Thcwiki

</head><body dir="ltr" lang="en">
<div id="header">
<div id="mastwrap"><div id="masthead">
<form id="searchform" method="get" action="">
<div>
<input name="action" value="fullsearch" type="hidden">
<input name="context" value="180" type="hidden">
<label style="display: none;" for="searchinput">Search:</label>
<input id="searchinput" name="value" value="" size="20" onfocus="searchFocus(thi
s)" onblur="searchBlur(this)" onkeyup="searchChange(this)" onchange="searchChang
e(this)" alt="Search" type="text">
<input id="titlesearch" name="titlesearch" value="Titles" alt="Search Titles" ty
pe="submit">
<input id="fullsearch" name="fullsearch" value="Text" alt="Search Full Text" typ
e="submit">
</div>
</form>
<script type="text/javascript">

</script>
<ul id="username">
<li><a href="http://web.archive.org/web/20070805124756/http://wiki.thc.org/crack
ing_a5?action=login">Login</a></li>
</ul>
</div></div>
<ul id="navibar">
</ul>
<ul class="extranav">
<li><a href="http://web.archive.org/web/20070805124756/http://wiki.thc.org/Recen
tChanges">RecentChanges</a></li>
<li><a href="http://web.archive.org/web/20070805124756/http://wiki.thc.org/FindP
age">FindPage</a></li>
</ul>
<ul class="editbar"><li>Immutable Page</li><li><a
href="http://web.archive.org/web/20070805124756/http://wiki.thc.org/cracking_a5?
action=info">Info</a></li><li><a href="http://web.archive.org/web/20070805124756
/http://wiki.thc.org/cracking_a5?action=AttachFile">Attachments</a></li><li>
<form class="actionsmenu" method="get" action="">
<div>
<select name="action" onchange="if ((this.selectedIndex != 0) &&
(this.options[this.selectedIndex].disabled == false)) {
this.form.submit();
}
this.selectedIndex = 0;">
<option value="show">More Actions:</option><option value="raw">Raw Text<
/option>
<option value="print">Print View</option>
<option value="RenderAsDocbook">Render as Docbook</option>
<option value="refresh">Delete Cache</option>
<option value="show" disabled="disabled" class="disabled">------------</option>
<option value="SpellCheck">Check Spelling</option>
<option value="LikePages">Like Pages</option>
<option value="LocalSiteMap">Local Site Map</option>
<option value="RenamePage" disabled="disabled" class="disabled">Rename Page</opt
ion>
<option value="DeletePage" disabled="disabled" class="disabled">Delete Page</opt
ion>
<option value="MyPages">My Pages</option>
<option value="SubscribeUser">Subscribe User</option>
<option value="Despam">Remove Spam</option>
<option value="PackagePages">Package Pages</option>
</select>
</div>
<script type="text/javascript">

</script>
</form>
</li></ul>
</div>
<div id="page" dir="ltr" lang="en">
<ul id="pagelocation">
<li><a class="backlink" title="Click to do a full-text search for this title" hr
ef="http://web.archive.org/web/20070805124756/http://wiki.thc.org/cracking_a5?ac
tion=fullsearch&value=linkto%3A%22cracking+a5%22&context=180">cracking a
5</a></li>
</ul>
<div dir="ltr" id="content" lang="en">
<big>The A5 C
racking Project</big> 
<img class="attachment" src="http://web
.archive.org/web/20070805124756/http://wiki.thc.org/cracking_a5?action=AttachFil
e&do=get&target=a51.png" title="attachment:a51.png"> NEWS: Someone vandalised the Wiki. I've thus removed write permissio
ns for everyone. From now on if you want to add information you have to send the
m to me (steve at segfault.net) instead of editing this page directly. 
 
