GSM : How broken is it ?
Olivier BENJAMIN, 29 September 2011
WARNING: SecurIMAG is a security club at Ensimag. Thoughts, ideas and opinions are not related to Ensimag. The authors assume no liability including for errors and omissions.
Grenoble INP Ensimag
Outline of the talk
SecurIMAG - GSM : How broken is it ? - Olivier BENJAMIN - 29/09/2011
● What is GSM
● The cryptographic system in GSM
● Barkan, Biham and Keller's attack on A5/2
● A tool you can use
What is GSM
Stands for Global System for Mobile communications
Most used standard in all western countries
Old : first discussed in 1982, first standard in the 1990s
Standard used in 2G phones (3G uses UMTS)
80% of the world's mobile phones
How does it work
Phone communicates with nearest antenna
Based on a preshared key and challenge-response
Open, error-prone channel : use of error-correcting codes
The antenna is all-powerful
It chooses the encryption used
There's got to be some crypto involved
Uses a set of ciphers : A5/0 (no encryption), A5/1, A5/2, A5/3
A5/2 is the weakest, but all have been broken over the years
The tower controls which will be used
SIM (Subscriber Identity Module) contains a key
Tower sends a challenge, phone encrypts and replies
There's got to be some crypto involved
The ciphers are all broken
A5/2 is the most broken : Ciphertext-only attack
The other attacks use rainbow tables : too complicated
There are problems with the design of GSM
The ciphers are adapted to embedded technology
Bad design in GSM
Weak to man-in-the-middle attacks
The base station chooses the cipher used
All ciphers use the same key
First Idea : Build a fake base station (cell tower)
Force the cell to use A5/0 → no encryption !!
Problems :
The real network will not let you use A5/0
You don't know the key
Not much use
Bad design in GSM
Better idea :
Build a fake base station
Tell the phone to use the weakest cipher
Recover the key → it's the same for all !!
Impersonate the phone to the network
Impersonate the network to the phone
You now have access to everything the phone sends
GSM is only as strong as its weakest cipher
→ That is why we only focused on A5/2
What is A5/2
Stream cipher using 4 LFSRs (Linear Feedback Shift Registers)
The LFSRs are initialized from :
A 64-bit secret key Kc
A 22-bit initial value : the Frame Id f (public)

LFSR1 = LFSR2 = LFSR3 = LFSR4 = 0;
/* Feed the 64 key bits, one per clock, into bit 0 of every register */
for (int i = 0; i < 64; ++i) {
    clockAllRegisters();
    LFSR1[0] ^= Kc[i]; LFSR2[0] ^= Kc[i];
    LFSR3[0] ^= Kc[i]; LFSR4[0] ^= Kc[i];
}
/* Feed the 22 bits of the public frame id the same way */
for (int i = 0; i < 22; ++i) {
    clockAllRegisters();
    LFSR1[0] ^= f[i]; LFSR2[0] ^= f[i];
    LFSR3[0] ^= f[i]; LFSR4[0] ^= f[i];
}
/* Force one bit of each register to 1 */
LFSR1[15] = LFSR2[16] = LFSR3[18] = LFSR4[10] = 1;
Generation of the keystream
What is A5/2
The first 99 bits of keystream are discarded
Message is split into 114-bit frames and XORed with keystream
Decryption is the same as encryption
Half the keystream used for phone to network, and vice-versa
What happens before the cipher
GSM uses radio waves → need for error correction
Fire Code
Convolution
Interleaving
→ This introduces a lot of redundancy
The Fire code
Named after Philip Fire at Stanford in 1959
Cyclic code used to produce a CRC (Cyclic Redundancy Check)
0111010111010100101011000111010110101101
Original Message → CRC
Generated by a polynomial
Results in a block of 228 bits (with 4 tail bits equal to 0)
Linear transformations → can be expressed as a matrix
Convolution
Spreads the information over several bits
Depends on the parity :
C(2*k) = u(k) + u(k-3) + u(k-4) mod 2
C(2*k+1) = u(k) + u(k-1) + u(k-3) + u(k-4) mod 2
Results in a block of 456 coded bits
Here, the rate is 1/2
Interleaving
Consists of a reorganisation of the bits
The aim is to spread the adjacent bits in case of error
Redundancy is concentrated because of convolution
This solves the problem
Doesn't change the size
The order is important
After all these operations, the result is XOR-encrypted
Very bad mistake
We have much more redundancy after
We transformed a 184-bit plaintext into a 456-bit one
We gave the attacker 272 free bits of information about the key
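Added example (not from the talk or its tool): the convolution stage alone, using the formulas from the Convolution slide, to show why XOR-encrypting after coding leaks linear relations on the keystream. Assumptions: the Fire code and interleaving are left out (interleaving is a fixed, public reordering of bits), the encoder starts from the all-zero state, and the keystream is random bits from rand() standing in for the cipher output; the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define INFO_BITS  228              /* block entering the convolution (slide value) */
#define CODED_BITS (2 * INFO_BITS)  /* 456 coded bits at rate 1/2 */

/* Bit k of the even (phase 0) or odd (phase 1) coded stream; 0 before the start. */
static int tap(const uint8_t *x, int k, int phase) {
    return k < 0 ? 0 : x[2 * k + phase];
}

/* Encoder from the slide: C(2k) = u(k)+u(k-3)+u(k-4),
 * C(2k+1) = u(k)+u(k-1)+u(k-3)+u(k-4), all mod 2. */
void conv_encode(const uint8_t *u, uint8_t *c) {
    for (int k = 0; k < INFO_BITS; k++) {
        int u0 = u[k], u1 = k >= 1 ? u[k - 1] : 0;
        int u3 = k >= 3 ? u[k - 3] : 0, u4 = k >= 4 ? u[k - 4] : 0;
        c[2 * k]     = (uint8_t)(u0 ^ u3 ^ u4);
        c[2 * k + 1] = (uint8_t)(u0 ^ u1 ^ u3 ^ u4);
    }
}

/* Parity check of that code: every valid coded block gives all zeros. */
void syndrome(const uint8_t *x, uint8_t *s) {
    for (int k = 0; k < INFO_BITS; k++)
        s[k] = (uint8_t)(tap(x, k, 0) ^ tap(x, k - 1, 0) ^ tap(x, k - 3, 0)
                       ^ tap(x, k - 4, 0) ^ tap(x, k, 1) ^ tap(x, k - 3, 1)
                       ^ tap(x, k - 4, 1));
}

/* Encode a random block, XOR it with a random keystream, then count the
 * positions where syndrome(ciphertext) == syndrome(keystream).
 * Only the ciphertext is needed to compute the left-hand side. */
int leaked_relations(unsigned seed) {
    uint8_t u[INFO_BITS], c[CODED_BITS], ks[CODED_BITS], ct[CODED_BITS];
    uint8_t s_ct[INFO_BITS], s_ks[INFO_BITS];
    int same = 0;
    srand(seed);
    for (int i = 0; i < INFO_BITS; i++) u[i] = (uint8_t)(rand() & 1);
    for (int i = 0; i < CODED_BITS; i++) ks[i] = (uint8_t)(rand() & 1);
    conv_encode(u, c);
    for (int i = 0; i < CODED_BITS; i++) ct[i] = (uint8_t)(c[i] ^ ks[i]);
    syndrome(ct, s_ct); syndrome(ks, s_ks);
    for (int k = 0; k < INFO_BITS; k++) same += (s_ct[k] == s_ks[k]);
    return same;
}

int main(void) { printf("%d of %d\n", leaked_relations(1u), INFO_BITS); return 0; }
```

Each ciphertext block therefore reveals 228 known linear combinations of keystream bits, whatever the plaintext was; encrypting before the error-correcting stages would not expose them.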
The Attack
Introduced by Barkan, Biham and Keller in 2006-2007
Instant, Ciphertext-only
Needs precomputations (2h30, 4.08GB)
Recovery of the key used
Partly brute force
Remember this ?
The Attack
It is possible to obtain equations on the keystream
The key is in the LFSRs
Problem : The bits of L4 do not influence the keystream !
→ We have to brute force the value of L4
→ 2^16 cases
→ Hence the precomputations
The tool developed
(Very well) written in C
Multi-purpose, simulates the GSM chain
Attacks
Demo !!
The End
Thank you for your attention !
Are there any questions ?