GSM Security Overview

(Part 3)
Gregory Greenman
Agenda
A5 Overview :
LFSR (Linear Feedback Shift Registers)
A5/1 Description
Attack on A5 :
Space-Time Attacks Overview (by Babbage)
Cryptanalysis of A5/1 (by Shamir, Biryukov, Wagner)
Other Attacks on GSM
Conclusion
LFSR structure
Purpose - to produce pseudo random bit sequence
Consists of two parts :
shift register bit sequence
feedback function
Tap Sequence :
bits that are input to the feedback function

b
1
b
2
b
3
b
4
... b
n-1
b
n

Feedback Function : XOR
output
new value
LFSR Features
LFSR Period the length of the output sequence
before it starts repeating itself.
n-bit LFSR can be in 2
n
-1 internal states
the maximal period is also 2
n
-1
the tap sequence determines the period
the polynomial formed by a tap sequence plus
1 must be a primitive polynomial (mod 2)
LFSR
Example :
x
12
+x
6
+x
4
+x+1 corresponds to LFSR of length 12
b
1
b
2
b
3
b
4
b
5
b
6
b
7
b
8
b
9
b
10
b
11
b
12
A5/1 Overview
A5/1 is a stream cipher, which is initialized all
over again for every frame sent.
Consists of 3 LFSRs of 19,22,23 bits length.
The 3 registers are clocked in a stop/go
fashion using the majority rule.
Cryptography is a mixture of mathematics and muddle, and without the
muddle the mathematics can be used against you.
- Ian Cassells, a former Bletchly Park cryptanalyst.

1 0 1 1 1 1 0 1 1 0 1 0 1 1 0 1 0 1 0
1 0 1 1 1 0 0 1 0 0 1 0 1 0 1 0 1 1 1 0 0 1
1 0 1 0 1 0 1 0 0 1 1 0 1 1 1 0 1 1 0 0 1 0 1
clock
control
18 17 16
0
21 20
0
0 21 22 20
C3
C2
C1
R2
R1
R3
1
1
0
0
1
0 1 1 1 1 0 1 1 0 1 0 1 1 0 1 0 1 0
0 1 1 1 0 0 1 0 0 1 0 1 0 1 0 1 1 1 0 0 1
0 1 0 1 0 1 0 0 1 1 0 1 1 1 0 1 1 0 0 1 0 1
1 1 1 1 0 1 1 0 1 0 1 1 0 1 0 1 0 1
1
1
0
0
1
A5/1 : Operation
All 3 registers are zeroed
64 cycles (without the stop/go clock) :
Each bit of K (lsb to msb) is XOR'ed in parallel into
the lsb's of the registers
22 cycles (without the stop/go clock) :
Each bit of F
n
(lsb to msb) is XOR'ed in parallel into
the lsb's of the registers
100 cycles with the stop/go clock control,
discarding the output
228 cycles with the stop/go clock control which
produce the output bit sequence.


The Model
The internal state of A5/1 generator is the state of all
64 bits in the 3 registers, so there are 2
64
-1 states.
The operation of A5/1 can be viewed as a state
transition :

S
0
S
1
S
2
S
t
k
0
k
2
k
1
k
t
Standard attack assumes the knowledge of about 64
output bits (64 bits 2
64
different sequences).
Space/Time Trade-Off Attack I
Get keystream bits k
1
,k
2
,,k
M+n
and prepare
M subsequences :
k
1
,,k
n
k
2
,,k
n+1

k
M
,,k
n+M

M
generate random state S
i
generate n-bit keystream
look for it in the prepared
keystream subsequences


Space/Time Trade-Off Attack II
Select R random states S
1
,..,S
R
and for each
state generate an n-bit keystream
S
1
: k
1,1
k
1,n
S
2
: k
2,1
k
2,n

