Page 1

GSM : How broken is it ?

Olivier BENJAMIN, 29 September 2011

WARNING: SecurIMAG is a security club at Ensimag. Thoughts, ideas and opinions are not related to Ensimag. The authors assume no liability including for errors and omissions.

Grenoble INP Ensimag


Page 2

Outline of the talk

SecurIMAG - GSM : How broken is it ? - Olivier BENJAMIN - 29/09/2011

● What is GSM

● The cryptographic system in GSM

● Barkan, Biham and Keller's attack on A5/2

● A tool you can use

Page 3

What is GSM


Stands for Global System for Mobile communications

Most used standard in all western countries

Old : first discussed in 1982, first standard published in the 1990s

Standard used in 2G phones (3G uses UMTS)

80% of the world's mobile phones

Page 4

How does it work

Phone communicates with nearest antenna

Based on a preshared key and challenge-response

Open, error-prone channel : use of error-correcting codes

The antenna is all-powerful : it chooses the encryption used

Page 5

There's got to be some crypto involved

Uses a set of ciphers : A5/0 (no encryption), A5/1, A5/2, A5/3

A5/2 is the weakest, but all have been broken over the years

The tower controls which one will be used

SIM (Subscriber Identity Module) contains a key

Tower sends a challenge, phone encrypts and replies


Page 6

There's got to be some crypto involved

The ciphers are all broken

A5/2 is the most broken : ciphertext-only attack

The other attacks use rainbow tables : too complicated

There are problems with the design of GSM

The ciphers are adapted to embedded technology

Page 7

Bad design in GSM

Weak to man-in-the-middle attacks : the base station chooses the cipher used, and all ciphers use the same key

First idea : build a fake base station (cell tower) and force the cell to use A5/0 → no encryption !!

Problems : the real network will not let you use A5/0, and you don't know the key → not much use

Page 8

Bad design in GSM

Better idea : build a fake base station, tell the phone to use the weakest cipher, recover the key → it's the same for all !!

Then impersonate the phone to the network and the network to the phone

You now have access to everything the phone sends

GSM is only as strong as its weakest cipher → that is why we only focused on A5/2

Page 9

What is A5/2

Stream cipher using 4 LFSRs (Linear Feedback Shift Registers)

The LFSRs are initialized from : a 64-bit secret key Kc, and a 22-bit initial value, the frame Id f (public)

    LFSR1 = LFSR2 = LFSR3 = LFSR4 = 0;
    for (int i = 0; i < 64; ++i) {             /* the 64 key bits */
        clockAllRegisters();                   /* during setup all four registers are clocked regularly */
        LFSR1[0] ^= Kc[i]; LFSR2[0] ^= Kc[i];  /* each key bit is XORed into the input bit (bit 0) of every register */
        LFSR3[0] ^= Kc[i]; LFSR4[0] ^= Kc[i];
    }
    for (int i = 0; i < 22; ++i) {             /* the 22 frame-number bits */
        clockAllRegisters();
        LFSR1[0] ^= f[i]; LFSR2[0] ^= f[i];
        LFSR3[0] ^= f[i]; LFSR4[0] ^= f[i];
    }
    LFSR1[15] = LFSR2[16] = LFSR3[18] = LFSR4[10] = 1;   /* one bit of each register is forced to 1 */

Page 10

Generation of the keystream


Page 11

What is A5/2

The first 99 bits of keystream are discarded

Message is split into 114-bit frames and XORed with keystream

Decryption is the same as encryption

Half the keystream used for phone to network, and vice-versa
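The keystream diagram of page 10 did not survive extraction. The C code below is an added example, not the talk's tool: it joins the page-9 key setup to the irregular clocking and output function of A5/2 as described by Barkan, Biham and Keller, and reproduces the 99-bit discard and 228-bit output of page 11. The loading order of key and frame bits, the clock-then-output order inside a step, and the assignment of the first 114 bits to the network-to-phone direction are assumptions of this example, as is the constructed key in the self-check.

```c
#include <stdint.h>
#include <string.h>
/* Register sizes, feedback taps, clock-control bits and output taps follow the A5/2 description
 * of Barkan, Biham and Keller. Assumed here: key/frame bit i (i ascending) is XORed into bit 0 after
 * a regular clock; in a step R4 clocks first, then R1..R3 by majority, then the output bit is taken. */
#define T1 ((1u<<13)|(1u<<16)|(1u<<17)|(1u<<18))  /* R1: 19 bits */
#define T2 ((1u<<20)|(1u<<21))                     /* R2: 22 bits */
#define T3 ((1u<<7)|(1u<<20)|(1u<<21)|(1u<<22))    /* R3: 23 bits */
#define T4 ((1u<<11)|(1u<<16))                     /* R4: 17 bits, the clock-control register */
#define B(r, i) (((r) >> (i)) & 1u)                /* bit i of register r */
static uint32_t r1, r2, r3, r4;
static uint32_t clk(uint32_t r, int len, uint32_t taps) {
    uint32_t fb = __builtin_parity(r & taps);      /* GCC/Clang builtin: XOR of the tapped bits */
    return ((r << 1) | fb) & ((1u << len) - 1);    /* shift; the feedback enters at bit 0 */
}
static uint32_t maj(uint32_t a, uint32_t b, uint32_t c) { return (a & b) | (a & c) | (b & c); }
/* Key setup of page 9: 64 key bits then 22 frame bits, all registers clocked regularly */
static void a52_init(const uint8_t kc[8], uint32_t frame) {
    r1 = r2 = r3 = r4 = 0;
    for (int i = 0; i < 86; i++) {
        uint32_t bit = i < 64 ? (kc[i / 8] >> (i % 8)) & 1u : (frame >> (i - 64)) & 1u;
        r1 = clk(r1, 19, T1) ^ bit; r2 = clk(r2, 22, T2) ^ bit;
        r3 = clk(r3, 23, T3) ^ bit; r4 = clk(r4, 17, T4) ^ bit;
    }
    r1 |= 1u << 15; r2 |= 1u << 16; r3 |= 1u << 18; r4 |= 1u << 10;  /* bits forced to 1 */
}
/* One keystream bit: R4 decides which of R1..R3 advance (the only non-linear part of A5/2) */
static uint32_t a52_step(void) {
    r4 = clk(r4, 17, T4);
    uint32_t m = maj(B(r4, 3), B(r4, 7), B(r4, 10));
    if (B(r4, 10) == m) r1 = clk(r1, 19, T1); if (B(r4, 3) == m) r2 = clk(r2, 22, T2);
    if (B(r4, 7) == m) r3 = clk(r3, 23, T3);
    return B(r1, 18) ^ maj(B(r1, 12), 1u ^ B(r1, 14), B(r1, 15))
         ^ B(r2, 21) ^ maj(1u ^ B(r2, 9), B(r2, 13), B(r2, 16))
         ^ B(r3, 22) ^ maj(B(r3, 13), B(r3, 16), 1u ^ B(r3, 18));
}
/* Page 11: discard 99 bits, then 228 bits = 114 per direction; XOR with a frame to encrypt or decrypt */
void a52_keystream(const uint8_t kc[8], uint32_t frame, uint8_t ks[228]) {
    a52_init(kc, frame);
    for (int i = 0; i < 99; i++) (void)a52_step();
    for (int i = 0; i < 228; i++) ks[i] = (uint8_t)a52_step();
}
/* Self-check with a constructed key: same (key, frame) gives the same keystream, another frame does not */
int a52_selfcheck(void) {
    const uint8_t kc[8] = {0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0};  /* constructed */
    uint8_t a[228], b[228], c[228];
    a52_keystream(kc, 0x2A4B1u, a); a52_keystream(kc, 0x2A4B1u, b); a52_keystream(kc, 0x2A4B2u, c);
    return memcmp(a, b, 228) == 0 && memcmp(a, c, 228) != 0;
}
```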


Page 12

What happens before the cipher

GSM uses radio waves → need for error correction

Fire Code

Convolution

Interleaving

→ This introduces a lot of redundancy


Page 13

The Fire code

Named after Philip Fire at Stanford in 1959

Cyclic code used to produce a CRC (Cyclic Redundancy Check)

Original Message → CRC (40 bits, e.g. 0111010111010100101011000111010110101101)

Generated by a polynomial

Results in a block of 228 bits (with 4 tail bits equal to 0)

Linear transformations → can be expressed as a matrix

Page 14

Convolution

Spreads the information over several bits

Depends on the parity of the output index :

C(2*k) = u(k) + u(k-3) + u(k-4) mod 2

C(2*k+1) = u(k) + u(k-1) + u(k-3) + u(k-4) mod 2

Results in a block of 456 coded bits

Here, the rate is 1/2


Page 15

Interleaving

Consists of a reorganisation of the bits

The aim is to spread the adjacent bits in case of error

Redundancy is concentrated because of convolution

Interleaving solves this : adjacent coded bits end up far apart on the channel

Doesn't change the size


Page 16

The order is important

After all these operations, the result is XOR-encrypted

Very bad mistake

The message carries much more redundancy after these steps than before

We transformed a 184-bit plaintext into a 456-bit one

We gave the attacker 272 free bits of information about the key
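To make the point of page 16 concrete, here is an added C example that is not part of the talk or its tool: it implements the page-14 encoder, derives the parity checks that every coded block satisfies whatever the message is, and shows that XOR-encrypting the block turns each check into an equation on keystream bits that the ciphertext alone reveals. The bit-per-byte layout and the LCG-generated sample block and keystream are constructed for this example.

```c
#include <stdint.h>
/* Rate-1/2 convolutional code from page 14: c(2k) = u(k)+u(k-3)+u(k-4) and
 * c(2k+1) = u(k)+u(k-1)+u(k-3)+u(k-4) (mod 2), with u(k) = 0 for k < 0. */
#define N_IN  228              /* 184 message bits + 40 Fire CRC bits + 4 tail bits */
#define N_OUT 456
static uint8_t u_at(const uint8_t *u, int k) { return k < 0 ? 0 : u[k]; }
void conv_encode(const uint8_t u[N_IN], uint8_t c[N_OUT]) {
    for (int k = 0; k < N_IN; k++) {
        c[2 * k]     = u_at(u, k) ^ u_at(u, k - 3) ^ u_at(u, k - 4);
        c[2 * k + 1] = u_at(u, k) ^ u_at(u, k - 1) ^ u_at(u, k - 3) ^ u_at(u, k - 4);
    }
}
/* Since c(2k) ^ c(2k+1) = u(k-1), every u(j) can be read back as c(2j+2) ^ c(2j+3);
 * substituting into the c(2k) equation gives one parity check per k in 4 .. N_IN-2:
 *   c(2k) ^ c(2k+2) ^ c(2k+3) ^ c(2k-4) ^ c(2k-3) ^ c(2k-6) ^ c(2k-5) = 0
 * It holds for every codeword, whatever the message says. */
static uint8_t check_parity(const uint8_t *x, int k) {
    const int off[7] = {0, 2, 3, -4, -3, -6, -5};
    uint8_t acc = 0;
    for (int i = 0; i < 7; i++) acc ^= x[2 * k + off[i]];
    return acc;
}
/* Number of the 223 checks that fail; 0 for any valid codeword */
int conv_failed_checks(const uint8_t c[N_OUT]) {
    int bad = 0;
    for (int k = 4; k <= N_IN - 2; k++) bad += check_parity(c, k);
    return bad;
}
/* Page 16's point: for ct = c ^ ks the check parity of ct equals the check parity of ks,
 * because the codeword part contributes 0. Each check is therefore a linear equation on
 * keystream bits obtained from the ciphertext alone. Returns how many of the 223 checks agree. */
int keystream_equations_from_ciphertext(const uint8_t ct[N_OUT], const uint8_t ks[N_OUT]) {
    int n = 0;
    for (int k = 4; k <= N_IN - 2; k++) n += (check_parity(ct, k) == check_parity(ks, k));
    return n;
}
/* Constructed demo: pseudo-random input block and keystream from an LCG (not A5/2);
 * the checks do not depend on the tail bits, so the block is filled at random throughout */
int conv_leak_demo(void) {
    uint8_t u[N_IN], c[N_OUT], ks[N_OUT], ct[N_OUT];
    uint32_t s = 0x2545F491u;
    for (int i = 0; i < N_IN; i++)  { s = s * 1103515245u + 12345u; u[i]  = (s >> 16) & 1u; }
    for (int i = 0; i < N_OUT; i++) { s = s * 1103515245u + 12345u; ks[i] = (s >> 16) & 1u; }
    conv_encode(u, c);
    for (int i = 0; i < N_OUT; i++) ct[i] = c[i] ^ ks[i];
    return conv_failed_checks(c) == 0 && conv_failed_checks(ct) > 0
        && keystream_equations_from_ciphertext(ct, ks) == N_IN - 5;
}
```

The 223 checks shown here come from the convolutional code alone; the remaining equations the slide counts come from the boundary positions and from the Fire CRC, which is linear as well.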


Page 17

The Attack

Introduced by Barkan, Biham and Keller in 2006-2007

Instant, Ciphertext-only

Needs precomputations (2h30, 4.08GB)

Recovery of the key used

Partly brute force


Page 18

Remember this ?


Page 19

The Attack

It is possible to obtain equations on the keystream

The key is in the LFSRs

Problem : the bits of L4 only control the clocking of the other registers, so they do not appear in the keystream equations !

→ We have to brute force the value of L4

→ 2^16 cases

→ Hence the precomputations

Page 20

The tool developed

(Very well) written in C

Multi-purpose, simulates the GSM chain

Attacks

Demo !!


Page 21

The End


Thank you for your attention !

Are there any questions ?