NEWS: We have created a PRIVATE
A5 mailinglist. If you feel you have something to contribute to the project ple
ase contact steve [at] segfault.net. The reason for this has been explained on t
he public mailinglist a5 [at] lists.segfault.net. <img class="attachment" src="http://web.archive.org/web/20070805124756/http://
wiki.thc.org/cracking_a5?action=AttachFile&do=get&target=eff.jpg" title=
"attachment:eff.jpg"> Powered by <a class="http" href="http://web.archive.org/we
b/20070805124756/http://www.eff.org/">EFF</a>. <div class="table-of-contents">
Contents<ol><li><a href="http://web.archive.org/web/20070805124756/http://wi
ki.thc.org/cracking_a5#head-95c01db22f34647ab638420456c777c9c6813748">LICENSE</a
></li><li><a href="http://web.archive.org/web/20070805124756/http://wiki.thc.org
/cracking_a5#head-6fb4f4c3d7bdd898698faf9a42872184f837271c">About</a></li><li><a
href="http://web.archive.org/web/20070805124756/http://wiki.thc.org/cracking_a5
#head-31aea107a4660b26c7c4c0899c5259b34e2e9908">How you can help</a></li><li><a
href="http://web.archive.org/web/20070805124756/http://wiki.thc.org/cracking_a5#
head-cb5ff9444627fa98efb9d04fa37d0ac2070db44a">TODO</a></li><li><a href="http://
web.archive.org/web/20070805124756/http://wiki.thc.org/cracking_a5#head-cf9c7bba
f8f7c5027f1d4fb9bf25328d04ca5be6">Requirements</a></li><li><a href="http://web.a
rchive.org/web/20070805124756/http://wiki.thc.org/cracking_a5#head-007e5fe318fb2
b65630f695b6ac9fb3a3f6e01f8">A5 weakness</a></li><li><a href="http://web.archive
.org/web/20070805124756/http://wiki.thc.org/cracking_a5#head-cead03ef657be7117a8
6f0c700fa800dd694ff18">A5/GSM encryption example</a></li><li><a href="http://web
.archive.org/web/20070805124756/http://wiki.thc.org/cracking_a5#head-64138c5686a
a40d8ab04efd92443b956f8e69ca7">Misc Ideas</a><ol><li><a href="http://web.archive
.org/web/20070805124756/http://wiki.thc.org/cracking_a5#head-0b6672496f7fb9dc098
eaced6f1f86739d562331">FPGA Ideas</a><ol><li><a href="http://web.archive.org/web
/20070805124756/http://wiki.thc.org/cracking_a5#head-a49771d908eed356d014f747426
04fa9af73d44b">Brute Force</a></li><li><a href="http://web.archive.org/web/20070
805124756/http://wiki.thc.org/cracking_a5#head-134aa5cf71ade84b3cd069cc3389a612b
87736de">Brute Force II</a></li><li><a href="http://web.archive.org/web/20070805
124756/http://wiki.thc.org/cracking_a5#head-4444aa665c6ed6b1836492327e614325e271
c683">possible boards</a></li></ol></li><li><a href="http://web.archive.org/web/
20070805124756/http://wiki.thc.org/cracking_a5#head-9c5e6cbfcfefe22a276f73d51d72
cdcb97167c22">Rainbow Table</a><ol><li><a href="http://web.archive.org/web/20070
805124756/http://wiki.thc.org/cracking_a5#head-89691ba2a57e2e3a59280748a5428ac5f
7c742ee">Idea I</a></li><li><a href="http://web.archive.org/web/20070805124756/h
ttp://wiki.thc.org/cracking_a5#head-fd131e7cc4e883d35f1fd1c5d606033a20a49458">Id
ea II</a></li><li><a href="http://web.archive.org/web/20070805124756/http://wiki
.thc.org/cracking_a5#head-a7b483518faf009b7d7d0e06fe3a08eb7f47d812">Idea III</a>
</li><li><a href="http://web.archive.org/web/20070805124756/http://wiki.thc.org/
cracking_a5#head-e467ef380130611b7af25da4d8367e23d5df2810">Idea IV</a></li><li><
a href="http://web.archive.org/web/20070805124756/http://wiki.thc.org/cracking_a
5#head-49297a2b6d698aca3e26a7b9519a1adf7f0ec9d3">Idea V</a></li><li><a href="htt
p://web.archive.org/web/20070805124756/http://wiki.thc.org/cracking_a5#head-91dc
ce4dee091ed0c78fcaccabbfc2aa8ff890b8">Idea VI</a></li></ol></li></ol></li><li><a
#head-a676f72cda6831833ec866338e6f277bc058b1a7">Resources</a><ol><li><a href="ht
tp://web.archive.org/web/20070805124756/http://wiki.thc.org/cracking_a5#head-dfd
0c5819f60ebc0728549f621229dabe9175857">List of used encryption around the World<
/a></li><li><a href="http://web.archive.org/web/20070805124756/http://wiki.thc.o
rg/cracking_a5#head-09c58797f15122ced40127af10230abe40f12d62">How to check if A5
/1 is used</a></li></ol></li><li><a href="http://web.archive.org/web/20070805124
756/http://wiki.thc.org/cracking_a5#head-10b4fbabc315a98385d77ce6cdd347e0cc09dc4
3">Links</a></li></ol></div> 
<h2 id="head-95c01db22f34647ab638420456c777c9c6813748">1. LICENSE</h2>
<pre>
GSM Software Project License
 Version 1, January 20
07

