Presentation is loading. Please wait.

Presentation is loading. Please wait.

By Theodora Kontogianni

Published byAntoine Beauséjour Modified over 6 years ago

Similar presentations

Presentation on theme: "By Theodora Kontogianni"— Presentation transcript:

1 By Theodora Kontogianni 18.09.2018
Seminar Mobile Security SIM CARDS By Theodora Kontogianni Assigned tutor: Daniel Loebenberger

2 SECURITY OF SIM CARDS = SECURITY OF CRYPTOGRAPHIC ALGORITHMS
GOAL SECURITY OF SIM CARDS = SECURITY OF CRYPTOGRAPHIC ALGORITHMS

3 OVERVIEW Definition and structure of SIM cards. A3 A8
COMP128 implementation A5 Attacks

4 Definition and key points
Subscriber Identity Module Cards(SIM Cards) A special case of smart cards with a microprocessor Two major types Full size SIM Embedded SIM card (for mobile phones) Embedded SIM card

5 Comments on different types of SIM cards
Same thickness on all the types Same pins Difference in length and width according to the devices´ needs

6 Components of SIM Card CPU ROM EPROM or E2PROM RAM
Serial communication module

7 Important information stored in SIM cards.
Besides SMS and Contacts Passwords PIN and PUK International mobile subscriber identity (IMSI) Integrated circuit card identifier (ICC-ID) Security authentication (Ki) Ciphering information (Kc) And many others!

8 Main levels of defence Prevention of unauthorized access and usage
PIN (4~8 digits) PUK (0~9 digits) Local security measure –network not involved Customer Identity Authentication Algorithm A3 (Authentication) Algorithm A8 (Cipher Key Generation) Both algorithms stored in SIM card Ciphering of air sent information Algorithm A5 (Encryption) Embedded in hardware New ciphering key (Kc) for each call Kc and Ki never transmitted over network Anonymity TMSI sent instead of IMSI

9 GSM Architecture a Home Location Register Authentication Center

10 A3-GSM Authentication An 128-bit random challenge(RAND) is generated by HLR and sent to ME. SIM card encrypts RAND using A3 and Ki stored in SIM card. A 32-bit response is generated(SRES) SRES is sent back to the network. Same operations take place in HLR. If both SRES are equal then authentication is successful.

11 A3 Graphical Overview ? A3 HLR 128-bit challenge RAND
Mobile Equipment (ME) Ki 32-bit response SRES ? Radio Link If challenges equal then authenticated A3 Ki SIM IMPORTANT : Ki is never transmitted over the radio link.

12 A8-Cipher Key Generation
The same 128-bit random challenge (RAND) used in A3 is the input to A8 also. SIM card encrypts RAND using A8 and Ki stored in SIM card. A 64-bit cipher key is generated (Kc). Kc is used in A5 algorithm.

13 COMP128 implementation A3/A8 are both implemented together in COMP128 since they have the same input. It was developed in secret so it lacked peer review and testing. In 1998 a document with its implementation leaked with only a few lines missing that where reverse engineered. COMP128 128-bit RAND 128-bit Ki 32-bit SRES 64-bit Kc

14 COMP128 implementation details
8 rounds – 5 layers Based on a hash function Input = 256 bits = 32 bytes= 16 bytes + 16 bytes Output = 128 – 32leftmost – 64 rightmost = 32 bits Ki= X[0..15] RAND= X[16..31] Kc MAC Adress

15 COMP128- Implementation Details
Order of events RAND and Ki concatenated in input X[0..31]. The input is hashed 8 times which reduces it from 32 to 16 bytes. After each hashing but the last the X is permuted. The output of permutation is the input of the next round. After 8 rounds the last hash value is the output.

16 COMP128

17 COMPRESSION-Hash function
Butterfly Structure 16 combining operations of input pair to output pair for each layer. 5 look-up tables Ti (S-box), one for each of the 5 levels i Each Ti contains 2 9-i (8-i)-bit values So T0 has bit values, T1 has bit values and so on....

18 Butterfly Structure

19 Hash function example Example: On level 0 X[ ] is split in X[0..15] and X[16..31] The value of each one element of the right part (X[i+16]) is combined with each element of the left (X[i]) to compute y= (X[i]+2*X[i+16])mod 512 and z=(X[i+16]+2*X[i])mod 512 Finally the X[i] = T0[y] and X[i+16] = T0[z] So the size of elements is reduced from table to table.

20 Substitution of Elements

21 A5-Encryption Built-in inside the hardware 3 major versions
A5/1: the stronger A5/2: the weaker A5/3: for 3GPP-Kasumi systems Also secret Design leaked in 1994 Reverse engineered by Briceno

22 A5/1 Logical Details Conversation in GSM system is a sequence of frames Each frame is 114 bits from A(ME) to B(Base Station) and 114 bits from B to A. A5 Kc (64 bit) Fn (22 bit) 114 bit XOR Data (114 bit) Ciphertext (114 bit) Mobile Equipment BTS

23 System Overview

24 Attacs on COMP128 First in 1998 (Smart Card Developer Association)
Exploits weakness in the Butterfly Structure called narrow pipe. After the second layer of the first round, the output bytes X[i], X[i+8], X[i+16], X[i+24] depend ONLY on the input bytes with the same indices. X[i]=Ki[i] and X[i+18]=Ki[i+18] i=0..7 Size of narrow pipe is 4 bytes.