S
R
: k
R,1
k
R,n

R
Get keystream bits
k
1
,k
2
,,k
M+n
and prepare M
subsequences
Look for a prepared state
Shamir/Biryukov Attack Outline
2 disks (73 GB) and 2 first minutes of the conversation
are needed. Can find the key in less than a second.
This attack based on the second variation of the
space/time tradeoff.
There are n = 2
64
total states
A the set of prepared states (and relevant prefixes)
B the set of states through which the algo. proceeds
The main idea :
Find state s in A B (the states are identified by prefix)
Run the algorithm in the reverse direction

Biased Birthday Attack
Birthday paradox : A B o if |A| |B| n
Each state is chosen for A with probability P
A
(s) and for B
with probability P
B
(s). Then, the intersection will not be
empty if

s
P
A
(s) P
B
(s) 1

The idea is to choose the states from A and B with 2
non-uniform distributions that have correlation between
them
Disk Storage

state prefix
The prefixes can be sorted and thus serve
as indices into the states array
The registers are small, we can
precompute all their states and store them
in 3 cyclic arrays
But, for each state we can store
only two bits : the clock bit and
the output bit
(I, j, k)
At each step we only have to know
which of the three indices should be
incremented.
This could be implemented by a
precomputed table with 3 input bits
(clocks) and the increment vector
as the output.
No shift operations !
c1 c2 c3 inc1 inc2 inc3
0 1 0 1 1 0
State Transition :
Special States
Disk access is very time-consuming!
Keep on disk (set A) only those states, which produce a
sequence that starts with a certain pattern , | | = k
Access the disk only when is encountered
2
k
prefixes can start with , so we reduce the number of
total possible states (n) by 2
k
and the number of disk
access times by 2
k
. The size of A, however, is unchanged,
and we only insert the states that satisfy the condition
there. Thus, we don't miss intersections.
Generation of Special States
Choose from all 2
64
states the needed 2
48
?
It's too time-consuming and unrealistic.
The solution is to generate them :
C3
C2
C1
11 bits
12 bits
19 bits
11 bits
11 bits
2
41
chosen bits
Each register
moves
approximately of
the cycles.
Reversing A5/1
Forward state transition is deterministic
In the reverse direction could be up to 4 predecessors
(majority clock control).
Example :
1 0 1
0 1 0
1 0 1
C3
C2
C1
What was the clock majority bit at the
previous round ?
Here we see that there are no
predecessors !
Estimations
We need 5 bytes per state to store on disk (73 G), so we can
afford 146 2
30
/5 = 2
35
states
We use 51 bit length prefixes (16 first bits are )
How many times will be encountered in the data ?
there are 228 bits of data, that is, 177 (228-51) "relevant offsets"
2 minutes of operation, that is, 120 1000/4.5 frames
2
-16
is the fraction of all possible states which start with
so, the number of occurrences is 2
-16
177 120 1000/4.5 71
Tree Exploration
A state is red if the sequence of output bits produced from the
state starts with . There are 2
48
red states.
A state is green if the sequence produced from the state contains
an -occurrence between bit positions 101 277



There are 177 2
48
green states
We can assume that the short path (of length 277 ) will contain
only one occurrence of , so the mapping is many-to-1
red : green :
Tree Exploration II
The set of relevant states can be viewed as a collection
of disjoint trees with red state as the root and the rest of
nodes are green states.



We're interested in trees with green states at levels
101-277. The weight of tree, W(s) is the number of green
states at those levels.
sequence
generatio
n
reverse
direction
Tree Exploration III
It is experimentally found that W(s) has highly non-
uniform distribution :
85% of the trees die before reaching the level 100
15% of the trees have 1 W(s) 2600
Choose 2
35
states (biased probability) with particularly
heavy trees (average weight 12500) from overall of 2
48

