Cryptanalysis of A5/1

There have been a lot of articles about the new attack against the GSM cell phone encryption algorithm, A5/1. In some ways, this isn't real news; we've seen A5/1 cryptanalysis papers as far back as ten years ago.

What's new about this attack is: 1) it's completely passive, 2) its total hardware cost is around $1,000, and 3) the total time to break the key is about 30 minutes. That's impressive.

The cryptanalysis of A5/1 demonstrates an important cryptographic maxim: attacks always get better; they never get worse. This is why we tend to abandon algorithms at the first sign of weakness; we know that with time, the weaknesses will be exploited more effectively to yield better and faster attacks.

Posted on February 22, 2008 at 6:31 AM • 34 Comments

Comments

GerritFebruary 22, 2008 7:07 AM

Here in South Africa I haven't regarded cell phone calls as secure for quite some time. School kids figured out that if you dial the three-digit customer service number on your cell phone, and keep on waiting on the line a few minutes after the voice recording finishes, the following happens: It connects to (I presume) your local tower and you can hear the one side of random cell phone conversations. After a few minutes it switches over to another conversation. You can only hear one side of the conversation, but it proved quite entertaining for kids to listen in on conversations during school breaks (phoning customer service is a toll-free call). Luckily the cell phone company realized this and fixed the security hole after a few months.

ATNFebruary 22, 2008 7:33 AM

The problem for spying GSM radio seems to be that the spying antenna has to be either nearby the base station (which can change if the mobile phone moves) or nearby the mobile phone itself.
The system use TDMA (Time Division Multiple Access) with distance to base calibration - so the time slots of different communications will overlap if the spying antenna is not at the right place - the speed of radio signal in not infinite.

Erek DyskantFebruary 22, 2008 7:43 AM

The timing thing is an interesting problem. However, I'll bet that with some serious analysis it could be worked through, as the timing changes gradually not all at once.

If one captured the entire stream rather than a single signal, probably some analysis could separate each TDMA signal back out by watching the drift over time. Afterall, the tower can gracefully handle a moving phone, so there have to be time drift compensation algorithms out there.

Sure, a solution like this would take some serious engineering expenditure, but one has to assume a multi-million dollar operation in addition to the single person attack. I'm sure that a cellphone snooping widget design would be worth millions to some parties.

Matt BarrettFebruary 22, 2008 8:58 AM

I was under the impression that there is, available for suitable government (i.e., NATO) purchase, backpack hardware that allows you to do a man-in-the-middle style GSM attack.

Having not read this paper, presumably any such hardware would have solved any timing issue?

AnonymousFebruary 22, 2008 9:24 AM

@atn
"The problem for spying GSM radio seems to be that the spying antenna has to be either nearby the base station (which can change if the mobile phone moves) or nearby the mobile phone itself."

With people of my generation (25 to 35) replacing their land lines with cell phones, that really doesn't become a problem.

RoxanneFebruary 22, 2008 9:53 AM

Oh, come on. Phone communication hasn't ever been secure. We used to know that the operator might be listening in, then automatic switching took over and there was possibly some semblance of privacy, but then diversion became possible, and it's just not secure anymore.

Any time you hand off responsibility for message delivery to a third party (post office, phone company, ISP), you have to assume that someone will read the message while it's in transit. Your only hope is that you have managed to use a code that they don't know ... yet. I guess this is them saying, "Hey, we've figured out this code. Go make up a new one!"

ATNFebruary 22, 2008 9:54 AM

@Erek Dyskant:
"If one captured the entire stream"
At which position in space? The "time drift compensation" is made so that the "tower" receives clean signal - but changing "tower" is usual during a conversation if phoning from a moving place like a train. Nearby the mobile phone the signal is also clear - and probably on all the line in between the mobile phone and the "tower".
If the spy has a bit of money he will spy the conversation in the connection of the main network to the "tower" - or simpler at the computer which routes this call.

@Matt Barrett: if you have a "portable tower" in your car you ask the target mobile phone to synchronise with your "tower" - there is no timing issue.
But you have to have insider information for the target phone to accept talking to your "tower".

@Anonymous: A landline is easier to spy than a mobile phone, just tap the cable.

Matt BarrettFebruary 22, 2008 10:09 AM

@ATN: That makes sense - obviously you're not performing a passive attack, so timing becomes a non-issue. Didn't think that through properly.

