GSM Security Overview

Similar documents
New Cryptanalytic Results on IDEA

Differential-Linear Cryptanalysis of Serpent

Contents. GSM and UMTS Security. Cellular Radio Network Architecture. Introduction to Mobile Telecommunications

New Cryptanalytic Results on IDEA

Chapter 6. Stream Cipher Design

Technion - Computer Science Department - Technical Report CS

Dierential-Linear Cryptanalysis of Serpent? Haifa 32000, Israel. Haifa 32000, Israel

GLOBAL SYSTEM FOR MOBILE COMMUNICATION (2) ETI2511 Friday, 31 March 2017

GSM Open-source intelligence

The Rectangle Attack

GSM security. Christian Kröger. University of Twente P.O. Box 217, 7500AE Enschede The Netherlands

ON THE IMPACT OF GSM ENCRYPTION AND MAN-IN-THE-MIDDLE ATTACKS ON THE SECURITY OF INTEROPERATING GSM/UMTS NETWORKS

Linear Cryptanalysis of Reduced Round Serpent

Implementation and performance analysis of Barkan, Biham and Keller s attack on A5/2

ECE Lecture 2. Basic Concepts of Cryptology. Basic Vocabulary CRYPTOLOGY. Symmetric Key Public Key Protocols

Some Thoughts on Time-Memory-Data Tradeoffs

Chapter 3 GSM and Similar Architectures

Mobile Security Fall 2013

Weak Keys of the Full MISTY1 Block Cipher for Related-Key Cryptanalysis

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

Stream Ciphers An Overview

Cryptanalysis. Andreas Klappenecker Texas A&M University

E2-E3: CONSUMER MOBILITY. CHAPTER-5 CDMA x OVERVIEW (Date of Creation: )

Computer Security CS 526

Weak Keys. References

Security of Cellular Networks: Man-in-the Middle Attacks

CSC 474/574 Information Systems Security

Differential Fault Analysis of Trivium

Stream Ciphers. Stream Ciphers 1

GSM security country report: Estonia

Security functions in mobile communication systems

Stream ciphers. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 91

ECE 646 Lecture 1 CRYPTOLOGY

GPRS Intercept: Wardriving your country. Karsten Nohl, Luca Melette,

Technological foundation

Comparison Between PKI (RSA-AES) and AEAD (AES-EAX PSK) Cryptography Systems For Use in SMS-based Secure Transmissions

Real Time Cryptanalysis of A5/1 on a PC

Network Security: Cellular Security. Tuomas Aura T Network security Aalto University, Nov-Dec 2013

in a 4 4 matrix of bytes. Every round except for the last consists of 4 transformations: 1. ByteSubstitution - a single non-linear transformation is a

GSM security country report: Thailand

A Review of Security Attacks on the GSM Standard

Improved Truncated Differential Attacks on SAFER

Improved Linear Sieving Techniques with Applications to Step-Reduced LED-64

A Related-Key Attack on TREYFER

Communication Networks 2 Signaling 2 (Mobile)

Real Time Cryptanalysis of A5/1 on a PC

An Efficient Stream Cipher Using Variable Sizes of Key-Streams

ETSI TS V3.4.0 ( )

Cryptanalysis of KeeLoq with COPACOBANA

Designing Authentication for Wireless Communication Security Protocol

Block Ciphers Tutorial. c Eli Biham - May 3, Block Ciphers Tutorial (5)

Secure Algorithms for SAKA Protocol in the GSM Network

Secure and Authentication Communication in GSM, GPRS, and UMTS Using Asymmetric Cryptography.

Semi-Active GSM Monitoring System SCL-5020SE

Mobile Security / /

2 Overview of existing cipher mode setting procedure

Evaluating GSM A5/1 security on hopping channels

UNIT-5. GSM System Operations (Traffic Cases) Registration, call setup, and location updating. Call setup. Interrogation phase

Pertemuan 7 GSM Network. DAHLAN ABDULLAH

Homework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.

GPRS and UMTS T

Content of this part

Cellular Communication

Design and Analysis of Cryptographic Algorithms for Mobile Communication Systems. Henri Gilbert Orange Labs.

Information Security CS526

GSM System Overview. Ph.D. Phone Lin.

