Breaking the A5 Encryption Algorithm for GSM Phones Matthew Flaschen David Gallmeier John Kuipers Rohit Sinha Jeff Wells.

Slides:



Advertisements
Similar presentations
GSM network and its privacy Thomas Stockinger. Overview Why privacy and security? GSM network‘s fundamentals Basic communication Authentication Key generation.
Advertisements

GSM Security and Encryption
GSM: SRSLY?. What’s coming up Overview of GSM arch & crypto –Hacking as we go... OpenBootTS-1.0 –GSM Base Station LiveCD Demo BTS is live – feel free.
Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.
GSM cracking ● Introduction. GSM cracking Scope of this lecture ● A (very) brief tour of GSM ● The Cryptography ● How it's possible to crack it ● What's.
GSM Security Threats and Countermeasures Saravanan Bala Tanvir Ahmed Samuel Solomon Travis Atkison.
LINEAR FEEDBACK SHIFT REGISTERS, GALOIS FIELDS, AND STREAM CIPHERS Mike Thomsen Cryptography II May 14 th, 2012.
Syed Safi Uddin Qadri BETL/F07/0112 GSM Stream Cipher Algorithm Presented To Sir Adnan Ahmed Siddiqui.
CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.
Your Wireless Network has No Clothes CS 395T William A. Arbaugh, Narendar Shankar, Y.C. Justin Wan.
Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.
Multithreaded FPGA Acceleration of DNA Sequence Mapping Edward Fernandez, Walid Najjar, Stefano Lonardi, Jason Villarreal UC Riverside, Department of Computer.
1 MD5 Cracking One way hash. Used in online passwords and file verification.
Intercepting Mobiles Communications: The Insecurity of Danny Bickson ACNS Course, IDC Spring 2007.
How To Not Make a Secure Protocol WEP Dan Petro.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
Wired Equivalent Privacy (WEP)
TinySec: Link Layer Security Chris Karlof, Naveen Sastry, David Wagner University of California, Berkeley Presenter: Todd Fielder.
Security – Wired Equivalent Privacy (WEP) By Shruthi B Krishnan.
Lecture 23 Symmetric Encryption
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
1 Introduction to Security and Cryptology Enterprise Systems DT211 Denis Manley.
Calculating Discrete Logarithms John Hawley Nicolette Nicolosi Ryan Rivard.
GSM Network Security ‘s Research Project By: Jamshid Rahimi Sisouvanh Vanthanavong 1 Friday, February 20, 2009.
Network Security. Security Threats 8Intercept 8Interrupt 8Modification 8Fabrication.
COEN 350 Mobile Security. Wireless Security Wireless offers additional challenges: Physical media can easily be sniffed. War Driving Legal? U.S. federal.
CHAPTER 6 Cryptography. An Overview It is origin from the Greek word kruptos which means hidden. The objective is to hide information so that only the.
Chapter 20 Symmetric Encryption and Message Confidentiality.
Intercepting Mobile Communications: The Insecurity of Nikita Borisov Ian Goldberg David Wagner UC Berkeley Zero-Knowledge Sys UC Berkeley Presented.
Chapter 20 Symmetric Encryption and Message Confidentiality.
Cellular Mobile Communication Systems Lecture 8
Cryptography Wei Wu. Internet Threat Model Client Network Not trusted!!
Based on Bruce Schneier Chapter 7: Key Length Dulal C. Kar.
CWSP Guide to Wireless Security Chapter 2 Wireless LAN Vulnerabilities.
Dr. Reuven Aviv, Nov 2008 Conventional Encryption 1 Conventional Encryption & Message Confidentiality Acknowledgements for slides Henric Johnson Blekinge.
Mobile Telephone System And GSM Security. The Mobile Telephone System First-Generation Mobile Phones First-Generation Mobile Phones Analog Voice Analog.
Encryption No. 1  Seattle Pacific University Encryption: Protecting Your Data While in Transit Kevin Bolding Electrical Engineering Seattle Pacific University.
無線網路安全 WEP. Requirements of Network Security Information Security Confidentiality Integrity Availability Non-repudiation Attack defense Passive Attack.
Intercepting Mobiles Communications: The Insecurity of ► Paper by Borisov, Goldberg, Wagner – Berkley – MobiCom 2001 ► Lecture by Danny Bickson.
Lecture 23 Symmetric Encryption
Cracking the DES Encryption
Focus On Bluetooth Security Presented by Kanij Fatema Sharme.
1 Wireless Threats 1 – Cracking WEP Cracking WEP in Chapter 5 of Wireless Maximum Security by Peikari, C. and Fogie, S.
CIS 325: Data Communications1 Chapter Seventeen Network Security.
Wireless Security Rick Anderson Pat Demko. Wireless Medium Open medium Broadcast in every direction Anyone within range can listen in No Privacy Weak.
INFORMATION SECURITY MANAGEMENT P ROTECTION M ECHANISMS - C RYPTOGRAPHY.
DES Analysis and Attacks CSCI 5857: Encoding and Encryption.
1 The Data Encryption Standard. 2 Outline 4.1 Introduction 4.4 DES 4.5 Modes of Operation 4.6 Breaking DES 4.7 Meet-in-the-Middle Attacks.
Wireless Security John Himmelein Erick Andrew Christian Adam Varun Bapna.
DES: Data Encryption Standard
Giuseppe Bianchi Warm-up example WEP. Giuseppe Bianchi WEP lessons  Good cipher is far from being enough  You must make good USAGE of cipher.
Wired Equivalent Privacy (WEP) Chris Overcash. Contents What is WEP? What is WEP? How is it implemented? How is it implemented? Why is it insecure? Why.
WLAN Security1 Security of WLAN Máté Szalay
COEN 350 Mobile Security. Wireless Security Wireless offers additional challenges: Physical media can easily be sniffed. War Driving Legal? U.S. federal.
INFORMATION SECURITY MANAGEMENT P ROTECTION M ECHANISMS - C RYPTOGRAPHY.
Lecture 6 (Chapter 16,17,18) Network and Internet Security Prepared by Dr. Lamiaa M. Elshenawy 1.
Cryptography services Lecturer: Dr. Peter Soreanu Students: Raed Awad Ahmad Abdalhalim
Department of Computer Science Chapter 5 Introduction to Cryptography Semester 1.
Wireless LAN Security Daniel Reichle Seminar Security Protocols and Applications SS2003.
หัวข้อบรรยาย Stream cipher RC4 WEP (in)security LFSR CSS (in)security.
Page : 1 bfolieq.drw Technical University of Braunschweig IDA: Institute of Computer and Network Engineering  W. Adi 2011 Lecture-7 Secret-Key Ciphers.
Fundamentals of Cellular and Wireless Networks
By Theodora Kontogianni
Wireless Security Ian Bodley.
Security through Encryption
Security in Wide Area Networks
Presentation transcript:

Breaking the A5 Encryption Algorithm for GSM Phones Matthew Flaschen David Gallmeier John Kuipers Rohit Sinha Jeff Wells

Overview of GSM – What is it? GSM – stands for “Global System for Mobile Communication” What is it? - Simply put, a standard for “Mobile Stations” to communicate with each other Specifications: o Bandwidth o Frequencies o Encryption o Services provided o etc

Stages of a GSM Session Authentication of mobile platform (cellphone) o A3 encryption used to authenticate phone to service provider Phone call o A8 encryption used to generate session key, which is later used in A5 encryption to encrypt call frames. Additionally, data transfers of other forms can be contained within GSM o Text messages, Internet access, etc

A5 Encryption Used to encrypt voice communication Provides privacy to callers against eavesdroppers Does not: o Authenticate phones to carriers o Generate key used to encrypt traffic Chapter 2 of book

A5 Versions – All broken A5/0 – not really a version of A5; allows GSM to operate without encrypting call traffic A5/1 – Original A5 algorithm. Employed in Western Europe and the United States A5/2 – Second version of A5 algorithm. Employed outside of Europe and US o Weakened due to export restrictions on encryption technology during Cold War A5/3 – Stronger version of A5, for use in 3G networks. Not yet used. Already broken. o Block cipher (not stream cipher, like other A5 versions)