NostromoFebruary 22, 2008 11:11 AM

This is a non-story. Nobody with more intelligence than a fruit-fly would expect mobile phone communication to be secure. It's been public knowledge for a couple of years that if you use a mobile phone, you immediately give away your location to the phone system (and hence to any government that is interested).

With Internet email, you have a chance of security, because when the news leaks out that GPG has been broken, somebody will come up with a new algorithm that you can use. You have some choice. But with cellphones, the phone company gets to choose the encryption method. It may be expensive for them to change it, and it's certainly inconvenient, plus they're subject to government pressure to use something that the NSA can break easily. There is absolutely no chance of security under these circumstances.

KevinFebruary 22, 2008 12:10 PM

I think the "news" here isn't that "phones are insecure", but that the barrier to entry has been reduced.

Used to be that you had to be either a government or a phone company to spy on GSM calls.

No you just need $1K and some spare time.

periFebruary 22, 2008 1:04 PM

Just read a report which regarded GSM as the golden child of wireless security. Of course GSM is still a good example, but the timing is pretty amusing.

http://www.codenomicon.com/resources/whitepapers/...

From the abstract:

New wireless technologies such as WiMAX, NFC and ZigBee are rapidly being adopted,
along with existing wireless standards such as Bluetooth, Wi-Fi, GSM and other cellular
technologies. Bluetooth and Wi-Fi have already become notorious for severe security
shortcomings during their relatively brief existence. New vulnerabilities and exploits are
reported and demonstrated every week on live public networks. The credibility of these
wireless technologies has been damaged by security incidents, stemming from
fundamental problems in requirement gathering, implementation quality and protocol
design. Despite boasts of hardened security measures, security researchers and black-hat
hackers keep humiliating vendors. On the other hand, GSM and various descendant
technologies have been almost 100 percent free of security incidents.

MarkFebruary 22, 2008 2:08 PM

@Kevin
Used to be that you had to be either a government or a phone company to spy on GSM calls.

If someone is tapping from within the telephone network it dosn't really dosn't matter what form the "line" takes.

Kadin2048February 22, 2008 3:40 PM

My understanding is that those 'backpack' units for intercepting GSM calls aren't completely passive units; they actually contain a GSM "cell." Functionally, they're similar to "micro-cells" that mobile phone companies set up in locations of high demand or in dark spots where coverage from big cells isn't available (e.g. in subway tunnels, pedestrian underpasses, etc.).

There's a page on Cryptome with more information that seems to back up what I've heard:
http://cryptome.org/gsm-spy.htm

Clive RobinsonFebruary 23, 2008 3:36 AM

First off GSM is a European standard and because of this it is not secret even at the low levels. A5 has always been a bit of a joke with the likes of Bart Prennel. It first became publicaly disclosed by a bunch of "students" at a UK Uni where a company sent the GSM docs but forgot to get the nondisclosure agrement first..

Europe is supposadly a liberal / free market place, and due to this in a number of countries it is legaly permisable to have your own micro cell, which is also part of a bigger network. The downside as most people in that area of work know is that it makes eves droping almost childishly simple. You just have to have a stronger signal at the handset than the network cell. So with a micro cell the size of a games console and a couple of high gain antennas capturing your vics phone even when mobile is a minor physical not technical issue.

The military backpacs by the way are not for spying they are for setting up local usable comms for soldiers etc. As the major powers dont fight each other these days ther is little need for LPD Secure radio systems. The cost saving is very large but more importantly the flexability is more than any combat system has ever had. More importantly if realy secure conversations are needed ther are also comercial phones with crypto card slots at quit low cost.

If you want secure content phone calls go out and buy a crypto card phone for you and those you need to talk to...

Shachar ShemeshFebruary 23, 2008 5:32 AM

> we know that with time, the weaknesses will be exploited more effectively to yield better and faster attacks.

Well, if we take DES as an example - the first attack was at around 1988, and yet when the algorithm was at last retired it was not because of the algorithmic weaknesses in it. It was retired because brute force attack (and we all know that any bounded key length cypher is susceptible to those) has become cheap and quick enough to pose a serious threat to the algorithm.