All code, information or data [from now
on "data"] available from the GSM Software Project or any other project linked
from this or other pages is owned by the creator who created the data. The copyr
ight, license right, distribution right and any other rights lies with the creat
or.
It is prohibitied to use the data witho
ut the written agreement of the creator. This included using ideas in other proj
ects (commercial or not commercial).
Where data was created by more than 1 c
reator a written agreement from each of the creators has to be obtained.
Please contact steve [at] segfault.net
for any questions.
</pre>
<h2 id="head-6fb4f4c3d7bdd898698faf9a42872184f837271c">2. About</h2>
</spa
n>We are security enthusiasts. Our goal is to implement a sys
tem that can crack A5/1. Our results will be used with the <a class="http" href=
"http://web.archive.org/web/20070805124756/http://www.thc.org/gsm">GSM Software
Project</a> to demonstrate weaknesses in GSM. The A5 algorithm has been broken (
in theory) in 1998 but it's still widely used. The mobile operators still insist
that the GSM customers (that's you and me!) are protected and that our data is
safe. 
We want to bring together all the folk
s who worked on the theory of cracking A5/1. 
Subscribe to our mailinglist b
y sending an email to a5-subscribe [at] lists.segfault.net 
<h2 id="head-31aea107a4660b26c7c4c0899c5259b34e2e9908">3. How you can help</
h2>
n><ol type="1"><li>Add links and information to this page or send them to steve
at segfault.net </li><li>Sponsor us! We
need hardware, books and coffee! </li>
<li>Come up with smart ideas. </li></ol>
<h2 id="head-cb5ff9444627fa98efb9d04fa37d0ac2070db44a">4. TODO</h2>
n><ol type="1"><li>Come up with example data (e.g. first encrypted burst from BT
S to MS and first burst from MS to BTS). </spa
n></li><li>Enhance the attack on A5/1 <
/li><li>Implement a A5/2 crack. </li></ol>
<h2 id="head-cf9c7bbaf8f7c5027f1d4fb9bf25328d04ca5be6">5. Requirements</h2>
n>The project comes in stages. <ol type="1"><li>Underst
and current state of A5/1 cracking (THAT'S WHERE WE ARE IN NOW!) </li><li>Implement A5/2 crack (the weaker of both algo
rithms) </li><li>Implement one of the m
any A5/1 cracks from the academic papers </spa
n></li><li>Research and Implement new ways to crack A5/1 </li></ol>Our ultimate goal is to crack A5/1: <ol type="1"><li>by only inter
cepting data (passiv) </li><li>require
less than 4Terabyte HD. </li><li>able t
o decrypt short encrypted bursts (like SMS, last less than 0.1 seconds). </li><li>Cracking time less than 1 day. </li
></ol>
<h2 id="head-007e5fe318fb2b65630f695b6ac9fb3a3f6e01f8">6. A5 weakness</h2>
n>A5 is weak. That's A5/1 and A5/2. When you look at the algo
rithm it just gives you a bad feeling. 
<ol type="1"><li>The registers are to small </li><li>The trap registers are all on one side </li><li>The 3 LSFRs do not mix results amoung each other <spa
n class="anchor" id="line-68"></li><li>Protocol implementation is faulty:
An attacker can record all encrypted traffic. If the attacker gains access to t
he sim at any point in the future he can decrypt all traffic sniffed in the past
. This works by putting the sim card into a sim reader and running the gsm_runal
gorithm() function on the sim. The sim will decode any traffic without us knowin
g the Ki. This attack requires access to the sim for 30 seconds and can decode a
ny GSM converstation that happened in the past. </li><li>etc etc etc </li></ol>I did a quick examp
le to visualize the entroypy. Crypto people love entropy. An easy way to visuali
ze the entropy is to generate a picture of the relationship between two, three o
r four successive numbers generated by the algorithm. Ideally we should not see
any structure. All pixels should be distributed randomly. <a class="http" href="
http://web.archive.org/web/20070805124756/http://lcamtuf.coredump.cx/newtcp/">lc
amtufs ISN analyzsis</a> explains more details about this method. 
I use a matlab script to generate the
graphics. <a class="attachment" href="http://web.archive.org/web/20070805124756/
http://wiki.thc.org/cracking_a5?action=AttachFile&do=get&target=x.txt" t
itle="attachment:x.txt">x.txt</a> contains the output of the a5/1 key initializa
tion algorithm. <pre>a = 0;
b = 0;
c = 0;
d = 0;
XD = 256;
YD = 256;
ZD = 256;
M = dlmread('x.txt', ' ');
V = M(2,2)
I(1:((XD - 1) * 2), 1:((YD - 1) * 2)) =
0;
for i=1:25600
 x = b - a; % -255 .. 255
 y = c - b; % -255 .. 255
 z = d - c; % -255 .. 255
 I(x + XD, y + YD) = cast(z + (Z
D - 1), 'double') / ((ZD-1) * 2);
 a = b;
 b = c;
 c = d;
 d = cast(mod(M(i, 1),256), 'int
16'); % val between 0..255
 %d = cast(rand(1,1) * XD, 'int1
6'); % val between 0..255
end
imshow(I);
</pre> 
Figure 1: Key set to 0. <a class="non
existent" href="http://web.archive.org/web/20070805124756/http://wiki.thc.org/Fr
ameNumber">FrameNumber</a> runs from 0-25600. We can see a structure. There is a
relationship between the key state with <a class="nonexistent" href="http://web
.archive.org/web/20070805124756/http://wiki.thc.org/FrameNumber">FrameNumber</a>
N and the key state with <a class="nonexistent" href="http://web.archive.org/we
b/20070805124756/http://wiki.thc.org/FrameNumber">FrameNumber</a> N - 1. 
<img class="attachment" src="http://w
eb.archive.org/web/20070805124756/http://wiki.thc.org/cracking_a5?action=AttachF
ile&do=get&target=key_0_fn_0-25600.png" title="attachment:key_0_fn_0-256
00.png"> TODO: add more. 
<h2 id="head-cead03ef657be7117a86f0c700fa800dd694ff18">7. A5/GSM encryption
example</h2>
</s
pan>TODO: write down how a5 works and how the data looks that
is encrypted and what the first encrypted message from/to basestation is and wh
ich bits are static/known/guessable. 
The Frame Number (FN) wrapps around e
very 3h 28min 53 sec and 750ms. 
A layer 1 GSM message is 23 octet lon
g. It is padded with 0x2b if less than 23 octet content data are to be send. 