red states
The expected number of collisions :
2
35
12500 71
177 2
48
0.61
Tree Exploration IV
Heavy trees large number of green state candidates?
We know the exact location of in the sequence, so we know
the exact depth in the tree.
The trees are narrow, so the total number of states we'll have
to check is less than 100 !
Attack Summary
Due to frequent reinitialization (for every new frame),
it's possible to efficiently run the algorithm backwards
(328 steps).
Poor choice of the clocking taps.
Each one of the registers is so small that it's possible to
precompute all its states.
Attacks on Signaling Network
The transmissions are encrypted only between MS and
BTS. After the BTS, the protocols between MSC and
BSC (BSSAP) and inside the operator's network (MAP)
are unencrypted, allowing anyone who has access to the
signaling system to read or modify the data on the fly !

So, the SS7 signaling network is completely insecure.
The attacker can gain the actual phone call, RAND &
SRES
Attacks on Signaling Network
If the attacker can access the HLR, s/he will be able to
retrieve the K
i
for all subscribers of that particular
network.

Retrieving K
i
over Air
The K
i
key can be retrieved from SIM over the air :
MS is required to respond to every challenge made by GSM
network (there is no authentication of BTS).
Attack based on differential cryptanalysis could take 8-15
hours and require that the signal from the legitimate BTS be
disabled for that time, but it's still real
The same attack could be applied to AuC
It also has to answer the requests made by the GSM network
It's much faster than SIM

SMS Architecture
SMS is a "store and
forward" message system
the message is sent from
the originator to SMS
Center, and then on to the
recipient.
SMS messages can be up
to 160 characters length
Sent in clear (but different
formats).
SMS Attacks
Instructions
to SIM
Message Body
Instructions
to HandSet
Instructions
to SMSC
Instructions
to Air Interface
sms packet
Broken UDH (user data hdr) in an sms message caused crash in
some Nokia phones. It required the user to put its SIM into a non-
affected phone and delete the offending message.
Spoofing SMS Messages : Originating Address field can be
arbitrarily set to anything.
The applications using sms should take care of authentication
and also encrypt their messages !

Conclusions
Pros
It's the most secure cellular telecommunication system available
today (2-2.5G)
Good framework for reasonably secure communications
The security model has minimal impact on manufacturers
SIM keys,A3,A8,etc
SIM Toolkit additional SIM functionality
Mobile Equipment A5
The future - 3GPP :
the design is public
mutual authentication (EAP-SIM Authentication), key-length increased,
security within and between networks, etc.
Conclusions (cont.)
Cons
Security by Obscurity
Only access security doesn't provide end-to-end security
GSM Security is broken at many levels, vulnerable to
numerous attacks
Even if security algorithms are not broken, the GSM
architecture will still be vulnerable to attacks from inside or
attacks targeting the operator's backbone
No mutual authentication
Confidential information requires additional encryption
over GSM
References
GSM Association, http://www.gsmworld.com
M. Rahnema, Overview of the GSM System and Protocol Architecture,
IEEE Communication Magazine, April 1993
L. Pesonen, GSM Interception, November 1999
J.Rao, P. Rohatgi, H. Scherzer, S. Tinguely, Partitioning Attack: Or How to
Rapidly Clone Some GSM Cards, IEEE Symposium on Security and
Privacy, May 2002.
P.Kocher, J. Jaffe, Introduction to Differential Power Analysis and Related
Attacks, Cryptography Research, 1998
S. Babbage, A Space/Time Trade-off in Exhaustive Search Attacks on
Stream Ciphers, Europian Convention on Security and Detection, IEE
Conference publication, No. 408, May 1999.
A. Biryukov, A. Shamir, D. Wagner, Real Time Cryptanalysis of A5/1 on a
PC, Preproceedings of FSE 7, pp. 1-18, 2000
ISAAC, University of California, Berkeley, GSM Cloning,
http://www.isaac.cs.berkeley.edu/iChansaac/gsm-faq.html
S. Chan, An Overview of Smart Card Security,
http://home.hkstar.com/~alanchan/papers/smartCardSecurity/

Thank You !