GSM CLONING
GSM (Global System for Mobile Communication)
• Most widely used cellular mobile phone system.
• First digital system to follow analog era.
• Specification designed by GSM Consortium in secrecy.
• Relied on Security by Obscurity.
• Distributed on need-to-know basis.
• Eventually leaked out and researchers have found many ways to break the GSM algorithms.
• One way was breaking COMP128 to retrieve the secret key from a SIM card.
A8: Session Key
COMP128: SRES, Session Key
A3: Signature Response
COMP128 Pseudocode:
• Input: 16 byte secret key, 16 byte RAND
• Output: 4 byte SRES, 8 byte session key (simoutput[12])
• Load RAND into x[16…31]
• Perform the following 8 times
– Load secret key into x[0…15]
– Compression
– Bits to Bytes
– Permutation (only on first 7 rounds)
• Compress 16 bytes to 12 bytes (simoutput)
• Return simoutput[ ]
Permutation:
• Bits to Bytes
• Only 4 bits in each entry
• Example shows bits for x[0] (bits 0, 17, 34, 51, 68, 85, 102, 119); x[1] gets bits 8, 25, 42, 59, 76, 93, 110, 127
[Figure: mapping of bits to bytes x[0], x[1], x[2]]
What went wrong?
• The design of a secure cryptosystem should follow Kerckhoffs’ principle.
• GSM design committee kept all security specifications secret.
Attacks on COMP128
• April 13, 1998: Marc Briceno (Director of the Smartcard Developer Association) and two U.C. Berkeley researchers, David Wagner and Ian Goldberg.
– The 128-bit Ki could be deduced by collecting around 150,000 chosen RAND-SRES pairs.
• May 2002: IBM side-channel attack (Partitioning Attack).
– 1000 random inputs, or 255 chosen inputs, or only 8 adaptively chosen inputs.
[Figure: COMP128 compression, Level 0 to Level 4, with inputs 128-bit Ki and 128-bit RAND]
Crypto-attack by B. and G.
• Information leaking.
• A narrow “pipe” exists in COMP128.
– Bytes i, i+8, i+16, i+24 at the output of the 2nd level depend only on bytes i, i+8, i+16, i+24 of the initial input.
• Birthday paradox.
• Differential technique.
[Figure: COMP128 compression, Level 0 to Level 4, with inputs 128-bit Ki and 128-bit RAND; value widths 8 bits, 8 bits, 7 bits, 6 bits, 5 bits, 4 bits]
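The narrow pipe follows from the butterfly indexing alone, which the Python below checks. This is an added example, not part of the original slides: the level indexing follows the publicly documented COMP128 compression loop, and the tables are constructed random stand-ins (an assumption), since the property does not depend on table contents.

```python
import random

def butterfly_pairs(level):
    """Index pairs (m, n) combined at one compression level (0..4) of the 32-byte state."""
    step = 1 << (4 - level)
    return [(l + k * 2 * step, l + k * 2 * step + step)
            for k in range(1 << level) for l in range(step)]

def dependency_sets(levels):
    """Input positions each state byte can depend on after `levels` levels (structure only)."""
    deps = [{i} for i in range(32)]
    for level in range(levels):
        for m, n in butterfly_pairs(level):
            deps[m] = deps[n] = deps[m] | deps[n]
    return deps

def make_tables(seed=1):
    """Constructed stand-ins, NOT the real COMP128 tables: table j has 2^(9-j) entries
    of (8-j)-bit values, matching the widths in the level diagram."""
    rng = random.Random(seed)
    return [[rng.randrange(1 << (8 - j)) for _ in range(1 << (9 - j))] for j in range(5)]

def compress(x, tables, levels):
    """Run the first `levels` butterfly levels over a copy of the 32-byte state."""
    x = list(x)
    for j in range(levels):
        mod = 1 << (9 - j)
        for m, n in butterfly_pairs(j):
            y, z = (x[m] + 2 * x[n]) % mod, (2 * x[m] + x[n]) % mod
            x[m], x[n] = tables[j][y], tables[j][z]
    return x

def pipe_is_narrow(i, trials=200, seed=2):
    """True if bytes i, i+8, i+16, i+24 after two levels ignore every other input byte."""
    rng, tables = random.Random(seed), make_tables()
    pipe = [i, i + 8, i + 16, i + 24]
    for _ in range(trials):
        a = [rng.randrange(256) for _ in range(32)]
        b = [rng.randrange(256) for _ in range(32)]
        for p in pipe:
            b[p] = a[p]          # the two states agree only on the four pipe positions
        out_a, out_b = compress(a, tables, 2), compress(b, tables, 2)
        if any(out_a[p] != out_b[p] for p in pipe):
            return False
    return True

if __name__ == "__main__":
    # x[0..15] holds Ki and x[16..31] holds RAND, so pipe 0 mixes Ki[0], Ki[8], RAND[0], RAND[8].
    print(sorted(dependency_sets(2)[0]))
    print(all(len(d) == 32 for d in dependency_sets(5)))
    print(pipe_is_narrow(0))
```

Only after all five levels does every byte depend on all 32 input bytes, which is why an early collision in one pipe survives to the output.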
Crypto-attack cont.
• After the compression at level 1, the correlated 32 bits become 28 bits.
• Transfer problem to Collision Attack.
• Alg. in the Random Oracle Model: FINDCOLLISION$(h, q)$
1. Choose $X_0 \subseteq X$, $|X_0| = q$
2. For each $x \in X_0$
3. do $y_x \leftarrow h(x)$
4. If $y_x = y_{x'}$ for some $x' \neq x$
5. then return $(x, x')$
6. else return (failure)
Crypto-attack cont.2
• The birthday paradox tells us that if we let $q \approx 1.17\sqrt{2^{28}} \approx 19170$, we have probability at least 1/2 to get a collision.
• The expectation of the number of queries: $E(q) = 20535$
• How many chances can we have? $2^{2 \times 8} = 2^{16} = 65536$
• The total expected queries to recover the entire 128 bit Ki is $20535 \times 8 = 164280$
• How fast can we get?
– Computational ability of IC: 6.25 queries/s
– Total recovery period: 7.3 hours.
Improvement on B. and G.
• Pre-compute 8 tables, each with $2^{32}$ entries.
• Every time we find a collision, just look up the corresponding tables to find the key.
• Space requirements: $8 \times 2^{32} \times 2 = 2^{36} = 64$ GB
• Limitation: The bottleneck of recovery time is dominated by computational time of IC. This technique could decrease computational requirement of PC, but the whole time won’t decrease so much.
Evaluation of B. G.’s Method
• Pros:
– Easy to implement.
– High accuracy.
– Doesn’t need physical access to the SIM card.
• Cons:
– Slow: 7.3 hours
– Spurious key
– Assumption
– Avoidance
Gains from B.G.’s Attack
• Necessity of the open design process
• Importance of the first round
• Aftermath of collisions
Partitioning Attack
• Side channels:
– Timing of operations
– Power consumption
– Electromagnetic emanations
• Cardinal Principle: Relevant bits of intermediate cycles and their values should be statistically independent of the inputs, outputs and sensitive information.
Partitioning Attack cont.
• Problems in COMP128:
– Huge correlation between MSB of R[0] and the beginning of the first compression.
– Substitution.
– Table look up operation.
– Implementation in IC.
Partitioning Attack cont.2
• Explanation for the correlation: X[i]=T0[K[i]+2*R[i]] and X[i+16]=T0[2K[i]+R[i]]
• Example:
– Byte1: All signals with R[0] in the range [0-26] and [155-255] fell in one category and all signals with R[0] in the range [27-154] fell into the other.
  K+2*26<256 and K+2*27>=256
  K=? K=202 or 203
– Byte2: R[0] in the range [0-105] signals fell in one category and [106-255] signals fell into the other.
  2*K+105<512 and 2*K+106>=512
  K=203
Partitioning Attack cont.3
• Efficiency
– 1000 samples with random inputs
– 256 chosen inputs
– 8 adaptively chosen inputs
Future Improvements
• COMP128-2 has replaced COMP128 to overcome some weaknesses.
• COMP128-3 is developed to generate 64 bits for Kc.
• COMP128-4 is under development, based on the 3GPP (3rd Generation Partnership Project) algorithm (AES).
[Figure: Input correlation for MSB of R[0]]