How to encode 1 GSM message (after pa
dding): <ol type="1"><li>23 * 8 = 184 bit content dat
a per GSM message. [Output: 184 bit] </li><li>Add 40 bit fire code (crc) and 4
bit tail (0x00). [Output: 228 bit] </li><li>Convolutional encode the 228 bit.
This duplicates the number of (known) bits. [Output: 456 bit]
</li><li>Interl
eave the 456 bit. [Output: 456 bit] </li><li>Chop the 456 bit into 8 packs, ea
ch 57 bit long. Take the first two 57 bit chunks and send them in the first GSM
burst. The 3rd and 4th are send in the second GSM burst and so on and so on.[<st
rong>Output: 4x114 bit] <
/li><li>The frame number is known and incremented for each GSM burst. A5 is rein
itialized for _each_ burst. This means each burst is encoded under the same Kc b
ut under a different frame number. The A5 state is thus different for each GSM b
urst. </li></ol>First encrypted message send from MS to BTS is 'Ciphering Mode Complete': <pre>000: ?? ?? ?? 06 32 2b 2b 2b - 2b 2b 2b 2b 2b 2b 2b 2b
001: 2b 2b 2b 2b 2b 2b 2b
 0: ?? -------1 Extended Address: 1
octet long
 0: ?? ------0- C/R: Response
 0: ?? ---000-- SAPI: RR, MM and CC
 0: ?? -00----- Link Protocol Disci
minator: GSM (not Cell Broadcasting)
 1: ?? ------01 Supvervisory Frame
 1: ?? ----00-- RR Frame (Receive r
eady)
 1: ?? ---0---- Poll/Final bit (P/F
)
 1: ?? 000----- N(R), Retransmissio
n counter: 0
 2: ?? -------0 EL, Extended Length
: n
 2: ?? ------0- M, segmentation: N
 2: ?? 000010-- Length: 2
 3: 06 0------- Direction: From ori
ginating site
 3: 06 -000---- 0 TransactionID
 3: 06 ----0110 Radio Resouce Manag
ement
 4: 32 00110010 RR Cipher Mode Comp
lete
5">This message tells the BTS to start ciphering. The
first encrypted message send from the BTS to the MS is either a MMIdentityReques
t followed by a empty GSM message or a empty GSM message. Both of them contain p
lenty known plaintext: The 0x2b GSM message padding octet. <pre>000: 03 42 0d 05 18 03
2b 2b - 2b 2b 2b 2b 2b 2b 2b 2b
 0: 03 -------1 Extended Address: 1
octet long
 0: 03 ------1- C/R: Command
 0: 03 ---000-- SAPI: RR, MM and CC
 0: 03 -00----- Link Protocol Disci
 1: 42 -------0 Information Frame
 1: 42 ----001- N(S), Sequence coun
ter: 1
 1: 42 ---0---- P
 1: 42 010----- N(R), Retransmissio
n counter: 2
 2: 0d -------1 EL, Extended Length
: y
 2: 0d ------0- M, segmentation: N
 2: 0d 000011-- Length: 3
 3: 05 0------- Direction: From ori
ginating site
 3: 05 -000---- 0 TransactionID
 3: 05 ----0101 Mobile Management M
essage (non GPRS)
 4: 18 00------ SendSequenceNumber:
0
 4: 18 --011000 MMIdentidyRequest
 5: 03 -----011 IMEISV
8">or <pre>000: 03 03 01 2b 2b 2b 2b 2b - 2b 2b 2b 2b 2b 2b 2b 2b
 0: 03 -------1 Extended Address: 1
octet long
 0: 03 ------1- C/R: Command
 0: 03 ---000-- SAPI: RR, MM and CC
 0: 03 -00----- Link Protocol Disci
 1: 03 ------11 Unnumbered Frame
 1: 03 ---0---- P
 1: 03 000-00-- UI frame (Unnumbere
d information)
 2: 01 -------1 EL, Extended Length
: y
 2: 01 ------0- M, segmentation: N
 2: 01 000000-- Length: 0
4">
<h2 id="head-64138c5686aa40d8ab04efd92443b956f8e69ca7">8. Misc Ideas</h2>
pan><ol type="1"><li>Shall we do a brute force with FPGA or do a smart attack as
outlined in the 2001 paper? </li><li>
Can we use the weakness in A8/A3 to calculate Kc for A5/1? </li><li>What happened to the cypherpunks mailinglist? The
LNE links seem to be down! Anyone? </l
i><li>I'm not concerned if we need 50 FPGA's or 4TB or harddrives. Some people s
ay that it's not practical to carry 4TB of harddrives in a rucksack. We can alwa
ys host the solution and when on a cracking mission the challenge can be send (v
ia sms?) to the hosted Cracking Server which sends the results back after a coup
le of seconds. </li><li>Can we devide
the A5/1 cracking problems into smaller problems and solve each on its own? This
means finding a new attack against A5/1. </s
pan></li></ol>
<h3 id="head-0b6672496f7fb9dc098eaced6f1f86739d562331">8.1. FPGA Ideas</h3>
pan>
<h4 id="head-a49771d908eed356d014f74742604fa9af73d44b">8.1.1. Brute Force</h
4>
pan>Some initial thoughts on A5/1 and FPGA. All this needs to
be calculated more precisely. 
Each clock cycle the A5 implementatio
n should output 64 bit of streamcipher. We can put multiple A5 implementations o
n the same FPGA chip. The calculation is based on a pipelined implementation of
A5. 
The three LSFR registers are in total
19 + 22 + 23 = 64bit long. The first LSFR requires 5 Logical Units (LU's, e.g x
or). The second requires 3 LU's and the last one requires 5 LU's. All together 1
3 LU's and 64 bit. The Trap register a
dd's 1 LU per LSFR. Makes 16 LU's and 64bit. 
Generating the state (with key and <a
class="nonexistent" href="http://web.archive.org/web/20070805124756/http://wiki
.thc.org/FrameNumber">FrameNumber</a> (FN)) requires 64 + 22 = 88 steps. This is
followed by another 100 cycles. Each of the 100 cycles requires 1 LU less per L
SFR. After these 100 cycles we want to generate about 64 bit of output (e.g. eno
ther 64 cycles). <ol type="1"><li>LU's: 16 * 88 + 13 * 100 + 13 * 64 = 3
540 </li><li>Registers: 64 * 88 + 64 *
100 + 64 * 64 = 16128 </li></ol>After 88 + 100 + 64 cycl
es we will start seeing 64 bit of stream cipher output for each cycle. 
This is all not optimized. We do not
need the first 9 steps because the Tap register only start at bit 8. we also do
not need all the LU's or registers for the first 18 steps because the first LSFR
is not fully used until step 18. Same for the last 64 steps. For each of the la
st 64 steps we only need 2 LU's and 1 register less for each step. 
We decided to use Xilinx. Altera is a good choice as
well but at the moment most of us worked with xilinx before. 
The Virtex-5 from Xilinx LX330 has 33
0.000 LU's and runs at 500 Mhz. That brings us down to 4 days per development bo
ard?! But the boards and chips are to expensive. Better to stick with LX50. <spa
n class="anchor" id="line-217">

