Post on 03-Jun-2018
8/11/2019 GSM Security Attacks
1/32
Agenda
A5 Overview :
  LFSR (Linear Feedback Shift Registers)
  A5/1 Description
Attack on A5 :
  Space-Time Attacks Overview (by Babbage)
  Cryptanalysis of A5/1 (by Shamir, Biryukov, Wagner)
Other Attacks on GSM
Conclusion
LFSR structure
Purpose - to produce a pseudo-random bit sequence
Consists of two parts :
shift register - bit sequence
feedback function
Tap Sequence :
bits that are input to the feedback function
[Figure: shift register b1 b2 b3 b4 ... bn-1 bn; feedback function (XOR) produces the new value; output]
LFSR Features
LFSR Period - the length of the output sequence before it starts repeating itself.
An n-bit LFSR can be in 2^n - 1 internal states
the maximal period is also 2^n - 1
the tap sequence determines the period
the polynomial formed by a tap sequence plus 1 must be a primitive polynomial (mod 2)
LFSR
Example :
x^12 + x^6 + x^4 + x + 1 corresponds to an LFSR of length 12
b1 b2 b3 b4 b5 b6 b7 b8 b9 b10 b11 b12
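The dependence of the period on the tap sequence can be checked directly. The following is an added example, not part of the original slides: a Fibonacci-style LFSR that measures the period for the polynomial above and, for comparison, for the non-primitive x^12 + x^6 + 1 = (x^6 + x^3 + 1)^2. The bit ordering (exponent e taps bit b_e, new bit enters at b1) is an assumption of this example.

```python
def lfsr_step(state, exponents, n):
    """One shift of an n-bit LFSR whose feedback function is XOR.

    `exponents` are the non-constant exponents of the polynomial;
    exponent e selects tap bit b_e, stored at bit position e - 1.
    """
    fb = 0
    for e in exponents:
        fb ^= (state >> (e - 1)) & 1          # XOR of the tap sequence
    # Shift, insert the new value at b1, drop the bit that leaves b_n.
    return ((state << 1) | fb) & ((1 << n) - 1)


def lfsr_period(exponents, seed=1):
    """Number of shifts before the register returns to its seed state."""
    n = max(exponents)                        # register length = degree
    state, steps = lfsr_step(seed, exponents, n), 1
    while state != seed:
        state = lfsr_step(state, exponents, n)
        steps += 1
    return steps


if __name__ == "__main__":
    # Primitive polynomial from the slide: maximal period 2^12 - 1.
    print("x^12+x^6+x^4+x+1:", lfsr_period((12, 6, 4, 1)))
    # Same register length, non-primitive taps: the sequence repeats early.
    print("x^12+x^6+1      :", lfsr_period((12, 6)))
```
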
A5/1 Overview
A5/1 is a stream cipher, which is initialized all over again for every frame sent.
Consists of 3 LFSRs of 19, 22 and 23 bits in length.
The 3 registers are clocked in a stop/go fashion using the majority rule.
"Cryptography is a mixture of mathematics and muddle, and without the muddle the mathematics can be used against you." - Ian Cassels, a former Bletchley Park cryptanalyst.
[Figure: the three A5/1 registers R1 (bits 18..0), R2 (bits 21..0) and R3 (bits 22..0), with clocking bits C1, C2, C3 feeding the clock control]
A5/1 : Operation
All 3 registers are zeroed
64 cycles (without the stop/go clock) :
Each bit of K (lsb to msb) is XOR'ed in parallel into the lsb's of the registers
22 cycles (without the stop/go clock) :
Each bit of Fn (lsb to msb) is XOR'ed in parallel into the lsb's of the registers
100 cycles with the stop/go clock control, discarding the output
228 cycles with the stop/go clock control which produce the output bit sequence.
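The steps above, written out as an added Python example (not code from the original slides). The feedback taps (18,17,16,13 / 21,20 / 22,21,20,7) and clocking bits (8, 10, 10) are the publicly documented A5/1 parameters; any key and frame number passed in are the caller's own sample values.

```python
# (length, feedback tap bits, clocking bit) for R1, R2, R3; bit 0 is the lsb.
REGS = [(19, (18, 17, 16, 13), 8),
        (22, (21, 20), 10),
        (23, (22, 21, 20, 7), 10)]


def shift(reg, length, taps, inbit=0):
    """Shift one register; new lsb = XOR of the taps (and of inbit, if given)."""
    fb = inbit
    for t in taps:
        fb ^= (reg >> t) & 1
    return ((reg << 1) | fb) & ((1 << length) - 1)


def clock_all(state, inbit=0):
    """Clock all three registers, ignoring stop/go (used for key/frame loading)."""
    return [shift(r, n, taps, inbit) for r, (n, taps, _) in zip(state, REGS)]


def clock_majority(state):
    """Stop/go step: only registers whose clocking bit equals the majority move."""
    cbits = [(r >> c) & 1 for r, (_, _, c) in zip(state, REGS)]
    maj = int(sum(cbits) >= 2)
    moved = [b == maj for b in cbits]
    new = [shift(r, n, taps) if m else r
           for r, (n, taps, _), m in zip(state, REGS, moved)]
    return new, moved


def a5_1_keystream(key, frame, nbits=228):
    """Keystream bits for one frame from a 64-bit key and a 22-bit frame number."""
    state = [0, 0, 0]                          # all 3 registers are zeroed
    for i in range(64):                        # key bits, lsb to msb
        state = clock_all(state, (key >> i) & 1)
    for i in range(22):                        # frame number bits, lsb to msb
        state = clock_all(state, (frame >> i) & 1)
    for _ in range(100):                       # 100 stop/go cycles, output discarded
        state, _moved = clock_majority(state)
    out = []
    for _ in range(nbits):                     # 228 stop/go cycles give the output
        state, _moved = clock_majority(state)
        # Output bit = XOR of the most significant bit of each register.
        out.append(sum((r >> (n - 1)) & 1 for r, (n, _, _) in zip(state, REGS)) & 1)
    return out
```

Because the whole state is rebuilt from K and Fn for every frame, two frames under the same key differ only through the 22 frame-number bits, which is the reinitialization property the attack summary later relies on.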
The Model
The internal state of the A5/1 generator is the state of all 64 bits in the 3 registers, so there are 2^64 - 1 states.
The operation of A5/1 can be viewed as a state transition :
[Figure: S0 -> S1 -> S2 -> ... -> St, with output bits k0, k1, k2, ..., kt]
Standard attack assumes the knowledge of about 64 output bits (64 bits: 2^64 different sequences).
Space/Time Trade-Off Attack I
Get keystream bits k1, k2, ..., kM+n and prepare M subsequences :
k1, ..., kn
k2, ..., kn+1
...
kM, ..., kn+M
(M subsequences)
generate random state Si
generate n-bit keystream
look for it in the prepared keystream subsequences
Space/Time Trade-Off Attack II
Select R random states S1, ..., SR and for each state generate an n-bit keystream :
S1: k1,1 ... k1,n
S2: k2,1 ... k2,n
...
SR: kR,1 ... kR,n
(R prepared states)
Get keystream bits k1, k2, ..., kM+n and prepare M subsequences
Look for a prepared state
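Attack II at toy scale, as an added example that is not from the original slides: a 12-bit filter generator built on the x^12 + x^6 + x^4 + x + 1 LFSR (the output function, R = M = 256, the 16-bit window and the seed are assumptions of this example). It shows that a table of R states and M observed windows is enough once R x M exceeds the number of states, which is why a generator's internal state has to be far larger than the work an adversary can afford.

```python
import random

N = 12                                         # toy state size: 2^12 - 1 states
EXPONENTS = (12, 6, 4, 1)                      # x^12 + x^6 + x^4 + x + 1
WINDOW = 16                                    # prefix length n identifying a state


def step(state):
    fb = 0
    for e in EXPONENTS:
        fb ^= (state >> (e - 1)) & 1
    return ((state << 1) | fb) & ((1 << N) - 1)


def keystream(state, nbits):
    """Toy nonlinear filter generator (constructed for this example, not A5/1)."""
    bits = []
    for _ in range(nbits):
        bits.append(((state >> 11) ^ ((state >> 6) & (state >> 2))) & 1)
        state = step(state)
    return bits


def precompute(r, rng):
    """Offline: R random states S1..SR, indexed by their n-bit keystream prefix."""
    states = (rng.randrange(1, 1 << N) for _ in range(r))
    return {tuple(keystream(s, WINDOW)): s for s in states}


def recover(table, observed):
    """Online: look each of the M subsequences up among the prepared states."""
    for off in range(len(observed) - WINDOW + 1):
        cand = table.get(tuple(observed[off:off + WINDOW]))
        # A prefix can match by chance, so confirm on the rest of the keystream.
        if cand is not None and keystream(cand, len(observed) - off) == observed[off:]:
            return off, cand                   # generator state at offset `off`
    return None


def demo(r=256, m=256, seed=2018):
    rng = random.Random(seed)
    secret = rng.randrange(1, 1 << N)          # unknown to recover()
    observed = keystream(secret, m + WINDOW)
    return observed, recover(precompute(r, rng), observed)
```
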
Shamir/Biryukov Attack Outline
2 disks (73 GB) and the first 2 minutes of the conversation are needed. Can find the key in less than a second.
This attack is based on the second variation of the space/time tradeoff.
There are n = 2^64 total states
A - the set of prepared states (and relevant prefixes)
B - the set of states through which the algo. proceeds
The main idea : Find a state s in A ∩ B (the states are identified by prefix)
Run the algorithm in the reverse direction
Biased Birthday Attack
Birthday paradox : A B o if |A| |B| n
Each state is chosen for A with probability PA(s) and for B with probability PB(s). Then, the intersection will not be empty if
sPA(s) PB(s) 1
The idea is to choose the states from A and B with 2 non-uniform distributions that have correlation between them
Disk Storage
[Figure labels: state, prefix]
The prefixes can be sorted and thus serve as indices into the states array
The registers are small, we can precompute all their states and store them in 3 cyclic arrays
But, for each state we can store
only two bits : the clock bit and
the output bit
(I, j, k)
At each step we only have to know
which of the three indices should be
incremented.
This could be implemented by a precomputed table with 3 input bits (clocks) and the increment vector as the output.
No shift operations !
c1 c2 c3 inc1 inc2 inc3
0 1 0 1 1 0
State Transition :
Special States
Disk access is very time-consuming!
Keep on disk (set A) only those states, which produce a sequence that starts with a certain pattern , | | = k
Access the disk only when is encountered
2^k prefixes can start with , so we reduce the number of total possible states (n) by 2^k and the number of disk access times by 2^k. The size of A, however, is unchanged, and we only insert the states that satisfy the condition there. Thus, we don't miss intersections.
Estimations
We need 5 bytes per state to store on disk (73 G), so we can afford 146 * 2^30 / 5 = 2^35 states
We use 51 bit length prefixes (16 first bits are )
How many times will be encountered in the data ?
there are 228 bits of data, that is, 177 (228-51) "relevant offsets"
2 minutes of operation, that is, 120 * 1000 / 4.5 frames
2^-16 is the fraction of all possible states which start with
so, the number of occurrences is 2^-16 * 177 * 120 * 1000 / 4.5 ≈ 71
Tree Exploration
A state is red if the sequence of output bits produced from the state starts with . There are 2^48 red states.
A state is green if the sequence produced from the state contains an -occurrence between bit positions 101-277
There are 177 * 2^48 green states
We can assume that the short path (of length 277) will contain only one occurrence of , so the mapping is many-to-1
Tree Exploration II
The set of relevant states can be viewed as a collection
of disjoint trees with red state as the root and the rest of
nodes are green states.
We're interested in trees with green states at levels
101-277. The weight of tree, W(s) is the number of green
states at those levels.
[Figure: tree of states; labels: sequence generation, reverse direction]
Tree Exploration III
It is experimentally found that W(s) has a highly non-uniform distribution :
85% of the trees die before reaching the level 100
15% of the trees have 1 W(s) 2600
Choose 2^35 states (biased probability) with particularly heavy trees (average weight 12500) from overall of 2^48 red states
The expected number of collisions : 2^35 * 12500 * 71 / (177 * 2^48) ≈ 0.61
Tree Exploration IV
Heavy trees large number of green state candidates?
We know the exact location of in the sequence, so we know
the exact depth in the tree. The trees are narrow, so the total number of states we'll have
to check is less than 100 !
Attack Summary
Due to frequent reinitialization (for every new frame), it's possible to efficiently run the algorithm backwards (328 steps).
Poor choice of the clocking taps.
Each one of the registers is so small that it's possible to precompute all its states.
Attacks on Signaling Network
The transmissions are encrypted only between MS and BTS. After the BTS, the protocols between MSC and BSC (BSSAP) and inside the operator's network (MAP) are unencrypted, allowing anyone who has access to the signaling system to read or modify the data on the fly !
So, the SS7 signaling network is completely insecure.
The attacker can gain the actual phone call, RAND & SRES
Attacks on Signaling Network
If the attacker can access the HLR, s/he will be able to retrieve the Ki for all subscribers of that particular network.
SMS Architecture
SMS is a "store and forward" message system - the message is sent from the originator to the SMS Center, and then on to the recipient.
SMS messages can be up to 160 characters in length
Sent in clear (but different formats).
SMS Attacks
[Figure: SMS packet, made up of instructions to air interface, instructions to SMSC, instructions to handset, instructions to SIM and the message body]
A broken UDH (user data header) in an SMS message caused a crash in some Nokia phones. It required the user to put their SIM into a non-affected phone and delete the offending message.
Spoofing SMS Messages: Originating Address field can be
arbitrarily set to anything.
The applications using sms should take care of authentication
and also encrypt their messages !
Conclusions (cont.)
Cons
Security by Obscurity
Only access security - doesn't provide end-to-end security
GSM Security is broken at many levels, vulnerable to numerous attacks
Even if security algorithms are not broken, the GSM
architecture will still be vulnerable to attacks from inside or
attacks targeting the operator's backbone
No mutual authentication
Confidential information requires additional encryption
over GSM
References
GSM Association, http://www.gsmworld.com
M. Rahnema, Overview of the GSM System and Protocol Architecture, IEEE Communication Magazine, April 1993
L. Pesonen, GSM Interception, November 1999
J. Rao, P. Rohatgi, H. Scherzer, S. Tinguely, Partitioning Attack: Or How to Rapidly Clone Some GSM Cards, IEEE Symposium on Security and Privacy, May 2002.
P. Kocher, J. Jaffe, Introduction to Differential Power Analysis and Related Attacks, Cryptography Research, 1998
S. Babbage, A Space/Time Trade-off in Exhaustive Search Attacks on Stream Ciphers, European Convention on Security and Detection, IEE Conference publication, No. 408, May 1999.
A. Biryukov, A. Shamir, D. Wagner, Real Time Cryptanalysis of A5/1 on a PC, Preproceedings of FSE 7, pp. 1-18, 2000
ISAAC, University of California, Berkeley, GSM Cloning, http://www.isaac.cs.berkeley.edu/isaac/gsm-faq.html
S. Chan, An Overview of Smart Card Security, http://home.hkstar.com/~alanchan/papers/smartCardSecurity/
Thank You !