A5 Details A5 is a stream cipher Stream Ciphers o Used to encrypt small amounts of bits/bytes at a time o Uses keystreams combined with plaintext to produce cipher text  Generally, ciphertext is produced by XOR'ing keystream with plaintext  Plaintext – message before transmission

A5 Keystreams Generated by A8 Consists of two parts: o Session key o Frame key  GSM Frames – data exchanged in blocks of 114-bit 'frames' – similar to packets in TCP/IP

Used a PC containing 128 MB RAM and two or four 73 GB disks to examine at the algorithm's output. Two attacks: 1.Records ciphertext for 2 minutes, then computes key in one second. Records for 2 seconds, then computes key in several minutes. Real Time Cryptanalysis of A5/1 on a PC Alex Biryukov, Adi Shamir, David Wagner

One could find the A5/1 key within a second, but needed the first 2 minutes of a conversation. 242 preprocessing steps with four 73GB disks 248 preprocessing steps with two 73GB disks Based upon direct collisions between a state in the disk and a state in the data, using approximately 71 red states. The Biased Birthday Attack

Only 2 seconds of data are needed, but several minutes are required for processing. Used 248 preprocessing steps with four 73GB disks. Used indirect collisions, allowing the key to be found from the first red state in the data The Random Subgraph Attack

Cryptanalysis with COPACOBANA Tim Güneysu, Timo Kasper, Martin Novotný, Christof Paar, and Andy Rupp Uses custom hardware called Cost-Optimized Parallel Code Breaker, which is a cluster of 120 FPGAs (field programmable gate array). Reconfigurable for different cryptanalysis tasks. One of these is an attack on A5/1.

TMTO (Time-Memory Tradeoff Attacks) "Compromise between the two well-known extreme approaches, i.e., performing exhaustive searches and pre-computing exhaustive tables, to solve this general problem.“ Store pre-computed, but not "too much"

TMDTOs are like TMTOs Rely on multiple data points. For A5/1 you can get w - log_2(N) + 1 data points from w stream bits. A distinguished point (DP) is a key with a particular criterion ("e.g. the first 20 bits are 0"), which can be expressed as a mask of length d. Time-Memory-Data Tradeoff Methods

Reduction and rerandomization function R - Reduces bit length of a ciphertext C to bit length of key for cipher E. Start with x_1, and repeatedly do x_2 = R(E(P)), etc. The composition of E and R is called a step function f. Rainbow tables use a sequence of different R functions.

COPACOBANA gives a TMDTO attack on A5/1, using DPs and Rainbow tables. The attack "assume[s] that a relatively small amount of only 114 consecutive bits of keystream is known.“ This gives 51 data points for the cipher attack. Assumes 114 consecutive bits of keystream is known. COPACOBANA runs at 156 MHz. Executing the step function 'f' takes 64 cycles. One FPGA contains 234 TMTO elements, so the overall device can do 2^36 step functions each second. 63% success rate; more data = better results.

Two kinds of devices: Active intercept o Fake base station o Can be detectable o In practice no one is checking Passive cracking o More challenging o Requires special RF setup, precomputation o Can be hidden. GSM - SRSLY? Karsten Nohl, Chris Paget

Advertise your fake base station with a fake Mobile Country Code (MCC) and Mobile Network Code (MNC). Phones will connect to it if it has the strongest signal. Could be detected by phone, but no apps. Base station can choose not to use crypto. Active

Uses OpenBTS (open source software for running GSM) The Universal Software Radio Peripheral 52 MHz hardware clock Asterisk (OSS for telephony) Spoof MCC and MNC Find a clear ARFCN (Absolute Radio Frequency Channel Number). Active

Decode resulting data using either Wireshark (packet analyzer) or Airprobe (dedicated GSM sniffer) Discovered bugs in both phones and OpenBTS Active

A5/1 vulnerable to pre-computation. Code book maps from known output to secret state. Stored naively, A5/1 book would be 128 PB (~ 128 million GB) Would take 100,000 years to be calculated. Passive

