GSM CLONING - PowerPoint PPT Presentation

Slides: 25
Provided by: ccs4

Transcript and Presenter's Notes

1
GSM CLONING
2
GSM (Global System for Mobile Communication)
  • Most widely used cellular mobile phone system.
  • First digital system to follow the analog era.
  • Specification designed by the GSM Consortium in secrecy.
  • Relied on security by obscurity.
  • Distributed on a need-to-know basis.
  • Eventually leaked out, and researchers have found many ways to break the
    GSM algorithms.
  • One way was breaking COMP128 to retrieve the secret key from a SIM card.

3
(No Transcript)
4
(No Transcript)
5
A8 Session Key
A3 Signature Response
COMP128 SRES, Session Key
6
COMP128 Pseudocode
  • Input: 16-byte secret key, 16-byte RAND
  • Output: 4-byte SRES, 8-byte session key (simoutput[12])
  • Load RAND into x[16..31]
  • Perform the following 8 times:
    • Load secret key into x[0..15]
    • Compression
    • Bits to Bytes
    • Permutation (only on first 7 rounds)
  • Compress 16 bytes to 12 bytes (simoutput)
  • Return simoutput

7
(No Transcript)
8
Permutation
  • Bits to Bytes
  • Only 4 bits in each entry
  • Example shows bits for x0; x1 gets bits 8, 25, 42, 59, 76, 93, 110, 127

[Figure: bits-to-bytes mapping. Labels: Bits, Bytes, x0, x1, x2; bit indices 0, 17, 34, 51, 68, 85, 102, 119]
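
The bit selection on this slide, as an added example (not part of the original presentation). It assumes the index rule (8j + k)·17 mod 128 and MSB-first bit order from the publicly circulated COMP128 reference code; function names and the sample inputs are constructed for illustration.

```python
# Added illustration: COMP128 "bits to bytes" + permutation step.
# Assumption: output byte j takes, MSB first, the bits at index
# ((8*j + k) * 17) % 128 for k = 0..7 (public reference code).

def nibbles_to_bits(x):
    """Expand 32 four-bit table outputs into 128 bits, MSB of each nibble first."""
    return [(v >> (3 - k)) & 1 for v in x for k in range(4)]

def source_bits(j):
    """Indices of the 8 input bits that form output byte j (MSB first)."""
    return [((8 * j + k) * 17) % 128 for k in range(8)]

def permute(x):
    """Map 32 nibbles to the 16 bytes that are reloaded for the next round."""
    bits = nibbles_to_bits(x)
    out = []
    for j in range(16):
        byte = 0
        for k, src in enumerate(source_bits(j)):
            byte |= bits[src] << (7 - k)
        out.append(byte)
    return out

def is_bijection():
    """Every one of the 128 bits is used exactly once (17 is odd, so it is
    invertible mod 128)."""
    used = sorted(s for j in range(16) for s in source_bits(j))
    return used == list(range(128))

if __name__ == "__main__":
    print("x0 takes bits", source_bits(0))
    print("x1 takes bits", source_bits(1))
    print("bijection:", is_bijection())
    # Constructed input: only the top bit of nibble 0 is set (bit index 0).
    print([hex(b) for b in permute([0b1000] + [0] * 31)])
```

The permutation only spreads bits; it loses no information, so any weakness has to come from the compression levels that precede it.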
9
(No Transcript)
10
What went wrong?
  • Design of a secure cryptosystem should follow Kerckhoffs's principle.
  • The GSM design committee kept all security specifications secret.

11
Attacks on COMP128
  • April 13, 1998: Marc Briceno (Director of the Smartcard Developer
    Association) and two U.C. Berkeley researchers, David Wagner and
    Ian Goldberg
  • The 128-bit Ki could be deduced by collecting around 150,000
    chosen RAND-SRES pairs.
  • May 2002: IBM side-channel attack (Partitioning Attack)
  • 1000 random inputs, or 255 chosen inputs, or only 8 adaptively
    chosen inputs.

12
128-bit Ki
128-bit RAND
13
Crypto-attack by B. and G.
  • Information leaking.
  • A narrow pipe exists in COMP128.
  • Bytes i, i+8, i+16, i+24 at the output of the 2nd level depend only on
    bytes i, i+8, i+16, i+24 of the initial input.
  • Birthday paradox.
  • Differential technique.
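
The narrow-pipe property can be checked from the wiring alone, without the substitution tables. The following is an added example, not code from the presentation; it assumes the butterfly layout of the public COMP128 reference code (level j pairs positions 2^(4-j) apart, with the key in positions 0..15 and RAND in 16..31) and uses illustrative function names.

```python
# Added illustration: track which input positions each of the 32 working
# bytes depends on after a given number of compression levels.
# Positions 0..15 hold Ki, positions 16..31 hold RAND (as in the pseudocode).

def level_pairs(level):
    """(m, n) position pairs mixed by butterfly level `level` (0-based)."""
    span = 1 << (4 - level)               # partner distance: 16, 8, 4, 2, 1
    return [(l + k * 2 * span, l + k * 2 * span + span)
            for k in range(1 << level) for l in range(span)]

def dependencies(levels):
    """Set of input positions that each position depends on after `levels` levels."""
    deps = [{i} for i in range(32)]
    for level in range(levels):
        for m, n in level_pairs(level):
            merged = deps[m] | deps[n]    # both outputs mix both inputs
            deps[m], deps[n] = merged, set(merged)
    return deps

def pipe(i):
    """The four positions the slide names for a given i in 0..7."""
    return {i, i + 8, i + 16, i + 24}

def narrow_pipe_holds():
    """After the 2nd level, positions in pipe(i) depend on pipe(i) only."""
    deps = dependencies(2)
    return all(deps[p] == pipe(i) for i in range(8) for p in pipe(i))

def split_inputs(i):
    """Key bytes and RAND bytes feeding pipe i."""
    key = sorted(p for p in pipe(i) if p < 16)
    rand = sorted(p - 16 for p in pipe(i) if p >= 16)
    return key, rand

if __name__ == "__main__":
    print("narrow pipe holds:", narrow_pipe_holds())
    print("pipe 0 -> key bytes %s, RAND bytes %s" % split_inputs(0))
    print("full diffusion after 5 levels:",
          all(d == set(range(32)) for d in dependencies(5)))
```

Each pipe is fed by only two key bytes and two RAND bytes, which is why a design review would flag the second level: diffusion across all 32 bytes is only reached at the fifth level.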

14
[Figure: compression levels. Labels: 128-bit Ki, 128-bit RAND; 8 bits, 8 bits, 7 bits, 6 bits, 5 bits, 4 bits]
15
Crypto-attack cont.
  • After the compression at level 1, the correlated 32 bits → 28 bits.
  • Transfer the problem to a collision attack.
  • Algorithm in the Random Oracle Model:
  • FINDCOLLISION
  • Choose
  • For each
  • do
  • If for some
  • then return
  • else return (failure)

16
Crypto-attack cont.2
  • The birthday paradox tells us if let our
  • , we have
    probability at
  • least 1/2 to get a collision.
  • The expectation of the number of queries
  • How many chances can we have
  • The total expected queries to recover the entire 128-bit Ki is
  • How fast can we get?
  • Computational ability of the IC: 6.25 queries/s
  • Total recovery period: 7.3 hours.

17
Improvement on B. and G.
  • Pre-compute 8 tables each has entries.
  • Every time we find a collision, just look up the corresponding tables
    to find the key.
  • Space requirements GB
  • Limitation: the bottleneck of the recovery time is the computation time
    of the IC.
  • This technique could decrease the computational requirement of the PC,
    but the overall time won't decrease much.

18
Evaluation of B. and G.'s Method
  • Pros
  • Easy to implement.
  • High accuracy.
  • Doesn't need physical access to the SIM card.
  • Cons
  • Slow: 7.3 hours
  • Spurious key
  • Assumption
  • Avoidance

19
Gains from B. and G.'s Attack
  • Necessity of the open design process
  • Importance of the first round
  • Aftermath of collisions

20
Partitioning Attack
  • Side channels
    • Timing of operations
    • Power consumption
    • Electromagnetic emanations
  • Cardinal Principle
    • Relevant bits of intermediate cycles and their values should be
      statistically independent of the inputs, outputs and sensitive
      information.

21
Partitioning Attack cont.
  • Problems in COMP128
  • Huge correlation between the MSB of R[0] and the beginning of the first
    compression.
  • Substitution.
  • Table look up operation.
  • Implementation in IC.

Figure
22
Partitioning Attack cont.2
  • Explanation for the correlation.
  • X[i] = T0[K[i] + 2R[i]] and X[i+16] = T0[2K[i] + R[i]]
  • Example
  • Byte 1: all signals with R[0] in the range 0-26 and 155-255 fell in one
    category and all signals with R[0] in the range 27-154 fell into the
    other.
  • Byte 2: with R[0] in the range 0-105 the signals fell in one category and
    with 106-255 the signals fell into the other.

Graph
K + 2·26 < 256, K + 2·27 > 256: K = ?
K = 202 or 203
2K + 105 < 512 and 2K + 106 > 512: K = 203
23
Partitioning Attack cont.3
  • Efficiency
  • 1000 samples with random inputs
  • 256 chosen inputs
  • 8 adaptively chosen inputs

24
Future Improvements
  • COMP128-2 has replaced COMP128 to overcome some weaknesses.
  • COMP128-3 is developed to generate 64 bits for Kc.
  • COMP128-4 is under development, based on the 3GPP (3rd Generation
    Partnership Project) algorithm (AES).