GSM Security: Cryptanalysis of A5/1 Arber Ceni – 07.02.2011

Overview (I)
• Motivation
• Description of A5/1
• Time-memory tradeoff attacks
  • Golic 1997
  • Biryukov et al. 2000
  • Biham and Dunkelman 2000
  • Barkan, Biham and Keller 2003
  • COPACOBANA 2008

Overview (II)
• Correlation attacks
  • Ekdahl and Johansson 2003
  • Maximov, Johansson and Babbage 2005
  • Barkan and Biham 2006
• Other attacks on GSM and A5 family ciphers
• Conclusions

Motivation
• GSM has more than 3 billion customers and covers around 80% of the world's population
• Every over-the-air conversation is protected by A5/1
• GSM is the biggest cryptosystem ever deployed
• A5/1 was developed in 1987 (more than 20 years old)
• Many flaws discovered
• Many attacks conducted

Description of A5/1 (I)
• GSM uses symmetric cryptography
• The same key Kc is used to encrypt and decrypt the conversation
• How is Kc generated?
• Ki – root encryption key
• Unique for each subscriber
• A3 – authenticates the user to the mobile operator
• A8 – generates Kc

Description of A5/1 (II)
• Invented in 1987
• Partially leaked in 1994
• Reverse engineered by Briceno in 1999
• Idea:
• The conversation is sent as frames transmitted every 4.6 ms
• 228 bits + Kc + Fn = 228 bits of ciphertext
• 114 up, 114 down
• Three LFSRs
• R1 – length 19; tapping bits 13, 16, 17, 18; clocking bit 8
• R2 – length 22; tapping bits 20, 21; clocking bit 10
• R3 – length 23; tapping bits 7, 20, 21, 22; clocking bit 10

Description of A5/1 (III)
• Clocking
• A register is clocked if its clocking bit agrees with the majority bit
• C1 = C2 = C3 + 1 => R1 and R2 are clocked
• The probability of each register being clocked is 3/4

Description of A5/1 (IV)
• Algorithm (initial state)
• Zero all registers
• For each bit of Kc: Rj[0] = Rj[0] + Kc[i], j = (1, 2, 3)
• Clock the registers, ignoring the regular clocking mechanism
• For each bit of Fn: Rj[0] = Rj[0] + Fn[i], j = (1, 2, 3)
• Clock the registers, ignoring the regular clocking mechanism
• Clock the registers with the normal clocking mechanism for 100 rounds and discard the output

Description of A5/1 (V)
• Algorithm (ciphertext generation)
• Clock the cipher 114 times using the normal stop/go fashion
• Produce 114 bits (keystream) by XOR-ing the MSBs of the three registers
• This keystream will be used to encrypt the communication between operator and mobile station
• XOR the keystream with the initial message to produce the ciphertext
• Do the same for the conversation between mobile station and operator
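
The register layout, majority clocking and two-phase procedure from the Description of A5/1 slides, as an added Python example that is not part of the original slides. It assumes the clock-then-XOR order and LSB-first bit numbering of the publicly circulated reference implementation; all function names and the sample key are chosen here.

```python
# A5/1 registers as listed on the slide: (length, feedback taps, clocking bit).
REGS = ((19, (13, 16, 17, 18), 8),
        (22, (20, 21), 10),
        (23, (7, 20, 21, 22), 10))

def shift(r, j):
    """Clock register j once: XOR of the tap bits is shifted in at bit 0."""
    length, taps, _ = REGS[j]
    fb = 0
    for t in taps:
        fb ^= (r >> t) & 1
    return ((r << 1) & ((1 << length) - 1)) | fb

def movers(bits):
    """Majority rule: a register steps iff its clocking bit equals the majority."""
    maj = 1 if sum(bits) >= 2 else 0
    return [b == maj for b in bits]

def majority_clock(state):
    """One stop/go step over the three registers."""
    bits = [(r >> REGS[j][2]) & 1 for j, r in enumerate(state)]
    go = movers(bits)
    return [shift(r, j) if go[j] else r for j, r in enumerate(state)]

def load(kc, fn):
    """Mix 64 bits of Kc, then 22 bits of Fn, clocking all registers each time.
    Assumptions: bit i of the integer is Kc[i] / Fn[i]; clock first, then XOR."""
    state = [0, 0, 0]
    for value, nbits in ((kc, 64), (fn, 22)):
        for i in range(nbits):
            bit = (value >> i) & 1
            state = [shift(r, j) ^ bit for j, r in enumerate(state)]
    return state

def keystream(kc, fn):
    """Return two lists of 114 keystream bits, one per direction of a frame."""
    state = load(kc, fn)
    for _ in range(100):                 # warm-up rounds, output discarded
        state = majority_clock(state)
    out = []
    for _ in range(228):
        state = majority_clock(state)
        out.append((state[0] >> 18) ^ (state[1] >> 21) ^ (state[2] >> 22))
    return out[:114], out[114:]

if __name__ == "__main__":
    # Constructed sample key and frame number, for illustration only.
    first, second = keystream(0x0123456789ABCDEF, 0x134)
    print("".join(map(str, first)))
```

Because `load` uses only shifts and XORs on an all-zero start state, the state it returns for Kc1 XOR Kc2 and Fn1 XOR Fn2 equals the XOR of the two individual states; only the majority clocking that follows is non-linear.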

Time-memory tradeoff attacks – Golic 1997
• Alleged but similar A5/1 cipher
• Divide and conquer
• Idea: Guess some bits of the state of the registers and find the others by solving linear equations
• Complexity: $O(2^{40.16})$
• How many bits should we guess:
• $n$ if $n \le r_i - \tau_i + 1$
• $n - r_i + \tau_i - 1$ otherwise
• $1 + 3n + 4n/3$ linear equations
• Linearly independent if $n < \max(\tau_1, \tau_2, \tau_3) - 1$
• Real A5/1: $\max(\tau_1, \tau_2, \tau_3) = 10$ => $O(2^{45.22})$
• Time-memory tradeoff: 102·K·M ≥ $2^{63.32}$

Time-memory tradeoff attacks – Biryukov et al. 2000 (I)
• Store (prefix, state) pairs on HDD for special states starting with α = 16 bits
• Flaw of A5/1: clocking tap doesn't affect output for 16 clocking cycles
• Produces $2^{48}$ states instead of $2^{64}$; further reduced to $2^{40}$
• Compare the prefix of an unknown state
• Red states R – special states; $|R| = 2^{48}$
• Green states G – α is encountered in position 101-277; $|G| = 177 \cdot 2^{48}$
• $2^{35}$ stored red states with avg weight 12500
• We can encounter a red state in 2 min of conversation with a probability of 61%

Time-memory tradeoff attacks – Biryukov et al. 2000 (II)
• Random subgraph attack
• From stored special states, generate other special states
• A new function f makes this possible, and inverting it produces the special state from an output bit
• Time-memory tradeoff:
• $M = 2^{36}$, $|U| = 2^{48}$, $T = 2^{24}$ and preprocessing $2^{48}$

Time-memory tradeoff attacks – Biham and Dunkelman 2000 (I)
• Wait until an event that gives a lot of information happens
• With some improvements to the previous attack, break A5/1
• R3 is not clocked for 10 consecutive times and R3[10,22] are known
• We get 20 clocking bits of R1 and R2
• Other 11 bits from the output stream
• Guessing 9 bits from R1 and 1 from R2 gives both registers
• Guessing 10 bits from R3 gives the other 11 bits of R3
• Complexity: $O(2^{27})$
• $2^{20}$ possible starting points for R3
• Complexity: $O(2^{47})$

Time-memory tradeoff attacks – Biham and Dunkelman 2000 (II)
• Improve the techniques of the previous attack
• Compute two tables:
• Next-state table – stores the states in the computed order
• Pointer table – stores the location of the state
• Total complexity computed:
• $2^{20}$ – possible start points for R3
• $2^{12}$ – possible guesses
• each of them $2^{1.53}$ values, which cost 2 cycles (next-state lookup)
• $2^{4.53}$ – values for 10 guesses of R3
• each of these clocked and checked in the pointer table => 2 cycles
• each check needs to be clocked twice
• $2^{20} \cdot 2^{12} \cdot 2^{1.53} \cdot 2 \cdot 2^{4.53} \cdot (1 + 1 + 2 \cdot 0.88) = 2^{40.97}$ A5/1 clocking cycles

Time-memory tradeoff attacks – Barkan, Biham and Keller 2003
• Man-in-the-middle attack
• 1st attack
• Ask the victim to start encrypting with A5/2
• Break A5/2 (which is easier) and send the authentication to the server
• 2nd attack
• Ask the network and the victim to start a conversation with no encryption (A5/0)
• This is likely to be discovered by the operator
• 3rd attack
• The operator rarely initiates the authentication procedure
• The attacker asks the victim to encrypt with A5/2
• Break A5/2 and use it later

Time-memory tradeoff attacks – COPACOBANA 2008
• 120 parallel FPGAs (Field-Programmable Gate Arrays)
• Offers better performance-cost ratio
• Can be connected to a normal PC
• Using COPACOBANA:
• 114 known bits (1 frame)
• Preprocessing time: three months
• Memory: 4.85 TB
• Online phase: 10.09 s
• Success rate: 63%
• Can be increased to 96%
• Must increase the output stream length to 4 frames

Correlation attacks – Ekdahl and Johansson 2003 (I)
• Based on correlation attacks
• Uses the bad initialization of the cipher
• Key and frame number are initialized linearly
• Is not exponential in the length of the registers
• Assuming that the registers are clocked exactly 76 times, we get a probability of knowing the first output
• For all the positions we can write:

Correlation attacks – Ekdahl and Johansson 2003 (II)
• P((cl1, cl2, cl3) in v-th position) can be computed recursively:
• P((cl1, cl2, cl3) in v-th position) = F(cl1, cl2, cl3, v) where:

Correlation attacks – Ekdahl and Johansson 2003 (III)
• Log-likelihood of all probabilities:
• If A > 0 then the output of the cipher = 0
• If A < 0 then the output of the cipher = 1
• This attack requires:
• 5 minutes of GSM conversation
• Less than 5 minutes to recover the key
• With a success rate of more than 70%

Correlation attacks – Maximov, Johansson and Babbage 2005
• Improve the attack of Ekdahl and Johansson
• Try to reduce the number m of needed frames
• Based on two new flaws of A5/1
• Error-correction codes are applied before encryption
• During silence a special kind of frame containing a large number of zeros is sent
• They also make use of the log-likelihood to find the key, but they use some improved estimators
• Result:
• A few seconds of conversation (2000-5000 frames => 9-43 s)
• Less than one minute of computation

Correlation attacks – Barkan and Biham 2006
• Based on conditional estimators
• Based on previous correlation attacks
• Exploit three new weaknesses of the R2 register
• Alignment property
• Has only two feedback taps, which are adjacent
• Symmetry property – the clocking tap is at the middle of the register
• Steps:
• Compute conditional estimators
• Decode these estimators to find the best candidates for S1 and S2
• Modeled as a huge graph to which Dijkstra-like algorithms can be applied
• For each of these candidates, recover candidates for S3. Recover the key from S1, S2, S3 and verify that it is the correct one
• Results:
• 2000 frames; completes in tens of seconds; success rate is 91%

Other attacks on GSM and A5 family ciphers (I)
• FBDD-based attack
• Developed by Krause 2002
• Complexity: $n^{O(1)} 2^{\frac{1-\alpha}{1+\alpha} n}$, where α is a constant
• For A5/1 complexity: $n^{O(1)} 2^{0.6403 n}$
• Eavesdrop without cryptanalysis
• MITM attack
• Record RAND; record ciphertext => output stream of the cipher
• Later:
• Send the frame number and message to the target mobile
• The frame number is the same, so the message can be decrypted

Other attacks on GSM and A5/1 family ciphers (II)
• Open source project (Nohl 2009)
• Precompute rainbow tables
• The compressed codebook of A5/1
• Used parallelization (FPGA) to reduce precomputing time
• First public project to release the tables
• 1st attack:
• MITM attack
• Fake base station
• Cheap radio equipment
• Open source software – OpenBTS
• 2nd attack:
• Passive attack
• Uses the precomputed rainbow tables
• Everybody can contribute

Other attacks on GSM and A5/1 family ciphers (III)
• The new A5/3 is again weak
• Made public
• Based on the KASUMI block cipher
• Modification of MISTY
• Also weak:
• By applying a sandwich attack
• $2^{26}$ data, $2^{30}$ bytes of memory, can complete in $2^{32}$ time
• The authors claim this is realistic and have simulated the attack on a PC

Conclusions
• Most of the attacks presented here make no claims about the real implementation of A5/1 in fielded GSM
• However, some of them do
• Breaking A5/1 has become an open source project!
• The new A5/3 is also weak!
• The cryptosystem used in GSM should be changed
• It is the biggest cryptosystem ever deployed
• It is not used only for conversation
• Used for banking information, payment, bank transfer etc.

Thank you!
• Questions?