GSM Falls!!!

Last updated: Monday, 11 May 1998

Note: some typos in the original messages have been corrected.

Message-ID:

Date: Thu, 16 Apr 1998 17:52:59 +0200

From: Jesús Cea Avión

To: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]

Subject: GSM falls!!!

At last!!! Once again it is shown that obscurantism does not help to keep a "secret" safe.

It is now possible to clone SIM cards (Subscriber Identity Module), that is, to impersonate any GSM user. There is no need to modify the handset, since handsets are universal and the identity is provided by the card.

In this message I will try to collect and put some order into the furious flood of messages I have been receiving for the last couple of days, especially on the cypherpunks and cryptography lists. On Bugtraq barely a mention has appeared :).

The initial announcement was made last Monday the 13th, on the [email protected] and [email protected] lists:

The Smartcard Developer Association (SDA) and two U.C. Berkeley researchers jointly announced today that digital GSM cellphones are susceptible to cloning, contrary to the belief of even the telecommunication providers that have fielded them. [...] One of the discoveries that the SDA made about GSM security was a deliberate weakening of the confidentiality cipher used to keep eavesdroppers from listening to a conversation. This cipher, called A5, has a 64 bit key, but only 54 bits of which are used. The other ten bits are simply replaced with zeros. [...]

See http://www.scard.org/ for more info.

[Special thanks to Tim Hudson for authoring the smartcard interface code that made our work possible. We wouldn't have achieved what we did without it].

This message has set off a cascade of replies. I am storing them all in a Netscape folder and so far, after removing duplicates and irrelevant ones, I have 189 messages :). I will try to summarise the provisional conclusions in this message.

The original page for the attack is at http://www.scard.org/.

Several press articles have also appeared on the matter:

http://www.scard.org/press/19980413-01/

http://dailynews.yahoo.com/headlines/technology/wired/story.html?s=z/reuters/980413/wired/stories/security_4.html

http://www.pathfinder.com/time/magazine/1998/dom/980420/notebook.techwatch.levit24.html

http://cgi.pathfinder.com/netly/continue/0,1027,1898,00.html

http://cgi.pathfinder.com/netly/opinion/0,1042,1774,00.html

http://www.latimes.com/HOME/NEWS/BUSINESS/t000035457.1.html

A technical description of the attack can be found at:

http://www.isaac.cs.berkeley.edu/isaac/gsm-faq.html

http://www.isaac.cs.berkeley.edu/isaac/gsm.html

The attacked card belongs to the Pacific Bell network.

For now the attack requires physical access to the card to be duplicated; it is not possible to duplicate a SIM merely by listening to its over-the-air transmissions. That reduces the threat to the security of the system. In any case, it proves that the system is vulnerable, and the possibility of "over-the-air" attacks in the future is not ruled out.

The algorithm referred to as A3 in the GSM specification corresponds to the COMP128 algorithm, at least in many GSM networks worldwide.

The people who broke COMP128 (in less than a day) are the same ones who found a security flaw in the SSL implementation of the early versions of Netscape Navigator.

GSM authentication is based on sending challenges to the SIM card, which returns them suitably deciphered. The key used to encrypt/decrypt the challenges is supposed to be known only to the card and to the issuing organisation (network), but by sending different challenges to a SIM card the researchers managed to deduce the key in about 6 hours.

Apparently the GSM implementation was originally "weakened" under pressure from some European governments, to make surveillance and tracking easier for the police. COMP128 has a 64-bit key, but 10 of its bits appear to be consistently zero, which points to a clear intention to weaken the system.

The possibility of "over-the-air" attacks (without physical access to the SIM card) by sending challenges to a remote card is being investigated. That requires sending about 175,000 challenges to the card, which takes several hours. This kind of attack could be practical on the underground, for example, since there the phone has no coverage and will answer any authentication attempt sent to it. The attacker would only need to ride the same train as the victim for several days/weeks, sending challenges and collecting responses over that period. A typical SIM card answers challenges at a rate of 6.25 per second.

The number of challenges to send can be reduced at the cost of more computation on a personal computer, which is perfectly acceptable since that stage can be done "at home", without access to the SIM, and is easily parallelisable.

GSM networks can stop the attack by issuing higher-quality keys to their subscribers. That would mean distributing new SIM cards.

The behaviour of a GSM network with cloned phones varies widely. In some cases (Motorola) the network detects the duplicate and deactivates both phones. In other cases (in Europe as well as in the US and Asia) one of the phones rings at random. Many networks have no anti-fraud technology to detect this problem. In any case a cloned phone is perfectly usable, on any network, when the original phone is switched off or out of coverage.

Even so, cloning a SIM is far more expensive and complicated than cloning an analogue phone (in Spain, Telefónica's Moviline network).

An Internet search reveals that as early as 1994 Ross Anderson ([email protected]) sounded a warning, including the code of the supposedly confidential A5 algorithm:

From sci.crypt Fri Jun 17 17:11:49 1994

From: [email protected] (Ross Anderson)

Date: 17 Jun 1994 13:43:28 GMT

Newsgroups: sci.crypt,alt.security,uk.telecom

Subject: A5 (Was: HACKING DIGITAL PHONES)

The GSM encryption algorithm, A5, is not much good. Its effective key length is at most five bytes; and anyone with the time and energy to look for faster attacks can find source code for it at the bottom of this post.

The politics of all this is bizarre. Readers may recall that there was a fuss last year about whether GSM phones could be exported to the Middle East; the official line then was that A5 was too good for the likes of Saddam Hussein.

However, a couple of weeks ago, they switched from saying that A5 was too strong to disclose, to saying that it was too weak to disclose! The government line now pleads that discussing it might harm export sales.

Maybe all the fuss was just a ploy to get Saddam to buy A5 chips on the black market; but Occam's razor suggests that we are really seeing the results of the usual blundering, infighting and incompetence of bloated government departments.

Indeed, my spies inform me that there was a terrific row between the NATO signals agencies in the mid 1980's over whether GSM encryption should be strong or not. The Germans said it should be, as they shared a long border with the Evil Empire; but the other countries didn't feel this way, and the algorithm as now fielded is a French design.

A5 is a stream cipher, and the keystream is the xor of three clock controlled registers. The clock control of each register is that register's own middle bit, xor'ed with a threshold function of the middle bits of all three registers (ie if two or more of the middle bits are 1, then invert each of these bits; otherwise just use them as they are). The register lengths are 19, 22 and 23, and all the feedback polynomials are sparse.

Readers will note that there is a trivial 2^40 attack (guess the contents of registers 1 and 2, work out register 3 from the keystream, and then step on to check whether the guess was right). 2^40 trial encryptions could take weeks on a workstation, but the low gate count of the algorithm means that a Xilinx chip can easily be programmed to do keysearch, and an A5 cracker might have a few dozen of these running at maybe 2 keys per microsecond each. Of course, if all you want to do is break the Royal Family's keys for sale to News International, then software would do fine.

It is thus clear that A5 should be free of all export controls, just like CDMF and the 40-bit versions of RC2 and RC4.

Indeed, there seems to be an even faster attack. As the clock control is stop-go rather than 1-2, one would expect some kind of correlation attack to be possible, and on June 3rd, Dr Simon Shepherd of Bradford University was due to present an attack on A5 to an IEE colloquium in London. However, his talk was spiked at the last minute by GCHQ, and all we know about his attack is:

a. that sparse matrix techniques are used to reconstruct the initial state (this was published as a `trailer' in the April 93 `Mobile Europe');

b. that he used some of the tricks from my paper `Solving a class of stream ciphers' (Cryptologia XIV no 3 [July 90] pp 285 - 288) and from the follow-up paper `Divide and conquer attacks on certain classes of stream ciphers' by Ed Dawson and Andy Clark (Cryptologia XVIII no 1 [Jan 94] pp 25 - 40) (he mentioned this to me on the phone).

I believe that we have to stand up for academic freedom, and I hope that placing A5 in the public domain will lead to the embargo on Simon's paper being lifted.

Ross Anderson

APPENDIX - AN IMPLEMENTATION OF A5

The documentation we have, which arrived anonymously in two brown envelopes, is incomplete; we do not know the feedback taps of registers 2 and 3, but we do know from the chip's gate count that they have at most 6 feedback taps between them.

The following implementation of A5 is due to Mike Roe, and all comments and queries should be sent to him.

Message-ID:

Date: Fri, 24 Apr 1998 19:24:01 +0200

From: Jesús Cea Avión

To: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]

Subject: GSM falls!!! (part 2)

References:

This message tries to complement the text I sent a few days ago.

The GSM Alliance has issued an official statement on the subject. At the end of it I include a series of personal comments. A copy of the document can be found at http://jya.com/gsm042098.txt:

GSM Alliance Clarifies False & Misleading Reports of Digital Phone Cloning GSM Remains the Most Secure Commercial Wireless Technology (Business Wire; 04/17/98)

A coalition of wireless Personal Communications Services (PCS) providers has released [on 17 Apr 1998] facts to correct some misconceptions generated by the recent claim that several California researchers had found a weakness in the security of Global System for Mobile communications (GSM) technology, the world's most popular digital wireless standard.

The North American GSM Alliance, LLC - consisting of the eight largest GSM network operators in the United States and Canada - provided the following information in response to a number of erroneous published reports.

1. GSM phones are not vulnerable to cloning.

Researchers only claimed that, through a process of trial and error, they figured out how to copy information from the Subscriber Identity Module (SIM) card - a unique GSM feature that contains a customer's individual network access code. Duplicating a SIM card is not like cellular cloning since the network only recognizes one copy of a GSM phone number at a time. This is an important distinction, since it does not permit would-be thieves to fraudulently capture, duplicate and utilize a customer's phone number and account information by intercepting over-the-air transmissions and deciphering the data.

By contrast, information from ordinary analog cellular phones can be pulled out of the airwaves, copied and re-used multiple times. This illegal process, also known as "sniffing," is still not possible to do with GSM technology. The California group said that it needed physical access to a SIM card in order to duplicate it. While they believed copying theoretically could be done remotely, the group admitted that it was, in fact, unable to do so.

2. There is no risk to subscribers.

GSM's design process and proven functionality continues to offer the strongest level of commercial wireless security. GSM customers can have the highest degree of confidence that they are protected from over-the-air cloning.

In fact, thieves can more easily steal GSM phone service simply by stealing wireless handsets rather than producing counterfeit SIM cards. Once someone steals a SIM card, there's no need to copy it. The notion is as ridiculous as someone stealing an armored car full of money, then copying the bills inside! And since the GSM networks allow only one call at a time from any phone number, having multiple copies of a SIM is worthless. As an additional level of security GSM operators have procedures in place which would quickly detect and shut down attempted use of duplicate SIM card codes on multiple phones.

Nevertheless, customers should protect their wireless phones and SIM cards the same way they would protect their wallets and bank cards. Subscribers who lose their phone or SIM card should report it immediately to their wireless service company. The lost or stolen SIM can be de-activated to prevent others from using the account.

3. There is no risk of over-the-air eavesdropping.

The level of encryption used by GSM makes over-the-air eavesdropping nearly impossible. So far, no one claims that they can listen to the content of conversations or monitor data transmitted over the air on the GSM network, including governments and network operators. Confidentiality of GSM customer conversations remains intact and uncompromised.

4. The ability to copy a SIM card is nothing new.

It was always known that this could be done. Last weekend's announcement is really no different from processes GSM providers use all the time to encode smart chips. For several years now, educational institutions and scientific laboratories have demonstrated the capability to extract data from, and copy, smart cards. But it is an extremely complex task and would not be practical for stealing wireless phone service. Besides, even if a handset or SIM card were stolen, GSM operators have the ability and technological tools to shut down fraudulent service quickly.

5. The key code which protects a subscriber identity is not "fatally flawed."

This is a somewhat complicated subject. There are two different key codes: first, an authentication code - the A3 algorithm- that protects the customer's identity; second, an encryption code - the A5 algorithm - that ensures the confidentiality of conversations. It has been alleged that the authentication code (A3 algorithm) is weakened because only 54 of the 64 bits are used, with 10 bits being replaced by zeroes. In reality, those final 10 bits provide operators with added flexibility in responding to security and fraud threats. Additionally, the GSM algorithm that the researchers claimed to have broken is the "example" version provided by the international organization that governs the use of GSM technology to its approved carriers for them to create their own individual version. It may not be what is deployed in the market. Several operators have already decided to customize their codes, making them more sophisticated.

There has been some confusion about the various types of code used by GSM. In addition to the 64-bit authentication cipher, there is a more powerful voice encryption code (A5 algorithm) which helps keep eavesdroppers from listening to a conversation. This code was not involved in last weekend's announcement. Also, the speculation that GSM's encryption algorithms have been deliberately weakened because of pressure by the U.S. intelligence community is absolutely false.

Conclusion

While no human-made technology is perfect, customers can still rely on the privacy features and security of GSM's transmission technology. It remains the most secure commercial wireless communications system available today. More than 80 million customers in 110 countries use GSM phones and not one handset has been cloned since the first commercial service was launched in 1992.

North American GSM Alliance, L.L.C. is a consortium of U.S. and Canadian digital wireless PCS carriers, which helps provide seamless wireless communications for their customers, whether at home, in more than 1,000 U.S. and Canadian cities and towns, or abroad. Using Global Systems for Mobile (GSM) communications, GSM companies provide superior voice clarity, unparalleled security and leading-edge wireless voice, data and fax features for customers. Current members of the GSM Alliance include: Aerial Communications, Inc., BellSouth Mobility DCS, Cook-Inlet Western Wireless; Microcell Telecommunications Inc., Omnipoint Communications, LLC, Pacific Bell Mobile Services, Powertel, Inc., and Western Wireless, Corp., which continue to operate their own businesses and market under their own names.

CONTACT: For Additional Information: Terry Phillips, Omnipoint, (973) 290-2533 OR Mike Houghton, Communicreate, (703) 799-7383

I would like to comment on the press release, almost paragraph by paragraph:

1. GSM phones are not vulnerable to cloning

Even assuming the network were able to detect the existence of two identical SIMs, thereby preventing the "fraud", nothing stops the holder of the duplicated SIM card from using it exclusively during the hours when the legitimate subscriber has the handset switched off (at night, for example). Also, if that "detection capability" exists, an effective denial-of-service attack can be mounted against the legitimate subscriber, since the network would not let him make or receive calls.

2. There is no risk to subscribers

The press release says it is ridiculous to duplicate a SIM card when one already has access to the original, although my previous comment may provide a reason of "interest": the cards are, in the worst case, usable while the legitimate subscriber has the phone switched off.

There is a *VERY* serious risk: with a "cloned" card it is trivial (and undetectable) to decrypt the conversations encrypted with the original SIM card. That is, the cloned SIM card can be used not to make calls, but to decrypt conversations.

3. There is no risk of over-the-air eavesdropping

As noted further on, the algorithms protecting the user's identity and the communication itself are different. However, the key of one is derived from the other :-)). The document http://jya.com/gsm061088.htm seems to support the idea that the confidentiality keys are derived from the authentication key, which is precisely what has been attacked, successfully.

Moreover, as mentioned in my previous message, the possibility remains open of carrying out the attack without having the physical card, by sending challenges to, and receiving the responses from, a phone in the vicinity.

4. The ability to copy a SIM card is nothing new

Here, obviously, the GSM Alliance washes its hands. They say duplicating smart cards is nothing new. Naturally they do not mention that there are smart cards whose entire reason for existing lies precisely in their inability to be duplicated. SIM cards fall into this category, as do VISACASH purses, for example. Nobody would think that being able to duplicate a VISACASH purse with its 10,000 pesetas of content, say, as many times as one likes, is something of no importance.

What the article says, that duplicating a SIM card requires means beyond the reach of "ordinary people", is of no help. Apart from the fact that it is not reassuring at all, it is not even true. Anyone with a computer and a chip interface (which one can build for less than 500 pesetas) can reproduce the attack described in my last message.

5. The key code which protects a subscriber identity is not "fatally flawed."

It is true that the algorithms A3, A8, etc., described in the GSM specification are generic containers that do not specify any particular algorithm. The specification gives a series of algorithms as "examples", but each GSM network may implement its own. What is doubtful, however, is the motivation a GSM network would have to adopt algorithms different from those "officially" proposed while the technology was being developed. At http://jya.com/gsm061088.htm it says: "In particular, there is no need for a common GSM authentication algorithm. and different networks may use different algorithms. ( The algorithms do, however, need to have the same input and output parameters; in particular, the length of Kc is determined by the GSM cipher algorithm ). Never-the-less it is desirable that there is a GSM standard authentication algorithm which may be used by all networks which do not wish to develop a proprietary algorithm. There is just one candidate for such an algorithm; it was proposed by the German administration, and is analysed in Part VI of this report."

The key sentence is: "Never-the-less it is desirable that there is a GSM standard authentication algorithm which may be used by all networks which do not wish to develop a proprietary algorithm". How many GSM networks will have bothered to develop their own algorithms, when they were already being given one as an "example"?

On the other hand, the network is free to choose the A3 and A8 algorithms, which are the ones that certify the user's identity and provide the initial key for the confidentiality of the rest of the communication. Those algorithms are unconstrained, with no restrictions beyond those fixed by the protocol itself (key length, for example). Those algorithms, by the way, run on the card and never leave it.

However, the A5 algorithm, the one used to encrypt the conversation, runs both on the handset (not on the card) and on the network being used (so that the network can decrypt the conversation). This algorithm is FIXED for all GSM networks, thereby ensuring compatibility between all terminals and networks and making possible, for example, "roaming" on any GSM network in the world.

In any case the attack on A3 is not based only on its poor security (which is truly ridiculous :), but on the fact that of the 64 bits of its key only 54 are used. That means the search space is reduced 1024 times. That is, if the system were secure (which it is not) and breaking it meant trying every single possible key, and if, let us suppose, doing so took a YEAR working 24 hours a day, the reduction to 54 bits would mean finding the correct key *NOT* in a year, but in an average time of four hours and a maximum (worst case) of EIGHT AND A HALF HOURS.

"In reality, those final 10 bits provide operators with added flexibility in responding to security and fraud threats."

I would like to know which security and fraud threats they mean, and how reducing the security of the system can improve the operators' "ability to respond"...

New URLs complementing those published in my previous message:

Tracking of GSM phones and decryption of communications:

http://jya.com/gsm-cloned.htm

http://jya.com/gsm-snoop.htm

European legislation on the subject:

http://www.ii-mel.com/interception/europegb.html

Deliberate weakening of encryption keys when phones are exported to certain countries. GSM tracking:

http://www.ii-mel.com/interception/gsmgb.html

The Belgian case:

http://www.ii-mel.com/interception/belgiquegb.html

GSM security study. Official document from June 1998, distributed anonymously in "unclassified circles". It describes the cryptographic operation of the network and the algorithms used:

http://jya.com/gsm061088.htm

A3 and A8 algorithms (user authentication and generation of the key for communication confidentiality, respectively):

http://www.scard.org/gsm/a3a8.txt

Attack on A5 (communication confidentiality):

http://jya.com/crack-a5.htm

Detailed description of the original attack:

http://www.isaac.cs.berkeley.edu/isaac/gsm-faq.html

The A5 algorithm (conversation encryption) seems fairly secure, but since its key is derived from the challenge posed to the SIM card (A3/A8 algorithms), and A3 has been compromised, there is no need to "break" A5: its key is handed to us by A3/A8 itself if we know the secret key held in the SIM, which is precisely what has been achieved with the attack described these days.

Since the attack yields the secret key for the A3 and A8 algorithms, used respectively to authenticate the user and to establish the initial encryption key for the conversation (A5 algorithm), having a cloned card would allow:

- Making and receiving calls while the legitimate user has the handset switched off.

- Possibly making calls EVEN IF the legitimate user has the handset switched on and in use. It will depend on the network's control measures.

- Possibly receiving calls (with a 50% failure probability) even if the legitimate phone is in use. It will depend on the characteristics of the GSM network.

- If the network is protected against abuse (something that, given how new all this is, is unlikely), a cloned SIM card would allow the legitimate user's phone to be put out of service.

- Listening to the legitimate user's conversations.

Solution:

Reissue new SIM cards using more secure A3 and A8 algorithms instead of COMP128. This change requires no modification to the mobile terminals or to the network, except in the central authentication system (there may be a couple of them in a whole GSM network). The only cost would be that of creating and distributing the new cards. This is something one simply cannot close one's eyes to.
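The key agreement the message relies on (the A5 key comes out of A3/A8 on the card, so anyone holding the SIM's secret key derives the same key from the challenge sent in the clear) and the proposed fix (swap A3/A8 on the card and the authentication centre only), shown as an added example that is not part of the original messages. The HMAC-based A3/A8 stand-ins, the IMSI value and the duplicate-registration registry are constructed for illustration; the real COMP128 is not modelled.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple

# Kc is 64 bits on the wire, but the message says only 54 are used:
# the low 10 bits are forced to zero before the key reaches A5.
KC_UNUSED_BITS = 10

# Interface every A3/A8 must honour: (Ki, RAND) -> (SRES, Kc)
A3A8 = Callable[[bytes, bytes], Tuple[bytes, bytes]]


def a3a8_placeholder(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Constructed stand-in for the combined A3/A8 (HMAC-SHA256), NOT COMP128.
    Returns a 32-bit SRES and a 64-bit Kc with its 10 low bits zeroed."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    sres = digest[:4]
    kc = int.from_bytes(digest[4:12], "big")
    kc = (kc >> KC_UNUSED_BITS) << KC_UNUSED_BITS
    return sres, kc.to_bytes(8, "big")


def a3a8_operator_specific(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Second constructed algorithm, standing for an operator's own A3/A8
    (the fix the message proposes): different keyed function, same interface."""
    digest = hmac.new(ki, b"operator-X|" + rand, hashlib.sha512).digest()
    kc = int.from_bytes(digest[8:16], "big")
    kc = (kc >> KC_UNUSED_BITS) << KC_UNUSED_BITS
    return digest[:4], kc.to_bytes(8, "big")


@dataclass
class Sim:
    """Subscriber card: the only place besides the AuC where Ki exists."""
    imsi: str
    ki: bytes
    algo: A3A8 = a3a8_placeholder

    def run_gsm_algorithm(self, rand: bytes) -> Tuple[bytes, bytes]:
        return self.algo(self.ki, rand)


@dataclass
class AuthenticationCentre:
    """Home network AuC: issues (RAND, SRES, Kc) triplets on request."""
    keys: Dict[str, bytes]
    algo: A3A8 = a3a8_placeholder

    def triplet(self, imsi: str) -> Tuple[bytes, bytes, bytes]:
        rand = secrets.token_bytes(16)  # fresh 128-bit challenge
        sres, kc = self.algo(self.keys[imsi], rand)
        return rand, sres, kc


@dataclass
class BaseStation:
    """Visited network: never sees Ki, never runs A3/A8, only compares SRES.
    Keeps a registry so a second live registration of one IMSI is visible
    (the detection some networks perform, per the first message)."""
    auc: AuthenticationCentre
    active: Set[str] = field(default_factory=set)

    def register(self, sim: Sim) -> Tuple[bool, bool, bytes, bytes]:
        """Returns (accepted, duplicate_flag, RAND as sent over the air, Kc)."""
        rand, sres, kc = self.auc.triplet(sim.imsi)
        sres1, _kc1 = sim.run_gsm_algorithm(rand)  # card answers the challenge
        accepted = hmac.compare_digest(sres, sres1)
        duplicate = accepted and sim.imsi in self.active
        if accepted:
            self.active.add(sim.imsi)
        return accepted, duplicate, rand, kc


def kc_from_observed_rand(card: Sim, rand: bytes) -> bytes:
    """What any card holding the same Ki derives from the RAND it overhears:
    the very Kc the network uses for A5 on that session."""
    return card.run_gsm_algorithm(rand)[1]


def kc_search_space_reduction() -> Tuple[int, int]:
    """Effective Kc length and the factor by which zeroing 10 bits shrinks
    an exhaustive search (the '1024 times' figure in the message)."""
    return 64 - KC_UNUSED_BITS, 2 ** KC_UNUSED_BITS


if __name__ == "__main__":
    ki = secrets.token_bytes(16)
    auc = AuthenticationCentre({"IMSI-EXAMPLE": ki})   # constructed IMSI
    bts = BaseStation(auc)
    original = Sim("IMSI-EXAMPLE", ki)
    clone = Sim("IMSI-EXAMPLE", ki)                     # same Ki, same algorithm
    ok, dup, rand, kc = bts.register(original)
    print("auth ok:", ok, "duplicate:", dup)
    print("same-Ki card derives the session Kc:", kc_from_observed_rand(clone, rand) == kc)
    print("second registration of the IMSI flagged:", bts.register(clone)[1])
```

Swapping `a3a8_operator_specific` into both `Sim` and `AuthenticationCentre` leaves `BaseStation` untouched, which is the message's point that only the card and the central authentication system change.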

Message-ID:

Date: Mon, 27 Apr 1998 19:27:33 +0200

From: Jesús Cea Avión

To: Temas de Seguridad en Redes

Subject: Re: More GSM

References:

> OK, so I clone a GSM card and can use it to make calls
> billed to whatever poor sucker, but the part about listening in on
> conversations isn't so clear to me. [...]
> Am I wrong?

Obviously you are :).

Let me explain...

a. I switch on my handset.

b. The handset "listens" for the networks present, picks one of them (yours :) and requests registration.

c. The base station receives the request and proceeds to authenticate the user. To do so:

d. The base station requests a "challenge" from the operator registered in the user's SIM.

e. The authentication centre the user belongs to (which may be another network, if the user is "roaming") sends the base station three values: CHALLENGE, RESPONSE and KEY.

f. The base station sends CHALLENGE to the handset.

g. The handset passes CHALLENGE to the card.

h. The card, using the A3 algorithm, encrypts CHALLENGE (with a secret key known only to the card and to its authentication centre) and returns RESPONSE1 to the handset.

i. The handset sends RESPONSE1 to the base station.

j. The base station checks that RESPONSE1=RESPONSE. This is where authentication happens.

k. Simultaneously, the card encrypts CHALLENGE using the A8 algorithm and its secret key. The final result is KEY1.

l. The card passes KEY1 to the handset, which will use it as the encryption key for the A5 algorithm, the one that protects the handset's subsequent communications.

m. The base station will use the KEY value sent by the authentication centre to encrypt communications with the handset.

KEY1=KEY.

As can be seen, knowledge of the "secrets" lies only in the authentication centre and in the SIM. When the base station (which may belong to another company) requests a triplet of values, the authentication centre generates a random value for CHALLENGE and encrypts it with A3/A8 and the user's secret key to obtain RESPONSE and KEY.

I hope this explanation has made clear, first, how "roaming" works :) and, second, that knowing the A3, A8 and A5 algorithms (which, though initially confidential, are nowadays in the public domain) and the SIM's secret key, one can both impersonate the user and decrypt his conversations.

The latter is very simple. One just has to eavesdrop on the handset's registration with the network when it is switched on. During that registration the base station sends CHALLENGE. We "listen" to it with our duplicated SIM and from it (and the secret key) we can obtain KEY, which will be the key the handset and the base station use to "secure" the privacy of the communication.

If there are any questions...

The information that follows I have not previously sent to any mailing list. It is unpublished :-):

Attack on A3/A8:

At present the A3 and A8 algorithms correspond to COMP128 variants in most GSM networks. In fact A3/A8 are normally computed simultaneously using the same algorithm, as can be seen at http://www.scard.org/gsm/a3a8.txt.

The attack is possible not because of the 10-bit reduction of the key space (something discovered "after the fact"), but because of serious design problems in the algorithm itself, which would never have gone unnoticed had it been subjected to the scrutiny of the academic community.

In fact the card does not return the full COMP128 output, only its first 32 bits. At first sight that should make the attack far harder, since a collision in those 32 bits does not necessarily imply a collision in the whole of COMP128. The attack takes this into account by sending the card challenges that make a collision in those 32 bits, but not in the rest, very unlikely.

There is growing evidence that the 10-bit reduction of the key (A8 algorithm) was intentional, in order to let government agencies record calls.

In Europe, the Chaos Computer Group has also successfully cloned a GSM SIM card. The translated text can be found at http://www.dis.org/erehwon/eucracke.html, and the original at http://www.ccc.de/CRD/CRD240498.html. That site offers plenty of information, the software and the hardware schematic needed to clone your own card :-).

Apparently barely a couple of GSM networks in the world use algorithms other than COMP128 for A3/A8, which means that all of them are vulnerable to the attack.

Measures by the GSM companies:

In the midst of the uproar, the "Los Angeles Times" published the following text:

Bethesda, Md.-based Omnipoint Corp. said it plans to change the mathematical formulas used in its wireless phone service after two UC Berkeley researchers discovered a way to break the code that protects it. Omnipoint Executive Vice President George Schmitt said he's going to personalize Omnipoint's formula for identifying phones rather than use the general formulas of the global system for mobile communications, or GSM, digital wireless standard. Tim Ayers, a spokesman for the Cellular Telephone Industry Assn., said he expects most GSM operators to follow Omnipoint's lead. [...]

Naturally it is not said which algorithms will be used as A3/A8, which only means that the research community will not be able to examine them in depth before they are distributed in the new SIM cards. In other words, nothing guarantees that the new, non-public scheme does not have another design error like the one that made the COMP128 attack possible.

Attack on A5:

Message-ID:

Date: Thu, 23 Apr 98 15:47 +0200

From: [email protected] (Ulf Moller)

To: [email protected]

Subject: Re: More on A5 strength

In-Reply-To:

CC: [email protected]

Julian Assange wrote:

> I haven't read Ross's [45] - I doubt it is about A5 per se, but rather
> about chaining of multiple LFSR's (A5 uses three), (Ross, please
> correct me) - and Bruce (or someone else) has seen that Ross's attack
> applies to A5. Note that there are several versions of A5, some
> telco's have phones which use A5/7 - these latter versions tend to be
> even weaker than A5/2! It's worth noting that AP 16.5, to my knowledge
> is talking about the proposed (untested) reconstruction of A5, and not
> a confirmed implementation.

The excerpt of the leaked GSM Security Study at http://jya.com/gsm061088.htm contains an incomplete description of "The French Proposal for the Cipher" A5. The cipher consists of three feedback shift registers; the output stream is the XOR of the MSB of all three registers. The 19 bit register R1 is given in figure 1 (the LSB after the shift is the XOR of bits 19, 18, 17 and 14). The other registers are known to be 22 and 23 bits large, and their feedback functions are known to consist of only four XORs all together.

Clock control is based on the registers' middle bits (they do not say exactly which bit in a 22 bit register is "middle"). Each register is clocked based on its middle bit, inverted if less than two bits are set. So at least two registers are clocked in each step.

They mention how the keys are loaded, but the order of the bits is not given. So it seems to me that Ross used the same leaked document from which COMP128 has been reconstructed.

In his paper "On Fibonacci Keystream Generators", Ross states that the best known attack on A5 consists of guessing the state of R1 and R2 and working out R3 from the keystream. He writes, "There has been controversy about the work factor involved in each trial, and at least one telecom engineer has argued that this is about 2^12 operations giving a real attack complexity on A5 of 2^52 rather than the 2^40 which one might naively expect."

This known-plaintext attack does not depend on how the keys are loaded to the registers. To execute the attack, you need to know the feedback polynomials and the position of the "middle" bits, but the feasibility of the attack clearly does not depend on a particular choice of these (still unknown) parameters. So if the French A5 is in use, it can be broken in 2^52 decryptions.

Assume we have guessed the 40 bits of R1 and R2, and want to find R3, given the output keystream (that is ciphertext XOR the known plaintext). We get the MSB of R3 from knowing the MSB of R1 and R2 and the output bit, because the output stream is the XOR of the three MSBs. So if we can cycle the registers through and get all the 23 bits of R3, we have determined the initial state of R3 and can do test decryptions to see if the guess of R1 and R2 was right in the first place. (Note that this works for any feedback polynomial.)

However, not all registers are clocked in every step. Not knowing the middle bit of R3, in half the cases we don't know if R3 will be clocked, in the other half we don't know whether R1 or R2 will be clocked. But if we guess the middle bit correctly, we know which registers are clocked. Thus the MSBs of R1 and R2 in the next step are known and we can determine the content of the MSB of R3 from the output bit. Then, we guess the new middle bit, which determines the following step and again yields the MSB (bit 22 of the initial configuration). If we repeat this until we have the complete R3, guessing 11 bits gets us another 11 bits for free. (Does anyone see a shortcut there?)

What this means for the security of GSM depends on the GSM protocol. How much known plaintext does it provide? Are the frame sequence numbers that are mixed into registers known to eavesdroppers (otherwise they'd have to try ~2^52 decryptions on every frame)?

If the frame sequence numbers are known, the reduced keyspace might also help to break the encryption. Assuming the 10 zero-bits end up in R1, you guess the remaining 9 bits and fast-forward the register according to the random distribution that is given by the position in the stream you are trying to break (in each step R1 is clocked with probability 3/4). Then guess R2 and half of R3 as above.
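The generator structure described in the message above (three feedback shift registers, output = XOR of the three MSBs, each register stepped only when its "middle" bit agrees with the majority), as an added example that is not part of the original message or of any published A5 implementation. The register sizes 19/22/23 and the R1 taps come from the message; the R2/R3 taps and the clock-control bit positions are not on this page and are taken from the A5/1 description published later (Briceno, Goldberg and Wagner, 1999), so they are an assumption here. Key and frame-number loading are left out, since the message says their bit order was unknown: the registers are seeded directly from a constructed 64-bit value. The point of the model is to make the clocking rule precise and to check two claims from the message empirically: at least two registers move on every step, and each register moves about 3/4 of the time.

```python
"""Toy model of the three-register, majority-clocked stream cipher that the
message above reconstructs from the leaked GSM security study. Added example,
not code from the page or from any mailing-list author. Register sizes and
the R1 taps are from the message; R2/R3 taps and clock-control bit positions
are ASSUMED (A5/1 as published later). Key/frame loading is omitted."""
from collections import Counter
from typing import Dict, List, Tuple

# (length, feedback taps, clock-control "middle" bit). Bits are indexed from 0
# at the LSB; the MSB (bit length-1) of each register feeds the output XOR.
# R1's taps 18,17,16,13 are the message's "bits 19, 18, 17 and 14" counted from 1.
REGS: Tuple[Tuple[int, Tuple[int, ...], int], ...] = (
    (19, (18, 17, 16, 13), 8),   # R1: taps from the message, clock bit assumed
    (22, (21, 20), 10),          # R2: taps and clock bit assumed
    (23, (22, 21, 20, 7), 10),   # R3: taps and clock bit assumed
)
State = Tuple[int, int, int]


def majority(bits: List[int]) -> int:
    """Clock-control rule: the value held by at least two of the three middle
    bits ("inverted if less than two bits are set", as the message puts it)."""
    return 1 if sum(bits) >= 2 else 0


def seed_registers(seed64: int) -> State:
    """Split a constructed 64-bit seed into R1|R2|R3 (19 + 22 + 23 bits)."""
    r1 = seed64 & ((1 << 19) - 1)
    r2 = (seed64 >> 19) & ((1 << 22) - 1)
    r3 = (seed64 >> 41) & ((1 << 23) - 1)
    return (r1, r2, r3)


def step(state: State) -> Tuple[State, int, Tuple[bool, bool, bool]]:
    """Advance one step: clock every register whose middle bit agrees with the
    majority, then emit the XOR of the three MSBs. Returns the new state, the
    keystream bit, and which registers were clocked."""
    middle = [(state[i] >> REGS[i][2]) & 1 for i in range(3)]
    maj = majority(middle)
    new_state: List[int] = []
    clocked: List[bool] = []
    for i, (length, taps, _) in enumerate(REGS):
        reg = state[i]
        moved = middle[i] == maj
        if moved:
            feedback = 0
            for t in taps:
                feedback ^= (reg >> t) & 1
            reg = ((reg << 1) | feedback) & ((1 << length) - 1)
        new_state.append(reg)
        clocked.append(moved)
    out = 0
    for (length, _, _), reg in zip(REGS, new_state):
        out ^= (reg >> (length - 1)) & 1
    return ((new_state[0], new_state[1], new_state[2]), out,
            (clocked[0], clocked[1], clocked[2]))


def keystream(seed64: int, nbits: int) -> List[int]:
    """Produce nbits of keystream from a directly seeded state."""
    state = seed_registers(seed64)
    bits: List[int] = []
    for _ in range(nbits):
        state, out, _ = step(state)
        bits.append(out)
    return bits


def clock_statistics(seed64: int, nsteps: int) -> Dict[str, float]:
    """Measure the clocking behaviour the message describes: how many registers
    move per step (never fewer than two) and how often each one moves."""
    state = seed_registers(seed64)
    per_reg: Counter = Counter()
    fewest, most = 3, 0
    for _ in range(nsteps):
        state, _, clocked = step(state)
        n = sum(clocked)
        fewest, most = min(fewest, n), max(most, n)
        for i, moved in enumerate(clocked):
            per_reg[i] += int(moved)
    return {
        "min_clocked_per_step": fewest,
        "max_clocked_per_step": most,
        "r1_fraction": per_reg[0] / nsteps,
        "r2_fraction": per_reg[1] / nsteps,
        "r3_fraction": per_reg[2] / nsteps,
    }


if __name__ == "__main__":
    SEED = 0x0123456789ABCDEF          # constructed; not a real key
    print("first 32 keystream bits:", "".join(map(str, keystream(SEED, 32))))
    for k, v in clock_statistics(SEED, 10000).items():
        print(f"{k}: {v}")
```

Because the output bit is the XOR of the three MSBs and the clocking decision depends only on three bits of state, the model makes visible why the message counts the attack in terms of guessed middle bits: once the register moved in a given step is known, every step leaks one linear relation between the three MSBs. The measured fractions come out close to 3/4 for each register, which is the figure the message uses for R1.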

Message-ID:

To: Cypherpunks Lite

Date: Fri, 24 Apr 1998 08:00:52 -0600

From: bill payne

CC: [email protected], [email protected], [email protected], [email protected], whitfield diffie, ted lewis, [email protected], ray kammer, [email protected], marc rotenberg, [email protected], L E Banderet, [email protected], [email protected], heather herrald, grassley, federico pena, david sobel, c paul robinson, [email protected]

Subject: SHIFT REGISTER technology

Friday 4/24/98 7:33 AM

John Young, J Orlin Grabbe, John Gilmore

The stuff on linear and non-linear shift register sequences which is now appearing on jya.com is the 'military-grade' crypto technology.

Semionoff and http://www.jya.com/crack-a5.htm contain material similar to what I saw Brian Snow present in schematics of NSA KG units.

The statement by [email protected]

The A5 algorithm uses a three level, non-linear feedback shift register arrangement, designed to be sufficiently complex to resist attack.

points to the technology used for military-grade crypto.

The reason NSA regarded the R register, seen at http://jya.com/whpfiles.htm, feedback function classified was that it contained a non-linear feedback function.

I was ORDERED to build UNCLASSIFIED hardware. This is why I stuck the R register feedback function in a fast ram.

This similarity between the structure of the nonlinear feedback function in the CAVE algorithm seen at

http://www.semionoff.com/cellular/hacking/phreaking/

to the feedback function published in my SAND report

: A11 A1 A5 AND

A1 0= A9 0= AND XOR

A6 A10 XOR XOR ;

reveals "military-strength" technology.

SHIFT REGISTERS.

Words 'shift registers' also caused the Great American Spy Sting bust.

http://caq.com/CAQ/caq63/caq63madsen.html

The Cold War is over. And the crypto cat is now about fully out of the bag.

Let's hope for settlement so that we can all go on to more constructive tasks.

Later bill

Message-ID:

Date: Mon, 04 May 1998 07:55:22 -0600

From: bill payne

To: [email protected], masanori fushimi , [email protected], [email protected]

CC: [email protected], [email protected], [email protected], [email protected], ted lewis , [email protected]

Subject: Period of sequences

Monday 5/4/98 7:22 AM

chambers,

Your statement

The advantages are a lack of mathematical structure which might provide an entry for the cryptanalyst, and a huge choice of possibilities; the disadvantages are that there are no guarantees on anything, and as is well known there is a risk of getting a very short period.

made at http://www.jya.com/a5-hack.htm#wgc struck me as profound.

Reason is that NSA cryptomathematician Scott Judy once told me that I did not really understand the principles NSA uses for its crypto algorithm.

Judy proceeded to explain to me that NSA bases its crypto algorithm on complication, not mathematics.

Judy apparently did not realize that some years previous NSA employee Brian Snow showed us about all of NSA's KG schematics. And their field failure records!

Masanori Fushimi in "Random number generation with the recursion x[t] = x[x-3q] + x[t-3q]", Journal of Applied Mathematics 31 (1990) 105-118, implements a gfsr with period 2^521 - 1. http://av.yahoo.com/bin/query?p=gfsr&hc=0&hs=0.

Fushimi's generator is sold by Visual Numerics.

Fushimi's implementation is very well tested. And worked SO WELL that Visual Numerics numerical analyst Richard Hanson had TO BREAK IT!

Reason was that the gfsr produces true zeros. This caused simulation programs to crash from division by zero.

None of the linear congruential generators produced zeros so the problem did not arise until the gfsr was used.

Hanson ORed in a low-order 1 to fix the problem.

Masanori wrote,

Lewis and Payne [16] introduced an apparently different type of generator, the generalized feedback shift register (GFSR), by which numbers are formed by phase-shifted elements along a M-sequence based on a primitive trinomial 1 + z^q + z^p.

Lewis was one of my former ms and phd students. http://www.friction-free-economy.com/

Cycle lengths of sequences is a fascinating topic.

Let me point you guys to a delightful article on the distribution of terminal digits of transcendental numbers.

The Mountains of pi by Richard Preston, v68 The New Yorker, March 2, 1992 p 36(21).

This is a story about Russian-born mathematicians Gregory and David Chudnowsky.

While the story is fun to read, I think that the Chudnowsky's were wasting their time.

I think that terminal digits of transcendental numbers have been proved to be uniformly distributed.

Sobolewski, J. S., and W. H. Payne, Pseudonoise with Arbitrary Amplitude Distribution: Part I: Theory, IEEE Transactions On Computers, 21 (1972): 337-345.

Sobolewski, J. S., and W. H. Payne, Pseudonoise with Arbitrary Amplitude Distribution: Part II: Hardware Implementation, IEEE Transactions on Computers, 21 (1972): 346-352.

Sobolewski is another of my former phd students.

Hopefully you guys will read judge Santiago Campos' 56 page MEMORANDUM OPINION AND ORDER on the Payne and Morales lawsuit on jya.com within several days.

I made a copy and gave it to Sobolewski on Sunday afternoon.

I want Sobolewski's opinion on what Morales and I should do.

Sobolewski lives about two miles from us.

Sobolewski is an administrator [vp of computing at university of new mexico] and knows how administrators think.

Let's hope this UNFORTUNATE mess involving shift register sequences gets settled.

But let's not forget our sense of humors despite the about .5 million dead Iranians.

Hopefully the system will take care of the guys that did that did the Iranians.

Masanori wrote,

The GFSR sequence as well as the Tausworthe sequence can be constructed using any M-sequence whether the characteristic polynomial is trinomial or not;...

Jim Durham, my seismic data authenticator project leader, retired from Sandia.

Durham gave me a number of tech reports upon his retirement.

One was authored by Robert TITSWORTHE of jpl.

TITSWORTHE changed his name!

Later guys

To: [email protected]

CC: [email protected], [email protected]

Subject: Re: More on A5 strength

In-reply-to: Your message of "Thu, 23 Apr 1998 15:47:00 +0200."

Date: Fri, 24 Apr 1998 12:31:55 +0100

From: Ross Anderson

Message-ID:

> Does anyone see a shortcut there?

Last time I looked at it carefully I concluded that you only need to guess the clock input bit half the time, so you need about 5 bit guesses giving an overall complexity of 2^45. I could be wrong though - it's notorious that you only get the real complexity of an attack when you implement and test it.

Jovan Golic showed that you can get a 2^40 attack with a little more work, and you can work back from a reconstructed state to get Kc. This paper is worth studying; it's in the proceedings of Eurocrypt 97 (LNCS v 1233) pp 239-255 and entitled `Cryptanalysis of Alleged A5 Stream Cipher'.

Ross

Message-ID:

To: [email protected]

CC: [email protected], [email protected]

Subject: Re: More on A5 strength

In-reply-to: Your message of Fri, 24 Apr 1998 12:31:55 +0100.

Date: Sat, 25 Apr 1998 13:12:45 +1000

From: Greg Rose

Ross Anderson writes:

>> Does anyone see a shortcut there?
>
> Last time I looked at it carefully I concluded that you only
> need to guess the clock input bit half the time, so you need
> about 5 bit guesses giving an overall complexity of 2^45. I
> could be wrong though - it's notorious that you only get the
> real complexity of an attack when you implement and test it.

I implemented this kind of attack about a year ago, and you're right, the complexity is about 2^44 (measured).

Greg.

Message-ID:

Date: Sun, 26 Apr 1998 08:41:28 -0400

To: [email protected]

From: John Young

Subject: GSM A5 Papers

We would be grateful for assistance in obtaining copies of the following papers, particularly the first:

S J Shepherd, "Cryptanalysis of the GSM A5 Cipher Algorithm", IEE Colloquium on Security and Cryptography Applications to Radio Systems, Digest No. 1994/141, Savoy Place, London, 3 June 1994, (COMMERCIAL-IN-CONFIDENCE).

S J Shepherd, "An Approach to the Cryptanalysis of Mobile Stream Ciphers", IEE Colloquium on Security and Cryptography Applications to Radio Systems, Digest No. 1994/141, Savoy Place, London, 3 June 1994, (COMMERCIAL-IN-CONFIDENCE).

S J Shepherd, "Public Key Stream Ciphers", IEE Colloquium on Security and Cryptography Applications to Radio Systems, Digest No. 1994/141, pp 10/1-10/7, Savoy Place, London, 3 June 1994.

These are listed on Dr Shepherd's bio at:

http://vader.brad.ac.uk/finance/SJShepherd.html