<h4 id="head-134aa5cf71ade84b3cd069cc3389a612b87736de">8.1.2. Brute Force II
</h4>
pan>Some more precise calculation by David Hulton:[[BR]] <spa
n class="anchor" id="line-221">The LX50 can run at 200-300Mhz and cost $3
00 each (just the chip, without dev board). I pipelined my version of A5/1 and came up with some rough numbers on <spa
n class="anchor" id="line-223">the Virtex-5 LX50. This is purely just com
puting the 186 clock cycles for setup
and only computing a single bit of output from the pipeline on each clock cycle. I'm sure we could optimize it a littl
e bit but once we factor in the overhe
ad of doing the key compares and other bridge code it probably won't be much less than the numbers here.. With this design, we will probably only be able to fit 4 fully <s
pan class="anchor" id="line-230">pipelined instances of A5/1 on here unle
ss we can hand-optimize the placement
better than the Xilinx tools and code in some of the shortcuts that you mentioned on the a5 cracking page. I'll work o
n this a bit more and see if I can red
uce the logic down. <pre>Slice Logic Utilization:
 Number of Slice Registers:
7,289 out of 28,800 25%
 Number used as Flip Flops:
7,289
 Number of Slice LUTs:
6,968 out of 28,800 24%
 Number used as logic:
6,566 out of 28,800 22%
 Number using O6 output only:
6,566
 Number used as Memory:
402 out of 7,680 5%
 Number used as Shift Register:
402
 Number using O6 output only:
402
Slice Logic Distribution:
 Number of occupied Slices:
2,670 out of 7,200 37%
 Number of LUT Flip Flop pairs used:
7,292
 Number with an unused Flip Flop:
3 out of 7,292 1%
 Number with an unused LUT:
324 out of 7,292 4%
 Number of fully used LUT-FF pairs:
6,965 out of 7,292 95%
 Number of unique control sets:
2
 A LUT Flip Flop pair for this archit
ecture represents one LUT paired with
 one Flip Flop within a slice. A con
trol set is a unique combination of
 clock, reset, set, and enable signal
s for a registered element.
 The Slice Logic Distribution report
is not meaningful if the design is
 over-mapped for a non-slice resource
or if Placement fails.
IO Utilization:
 Number of bonded IOBs:
88 out of 220 40%
Specific Feature Utilization:
 Number of BUFG/BUFGCTRLs:
1 out of 32 3%
 Number used as BUFGs:
1
Total equivalent gate count for design
: 155,730
Additional JTAG gate count for IOBs:
4,224
9">
<h4 id="head-4444aa665c6ed6b1836492327e614325e271c683">8.1.3. possible board
s</h4>
pan><ul><li><a class="http" href="http://web.archive.org/web/
20070805124756/http://www.nuhorizons.com/xilinx/boards/virtex-5/ML501/index.asp"
>ML501 Xlinix LX50</a> ($955) </li
><li><a class="http" href="http://web.archive.org/web/2007080
5124756/http://www.picocomputing.com/documentation/E-16.php">PicoComputing E-16
LX50</a> ($2.000) </li></ul>The LX330 boards cost $5.
000. Because we can put 4x more a5/1 implementations on them and they run 6.6x f
aster it might be worth it. 
<h3 id="head-9c5e6cbfcfefe22a276f73d51d72cdcb97167c22">8.2. Rainbow Table</h
3>
pan>Traditional rainbow tables take the key as input. Our key
is 88 bit (of which the last 22 bit are the known Frame Number). We can not gen
erate a rainbox table for 2^88 key combinations. 
span>
<h4 id="head-89691ba2a57e2e3a59280748a5428ac5f7c742ee">8.2.1. Idea I</h4>
The state table of
all 3 LSFR's combined is just 64 bit. The A5 initialization process (e.g. seedin
g in key + FN and mixing it 100 cycles) is reverseable. Thus once we know the ke
y state we can compute the key easily. Generating rainbow tables for 64 bit keys
is difficult (TODO: calculate how difficult and how many FPGA's required). 
This attack would work regardless of
the frame number and regardless of the key length (54, 64 or 128 bit). It also u
ses less LU's than the normal key brute force implementation. 
All 3 LSFR can be stuck together to g
et one 64bit register: | R1 19bit | R2 22bit | R3 23bit | 
span>Rought idea of generating rainbow table with 2^36 ta
bles: <ol type="1"><li>Start with
key state bit 35..0 is set to 0000..001. Bit 63..36 is set to 0. </li><li><a class="nonexistent" hr
ef="http://web.archive.org/web/20070805124756/http://wiki.thc.org/RainbowtableNu
mber">RainbowtableNumber</a>++; Entries = 0; 
</li><li>Calculate 64bit output from this keystate. Entries++; </li><li>If output's bit 63..36 are all 0 th
en stop this rainbow table. Otherwise take 64 bit usefull output and use this ou
tput as state. Repeat 3. </li><li>Incr
ement value in bit 35..0 by 1 (e.g. start next rainbow table). Repeast 2. </
li></ol>Problems: <ol type="1"><li>What happens if we never hit a state that has bit 63..36 to
all 0s (e.g. if we are stuck in a loop)? Break loop after a maximum number of it
erations and call it an 'unlucky' rainbow table which is handles specially? <spa
n class="anchor" id="line-298"></li><li>Using bit 63..36 is just an examp
le. In fact any number of bits (in sequence or not in sequence) can be used. <sp
an class="anchor" id="line-299"></li></ol>
<h4 id="head-fd131e7cc4e883d35f1fd1c5d606033a20a49458">8.2.2. Idea II</h4>
(This Idea is now o
bsolete) 
Maybe it's enough to generate a rainb
ow table for <a class="nonexistent" href="http://web.archive.org/web/20070805124
756/http://wiki.thc.org/FrameNumber">FrameNumber</a> 0. Calculating all 2**54 ke
ys with an FPGA and generating a rainbow tables is a matter of days (e.g. possib
le). Can a rainbow table generated with <a class="nonexistent" href="http://web.
archive.org/web/20070805124756/http://wiki.thc.org/FrameNumber">FrameNumber</a>
== 0 be used to decrypt packets that do not have Frame Number set to 0? 