Comp527 status items. Crypto Protocols, part 2 Crypto primitives. Bart Preneel July Install the smart card software. Today

GSM Hacking. Wireless Mobile Phone Communication 30 th January 2014 UNRESTRICTED EXTERNAL

An Overview of Cryptanalysis Research for the Advanced Encryption Standard

Mobile Communications

Basics of GSM in depth

Mobile network security report: Ukraine

1. Out of the 3 types of attacks an adversary can mount on a cryptographic algorithm, which ones does differential cryptanalysis utilize?

Data and Voice Signal Intelligence Interception Over The GSM Um Interface

Improved Integral Attacks on MISTY1

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Computer Security 3/23/18

INSTITUTO DE MATEMÁTICA E ESTATÍSTICA UNIVERSIDADE DE SÃO PAULO. GSM Security. MAC Computação Móvel

Data Encryption Standard (DES)

Wireless Security Security problems in Wireless Networks

The GSM Standard (An overview of its security)

New Attacks on Feistel Structures with Improved Memory Complexities

New mobile phone algorithms a real world story

Differential Cryptanalysis

Practical Operator Considerations Cellular Analog Cellular Rogue Base Station Tumbling Cloning

Cellular Mobile Systems and Services (TCOM1010) GSM Architecture

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

Lecture 2: Secret Key Cryptography

CHAPTER 4 SYSTEM IMPLEMENTATION 4.1 INTRODUCTION

3 rd SKINNY Breaking Competition

Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Private-Key Encryption

Information Technology Mobile Computing Module: GSM Handovers

Automatic Search for Related-Key Differential Characteristics in Byte-Oriented Block Ciphers

AN INTEGRATED BLOCK AND STREAM CIPHER APPROACH FOR KEY ENHANCEMENT

Nexus8610 Traffic Simulation System. Intersystem Handover Simulation. White Paper

PRNGs & DES. Luke Anderson. 16 th March University Of Sydney.

Threat patterns in GSM system. Basic threat patterns:

Transcription:

GSM Security Overview Mehdi Hassanzadeh Mehdi.Hassanzadeh@ii.uib.no Selmer Center, University of Bergen, Norway Norsk ryptoseminar, Bergen, November 9-10, 2011

Agenda A5 Overview : Attack History on A5/1 Rainbow Tables Attack on A5/1 Data Collection and Frequency Hopping Third Generation Telephony Security Attack History on asumi

GSM is global and insecure 200+ countries 4 billion users! GSM encryption introduced in 1987 Disclosed and shown insecure in 1994 However, GSM is used in a growing number of sensitive applications: Voice calls, obviously SMS for banking Seeding RFID/NFC secure elements for access control, payment and authentication GSM is constantly under attack

GSM Architecture Mobile Stations Base Station Subsystem Network Management Subscriber and terminal equipment databases BTS Exchange System OMC BTS BSC MSC VLR HLR AUC BTS EIR

Authentication and Encryption Scheme Mobile Station Radio Link GSM Operator SIM Challenge RAND i A3 A3 i SRES Signed response (SRES) SRES A8 Authentication: are SRES values equal? A8 F n c c F n m i Encrypted Data m i A5 A5

A5 Encryption Algorithm A5 is a stream cipher Implemented very efficiently on hardware Consists of 3 LFSRs of 19,22,23 bits length Registers are clocked in a stop/go fashion using the majority rule. Variants A5/1 the strong version A5/2 the weak version A5/3 GSM Association Security Group and 3GPP design Based on asumi algorithm used in 3G mobile systems

A5/1 Operation All 3 registers set to zero 64 cycles (without the stop/go clock) : Each bit of c (lsb to msb) is XOR'ed in parallel into the lsb's of the registers 22 cycles (without the stop/go clock) : Each bit of F n (lsb to msb) is XOR'ed in parallel into the lsb's of the registers 100 cycles with the stop/go clock control, discarding the output 228 cycles with the stop/go clock control which produce the output bit sequence.

A5/1 Structure 1 1 18 17 16 0 1 0 10 1 1 10 01 10 1 0 01 1 0 0 1 01 1 0 0 1 1 0 0 1 1 0 0 110 C1 21 20 10 01 1 1 10 001 10 001 10 01 10 01 10 01 1 110 001 1 C2 0 R1 1 R2 0 1 clock control 22 21 20 01 10 01 10 01 10 01 0 10 1 01 10 1 1 01 10 1 01 0 10 01 1 01 C3 0 R3 0