Yes, I know you can say that faster brute force techniques are a part of the attacks that keep getting better, but the advance in those tend to be guesstimated when the cypher is first created.

The fact remains that, despite the fact that DES had several algorithmic attacks on it, it was the brute force attack that killed it.

Shachar

Pavel VFebruary 23, 2008 6:25 PM

The equipment for Crack A5/1 costs only about $1,000 ..
Well, but how much costs equipment for recording a conversation?
GSM carriers use frequency hopping and its difficult to record the call….

PViFebruary 24, 2008 3:50 AM

Pavel V: GSM frequency hopping is 'slow' (when compared to military radios with hop frequencies being thousands / second) and listening should be almost trivial.

Furthermore, GSM frequency hopping is optional and the operator might not use it. Hopping is not designed as a security feature but instead to minimise signal propagation issues caused by eg. interference on one particular channel.

Clive RobinsonFebruary 24, 2008 3:50 AM

@Pavel V

"but how much costs equipment for recording a conversation?"

As has been indicated "Micro Cells" can now be purchessed as a standard of the shelf component for between 2&5K USD new, second hand a lot less, they will obviously give you out both sides of the phone call out of the "line port" in a recognised format.

But it has been possible for over 20 years to get the data from both sides of the call using Radio Tests Sets that Call Phone Network Technicians/Engineers use to trace faults and R&D Engineers use to develop and test the latest phone products. These test sets can be brought re-conditioned with all the appropriate software for less than 4K USD without any questions asked.

You can also rent test sets from Companies (Like Livingston Hire) for just a few hundred dollars a week.

So as you see not very much, it cost more to learn how to do the physical side of the interception reliably than it does for the kit to do it.

Clive RobinsonFebruary 24, 2008 4:02 AM

@ 123,

"RC: you're a moron."

RC said,

"my prediction is that, eventually, all encryption will be broken, except OTP."

I think that as RC put no limit on it time is most definatly on his side.

And as we realy do not know what "Random" is or have a reliable definition that you can work back from, he might also be wrong about OTP.

Remember,

"A closed mind is limited by self imposed limits, and open mind is only limited by it's existance at a point in time and space" and only the first is as certain as you are 8)

Clive RobinsonFebruary 24, 2008 6:31 AM

@Bruce,

Now I have had a chance to get to a desktop and have a look at the articals you link to they appear to be very light in technical detail, however at least one indicates that you might know a little more.

Am I correct in thinking that this is infact a very old "Known Plaintext in a Known position" / "Rainbow table" memory time trade off attack ?

The rainbow table size of 2TByte seems a little small, is this a reporting error or is the table taking into acount the mentioned deficiancy of nulling the lower bits of the A5/1 key by the network operators?

One artical also mentiones they "have a patent" if so on what as you and I both know patents do not happen over night and can take a couple of years to get sometimes.

@ALL

For those of you who don't know what I am talking about it is actually quite a simple attack.

If you take "plaintext" like a wordpro document, the wordpro adds formatting and other bits and pieces to the file for fonts etc. These bits of "meta data" have a very bad habit of having the same value (therefore Known Plaintext) and in the same place in the file (Known Place) a very high percentage of the time for documents from that version of the wordpro software (and often later versions due to compatability issues).

Rather than brute force (ie try every key) the encrypted file what you do is pre-compute the "ciphertext" of your "Known Plaintext" against every key and arange it into a look up table (a version of which are known as Rainbow Tables for some reason that is not relavent).

You then find the appropriate offset in the "ciphertext" file and look it up in the table to find the coresponding key(s). You then trial the key(s) against the "ciphertext" file and quite often the "plaintext" just drops out. However sometimes the known plaintext is to short to reliably identify a single key so you have to try several, however even if it was a million or so (2^20) "trials" it is going to be a lot faster than trying all keys (2^64).

The hard part of this is calculating the values for the Rainbow Table in the first place. Effectivly this will take as long as a single brut force run (not alowing for short cuts) but once calculated will be good for as many de-codes as you want (it is technicaly de-code not de-crypt as you are using a code book lookup not a cypher system).

The speed of using a rainbow table is based on how you store the table data but even using cheap HD's in a RAID configuration in a cheap NAS box you are only looking at 100ms (ie 1 tenth of a second) tops to do a single look up.

