gsm attacks by gregory greenman

GSM Security Overview (Part 3), Gregory Greenman

Upload: garry54

Post on 06-Dec-2014


Page 1: GSM Attacks by Gregory Greenman

GSM Security Overview (Part 3)

Gregory Greenman

Page 2: GSM Attacks by Gregory Greenman

Agenda

• A5 Overview:
    • LFSR (Linear Feedback Shift Registers)
    • A5/1 Description
• Attack on A5:
    • Space-Time Attacks Overview (by Babbage)
    • Cryptanalysis of A5/1 (by Shamir, Biryukov, Wagner)
• Other Attacks on GSM
• Conclusion

Page 3: GSM Attacks by Gregory Greenman

LFSR structure

Purpose - to produce pseudo random bit sequence

Consists of two parts:
• shift register – bit sequence
• feedback function

Tap Sequence: bits that are input to the feedback function

[Figure: shift register $b_1, b_2, b_3, b_4, \dots, b_{n-1}, b_n$ with feedback function XOR; labels: output, new value]

Page 4: GSM Attacks by Gregory Greenman

LFSR Features

LFSR Period – the length of the output sequence before it starts repeating itself.

• n-bit LFSR can be in $2^n - 1$ internal states
• the maximal period is also $2^n - 1$
• the tap sequence determines the period
• the polynomial formed by a tap sequence plus 1 must be a primitive polynomial (mod 2)

Page 5: GSM Attacks by Gregory Greenman

LFSR

Example: $x^{12} + x^6 + x^4 + x + 1$ corresponds to LFSR of length 12

[Figure: 12-bit register $b_1, b_2, \dots, b_{12}$ with $b_1$, $b_4$, $b_6$ and $b_{12}$ highlighted]
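Added example (not part of the original slides): a 12-bit LFSR with the taps of the polynomial above, checked against the maximal-period claim and contrasted with a non-primitive tap set. The shift direction, the choice of b12 as output bit and the names used are assumptions made for this sketch.

```python
# Added example: Fibonacci LFSR using the slides' b1..bn numbering.
# Assumption: the register shifts right, bn is the output bit, and the
# XOR of the tapped bits enters at b1.

def lfsr_step(state, taps, n):
    """Clock an n-bit LFSR once and return (new_state, output_bit).

    state holds b1 in its most significant bit and bn in bit 0.
    """
    feedback = 0
    for t in taps:                        # feedback function: XOR of the taps
        feedback ^= (state >> (n - t)) & 1
    output = state & 1                    # bn leaves the register
    state = (state >> 1) | (feedback << (n - 1))
    return state, output


def period(taps, n, start=1):
    """Count the steps until the register returns to its start state."""
    state, steps = start, 0
    while steps < (1 << n):
        state, _ = lfsr_step(state, taps, n)
        steps += 1
        if state == start:
            return steps
    raise ValueError("start state is not on a cycle")


def keystream(taps, n, start, count):
    """Return the first `count` output bits."""
    bits, state = [], start
    for _ in range(count):
        state, bit = lfsr_step(state, taps, n)
        bits.append(bit)
    return bits


# Taps of x^12 + x^6 + x^4 + x + 1 (the slide's example): b12, b6, b4, b1.
PRIMITIVE_TAPS = (12, 6, 4, 1)
# x^12 + x^6 + 1 = (x^6 + x^3 + 1)^2 is reducible, hence not primitive.
WEAK_TAPS = (12, 6)

if __name__ == "__main__":
    print("period, primitive taps:", period(PRIMITIVE_TAPS, 12))
    print("period, weak taps:     ", period(WEAK_TAPS, 12))
    print("first output bits:     ", keystream(PRIMITIVE_TAPS, 12, 1, 16))
```

With the primitive taps the register walks through every non-zero state before repeating; with the weak taps the same register repeats after a handful of steps.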

Page 6: GSM Attacks by Gregory Greenman

A5/1 Overview

• A5/1 is a stream cipher, which is initialized all over again for every frame sent.
• Consists of 3 LFSRs of 19, 22, 23 bits length.
• The 3 registers are clocked in a stop/go fashion using the majority rule.

“Cryptography is a mixture of mathematics and muddle, and without the muddle the mathematics can be used against you.” - Ian Cassels, a former Bletchley Park cryptanalyst.

Page 7: GSM Attacks by Gregory Greenman

[Figure: A5/1 structure. Registers R1, R2 and R3 with bit positions 18 17 16 ... 0, 21 20 ... 0 and 22 21 20 ... 0, clocking taps C1, C2 and C3 feeding the clock control, and example register contents.]

Page 8: GSM Attacks by Gregory Greenman

A5/1 : Operation

• All 3 registers are zeroed
• 64 cycles (without the stop/go clock): each bit of K (lsb to msb) is XOR'ed in parallel into the lsb's of the registers
• 22 cycles (without the stop/go clock): each bit of $F_n$ (lsb to msb) is XOR'ed in parallel into the lsb's of the registers
• 100 cycles with the stop/go clock control, discarding the output
• 228 cycles with the stop/go clock control which produce the output bit sequence.
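Added example (not part of the original slides): the five steps above as a keystream generator, plus a measurement of how often each register is clocked under the majority rule. The tap and clocking-bit positions are those of the publicly documented A5/1 design and are an assumption here, since the slide figure did not survive; the key is a constructed sample.

```python
# Tap and clocking-bit positions below are those of the publicly documented
# A5/1 design (assumption: the slide figure did not survive extraction).
# Register lengths and cycle counts are the slides'. Bit 0 is the lsb.
REGS = (
    # (length, clocking bit, feedback taps)
    (19, 8, (13, 16, 17, 18)),   # R1
    (22, 10, (20, 21)),          # R2
    (23, 10, (7, 20, 21, 22)),   # R3
)


def shift(reg, idx, in_bit=0):
    """Clock register idx once, XORing in_bit into the new lsb."""
    length, _, taps = REGS[idx]
    feedback = in_bit
    for t in taps:
        feedback ^= (reg >> t) & 1
    return ((reg << 1) & ((1 << length) - 1)) | feedback


def increments(c1, c2, c3):
    """Majority rule: a register moves iff its clocking bit is in the majority."""
    majority = int(c1 + c2 + c3 >= 2)
    return tuple(int(c == majority) for c in (c1, c2, c3))


def a51_frame(key, frame, moves=None):
    """Return the 228 keystream bits for an 8-byte key and 22-bit frame number.

    If moves is a 3-item list, moves[i] is incremented for every stop/go
    cycle in which register i was clocked.
    """
    regs = [0, 0, 0]                                   # all 3 registers zeroed
    load = [(key[i // 8] >> (i % 8)) & 1 for i in range(64)]  # K, lsb to msb
    load += [(frame >> i) & 1 for i in range(22)]             # Fn, lsb to msb
    for bit in load:                                   # 64 + 22 regular cycles
        regs = [shift(r, i, bit) for i, r in enumerate(regs)]
    out = []
    for cycle in range(100 + 228):                     # stop/go cycles
        inc = increments(*((regs[i] >> REGS[i][1]) & 1 for i in range(3)))
        regs = [shift(r, i) if inc[i] else r for i, r in enumerate(regs)]
        if moves is not None:
            for i in range(3):
                moves[i] += inc[i]
        if cycle >= 100:                               # first 100 bits discarded
            bit = 0
            for i in range(3):                         # XOR of the three msbs
                bit ^= (regs[i] >> (REGS[i][0] - 1)) & 1
            out.append(bit)
    return out


def move_fractions(key, frames):
    """Fraction of stop/go cycles in which each register was clocked."""
    moves = [0, 0, 0]
    frames = list(frames)
    for frame in frames:
        a51_frame(key, frame, moves)
    return [m / (328 * len(frames)) for m in moves]


KEY = bytes.fromhex("0123456789abcdef")   # constructed sample key

if __name__ == "__main__":
    print("".join(map(str, a51_frame(KEY, 0x21)[:32])))
    print([round(f, 3) for f in move_fractions(KEY, range(0, 4000000, 50000))])
```

At least two registers move in every stop/go cycle, and each one moves in about three quarters of them.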

Page 9: GSM Attacks by Gregory Greenman

The Model

• The internal state of A5/1 generator is the state of all 64 bits in the 3 registers, so there are $2^{64} - 1$ states.
• The operation of A5/1 can be viewed as a state transition:

[Diagram: $S_0 \to S_1 \to S_2 \to \dots \to S_t$, labelled with output bits $k_0, k_1, k_2, \dots, k_t$]

• Standard attack assumes the knowledge of about 64 output bits (64 bits → $2^{64}$ different sequences).

Page 10: GSM Attacks by Gregory Greenman

Space/Time Trade-Off Attack I

Get keystream bits $k_1, k_2, \dots, k_{M+n}$ and prepare M subsequences:

    $k_1, \dots, k_n$
    $k_2, \dots, k_{n+1}$
    ...
    $k_M, \dots, k_{n+M}$

• generate random state $S_i$
• generate n-bit keystream
• look for it in the prepared keystream subsequences

Page 11: GSM Attacks by Gregory Greenman

Space/Time Trade-Off Attack II

Select R random states $S_1, \dots, S_R$ and for each state generate an n-bit keystream (R rows):

    $S_1$ : $k_{1,1} \dots k_{1,n}$
    $S_2$ : $k_{2,1} \dots k_{2,n}$
    ...
    $S_R$ : $k_{R,1} \dots k_{R,n}$

• Get keystream bits $k_1, k_2, \dots, k_{M+n}$ and prepare M subsequences
• Look for a prepared state

Page 12: GSM Attacks by Gregory Greenman

Shamir/Biryukov Attack Outline

• 2 disks (73 GB) and 2 first minutes of the conversation are needed. Can find the key in less than a second.
• This attack is based on the second variation of the space/time tradeoff.
• There are $n = 2^{64}$ total states
• A – the set of prepared states (and relevant prefixes)
• B – the set of states through which the algo. proceeds
• The main idea:
    • Find state s in A ∩ B (the states are identified by prefix)
    • Run the algorithm in the reverse direction

Page 13: GSM Attacks by Gregory Greenman

Biased Birthday Attack

Birthday paradox: $A \cap B \neq \emptyset$ if $|A| \cdot |B| \approx n$

Each state is chosen for A with probability $P_A(s)$ and for B with probability $P_B(s)$. Then, the intersection will not be empty if

$\sum_s P_A(s) \cdot P_B(s) \approx 1$

The idea is to choose the states from A and B with 2 non-uniform distributions that have correlation between them

Page 14: GSM Attacks by Gregory Greenman

Disk Storage

[Figure labels: state, prefix]

The prefixes can be sorted and thus serve as indices into the states array

The registers are small, we can precompute all their states and store them in 3 cyclic arrays

But, for each state we can store only two bits : the clock bit and the output bit

[Figure label: (i, j, k)]

At each step we only have to know which of the three indices should be incremented.

This could be implemented by a precomputed table with 3 input bits (clocks) and the increment vector as the output.

No shift operations !

c1 c2 c3 inc1 inc2 inc3

0 1 0 1 1 0

State Transition :

Page 15: GSM Attacks by Gregory Greenman

Special States

• Disk access is very time-consuming!
• Keep on disk (set A) only those states, which produce a sequence that starts with a certain pattern α, |α| = k
• Access the disk only when α is encountered
• $2^k$ prefixes can start with α, so we reduce the number of total possible states (n) by $2^k$ and the number of disk access times by $2^k$. The size of A, however, is unchanged, and we only insert the states that satisfy the condition there. Thus, we don't miss intersections.

Page 16: GSM Attacks by Gregory Greenman

Generation of Special States

Choose from all $2^{64}$ states the needed $2^{48}$? It's too time-consuming and unrealistic.

The solution is to generate them:

[Figure: three registers with clocking taps C1, C2, C3; labels: 11 bits, 12 bits, 19 bits, 11 bits, 11 bits, 241 chosen bits]

Each register moves approximately ¾ of the cycles.

Page 17: GSM Attacks by Gregory Greenman

Reversing A5/1

• Forward state transition is deterministic …
• In the reverse direction there could be up to 4 predecessors (majority clock control).
• Example:

[Figure: example bit patterns 101, 010, 101 with labels C3, C2, C1]

What was the clock majority bit at the previous round ?

Here we see that there are no predecessors !

Page 18: GSM Attacks by Gregory Greenman

Estimations …

• We need 5 bytes per state to store on disk (73 G), so we can afford $146 \cdot 2^{30} / 5 = 2^{35}$ states
• We use 51 bit length prefixes (16 first bits are α)
• How many times will α be encountered in the data?
    • there are 228 bits of data, that is, 177 (228-51) "relevant offsets"
    • 2 minutes of operation, that is, $120 \cdot 1000 / 4.5$ frames
    • $2^{-16}$ is the fraction of all possible states which start with α
    • so, the number of occurrences is $2^{-16} \cdot 177 \cdot 120 \cdot 1000 / 4.5 \approx 71$

Page 19: GSM Attacks by Gregory Greenman

Tree Exploration

• A state is red if the sequence of output bits produced from the state starts with α. There are $2^{48}$ red states.
• A state is green if the sequence produced from the state contains an α-occurrence between bit positions 101 – 277
• There are $177 \cdot 2^{48}$ green states
• We can assume that the short path (of length 277) will contain only one occurrence of α, so the mapping is many-to-1

[Figure: position of α in the output sequence for red and green states]

Page 20: GSM Attacks by Gregory Greenman

Tree Exploration II

• The set of relevant states can be viewed as a collection of disjoint trees with red state as the root and the rest of nodes are green states.
• We're interested in trees with green states at levels 101-277. The weight of tree, W(s) is the number of green states at those levels.

[Figure labels: sequence generation; reverse direction]

Page 21: GSM Attacks by Gregory Greenman

Tree Exploration III

• It is experimentally found that W(s) has highly non-uniform distribution:
    • 85% of the trees die before reaching the level 100
    • 15% of the trees have 1 ≤ W(s) ≤ 2600
• Choose $2^{35}$ states (biased probability) with particularly heavy trees (average weight 12500) from overall of $2^{48}$ red states
• The expected number of collisions:

$\frac{2^{35} \cdot 12500 \cdot 71}{177 \cdot 2^{48}} \approx 0.61$

Page 22: GSM Attacks by Gregory Greenman

Tree Exploration IV

Heavy trees → large number of green state candidates?
• We know the exact location of α in the sequence, so we know the exact depth in the tree.
• The trees are narrow, so the total number of states we'll have to check is less than 100 !

Page 23: GSM Attacks by Gregory Greenman

Attack Summary

• Due to frequent reinitialization (for every new frame), it's possible to efficiently run the algorithm backwards (328 steps).
• Poor choice of the clocking taps.
• Each one of the registers is so small that it's possible to precompute all its states.

Page 24: GSM Attacks by Gregory Greenman

Attacks on Signaling Network

• The transmissions are encrypted only between MS and BTS. After the BTS, the protocols between MSC and BSC (BSSAP) and inside the operator's network (MAP) are unencrypted, allowing anyone who has access to the signaling system to read or modify the data on the fly !
• So, the SS7 signaling network is completely insecure. The attacker can gain the actual phone call, RAND & SRES…

Page 25: GSM Attacks by Gregory Greenman

Attacks on Signaling Network

• If the attacker can access the HLR, s/he will be able to retrieve the $K_i$ for all subscribers of that particular network.

Page 26: GSM Attacks by Gregory Greenman

Retrieving $K_i$ over Air

• The $K_i$ key can be retrieved from SIM over the air:
    • MS is required to respond to every challenge made by GSM network (there is no authentication of BTS).
    • Attack based on differential cryptanalysis could take 8-15 hours and require that the signal from the legitimate BTS be disabled for that time, but it's still real …
• The same attack could be applied to AuC
    • It also has to answer the requests made by the GSM network
    • It's much faster than SIM

Page 27: GSM Attacks by Gregory Greenman

SMS Architecture

• SMS is a "store and forward" message system
    • the message is sent from the originator to SMS Center, and then on to the recipient.
• SMS messages can be up to 160 characters length
• Sent in clear (but different formats).

Page 28: GSM Attacks by Gregory Greenman

SMS Attacks

[Figure: sms packet with fields labelled Instructions to Air Interface, Instructions to SMSC, Instructions to HandSet, Instructions to SIM and Message Body]

• Broken UDH (user data hdr) in an sms message caused crash in some Nokia phones. It required the user to put its SIM into a non-affected phone and delete the offending message.
• Spoofing SMS Messages: Originating Address field can be arbitrarily set to anything.
• The applications using sms should take care of authentication and also encrypt their messages !

Page 29: GSM Attacks by Gregory Greenman

Conclusions

Pros
• It's the most secure cellular telecommunication system available today (2-2.5G)
• Good framework for reasonably secure communications
• The security model has minimal impact on manufacturers
    • SIM – keys, A3, A8, etc
    • SIM Toolkit – additional SIM functionality
    • Mobile Equipment – A5

The future - 3GPP:
• the design is public
• mutual authentication (EAP-SIM Authentication), key-length increased, security within and between networks, etc.

Page 30: GSM Attacks by Gregory Greenman

Conclusions (cont.)

Cons
• Security by Obscurity
• Only access security – doesn't provide end-to-end security
• GSM Security is broken at many levels, vulnerable to numerous attacks
• Even if security algorithms are not broken, the GSM architecture will still be vulnerable to attacks from inside or attacks targeting the operator's backbone
• No mutual authentication
• Confidential information requires additional encryption over GSM

Page 31: GSM Attacks by Gregory Greenman

References

• GSM Association, http://www.gsmworld.com
• M. Rahnema, “Overview of the GSM System and Protocol Architecture”, IEEE Communication Magazine, April 1993
• L. Pesonen, “GSM Interception”, November 1999
• J. Rao, P. Rohatgi, H. Scherzer, S. Tinguely, “Partitioning Attack: Or How to Rapidly Clone Some GSM Cards”, IEEE Symposium on Security and Privacy, May 2002.
• P. Kocher, J. Jaffe, “Introduction to Differential Power Analysis and Related Attacks”, Cryptography Research, 1998
• S. Babbage, “A Space/Time Trade-off in Exhaustive Search Attacks on Stream Ciphers”, European Convention on Security and Detection, IEE Conference publication, No. 408, May 1999.
• A. Biryukov, A. Shamir, D. Wagner, “Real Time Cryptanalysis of A5/1 on a PC”, Preproceedings of FSE ‘7, pp. 1-18, 2000
• ISAAC, University of California, Berkeley, “GSM Cloning”, http://www.isaac.cs.berkeley.edu/isaac/gsm-faq.html
• S. Chan, “An Overview of Smart Card Security”, http://home.hkstar.com/~alanchan/papers/smartCardSecurity/

Page 32: GSM Attacks by Gregory Greenman

Thank You !