As A3 and A8 are not further specified, operators can freely choose the concrete algorithms used for A3 and A8. There are three of them:

- COMP: original algorithm with known weaknesses
- COMP: stronger algorithm which still clears the 10 rightmost bits of Kc
- COMP: same algorithm as COMP with all 64 bits of Kc generated

All of them are built around a compression function with two bits inputs and one bits output, hence their names. Ki and RAND are used as the inputs of the compression function.

COMP description

COMP uses a compression function with eight rounds which is based on a butterfly structure with five stages. SRES is filled with the first 32 bits of the output. Kc is filled with the last 54 bits of the output followed by ten zeroes.

Author: Mabei Tell
Country: Saint Lucia
Language: English (Spanish)
Published (Last): 7 February 2008

GSM is the most widely used mobile phone system in the world. GSM was the first digital design to follow the analog era. It was supposed to make mobile communication more secure than its analog counterparts. However, at the start of GSM, there were big security flaws. Many have been fixed, while others may still exist. This report will discuss one such security flaw that allows an adversary to retrieve the secret key.

This has been fixed. This allowed for the algorithms to be weak. Despite strict distribution only to manufacturers who needed this information, the GSM algorithms were leaked to the public. Most, if not all, of the vulnerabilities found since GSM was deployed could have been prevented had the Consortium allowed the public to scrutinize the specification.

A5: The encryption algorithm used in the GSM system.

A8: The key generation algorithm used in the GSM system.

AuC: Authentication Center. The AuC register is used for security purposes.

The RAND is a randomly generated challenge.

Unfortunately the COMP algorithm is broken so that it gives away information about its arguments when queried appropriately. This is an undesired and unacceptable side effect in a one-way function.

GSM: Global System for Mobile communications, a mobile phone system based on multiple radio cells (cellular mobile phone network).

The Kc is generated after every authentication initiated by the MSC. The Kc is never transmitted over the air.

MS: Mobile Station, the mobile phone.

The MSC performs the switching functions of the network. It also provides a connection to other networks.

NSS: Network and Switching Subsystem. Its main role is to manage the communications between the mobile users and other users, such as mobile users, ISDN users, fixed telephony users, etc. It also includes the databases needed to store information about the subscribers and to manage their mobility.

The SIM identifies a subscriber. The SIM is supposed to be tamper-proof, so that the Ki cannot be retrieved from it.

RAND is sent to the user.

Now the user is connected to the network with Kc as the session key. SRES is computed using the authentication algorithm A3. Given a bit random number and the bit secret key, A3 outputs a bit value which is called the SRES. Note that the last 10 bits of the session key are set to 0.
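The Kc layout described above (the last 54 bits of the output followed by ten zeroes, and the note that the last 10 bits of the session key are set to 0) can be checked from the defender's side when auditing SIMs. The following Python is an added example, not code from the original report; it assumes a 128-bit final output (a width this page does not state), and the function names and sample keys are constructed for illustration.

```python
from fractions import Fraction
from typing import Optional

OUT_BITS = 128  # assumption: width of the final output, not stated on this page

def split_output(out: bytes) -> tuple[bytes, bytes]:
    """Fill SRES and Kc from the final output as the text describes."""
    if len(out) * 8 != OUT_BITS:
        raise ValueError("expected a 128-bit output")
    n = int.from_bytes(out, "big")
    sres = n >> (OUT_BITS - 32)           # first 32 bits
    kc = (n & ((1 << 54) - 1)) << 10      # last 54 bits followed by ten zeroes
    return sres.to_bytes(4, "big"), kc.to_bytes(8, "big")

def low_bits_cleared(kc: bytes) -> bool:
    """True when the 10 rightmost bits of a 64-bit Kc are zero."""
    if len(kc) != 8:
        raise ValueError("Kc must be 64 bits")
    return int.from_bytes(kc, "big") & 0x3FF == 0

def audit_kcs(kcs: list[bytes]) -> tuple[str, Optional[Fraction]]:
    """Classify a SIM from session keys logged during authentication tests.

    For a 'weakened' verdict the second value is the chance that a variant
    generating all 64 bits would show this pattern by accident: 2^(-10*n).
    """
    if not kcs:
        raise ValueError("need at least one Kc")
    if all(low_bits_cleared(k) for k in kcs):
        return "weakened", Fraction(1, 2 ** (10 * len(kcs)))
    return "full", None  # a single non-zero low bit rules out the clearing

if __name__ == "__main__":
    # Constructed sample keys (not captured from any real SIM).
    sim_a = [bytes.fromhex(h) for h in ("24282c3034383c00", "9f3a51c4e07b6400")]
    sim_b = [bytes.fromhex(h) for h in ("24282c3034383c00", "9f3a51c4e07b64a7")]
    for name, kcs in (("sim_a", sim_a), ("sim_b", sim_b)):
        verdict, odds = audit_kcs(kcs)
        print(name, verdict, odds)
```

A "weakened" verdict means the session key has only 54 unknown bits instead of 64, which is the property to flag when deciding which SIMs to replace.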

By checking the implementation of COMP, we have discovered that the authentication and session key generation of the GSM system are not strong enough to resist an attack.

Once the key is compromised, it is possible to make fraudulent calls which will be billed to the victim. The vulnerability can be attributed to a serious failing of the GSM security design process. The GSM committee kept all security specifications secret. Experts have learned over the years that the only way to assure security is to follow an open design process, encouraging public review to identify flaws. On April 13, Ian Goldberg and Marc Briceno published an article which described a method to recover the secret key by querying the SIM card about , times.

It is based on side channels and could retrieve the key in several minutes. Since the second level has only 7 valid bits per byte, the birthday paradox guarantees that collisions will occur pretty rapidly. If the computational ability of IC is 6. Suggestion on B. Pre-compute eight tables. Each having entries each. Every time we find a collision, just look up the corresponding tables to find the key. However, the bottleneck of recovery time is dominated by the computational time of the IC.

Evaluation of B.


Security Algorithms



COMP128 algorithm a3/a8






The COMP128 algorithm and the SIM card