<h4 id="head-a7b483518faf009b7d7d0e06fe3a08eb7f47d812">8.2.3. Idea III</h4>
Is it possible to r
educe a LSFR register? By this i mean exist there a shorter LSFR register that w
ould produce the same output (for a ce
rtain class of keys)? 
<h4 id="head-e467ef380130611b7af25da4d8367e23d5df2810">8.2.4. Idea IV</h4>
We do not need to g
enerate rainbow tables for all possible keystates. Let's assume we generate rain
bow tables for 1/4 of all keystates (e.g 62bit). If we sniff 64 bit known plaint
ext our chances that we can crack it with the rainbow table is 25%. 
A5 is reversable: Let N be the index
of current working bit of the A5 algorithm (e.g. after N bits of output have bee
n produced and N bit of plaintext have been encrypted). Let keystate(N) be the s
tate of the keystate after N bits have been produced. Let plaintext(N) be the N-
th bit of the plaintext. It is possible to calculate keystate(N-1) if keystate(N
) and plaintext(0..N) is known. 
Let's assume we know 65 bit of plaint
ext. We first try to find a match in the rainbow table for bit 0..63 and then we
try to find a match for bit 1..64. The probability for 65 bit known plaintext i
t is already 1 - (3/4)**(65 - 64 + 1) = 43.75%. For 80 bit known plaintext it is
1 - (3/4)**(80 - 64 + 1) = 98.997%. 
Let's get this further down: Generate
1/64 of all rainbow tables (which makes it a 58bit problem): If we get 128 bit
of known plaintext our chances of decoding it are 1 - (63/64)**(128 - 64 + 1) ==
64% or 95% if 256 bit of plaintext are known. 
The maximum number of bits that are e
ncrypted under the same keystate is 114. There are 4 bursts of 114 bit and the p
laintext of each of the bursts is known. For each burst the propability of crack
ing it with only 1/64th of the rainbow table is: 
1-(63/64)^(114 - 64 + 1) = 55.2% 
Considering that we have a 55.2% chance for each of the 4 burst: 
1 - (1 - 0.552)**4 = 95.97% 
Limitation: It is obivous that this i
s working if we are dealing with successive bits of plaintext. It is less obviou
s that this also works as long as the 65 bit plaintext as distributed equaly (FI
XME: can we optimize this?). <ol t
ype="1"><li>Does NOT work: bit 0..63 in one sequence followed by some unknown pl
aintext followed by bit 64 of known plaintext. </li><li>DOES work: plaintext bit 0 followed by 1 unknown plaintext bit
followed by known plaintext bit 1, followed by unknown plaintext bit followed b
y known plaintext bit 2, ... until 64. </li></ol>Further
optimization: <ol type="1"><li>Do
this over multiple messages (e.g. if we know 128 bit in the first packet and ano
ther 128 bit in the second message it dramaticaly increases our chances of findi
ng the key state in one of our rainbow tables). </li><li>Remember that for each message the BTS sends the MS also sen
ds a message. Again, increasing our chances. 
</li></ol>
<h4 id="head-49297a2b6d698aca3e26a7b9519a1adf7f0ec9d3">8.2.5. Idea V</h4>
pan>We have known plaintext. The first encrypted message send
from the BTS to the MS is amost all 0x2b (except for the first three octets). T
his means we can implement the attack by Anderson and Roe: Guessing the 41 bit i
n the shorter R1 and R2 registers, and deriving the 23bit of the longer R3 regis
ter from the output. 
Anderson and Roe's attack is further
described in <a class="http" href="http://web.archive.org/web/20070805124756/htt
p://pv.fernuni-hagen.de/docs/apc2001-final.pdf">A5/1 FPGA cracking</a>. 
 
