GSM Security: Cryptanalysis of A5/1

Arber Ceni – 07.02.2011
Overview (I)
Motivation
Description of A5/1
Time-memory tradeoff attacks
  Golic 1997
  Biryukov et al. 2000
  Biham and Dunkelman 2000
  Barkan, Biham and Keller 2003
  COPACOBANA 2008
Overview (II)
Correlation attacks
  Ekdahl and Johansson 2003
  Maximov, Johansson and Babbage 2005
  Barkan and Biham 2006
Other attacks on GSM and A5 family ciphers
Conclusions
Motivation
GSM has more than 3 billion customers and covers around 80% of the world's population
Every over-the-air conversation is protected by A5/1
GSM is the biggest cryptosystem ever deployed
A5/1 was developed in 1987 (more than 20 years old)
Many flaws discovered
Many attacks conducted
Description of A5/1 (I)
GSM uses symmetric cryptography
The same key Kc is used to encrypt and decrypt the conversation
How is Kc generated?
  Ki – root encryption key, unique for each subscriber
  A3 – authenticates the user to the mobile operator
  A8 – generates Kc
Description of A5/1 (II)
Invented in 1987
Partially leaked in 1994
Reverse engineered by Briceno in 1999
Idea:
  The conversation is transmitted as frames, one every 4.6 ms
  228 plaintext bits + Kc + Fn → 228 ciphertext bits
  114 bits uplink, 114 bits downlink
  Three LFSRs:
    R1 – length 19; tapping bits 13, 16, 17, 18; clocking bit 8
    R2 – length 22; tapping bits 20, 21; clocking bit 10
    R3 – length 23; tapping bits 7, 20, 21, 22; clocking bit 10
Description of A5/1 (III)
Clocking
  Majority rule: a register is clocked if its clocking bit agrees with the majority bit of the three clocking bits
  Example: C1 = C2 = C3 ⊕ 1 ⇒ R1 and R2 are clocked, R3 stays
  The probability of each register being clocked is 3/4
Description of A5/1 (IV)
Algorithm (initial state)
  Zero all registers
  For each bit i of Kc: Rj[0] = Rj[0] ⊕ Kc[i], j = 1, 2, 3
    Clock the registers ignoring the regular clocking mechanism
  For each bit i of Fn: Rj[0] = Rj[0] ⊕ Fn[i], j = 1, 2, 3
    Clock the registers ignoring the regular clocking mechanism
  Clock the registers with the normal clocking mechanism for 100 rounds and discard the output
Description of A5/1 (V)
Algorithm (ciphertext generation)
  Clock the cipher 114 times in the normal stop/go fashion
  Produce 114 keystream bits by XOR-ing the MSBs of the three registers
  This keystream encrypts the communication from the operator to the mobile station
  XOR the keystream with the plaintext message to produce the ciphertext
  Do the same for the conversation from the mobile station to the operator
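The initialisation and keystream procedure of the last two slides as an added, runnable example (not code from the slides). Bit ordering of Kc and Fn follows the public Briceno/Goldberg/Wagner reference implementation (LSB of the first key byte first, frame number LSB first, each bit XORed into bit 0 right after a regular clock of all three registers), so that its published test vector for key 12 23 45 67 89 AB CD EF and frame number 0x134 is reproduced.

```python
# Added example (not from the slides): A5/1 keystream for one GSM frame. Bit
# ordering follows the public Briceno/Goldberg/Wagner reference code: LSB of the
# first Kc byte first, Fn LSB first, each bit XORed in right after a regular clock.
# (length, feedback taps, clocking bit) for R1, R2, R3; output bit = length-1
REGS = ((19, (13, 16, 17, 18), 8),
        (22, (20, 21), 10),
        (23, (7, 20, 21, 22), 10))

def _shift(reg, length, taps):
    fb = 0                                  # feedback = XOR of the tap bits
    for t in taps:
        fb ^= (reg >> t) & 1
    return ((reg << 1) | fb) & ((1 << length) - 1)

class A51:
    def __init__(self, kc, fn):
        self.r = [0, 0, 0]                  # zero all registers
        for i in range(64):                 # mix in the 64-bit Kc
            self._load((kc[i // 8] >> (i % 8)) & 1)
        for i in range(22):                 # mix in the 22-bit frame number Fn
            self._load((fn >> i) & 1)
        for _ in range(100):                # 100 majority-clocked rounds, output discarded
            self.clock()

    def _load(self, bit):
        # regular clock of all three registers, then XOR the bit into bit 0
        self.r = [_shift(r, n, taps) ^ bit
                  for r, (n, taps, _) in zip(self.r, REGS)]

    def clock(self):
        """Stop/go: a register moves iff its clocking bit equals the majority."""
        cb = [(r >> c) & 1 for r, (_, _, c) in zip(self.r, REGS)]
        maj = 1 if sum(cb) >= 2 else 0
        for i, (n, taps, _) in enumerate(REGS):
            if cb[i] == maj:
                self.r[i] = _shift(self.r[i], n, taps)

    def keystream(self, nbits=114):
        """nbits of keystream (XOR of the three MSBs), packed MSB-first."""
        out = bytearray((nbits + 7) // 8)
        for i in range(nbits):
            self.clock()
            bit = sum((r >> (n - 1)) & 1 for r, (n, _, _) in zip(self.r, REGS)) & 1
            out[i // 8] |= bit << (7 - i % 8)
        return bytes(out)

def frame_keystreams(kc, fn):
    """The two 114-bit keystream blocks of one frame, one per direction."""
    c = A51(kc, fn)
    return c.keystream(), c.keystream()
```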
Time-memory tradeoff attacks – Golic 1997
Attacks an alleged, but similar, A5/1 cipher
Divide and conquer
  Idea: guess some bits of the state of the registers and find the others by solving linear equations
  Complexity: O(2^40.16)
  How many bits should we guess?
      n,                    if n ≤ r_i − τ_i + 1
      n − r_i + τ_i − 1,    otherwise
  1 + 3n + 4n/3 linear equations
  Linearly independent if n < max(τ1, τ2, τ3) − 1
Real A5/1: max(τ1, τ2, τ3) = 10 ⇒ O(2^45.22)
Time-memory tradeoff: 102·K·M ≥ 2^63.32
Time-memory tradeoff attacks – Biryukov et al. 2000 (I)
Store (prefix, state) pairs on HDD for special states, i.e. states whose output starts with a fixed 16-bit pattern α
  Flaw of A5/1: the clocking tap does not affect the output for 16 clocking cycles
  This yields 2^48 special states instead of 2^64; further reduced to 2^40
Compare the prefix of an unknown state against the stored prefixes
  Red states R – special states; |R| = 2^48
  Green states G – α is encountered in position 101–277; |G| = 177·2^48
  2^35 stored red states with average weight 12500
  A red state is encountered in 2 minutes of conversation with probability 61%
Time-memory tradeoff attacks – Biryukov et al. 2000 (II)
Random subgraph attack
  From the stored special states, generate other special states
  A new function f makes this possible; inverting it recovers the special state from an output bit
  Time-memory tradeoff: M^2 · T = |U|^2
  M = 2^36, |U| = 2^48, T = 2^24 and preprocessing 2^48

Attack type                 | Preprocessing steps | Available data | Number of 73 GB HDDs | Attack time
Biased birthday attack (1)  | 2^42                | 2 minutes      | 4                    | 1 second
Biased birthday attack (2)  | 2^48                | 2 minutes      | 2                    | 1 second
Random subgraph attack      | 2^48                | 2 seconds      | 4                    | minutes
Time-memory tradeoff attacks – Biham and Dunkelman 2000 (I)
With some improvements to the previous attack, break A5/1
Wait until an event that gives a lot of information happens:
  R3 is not clocked for 10 consecutive times and R3[10,22] are known
  We get 20 clocking bits of R1 and R2
  Another 11 bits come from the output stream
  Guessing 9 bits of R1 and 1 bit of R2 gives both registers
  Guessing 10 bits of R3 gives the other 11 bits of R3
  Complexity: O(2^27)
2^20 possible starting points for R3
Total complexity: O(2^47)
Time-memory tradeoff attacks – Biham and Dunkelman 2000 (II)
Improves the techniques of the previous attack
Compute two tables:
  next-state table – stores the states in the computed order
  pointer table – stores the location of each state
Total complexity:
  2^20 – possible start points for R3
  2^12 – possible guesses
  each of them 2^1.53 values, which cost 2 cycles (next-state lookup)
  2^4.53 – values for the 10 guesses of R3
  each of these is clocked and checked in the pointer table ⇒ 2 cycles
  each check needs to be clocked twice
  2^20 · 2^12 · 2^1.53 · 2 · 2^4.53 · (1 + 1 + 2·0.88) = 2^40.97 A5/1 clocking cycles
Time-memory tradeoff attacks – Barkan, Biham and Keller 2003
Man-in-the-middle attack
1st attack
  Ask the victim to start encrypting with A5/2
  Break A5/2 (which is easier) and send the authentication to the server
2nd attack
  Ask the network and the victim to start a conversation with no encryption (A5/0)
  This is likely to be discovered by the operator
3rd attack
  The operator initiates the authentication procedure rarely
  The attacker asks the victim to encrypt with A5/2
  Break A5/2 and use it later
Time-memory tradeoff attacks – COPACOBANA 2008
120 parallel FPGAs (Field-Programmable Gate Arrays)
Offers a better performance/cost ratio
Can be connected to a normal PC
Using COPACOBANA:
  114 known bits (1 frame)
  Preprocessing time: three months
  Memory: 4.85 TB
  Online phase: 10.09 s
  Success rate: 63%
    Can be increased to 96%
    Requires increasing the known output stream to 4 frames
Correlation attacks – Ekdahl and Johansson 2003 (I)
Based on correlation attacks
Exploits the bad initialization of the cipher
  The key and frame number are mixed in linearly
  The complexity is not exponential in the length of the registers
Assuming that the registers have been clocked exactly 76 times when the first output bit is produced, we get the probability of knowing that first output bit:

  P(s^1_76 ⊕ s^2_76 ⊕ s^3_76 = O_j(76, 76, 76, 1)) = P(assumption correct) · 1 + P(assumption wrong) · 1/2

For all positions we can write:
Correlation attacks – Ekdahl and Johansson 2003 (II)

  p_j(cl1, cl2, cl3) = Σ_{v∈I} P((cl1, cl2, cl3) in v-th position) · [O_j(cl1, cl2, cl3, v − 100) = 0]
                     + 1/2 · (1 − Σ_{v∈I} P((cl1, cl2, cl3) in v-th position))

P((cl1, cl2, cl3) in v-th position) can be computed recursively:

P((cl1, cl2, cl3) in v-th position) = F(cl1, cl2, cl3, v), where:
  F(cl1, cl2, cl3, v) = 0 if cl1 = 0, cl2 = 0 and cl3 = 0 (for v > 0; the recursion is anchored at F(0, 0, 0, 0) = 1)
  F(cl1, cl2, cl3, v) = 0 if cl1 < 0 or cl2 < 0 or cl3 < 0
  F(cl1, cl2, cl3, v) = 0 if cl1 > v or cl2 > v or cl3 > v
  F(cl1, cl2, cl3, v) = 0.25·F(cl1 − 1, cl2 − 1, cl3 − 1, v − 1)
                      + 0.25·F(cl1, cl2 − 1, cl3 − 1, v − 1)
                      + 0.25·F(cl1 − 1, cl2, cl3 − 1, v − 1)
                      + 0.25·F(cl1 − 1, cl2 − 1, cl3, v − 1)
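As an added example (not from the slides), the recursion for F(cl1, cl2, cl3, v) implemented directly, next to an equivalent closed form that makes F(76, 76, 76, 101) from the previous slide cheap to evaluate; the base case F(0, 0, 0, 0) = 1 is an assumption the slide leaves implicit, and the closed form is added here as a cross-check, not taken from the paper.

```python
# Added example (not from the slides): the clocking-count distribution F used by
# the Ekdahl-Johansson attack, by the recursion above and by an equivalent closed
# form (each step is one of 4 equiprobable outcomes: all three registers clocked,
# or exactly one of them held back). Base case F(0, 0, 0, 0) = 1 assumed here.
from functools import lru_cache
from math import factorial

@lru_cache(maxsize=None)
def F(cl1, cl2, cl3, v):
    """P(R1, R2, R3 have been clocked exactly cl1, cl2, cl3 times after v steps)."""
    if cl1 < 0 or cl2 < 0 or cl3 < 0:
        return 0.0
    if cl1 > v or cl2 > v or cl3 > v:
        return 0.0
    if v == 0:
        return 1.0                     # base case: (0, 0, 0) at position 0
    return 0.25 * (F(cl1 - 1, cl2 - 1, cl3 - 1, v - 1)   # all three clocked
                   + F(cl1, cl2 - 1, cl3 - 1, v - 1)     # R1 held back
                   + F(cl1 - 1, cl2, cl3 - 1, v - 1)     # R2 held back
                   + F(cl1 - 1, cl2 - 1, cl3, v - 1))    # R3 held back

def F_closed(cl1, cl2, cl3, v):
    """Same distribution as a multinomial: m_i = v - cl_i steps held back R_i,
    a = v - m1 - m2 - m3 steps clocked all three; each sequence has weight 4^-v."""
    m = [v - cl1, v - cl2, v - cl3]
    a = v - sum(m)
    if min(m) < 0 or a < 0:
        return 0.0
    ways = factorial(v) // (factorial(a) * factorial(m[0])
                            * factorial(m[1]) * factorial(m[2]))
    return ways / 4 ** v

def recursion_matches_closed_form(vmax):
    """Cross-check the two computations on every state up to vmax steps."""
    return all(abs(F(a, b, c, v) - F_closed(a, b, c, v)) < 1e-12
               for v in range(vmax + 1)
               for a in range(v + 1) for b in range(v + 1) for c in range(v + 1))

def first_output_bias(v=101):
    """P(first keystream bit == s1_76 ^ s2_76 ^ s3_76) under the slide's assumption
    that all registers were clocked exactly 76 times at step v = 101:
    P(assumption correct) * 1 + P(assumption wrong) * 1/2."""
    p = F_closed(76, 76, 76, v)
    return p * 1 + (1 - p) * 0.5
```

The marginal for a single register comes out as 3/4 per step, the figure given in the clocking slide, while the joint probability that all three land exactly on 76 at step 101 is only of the order of 10^-3, which is why the attack needs many frames and positions.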
Correlation attacks – Ekdahl and Johansson 2003 (III)
Log-likelihood of all probabilities:

  A(cl1, cl2, cl3) = Σ_{j=1}^{m} ln( p_j(cl1, cl2, cl3) / (1 − p_j(cl1, cl2, cl3)) )

If A > 0 then the output of the cipher = 0
If A < 0 then the output of the cipher = 1
This attack requires:
  5 minutes of GSM conversation
  Less than 5 minutes to recover the key
  With a success rate of more than 70%
Correlation attacks – Maximov, Johansson and Babbage 2005
Improves the attack of Ekdahl and Johansson
Tries to reduce the number m of needed frames
Based on two new flaws of A5/1:
  Error-correction codes are applied before encryption
  During silence a special kind of frame containing a large number of zeros is sent
They also use the log-likelihood to find the key, but with improved estimators
Result:
  A few seconds of conversation (2000–5000 frames ⇒ 9–43 s)
  Less than one minute of computation
Correlation attacks – Barkan and Biham 2006
Based on conditional estimators
Builds on the previous correlation attacks
Exploits three new weaknesses of the R2 register:
  Alignment property
  It has only two feedback taps, which are adjacent
  Symmetry property – the clocking tap is in the middle of the register
Steps:
  Compute conditional estimators
  Decode these estimators to find the best candidates for S1 and S2
    Modelled as a huge graph to which Dijkstra-like algorithms can be applied
  For each of these candidates recover candidates for S3; recover the key from S1, S2, S3 and verify that it is the correct one
Results:
  2000 frames; completes in tens of seconds; success rate is 91%
Other attacks on GSM and A5 family ciphers (I)
FBDD-based attack
  Developed by Krause 2002
  Complexity: n^O(1) · 2^((1−α)/(1+α)·n), where α is a constant
  For A5/1 the complexity is n^O(1) · 2^0.6403n
Eavesdropping without cryptanalysis
  MITM attack
  Record RAND; record the ciphertext ⇒ output stream of the cipher
  Later:
    Send the frame number and message to the target mobile
    The frame number is the same, so the message can be decrypted
Other attacks on GSM and A5 family ciphers (II)
Open source project (Nohl 2009)
  Precompute rainbow tables
    The compressed codebook of A5/1
    Used parallelization (FPGA) to reduce the precomputing time
    First public project to release the tables
  1st attack:
    MITM attack
    Fake base station
    Cheap radio equipment
    Open source software – OpenBTS
  2nd attack:
    Passive attack
    Uses the precomputed rainbow tables
    Everybody can contribute
Other attacks on GSM and A5 family ciphers (III)
The new A5/3 is again weak
  Made public
  Based on the KASUMI block cipher, a modification of MISTY
Also weak:
  By applying a sandwich attack
  2^26 data, 2^30 bytes of memory; can complete in 2^32 time
  The authors claim this is realistic and have simulated the attack on a PC
Conclusions
Most of the attacks presented here make no claim about the real implementation of A5/1 in the fielded GSM
However, some of them do
Breaking A5/1 has become an open source project!
The new A5/3 is also weak!
The cryptosystem used in GSM should be changed
  It is the biggest cryptosystem ever deployed
  It is not used only for conversation
  Used for banking information, payment, bank transfers etc.

Thank you!
Questions?