This sort of attack has been known and used for a very long time, the first semi automated way was during the second world war with breaking the German Enigma system (google amongst other things ["Banbury Sheets" "Bletchley Park"]).

It is also a relativly easy attack to stop dead in it's tracks, it only works because the crypto system is used in what is effectivly "Code Book" mode that is every Plaintext value always has the same Ciphetext value for the same key within the ciphertext under examination. Any method of random pre-encoding the plaintext prior to coding will change the value of the plaintext and therefore you would have to have as many rainbow tables as there are pre-encoded values for the known plaintext.

The simplest way to deal with this type of attack in an existing communications system is to add "whitening" to the plaintext by simply XORing it with a randomly chosen value. And no it is not required to send this randomly selected value to the other party they can work it out from the difference between the expected and actual pre-coded plaintext they receive.

If however you are designing a system from scratch there are a multitude of much better ways to do it.

As a side note Mr Morris (father of Morris Worm writer) was the chief Scientest at the NSA. Supposadly in a talk given when he retired he reminded people that as long as there was known plaintext then the NSA and other agencies of it's type would always be in business.

kiwanoFebruary 24, 2008 10:07 PM

so why are all the comments about spying, and none of them about a resurgence of cloning, now that keys can be sniffed by carding $1k worth of hardware, spending a weekend or two setting things up, and camping out near a cell antenna for a couple of afternoons?

maybe it's because cloning will hit the cellphone companies the hardest, and it's their own damed fault for not changing algorithms.

supersnailFebruary 25, 2008 11:19 AM

All in all it looks like A5 was a pretty good choice.

Why -- well the choice was made about 12 years ago, and it just about survived to the end of life of the system. If your worried about GSM security just get a 3g phone!

Compare and contrast with the few months it took to trash wi-fi security.

Nicholas JordanFebruary 25, 2008 1:26 PM

@Nobody with more intelligence than a fruit-fly would expect mobile phone communication to be secure.

Correct, we call these authorities in my experience. Often, Sales becomes the Auth because we all have to eat.

@If however you are designing a system from scratch there are a multitude of much better ways to do it.

Correct, but they do not get done. See immediate above for explaination.

This subject in overview resembles an oportunitiy I had to talk directly to a procliamed intruder. His handle is any name that has the word Dragon in it. He stated he was about to start his Masters Thesis in E.E., and that we could talk some in a time-limited but no questions barred manner. He told me that he had obtained the keys for a widely used short-range wireless protocol ( do not remember what it was ) and that he had set off a parking lot full of alarms. Later someone cleaner told me this could be done with a power-blast centered on the band.

So we know two things: 1) I learned something at the cost of a mild displeasure - I had been had. 2) A supposed attacker could claim the busting of a key for emotional reasons. This may or may not be a busted key.

I had an interesting ( for our purposes here ) discovery when I was speaking informally with a contractor who was pitching a method for yellow cake containment: When I asked a technical question it was explained to me that riverfront dinners is the modus of business and the technical matters were not of consequence.

Without having the time or technical skills to determine if A5/1 encypherment is actually used on GSM generally or on a sample device, I note for the discussion that I am not able to tell if the key for A5/1 ( or it's kraftwerk in sold devices ) is negotiated by key agreement or ( more like I would expect from commercial reality ) the same key across many devices and towers.

I note this for clarity, it is beyond my skills to write the code for cryptoanalysis. This point would make a difference in this discussion.

RogerFebruary 25, 2008 2:02 PM

@supersnail:
"All in all it looks like A5 was a pretty good choice. Why -- well the choice was made about 12 years ago, and it just about survived to the end of life of the system"

A5/1 was chosen 21 years ago.

Serious attacks have been publicly known to exist for at least 11 of those years (serious, in the sense of being easier than the strength limit that was widely known to mark the lower limit of wholesale trawling by the NSA.) For 8 years we have known of an attack that enables a very resourceful (but not quite government level) attacker to recover calls in near-real-time.

Having said that, A5 *did* meet its design goal: it was only intended to be at least as hard to break the encryption as to tap a land line. Since tapping a land line is child's play, that design goal is probably still being meet.

But on the other other hand, the design goal was never correct. Air interfaces need to be *much* stronger than wired interfaces, in terms of cost / technical complexity of mounting the attack. This is for the simple reason that to attacker land line, the attacker has to be physically present and risk getting sent to gaol; but an over-the-air eavesdropper has negligible chance of getting caught.

