Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication

Journal of Cryptology

Abstract

In this paper we present a very practical ciphertext-only cryptanalysis of GSM (Global System for Mobile communications) encrypted communication, and various active attacks on the GSM protocols. These attacks can even break into GSM networks that use “unbreakable” ciphers. We first describe a ciphertext-only attack on A5/2 that requires a few dozen milliseconds of encrypted off-the-air cellular conversation and finds the correct key in less than a second on a personal computer. We extend this attack to a (more complex) ciphertext-only attack on A5/1. We then describe new (active) attacks on the protocols of networks that use A5/1, A5/3, or even GPRS (General Packet Radio Service). These attacks exploit flaws in the GSM protocols, and they work whenever the mobile phone supports a weak cipher such as A5/2. We emphasize that these attacks are on the protocols, and are thus applicable whenever the cellular phone supports a weak cipher; for example, they are also applicable for attacking A5/3 networks using the cryptanalysis of A5/1. Unlike previous attacks on GSM that require unrealistic information, like long known-plaintext periods, our attacks are very practical and do not require any knowledge of the content of the conversation. Furthermore, we describe how to fortify the attacks to withstand reception errors. As a result, our attacks allow attackers to tap conversations and decrypt them either in real-time, or at any later time. We present several attack scenarios such as call hijacking, altering of data messages and call theft.

References

  1. The 3rd Generation Partnership Project (3GPP), http://www.3gpp.org/.

  2. E. Barkan, E. Biham, Conditional estimators: an effective attack on A5/1. In Proceedings of SAC 2005. Lecture Notes in Computer Science, vol. 3897 (Springer, Berlin, 2006), pp. 1–19.

  3. E. Barkan, E. Biham, N. Keller, Instant ciphertext-only cryptanalysis of GSM encrypted communications. In Advances in Cryptology, Proceedings of Crypto 2003. Lecture Notes in Computer Science, vol. 2729 (Springer, Berlin, 2003), pp. 600–616.

  4. E. Biham, O. Dunkelman, Cryptanalysis of the A5/1 GSM stream cipher. In Progress in Cryptology, Proceedings of Indocrypt’00. Lecture Notes in Computer Science, vol. 1977 (Springer, Berlin, 2000), pp. 43–51.

  5. A. Biryukov, A. Shamir, Cryptanalytic time/memory/data tradeoffs for stream ciphers. In Advances in Cryptology, Proceedings of Asiacrypt 2000. Lecture Notes in Computer Science, vol. 1976 (Springer, Berlin, 2000), pp. 1–13.

  6. A. Biryukov, A. Shamir, D. Wagner, Real time cryptanalysis of A5/1 on a PC. In Advances in Cryptology, Proceedings of Fast Software Encryption’00. Lecture Notes in Computer Science, vol. 1978 (Springer, Berlin, 2001), pp. 1–18.

  7. M. Briceno, I. Goldberg, D. Wagner, A pedagogical implementation of the GSM A5/1 and A5/2 “voice privacy” encryption algorithms, http://cryptome.org/gsm-a512.htm (originally on www.scard.org), 1999.

  8. M. Briceno, I. Goldberg, D. Wagner, An implementation of the GSM A3A8 algorithm, http://www.iol.ie/~kooltek/a3a8.txt, 1998.

  9. M. Briceno, I. Goldberg, D. Wagner, GSM cloning, http://www.isaac.cs.berkeley.edu/isaac/gsm-faq.html, 1998.

  10. N. Courtois, A. Klimov, J. Patarin, A. Shamir, Efficient algorithms for solving overdefined systems of multivariate polynomial equations. In Advances in Cryptology, Proceedings of Eurocrypt 2000. Lecture Notes in Computer Science, vol. 1807 (Springer, Berlin, 2000), pp. 392–407.

  11. P. Ekdahl, T. Johansson, Another attack on A5/1. IEEE Trans. Inform. Theory 49(1), 284–289 (2003).

  12. European Telecommunications Standards Institute (ETSI), Digital cellular telecommunications system (phase 2+); channel coding, TS 100 909 (GSM 05.03), http://www.etsi.org.

  13. European Telecommunications Standards Institute (ETSI), Digital cellular telecommunications system (phase 2+); Mobile radio interface; layer 3 specification, TS 100 940 (GSM 04.08), http://www.etsi.org.

  14. European Telecommunications Standards Institute (ETSI), Digital cellular telecommunications system (phase 2+); mobile station—base stations system (MS—BSS) interface data link (DL) layer specification, TS 100 938 (GSM 04.06), http://www.etsi.org.

  15. European Telecommunications Standards Institute (ETSI), Digital cellular telecommunications system (phase 2+); multiplexing and multiple access on the radio path, TS 100 908 (GSM 05.02), http://www.etsi.org.

  16. European Telecommunications Standards Institute (ETSI), Digital cellular telecommunications system (phase 2+); physical layer on the radio path; general description, TS 100 573 (GSM 05.01), http://www.etsi.org.

  17. European Telecommunications Standards Institute (ETSI), Digital cellular telecommunications system (phase 2+); security related network functions, TS 100 929 (GSM 03.20), http://www.etsi.org.

  18. I. Goldberg, D. Wagner, L. Green, The (real-time) cryptanalysis of A5/2. Presented at the Rump Session of Crypto’99, 1999.

  19. J. Golic, Cryptanalysis of alleged A5 stream cipher. In Advances in Cryptology, Proceedings of Eurocrypt ’97. Lecture Notes in Computer Science, vol. 1233 (Springer, Berlin, 1997), pp. 239–255.

  20. A. Maximov, T. Johansson, S. Babbage, An improved correlation attack on A5/1. In Proceedings of SAC 2004. Lecture Notes in Computer Science, vol. 3357 (Springer, Berlin, 2005), pp. 1–18.

  21. Security Algorithms Group of Experts (SAGE), Report on the specification and evaluation of the GSM cipher algorithm A5/2, http://cryptome.org/espy/ETR278e01p.pdf, 1996.

  22. S. Petrović, A. Fúster-Sabater, Cryptanalysis of the A5/2 algorithm. IACR ePrint Report 2000/052, http://eprint.iacr.org, 2000.

Author information

Authors and Affiliations

  1. Computer Science Department, Technion—Israel Institute of Technology, Haifa, 32000, Israel

    Elad Barkan & Eli Biham

  2. Einstein Institute of Mathematics, The Hebrew University of Jerusalem, Jerusalem, 91904, Israel

    Nathan Keller

Corresponding author

Correspondence to Elad Barkan.

Additional information

Communicated by Lars R. Knudsen

An earlier version of this paper appears in Barkan et al. (Advances in Cryptology, Proceedings of Crypto 2003, Lecture Notes in Computer Science, vol. 2729, pp. 600–616, 2003).

About this article

Cite this article

Barkan, E., Biham, E. & Keller, N. Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication. J Cryptol 21, 392–429 (2008). https://doi.org/10.1007/s00145-007-9001-y
