Objectives:
To introduce the basic principles of GSM security
To show why GSM security is broken on many levels
[Figure: GSM architecture. MS with SIM; Base Station Subsystem (BTS, BSC); Network Subsystem (MSC, VLR, HLR, AuC, EIR); external PSTN/ISDN.]
The SIM holds the subscriber's IMSI, a PIN and the secret key Ki.
The BTS receives the same session key Kc from the MSC.
The AuC of the user's home network can generate Kc because it holds Ki and chose RAND; the home HLR/AuC and the SIM are the only places that know Ki.
In practice Kc is pre-computed by the AuC.
At the end of a successful authentication exchange both the MS and the BTS possess Kc.
Kc is used until the network decides to authenticate the user again, which may be several days later, so a single recovered Kc covers days of traffic.
The pre-computed triplets (RAND, SRES, Kc), held by the HLR on behalf of a subscriber, are passed by the home network's AuC on demand to networks visited by the subscriber; the visited network never sees Ki.
COMP128 is an algorithm that combines A3 and A8 and generates SRES and Kc together:
It takes RAND and Ki as input, which are both 128 bits long, and generates a 128-bit output.
The first 32 bits of the output are taken to be SRES.
The remaining output bits are used for Kc; in COMP128-1 only 54 of Kc's 64 bits are significant (the last 10 are fixed to zero), which cuts a brute-force search on Kc from 2^64 to 2^54.
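As an added example (not from the lecture, and not any operator's code), the following Python simulates the triplet flow described above: the home AuC pre-computes (RAND, SRES, Kc) and hands them to a visited network, which challenges the MS over the air and compares SRES, so that both MS and BTS end up with Kc while Ki never leaves the SIM and the AuC. Because A3/A8 are operator-specific, the example assumes an HMAC-SHA256 stand-in (labelled as such in the code; it is not COMP128) and applies the COMP128-1 Kc layout of ten trailing zero bits. The IMSI, Ki and class names are made up for illustration.

```python
"""Simulated GSM authentication with pre-computed triplets (RAND, SRES, Kc).

Added example, not from the lecture or any operator's code. A3/A8 are
operator-chosen, so a stand-in is used: HMAC-SHA256 of RAND under Ki
(an assumption for illustration only; it is NOT COMP128). The output is split
the way COMP128-1 splits its own: 32-bit SRES first, then a 64-bit Kc whose
last 10 bits are forced to zero, so only 54 bits of Kc are secret.
"""
import hashlib
import hmac
import secrets


def a3a8_toy(ki, rand):
    """Stand-in for A3/A8 (assumed HMAC-SHA256, not a real GSM algorithm).

    Returns (SRES, Kc): SRES is the 32-bit signed response, Kc the 64-bit
    session key with the COMP128-1 quirk of ten trailing zero bits applied.
    """
    out = hmac.new(ki, rand, hashlib.sha256).digest()
    sres = out[:4]
    kc = bytearray(out[4:12])
    kc[6] &= 0xFC  # clear the low 2 bits of byte 6 ...
    kc[7] = 0x00   # ... and all of byte 7: 10 zero bits, 2^54 effective keys
    return sres, bytes(kc)


class AuC:
    """Home network AuC/HLR: the only place (besides the SIM) that holds Ki."""

    def __init__(self):
        self._ki = {}

    def provision(self, imsi, ki):
        self._ki[imsi] = ki

    def triplets(self, imsi, n=5, rands=None):
        """Pre-compute n triplets for a subscriber; Ki never leaves here."""
        rands = rands or [secrets.token_bytes(16) for _ in range(n)]
        return [(rand, *a3a8_toy(self._ki[imsi], rand)) for rand in rands]


class SIM:
    """Subscriber's SIM: answers RUN GSM ALGORITHM with SRES for a RAND
    and keeps the derived Kc for the MS to hand to A5."""

    def __init__(self, imsi, ki):
        self.imsi, self._ki, self.kc = imsi, ki, None

    def run_gsm_algorithm(self, rand):
        sres, self.kc = a3a8_toy(self._ki, rand)
        return sres


class VisitedNetwork:
    """Serving MSC/VLR: fetches triplets from the home AuC, challenges the MS,
    checks SRES and on success hands Kc to the BTS. It never learns Ki."""

    def __init__(self, auc):
        self._auc = auc
        self._triplets = {}   # IMSI -> unused triplets fetched from the AuC
        self.bts_kc = {}      # IMSI -> Kc currently in use on the air interface

    def authenticate(self, imsi, sim):
        if not self._triplets.get(imsi):
            self._triplets[imsi] = self._auc.triplets(imsi)   # on-demand fetch
        rand, sres_expected, kc = self._triplets[imsi].pop()
        sres = sim.run_gsm_algorithm(rand)       # RAND crosses the air in clear
        if not hmac.compare_digest(sres, sres_expected):
            return None                          # authentication reject
        self.bts_kc[imsi] = kc                   # MSC -> BTS: start ciphering
        return kc
```

Note that `authenticate` only consumes one cached triplet per run; `bts_kc` keeps the resulting Kc until the network chooses to authenticate again, which is exactly the reuse window the text warns about.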
Partition Attack
Side-channel attacks are indirect attacks that recover the relationship between inputs and outputs from power consumption, timing of operations, electromagnetic emanations, etc., rather than from the mathematics of the algorithm.
With physical access to the SIM card it is possible to extract Ki by a side-channel attack called the partition attack, developed by IBM researchers (Rao, Rohatgi, Scherzer and Tinguely, 2002):
It can be applied where large table lookups are used, or where countermeasures against differential side-channel analysis have not been properly applied.
COMP128-1 uses large table lookups and can be broken by the partition attack: with 255 chosen inputs, or 8 adaptively chosen inputs, Ki can be extracted in less than a minute.
Once Ki is known the SIM can be cloned, since every future (RAND, SRES, Kc) can then be computed from the RAND sent in clear.
GSM network operators are slowly migrating from COMP128 (also known as COMP128-1) to COMP128-2 or COMP128-3. Because the A3 and A8 algorithms are implemented in the Subscriber Identity Module, this requires replacing the subscribers' SIM cards.
Attacks on the A5 algorithm
If an attacker obtains the session key Kc, they can regenerate the key stream used for encryption and decryption of every frame, because A5 is keyed only by Kc and the 22-bit frame number, and the frame numbers are assigned in a predictable way (they are a counter that the attacker can read from the timing broadcast).
Although real-time cryptanalysis to obtain Kc by brute force is infeasible, the attacker can record the encrypted frames together with their frame numbers and decrypt them later, after a successful brute-force attack on Kc.
New methods are being developed to find the session key Kc in less time than a brute-force attack.
The divide-and-conquer attack (due to Golic, 1997) reduces the search space to about 2^40.16 if plaintext is known: the attacker guesses part of the initial states of the three LFSRs and solves for the rest from a known key stream sequence, instead of searching all 2^64 keys.
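The dependence on nothing but Kc and the frame number is easiest to see with the cipher itself. The block below is an added example, not part of the lecture: a Python A5/1 keystream generator following the published design (register lengths, taps, clocking bits and key/frame loading order as in the 1999 Briceno/Goldberg/Wagner reference implementation), plus the "record now, decrypt later" scenario the text describes. The Kc, frame number and plaintext are constructed, and the helper names are the example's own.

```python
"""A5/1 keystream generation and the 'record now, decrypt later' consequence.

Added example, not from the lecture. Register lengths, taps, clocking bits and
the key/frame loading order follow the published A5/1 design as given in the
1999 Briceno/Goldberg/Wagner reference implementation; the Kc, frame number
and plaintext used below are constructed for illustration.
"""

# 19-, 22- and 23-bit registers; feedback taps; majority-clocking bits; output bits
R1_MASK, R2_MASK, R3_MASK = 0x07FFFF, 0x3FFFFF, 0x7FFFFF
R1_TAPS, R2_TAPS, R3_TAPS = 0x072000, 0x300000, 0x700080   # 18,17,16,13 | 21,20 | 22,21,20,7
R1_MID, R2_MID, R3_MID = 0x000100, 0x000400, 0x000400      # clocking bits 8, 10, 10
R1_OUT, R2_OUT, R3_OUT = 0x040000, 0x200000, 0x400000      # MSB of each register


def parity(x):
    return bin(x).count("1") & 1


def step(reg, mask, taps):
    """Clock one LFSR: shift left, feed back the parity of the tapped bits."""
    return ((reg << 1) & mask) | parity(reg & taps)


class A5_1:
    def __init__(self, kc, frame):
        self.r1 = self.r2 = self.r3 = 0
        # 64-bit Kc, LSB of byte 0 first, all three registers clocked every step
        for i in range(64):
            self._clock_all((kc[i >> 3] >> (i & 7)) & 1)
        # 22-bit frame number loaded the same way (public, derived from the timing broadcast)
        for i in range(22):
            self._clock_all((frame >> i) & 1)
        # 100 irregular clocks with output discarded
        for _ in range(100):
            self._clock_majority()
        # From here on the 64-bit state (r1, r2, r3) alone determines the keystream,
        # which is what Golic's divide-and-conquer attack targets.

    def _clock_all(self, bit):
        self.r1 = step(self.r1, R1_MASK, R1_TAPS) ^ bit
        self.r2 = step(self.r2, R2_MASK, R2_TAPS) ^ bit
        self.r3 = step(self.r3, R3_MASK, R3_TAPS) ^ bit

    def _clock_majority(self):
        b1, b2, b3 = bool(self.r1 & R1_MID), bool(self.r2 & R2_MID), bool(self.r3 & R3_MID)
        maj = (b1 + b2 + b3) >= 2
        if b1 == maj:
            self.r1 = step(self.r1, R1_MASK, R1_TAPS)
        if b2 == maj:
            self.r2 = step(self.r2, R2_MASK, R2_TAPS)
        if b3 == maj:
            self.r3 = step(self.r3, R3_MASK, R3_TAPS)

    def keystream(self, nbits=114):
        """Next nbits of keystream, packed MSB-first (A5/1 emits 2 x 114 per frame)."""
        out = bytearray((nbits + 7) // 8)
        for i in range(nbits):
            self._clock_majority()
            bit = parity(self.r1 & R1_OUT) ^ parity(self.r2 & R2_OUT) ^ parity(self.r3 & R3_OUT)
            out[i >> 3] |= bit << (7 - (i & 7))
        return bytes(out)


def frame_keystreams(kc, frame):
    """(downlink, uplink) 114-bit keystreams for one TDMA frame under Kc."""
    g = A5_1(kc, frame)
    return g.keystream(114), g.keystream(114)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def record_then_decrypt(kc, frame, plaintext):
    """Attacker model from the text: the ciphertext and its frame number are
    recorded on the air; once Kc is found later (brute force or otherwise),
    the keystream is regenerated exactly, because it depends on nothing but
    (Kc, frame number). Returns (what was recorded, what the attacker reads)."""
    down, _ = frame_keystreams(kc, frame)
    ciphertext = xor(plaintext, down)               # what the BTS transmitted
    attacker_ks, _ = frame_keystreams(kc, frame)    # recomputed from recovered Kc
    return ciphertext, xor(ciphertext, attacker_ks)
```

The same 64-bit Kc with a different frame number gives an unrelated keystream, but since the frame counter is public the attacker never has to guess it; only Kc is unknown, and a single Kc serves every frame until the next authentication.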