GSM CLONING

GSM (Global System for Mobile Communication)

• Most widely used cellular mobile phone system.• First digital system to follow analog era.• Specification designed by GSM Consortium in

secrecy.• Relied on Security by Obscurity.• Distributed on need-to-know basis.• Eventually leaked out and researchers have

found many ways to break the GSM algorithms.• One way was breaking COMP128 to retrieve the

secret key from a SIM card.

A8: Session Key

COMP128: SRES, Session Key

A3: Signature Response

COMP128 Pseudocode:

• Input: 16 byte secret key, 16 byte RAND• Output: 4 byte SRES, 8 byte session key

(simoutput[12])• Load RAND into x[16…31]• Perform the following 8 times

– Load secret key into x[0…15]– Compression– Bits to Bytes– Permutation (only on first 7 rounds)

• Compress 16 bytes to 12 bytes (simoutput)• Return simoutput[ ]

0 17 34 51 68 85 102 119… … … … … … … …Bits:

Bytes:

x[0] x[1] x[2]

Permutation:

- Bits to Bytes- Only 4 bits in each entry- Example shows bits for x[0], x[1] gets bits 8,25,42,59,76,93,110,127

What went wrong?

• Design of a security cryptosystem should be under the Kerckhoffs’ principle.

• GSM design committee kept all security specifications secret.

Attacks on COMP128

• April 13, 1998: Marc Briceno (Director of the Smartcard Developer Association and two U.C.Berkeley researchers-David Wagner and Ian Goldberg The 128bit Ki could be deduced by collecting around 150,000

chosen RAND-SRES pairs.

• May 2002:IBM Side-Channel attack (Partitioning Attack) 1000 random inputs, or 255 chosen inputs, or only 8 adaptively

chosen inputs.

Level 0

Level 1

Level 2

Level 3

Level 4

128-bit Ki 128-bit RAND

Crypto-attack by B. and G.

• Information leaking.

• A narrow “pipe” exists in COMP128. bytes i, i+8, i+16, i+24 at the output of the 2nd level depend only on

bytes i, i+8, i+16, i+24 of the initial input.

• Birthday paradox.

• Differential technique.

Level 0

Level 1

Level 2

Level 3

Level 4

128-bit Ki 128-bit RAND

8bits

8bits

7bits

6bits

5bits

4bits

Back

Crypto-attack cont.

• After the compression at level 1, • The correlated 32 bits 28 bits.• Transfer problem to Collision Attack.• Alg. in the Random Oracle Model FINDCOLLISION

1. Choose 2. For each 3. do4. If for some5. then return 6. else return (failure)

0 0{ }, | |X X x X q

0x X( )xy h x

x xy y x x( , )x x

( , )h q

Crypto-attack cont.2

• The birthday paradox tells us if let our , we have probability at least 1/2 to get a collision.• The expectation of the number of queries:

• How many chances can we have • The total expected queries to recover the entire 128 bit Ki is • How fast can we get? Computational ability of IC 6.25 queries/s Totally recovery period: 7.3 hours.

281.17 2 19170q

( ) 20535E q 2 8 162 2 65536

20535 8=164280

Improvement on B. and G.

• Pre-compute 8 tables each has entries.

• Every time we find a collision, just look up the corresponding tables to find the key.

• Space requirements: GB

• Limitation: The bottle-neck of recovery time is dominated by computational time of IC.

This technique could decrease computational requirement of PC, but the whole time won’t decrease so much.

322

32 368 2 2 2 64

Evaluation of B. G.’s Method

• Pros: Easily to implement. High accuracy. Doesn’t have to physical access to the SIM card.

• Cons: Slow: 7.3 hours Spurious key Assumption Avoidance

Gains from B.G.’s Attack

• Necessity of the open design process

• Importance of the first round

• Aftermath of collisions

Partitioning Attack

• Side channels: Timing of operations Power consumption Electromagnetic emanations

• Cardinal Principle: Relevant bits of intermediate cycles and their

values should be statistically independent of the inputs, outputs and sensitive information.

Partitioning Attack cont.

• Problems in COMP128:

Huge correlation between MSB of R[0] and the beginning of the first compression.

Substitution.

Table look up operation.

Implementation in IC.

Figure

Partitioning Attack cont.2

• Explanation for the correlation. X[i]=T0[K[i]+2*R[i]] and X[i+16]=T0[2K[i]+R[i]]

• Example: Byte1:All signals with R[0] in the range[0-26]

and [155-255] fell in one category and all signals with R[0] in the range[27-154] fell into the other.

Byte2: R[0] in the range[0-105] signals fell in one category and [106-255] signals fell into the other.

Graph

K+2*26<256

K+2*27>=256

K=? K=202 or 203

2*K+105<512 and 2*K+106>=512

K=203

Partitioning Attack cont.3

• Efficiency

1000 samples with random inputs

256 chosen inputs

8 adaptively chosen inputs

Future Improvements

• COMP128-2 has replaced the COMP128 to overcome some weakness

• COMP128-3 is develop to generate 64 bits for Kc.

• COMP128-4 is underdevelopment based on the 3GPP(3rd Generation Partnership Project) algorithm. (AES)

Input correlation for MSB of R[0]