"If your worried about GSM security just get a 3g phone!"

The cryptographic security algorithm in 3G phones -- KASUMI -- has already had certificational attacks published. Cell phones are not designed to be secure communications devices.

David SchuetzMarch 4, 2008 3:58 PM

@Clive:

Sorry for the late response (hope you see this). To answer a couple of your questions -- I saw this talk at ShmooCon, and I don't believe it's a known plaintext attack. There were some theoretical weaknesses in the encryption algorithm that were substantially easier to exploit when working with a pre-compiled "rainbow table" of data. There's still a whole lot of processing happening real-time, even with the table, hence the need for pretty powerful FPGAs. (which, btw, I think were closer to $2000 than a grand, and that's not counting the computer to stuff the FPGA into and the 2TB of data for the tables, not to mention the actual GSM receiver to hook your computer into) (I keep seeing this $1000 figure quoted in the press and I have no idea where it came from).

The neat thing about this attack was that it was scalable (linearly, if I recall correctly). So adding more FPGAs to the mix would decrease the computation time proportionally. For like $50k (or maybe it was $75k) you could theoretically get about 30 second break time.

On the downside, with an array of 60-some FPGAs they were expecting 3 months to build the rainbow table, so there's a big up-front investment (unless you find someone to get a copy of the tables from). And as soon as your target moves to a new cell you have to crack the stream all over again, as the newly-paired base station will have a new key.

Still, it was way cool. Honestly, I think I'd be more worried about his WiFi cracking tricks with FPGA than GSM security, at least for the near term... (see his 2007-era talks).

BTW, there was a link to the ShmooCon slides at the bottom of the Washington Post article: http://blog.washingtonpost.com/securityfix/... . Unfortunately, it loses a little without H1kari's voice-over. :)


BassixApril 6, 2008 8:21 AM

GSM Security in practice and in theory are different. By agreement within the EU the least significant byte of the key is zeroed. Makes finding the rest of the key easier and quicker.
This is public domain info.

schnadigJuly 15, 2008 8:13 AM

@Bassix
The effective keylength depends on the choosen key generation algorithm (A8). For COMP128-1 (compromised!) and COMP128-2 the effective keylength is 54bit (10 bit are forced to zero). The keylength of A5 is 64 bit.
Even if every operator can choose its own A8 you can be sure that many SIM cards use one of these crippled algorithms.

WantToSpySeptember 22, 2008 4:05 PM

Hey guys,

A question if somebody knows the answer to it,
regarding the quote by Clive Robinson at February 24, 2008 3:50 AM, i am browsing the tm.livingston.co.uk where they lend radio equipment for network development/maintenance, and i am wondering exactly which equipment do i need to spy onto gsm calls and track the cb location data transmitted to the target cellphone?

Please help, much appreciated

Angry Husband

mail to: podjetnik@gmail.com

RafaelOctober 31, 2008 7:06 AM

I'm using PhoneCrypt (www.phonecrypt.com) to secure my conversations and dates, it's developed by

securstar.

It's very good, works perfectly.

I recommend!

John G.April 15, 2009 2:59 PM


Dear All:

I saw the blackhat article from Early 2008, we're already over a year after, and don't see any news.

Didn't understand where to buy the low cost interception equipment. Can someone advise a website?

Many thanks in advance,

John G.

aliSeptember 16, 2010 1:09 AM

Dear Professor Schneier
Hello and greeting,
I have a question about known plaintext for attacking A5/1.
How can plaintexts can be obtained from GSM signals? and which messages can be used as the sources for plaintext?

Clive RobinsonSeptember 16, 2010 4:42 AM

@ ali,

"How can plaintexts can be obtained from GSM signals? and which messages can be used as the sources for plaintext?
"

The format of GSM signals is not secret you can get hold of the documents with little difficulty (but some expense). The trouble is the full set is a very big pile of close typed A4 paper.

"I have a question about known plaintext for attacking A5/1"

First find the correct A5/1 information there is a bit of a history behind it and there are conflicting sources of info, partly because there are various A5 ciphers.

Most of what you need to know to get you going can be found at,

http://en.wikipedia.org/wiki/A5/1

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..