Attack History 1991: First GSM implementation. 1997: Golic presented an attack based on solving sets of linear equations. Time complexity of 2^40.16 1999: Alex Biryukov, Adi Shamir and David Wagner Two minutes of intercepted call The attack time was only 1 second. 2^48 Steps 300 GB of data 1999: Eli Biham and Orr Dunkelman total work complexity of 2^39.91 A5/1 clockings 2^20.8 given bits of known plaintext 32 GB of data storage after a precomputation stage of 2^38

Attack History 2003: Ekdahl and Johannson published an attack on the initialisation procedure Using two to five minutes of conversation plaintext. No preprocessing stage. In 2004, Maximov et al. improved this attack Less than one minute of computations A few seconds of known conversation in 2005,, improved by Elad Barkan and Eli Biham

Rainbow Tables Presented In 2009 The 2009 Black Hat security conference By cryptographers arsten Nohl and Sascha rißler Using look-up tables 2TB hard disk ATI GPU

Code book attacks For ciphers with small keys, code books allow decryption Code book provides a mapping from known output to secret state An A5/1 code book is 128 Petabyte and takes 100,000+ years to be computed on a PC

Optimization 1: Chain A3D51 D139F 29A4D D6A32 34F52 DA5F9 352CF D492A F5291 72F81 239D4 239D4 23E45 38194 39A31 25ADF Longer chains := a) less storage, b) longer attack time

Optimization 2: Distinguishing points A3D51 D139F D6AD4 34F52 352CF F5291 239D4 DA5F9 239D4 23E45 38194 39A31 25AD4 Hard disk access only needed at distinguished points

Optimization 3: Rainbow tables A3D51 1 D139F 2 29A4D 3 D6A32 34F52 DA5F9 1 1 352CF D492A 2 2 D139F 72F81 3 3 201FE 239D4 23E45 1 38194 2 39A31 3 25ADF Rainbow tables have no mergers, but an exponentially higher attack time

Optimizations Original format: 2x64 bits for each chain Start values are 34 bits instead of 64 bit Tables are sorted by end values. Only the first values in each block are stored in full. Since neighboring values only differ in the last bits, a complete chain can be encoded in 52 to 72 bits. An average: 54 bits per chain Effectively compressing the tables by 42% 40 tables for a total of 2TB

Rainbow Tables 2^12 elements per color 2^5 color per chain 2^30 chains per table 2^8 tables In total, we have 2^54.6 eys pre-calculated Distinguishing Points-12 bits

Probability of Attack Our Tables cover 1/64 of key space 2 plaintext messages= 4 bursts= 4*114 bits We apply this attack on each 64 bits For each burst the probability of cracking: 1-(63/64) (114 64 + 1) = 55.2% (114-64 + 1) Total probability: : 1-(11 (1-0.552) 4 = 95.97%

ey Cracking Given two encrypted known plaintext messages (ie. Cipher mode complete and a System Information message) The table set finds a secret key with almost 96% probability. The cracking takes about five seconds on two GPUs. Roughly 100,000 look-ups are required which fast SSD disks can provide within five seconds.

Data Collection Cipher Mode Complete message is available: which is the first encrypted message in an encrypted transaction and usually contains the same data, mostly empty padding bytes Cipher Mode Complete message is not available: the System Information messages also carry highly-predictable data that can be used for known plaintext where.

Frequency Hopping Hardware: USRP2 Capture 25 MHz of GSM spectrum Typically enough for one operator Need separate boards for up-and down-link Software: OpenBTS Decode and record one GSM channel Interpret control channel data

Third Generation Telephony Security ASUMI: Encryption Algorithm Used in Third Generation Telephony ASUMI is a block cipher It is used in UMTS, GSM,, and GPRS In UMTS,, ASUMI is used in the confidentiality (f8) and integrity algorithms (f9) with names UEA1 and UIA1, respectively In GSM,, ASUMI is used in the A5/3 key stream generator in GPRS, It is used in the GEA3 key stream generator.

Security of ASUMI In 2001,, an impossible differential attack on six rounds of ASUMI was presented by ühn In 2005,, Eli Biham,, Orr Dunkelman and Nathan eller published a related-key rectangle (boomerang) attack on ASUMI that can break all 8 rounds faster than exhaustive search. The attack requires 2^54.6 chosen plaintexts The time complexity = 2^76.1 ASUMI encryptions

Attack on asumi Dunkelman, eller, Shamir. Asiacrypt Rump session. Dec. 2009 Data complexity: 2^26 plaintexts/ciphertexts Space complexity: 2^30 bytes (one gigabyte) Time complexity: 2^32 Completely practical complexities Attack verified by actual software simulation

Thank You!

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback