Report

GSM Security: Cryptanalysis of A5/1 Arber Ceni – 07.02.2011 Overview (I) Motivation Description of A5/1 Time-memory tradeoff attacks 2 Golic 1997 Biryukov et al. 2000 Biham and Dunkelman 2000 Barkan, Biham and Keller 2003 COPACOBANA 2008 GSM Security: Cryptanalysis of A5/1 Arber Ceni Overview (II) Correlation attacks Ekdahl and Johansson 2003 Maximov, Johansson and Babbage 2005 Barkan and Biham 2006 Other attacks on GSM and A5 family ciphers Conclusions 3 GSM Security: Cryptanalysis of A5/1 Arber Ceni Motivation GSM has more than 3 billion customers and covers around 80% of the World’s population Every over-the-air conversation is protected by A5/1 GSM is the biggest cryptosystem ever deployed A5/1 developed in 1987 (older than 20 years) Many flaws discovered Many attacks conducted 4 GSM Security: Cryptanalysis of A5/1 Arber Ceni Description of A5/1 (I) GSM uses symmetric cryptography The same key Kc is used to encrypt and decrypt the conversation How is the Kc generated? Ki – root encryption key Unique for each subscriber A3 – authenticate the user to the mobile operator A8 – Generate Kc 5 GSM Security: Cryptanalysis of A5/1 Arber Ceni Description of A5/1 (II) Invented in 1987 Partially leaked in 1994 Reverse engineered by Briceno in 1999 Idea: Conversation as frames transmitted every 4,6 ms 228 bits+Kc+Fn=228 bits cyphertext 114 up, 114 down Three LFSRs 6 R1 – length 19; taping bits 13, 16,17,18; clocking bit 8 R2 – length 22; taping bits 20, 21; clocking bit 10 R3 – length 23; 7,20,21,22; clocking bit 10 GSM Security: Cryptanalysis of A5/1 Arber Ceni Description of A5/1 (III) Clocking 7 If the clocking bit agrees with the majority bit C1=C2=C3+1 => R1 and R2 are clocked Probability of each register to be clocked is 3/4 GSM Security: Cryptanalysis of A5/1 Arber Ceni Description of A5/1 (IV) Algorithm (initial state) 8 Zero all registers For each bit of the Kc: Rj[0]=Rj[0]+Kc[i], j=(1,2,3) Clock the registers ignoring the regular clocking mechanism For each bit of the Fn: Rj[0]=Rj[0]+Fn[i], j=(1,2,3) Clock the registers ignoring the regular clocking mechanism Clock the registers with the normal clocking mechanism for 100 rounds and discard the output GSM Security: Cryptanalysis of A5/1 Arber Ceni Description of A5/1 (V) Algorithm (ciphertext generation) 9 Clock the cipher 114 times using the normal stop/go fashion Produce 114 bits (keystream) by XOR-ing the MSBs of the three registers This keystream will be used to encrypt the communication between operator and mobile station XOR the keystream with the initial message to produce the ciphertext Do the same for the conversation between mobile station and operator GSM Security: Cryptanalysis of A5/1 Arber Ceni Time-memory tradeoff attacks – Golic 1997 Alleged but similar A5/1 cipher Divide and conquer Idea: Guess some bits of the state of the registers and find the others by solving linear equations Complexity: O(240.16) How many bits should we guess: 10 n n-ri+taui-1 if n ≤ ri-taui+1 otherwise 1+3n+4n/3 linear equations Linear independent if n< max(tau1,tau2,tau3)-1 Real A5/1: max(tau1,tau2,tau3)=10 => O(245.22) Time-memory tradeoff:102·K·M≥ 263.32 GSM Security: Cryptanalysis of A5/1 Arber Ceni Time-memory tradeoff attacks – Biryukov et al. 2000 (I) Store in HDD (prefix,state) pairs for special states starting with α = 16 bits Flaw of A5/1: clocking tap doesn’t affect output for 16 clocking cycles Produces 248 states instead of 264; further reduced to 240 Compare the prefix of an unknown state Red states R – special states; |R|= 248 Green states G – α is encountered in position 101-277; |G|= 177*248 235 stored red states with avg weight 12500 We can encounter a red state in 2 min of conversation with a probability of 61% 11 GSM Security: Cryptanalysis of A5/1 Arber Ceni Time-memory tradeoff attacks – Biryukov et al. 2000 (II) Random subgraph attack From stored special states, generate other special states A new function f makes this possible and inverting it produces the special state from an output bit. Time-memory tradeoff: M T | U | M= 236,|U|= 248, T= 224 and preprocessing 248 Attack Type Preprocessing steps Available Data Number of 73GB HDD Attack Time Biased Birthday attack(1) 242 2 minutes 4 1 second Biased Birthday attack(2) 248 2 minutes 2 1 second Random subgraph attack 248 2 seconds 4 minutes 12 GSM Security: Cryptanalysis of A5/1 Arber Ceni Time-memory tradeoff attacks – Biham and Dukelman 2000 (I) Wait until an event that gives a lot of information happens With some improvements to the previous attack, break A5/1 R3 not clocked for 10 consecutive times and R3[10,22] are known We get 20 clocking bits of R1 and R2 Other 11 bits from output stream Guessing 9 bits from R1 and 1 from R2, gives both registers Guessing 10 bits from R3, gives the other 11 bits of R3 Complexity: O(227) 220 possible starting points for R3 13 Complexity: O(247) GSM Security: Cryptanalysis of A5/1 Arber Ceni Time-memory tradeoff attacks – Biham and Dukelman 2000 (II) Improve the techniques of the previous attack Compute two tables: next-state table – stores the states in the computed order Pointer table – stores the location of the state Total Complexity computed: 14 220 – possible start points for R3 212 – possible guesses each of them 21.53 values which cost 2 cycles (next-state lookup) 24.53 – values for 10 guesses of R3 each of these clocked and checked in pointer table =>2 cycles each check needs to be clocked twice 220 *212 * 21.53 *2* 24.53 *(1+1+2*0.88)= 240.97 A5/1 clocking cycles GSM Security: Cryptanalysis of A5/1 Arber Ceni Time-memory tradeoff attacks – Barkan, Biham and Keller 2003 Man-In-The-Middle attack 1st attack 2nd attack Ask the network and the victim to start a conversation with no encryption A5/0 This is probable to be discovered by the operator 3rd attack 15 Ask the victim to start encrypting with A5/2 Break A5/2 (which is easier) and send the authentication to the server The operator initiate the authentication procedure rarely The attacker asks the victim to encrypt with A5/2 Brake A5/2 and use it later GSM Security: Cryptanalysis of A5/1 Arber Ceni Time-memory tradeoff attacks – COPACOBANA 2008 120 parallel FPGAs (Field-Programmable Gate Array) Offers better performance-cost ratio Can be connected to normal PC Using COPACOBANA: 114 known bits (1 frame) Preprocessing time: three months Memory: 4.85 TB Online phase: 10.09 s Success rate: 63% 16 Can be increased to 96% Must increase the output stream length to 4 frames GSM Security: Cryptanalysis of A5/1 Arber Ceni Correlation attacks – Ekdahl and Johansson 2003 (I) Based on correlation attacks Uses bad initialization of the cipher Key and frame number initialized linearly Is not exponential to the length of registers Assuming that the registers are clocked exactly 76 times we get a probability of knowing the first output 1 2 3 P( s76 s76 s76 O(j76,76,76,1) ) P(assum ptioncorrect) 1 P(assum ptionwrong) 1 / 2 For all the positions we can write: 17 GSM Security: Cryptanalysis of A5/1 Arber Ceni Correlation attacks – Ekdahl and Johansson 2003 (II) p(jcl1 ,cl2 ,cl3 ) P((cl1 , cl2 , cl3 ) in vth position) vI O(jcl1 ,cl2 ,cl3 ,v 100 ) 0 1 / 21 P((cl1 , cl2 , cl3 ) in vth position) vI P((cl1,cl2, cl3) in vth position) can be computed recursively: P((cl1,cl2, cl3) in vth position) = F(cl1,cl2,cl3,v) where: F (cl1 , cl2 , cl3 , v) 0 if cl1 0, cl2 0 and cl3 0 F (cl1 , cl2 , cl3 , v) 0 if cl1 0 or cl2 0 or cl3 0 F (cl1 , cl2 , cl3 , v) 0 if cl1 v or cl2 v or cl3 v F (cl1 , cl2 , cl3 , v) 0.25F (cl1 1, cl2 1, cl3 1, v 1) 0.25F (cl1 , cl2 1, cl3 1, v 1) 0.25F (cl1 1, cl2 , cl3 1, v 1) 0.25F (cl1 1, cl2 1, cl3 , v 1) 18 GSM Security: Cryptanalysis of A5/1 Arber Ceni Correlation attacks – Ekdahl and Johansson 2003 (III) Log-likelihood of all probabilities: m p(jcl1 ,cl2 ,cl3 ) j 1 1 p(jcl1 ,cl2 ,cl3 ) A( cl1 ,cl2 ,cl3 ) ln If A>0 then the output of the cipher = 0 If A<0 then the output of the cipher = 1 This attack requires: 19 5 minutes of GSM conversation Less than 5 minutes to recover the key With a success rate of more than 70% GSM Security: Cryptanalysis of A5/1 Arber Ceni Correlation attacks – Maximov, Johansson and Babbage 2005 Improve the attack of Ekdahl and Johansson Try to reduce the number m of needed frames Based on two new flaws of A5/1 Error-correction codes are applied before encryption During silence a special kind of frame containing a large number of zeros is sent They also make use of the log-likelihood to find the key, but they use some improved estimators Result: 20 A few seconds of conversation (2000-5000 frames => 9-43s) Less than one minute of computation GSM Security: Cryptanalysis of A5/1 Arber Ceni Correlation attacks – Barkan and Biham 2006 Based on conditional estimators Based on previous correlation attacks Exploit three new weaknesses of the R2 register Alignment property Has only two feedback taps which are adjacent Symmetry property – the clocking tap is at the middle of the register Steps: Compute conditional estimators Decode these estimators to find best candidates for S1 and S2 Modeled as a huge graph in which can be applied Dijkstra-like algorithms For each of these candidates recover candidates for S3. Recover the key from S1,S2,S3 and verify that is the correct one Results: 21 2000 frames; completes in tens of seconds; success rate is 91% GSM Security: Cryptanalysis of A5/1 Arber Ceni Other attacks on GSM and A5 family ciphers (I) FBDD based attack Developed by Krause 2002 Complexity: nO(1)2(1-α)/(1+ α)n. α is a constant For A5/1 complexity: nO(1)20.6403n Eavesdrop without cryptanalysis MITM attack Record RAND;record ciphertext=>output stream of the cipher Later: 22 Send the frame number and message to the target mobile The frame number is the same so the message can be decrypted GSM Security: Cryptanalysis of A5/1 Arber Ceni Other attacks on GSM and A5/1 family ciphers (II) Open source project (Nohl 2009) Precompute rainbow tables The compressed codebook of A5/1 Used parallelization (FPGA) to reduce precomputing time First public project to release the tables 1st attack: MITM attack Fake base station Cheap radio equipment Open source software – OpenBTS 2nd 23 attack Passive attack Uses the precomputed rainbow tables Everybody can contribute GSM Security: Cryptanalysis of A5/1 Arber Ceni Other attacks on GSM and A5/1 family ciphers (III) New A5/3 again weak Made public Based on KASUMI block cipher Also weak: 24 Modification of MISTY By applying a sandwich attack 226 data, 230 bytes of memory, can complete in 232 time The authors claim this is realistic and have simulated the attack in a PC GSM Security: Cryptanalysis of A5/1 Arber Ceni Conclusions Most of the attacks presented here, don’t make any claim for the real implementation of A5/1 in the fielded GSM However, some of them yes Breaking A5/1 has become an open source project! The new A5/3 is also weak! The cryptosystem used in GSM should be changed 25 It is the biggest cryptosystem ever deployed It is not used only for conversation Used for banking information, payment, bank transfer etc GSM Security: Cryptanalysis of A5/1 Arber Ceni Thank you! Questions? 26 GSM Security: Cryptanalysis of A5/1 Arber Ceni