25 Narrow pipe

26 Collision We vary X[i+16], X[i+24] The rest constant
With chosen text attacks we can hope for a collision. When collision occurs in round two, it propagates until the last round. According to the birthday paradox, 214 random challenges are needed to find 2 bytes of Ki[i] and Ki[i+8]. 217 chosen texts for the whole Ki

27 Other attacks on COMP128 More attacks based on side channels
Partitioning Attack by IBM Look up table emit data, especially on the first round 8 chosen plaintext

28 Conclusion COMP128 attacks needs 217 queries and possession of the SIM card SIM cards stop functioning after so many queries Partitioning attack more than 1000 random challenges More and more attacks Companies are afraid of the cost of changing. Reluctant to put their algorithms under peer review.

29 Thank you! Images on slides 16,18, 20 are modified by
COMP128 : A Birthday surprise

Download ppt "By Theodora Kontogianni"

Similar presentations

Lecture 5: Cryptographic Hashes

Lecture 5: Cryptographic Hashes
Lecture 7 Overview. Advanced Encryption Standard 10, 12, 14 rounds for 128, 192, 256 bit keys – Regular Rounds (9, 11, 13) – Final Round is different.

Lecture 7 Overview. Advanced Encryption Standard 10, 12, 14 rounds for 128, 192, 256 bit keys – Regular Rounds (9, 11, 13) – Final Round is different.
Siyang Tian. TOPIC 1.SIM CARD card embedded with subscriber identity module 2. 3G network 3rd generation mobile telecommunications.

Siyang Tian. TOPIC 1.SIM CARD card embedded with subscriber identity module 2. 3G network 3rd generation mobile telecommunications.
An Improvement on Privacy and Authentication in GSM Young Jae Choi, Soon Ja Kim Computer Networks Lab. School of Electrical Engineering and Computer Science,

An Improvement on Privacy and Authentication in GSM Young Jae Choi, Soon Ja Kim Computer Networks Lab. School of Electrical Engineering and Computer Science,
GSM network and its privacy Thomas Stockinger. Overview Why privacy and security? GSM network‘s fundamentals Basic communication Authentication Key generation.

GSM network and its privacy Thomas Stockinger. Overview Why privacy and security? GSM network‘s fundamentals Basic communication Authentication Key generation.
GSM Security and Encryption

GSM Security and Encryption
Islamic University-Gaza Faculty of Engineering Electrical & Computer Engineering Department Global System for Mobile Communication GSM Group Alaa Al-ZatmaHosam.

Islamic University-Gaza Faculty of Engineering Electrical & Computer Engineering Department Global System for Mobile Communication GSM Group Alaa Al-ZatmaHosam.
Syed Safi Uddin Qadri BETL/F07/0112 GSM Stream Cipher Algorithm Presented To Sir Adnan Ahmed Siddiqui.

Syed Safi Uddin Qadri BETL/F07/0112 GSM Stream Cipher Algorithm Presented To Sir Adnan Ahmed Siddiqui.
Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.

Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.
Differential Power Analysis of Smartcards How secure is your private information? Author: Ryan Junee Supervisor: Matt Barrie.

Differential Power Analysis of Smartcards How secure is your private information? Author: Ryan Junee Supervisor: Matt Barrie.
GSM Global System for Mobile Communications

GSM Global System for Mobile Communications
Federated Authentication mechanism for mobile services Dasun Weerasinghe, Saritha Arunkumar, M Rajarajan, Veselin Rakocevic Mobile Networks Research Group.

Federated Authentication mechanism for mobile services Dasun Weerasinghe, Saritha Arunkumar, M Rajarajan, Veselin Rakocevic Mobile Networks Research Group.
SMUCSE 5349/7349 GSM Security. SMUCSE 5349/7349 GSM Security Provisions Anonymity Authentication Signaling protection User data protection.

SMUCSE 5349/7349 GSM Security. SMUCSE 5349/7349 GSM Security Provisions Anonymity Authentication Signaling protection User data protection.
Security in Wireless LAN 802.11 Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.

Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.

Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.
Cryptography (continued). Enabling Alice and Bob to Communicate Securely m m m Alice Eve Bob m.

Cryptography (continued). Enabling Alice and Bob to Communicate Securely m m m Alice Eve Bob m.
Information Security of Embedded Systems 20.1.2010: Communication, wireless remote access Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer.

Information Security of Embedded Systems : Communication, wireless remote access Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer.
15-441 Computer Networking Lecture 21: Security and Cryptography Thanks to various folks from 15-441, semester’s past and others.

Computer Networking Lecture 21: Security and Cryptography Thanks to various folks from , semester’s past and others.
Hash Functions Nathanael Paul Oct. 9, 2002. Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)

Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)
NCHU AI LAB Implications of Unlicensed Mobile Access for GSM security From : Proceeding of the First International Conference on Security and Privacy for.

NCHU AI LAB Implications of Unlicensed Mobile Access for GSM security From : Proceeding of the First International Conference on Security and Privacy for.

Similar presentations

Ads by Google