
| Biased Birthday attack (2) | 2^48 | 2 minutes | 2 | 1 second |
| Random subgraph attack | 2^48 | 2 seconds | 4 | minutes |


Time-memory tradeoff attacks – Biham and Dunkelman 2000 (I)

- Wait until an event that gives a lot of information happens
- With some improvements to the previous attack, break A5/1
- R3 not clocked for 10 consecutive times and R3[10,22] are known
  - We get 20 clocking bits of R1 and R2
  - Other 11 bits from the output stream
  - Guessing 9 bits from R1 and 1 from R2 gives both registers
  - Guessing 10 bits from R3 gives the other 11 bits of R3
  - Complexity: O(2^27)
- 2^20 possible starting points for R3
  - Complexity: O(2^47)


Time-memory tradeoff attacks – Biham and Dunkelman 2000 (II)

- Improve the techniques of the previous attack
- Compute two tables:
  - Next-state table: stores the states in the computed order
  - Pointer table: stores the location of the state
- Total complexity computed:
  - 2^20: possible start points for R3
  - 2^12: possible guesses; each of them has 2^1.53 values, which cost 2 cycles (next-state lookup)
  - 2^4.53: values for 10 guesses of R3; each of these is clocked and checked in the pointer table => 2 cycles
  - Each check needs to be clocked twice
  - 2^20 · 2^12 · 2^1.53 · 2 · 2^4.53 · (1 + 1 + 2·0.88) = 2^40.97 A5/1 clocking cycles


Time-memory tradeoff attacks – Barkan, Biham and Keller 2003

- Man-in-the-middle attack
- 1st attack
  - Ask the victim to start encrypting with A5/2
  - Break A5/2 (which is easier) and send the authentication to the server
- 2nd attack
  - Ask the network and the victim to start a conversation with no encryption (A5/0)
  - This is likely to be discovered by the operator
- 3rd attack
  - The operator initiates the authentication procedure rarely
  - The attacker asks the victim to encrypt with A5/2
  - Break A5/2 and use it later


Time-memory tradeoff attacks – COPACOBANA 2008

- 120 parallel FPGAs (Field-Programmable Gate Arrays)
- Offers better performance-cost ratio
- Can be connected to a normal PC
- Using COPACOBANA:
  - 114 known bits (1 frame)
  - Preprocessing time: three months
  - Memory: 4.85 TB
  - Online phase: 10.09 s
  - Success rate: 63%
    - Can be increased to 96%
    - Must increase the output stream length to 4 frames


Correlation attacks – Ekdahl and Johansson 2003 (I)

- Based on correlation attacks
- Uses bad initialization of the cipher
  - Key and frame number initialized linearly
- Is not exponential in the length of the registers
- Assuming that the registers are clocked exactly 76 times, we get a probability of knowing the first output
- For all the positions we can write:

$$P\left(s^1_{76} \oplus s^2_{76} \oplus s^3_{76} = O^j_{(76,76,76,1)}\right) = P(\text{assumption correct}) \cdot 1 + P(\text{assumption wrong}) \cdot \tfrac{1}{2}$$


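Correlation attacks – Ekdahl and Johansson 2003 (II)

P((cl1, cl2, cl3) in vth position) can be computed recursively: P((cl1, cl2, cl3) in vth position) = F(cl1, cl2, cl3, v)

where:

$$F(cl_1,cl_2,cl_3,v) = 0 \quad \text{if } cl_1 \,\ldots\, 0,\ cl_2 \,\ldots\, 0 \text{ and } cl_3 \,\ldots\, 0$$

$$F(cl_1,cl_2,cl_3,v) = 0 \quad \text{if } cl_1 < 0 \text{ or } cl_2 < 0 \text{ or } cl_3 < 0$$

$$F(cl_1,cl_2,cl_3,v) = 0 \quad \text{if } cl_1 > v \text{ or } cl_2 > v \text{ or } cl_3 > v$$

$$F(cl_1,cl_2,cl_3,v) = 0.25\,F(cl_1-1,cl_2-1,cl_3-1,v-1) + 0.25\,F(cl_1,cl_2-1,cl_3-1,v-1) + 0.25\,F(cl_1-1,cl_2,cl_3-1,v-1) + 0.25\,F(cl_1-1,cl_2-1,cl_3,v-1)$$

$$p^j_{(cl_1,cl_2,cl_3)} = \sum_{v \in I} P\big((cl_1,cl_2,cl_3) \text{ in } v\text{th position}\big) \cdot \left[O^j_{(cl_1,cl_2,cl_3,v-100)} = 0\right] + \frac{1}{2}\left(1 - \sum_{v \in I} P\big((cl_1,cl_2,cl_3) \text{ in } v\text{th position}\big)\right)$$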


Correlation attacks – Ekdahl and Johansson 2003 (III)

- Log-likelihood of all probabilities:

$$A_{(cl_1,cl_2,cl_3)} = \sum_{j=1}^{m} \ln \frac{p^j_{(cl_1,cl_2,cl_3)}}{1 - p^j_{(cl_1,cl_2,cl_3)}}$$

- If A > 0 then the output of the cipher = 0
- If A < 0 then the output of the cipher = 1
- This attack requires:
  - 5 minutes of GSM conversation
  - Less than 5 minutes to recover the key
  - With a success rate of more than 70%


Correlation attacks – Maximov, Johansson and Babbage 2005

- Improve the attack of Ekdahl and Johansson
- Try to reduce the number m of needed frames
- Based on two new flaws of A5/1
  - Error-correction codes are applied before encryption
  - During silence a special kind of frame containing a large number of zeros is sent
- They also make use of the log-likelihood to find the key, but they use some improved estimators
- Result:
  - A few seconds of conversation (2000-5000 frames => 9-43 s)
  - Less than one minute of computation


Correlation attacks – Barkan and Biham 2006

- Based on conditional estimators
- Based on previous correlation attacks
- Exploit three new weaknesses of the R2 register
  - Alignment property
  - Has only two feedback taps, which are adjacent
  - Symmetry property: the clocking tap is at the middle of the register
- Steps:
  - Compute conditional estimators
  - Decode these estimators to find the best candidates for S1 and S2
    - Modeled as a huge graph to which Dijkstra-like algorithms can be applied
  - For each of these candidates, recover candidates for S3
  - Recover the key from S1, S2, S3 and verify that it is the correct one
- Results: 2000 frames; completes in tens of seconds; success rate is 91%


Other attacks on GSM and A5 family ciphers (I)

- FBDD-based attack
  - Developed by Krause 2002
  - Complexity: n^O(1) · 2^(((1-α)/(1+α))·n), where α is a constant
  - For A5/1, complexity: n^O(1) · 2^(0.6403n)
- Eavesdrop without cryptanalysis
  - MITM attack
  - Record RAND; record ciphertext => output stream of the cipher
  - Later:
    - Send the frame number and message to the target mobile
    - The frame number is the same, so the message can be decrypted


Other attacks on GSM and A5/1 family ciphers (II)

- Open source project (Nohl 2009)
  - Precompute rainbow tables
    - The compressed codebook of A5/1
  - Used parallelization (FPGA) to reduce precomputing time
  - First public project to release the tables
- 1st attack:
  - MITM attack
  - Fake base station
  - Cheap radio equipment
  - Open source software: OpenBTS
- 2nd attack
  - Passive attack
  - Uses the precomputed rainbow tables
- Everybody can contribute


Other attacks on GSM and A5/1 family ciphers (III)

- New A5/3, again weak
  - Made public
  - Based on the KASUMI block cipher
    - Modification of MISTY
- Also weak:
  - By applying a sandwich attack
  - 2^26 data, 2^30 bytes of memory, can complete in 2^32 time
  - The authors claim this is realistic and have simulated the attack on a PC


Conclusions

- Most of the attacks presented here don't make any claim about the real implementation of A5/1 in fielded GSM
  - However, some of them do
- Breaking A5/1 has become an open source project!
- The new A5/3 is also weak!
- The cryptosystem used in GSM should be changed
  - It is the biggest cryptosystem ever deployed
  - It is not used only for conversation
  - Used for banking information, payment, bank transfer etc.


Thank you! Questions?
