
Block 8: GSM (2G) Security

Objectives:
To introduce the basic principles of GSM security
To show why GSM security is broken on many levels

GSM Mobile Telecommunications Security


• Global System for Mobile Communications (GSM) constitutes about 70% of the world mobile telecommunications market.
• Since 1989 GSM has been the responsibility of the European Telecommunications Standards Institute (ETSI), which published Phase I of the GSM specifications in 1990.
• The GSM specifications were designed in secrecy and distributed on a strictly need-to-know basis to industrial participants in the value chain.
• However, information about the GSM security algorithms started to leak into the public domain in the middle of the 1990s.

General architecture of a GSM network

[Figure: the Mobile Station (terminal plus SIM) talks over the radio link to the Base Station Subsystem (BTS and BSC); the Network Subsystem (MSC together with HLR, VLR, EIR and AuC) switches calls and connects to the fixed networks (PSTN, ISDN).]

• The Base Station Subsystem (BSS) controls the radio link with the Mobile Station (MS).
• It comprises Base Transceiver Stations (BTSs) and Base Station Controllers (BSCs).
  o Many BTSs connect to a single BSC.

• The Network Subsystem contains the Mobile Services Switching Centre (MSC):
  o Switches calls between mobile users and between mobile and fixed network users
  o Handles mobility management operations
• The Mobile Station consists of the terminal and a smart card called the Subscriber Identity Module (SIM).
• The SIM enables the user to receive subscribed services without being tied to one particular terminal:
  o It contains the International Mobile Subscriber Identity (IMSI), used to uniquely identify the user (subscriber) to the system
    - This makes the user and their terminal independent
    - The terminal itself is uniquely identified by the International Mobile Equipment Identity (IMEI)
  o Removing the SIM from one GSM terminal and placing it in another lets you make and receive calls and use the other subscribed services on the second terminal
• The SIM card contains a secret authentication key and other information.
• The SIM card may be protected by a password or Personal Identity Number (PIN).
• The BSS contains BTSs connected to its BSCs.
• The BTS contains the radio transceivers that define a cell and handles the radio-link protocols with the MS.
• The BSC manages the radio resources for one or more BTSs by handling radio-channel setup, frequency hopping and handovers.
• The MSC is the main component of the Network Subsystem:
  o Acts like a switching node of the PSTN or ISDN
  o Provides all the functionality needed to manage a mobile subscriber: authentication, registration, location updating, handovers, call routing, etc.

  o Provides the connection to fixed networks, e.g. PSTN or ISDN
• The Home Location Register (HLR) and Visitor Location Register (VLR), together with the MSC, provide the call-routing capabilities of GSM.
• The HLR and VLR are also used for authentication and security purposes.
• The Equipment Identity Register (EIR) is a list of the IMEIs of terminals that have been reported stolen.
• When a terminal connects to the network its IMEI is read by the network:
  o A terminal whose IMEI is on the EIR can be disabled electronically and is then unusable on many GSM networks.
• The Authentication Centre (AuC) stores a copy of the secret key stored on each subscriber's SIM card:
  o The key is used for authentication and encryption over the radio channel
  o The AuC is a protected database

Security Features of GSM


• The security of GSM is designed to protect the radio link:
  o No attempt is made to address the security of any fixed part of the network
• Security in GSM tries to address:
  o Subscriber identity authentication
  o User and signalling data confidentiality
  o Subscriber identity confidentiality
• The IMSI uniquely identifies the subscriber.
• The IMSI and the individual subscriber authentication key Ki are sensitive identification credentials:
  o Ki is never transmitted at all, and the IMSI is sent in the clear only when the network holds no temporary identity for the subscriber (see Subscriber Identity Confidentiality below)
    - The mobile station otherwise identifies itself using a Temporary Mobile Subscriber Identity (TMSI) issued by the network, which may be changed periodically, e.g. at each location update, for additional security.

• A challenge-response mechanism is used to authenticate the user to the network (the response is checked by the serving MSC/VLR; the BTS only relays it).
• The network is not authenticated to the user, so the protocol gives the MS no way to detect a false BTS.
• Conversations are encrypted with a temporary, randomly generated key Kc.
• The GSM security mechanisms are implemented in three different system elements:
  o The SIM
  o The terminal
  o The GSM network
• The SIM contains:
  o The IMSI
  o The individual subscriber authentication key Ki
  o The encryption key generating algorithm A8
  o The authentication algorithm A3
  o A PIN
• The GSM terminal (the MS) contains:
  o The encryption algorithm A5 (in practice A5/1 and/or A5/2, see below)
• The GSM network contains:
  o Algorithms A3, A5 and A8
• Network security information is distributed among the AuC, the HLR and the VLR.
• The AuC is part of the Operation and Maintenance Subsystem (OMS) of the GSM network:
  o It is a database of identification and authentication information of subscribers
  o The IMSI and Ki for each user are stored in the AuC, as well as algorithms A3 and A8
  o It generates the sets of triplets (RAND, SRES, Kc) that are stored in the HLR and VLR for use in the authentication and encryption processes.

Subscriber Identity Authentication


• The subscriber authentication service is used by the fixed network:
  o To authenticate a mobile subscriber
  o To create and manage the encryption keys
  o It is supported by all networks and all mobile terminals
• The frequency with which a user is authenticated is at the discretion of the network.
• Authentication is initiated by the fixed network and is based on a simple challenge-response protocol.
• When a mobile terminal needs to authenticate itself to a serving network one of the following cases applies:

• Case 1: The cell belongs to a network the mobile terminal has not visited in the recent past. Then:
  o The mobile terminal sends its IMSI to the serving network
  o The serving network's MSC finds the terminal's home network and asks the HLR of that network to send an authentication vector (a batch of triplets), which is stored in the serving network's VLR together with the IMSI of the terminal
• Case 2: The cell belongs to the home network of the terminal, or to a network the terminal has visited in the recent past and to which it has authenticated itself. Then:
  o If the authentication vector is still in the VLR and some triplets are left unused, the HLR of the visiting terminal's home network does not need to be contacted
• In both cases a random challenge (nonce) RAND is sent to the terminal.

• The terminal computes a response SRES to RAND using A3 and the subscriber authentication key Ki:
  o Ki is unique and shared only with the AuC of the user's home network
  o Algorithm A3 takes RAND and Ki and generates SRES as output
  o RAND and Ki are 128 bits long
  o SRES is 32 bits long
• The value of SRES computed by the terminal is signalled to the network, where it is compared with the stored pre-computed value:
  o If the two values agree the user is authenticated and the call is allowed to proceed
  o If the values are different access is denied
• The terminal uses algorithm A8 to generate a session key Kc from RAND and Ki:
  o Kc is 64 bits long.

• The BTS receives the same session key Kc from the MSC:
  o The AuC of the user's home network can generate Kc because it knows RAND and Ki
  o In practice Kc is pre-computed by the AuC
• At the end of a successful authentication exchange both the MS and the BTS possess Kc.
• Kc is used until the network decides to authenticate the user again, which may be several days later.
• The pre-computed triplets (RAND, SRES, Kc), held by the HLR on behalf of a subscriber, are passed by the home network's AuC on demand to networks visited by the subscriber.
• COMP128 is an algorithm that combines A3 and A8 and generates SRES and Kc together:
  o It takes RAND and Ki as input, both 128 bits long
  o The first 32 bits of the output are taken to be SRES
  o The next 64 bits form the session key Kc, but COMP128 forces the ten least-significant bits of Kc to zero, so only 54 of them carry key material
  o The keyspace of Kc is therefore effectively only 54 bits, which makes exhaustive search of Kc 2^10 times cheaper than the nominal 64-bit key length suggests
• COMP128, or separate A3 and A8 implementations, are stored in the SIM card to prevent tampering.
• This authentication works abroad because the local network does not have to know anything about these algorithms; it obtains the triplets (RAND, SRES, Kc) from the subscriber's home network.
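The flow above, as an added example written for this page (it is not code from the lecture or from any GSM implementation): an AuC that pre-computes triplets, a visited network whose VLR caches them and contacts the home network only when the batch is exhausted (Case 1 vs. Case 2), and a SIM that answers RAND. COMP128 is replaced by a stand-in keyed hash (HMAC-SHA256) that only reproduces its interface and output shape, including the ten zeroed Kc bits; the IMSI, Ki and class names are constructed for the demo.

```python
import hashlib
import hmac
import os
from collections import deque

# Constructed subscriber data for the demo (not a real IMSI or key).
IMSI = "001010123456789"
KI = bytes(range(16))          # 128-bit Ki, shared only by SIM and AuC
KC_LOW_BITS = 0x3FF            # the ten Kc bits COMP128 forces to zero


def a3a8_stand_in(ki: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """Stand-in for COMP128 (A3 and A8 in one call); NOT the real algorithm.

    Same interface and output shape: 128-bit Ki and RAND in, 32-bit SRES and
    64-bit Kc out, with the ten least-significant bits of Kc cleared so that
    Kc carries only 54 bits of key material, as with COMP128-1.
    """
    assert len(ki) == 16 and len(rand) == 16
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    sres = digest[:4]
    kc = int.from_bytes(digest[4:12], "big") & ~KC_LOW_BITS
    return sres, kc.to_bytes(8, "big")


class AuC:
    """Home network Authentication Centre: holds Ki per IMSI and never exports it."""

    def __init__(self, subscribers: dict[str, bytes]):
        self._ki = dict(subscribers)

    def triplets(self, imsi: str, n: int = 5) -> list[tuple[bytes, bytes, bytes]]:
        """Pre-compute n (RAND, SRES, Kc) triplets for the HLR to hand out."""
        ki = self._ki[imsi]
        out = []
        for _ in range(n):
            rand = os.urandom(16)
            sres, kc = a3a8_stand_in(ki, rand)
            out.append((rand, sres, kc))
        return out


class SIM:
    """Subscriber side. Ki never leaves the card; only SRES goes back over the air."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki, self.kc = imsi, ki, None

    def respond(self, rand: bytes) -> bytes:
        sres, self.kc = a3a8_stand_in(self._ki, rand)   # A3 and A8 in one go
        return sres


class ServingNetwork:
    """MSC/VLR of a visited network: knows neither Ki nor A3/A8, only triplets."""

    def __init__(self, home_auc: AuC):
        self._auc = home_auc
        self._vlr: dict[str, deque] = {}          # IMSI -> unused triplets
        self.session_kc: dict[str, bytes] = {}    # Kc handed to the BTS for A5

    def authenticate(self, sim: SIM) -> bool:
        queue = self._vlr.get(sim.imsi)
        if not queue:
            # Case 1: nothing cached, fetch an authentication vector from the home HLR/AuC
            queue = deque(self._auc.triplets(sim.imsi))
            self._vlr[sim.imsi] = queue
        # Case 2 (or first use of the fresh batch): consume one triplet
        rand, expected_sres, kc = queue.popleft()
        sres = sim.respond(rand)                  # RAND over the air, SRES back
        if not hmac.compare_digest(sres, expected_sres):
            return False                          # access denied, Kc discarded
        self.session_kc[sim.imsi] = kc
        return True

    def unused_triplets(self, imsi: str) -> int:
        return len(self._vlr.get(imsi, ()))


if __name__ == "__main__":
    visited = ServingNetwork(AuC({IMSI: KI}))
    sim = SIM(IMSI, KI)
    for attempt in range(6):
        ok = visited.authenticate(sim)
        print(f"auth {attempt}: {ok}, triplets left in VLR: {visited.unused_triplets(IMSI)}")
    kc = visited.session_kc[IMSI]
    print("Kc low 10 bits zero:", int.from_bytes(kc, "big") & KC_LOW_BITS == 0)
    print("SIM with wrong Ki accepted:", visited.authenticate(SIM(IMSI, bytes(16))))
```

The sixth authentication in the demo triggers a new fetch from the home network, which is exactly the traffic a roaming subscriber generates; note that the visited network never sees Ki and runs no A3/A8 code of its own.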


User and signalling data confidentiality


This service has three components:
1. Confidentiality of user data and signalling information
on physical connections
Provides privacy for all user generated data
(voice and non-voice) transferred over traffic
channels
2. Connectionless user data confidentiality
Provides privacy for all user data transferred in
packet mode on a dedicated signalling channel
3. Signalling information element confidentiality
Provides privacy for user related signalling
elements transferred on a dedicated signalling
channel
All three components use the same encryption mechanism
and must be supported by all networks and mobile
terminals.

17

• Encryption is done using algorithm A5, which produces a key stream under control of Kc, the session key established as part of the authentication procedure.
• It is essential that the MS and BTS synchronize the start of their encryption algorithms:
  o Synchronization of the key stream is maintained using the TDMA frame structure of the radio subsystem
  o The 22-bit TDMA frame number is used as a message key for encryption algorithm A5, so every frame gets a fresh key stream from the same Kc
  o A5 produces a synchronized key stream for enciphering and deciphering the data bits in the frame (ciphertext is simply plaintext XOR key stream, so the same operation encrypts and decrypts)
• Two versions of A5 are in use: A5/1 is the stronger, export-limited version and A5/2 is a weak version that has no export limitation.

Subscriber Identity Confidentiality


• This service allows subscribers to make calls and update their location without revealing their IMSI on the radio path:
  o It prevents location tracking of subscribers by a passive eavesdropper
  o All GSM networks and terminals must be able to support the service
  o Use of this service is not mandatory
  o The temporary mobile subscriber identity (TMSI) is used to provide the service
  o The TMSI is securely updated after each successful access to the system
  o Signalling elements that convey information about the IMSI are sent encrypted
• In principle, the IMSI need only be transmitted in the clear on registration.

The mechanism works as follows:
• Assume the MS has been allocated a TMSI denoted by TMSI0 and that the network knows the relationship between TMSI0 and the subscriber's IMSI.
• The MS identifies itself to the network by sending TMSI0.
• After authentication (if this takes place), the network generates a new TMSI, denoted TMSI1, and sends it to the MS encrypted using Kc.
• The MS decrypts TMSI1 and replaces TMSI0 with TMSI1; the network retires TMSI0 and records the new pairing.
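The TMSI reallocation above, as an added example written for this page (not code from the lecture). It keeps an air-interface log so you can check what a radio eavesdropper actually sees: the IMSI once, at registration, and afterwards only one-time TMSIs, with each new TMSI travelling encrypted. Kc is assumed to be already established by the authentication described earlier; the keystream used to encrypt the new TMSI is a stand-in (a hash of Kc and a counter), not A5, and the IMSI, Kc and class names are constructed.

```python
import hashlib
import os

# Constructed identity and key for the demo.
IMSI = "001010123456789"
KC = bytes.fromhex("0123456789abcdef")


def stand_in_keystream(kc: bytes, counter: int, n: int) -> bytes:
    """Placeholder for the A5 keystream (assumption: hash of Kc and a counter, NOT A5)."""
    return hashlib.sha256(kc + counter.to_bytes(4, "big")).digest()[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Network:
    """MSC/VLR side: owns the TMSI->IMSI table and allocates fresh TMSIs."""

    def __init__(self):
        self.tmsi_to_imsi: dict[bytes, str] = {}
        self.air_log: list[tuple[str, bytes]] = []   # what a radio eavesdropper sees
        self.counter = 0                             # stand-in for the frame number

    def identify(self, identity: bytes, kc: bytes) -> tuple[bytes, int]:
        """MS sends its IMSI (registration) or current TMSI; network answers with an encrypted new TMSI."""
        self.air_log.append(("MS->NET", identity))
        if identity in self.tmsi_to_imsi:
            imsi = self.tmsi_to_imsi.pop(identity)   # resolve and retire TMSI0
        else:
            imsi = identity.decode()                 # IMSI in the clear: registration only
        new_tmsi = os.urandom(4)                     # TMSI1
        self.tmsi_to_imsi[new_tmsi] = imsi
        self.counter += 1
        ciphertext = xor(new_tmsi, stand_in_keystream(kc, self.counter, 4))
        self.air_log.append(("NET->MS", ciphertext))
        return ciphertext, self.counter


class MobileStation:
    def __init__(self, imsi: str, kc: bytes):
        self.imsi, self.kc, self.tmsi = imsi, kc, None

    def access(self, net: Network) -> None:
        identity = self.tmsi if self.tmsi is not None else self.imsi.encode()
        ciphertext, counter = net.identify(identity, self.kc)
        # Decrypt TMSI1 and replace TMSI0 with it
        self.tmsi = xor(ciphertext, stand_in_keystream(self.kc, counter, 4))


def run_accesses(n: int) -> tuple[Network, MobileStation]:
    """Registration followed by n-1 further accesses; returns both sides for inspection."""
    net, ms = Network(), MobileStation(IMSI, KC)
    for _ in range(n):
        ms.access(net)
    return net, ms


def identities_seen_on_air(net: Network) -> list[bytes]:
    """Every identity the MS sent in the clear, in order."""
    return [msg for direction, msg in net.air_log if direction == "MS->NET"]


if __name__ == "__main__":
    net, ms = run_accesses(4)
    for direction, msg in net.air_log:
        print(direction, msg.hex())
    print("current TMSI maps to IMSI:", net.tmsi_to_imsi.get(ms.tmsi))
```

Because TMSI0 is retired as soon as TMSI1 is allocated, a listener who captures one access cannot use that identity to recognise the subscriber next time; linking accesses would require recovering Kc.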


Attacks on GSM Security


Microwave links
• In many cases the base transceiver station to base station controller link is a point-to-point microwave link:
  o This is a potential security hole in the GSM system
  o Data at this point is generally unencrypted, because when GSM was designed it was expected that this link would be a fixed (wired) link; A5 encryption ends at the BTS
  o Some operators implement lower-layer bulk encryption to protect data on the microwave link.

Attacks on the Algorithm A3/8


• The Smart Card Developer Association (SDA) and the ISAAC security research group at UC Berkeley found a flaw in the COMP128 algorithm in 1998.
• This flaw can be used to recover the secret key Ki from the SIM card if approximately 160,000 chosen RAND-SRES pairs can be collected:
  o If the user's mobile phone is stolen and the SIM card removed and connected to a phone emulator (a smart-card reader), the emulator can send 160,000 chosen RANDs to the SIM card and collect the SRES for each
  o This can take up to 10 hours
• Alternatively, a false BTS can be used to send the chosen RANDs over the air interface, since the MS never authenticates the network:
  o This could take days, but the attacker does not need possession of the SIM card
• Once the attacker has the key Ki they can clone the SIM, eavesdrop on the subscriber's calls and run up calls on the subscriber's bill.

Partition Attack
• Side channel attacks are indirect attacks that determine the relationship between inputs and outputs from power consumption, timing of operations, etc.
• With physical access to the SIM card it is possible to extract Ki by a side channel attack called the partition attack, developed by IBM researchers:
  o It can be applied where large table lookups are used, or where countermeasures against differential side channel analysis have not been properly applied
  o COMP128 uses large table lookups and can be broken by the partition attack: with 255 chosen inputs, or 8 adaptively chosen inputs, Ki can be extracted in less than a minute
• GSM network operators are slowly migrating from COMP128 (also known as COMP128-1) to COMP128-2 or COMP128-3. Because the A3 and A8 algorithms are stored in the Subscriber Identity Module, this requires replacing the subscribers' SIM cards.

Attacks on the A5 algorithm
• If an attacker obtains the session key Kc they can regenerate the key stream used for encryption/decryption of every frame, because the frame numbers are assigned in a predictable way and are visible to anyone listening to the cell.
• Although real-time cryptanalysis to obtain Kc by exhaustive search is infeasible, the attacker can record the encrypted frames and decrypt them later, after a successful brute-force attack on Kc.
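An added example written for this page (not code from the lecture or from any GSM product): a Python A5/1 keyed by Kc and the 22-bit frame number, following the public description of the cipher by Briceno, Goldberg and Wagner (three LFSRs of 19, 22 and 23 bits, majority clocking, 114 + 114 keystream bits per frame). It serves two passages: the synchronisation mechanism described under "User and signalling data confidentiality", where the frame number acts as a per-frame message key, and the observation just above that an attacker holding Kc can decrypt a recording because the frame numbers are known. The Kc value (the reference implementation's test key) and the bursts are constructed.

```python
R1_MASK, R2_MASK, R3_MASK = 0x07FFFF, 0x3FFFFF, 0x7FFFFF   # 19-, 22-, 23-bit registers
R1_TAPS, R2_TAPS, R3_TAPS = 0x072000, 0x300000, 0x700080   # feedback taps
R1_MID, R2_MID, R3_MID = 0x000100, 0x000400, 0x000400      # clock-control bits
R1_OUT, R2_OUT, R3_OUT = 0x040000, 0x200000, 0x400000      # output (MSB) bits


def _parity(x: int) -> int:
    return bin(x).count("1") & 1


class A51:
    """A5/1 keystream generator for one TDMA frame."""

    def __init__(self, kc: bytes, frame: int):
        assert len(kc) == 8 and 0 <= frame < (1 << 22)
        self.r1 = self.r2 = self.r3 = 0
        # Load the 64 Kc bits, LSB of the first byte first, clocking every
        # register for each bit (majority rule disabled during loading).
        for i in range(64):
            self._clock_all()
            self._xor_in((kc[i // 8] >> (i & 7)) & 1)
        # Load the 22-bit frame number the same way: this is the per-frame
        # "message key" that makes each frame's keystream different.
        for i in range(22):
            self._clock_all()
            self._xor_in((frame >> i) & 1)
        for _ in range(100):          # 100 majority-clocked steps, output discarded
            self._clock()

    def _xor_in(self, bit: int) -> None:
        self.r1 ^= bit
        self.r2 ^= bit
        self.r3 ^= bit

    @staticmethod
    def _step(reg: int, mask: int, taps: int) -> int:
        return ((reg << 1) & mask) | _parity(reg & taps)

    def _clock_all(self) -> None:
        self.r1 = self._step(self.r1, R1_MASK, R1_TAPS)
        self.r2 = self._step(self.r2, R2_MASK, R2_TAPS)
        self.r3 = self._step(self.r3, R3_MASK, R3_TAPS)

    def _clock(self) -> None:
        # Majority clocking: a register steps only if its control bit agrees
        # with the majority of the three control bits.
        b1, b2, b3 = bool(self.r1 & R1_MID), bool(self.r2 & R2_MID), bool(self.r3 & R3_MID)
        maj = (b1 + b2 + b3) >= 2
        if b1 == maj:
            self.r1 = self._step(self.r1, R1_MASK, R1_TAPS)
        if b2 == maj:
            self.r2 = self._step(self.r2, R2_MASK, R2_TAPS)
        if b3 == maj:
            self.r3 = self._step(self.r3, R3_MASK, R3_TAPS)

    def keystream(self, nbits: int = 114) -> bytes:
        """Next nbits of keystream packed MSB-first (unused tail bits are 0)."""
        out = bytearray((nbits + 7) // 8)
        for i in range(nbits):
            self._clock()
            bit = _parity(self.r1 & R1_OUT) ^ _parity(self.r2 & R2_OUT) ^ _parity(self.r3 & R3_OUT)
            out[i // 8] |= bit << (7 - (i & 7))
        return bytes(out)


def a51_keystream(kc: bytes, frame: int) -> tuple[bytes, bytes]:
    """(downlink, uplink) keystream for one frame, 114 bits each, BTS->MS first."""
    gen = A51(kc, frame)
    return gen.keystream(114), gen.keystream(114)


def xor_burst(kc: bytes, frame: int, burst: bytes, uplink: bool = False) -> bytes:
    """Encrypt or decrypt one 114-bit burst (15 bytes, last 6 bits unused)."""
    ks = a51_keystream(kc, frame)[1 if uplink else 0]
    return bytes(a ^ b for a, b in zip(burst, ks))


def decrypt_recorded(kc: bytes, recorded: list[tuple[int, bytes]]) -> list[bytes]:
    """Attacker with Kc and a recording of (frame number, ciphertext) pairs.
    The frame number is public, so every recorded burst decrypts at any later time."""
    return [xor_burst(kc, frame, ct) for frame, ct in recorded]


if __name__ == "__main__":
    kc = bytes.fromhex("1223456789abcdef")   # constructed Kc (reference test key)
    dl, ul = a51_keystream(kc, 0x134)
    print("downlink:", dl.hex(), "uplink:", ul.hex())
    burst = bytes([0xAA] * 14 + [0xC0])
    recording = [(fn, xor_burst(kc, fn, burst)) for fn in (0x134, 0x135, 0x136)]
    print("recovered all bursts:", all(p == burst for p in decrypt_recorded(kc, recording)))
```

Two things worth noticing when you run it: changing only the frame number changes the whole keystream, which is what keeps MS and BTS in step without any per-frame key exchange, and `decrypt_recorded` needs nothing but Kc and the frame numbers, which is why a recording plus an offline key recovery (brute force over the 54 effective bits, or the time-memory trade-off described below) yields the entire call.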
• Methods faster than brute force have been developed to find the session key Kc.
• The divide-and-conquer attack (due to Golić) reduces the search space to about 2^40.16 steps when plaintext, and hence key stream, is known: rather than searching Kc directly, the attacker determines the initial states of the LFSRs from the known key stream sequence.

• Biryukov, Shamir and Wagner attacked A5/1 on a single PC and extracted the session key in real time from a small amount of known key stream.
• The technique is known as a time-memory trade-off:
  o In a pre-processing phase a large database of algorithm (LFSR) states and the key stream sequences they produce is created
  o In the attack phase the database is searched for a match with sub-sequences of the known key stream. If a match is found it is very likely that the database entry gives the correct internal state.
    - From there it is simple to compute the session key and decipher the rest of the call
• The A5/1 key can be found in less than a second on a single PC with 128 MB RAM and two 73 GB hard disks, by analysing the output of A5/1 from the first two minutes of the conversation.

References
Hideki Imai, Wireless Communications Security, Artech House, 2006.