http://www.scard.org/press/19980413-01/
http://dailynews.yahoo.com/headlines/technology/wired/story.html?s=z/reuters/980413/wired/stories/security_4.html
http://www.pathfinder.com/time/magazine/1998/dom/980420/notebook.techwatch.levit24.html
http://cgi.pathfinder.com/netly/continue/0,1027,1898,00.html
http://cgi.pathfinder.com/netly/opinion/0,1042,1774,00.html
http://www.latimes.com/HOME/NEWS/BUSINESS/t000035457.1.html
http://www.isaac.cs.berkeley.edu/isaac/gsm-faq.html
http://www.isaac.cs.berkeley.edu/isaac/gsm.html
The GSM encryption algorithm, A5, is not much good. Its effective key length is
at most five bytes; and anyone with the time and energy to look for faster attacks
can find source code for it at the bottom of this post.
The politics of all this is bizarre. Readers may recall that there was a fuss last
year about whether GSM phones could be exported to the Middle East; the
official line then was that A5 was too good for the likes of Saddam Hussein.
However, a couple of weeks ago, they switched from saying that A5 was too
strong to disclose, to saying that it was too weak to disclose! The government
line now pleads that discussing it might harm export sales.
Maybe all the fuss was just a ploy to get Saddam to buy A5 chips on the black
market; but Occam's razor suggests that we are really seeing the results of the
usual blundering, infighting and incompetence of bloated government
departments.
Indeed, my spies inform me that there was a terrific row between the NATO
signals agencies in the mid 1980's over whether GSM encryption should be
strong or not. The Germans said it should be, as they shared a long border with
the Evil Empire; but the other countries didn't feel this way, and the algorithm
as now fielded is a French design.
A5 is a stream cipher, and the keystream is the xor of three clock controlled
registers. The clock control of each register is that register's own middle bit,
xor'ed with a threshold function of the middle bits of all three registers (i.e. if two
or more of the middle bits are 1, then invert each of these bits; otherwise just use
them as they are). The register lengths are 19, 22 and 23, and all the feedback
polynomials are sparse.
Readers will note that there is a trivial 2^40 attack (guess the contents of
registers 1 and 2, work out register 3 from the keystream, and then step on to
check whether the guess was right). 2^40 trial encryptions could take weeks on
a workstation, but the low gate count of the algorithm means that a Xilinx chip
can easily be programmed to do keysearch, and an A5 cracker might have a few
dozen of these running at maybe 2 keys per microsecond each. Of course, if all
you want to do is break the Royal Family's keys for sale to News International,
then software would do fine.
It is thus clear that A5 should be free of all export controls, just like CDMF and
the 40-bit versions of RC2 and RC4.
Indeed, there seems to be an even faster attack. As the clock control is stop-go
rather than 1-2, one would expect some kind of correlation attack to be possible,
and on June 3rd, Dr Simon Shepherd of Bradford University was due to present
an attack on A5 to an IEE colloquium in London. However, his talk was spiked
at the last minute by GCHQ, and all we know about his attack is:
a. that sparse matrix techniques are used to reconstruct the initial state
(this was published as a `trailer' in the April 93 `Mobile Europe');
b. that he used some of the tricks from my paper `Solving a class of stream
ciphers' (Cryptologia XIV no 3 [July 90] pp 285 - 288) and from the
follow-up paper `Divide and conquer attacks on certain classes of
stream ciphers' by Ed Dawson and Andy Clark (Cryptologia XVIII no 1
[Jan 94] pp 25 - 40) (he mentioned this to me on the phone).
I believe that we have to stand up for academic freedom, and I hope that placing
A5 in the public domain will lead to the embargo on Simon's paper being lifted.
Ross Anderson
APPENDIX - AN IMPLEMENTATION OF A5
The documentation we have, which arrived anonymously in two brown
envelopes, is incomplete; we do not know the feedback taps of registers 2 and 3,
but we do know from the chip's gate count that they have at most 6 feedback taps
between them.
The following implementation of A5 is due to Mike Roe, and all comments and
queries should be sent to him.
Message-ID: <3540CAB1.2BBB@argo.es>
Date: Fri, 24 Apr 1998 19:24:01 +0200
From: Jesús Cea Avión <jcea@argo.es>
To: hacking@argo.es, anita@argo.es, teleco-vigo@argo.es,
gdi@uvigo.es, apedanica@encomix.es, free-miembros@arnal.es,
ircops@esnet.org, cert-es@listserv.rediris.es
Subject: El GSM cae!!! (y 2)
References: <3536295B.7CFE@argo.es>
This message is meant to complement the text I sent a few days ago.
Nevertheless, customers should protect their wireless phones and SIM cards the
same way they would protect their wallets and bank cards. Subscribers who lose
their phone or SIM card should report it immediately to their wireless service
company. The lost or stolen SIM can be de-activated to prevent others from
using the account.
3. There is no risk of over-the-air eavesdropping.
The level of encryption used by GSM makes over-the-air eavesdropping nearly
impossible. So far, no one claims that they can listen to the content of
conversations or monitor data transmitted over the air on the GSM network,
including governments and network operators. Confidentiality of GSM customer
conversations remains intact and uncompromised.
4. The ability to copy a SIM card is nothing new.
It was always known that this could be done. Last weekend's announcement is
really no different from processes GSM providers use all the time to encode
smart chips. For several years now, educational institutions and scientific
laboratories have demonstrated the capability to extract data from, and copy,
smart cards. But it is an extremely complex task and would not be practical for
stealing wireless phone service. Besides, even if a handset or SIM card were
stolen, GSM operators have the ability and technological tools to shut down
fraudulent service quickly.
5. The key code which protects a subscriber identity is not "fatally flawed."
This is a somewhat complicated subject. There are two different key codes: first,
an authentication code - the A3 algorithm- that protects the customer's identity;
second, an encryption code - the A5 algorithm - that ensures the confidentiality
of conversations. It has been alleged that the authentication code (A3 algorithm)
is weakened because only 54 of the 64 bits are used, with 10 bits being replaced
by zeroes. In reality, those final 10 bits provide operators with added flexibility
in responding to security and fraud threats. Additionally, the GSM algorithm
that the researchers claimed to have broken is the "example" version provided
by the international organization that governs the use of GSM technology to its
approved carriers for them to create their own individual version. It may not be
what is deployed in the market. Several operators have already decided to
customize their codes, making them more sophisticated.
There has been some confusion about the various types of code used by GSM. In
addition to the 64-bit authentication cipher, there is a more powerful voice
encryption code (A5 algorithm) which helps keep eavesdroppers from listening
to a conversation. This code was not involved in last weekend's announcement.
Also, the speculation that GSM's encryption algorithms have been deliberately
weakened because of pressure by the U.S. intelligence community is absolutely
false.
Conclusion
Solution:
Reissue new SIM cards using more secure A3 and A8
algorithms instead of COMP128. This change requires no
modification to the mobile handsets or to the network,
apart from the central authentication system (there may
be a couple of them in an entire GSM network). The only
cost would be that of creating and distributing the new
cards.
> OK, I clone a GSM card and I can use it to make calls
> charged to whatever poor sap is next in line, but the part about listening
> to the conversations isn't so clear to me.
[...]
> am I wrong?
Evidently yes :).
Let's see, let me explain...
a. I switch on my mobile.
b. The mobile "listens" for the networks that are present, picks one of them (yours :)
and requests registration.
c. The base station receives the request and proceeds to authenticate the user. To do so:
d. The base station requests a "challenge" from the operator registered in the user's SIM.
e. The authentication centre the user depends on (which may belong to another
network, if the user is "roaming") sends the base station three values:
RETO (challenge), RESPUESTA (response) and CLAVE (key).
f. The base station sends RETO to the mobile.
g. The mobile passes RETO to the card.
h. The card, using the A3 algorithm, encrypts RETO (using a secret key known only
to the card and to its authentication centre) and returns
RESPUESTA1 to the mobile.
i. The mobile sends RESPUESTA1 to the base station.
j. The base station checks that RESPUESTA1=RESPUESTA. This is where
authentication happens.
k. At the same time, the card encrypts RETO using the A8 algorithm and its secret
key. The final result is CLAVE1.
l. The card passes CLAVE1 to the mobile, which will use it as the encryption key in the
A5 algorithm, which is what protects the mobile's subsequent communications.
m. The base station will use the CLAVE value sent by the authentication centre
to encrypt its communications with the mobile.
CLAVE1=CLAVE.
As can be seen, knowledge of the "secrets" lives only in the authentication
centre and in the SIM. When the base station (which may belong to another company)
requests a triple of values, the authentication centre generates a random value for
RETO and encrypts it using A3/A8 and the user's secret key to obtain
RESPUESTA and CLAVE.
I hope this explanation has made clear, first, how "roaming" works :) and,
second, that knowing the A3, A8 and A5 algorithms (which, although initially
confidential, are public knowledge today) and the SIM's secret key, it is possible
both to impersonate the user and to decrypt their conversations.
The latter is very simple. One only has to eavesdrop on the mobile's registration
with the network when it is switched on. During that registration the base station
sends RETO. We "hear" it with our duplicated SIM, and from it (and the secret key)
we can obtain CLAVE, which will be the key the mobile and the base station use
to "secure" the privacy of the communication.
If there are any questions...
Attack on A3/A8:
o The A3 and A8 algorithms, at present, correspond to COMP128 variants in
most GSM networks. In fact the usual arrangement is for A3/A8 to be computed
simultaneously using the same algorithm, as can be seen at
http://www.scard.org/gsm/a3a8.txt.
o The attack is possible not because of the 10-bit reduction of the key space
(something discovered "a posteriori"), but because of serious design flaws
in the algorithm itself, which would never have gone unnoticed had it been
submitted to the scrutiny of the academic community.
o In reality the card does not return the COMP128 output, only its first
32 bits. At first sight that ought to make the attack much harder, since a
collision in those 32 bits does not necessarily imply a collision in the
whole of COMP128. The attack takes this into account by sending the card
challenges for which a collision in those 32 bits but not in the rest is
very unlikely.
o There is growing evidence that the 10-bit reduction in the key (A8
algorithm) was intentional, so as to allow government agencies to record
calls.
o In Europe, the Chaos Computer Group has also successfully cloned a GSM SIM
card. The translated text can be found at
http://www.dis.org/erehwon/eucracke.html, and the original at
http://www.ccc.de/CRD/CRD240498.html. That site has plenty of information,
the software and the hardware schematic needed to clone your own card :-).
o Apparently barely a couple of GSM networks in the world use algorithms
other than COMP128 for A3/A8, which means that all of them are vulnerable
to the attack.
Measures taken by the GSM companies:
o In the midst of the uproar over the issue, the newspaper "Los Angeles Times"
publishes the following text:
Attack on A5:
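The registration exchange in steps a to m of the message above, as an added example written for this page (it is not code from the message, nor from any GSM implementation). The authentication centre and the SIM share the secret key; the base station, which may belong to a visited network, only ever receives the (RETO, RESPUESTA, CLAVE) triple. The A3/A8 function is a constructed stand-in built on HMAC-SHA256, not COMP128; the IMSI, the Ki and the "v2" tag in the replacement algorithm are made-up values, and only the interface (challenge in, 32-bit response and 64-bit key out) follows the text. The second algorithm shows the message's proposed fix: swapping A3/A8 on the card and in the authentication centre leaves the base-station code untouched.

```python
"""Simulation of the GSM challenge-response exchange described above.
Added example, not code from the original message.  The A3/A8 function is a
stand-in built from HMAC-SHA256 (constructed here; it is NOT COMP128), so only
the interface (RAND in, SRES and Kc out) matches the page."""
import hashlib
import hmac
import os


def comp128_like(ki, rand):
    """Stand-in with COMP128's shape: 32-bit SRES and a 64-bit Kc whose low
    10 bits are forced to zero, mirroring the 54 effective bits the page describes."""
    d = hmac.new(ki, rand, hashlib.sha256).digest()
    sres = d[:4]
    kc = (int.from_bytes(d[4:12], "big") & ~0x3FF).to_bytes(8, "big")
    return sres, kc


def stronger_a3a8(ki, rand):
    """Replacement algorithm (same interface) that uses all 64 Kc bits."""
    d = hmac.new(ki, b"v2" + rand, hashlib.sha256).digest()   # "v2" tag is made up
    return d[:4], d[4:12]


class AuthCentre:
    """Holds every subscriber's Ki and never sends it anywhere (step e)."""
    def __init__(self, algo):
        self.algo, self.keys = algo, {}

    def provision(self, imsi, ki):
        self.keys[imsi] = ki

    def triplet(self, imsi):
        rand = os.urandom(16)                        # RETO: fresh random challenge
        sres, kc = self.algo(self.keys[imsi], rand)
        return rand, sres, kc                        # RETO, RESPUESTA, CLAVE


class SIM:
    """The card: the only other place the secret key exists (steps g, h, k, l)."""
    def __init__(self, imsi, ki, algo):
        self.imsi, self.ki, self.algo, self.kc = imsi, ki, algo, None

    def run_gsm_algorithm(self, rand):
        sres1, self.kc = self.algo(self.ki, rand)   # RESPUESTA1 goes back; CLAVE1 stays on the card
        return sres1


class BaseStation:
    """Visited network: knows no Ki, only what the authentication centre hands over."""
    def __init__(self, auc):
        self.auc = auc

    def authenticate(self, sim):
        rand, sres, kc = self.auc.triplet(sim.imsi)   # step e
        sres1 = sim.run_gsm_algorithm(rand)           # steps f-i: RETO crosses the air in clear
        if not hmac.compare_digest(sres1, sres):      # step j: RESPUESTA1 == RESPUESTA ?
            return None
        return kc                                     # step m: the A5 key on the network side


def run_registration(algo, real_ki, card_ki):
    """Run one registration.  real_ki is what the authentication centre holds,
    card_ki what the SIM holds.  Returns (network-side key or None, card-side key)."""
    auc = AuthCentre(algo)
    auc.provision("imsi-constructed-001", real_ki)   # constructed IMSI
    sim = SIM("imsi-constructed-001", card_ki, algo)
    kc = BaseStation(auc).authenticate(sim)
    return kc, sim.kc


if __name__ == "__main__":
    ki = bytes(range(16))                            # constructed sample Ki
    kc, kc1 = run_registration(comp128_like, ki, ki)
    print("network Kc == card Kc:", kc == kc1, "low 10 bits zero:", kc[7] == 0 and kc[6] & 3 == 0)
    print("card with wrong Ki accepted:", run_registration(comp128_like, ki, bytes(16))[0] is not None)
    kc, kc1 = run_registration(stronger_a3a8, ki, ki)
    print("after swapping A3/A8 on SIM and AuC only:", kc == kc1)
```

The equality `kc == sim.kc` is the property the message builds on: both sides derive CLAVE from nothing but the secret key and the RETO that was sent in clear, so whoever holds a copy of the key and observes the registration ends up with the same session key. That is also why the remedy lives on the SIM and in the authentication centre: `BaseStation` never depends on which algorithm produced the triple.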
Message-ID: <m0ySMLJ-0003b8C@ulf.mali.sub.org>
Date: Thu, 23 Apr 98 15:47 +0200
From: ulf@fitug.de (Ulf Moller)
To: ukcrypto@maillist.ox.ac.uk
Subject: Re: More on A5 strength
In-Reply-To: <wxyax54fno.fsf@polysynaptic.iq.org>
CC: cryptography@c2.net
They mention how the keys are loaded, but the order of the bits is not
given. So it seems to me that Ross used the same leaked document from
which COMP128 has been reconstructed.
In his paper "On Fibonacci Keystream Generators", Ross states that the
best known attack on A5 consists of guessing the state of R1 and R2 and
working out R3 from the keystream. He writes, "There has been controversy
about the work factor involved in each trial, and at least one telecom
engineer has argued that this is about 2^12 operations giving a real attack
complexity on A5 of 2^52 rather than the 2^40 which one might naively
expect."
This known-plaintext attack does not depend on how the keys are loaded
to the registers. To execute the attack, you need to know the feedback
polynomials and the position of the "middle" bits, but the feasibility of
the attack clearly does not depend on a particular choice of these (still
unknown) parameters. So if the French A5 is in use, it can be broken in
2^52 decryptions.
Assume we have guessed the 40 bits of R1 and R2, and want to find R3,
given the output keystream (that is ciphertext XOR the known plaintext).
We get the MSB of R3 from knowing the MSB of R1 and R2 and the
output bit, because the output stream is the XOR of the three MSBs. So
if we can cycle the registers through and get all the 23 bits of R3, we
have determined the initial state of R3 and can do test decryptions to see
if the guess of R1 and R2 was right in the first place. (Note that this
works for any feedback polynomial.)
However, not all registers are clocked in every step. Not knowing the
middle bit of R3, in half the cases we don't know if R3 will be clocked,
in the other half we don't know whether R1 or R2 will be clocked. But if
we guess the middle bit correctly, we know which registers are clocked.
Thus the MSBs of R1 and R2 in the next step are known and we can
determine the content of the MSB of R3 from the output bit. Then, we
guess the new middle bit, which determines the following step and again
yields the MSB (bit 22 of the initial configuration). If we repeat this until
we have the complete R3, guessing 11 bits gets us another 11 bits for
free. (Does anyone see a shortcut there?)
What this means for the security of GSM depends on the GSM protocol.
How much known plaintext does it provide? Are the frame sequence
numbers that are mixed into registers known to eavesdroppers (otherwise
they'd have to try ~2^52 decryptions on every frame)?
If the frame sequence numbers are known, the reduced keyspace might
also help to break the encryption. Assuming the 10 zero-bits end up in
R1, you guess the remaining 9 bits and fast-forward the register
according to the random distribution that is given by the position in the
stream you are trying to break (in each step R1 is clocked with
probability 3/4). Then guess R2 and half of R3 as above.
Message-ID: <199805051757.KAA23788@modmult.starium.com>
To: Cypherpunks Lite
Date: Fri, 24 Apr 1998 08:00:52 -0600
From: bill payne <billp@nmol.com>
CC: wire@monkey-boy.com, cyberia-l@listserv.aol.com,
ukcrypto@maillist.ox.ac.uk,
cypherpunks@toad.com, whitfield
diffie ,
ted lewis ,
rivest@theory.lcs.mit.edu,
ray kammer <" kammer"@nist.gov>,
mab@research.att.com,
marc rotenberg , lwirbel@aol.com,
L E Banderet , jssob@unm.edu,
jimduram@onlinemac.com, heather
herrald ,
grassley ,
federico pena <"
Federico.F.Pena"@hq.doe.gov>, david sobel ,
c paul robinson ,
schneier@counterpane.com
Subject: SHIFT REGISTER technology
A1 A5 AND
A1 0= A9 0= AND XOR
A6 A10 XOR XOR ;
Message-ID: <354DC8CA.5D34@nmol.com>
Date: Mon, 04 May 1998 07:55:22 -0600
From: bill payne <billp@nmol.com>
To: jy@jya.com, masanori fushimi , w.chambers@kcl.ac.uk,
inter@technologist.com
CC: lwirbel@aol.com, wire@monkey-boy.com,
ukcrypto@maillist.ox.ac.uk, cypherpunks@toad.com, ted
lewis , hanson@vni.com
Subject: Period of sequences
Judy apparently did not realize that some years previous NSA employee
Brian Snow showed us about all of NSA's KG schematics. And their
field failure records!
Masanori Fushimi in Random number generation with the recursion x[t]
= x[t-3p] + x[t-3q], Journal of Applied Mathematics 31 (1990) 105-118
implements a gfsr with period 2^521 - 1. http://av.yahoo.com/bin/query?p=gfsr&hc=0&hs=0.
Fushimi's generator is sold by Visual Numerics.
Fushimi's implementation is very well tested. And worked SO WELL
that Visual Numerics numerical analyst Richard Hanson had TO BREAK
IT!
Reason was that the gfsr produces true zeros. This caused simulation
programs to crash from division by zero.
None of the linear congruential generators produced zeros so the problem
did not arise until the gfsr was used.
Hanson ORed in a low-order 1 to fix the problem.
Masanori wrote,
Lewis and Payne [16] introduced an apparently different type of generator,
the generalized feedback shift register (GFSR), by which numbers are
formed by phase-shifted elements along a M-sequence based on a
primitive trinomial 1 + z^q + z^p.
Lewis was one of my former MS and PhD students. http://www.frictionfree-economy.com/
Cycle lengths of sequences is a fascinating topic.
Let me point you guys to a delightful article on the distribution of
terminal digits of transcendental numbers.
The Mountains of pi by Richard Preston, v68 The New Yorker, March 2,
1992 p 36(21).
This is a story about Russian-born mathematicians Gregory and David
Chudnovsky.
While the story is fun to read, I think that the Chudnovskys were
wasting their time.
I think that terminal digits of transcendental numbers have been proved
to be uniformly distributed.
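Added example for the GFSR described in Payne's message above: word bits are phase-shifted elements of one M-sequence from a primitive trinomial 1 + z^q + z^p, the word sequence obeys the same trinomial recurrence, and the generator does emit true zero words, which is the crash Hanson cured by ORing in a low-order 1. This is not Fushimi's or Visual Numerics' code; the trinomial 1 + z^2 + z^5, the seed and the phase delays (0, 7, 13) are constructed for a 31-step toy, and the 2^521 - 1 generator is not reproduced.

```python
"""Toy Lewis-Payne GFSR, built the way Payne's message describes.  Added example,
not Fushimi's generator.  p, q, seed and delays are constructed for illustration."""


def m_sequence(p, q, n):
    """First n terms of a_t = a_{t-q} XOR a_{t-p} from the trinomial 1 + z^q + z^p,
    seeded with 1,0,...,0.  For a primitive trinomial the period is 2^p - 1."""
    a = [1] + [0] * (p - 1)
    for t in range(p, n):
        a.append(a[t - q] ^ a[t - p])
    return a


def period(seq, p):
    """Smallest s > 0 after which the first p-term window recurs."""
    for s in range(1, len(seq) - p):
        if seq[:p] == seq[s:s + p]:
            return s
    return None


def gfsr_words(p, q, delays, n):
    """n GFSR words: bit j of word t is a_{t + delays[j]} (phase-shifted copies)."""
    a = m_sequence(p, q, n + max(delays))
    return [sum(a[t + d] << j for j, d in enumerate(delays)) for t in range(n)]


def recurrence_holds(words, p, q):
    """Word-wise the trinomial recurrence carries over: w_t = w_{t-q} XOR w_{t-p}."""
    return all(words[t] == words[t - q] ^ words[t - p] for t in range(p, len(words)))


def count_zero_words(words):
    return sum(1 for w in words if w == 0)


def hanson_fix(words):
    """OR a low-order 1 into every word: no draw can be zero afterwards."""
    return [w | 1 for w in words]


def mean_reciprocal(words):
    """A stand-in for a simulation that divides by its draws; dies on a true zero."""
    return sum(1.0 / w for w in words) / len(words)


if __name__ == "__main__":
    words = gfsr_words(5, 2, (0, 7, 13), 31)
    print("m-sequence period:", period(m_sequence(5, 2, 70), 5))
    print("word recurrence holds:", recurrence_holds(words, 5, 2))
    print("zero words in one period:", count_zero_words(words))
    try:
        mean_reciprocal(words)
    except ZeroDivisionError:
        print("raw GFSR: division by zero")
    print("after Hanson's fix:", mean_reciprocal(hanson_fix(words)))
```

With these delays three of the 31 words are zero, so the raw stream crashes `mean_reciprocal`; the OR-in-one fix removes the zeros at the price of biasing the low bit, which is the trade Payne reports Hanson making. A linear congruential generator with an odd increment never hits zero, which is why, as the message says, the problem only surfaced when the GFSR was swapped in.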
To: ukcrypto@maillist.ox.ac.uk
CC: cryptography@c2.net, Ross.Anderson@cl.cam.ac.uk
Subject: Re: More on A5 strength
In-reply-to: Your message of "Thu, 23 Apr 1998 15:47:00
+0200." <m0ySMLJ-0003b8C@ulf.mali.sub.org>
Date: Fri, 24 Apr 1998 12:31:55 +0100
From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>
Message-ID: <E0ySghy-0002Nc-00@heaton.cl.cam.ac.uk>
Message-ID: <199804250312.NAA06926@avalon.qualcomm.com>
To: ukcrypto@maillist.ox.ac.uk
CC: cryptography@c2.net, Ross.Anderson@cl.cam.ac.uk
Subject: Re: More on A5 strength
In-reply-to: Your message of Fri, 24 Apr 1998 12:31:55
+0100. <E0ySghy-0002Nc-00@heaton.cl.cam.ac.uk>
Date: Sat, 25 Apr 1998 13:12:45 +1000
From: Greg Rose <ggr@qualcomm.com>
Message-ID: <199804261242.IAA30483@camel7.mindspring.com>
Date: Sun, 26 Apr 1998 08:41:28 -0400
To: cypherpunks@toad.com
From: John Young <jya@pipeline.com>
Subject: GSM A5 Papers