cracking a5
NEWS: We have created a PRIVATE A5 mailinglist. If you feel you have something
to contribute to the project please contact steve [at] segfault.net. The reason for this
has been explained on the public mailinglist a5 [at] lists.segfault.net.
NEW: The CCC Camp07 GSM Software Project and A5 Cracking Talk video is
available. The final attack and a live demonstration will be given at a selected
security conference in March 2008.
Powered by EFF.
Contents
1. LICENSE
2. About
3. How you can help
4. TODO
5. Requirements
6. A5 weakness
7. A5/GSM encryption example
8. Misc Ideas
   1. FPGA Ideas
      1. Brute Force
      2. Brute Force II
      3. possible boards
1 di 19 01/01/2008 11.12
cracking a5 - THC Wiki http://wiki.thc.org/cracking_a5
   2. Rainbow Table
      1. Idea I
      2. Idea II
      3. Idea III
      4. Idea IV
      5. Idea V
      6. Idea VI
   3. TMTO modified for A5/1
      1. Verbal Description
      2. C Reference Implementation
      3. Pseudocode
9. Resources
   1. List of used encryption around the World
   2. How to check if A5/1 is used
   3. HD Random Access Time
10. Links
1. LICENSE
2. About
We are security enthusiasts. Our goal is to implement a system that can crack A5/1. Our
results will be used with the GSM Software Project to demonstrate weaknesses in GSM.
The A5 algorithm was broken (in theory) in 1998 but it is still widely used. The
mobile operators still insist that GSM customers (that's you and me!) are protected and
that our data is safe.
We want to bring together all the folks who worked on the theory of cracking A5/1.
4. TODO
1. Come up with example data (e.g. first encrypted burst from BTS to MS and first
burst from MS to BTS).
2. Enhance the attack on A5/1
3. Implement an A5/2 crack.
5. Requirements
The project comes in stages.
6. A5 weakness
A5 is weak. That's A5/1 and A5/2. When you look at the algorithm it just gives you a bad
feeling.
I did a quick example to visualize the entropy. Crypto people love entropy. An easy way
to visualize the entropy is to generate a picture of the relationship between two, three or
four successive numbers generated by the algorithm. Ideally we should not see any
structure. All pixels should be distributed randomly. lcamtuf's ISN analysis explains this
method in more detail.
I use a MATLAB script to generate the graphics. x.txt contains the output of the A5/1 key
initialization algorithm.
a = 0;
b = 0;
c = 0;
d = 0;
XD = 256;
YD = 256;
ZD = 256;
imshow(I);
The Frame Number (FN) wraps around every 3h 28min 53 sec and 750ms.
A layer 1 GSM message is 23 octets long. It is padded with 0x2b if less than 23 octets of
content data are to be sent.
1. 23 * 8 = 184 bit content data per GSM message. [Output: 184 bit]
2. Add 40 bit fire code (crc) and 4 bit tail (0x00). [Output: 228 bit]
3. Convolutionally encode the 228 bit. This doubles the number of (known) bits.
[Output: 456 bit]
4. Interleave the 456 bit. [Output: 456 bit]
5. Chop the 456 bit into 8 packs, each 57 bit long. Take the first two 57 bit chunks and
send them in the first GSM burst. The 3rd and 4th are sent in the second GSM burst
and so on. [Output: 4x114 bit]
6. The frame number is known and incremented for each GSM burst. A5 is
reinitialized for _each_ burst. This means each burst is encoded under the same Kc
but under a different frame number. The A5 state is thus different for each GSM
burst.
000: ?? ?? ?? 06 32 2b 2b 2b - 2b 2b 2b 2b 2b 2b 2b 2b
001: 2b 2b 2b 2b 2b 2b 2b
0: ?? -------1 Extended Address: 1 octet long
0: ?? ------0- C/R: Response
0: ?? ---000-- SAPI: RR, MM and CC
0: ?? -00----- Link Protocol Disciminator: GSM (not Cell Broadcasting)
1: ?? ------01 Supvervisory Frame
1: ?? ----00-- RR Frame (Receive ready)
1: ?? ---0---- Poll/Final bit (P/F)
1: ?? 000----- N(R), Retransmission counter: 0
2: ?? -------0 EL, Extended Length: n
2: ?? ------0- M, segmentation: N
2: ?? 000010-- Length: 2
3: 06 0------- Direction: From originating site
3: 06 -000---- 0 TransactionID
3: 06 ----0110 Radio Resouce Management
4: 32 00110010 RR Cipher Mode Complete
This message tells the BTS to start ciphering. The first encrypted message sent from the
BTS to the MS is either an MMIdentityRequest followed by an empty GSM message or an
empty GSM message. Both of them contain plenty of known plaintext: The 0x2b GSM
000: 03 42 0d 05 18 03 2b 2b - 2b 2b 2b 2b 2b 2b 2b 2b
001: 2b 2b 2b 2b 2b 2b 2b
0: 03 -------1 Extended Address: 1 octet long
0: 03 ------1- C/R: Command
0: 03 ---000-- SAPI: RR, MM and CC
0: 03 -00----- Link Protocol Disciminator: GSM (not Cell Broadcasting)
1: 42 -------0 Information Frame
1: 42 ----001- N(S), Sequence counter: 1
1: 42 ---0---- P
1: 42 010----- N(R), Retransmission counter: 2
2: 0d -------1 EL, Extended Length: y
2: 0d ------0- M, segmentation: N
2: 0d 000011-- Length: 3
3: 05 0------- Direction: From originating site
3: 05 -000---- 0 TransactionID
3: 05 ----0101 Mobile Management Message (non GPRS)
4: 18 00------ SendSequenceNumber: 0
4: 18 --011000 MMIdentidyRequest
5: 03 -----011 IMEISV
or
000: 03 03 01 2b 2b 2b 2b 2b - 2b 2b 2b 2b 2b 2b 2b 2b
001: 2b 2b 2b 2b 2b 2b 2b
0: 03 -------1 Extended Address: 1 octet long
0: 03 ------1- C/R: Command
0: 03 ---000-- SAPI: RR, MM and CC
0: 03 -00----- Link Protocol Disciminator: GSM (not Cell Broadcasting)
1: 03 ------11 Unnumbered Frame
1: 03 ---0---- P
1: 03 000-00-- UI frame (Unnumbered information)
2: 01 -------1 EL, Extended Length: y
2: 01 ------0- M, segmentation: N
2: 01 000000-- Length: 0
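The two BTS-to-MS dumps above can be decoded mechanically. The following is an added example, not part of the original wiki or the project's tools: it parses the 3-octet header using the bit layout shown in the decodes and counts how many content bits of each 23-octet message are fixed 0x2b fill. The function name `decode_frame` and the dictionary keys are illustrative choices.

```python
# Added example: decode the 3-octet header of a 23-octet GSM layer 1 message
# and count the 0x2b fill octets. Bit layout follows the decodes on this page.

FRAME_LEN = 23  # octets per layer 1 message (from the page)
FILL = 0x2B     # padding octet (from the page)

# The two BTS -> MS sample frames from the page, re-typed as hex.
IDENTITY_REQUEST = bytes.fromhex("03420d051803" + "2b" * 17)
EMPTY_UI_FRAME = bytes.fromhex("030301" + "2b" * 20)


def decode_frame(frame: bytes) -> dict:
    """Return header fields, payload and fill statistics for one frame."""
    if len(frame) != FRAME_LEN:
        raise ValueError(f"expected {FRAME_LEN} octets, got {len(frame)}")
    addr, ctrl, length = frame[0], frame[1], frame[2]

    if (ctrl & 0x01) == 0:
        kind = "I"   # Information frame
    elif (ctrl & 0x03) == 0x01:
        kind = "S"   # Supervisory frame
    else:
        kind = "U"   # Unnumbered frame

    end = 3 + (length >> 2)          # header octets + payload octets
    if end > FRAME_LEN:
        raise ValueError("length field points past the end of the frame")
    fill = frame[end:]
    predictable = sum(1 for b in fill if b == FILL)
    return {
        "ea": addr & 0x01,
        "command": bool(addr & 0x02),          # C/R bit
        "sapi": (addr >> 2) & 0x07,
        "lpd": (addr >> 5) & 0x03,
        "frame_type": kind,
        "n_s": (ctrl >> 1) & 0x07 if kind == "I" else None,
        "n_r": (ctrl >> 5) & 0x07 if kind in ("I", "S") else None,
        "el": length & 0x01,
        "more": bool(length & 0x02),           # M, segmentation
        "payload": frame[3:end],
        "fill_octets": len(fill),
        # Bits of the 184 content bits that are fixed padding.
        "predictable_bits": 8 * predictable,
    }


if __name__ == "__main__":
    for name, frame in (("identity request", IDENTITY_REQUEST),
                        ("empty UI frame", EMPTY_UI_FRAME)):
        d = decode_frame(frame)
        print(f"{name}: type={d['frame_type']} payload={d['payload'].hex()} "
              f"fill={d['fill_octets']} octets "
              f"({d['predictable_bits']}/{8 * FRAME_LEN} bits predictable)")
```

Running the same check over captured frames shows how much of each message is constant padding, which is the exposure that randomised fill octets would remove.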
8. Misc Ideas
1. Shall we do a brute force with FPGA or do a smart attack as outlined in the 2001
paper?
2. Can we use the weakness in A8/A3 to calculate Kc for A5/1?
3. What happened to the cypherpunks mailinglist? The LNE links seem to be down!
Anyone?
4. I'm not concerned if we need 50 FPGAs or 4TB of harddrives. Some people say that
it's not practical to carry 4TB of harddrives in a rucksack. We can always host the
solution and when on a cracking mission the challenge can be sent (via sms?) to the
hosted Cracking Server which sends the results back after a couple of seconds.
5. Can we divide the A5/1 cracking problems into smaller problems and solve each on
its own? This means finding a new attack against A5/1.
Some initial thoughts on A5/1 and FPGA. All this needs to be calculated more precisely.
Each clock cycle the A5 implementation should output 64 bit of stream cipher. We can put
multiple A5 implementations on the same FPGA chip. The calculation is based on a
pipelined implementation of A5.
The three LFSR registers are in total 19 + 22 + 23 = 64 bit long. The first LFSR requires 5
Logical Units (LUs, e.g. xor). The second requires 3 LUs and the last one requires 5 LUs.
All together 13 LUs and 64 bit. The tap register adds 1 LU per LFSR. Makes 16 LUs
and 64 bit.
Generating the state (with key and FrameNumber (FN)) requires 64 + 22 = 88 steps. This
is followed by another 100 cycles. Each of the 100 cycles requires 1 LU less per LFSR.
After these 100 cycles we want to generate about 64 bit of output (e.g. another 64 cycles).
After 88 + 100 + 64 cycles we will start seeing 64 bit of stream cipher output for each
cycle.
This is all not optimized. We do not need the first 9 steps because the tap register only
starts at bit 8. We also do not need all the LUs or registers for the first 18 steps because the
first LFSR is not fully used until step 18. Same for the last 64 steps. For each of the last 64
steps we only need 2 LUs and 1 register less for each step.
We decided to use Xilinx. Altera is a good choice as well but at the moment most of us
have worked with Xilinx before.
The Virtex-5 LX330 from Xilinx has 330.000 LUs and runs at 500 MHz. That brings us
down to 4 days per development board?! But the boards and chips are too expensive. Better
to stick with LX50.
Some more precise calculation by David Hulton:
The LX50 can run at 200-300MHz
and cost $300 each (just the chip, without dev board). I pipelined my version of A5/1 and
came up with some rough numbers on the Virtex-5 LX50. This is purely just computing
the 186 clock cycles for setup and only computing a single bit of output from the pipeline
on each clock cycle. I'm sure we could optimize it a little bit but once we factor in the
overhead of doing the key compares and other bridge code it probably won't be much less
than the numbers here.
With this design, we will probably only be able to fit 4 fully pipelined instances of A5/1
on here unless we can hand-optimize the placement better than the Xilinx tools and code
in some of the shortcuts that you mentioned on the a5 cracking page. I'll work on this a bit
more and see if I can reduce the logic down.
IO Utilization:
Number of bonded IOBs: 88 out of 220 40%
32 3%
Number used as BUFGs: 1
The LX330 boards cost $5.000. Because we can put 4x more a5/1 implementations on
them and they run 6.6x faster it might be worth it.
8.2.1. Idea I
The state table of all 3 LFSRs combined is just 64 bit. The A5 initialization process (e.g.
seeding in key + FN and mixing it 100 cycles) is reversible. Thus once we know the key
state we can compute the key easily. Generating rainbow tables for 64 bit keys is difficult
(TODO: calculate how difficult and how many FPGAs are required).
This attack would work regardless of the frame number and regardless of the key length
(54, 64 or 128 bit). It also uses fewer LUs than the normal key brute force implementation.
All 3 LFSRs can be stuck together to get one 64 bit register: | R1 19bit | R2 22bit | R3 23bit |
1. Start with key state bit 35..0 set to 0000..001. Bit 63..36 is set to 0.
2. RainbowtableNumber++; Entries = 0;
3. Calculate 64 bit output from this keystate. Entries++;
4. If the output's bits 63..36 are all 0 then stop this rainbow table. Otherwise take 64 bit
of useful output and use this output as state. Repeat 3.
5. Increment value in bit 35..0 by 1 (e.g. start next rainbow table). Repeat 2.
Problems:
1. What happens if we never hit a state that has bit 63..36 set to all 0s (e.g. if we are stuck
in a loop)? Break the loop after a maximum number of iterations and call it an 'unlucky'
rainbow table which is handled specially?
2. Using bit 63..36 is just an example. In fact any number of bits (in sequence or not in
sequence) can be used.
8.2.2. Idea II
Is it possible to reduce an LFSR register? By this I mean: does there exist a shorter LFSR
register that would produce the same output (for a certain class of keys)?
8.2.4. Idea IV
We do not need to generate rainbow tables for all possible keystates. Let's assume we
generate rainbow tables for 1/4 of all keystates (e.g. 62 bit). If we sniff 64 bit of known
plaintext, the chance that we can crack it with the rainbow table is 25%.
A5 is reversible: Let N be the index of the current working bit of the A5 algorithm (e.g. after
N bits of output have been produced and N bits of plaintext have been encrypted). Let
keystate(N) be the keystate after N bits have been produced. Let plaintext(N)
be the N-th bit of the plaintext. It is possible to calculate keystate(N-1) if keystate(N) and
plaintext(0..N) are known.
Let's assume we know 65 bit of plaintext. We first try to find a match in the rainbow table
for bit 0..63 and then we try to find a match for bit 1..64. The probability for 65 bit of known
plaintext is already 1 - (3/4)**(65 - 64 + 1) = 43.75%. For 80 bit of known plaintext it is 1 -
(3/4)**(80 - 64 + 1) = 98.997%.
Let's get this further down: Generate 1/64 of all rainbow tables (which makes it a 58 bit
problem): If we get 128 bit of known plaintext our chances of decoding it are 1 -
(63/64)**(128 - 64 + 1) == 64% or 95% if 256 bit of plaintext are known.
The maximum number of bits that are encrypted under the same keystate is 114. There are
4 bursts of 114 bit and the plaintext of each of the bursts is known. For each burst the
probability of cracking it with only 1/64th of the rainbow table is:
1-(63/64)^(114 - 64 + 1) = 55.2%
Considering that we have a 55.2% chance for each of the 4 bursts:
1 - (1 - 0.552)**4 = 95.97%
Limitation: It is obvious that this works if we are dealing with successive bits of
plaintext. It is less obvious that this also works as long as the 65 bit plaintext is distributed
equally (FIXME: can we optimize this?).
1. Does NOT work: bit 0..63 in one sequence followed by some unknown plaintext
followed by bit 64 of known plaintext.
2. DOES work: plaintext bit 0 followed by 1 unknown plaintext bit followed by known
plaintext bit 1, followed by unknown plaintext bit followed by known plaintext bit 2,
Further optimization:
1. Do this over multiple messages (e.g. if we know 128 bit in the first message and
another 128 bit in the second message it dramatically increases our chances of
finding the key state in one of our rainbow tables).
2. Remember that for each message the BTS sends the MS also sends a message.
Again, increasing our chances.
8.2.5. Idea V
We have known plaintext. The first encrypted message sent from the BTS to the MS is
almost all 0x2b (except for the first three octets). This means we can implement the attack
by Anderson and Roe: Guessing the 41 bit in the shorter R1 and R2 registers, and deriving
the 23 bit of the longer R3 register from the output.
Calculating rainbow tables for this is the next challenge. Combining this with Idea IV
makes it a 41-6 = 35 bit problem.
8.2.6. Idea VI
Are there 'useless' bits in R2? It only has two tap registers. Does this help us calculate
the value of others?
number of links is also called the 'chain length'.
Summary:
Many links make up a chain. Many chains make up a table. Many tables make up
a A5 TMTO attack.
Notes:
- One core generates one table
- Multiple cores fit onto 1 FPGA
- A chain is considered looping if the chain length gets longer than 10 times
  the expected chain length and still no $EndPoint was found.
- Each table is sorted by $EndPoint and then compressed.
The reference implementation computes 1 table. This version is around 6000 times slower
than the FPGA implementation.
Download: A5DemoBusterTableGen.c
Compile:
8.3.3. Pseudocode
/* Parameter */
$EndPoint_Bit = 19
$max_tables = 7956
$max_number_chains = 2^26
/*
 * A Table contains multiple chains. Each chain consists of
 * 1 Start Point and 1 End Point.
 */
FUNCTION table_gen()
{
    FOR $number_chain = 0 TO $max_number_chains - 1 DO
        /* At the moment the Start Point for each chain is the
         * current chain number.
         */
        $StartPoint = $number_chain
        $looping = a5_until_endpoint($StartPoint, &$EndPoint, &$Len)
        IF $looping == FALSE
            OUTPUT($StartPoint, $EndPoint, $Len);
    DONE
}
FUNCTION table_start_point($number_chain)
{
    /* At the moment the start point of each chain is the Chain Number */
    RETURN $number_chain
}
/*
* INPUT:
* - $StartPoint
* RETURN:
    WHILE TRUE DO
        $output = a5_clock($state);
        IF is_endpoint($output) THEN
            &$EndPoint = $output
            &$Len = $chain_links
            RETURN FALSE
        /* Check if we are looping */
        $chain_links = $chain_links + 1
        IF ($chain_links > $g_ChainLinks_Max * 10)
            RETURN TRUE
        /* If not looping apply reduction function and generate
         * new state.
         */
        $state = $output XOR $g_ReductionFunction
    DONE
}
FUNCTION a5_clock($state)
{
    /* Clock state for 64 clocks */
    /* Store output in $output and return $output */
    RETURN $output
}
/*
 * Return true if the last $g_EndPoint_Bit of $EndPoint are
 * all 0
 */
FUNCTION is_endpoint($EndPoint)
{
    IF $EndPoint & $g_EndPoint_Mask == 0
        RETURN TRUE
    RETURN FALSE
}
9. Resources
424 United Arab Emirates 2 Du A5/1 Dubai
505 Australia 1 Telstra A5/1
505 Australia 2 Optus A5/1
505 Australia 3 Vodafone A5/1
515 Philippines 2 Globe A5/1
515 Philippines 3 Smart A5/1
515 Philippines 5 Sun A5/1
639 Kenya 2 Safaricom A5/2
639 Kenya 3 Celtel A5/2
History:
When A5/1 came out mostly Germany (as the bordering country to the Soviet bloc)
wanted to implement strong encryption. Other NATO members (led by France) were worried
that the Middle East would use strong encryption. Thus they cut a deal to come up with a
weaker version, A5/2. These days both (A5/1 and A5/2) have been broken. A5/3 has not
been seen in the wild yet.
Other comments:
1. Make sure your phone is using GSM (and not 3G/UMTS or DUAL). Go to Menu ->
Tools -> Settings -> Network -> Network mode and switch to GSM.
2. Install the netmonitor by connecting your phone to the PC (via usb cable).
3. Launch netmonitor
4. Go to screen 1.10. Send an SMS to the phone. See if the 'Ciphering val' changes from
OFF to something else.
5. Go to screen 1.10. Call the mobile phone. See if the 'Ciphering val' changes from
The other method is by using gammu and a dct3 trace mobile (like the Nokia 3310)
connected to the PC. Start a trace, make a phone call and send in the out.xml file that
gammu produces. See our main project page on how to use gammu and dct3 trace mobiles.
Check the GSMSP Project for more information on how to use gammu.
Send results.txt, the type of raid and the number of harddrives in the raid to steve [at]
segfault.net.
10. Links
1. http://www.dia.unisa.it/professori/ads/corso-security/www/CORSO-9900/a5/Netsec/netsec.htm
2. http://jya.com/crack-a5.htm local mirror
3. http://cryptome.org/a51-crack.htm
4. http://www.copacobana.org/
5. Program to benchmark Harddrive Random Access time: random_access.c