Calculating Rainbow tables for this i
s the next challenge. Combing this with Idea IV makes it a 41-6 = 35 bit problem
. 
<h4 id="head-91dcce4dee091ed0c78fcaccabbfc2aa8ff890b8">8.2.6. Idea VI</h4>
pan>Are there 'useless' bits in R2? It only has two trap regi
sters. Does this help us calculating the value of others? 
<h2 id="head-a676f72cda6831833ec866338e6f277bc058b1a7">9. Resources</h2>
pan><ol type="1"><li><a class="attachment" href="http://web.a
rchive.org/web/20070805124756/http://wiki.thc.org/cracking_a5?action=AttachFile&
amp;do=get&target=CS-2006-07-cracking-a5.pdf" title="attachment:CS-2006-07-c
racking-a5.pdf">CS-2006-07-cracking-a5.pdf</a> Barkan, Biham and Keller. Most re
cent research paper about cracking A5/1. </sp
an></li><li><a class="attachment" href="http://web.archiv
e.org/web/20070805124756/http://wiki.thc.org/cracking_a5?action=AttachFile&d
o=get&target=PHD-2006-04.pdf" title="attachment:PHD-2006-04.pdf">PHD-2006-04
.pdf</a> Elad Pinhas Barkan, Cryptoanalyzis of Ciphers (A5, Rainbow tables) <spa
n class="anchor" id="line-344"></li><li><a class="
attachment" href="http://web.archive.org/web/20070805124756/http://wiki.thc.org/
cracking_a5?action=AttachFile&do=get&target=GsmSecurity.pdf" title="atta
chment:GsmSecurity.pdf">GsmSecurity.pdf</a> 15 Dec 2006, Stausholm, Dahl. Explai
ning A5 and different attack vectors. 
</li><li><a class="http" href="http://web.archive.org/web
/20070805124756/http://cryptome.org/a51-bsw.htm">2000, Biryukov, Shamir, Wagner
(WWW)</a>. (<a class="attachment" href="http://web.archive.org/web/2007080512475
6/http://wiki.thc.org/cracking_a5?action=AttachFile&do=get&target=biryuk
ov00real.pdf" title="attachment:biryukov00real.pdf">PDF</a>) Real Time Cryptanal
ysis of A5/1 on a PC. </li><li><a class="http" href="http://web.archive.org/web/20070805124756/
http://homes.esat.kuleuven.be/%7Eabiryuko/sac05_tradeoff_multiple_data.pdf">Time
/Memory/Data Trade-off Attacks</a> </li><li><a class="http" href="http://web.archive.org/web/20
070805124756/http://pv.fernuni-hagen.de/docs/apc2001-final.pdf">A5/1 FPGA crack<
/a> </li><li><a
class="attachment" href="http://web.archive.org/web/20070805124756/http://wiki.
thc.org/cracking_a5?action=AttachFile&do=get&target=ekdahl-03-a51a.pdf"
title="attachment:ekdahl-03-a51a.pdf">ekdahl-03-a51a.pdf</a> Different Attack. R
equires 2-5 mins of data. Not practical but good A5 explanation. </li><li><a class="attachment"
?action=AttachFile&do=get&target=a5_implementation.htm" title="attachmen
t:a5_implementation.htm">Ross Anderson</a> original email posting. </li><li><a class="attachmen
t" href="http://web.archive.org/web/20070805124756/http://wiki.thc.org/cracking_
a5?action=AttachFile&do=get&target=a5-1-2.c" title="attachment:a5-1-2.c"
>a5-1-2.c</a> Most recent A5/1 and A5/2 implementation by Marc Briceno. </li><li><a class="atta
chment" href="http://web.archive.org/web/20070805124756/http://wiki.thc.org/crac
king_a5?action=AttachFile&do=get&target=a3a8.txt" title="attachment:a3a8
.txt">a3a8.txt</a> A3 and A8 implementation by Briceno, Goldberg and Wagner. <sp
an class="anchor" id="line-352"></li><li><a class=
"http" href="http://web.archive.org/web/20070805124756/http://www.gsmworld.com/u
sing/algorithms/index.shtml">A5/3 and 3G algorithm</a>. </li></ol>
<h3 id="head-dfd0c5819f60ebc0728549f621229dabe9175857">9.1. List of used enc
ryption around the World</h3>
pan>Known GSM Netowrk Encryption usage 
Version 1.12 8th December 2005 
<a class="attachment" href="http://we
b.archive.org/web/20070805124756/http://wiki.thc.org/cracking_a5?action=AttachFi
le&do=get&target=gsm_network_encryption_list.csv" title="attachment:gsm_
network_encryption_list.csv">gsm_network_encryption_list.csv</a> 
If you have updates (what about Franc
e??) please send an email to steve at segfault.net. <div><table><tbody><
tr> <td>MCC</td>
<td>Country</td>
<td>MNC</td>
<td>Network</td>
<td>Crypto</td>
<td>Date & City</td>
<td>Comments</td>
</tr>
<tr> <td>204</
td>
<td>Netherlands</td>
<td>4</td>
<td>Vodafone</td>
<td>A5/1</td>
<td> </td>
</tr>
td>
<td>KPN</td>
</tr>
td>
<td>T-Mobile</td>
</tr>
td>
<td>O2</td>
</tr>
td>
<td>Orange</td>
</tr>
td>
<td>Belgium</td>
<td>Proximus</td>
</tr>
td>
<td>Mobilstar</td>
</tr>
td>
<td>Base</td>
</tr>
td>
<td>France</td>
<td>10F</td>
<td>SFR</td>
<td>A5/1, A5/0</td>
<td>2007-05-25 Grenoble</td>
<td>A5/1 for TCH, A5/0 for SMS</td>
</tr>
td>
<td>Spain</td>
</tr>
td>
<td>Amena</td>
</tr>
td>
<td>Movistar</td>
</tr>
td>
<td>Italy</td>
<td>TIM</td>
</tr>
td>
<td>Italy</td>
</tr>
td>
<td>United Kingdom</td>
</tr>
td>
</tr>
td>
<td>T-Mobile</td>
</tr>
td>
</tr>
td>
<td>Denmark</td>
<td>TDC</td>
</tr>
td>
<td>Norway</td>
<td>Telenor Mobil</td>
</tr>
td>
<td>Norway</td>
<td>Netcom</td>
</tr>
td>
<td>Russia</td>
<td>MTS</td>
</tr>
td>
<td>Megafon</td>
</tr>
td>
<td>Beeline</td>
</tr>
td>
<td>Germany</td>
</tr>
td>
<td>Eplus</td>
</tr>
td>
</tr>
td>
<td>Ireland</td>
</tr>
td>
<td>Slovenia</td>
<td>SI Mobil Vodafone</td>
</tr>
td>
<td>SI Mobitel GSM</td>
</tr>
td>
<td>Vega</td>
</tr>
td>
<td>India</td>
<td>IDEA</td>
</tr>
td>
<td><a class="nonexistent" href="http://web.archive.org/web
/20070805124756/http://wiki.thc.org/AirTel">AirTel</a></td>
</tr>
td>
<td>Essar</td>
</tr>
td>
</tr>
td>
<td>Dolphin</td>
</tr>
td>
<td>United Arab Emirates</td>