Better ways to compute and store. Tools provided: o A5/1 software engine o Table parameterization Table generation has begun. Released on BitTorrent Uses specialized processors such as graphics cards and Cell processors. Speedup to 3 months. Passive

Uses both distinguished points and rainbow tables. Ideal table: o 32 DP segments of length 2^15 o Put into one rainbow. Need 380 of those tables, each 2^(28.5) rows. Codebook optimizations

GSM phones disclose keystream through known or guessable plaintext: Empty ACKS Connect ACK IDLE frames System Information Call proceeding Alerting Known plaintext

A5/1 and A5/3 use same keys Semi-active attack forces switching back to A5/1 Kasumi broken in past research: o 2^26 plaintext/ciphertext o 1 GB storage o 2^32 time complexity. A5/3 (Kasumi) also vulnerable

Potential A5 Consequences Intercepting and decoding calls Monitoring data transfer Cloning of cell phones

Intercepting and Decoding Calls Recording of calls and decoding them later Listening in for personal information o Credit card information o Social security number o Banking information

Monitoring Data Transfer Reading SMS Banking Information Payments Web authentication

Cloning of Cell Phones Stealing phone services o Billing strangers o Performing illegal criminal activities over cloned phones

A5 v3 Updated, stronger version of A5 encryption presented by the 3rd Generation Partnership Project (3GPP) Used for 3G communications o 3G supports voice communications and data  Enough bandwidth to support both operations simultaneously

Block Ciphers A5/3 is a block cipher Block Cipher Information o Block ciphers encrypt 'chunks' of data, versus Stream ciphers, which encrypt only individual bits/bytes. o Difference from stream cipher is amount encrypted per unit of time.

A5/3 Compromise A5/3 not yet in use, but has already been cracked. o The A5/3 Crack, known as the “Sandwich Attack” is not practical. o During G3 calls, plaintexts are transmitted every second, but millions will be required to deduce the secret key. o "The attack should stand as a reminder that A5/3 and any other cipher will need to be replaced eventually" - Karsten Nohl A5/3 has been developed and agreed upon by GSM industry, but no timeframe for implementation has been set. The bottom line: nothing to worry about. o Not feasible due to massive computation overhead and other requirements.

Sources "What algorithm is utilized for encryption in GSM networks?". GSM Security. 21 Jan "Global System for Mobile Communication (GSM)". International Engineering Consortium. 21 Jan "What is a stream cipher?". RSA Laboratories. 21 Jan “What algorithm is utilized for key generation in GSM networks?”. GSM-Security.net. 21 Jan “What algorithm is utilized for authentication in GSM networks?”. GSM-Security.net. 21 Jan Willis, Nathan. "GSM encryption crack made public". LWN.net. 21 Jan

More Sources "Block and Stream Ciphers". TopBits.com. 21 Jan Goodin, Dan. "'Sandwich attack' busts new cellphone crypto". The Register. 21 Jan Barkan, Elad, Eli Biham, and Nathan Keller. "Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication". Department of Mathematics Technion - Israeli Institution of Technology. 21 Jan Biryukov, Alex, Adi Shamir, and David Wagner. "Real Time Cryptanalysis of A5/1 on a PC". Cryptome. 21 Jan Güneysu, Tim, Timo Kasper, Martin Novotný, Christof Paar, and Andy Rupp. “Cryptanalysis with COPACOBANA". IEEE Transactions on Computers. 21 Jan Nohl, Karsten, and Chris Paget. "GSM: SRSLY?". Chaos Communication Congress. 21 Jan. 2010

More Sources Wilson, Tim. "Researchers Prepare Practical Demonstration Of GSM Encryption Cracking Technology ". DarkReading.. Nohl, Karsten and Sascha Krißler. "Subverting the Security Base of GSM". Hacking at Random Sorkin, Justin. " German security researcher cracks A5/1 encryption portion of GSM ". Topnews.. Markoff, John. "Researchers Crack Code In Cell Phones". The New York Times.. "3GPP confidentiality and integrity algorithms". 3GPP: A Global Initiative..