
GSM Falls!!!

Last update: Monday, 11 May 1998

Note: some typos in the original messages have been corrected.
Message-ID: <3536295B.7CFE@argo.es>
Date: Thu, 16 Apr 1998 17:52:59 +0200
From: Jesús Cea Avión <jcea@argo.es>
To: hacking@argo.es, anita@argo.es, teleco-vigo@argo.es, gdi@uvigo.es,
apedanica@encomix.es, free-miembros@arnal.es, ircops@esnet.org
Subject: El GSM cae!!!

At last!!! Once more it is shown that obscurity does not help keep a "secret" safe.

It is now possible to clone SIM cards (Subscriber Identity Module), that is, to impersonate any GSM user. There is no need to modify the handset, since handsets are universal and identity is supplied by the card.

In this message I will try to gather and put some order into the furious flood of messages I have been receiving for the past couple of days, especially on the cypherpunks and cryptography lists. On Bugtraq there has barely been a mention :).

The initial announcement was made last Monday the 13th, on the lists cypherpunks@algebra.com and cryptography@c2.net:
The Smartcard Developer Association (SDA) and two U.C. Berkeley researchers jointly
announced today that digital GSM cellphones are susceptible to cloning, contrary to the
belief of even the telecommunication providers that have fielded them.
[...]
One of the discoveries that the SDA made about GSM security was a deliberate
weakening of the confidentiality cipher used to keep eavesdroppers from listening to a
conversation. This cipher, called A5, has a 64 bit key, but only 54 bits of which are used.
The other ten bits are simply replaced with zeros.
[...]
See http://www.scard.org/ for more info.
[Special thanks to Tim Hudson for authoring the smartcard interface code that made
our work possible. We wouldn't have achieved what we did without it].
This message has set off a cascade of replies. I am storing them all in a Netscape folder and so far, after removing duplicates and noise, I have 189 messages :). I will try to summarize the provisional conclusions in this message.
The original page of the attack is at http://www.scard.org/.

Several press articles have also appeared on the matter:

http://www.scard.org/press/19980413-01/
http://dailynews.yahoo.com/headlines/technology/wired/story.html?s=z/reuters/980413/wired/stories/security_4.html
http://www.pathfinder.com/time/magazine/1998/dom/980420/notebook.techwatch.levit24.html
http://cgi.pathfinder.com/netly/continue/0,1027,1898,00.html
http://cgi.pathfinder.com/netly/opinion/0,1042,1774,00.html
http://www.latimes.com/HOME/NEWS/BUSINESS/t000035457.1.html

A technical description of the attack can be found at:

http://www.isaac.cs.berkeley.edu/isaac/gsm-faq.html
http://www.isaac.cs.berkeley.edu/isaac/gsm.html

The card attacked belongs to the Pacific Bell network.


For now the attack requires physical access to the card to be duplicated; it is not possible to duplicate a SIM merely by listening to its transmissions over the air. That reduces the threat to the security of the system. In any case it proves the system is vulnerable, and the possibility that "over the air" attacks become feasible in the future is not ruled out.

The algorithm referred to as A3 in the GSM specification corresponds to the COMP128 algorithm, at least on many GSM networks worldwide.

The people who broke COMP128 (in less than a day) are the same ones who found a security flaw in the SSL implementation of the early versions of Netscape Navigator.

GSM authentication is based on sending challenges to the SIM card, which returns them suitably encrypted. The key used to encrypt/decrypt the challenges is supposed to be known only to the card and to the organization (network) that issues it, but by sending different challenges to a SIM card the researchers managed to deduce the key in about 6 hours.

Apparently the GSM implementation was originally "weakened" under pressure from some European governments in order to ease surveillance and tracking by the police. COMP128 has a 64-bit key, but 10 of those bits appear to be consistently zero, which points to a clear intent to weaken the system.

The possibility of "over the air" attacks (without physical access to the SIM card) by sending challenges to a remote card is being investigated. That would require sending about 175000 challenges to the card, which takes several hours. This kind of attack could be practical on the underground, for example, since there the phone has no coverage and will answer any authentication attempt sent to it. The attacker would only have to take the same train as the victim for several days/weeks, sending challenges and collecting responses over that period. A typical SIM card answers challenges at a rate of 6.25 challenges per second.

The number of challenges to send can be reduced at the cost of more computing time on a personal computer, something perfectly acceptable since that stage can be done "at home", without access to the SIM, and is easily parallelizable.

GSM networks can curb the attack by issuing higher-quality keys to their subscribers. That would mean distributing new SIM cards.

Behaviour on a GSM network with cloned phones varies a great deal. In some cases (Motorola) the network detects the duplication and deactivates both phones. In other cases (in Europe as well as in the US and Asia) one of the phones rings at random. Many networks have no anti-fraud technology to detect this problem. In any case a cloned phone is perfectly usable, on any network, when the original phone is switched off or out of coverage.

Even so, cloning a SIM is far more expensive and complicated than cloning an analog phone (in Spain, Telefónica's Moviline network).

An Internet search reveals that as early as 1994 Ross Anderson (rja14@cl.cam.ac.uk) sounded a warning, including the code of the supposedly confidential A5 algorithm:
From sci.crypt Fri Jun 17 17:11:49 1994
From: rja14@cl.cam.ac.uk (Ross Anderson)
Date: 17 Jun 1994 13:43:28 GMT
Newsgroups: sci.crypt,alt.security,uk.telecom
Subject: A5 (Was: HACKING DIGITAL PHONES)

The GSM encryption algorithm, A5, is not much good. Its effective key length is
at most five bytes; and anyone with the time and energy to look for faster attacks
can find source code for it at the bottom of this post.
The politics of all this is bizarre. Readers may recall that there was a fuss last
year about whether GSM phones could be exported to the Middle East; the
official line then was that A5 was too good for the likes of Saddam Hussein.
However, a couple of weeks ago, they switched from saying that A5 was too
strong to disclose, to saying that it was too weak to disclose! The government
line now pleads that discussing it might harm export sales.
Maybe all the fuss was just a ploy to get Saddam to buy A5 chips on the black
market; but Occam's razor suggests that we are really seeing the results of the
usual blundering, infighting and incompetence of bloated government
departments.
Indeed, my spies inform me that there was a terrific row between the NATO
signals agencies in the mid 1980's over whether GSM encryption should be
strong or not. The Germans said it should be, as they shared a long border with
the Evil Empire; but the other countries didn't feel this way, and the algorithm
as now fielded is a French design.
A5 is a stream cipher, and the keystream is the xor of three clock controlled
registers. The clock control of each register is that register's own middle bit,
xor'ed with a threshold function of the middle bits of all three registers (ie if two
or more of the middle bits are 1, then invert each of these bits; otherwise just use
them as they are). The register lengths are 19, 22 and 23, and all the feedback
polynomials are sparse.
Readers will note that there is a trivial 2^40 attack (guess the contents of
registers 1 and 2, work out register 3 from the keystream, and then step on to

check whether the guess was right). 2^40 trial encryptions could take weeks on
a workstation, but the low gate count of the algorithm means that a Xilinx chip
can easily be programmed to do keysearch, and an A5 cracker might have a few
dozen of these running at maybe 2 keys per microsecond each. Of course, if all
you want to do is break the Royal Family's keys for sale to News International,
then software would do fine.
It is thus clear that A5 should be free of all export controls, just like CDMF and
the 40-bit versions of RC2 and RC4.
Indeed, there seems to be an even faster attack. As the clock control is stop-go
rather than 1-2, one would expect some kind of correlation attack to be possible,
and on June 3rd, Dr Simon Shepherd of Bradford University was due to present
an attack on A5 to an IEE colloquium in London. However, his talk was spiked
at the last minute by GCHQ, and all we know about his attack is:
a. that sparse matrix techniques are used to reconstruct the initial state
(this was published as a `trailer' in the April 93 `Mobile Europe');
b. that he used some of the tricks from my paper `Solving a class of stream
ciphers' (Cryptologia XIV no 3 [July 90] pp 285 - 288) and from the
follow-up paper `Divide and conquer attacks on certain classes of
stream ciphers' by Ed Dawson and Andy Clark (Cryptologia XVIII no 1
[Jan 94] pp 25 - 40) (he mentioned this to me on the phone).
I believe that we have to stand up for academic freedom, and I hope that placing
A5 in the public domain will lead to the embargo on Simon's paper being lifted.
Ross Anderson
APPENDIX - AN IMPLEMENTATION OF A5
The documentation we have, which arrived anonymously in two brown
envelopes, is incomplete; we do not know the feedback taps of registers 2 and 3,
but we do know from the chip's gate count that they have at most 6 feedback taps
between them.
The following implementation of A5 is due to Mike Roe, and all comments and
queries should be sent to him.
Message-ID: <3540CAB1.2BBB@argo.es>
Date: Fri, 24 Apr 1998 19:24:01 +0200
From: Jesús Cea Avión <jcea@argo.es>
To: hacking@argo.es, anita@argo.es, teleco-vigo@argo.es,
gdi@uvigo.es, apedanica@encomix.es, free-miembros@arnal.es,
ircops@esnet.org, cert-es@listserv.rediris.es
Subject: El GSM cae!!! (y 2)
References: <3536295B.7CFE@argo.es>

This message is meant to complement the text I sent a few days ago.

The GSM Alliance has issued an official statement on the matter. At the end of it I include a series of personal comments. A copy of the document can be found at http://jya.com/gsm042098.txt:
GSM Alliance Clarifies False & Misleading Reports of Digital Phone Cloning
GSM Remains the Most Secure Commercial Wireless Technology
(Business Wire; 04/17/98)
A coalition of wireless Personal Communications Services (PCS) providers has
released [on 17 Apr 1998] facts to correct some misconceptions generated by
the recent claim that several California researchers had found a weakness in the
security of Global System for Mobile communications (GSM) technology, the
world's most popular digital wireless standard.
The North American GSM Alliance, LLC - consisting of the eight largest GSM
network operators in the United States and Canada - provided the following
information in response to a number of erroneous published reports.
1. GSM phones are not vulnerable to cloning.
Researchers only claimed that, through a process of trial and error, they figured
out how to copy information from the Subscriber Identity Module (SIM) card - a
unique GSM feature that contains a customer's individual network access code.
Duplicating a SIM card is not like cellular cloning since the network only
recognizes one copy of a GSM phone number at a time. This is an important
distinction, since it does not permit would-be thieves to fraudulently capture,
duplicate and utilize a customer's phone number and account information by
intercepting over-the-air transmissions and deciphering the data.
By contrast, information from ordinary analog cellular phones can be pulled out
of the airwaves, copied and re-used multiple times. This illegal process, also
known as "sniffing," is still not possible to do with GSM technology. The
California group said that it needed physical access to a SIM card in order to
duplicate it. While they believed copying theoretically could be done remotely,
the group admitted that it was, in fact, unable to do so.
2. There is no risk to subscribers.
GSM's design process and proven functionality continues to offer the strongest
level of commercial wireless security. GSM customers can have the highest
degree of confidence that they are protected from over-the-air cloning.
In fact, thieves can more easily steal GSM phone service simply by stealing
wireless handsets rather than producing counterfeit SIM cards. Once someone
steals a SIM card, there's no need to copy it. The notion is as ridiculous as
someone stealing an armored car full of money, then copying the bills inside!
And since the GSM networks allow only one call at a time from any phone
number, having multiple copies of a SIM is worthless. As an additional level of
security GSM operators have procedures in place which would quickly detect
and shut down attempted use of duplicate SIM card codes on multiple phones.

Nevertheless, customers should protect their wireless phones and SIM cards the
same way they would protect their wallets and bank cards. Subscribers who lose
their phone or SIM card should report it immediately to their wireless service
company. The lost or stolen SIM can be de-activated to prevent others from
using the account.
3. There is no risk of over-the-air eavesdropping.
The level of encryption used by GSM makes over-the-air eavesdropping nearly
impossible. So far, no one claims that they can listen to the content of
conversations or monitor data transmitted over the air on the GSM network,
including governments and network operators. Confidentiality of GSM customer
conversations remains intact and uncompromised.
4. The ability to copy a SIM card is nothing new.
It was always known that this could be done. Last weekend's announcement is
really no different from processes GSM providers use all the time to encode
smart chips. For several years now, educational institutions and scientific
laboratories have demonstrated the capability to extract data from, and copy,
smart cards. But it is an extremely complex task and would not be practical for
stealing wireless phone service. Besides, even if a handset or SIM card were
stolen, GSM operators have the ability and technological tools to shut down
fraudulent service quickly.
5. The key code which protects a subscriber identity is not "fatally flawed."
This is a somewhat complicated subject. There are two different key codes: first,
an authentication code - the A3 algorithm- that protects the customer's identity;
second, an encryption code - the A5 algorithm - that ensures the confidentiality
of conversations. It has been alleged that the authentication code (A3 algorithm)
is weakened because only 54 of the 64 bits are used, with 10 bits being replaced
by zeroes. In reality, those final 10 bits provide operators with added flexibility
in responding to security and fraud threats. Additionally, the GSM algorithm
that the researchers claimed to have broken is the "example" version provided
by the international organization that governs the use of GSM technology to its
approved carriers for them to create their own individual version. It may not be
what is deployed in the market. Several operators have already decided to
customize their codes, making them more sophisticated.
There has been some confusion about the various types of code used by GSM. In
addition to the 64-bit authentication cipher, there is a more powerful voice
encryption code (A5 algorithm) which helps keep eavesdroppers from listening
to a conversation. This code was not involved in last weekend's announcement.
Also, the speculation that GSM's encryption algorithms have been deliberately
weakened because of pressure by the U.S. intelligence community is absolutely
false.
Conclusion

While no human-made technology is perfect, customers can still rely on the


privacy features and security of GSM's transmission technology. It remains the
most secure commercial wireless communications system available today. More
than 80 million customers in 110 countries use GSM phones and not one
handset has been cloned since the first commercial service was launched in
1992.
North American GSM Alliance, L.L.C. is a consortium of U.S. and Canadian
digital wireless PCS carriers, which helps provide seamless wireless
communications for their customers, whether at home, in more than 1,000 U.S.
and Canadian cities and towns, or abroad. Using Global Systems for Mobile
(GSM) communications, GSM companies provide superior voice clarity,
unparalleled security and leading-edge wireless voice, data and fax features for
customers. Current members of the GSM Alliance include: Aerial
Communications, Inc., BellSouth Mobility DCS, Cook-Inlet Western Wireless;
Microcell Telecommunications Inc., Omnipoint Communications, LLC, Pacific
Bell Mobile Services, Powertel, Inc., and Western Wireless, Corp., which
continue to operate their own businesses and market under their own names.
CONTACT: For Additional Information:
Terry Phillips, Omnipoint, (973) 290-2533 OR
Mike Houghton, Communicreate, (703) 799-7383
I would like to comment on the press release almost paragraph by paragraph:
1. GSM phones are not vulnerable to cloning
Even assuming the network were able to detect the existence of two identical SIMs, thereby preventing the "fraud", nothing stops the holder of the duplicated SIM card from using it exclusively during the hours when the legitimate subscriber has the phone switched off (at night, for example). If that "detection capability" exists, it is also possible to mount an effective denial-of-service attack on the legitimate subscriber, since the network would not let him make or receive calls.
2. There is no risk to subscribers
The press release says it is ridiculous to duplicate a SIM card when one already has access to the original, although my previous comment may supply a reason of "interest": the cards are usable, in the worst case, while the legitimate subscriber has the phone switched off.
There is a *VERY* important risk: with a "cloned" card it is trivial (and undetectable) to decrypt the conversations encrypted with the original SIM card. That is, the cloned SIM card can be used not to make calls but to decrypt conversations.
3. There is no risk of over-the-air eavesdropping
As indicated further on, the algorithms protecting the user's identity and the communication itself are different. However, the key of one is derived from the other :-)). The document http://jya.com/gsm061088.htm seems to support the idea that the confidentiality keys are derived from the authentication key, which is precisely what has been attacked, successfully.
Besides, as mentioned in my previous message, the possibility remains open of carrying out the attack without having the physical card, by sending challenges and receiving the responses from a phone in the vicinity.
4. The ability to copy a SIM card is nothing new
Here the GSM Alliance is obviously washing its hands of the matter. They say duplicating smart cards is nothing new. Naturally they do not mention that there are smart cards whose very reason for existing is precisely that they cannot be duplicated. SIM cards fall within that scheme, as do VISACASH purses, for example. Nobody would claim that being able to duplicate a VISACASH purse holding, say, 10,000 pesetas as many times as one likes is of no importance.
What the article says is no use either: that duplicating a SIM card requires means beyond the reach of "ordinary people". Apart from the fact that this is not reassuring at all, it is not even true. Anyone with a computer and a chip-card interface (which can be built for under 500 pesetas) can replicate the attack described in my last message.
5. The key code which protects a subscriber identity is not "fatally flawed."
It is true that the A3, A8, etc. algorithms described in the GSM specification are generic containers that do not specify any particular algorithm. The specification gives a number of algorithms as "examples", but each GSM network may implement its own. What is in doubt, however, is what motivation a GSM network would have to adopt algorithms other than those "officially" proposed during the development of the technology. In http://jya.com/gsm061088.htm we read:
" In particular, there is no need for a common GSM authentication
algorithm. and different networks may use different algorithms. ( The
algorithms do, however, need to have the same input and output
parameters; in particular, the length of Kc is determined by the GSM
cipher algorithm ). Never-the-less it is desirable that there is a GSM
standard authentication algorithm which may be used by all networks
which do not wish to develop a proprietary algorithm. There is just one
candidate for such an algorithm; it was proposed by the German
administration, and is analysed in Part VI of this report."

The key sentence is: "Never-the-less it is desirable that there is a GSM standard authentication algorithm which may be used by all networks which do not wish to develop a proprietary algorithm". How many GSM networks will have bothered to develop their own algorithms, when they were already handed one as an "example"?
On the other hand, the network is free to choose the A3 and A8 algorithms, which are the ones that certify the user's identity and provide the initial key for the confidentiality of the rest of the communication. Those algorithms are unconstrained, with no restrictions other than those fixed by the protocol itself (key length, for example). Those algorithms, by the way, run on the card and never leave it.
The A5 algorithm, however, which is the one used to encrypt the conversation, runs both in the handset (not in the card) and in the network being used (so that the network can decrypt the conversation). This algorithm is FIXED for all GSM networks, which ensures compatibility between all terminals and networks and makes possible, for example, "roaming" on any GSM network in the world.
In any case the attack on A3 does not rest solely on its poor security (it is truly ridiculous :), but on the fact that of the 64 bits making up its key only 54 are used. That means the search space is reduced 1024-fold. That is, if the system were secure (which it is not), and breaking it meant trying each and every possible key, and if, say, doing so took a YEAR working 24 hours a day, the reduction to 54 bits would mean finding the right key *NOT* in a year but in an average time of four hours, and a maximum time (worst case) of EIGHT AND A HALF HOURS.
"In reality, those final 10 bits provide operators with added flexibility in responding to security and fraud threats."
I would like to know which security and fraud threats they are referring to, and how reducing the security of the system can possibly improve the operators' "responsiveness"...

New URLs complementing those published in my previous message:

o Tracking of GSM phones, and decryption of communications:
http://jya.com/gsm-cloned.htm
http://jya.com/gsm-snoop.htm
o European legislation on the subject:
http://www.ii-mel.com/interception/europegb.html
o Deliberate weakening of the encryption keys when phones are exported to certain countries. GSM tracking:
http://www.ii-mel.com/interception/gsmgb.html
o The Belgian case:
http://www.ii-mel.com/interception/belgiquegb.html
o GSM security study. Official document of June 1988, distributed anonymously in "unclassified circles". It describes the cryptographic operation of the network and the algorithms used:
http://jya.com/gsm061088.htm
o A3 and A8 algorithms (user authentication and generation of the key for communication confidentiality, respectively):
http://www.scard.org/gsm/a3a8.txt
o Attack on A5 (communication confidentiality):
http://jya.com/crack-a5.htm
o Detailed description of the original attack:
http://www.isaac.cs.berkeley.edu/isaac/gsm-faq.html

The A5 algorithm (conversation encryption) seems fairly secure, but since its key is derived from the challenge posed to the SIM card (A3/A8 algorithms), and A3 has been compromised, there is no need to "break" A5: its key is handed to us by A3/A8 itself if we know the secret key held in the SIM, which is precisely what the attack described these days has achieved.
Since the attack yields the secret key for the A3 and A8 algorithms, used respectively to authenticate the user and to establish the initial key for encrypting the conversation (A5 algorithm), having a cloned card would allow one to:
a. Make and receive calls while the legitimate user has the phone switched off.
b. Possibly make calls EVEN IF the legitimate user has the phone switched on and in use. That will depend on the network's control measures.
c. Possibly receive calls (with a 50% chance of failure) even though the legitimate phone is in use. That will depend on the characteristics of the GSM network.
d. If the network is protected against abuse (something which, given how new all this is, is unlikely), a cloned SIM card would allow the legitimate user's phone to be put out of service.
e. Listen to the legitimate user's conversations.

Solution: reissue new SIM cards using more secure A3 and A8 algorithms instead of COMP128. This change requires no modification to the mobile terminals or to the network, except in the central authentication system (there may be a couple of them in an entire GSM network). The only cost would be that of creating and distributing the new cards.

This is simply something one cannot close one's eyes to.


Message-ID: <3544C005.5E6A@argo.es>
Date: Mon, 27 Apr 1998 19:27:33 +0200
From: Jesús Cea Avión <jcea@argo.es>
To: Temas de Seguridad en Redes <CERT-ES@LISTSERV.REDIRIS.ES>
Subject: Re: Más GSM
References: <01BD71E0.670A8E80@grendel.ls.fi.upm.es>

> OK, I clone a GSM card and can use it to make calls charged to the poor
> sucker in question, but the part about listening in on conversations is
> not so clear to me.
[...]
> am I wrong?
Obviously you are :).
Let me explain...
a. I switch on my phone.
b. The phone "listens" for the networks present, picks one of them (yours :) and requests registration.
c. The base station receives the request and proceeds to authenticate the user. To do so:
d. The base station requests a "challenge" from the operator recorded in the user's SIM.
e. The authentication centre the user depends on (which may be another network, if the user is "roaming") sends the base station three values: CHALLENGE, RESPONSE and KEY.
f. The base station sends CHALLENGE to the phone.
g. The phone passes CHALLENGE to the card.
h. The card, using the A3 algorithm, encrypts CHALLENGE (with a secret key known only to the card and to its authentication centre) and returns RESPONSE1 to the phone.
i. The phone sends RESPONSE1 to the base station.
j. The base station checks that RESPONSE1 = RESPONSE. Authentication happens here.
k. At the same time, the card encrypts CHALLENGE using the A8 algorithm and its secret key. The end result is KEY1.
l. The card passes KEY1 to the phone, which will use it as the encryption key for the A5 algorithm, the one protecting the phone's subsequent communications.
m. The base station will use the KEY value sent by the authentication centre to encrypt its communications with the phone. KEY1 = KEY.
As can be seen, knowledge of the "secrets" resides only in the authentication centre and in the SIM. When the base station (which may belong to another company) requests a triple of values, the authentication centre generates a random value for CHALLENGE and encrypts it using A3/A8 and the user's secret key to obtain RESPONSE and KEY.

I hope this explanation has made clear, first, how "roaming" works :) and, second, that knowing the A3, A8 and A5 algorithms (which, although initially confidential, are nowadays public knowledge) and the SIM's secret key, it is possible both to impersonate the user and to decrypt his conversations.
The latter is very simple. One just has to spy on the phone's registration with the network when it is switched on. During that registration the base station sends CHALLENGE. We "listen" to it with our duplicated SIM, and from it (and the secret key) we can obtain KEY, which is the key the phone and the base station will use to "secure" the privacy of the communication.
Any questions...
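The exchange in steps a to m, and the eavesdropping consequence drawn from it, as an added example that is not part of the original messages. It simulates the home authentication centre, the base station and the card, then shows a clone holding the same Ki turning an overheard CHALLENGE into KEY and stripping A5 from a captured burst. Assumptions: A3/A8 are stood in for by HMAC-SHA256 (not COMP128); the 10 low bits of KEY are zeroed to model the 54 effective bits discussed above; A5 is implemented as the A5/1 keystream generator with the register taps and majority stop/go clocking as later published, which Ross Anderson's 1994 post above only partially knew (register lengths 19/22/23 and the clocking idea); the Ki, frame number and burst contents are constructed.

```python
"""Constructed simulation of GSM registration (steps a-m) and of a clone
eavesdropping with the copied Ki.  Not code from the original messages.
A3/A8 below is an HMAC stand-in, NOT COMP128; A5 is A5/1 as later published."""
import hashlib
import hmac
import os

# A5/1 registers: (length, feedback taps as bit indices, clocking bit index)
_REGS = ((19, (13, 16, 17, 18), 8), (22, (20, 21), 10), (23, (7, 20, 21, 22), 10))


def _clock(regs, force=False):
    """Advance the registers whose clocking bit agrees with the majority of
    the three clocking bits (all three when force=True, during loading)."""
    bits = [(r >> c) & 1 for r, (_, _, c) in zip(regs, _REGS)]
    maj = 1 if sum(bits) >= 2 else 0
    new = []
    for r, (n, taps, _), b in zip(regs, _REGS, bits):
        if force or b == maj:
            fb = 0
            for t in taps:
                fb ^= (r >> t) & 1
            r = ((r << 1) | fb) & ((1 << n) - 1)
        new.append(r)
    return new


def a5_1_keystream(key, frame, nbits=114):
    """key: 64-bit int (bit i is key bit i), frame: 22-bit counter.
    Returns nbits of keystream as an int, first bit most significant."""
    regs = [0, 0, 0]
    for i in range(64):                       # key loading, xor into bit 0
        regs = [r ^ ((key >> i) & 1) for r in _clock(regs, force=True)]
    for i in range(22):                       # frame number loading
        regs = [r ^ ((frame >> i) & 1) for r in _clock(regs, force=True)]
    for _ in range(100):                      # mixing, output discarded
        regs = _clock(regs)
    ks = 0
    for _ in range(nbits):                    # output: xor of the three MSBs
        regs = _clock(regs)
        bit = 0
        for r, (n, _, _) in zip(regs, _REGS):
            bit ^= (r >> (n - 1)) & 1
        ks = (ks << 1) | bit
    return ks


def a3a8(ki, challenge):
    """Stand-in for A3/A8 (assumption, not COMP128): 32-bit RESPONSE and a
    64-bit KEY whose 10 low bits are zero, as the text says of real networks."""
    d = hmac.new(ki, challenge, hashlib.sha256).digest()
    return d[:4], int.from_bytes(d[4:12], "big") & ~0x3FF


def auc_triplet(ki):
    """Step e: the home authentication centre picks a random CHALLENGE and
    precomputes RESPONSE and KEY for the (possibly foreign) base station."""
    challenge = os.urandom(16)
    response, key = a3a8(ki, challenge)
    return challenge, response, key


def register(sim_ki, auc_ki):
    """Steps f-m from the base station's side: challenge the phone, compare
    the card's RESPONSE1 with RESPONSE, return (CHALLENGE, KEY), or
    (CHALLENGE, None) when authentication fails.  Ki never reaches here."""
    challenge, response, key = auc_triplet(auc_ki)
    response1, key1 = a3a8(sim_ki, challenge)         # steps h and k, on the card
    if not hmac.compare_digest(response, response1):  # step j
        return challenge, None
    assert key1 == key                                # step m: KEY1 = KEY
    return challenge, key


def a5_frame(key, frame, bits114):
    """Encrypt or decrypt one 114-bit burst: xor with the A5 keystream."""
    return bits114 ^ a5_1_keystream(key, frame)


def clone_eavesdrop(cloned_ki, challenge_seen, frame, ciphertext):
    """The clone never talks to the network: it overhears CHALLENGE during the
    victim's registration, recomputes KEY with the copied Ki and strips A5."""
    _, key = a3a8(cloned_ki, challenge_seen)
    return a5_frame(key, frame, ciphertext)


if __name__ == "__main__":
    ki = bytes(range(16))                              # constructed 128-bit Ki
    challenge, key = register(ki, ki)                  # legitimate card
    burst = int.from_bytes(b"hello, GSM!...", "big")   # constructed 112-bit payload
    ct = a5_frame(key, 0x134, burst)                   # constructed frame number
    assert clone_eavesdrop(ki, challenge, 0x134, ct) == burst
    assert register(bytes(16), ki)[1] is None          # wrong Ki: rejected at step j
    print("clone decrypted the burst; card with another Ki was rejected")
```

Run directly, the clone decrypts the burst while a card with a different Ki is rejected at step j. Note where the secret sits: register() never sees Ki on the base-station side, only the triple, which is exactly why a foreign network can authenticate a roaming user and why the attack needs Ki rather than anything that crosses the air.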

The information that follows I have not sent to any mailing list before. It is unpublished :-):

Attack on A3/A8:
o The A3 and A8 algorithms currently correspond to COMP128 variants on most GSM networks. In fact the usual thing is for A3/A8 to be computed at once with the same algorithm, as can be seen in http://www.scard.org/gsm/a3a8.txt.
o The attack is possible not because of the 10-bit reduction of the key space (something discovered "after the fact"), but because of serious design flaws in the algorithm itself, which would never have gone unnoticed had it been submitted to the scrutiny of the academic community.
o In fact the card does not return the COMP128 output, but only its first 32 bits. At first sight that should make the attack much harder, since a collision in those 32 bits does not necessarily imply a collision across the whole of COMP128. The attack takes that into account by sending the card challenges for which a collision in those 32 bits but not in the rest is very unlikely.
o There is growing evidence that the 10-bit reduction of the key (A8 algorithm) was intentional, in order to allow government agencies to record calls.
o In Europe, the Chaos Computer Club has also successfully cloned a GSM SIM card. The translated text can be found at http://www.dis.org/erehwon/eucracke.html, and the original at http://www.ccc.de/CRD/CRD240498.html. On that site there is abundant information, the software and the hardware schematic needed to clone your own card :-).
o Apparently barely a couple of GSM networks in the world use algorithms other than COMP128 for A3/A8, which means that all the others are vulnerable to the attack.
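The collision attack the second and third bullets describe, as an added example that is not part of the original message and is not COMP128: toy_a3 below is a constructed function that only reproduces the structural defect, namely that two Ki bytes and two challenge bytes are squeezed through a 14-bit intermediate state before a strong 32-bit output, of which the card (as with SRES) returns only 32 bits. The attacker keeps two challenge bytes fixed so that an observed 32-bit collision reveals a collision in the narrow state, then recovers the two Ki bytes feeding it with a 2**16 offline search. The S-box, the Ki value and the order of the challenges are constructed from a fixed seed.

```python
"""Chosen-challenge collision attack on a constructed narrow-pipe A3.
Added example; 'toy_a3' is NOT COMP128, it only copies the defect described
above: bytes (k0, r0) and (k1, r1) pass through a 14-bit state before a strong
32-bit output, and only those 32 bits leave the card."""
import hashlib
import itertools
import random

_rng = random.Random(128)          # fixed seed: reproducible demonstration
SBOX = list(range(256))
_rng.shuffle(SBOX)                 # constructed S-box, not COMP128's tables


def narrow(k0, k1, r0, r1):
    """The 14-bit pipe: two key bytes and two challenge bytes -> two 7-bit values."""
    a = SBOX[k0 ^ r0]
    b = SBOX[k1 ^ r1]
    u = SBOX[(a + 2 * b) & 0xFF] & 0x7F
    v = SBOX[(2 * a + b) & 0xFF] & 0x7F
    return u, v


def toy_a3(ki, rand):
    """Toy card: 4-byte Ki, 4-byte challenge -> 32-bit response.  Everything
    after the pipe is a strong hash, so the output value itself leaks nothing."""
    state = bytes(narrow(ki[0], ki[1], rand[0], rand[1])
                  + narrow(ki[2], ki[3], rand[2], rand[3]))
    return hashlib.sha256(state).digest()[:4]


def find_collisions(card, n_queries, fixed=b"\x00\x00"):
    """Attacker with the card in a reader: vary only challenge bytes 0 and 1,
    keep bytes 2 and 3 fixed so the second pipe is constant, and collect the
    challenge pairs with equal responses.  Birthday bound on a 14-bit state:
    a collision about every 2**7 queries.  A chance 32-bit collision with an
    unequal state has probability 2**-32 per pair and is ignored."""
    seen, pairs = {}, []
    for r in _rng.sample(range(1 << 16), n_queries):   # distinct challenges
        rand = bytes((r >> 8, r & 0xFF)) + fixed
        resp = card(rand)
        if resp in seen:
            pairs.append((seen[resp], rand))
        else:
            seen[resp] = rand
    return pairs


def recover_key_bytes(pairs):
    """Offline: which (k0, k1) make every observed pair collide in the pipe?
    One pair leaves about 2**16 / 2**14 = 4 wrong survivors; two or three
    pairs isolate the true bytes.  Returns the surviving candidate set."""
    cands = set(itertools.product(range(256), repeat=2))
    for r, r2 in pairs:
        cands = {(k0, k1) for k0, k1 in cands
                 if narrow(k0, k1, r[0], r[1]) == narrow(k0, k1, r2[0], r2[1])}
        if len(cands) == 1:
            break
    return cands


if __name__ == "__main__":
    ki = bytes.fromhex("a1b2c3d4")                      # constructed secret Ki
    pairs = find_collisions(lambda rand: toy_a3(ki, rand), 1000)
    print(len(pairs), "colliding pairs ->", recover_key_bytes(pairs))  # {(161, 178)}
```

Run directly, it prints the recovered pair {(161, 178)}, i.e. 0xa1 0xb2, after a few hundred card queries; the same procedure with challenge bytes 2 and 3 varied instead recovers the other two bytes of the toy Ki. The point the bullets make is visible in the code: nothing about the 10-bit key reduction is used, only the narrow pipe and the fact that the card will answer any number of chosen challenges.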
Measures by the GSM companies:
o In the thick of the affair, the "Los Angeles Times" published the following text:

Bethesda, Md.-based Omnipoint Corp. said it plans to change the mathematical formulas used in its wireless phone service after two UC Berkeley researchers discovered a way to break the code that protects it. Omnipoint Executive Vice President George Schmitt said he's going to personalize Omnipoint's formula for identifying phones rather than use the general formulas of the global system for mobile communications, or GSM, digital wireless standard. Tim Ayers, a spokesman for the Cellular Telephone Industry Assn., said he expects most GSM operators to follow Omnipoint's lead. [...]

Naturally it does not say which algorithms will be used as A3/A8, which only means that the research community will be unable to study them in depth before they are distributed in the new SIM cards. That is, nothing guarantees that the new, non-public scheme will not have another design error like the one that made the attack on COMP128 possible.

Attack on A5:

Message-ID: <m0ySMLJ-0003b8C@ulf.mali.sub.org>
Date: Thu, 23 Apr 98 15:47 +0200
From: ulf@fitug.de (Ulf Moller)
To: ukcrypto@maillist.ox.ac.uk
Subject: Re: More on A5 strength
In-Reply-To: <wxyax54fno.fsf@polysynaptic.iq.org>
CC: cryptography@c2.net

Julian Assange wrote:


>I haven't read Ross's [45] - I doubt it is about A5 per se, but rather
>about chaining of multiple LFSR's (A5 uses three), (Ross, please
>correct me) - and Bruce (or someone else) has seen that Ross's attack
>applies to A5. Note that there are several versions of A5, some
>telco's have phones which use A5/7 - these latter versions tend to be
>even weaker than A5/2! It's worth noting that AP 16.5, to my knowledge
>is talking about the proposed (untested) reconstruction of A5, and not
>a confirmed implementation.
The excerpt of the leaked GSM Security Study at
http://jya.com/gsm061088.htm contains an incomplete description of
"The French Proposal for the Cipher" A5. The cipher consists of three
feedback shift registers; the output stream is the XOR of the MSB of all
three registers. The 19 bit register R1 is given in figure 1 (the LSB after
the shift is the XOR of bits 19, 18, 17 and 14). The other registers are
known to be 22 and 23 bits large, and their feedback functions to consist
of only four XORs all together.
Clock control is based on the registers' middle bits (they do not say
exactly which bit in a 22 bit register is "middle"). Each register is
clocked based on its middle bit, inverted if less than two bits are set. So
at least two registers are clocked in each step.

They mention how the keys are loaded, but the order of the bits is not
given. So it seems to me that Ross used the same leaked document from
which COMP128 has been reconstructed.
In his paper "On Fibonacci Keystream Generators", Ross states that the
best known attack on A5 consists of guessing the state of R1 and R2 and
work out R3 from the keystream. He writes, "There has been controversy
about the work factor involved in each trial, and at least one telecom
engineer has argued that this is about 2^12 operations giving a real attack
complexity on A5 of 2^52 rather than the 2^40 which one might naively
expect."
This known-plaintext attack does not depend on how the keys are loaded
to the registers. To execute the attack, you need to know the feedback
polynomials and the position of the "middle" bits, but the feasibility of
the attack clearly does not depend on a particular choice of these (still
unknown) parameters. So if the French A5 is in use, it can be broken in
2^52 decryptions.
Assume we have guessed the 40 bits of R1 and R2, and want to find R3,
given the output keystream (that is ciphertext XOR the known plaintext).
We get the MSB of R3 from knowing the MSB of R1 and R2 and the
output bit, because the output stream is the XOR of the three MSBs. So
if we can cycle the registers through and get all the 23 bits of R3, we
have determined the initial state of R3 and can do test decryptions to see
if the guess of R1 and R2 was right in the first place. (Note that this
works for any feedback polynomial.)
However, not all registers are clocked in every step. Not knowing the
middle bit of R3, in half the cases we don't know if R3 will be clocked,
in the other half we don't know whether R1 or R2 will be clocked. But if
we guess the middle bit correctly, we know which registers are clocked.
Thus the MSBs of R1 and R2 in the next step are known and we can
determine the content of the MSB of R3 from the output bit. Then, we
guess the new middle bit, which determines the following step and again
yields the MSB (bit 22 of the initial configuration). If we repeat this until
we have the complete R3, guessing 11 bits gets us another 11 bits for
free. (Does anyone see a shortcut there?)
What this means for the security of GSM depends on the GSM protocol.
How much known plaintext does it provide? Are the frame sequence
numbers that are mixed into registers known to eavesdroppers (otherwise
they'd have to try ~2^52 decryptions on every frame)?
If the frame sequence numbers are known, the reduced keyspace might
also help to break the encryption. Assuming the 10 zero-bits end up in
R1, you guess the remaining 9 bits and fast-forward the register
according to the random distribution that is given by the position in the
stream you are trying to break (in each step R1 is clocked with
probability 3/4). Then guess R2 and half of R3 as above.
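As an added illustration (not code from the original message or from any GSM implementation), the toy generator below follows the description above and checks the observation that, with R1 and R2 known and R3's middle bits guessed correctly, every keystream bit hands over one bit of R3's initial state; this is the reason XOR-combining irregularly clocked registers offers no protection once two of them are known. The register lengths and the R1 taps follow the message; the R2/R3 taps, the middle-bit positions and the seed states are assumed placeholders.

```python
LEN = (19, 22, 23)                           # register sizes from the message
TAPS = ((18, 17, 16, 13), (21, 0), (22, 4))  # R1 per message (0-based); R2, R3 ASSUMED
MID = (9, 11, 11)                            # "middle" bit of each register: ASSUMED

def msb(r, n):
    return (r >> (n - 1)) & 1

def clock(r, n, taps):
    """Shift a register left one bit, feeding in the XOR of its tap bits."""
    fb = 0
    for t in taps:
        fb ^= (r >> t) & 1
    return ((r << 1) | fb) & ((1 << n) - 1)

def step(regs):
    """Output the XOR of the three MSBs; clock each register whose middle bit matches the majority."""
    out = msb(regs[0], 19) ^ msb(regs[1], 22) ^ msb(regs[2], 23)
    mids = [(r >> m) & 1 for r, m in zip(regs, MID)]
    maj = 1 if sum(mids) >= 2 else 0
    new = tuple(clock(r, n, t) if m == maj else r
                for r, n, t, m in zip(regs, LEN, TAPS, mids))
    return new, out

def run(regs, nbits):
    """Keystream plus an oracle for R3's middle bit at each step (stands in for correct guesses)."""
    ks, r3_mids = [], []
    for _ in range(nbits):
        r3_mids.append((regs[2] >> MID[2]) & 1)
        regs, b = step(regs)
        ks.append(b)
    return ks, r3_mids

def recover_r3(r1, r2, ks, r3_mids):
    """Each step gives msb(R3) = ks ^ msb(R1) ^ msb(R2); after k <= 22 clocks of R3
    that MSB is bit (22 - k) of R3's initial state. Returns {initial bit index: value}."""
    known, k = {}, 0
    for ks_bit, m3 in zip(ks, r3_mids):
        if k > 22: break          # beyond 22 clocks the MSB is a feedback bit, not a seed bit
        known.setdefault(22 - k, ks_bit ^ msb(r1, 19) ^ msb(r2, 22))
        m1, m2 = (r1 >> MID[0]) & 1, (r2 >> MID[1]) & 1
        maj = 1 if m1 + m2 + m3 >= 2 else 0   # the guessed m3 fixes the clocking
        r1 = clock(r1, 19, TAPS[0]) if m1 == maj else r1
        r2 = clock(r2, 22, TAPS[1]) if m2 == maj else r2
        k += int(m3 == maj)
    return known

def demo(seed=(0x5A3C7, 0x2B19E5, 0x4D2F0B)):  # constructed non-zero initial states
    ks, r3_mids = run(seed, 2000)
    rec = recover_r3(seed[0], seed[1], ks, r3_mids)
    return len(rec) == 23 and all(((seed[2] >> i) & 1) == v for i, v in rec.items())
```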


Message-ID: <199805051757.KAA23788@modmult.starium.com>
To: Cypherpunks Lite
Date: Fri, 24 Apr 1998 08:00:52 -0600
From: bill payne <billp@nmol.com>
CC: wire@monkey-boy.com, cyberia-l@listserv.aol.com, ukcrypto@maillist.ox.ac.uk,
cypherpunks@toad.com, whitfield diffie, ted lewis, rivest@theory.lcs.mit.edu,
ray kammer <"kammer"@nist.gov>, mab@research.att.com, marc rotenberg,
lwirbel@aol.com, L E Banderet, jssob@unm.edu, jimduram@onlinemac.com,
heather herrald, grassley, federico pena <"Federico.F.Pena"@hq.doe.gov>,
david sobel, c paul robinson, schneier@counterpane.com
Subject: SHIFT REGISTER technology

Friday 4/24/98 7:33 AM

John Young
J Orlin Grabbe
John Gilmore
The stuff on linear and non-linear shift register sequences which is now
appearing on jya.com is the 'military-grade' crypto technology.
Semionoff and http://www.jya.com/crack-a5.htm contains material
similar to what I saw Brian Snow present in schematics of NSA KG
units.
The statement by david.loos@eudoramail.com
The A5 algorithm uses a three level, non-linear feedback shift register
arrangement, designed to be sufficiently complex to resist attack.
points to the technology used for military-grade crypto.
The reason NSA regarded the R register, seen at
http://jya.com/whpfiles.htm, feedback function classified was that it
contained a non-linear feedback function.
I was ORDERED to build UNCLASSIFIED hardware. This is why I
stuck the R register feedback function in a fast ram.
This similarity between the structure of the nonlinear feedback function
in the CAVE algorithm seen at
http://www.semionoff.com/cellular/hacking/phreaking/
to the feedback function published in my SAND report

: A11
A1 A5 AND
A1 0= A9 0= AND XOR
A6 A10 XOR XOR ;

reveals "military-strength" technology.


SHIFT REGISTERS.
Words 'shift registers' also caused the Great American Spy Sting bust.
http://caq.com/CAQ/caq63/caq63madsen.html
The Cold War is over. And the crypto cat is now about fully out of the
bag.
Let's hope for settlement so that we can all go on to more constructive
tasks.
Later
bill

Message-ID: <354DC8CA.5D34@nmol.com>
Date: Mon, 04 May 1998 07:55:22 -0600
From: bill payne <billp@nmol.com>
To: jy@jya.com, masanori fushimi, w.chambers@kcl.ac.uk, inter@technologist.com
CC: lwirbel@aol.com, wire@monkey-boy.com, ukcrypto@maillist.ox.ac.uk,
cypherpunks@toad.com, ted lewis, hanson@vni.com
Subject: Period of sequences

Monday 5/4/98 7:22 AM

chambers,
Your statement
The advantages are a lack of mathematical structure which might provide
an entry for the cryptanalyst, and a huge choice of possibilities; the
disadvantages are that there are no guarantees on anything, and as is well
known there is a risk of getting a very short period.
made at http://www.jya.com/a5-hack.htm#wgc struck me as profound.
Reason is that NSA cryptomathematician Scott Judy once told me that I
did not really understand the principles NSA uses for its crypto
algorithm.
Judy proceeded to explain to me that NSA bases its crypto algorithm on
complication, not mathematics.

Judy apparently did not realize that some years previous NSA employee
Brian Snow showed us about all of NSA's KG schematics. And their
field failure records!
Masanori Fushimi in Random number generation with the recursion x[t]
= x[t-3p] + x[t-3q], Journal of Applied Mathematics 31 (1990) 105-118
implements a gfsr with period 2^521 - 1.
http://av.yahoo.com/bin/query?p=gfsr&hc=0&hs=0.
Fushimi's generator is sold by Visual Numerics.
Fushimi's implementation is very well tested. And worked SO WELL
that Visual Numerics numerical analyst Richard Hanson had TO BREAK
IT!
Reason was that the gfsr produces true zeros. This caused simulation
programs to crash from division by zero.
None of the linear congruential generators produced zeros so the problem
did not arise until the gfsr was used.
Hanson ORed in a low-order 1 to fix the problem.
Masanori wrote,
Lewis and Payne [16] introduced an apparently different type of generator,
the generalized feed back shift register (GFSR), by which numbers are
formed by phase-shifted elements along an M-sequence based on a
primitive trinomial 1 + z^q + z^p.
Lewis was one of my former ms and phd students. http://www.frictionfree-economy.com/
Cycle lengths of sequences is a fascinating topic.
Let me point you guys to a delightful article on the distribution of
terminal digits of transcendental numbers.
The Mountains of pi by Richard Preston, v68 The New Yorker, March 2,
1992 p 36(21).
This is a story about Russian-born mathematicians Gregory and David
Chudnovsky.
While the story is fun to read, I think that the Chudnovskys were
wasting their time.
I think that terminal digits of transcendental numbers have been proved
to be uniformly distributed.

Sobolewski, J. S., and W. H. Payne, Pseudonoise with Arbitrary
Amplitude Distribution: Part I: Theory, IEEE Transactions On
Computers, 21 (1972): 337-345.
Sobolewski, J. S., and W. H. Payne, Pseudonoise with Arbitrary
Amplitude Distribution: Part II: Hardware Implementation, IEEE
Transactions on Computers, 21 (1972): 346-352.
Sobolewski is another of my former phd students.
Hopefully you guys will read judge Santiago Campos' 56 page
MEMORANDUM OPINION AND ORDER on the Payne and Morales
lawsuit on jya.com within several days.
I made a copy and gave it to Sobolewski on Sunday afternoon.
I want Sobolewski's opinion on what Morales and I should do.
Sobolewski lives about two miles from us.
Sobolewski is an administrator [vp of computing at university of new
mexico] and knows how administrators think.
Let's hope this UNFORTUNATE mess involving shift register sequences
gets settled.
But let's not forget our sense of humors despite the about .5 million dead
Iranians.
Hopefully the system will take care of the guys that did the
Iranians.
Masanori wrote,
The GFSR sequence as well as the Tausworthe sequence can be
constructed using any M-sequence whether the characteristic polynomial
is trinomial or not;...
Jim Durham, my seismic data authenticator project leader, retired from
Sandia.
Durham gave me a number of tech reports upon his retirement.
One was authored by Robert TITSWORTHE of jpl.
TITSWORTHE changed his name!
Later
guys


To: ukcrypto@maillist.ox.ac.uk
CC: cryptography@c2.net, Ross.Anderson@cl.cam.ac.uk
Subject: Re: More on A5 strength
In-reply-to: Your message of "Thu, 23 Apr 1998 15:47:00
+0200." <m0ySMLJ-0003b8C@ulf.mali.sub.org>
Date: Fri, 24 Apr 1998 12:31:55 +0100
From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>
Message-ID: <E0ySghy-0002Nc-00@heaton.cl.cam.ac.uk>

> Does anyone see a shortcut there?


Last time I looked at it carefully I concluded that you only need to guess
the clock input bit half the time, so you need about 5 bit guesses giving
an overall complexity of 2^45. I could be wrong though - it's notorious
that you only get the real complexity of an attack when you implement
and test it.
Jovan Golic showed that you can get a 2^40 attack with a little more
work, and you can work back from a reconstructed state to get Kc. This
paper is worth studying; it's in the proceedings of Eurocrypt 97 (LNCS v
1233) pp 239-255 and entitled `Cryptanalysis of Alleged A5 Stream
Cipher'
Ross


Message-ID: <199804250312.NAA06926@avalon.qualcomm.com>
To: ukcrypto@maillist.ox.ac.uk
CC: cryptography@c2.net, Ross.Anderson@cl.cam.ac.uk
Subject: Re: More on A5 strength
In-reply-to: Your message of Fri, 24 Apr 1998 12:31:55
+0100. <E0ySghy-0002Nc-00@heaton.cl.cam.ac.uk>
Date: Sat, 25 Apr 1998 13:12:45 +1000
From: Greg Rose <ggr@qualcomm.com>

Ross Anderson writes:


>> Does anyone see a shortcut there?
>
>Last time I looked at it carefully I concluded that you only
>need to guess the clock input bit half the time, so you need
>about 5 bit guesses giving an overall complexity of 2^45. I
>could be wrong though - it's notorious that you only get the
>real complexity of an attack when you implement and test it.
I implemented this kind of attack about a year ago, and you're right, the
complexity is about 2^44 (measured).
Greg.


Message-ID: <199804261242.IAA30483@camel7.mindspring.com>
Date: Sun, 26 Apr 1998 08:41:28 -0400
To: cypherpunks@toad.com
From: John Young <jya@pipeline.com>
Subject: GSM A5 Papers

We would be grateful for assistance in obtaining copies of the following
papers, particularly the first:

S J Shepherd, "Cryptanalysis of the GSM A5 Cipher Algorithm",
IEE Colloquium on Security and Cryptography Applications to
Radio Systems, Digest No. 1994/141, Savoy Place, London, 3
June 1994, (COMMERCIAL-IN-CONFIDENCE).
S J Shepherd, "An Approach to the Cryptanalysis of Mobile
Stream Ciphers", IEE Colloquium on Security and Cryptography
Applications to Radio Systems, Digest No. 1994/141, Savoy
Place, London, 3 June 1994, (COMMERCIAL-IN-CONFIDENCE).
S J Shepherd, "Public Key Stream Ciphers", IEE Colloquium on
Security and Cryptography Applications to Radio Systems,
Digest No. 1994/141, pp 10/1-10/7, Savoy Place, London, 3 June
1994.
These are listed on Dr Shepherd's bio at:
http://vader.brad.ac.uk/finance/SJShepherd.html
