Breaking the A5 Encryption Algorithm for GSM Phones

Matthew Flaschen
David Gallmeier
John Kuipers
Rohit Sinha
Jeff Wells
Overview of GSM – What is it?
• GSM – stands for “Global System for Mobile Communication”
• What is it? - Simply put, a standard for “Mobile Stations” to communicate with each other
• Specifications:
o Bandwidth
o Frequencies
o Encryption
o Services provided
o etc
Stages of a GSM Session
• Authentication of mobile platform (cellphone)
o A3 encryption used to authenticate phone to service provider
• Phone call
o A8 encryption used to generate session key, which is later used in A5 encryption to encrypt call frames.
• Additionally, data transfers of other forms can be contained within GSM
o Text messages, Internet access, etc
A5 Encryption
• Used to encrypt voice communication
• Provides privacy to callers against eavesdroppers
• Does not:
o Authenticate phones to carriers
o Generate key used to encrypt traffic
• Chapter 2 of book
A5 Versions – All broken
• A5/0 – not really a version of A5; allows GSM to operate without
encrypting call traffic
• A5/1 – Original A5 algorithm. Employed in Western Europe and
the United States
• A5/2 – Second version of A5 algorithm. Employed outside of
Europe and US
o Weakened due to export restrictions on encryption
technology during Cold War
• A5/3 – Stronger version of A5, for use in 3G networks. Not yet
used. Already broken.
o Block cipher (not stream cipher, like other A5 versions)
A5 Details
• A5 is a stream cipher
• Stream Ciphers
o Used to encrypt small amounts of bits/bytes at a time
o Uses keystreams combined with plaintext to produce ciphertext
▪ Generally, ciphertext is produced by XOR'ing keystream with plaintext
▪ Plaintext – message before transmission
A5 Keystreams
• Generated by A8
• Consists of two parts:
o Session key
o Frame key
▪ GSM Frames – data exchanged in blocks of 114-bit 'frames' – similar to packets in TCP/IP
Real Time Cryptanalysis of A5/1 on a PC
Alex Biryukov, Adi Shamir, David Wagner
Used a PC containing 128 MB RAM and two or four 73 GB disks to examine the algorithm's output.
Two attacks:
1. Records ciphertext for 2 minutes, then computes key in one second.
2. Records for 2 seconds, then computes key in several minutes.
The Biased Birthday Attack
• One could find the A5/1 key within a second, but needed the
first 2 minutes of a conversation.
• 2^42 preprocessing steps with four 73GB disks
• 2^48 preprocessing steps with two 73GB disks
• Based upon direct collisions between a state in the disk and a
state in the data, using approximately 71 red states.
The Random Subgraph Attack
• Only 2 seconds of data are needed, but several
minutes are required for processing.
• Used 2^48 preprocessing steps with four 73GB disks.
• Used indirect collisions, allowing the key to be
found from the first red state in the data
Cryptanalysis with COPACOBANA
Tim Güneysu, Timo Kasper, Martin Novotný,
Christof Paar, and Andy Rupp
Uses custom hardware called Cost-Optimized Parallel Code
Breaker, which is a cluster of 120 FPGAs (field programmable
gate array). Reconfigurable for different cryptanalysis tasks.
One of these is an attack on A5/1.
TMTO (Time-Memory Tradeoff Attacks)
"Compromise between the two well-known extreme approaches, i.e., performing exhaustive searches and pre-computing exhaustive tables, to solve this general problem."
Store pre-computed data, but not "too much"
Time-Memory-Data Tradeoff Methods
• TMDTOs are like TMTOs
• Rely on multiple data points. For A5/1 you can get w − log_2(N) + 1 data points from w stream bits.
• A distinguished point (DP) is a key with a particular
criterion ("e.g. the first 20 bits are 0"), which can be
expressed as a mask of length d.
• Reduction and rerandomization function R - Reduces
bit length of a ciphertext C to bit length of key for
cipher E.
• Start with a key x_1, and repeatedly compute x_2 = R(E_{x_1}(P)), etc.
• The composition of E and R is called a step function f.
• Rainbow tables use a sequence of different R
functions.
• COPACOBANA gives a TMDTO attack on A5/1, using DPs and
Rainbow tables.
• The attack "assume[s] that a relatively small amount of only 114 consecutive bits of keystream is known."
• This gives 51 data points for the cipher attack.
• COPACOBANA runs at 156 MHz. Executing the step function 'f'
takes 64 cycles.
• One FPGA contains 234 TMTO elements, so the overall device
can do 2^36 step functions each second.
• 63% success rate; more data = better results.
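The distinguished-point tables described above, shown on a toy scale. This is an added example, not code from the slides or the cited papers: the 16-bit state space, the SHA-256-based step function `f`, the 4-bit DP mask and the start points are all assumptions chosen so it runs in a fraction of a second.

```python
import hashlib

BITS = 16        # toy state space N = 2^16 (assumption, far smaller than A5/1)
DP_MASK = 0xF    # distinguished point: low d = 4 bits are zero
T_MAX = 256      # abandon chains that cycle without reaching a DP

def f(x):
    """Toy step function f = R(E(.)): hash the state, truncate to BITS bits."""
    digest = hashlib.sha256(x.to_bytes(BITS // 8, "big")).digest()
    return int.from_bytes(digest[:BITS // 8], "big")

def is_dp(x):
    return x & DP_MASK == 0

def build_table(starts):
    """Precomputation: walk each chain to its first DP, store only end -> start."""
    table = {}
    for s in starts:
        x = s
        for _ in range(T_MAX):
            x = f(x)
            if is_dp(x):
                table[x] = s
                break
    return table

def lookup(table, y):
    """Online phase: return some x with f(x) == y, or None if y is not covered."""
    end = y
    for _ in range(T_MAX):
        if is_dp(end):
            break
        end = f(end)
    x = table.get(end)
    if x is None:
        return None
    for _ in range(T_MAX):          # replay the stored chain from its start
        nxt = f(x)
        if nxt == y:
            return x
        if is_dp(nxt):              # chains merged after y: a false alarm
            return None
        x = nxt
    return None

if __name__ == "__main__":
    table = build_table(range(0, 1 << BITS, 32))    # 2048 constructed start points
    hits = sum(lookup(table, f(x)) is not None for x in range(1000, 1200))
    print(f"{len(table)} stored chains invert {hits}/200 sample outputs")
```

Only chain endpoints are stored, so memory stays far below the number of states covered; the price is the replay work and the false alarms that `lookup` has to reject.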
GSM - SRSLY?
Karsten Nohl, Chris Paget
Two kinds of devices:
• Active intercept
o Fake base station
o Can be detectable
o In practice no one is checking
• Passive cracking
o More challenging
o Requires special RF setup, precomputation
o Can be hidden.
Active
• Advertise your fake base station with a fake Mobile
Country Code (MCC) and Mobile Network Code
(MNC).
• Phones will connect to it if it has the strongest signal.
• Could be detected by phone, but no apps.
• Base station can choose not to use crypto.
Active
• Uses OpenBTS (open source software for running
GSM)
• The Universal Software Radio Peripheral
• 52 MHz hardware clock
• Asterisk (OSS for telephony)
• Spoof MCC and MNC
• Find a clear ARFCN (Absolute Radio Frequency
Channel Number).
Active
• Decode resulting data using either Wireshark (packet
analyzer) or Airprobe (dedicated GSM sniffer)
• Discovered bugs in both phones and OpenBTS
Passive
• A5/1 vulnerable to pre-computation.
• Code book maps from known output to secret state.
• Stored naively, A5/1 book would be 128 PB (~ 128
million GB)
• Would take 100,000 years to be calculated.
Passive
• Better ways to compute and store.
• Tools provided:
o A5/1 software engine
o Table parameterization
• Table generation has begun. Released on BitTorrent
• Uses specialized processors such as graphics cards
and Cell processors.
• Speedup to 3 months.
Codebook optimizations
• Uses both distinguished points and rainbow tables.
• Ideal table:
o 32 DP segments of length 2^15
o Put into one rainbow.
• Need 380 of those tables, each 2^(28.5) rows.
Known plaintext
GSM phones disclose keystream through known or guessable plaintext:
• Empty ACKs
• Connect ACK
• IDLE frames
• System Information
• Call proceeding
• Alerting
A5/3 (Kasumi) also vulnerable
• A5/1 and A5/3 use same keys
• Semi-active attack forces switching back to A5/1
• Kasumi broken in past research:
o 2^26 plaintext/ciphertext
o 1 GB storage
o 2^32 time complexity.
Potential A5 Consequences
• Intercepting and decoding calls
• Monitoring data transfer
• Cloning of cell phones
Intercepting and Decoding Calls
• Recording of calls and decoding them later
• Listening in for personal information
o Credit card information
o Social security number
o Banking information
Monitoring Data Transfer
• Reading SMS
• Banking Information
• Payments
• Web authentication
Cloning of Cell Phones
• Stealing phone services
o Billing strangers
o Performing illegal criminal activities over cloned phones
A5 v3
• Updated, stronger version of A5 encryption presented
by the 3rd Generation Partnership Project (3GPP)
• Used for 3G communications
o 3G supports voice communications and data
▪ Enough bandwidth to support both operations simultaneously
Block Ciphers
• A5/3 is a block cipher
• Block Cipher Information
o Block ciphers encrypt 'chunks' of data, versus Stream ciphers, which encrypt only individual bits/bytes.
o Difference from stream cipher is amount encrypted per unit of time.
A5/3 Compromise
• A5/3 not yet in use, but has already been cracked.
o The A5/3 crack, known as the “Sandwich Attack”, is not practical.
o During 3G calls, plaintexts are transmitted every second, but millions will be required to deduce the secret key.
o "The attack should stand as a reminder that A5/3 and any other cipher will need to be replaced eventually" - Karsten Nohl
• A5/3 has been developed and agreed upon by GSM industry, but no timeframe for implementation has been set.
• The bottom line: nothing to worry about.
o Not feasible due to massive computation overhead and other requirements.
Sources
• "What algorithm is utilized for encryption in GSM networks?". GSM Security. 21 Jan. 2010 <http://www.gsmsecurity.net/faq/gsm-encryption-algorithm-a5-cipher.shtml>.
• "Global System for Mobile Communication (GSM)". International Engineering Consortium. 21 Jan. 2010 <http://www.iec.org/online/tutorials/gsm/topic05.asp>.
• "What is a stream cipher?". RSA Laboratories. 21 Jan. 2010 <http://www.rsa.com/rsalabs/node.asp?id=2174>.
• "What algorithm is utilized for key generation in GSM networks?". GSM-Security.net. 21 Jan. 2010 <http://www.gsm-security.net/faq/gsm-key-generation-algorithm-a8-comp128.shtml>.
• "What algorithm is utilized for authentication in GSM networks?". GSM-Security.net. 21 Jan. 2010 <http://www.gsm-security.net/faq/gsm-authentication-algorithm-a3-comp128.shtml>.
• Willis, Nathan. "GSM encryption crack made public". LWN.net. 21 Jan. 2010 <http://lwn.net/Articles/368861/>.
More Sources
• "Block and Stream Ciphers". TopBits.com. 21 Jan. 2010 <http://www.topbits.com/block-and-streamciphers.html>.
• Goodin, Dan. "'Sandwich attack' busts new cellphone crypto". The Register. 21 Jan. 2010 <http://www.theregister.co.uk/2010/01/13/gsm_crypto_crack/>.
• Barkan, Elad, Eli Biham, and Nathan Keller. "Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication". Department of Mathematics Technion - Israeli Institution of Technology. 21 Jan. 2010 <http://cryptome.org/gsm-crack-bbk.pdf, p1-2>.
• Biryukov, Alex, Adi Shamir, and David Wagner. "Real Time Cryptanalysis of A5/1 on a PC". Cryptome. 21 Jan. 2010 <http://cryptome.org/a51-bsw.htm>.
• Güneysu, Tim, Timo Kasper, Martin Novotný, Christof Paar, and Andy Rupp. "Cryptanalysis with COPACOBANA". IEEE Transactions on Computers. 21 Jan. 2010 <http://www.copacobana.org/paper/TC_COPACOBANA.pdf>.
• Nohl, Karsten, and Chris Paget. "GSM: SRSLY?". Chaos Communication Congress. 21 Jan. 2010 <http://events.ccc.de/congress/2009/Fahrplan/events/3654.en.html>.
More Sources
• Wilson, Tim. "Researchers Prepare Practical Demonstration Of GSM Encryption Cracking Technology". DarkReading. <http://www.darkreading.com/vulnerability_management/security/encryption/showArticle.jhtml?articleID=222100242>.
• Nohl, Karsten and Sascha Krißler. "Subverting the Security Base of GSM". Hacking at Random 2009. <https://har2009.org/program/attachments/119_GSM.A51.Cracking.Nohl.pdf>.
• Sorkin, Justin. "German security researcher cracks A5/1 encryption portion of GSM". Topnews. <http://topnews.us/content/29401-german-security-researcher-cracks-a51-encryption-portion-gsm>.
• Markoff, John. "Researchers Crack Code In Cell Phones". The New York Times. <http://www.nytimes.com/1998/04/14/business/researchers-crack-code-in-cellphones.html?scp=2&sq=Researchers+Crack+Code+in+Cell+Phones&st=nyt>.
• "3GPP confidentiality and integrity algorithms". 3GPP: A Global Initiative. <http://www.3gpp.org/Confidentiality-Algorithms>.