<td>Etisalat</td>
</tr>
td>
<td>Australia</td>
<td>Telstra</td>
</tr>
td>
<td>Optus</td>
</tr>
td>
</tr>
td>
<td>Philippines</td>
<td>Globe</td>
</tr>
td>
<td>Smart</td>
</tr>
td>
<td>Sun</td>
</tr>
td>
<td>Kenya</td>
<td>Safaricom</td>
</tr>
td>
<td>Kenya</td>
<td>Celtel</td>
</tr>
</tbody></table></div>Converting the CSV to wiki table: <pre>cat gsm_network_encryption_lis
t.csv | sed 's/"//g' | while read x; do echo "||`echo "$x" | sed 's/,/||/g'`||";
done
1">History:
When A5/1 came out mostly germany (as
the bordering country to the soviet block) wanted to implement strong encryption
. Other Nato members (led by france) were worried that the middle east would use
strong encryption. Thus they cut a deal to come up with a weaker version, A5/2.
These days both (A5/1 and A5/2) have been broken. A5/3 has not been seen in the
wild yet. Other comments: <ol type="1"><li>No encryption in Russia/Ukraine, during eme
rgencies (which can last weeks!) </li>
<li>No encryption if BTS is under load (can somebody confirm??) </li><li>No encryption in germany during HLR/VLR outag
es </li><li>In some arab countries wit
hout reason some areas without encryption. </li><li>SMS are sometimes unencrypted even when TCH is encrypted. </li
></ol> 
<h3 id="head-09c58797f15122ced40127af10230abe40f12d62">9.2. How to check if
A5/1 is used</h3>
pan>There are two ways. You can either use <a class="http" hr
ef="http://web.archive.org/web/20070805124756/http://wiki.thc.org/gsm#NETMONITOR
">Nokia's Netmonitor (aka Field Tester)</a> or you can use any dct3 mobile (like
the nokia 3310) and gammu + PC to find out. The netmonitor is the easier way be
cause you do not need a PC. The <a class="http" href="http://web.archive.org/web
/20070805124756/http://wiki.thc.org/gsm#NETMONITOR">netmonitor software</a> runs
on many famous mobiles phones (nokia 6630, 6680, n70, sony erricson, ..) 
span><ol type="1"><li>Make sure your phone is using GSM (and not 3G/UMTS or DUAL). Go to Menu -
> Tools -> Settings -> Network -> Network mode and switch to GSM. <s
pan class="anchor" id="line-429"></li><li>Install the netmonitor by c
onnecting your phone to the PC (via usb cable). </li><li>Launch netmonitor <
/li><li>Go to screen 1.10. Send a SMS to the phone. See if the 'Ciphering val' c
hanges from OFF to something else. </l
i><li>Go to screen 1.10. Call the mobile phone. See if the 'Ciphering val' chang
es from OFF to something else. </li><l
i>Send an email to steve [at] segfault dot net including the country, mobile ope
rator and cipher used (See example results below). </li></ol>Example how it looks like: <di
v><table><tbody><tr> <td><img class="attachment" src="http:/
/web.archive.org/web/20070805124756/http://wiki.thc.org/cracking_a5?action=Attac
hFile&do=get&target=netmode.jpg" title="attachment:netmode.jpg"></td
>
<td><img class="attachment" src="http://web.archive.org/web
/20070805124756/http://wiki.thc.org/cracking_a5?action=AttachFile&do=get&amp
;target=ftd109.jpg" title="attachment:ftd109.jpg"></td>
</tr>
</tbody></table></div>Results of this example: <ul><l
i>Date: 2007/05/25 09:32 </li><li>Coun
try Code: 234 </li><li>Network Code: 1
0F </li><li>Location area: 12124 (cent
ral london) </li><li>A51 when receivin
g SMS </li><li>A51 when receiving voic
e call </li><li>Hopping: On </li></ul>The other metho
d is by using gammu and a dct3 trace mobile (like the nokia 3310) connected to t
he PC. Start a trace, make a phonecall and send in the out.xml file that gammu p
roduces. See our main project page on how to use gammu and dct3 trace mobiles. C
heck the <a class="http" href="http://web.archive.org/web/20070805124756/http://
wiki.thc.org/gsm">GSMSP Project</a> for more infos on how to use gammu. <spa
n class="anchor" id="line-450">
<h2 id="head-10b4fbabc315a98385d77ce6cdd347e0cc09dc43">10. Links</h2>
pan><ol type="1"><li><a class="http" href="http://web.archive
.org/web/20070805124756/http://www.dia.unisa.it/professori/ads/corso-security/ww
w/CORSO-9900/a5/Netsec/netsec.html">http://www.dia.unisa.it/professori/ads/corso
-security/www/CORSO-9900/a5/Netsec/netsec.html</a> </li><li><a class="http" href="http://web.ar
chive.org/web/20070805124756/http://jya.com/crack-a5.htm">http://jya.com/crack-a
5.htm</a> <a class="attachment" href="http://web.archive.org/web/20070805124756/
http://wiki.thc.org/cracking_a5?action=AttachFile&do=get&target=jya_com_
crack-a5.htm" title="attachment:jya_com_crack-a5.htm">local mirror</a> </li><li><a class="http"
href="http://web.archive.org/web/20070805124756/http://cryptome.org/a51-crack.h
tm">http://cryptome.org/a51-crack.htm</a> </s
pan></li><li class="gap"><a class="http" href="http://web.archive.org/web/20070805124756/http:/
/www.copacobana.org/">http://www.copacobana.org/</a> </li></ol></div></div
>
<div id="pagebottom"></div>
<div id="footer">
Balanced theme by Henrik Omma and Heather Stern. Powered by <a href="http:/
/web.archive.org/web/20070805124756/http://moinmoin.wikiwikiweb.de/">MoinMoin</a
>
</div>

<script language="Javascript">

</script>
</body></html>

Thcwiki

Încărcat de

Informații document

Descriere originală:

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Thcwiki

Încărcat de

Drepturi de autor:

Formate disponibile

</head><body dir="ltr" lang="en">

S-ar putea să vă placă și