Cracking A5 - Thc Wiki
This document was uploaded by user and they confirmed that they have the permission to share it. If you are author or own the copyright of this book, please report to us by using this DMCA report form. Report DMCA
Overview
Download & View Cracking A5 - Thc Wiki as PDF for free.
More details
- Words: 5,199
- Pages: 19
cracking a5 - THC Wiki
1 di 19
http://wiki.thc.org/cracking_a5
cracking a5
The A5 Cracking Project
NEWS: We have created a PRIVATE A5 mailinglist. If you feel you have something to contribute to the project please contact steve [at] segfault.net. The reason for this has been explained on the public mailinglist a5 [at] lists.segfault.net. NEW: The CCC Camp07 GSM Software Project and A5 Cracking Talk video is available. The final attack and a live demonstration will be given at a selected security conference in March 2008.
Powered by EFF. Contenuti 1. 2. 3. 4. 5. 6. 7. 8.
LICENSE About How you can help TODO Requirements A5 weakness A5/GSM encryption example Misc Ideas 1. FPGA Ideas 1. Brute Force 2. Brute Force II 3. possible boards
01/01/2008 11.12
cracking a5 - THC Wiki
2 di 19
http://wiki.thc.org/cracking_a5
2. Rainbow Table 1. Idea I 2. Idea II 3. Idea III 4. Idea IV 5. Idea V 6. Idea VI 3. TMTO modified for A5/1 1. Verbal Description 2. C Reference Implementation 3. Pseudocode 9. Resources 1. List of used encryption around the World 2. How to check if A5/1 is used 3. HD Random Access Time 10. Links
1. LICENSE GSM Software Project License Version
1, January 2007
All code, information or data [from now on "data"] available from the GSM Software Project or any other project linked from this or other pages is owned by the creator who created the data. The copyright, license right, distribution right and any other rights lies with the creator. It is prohibitied to use the data without the written agreement of the creator. This included using ideas in other projects (commercial or not commercial). Where data was created by more than 1 creator a written agreement from each of the creators has to be obtained. Please contact steve [at] segfault.net for any questions.
2. About We are security enthusiasts. Our goal is to implement a system that can crack A5/1. Our results will be used with the GSM Software Project to demonstrate weaknesses in GSM. The A5 algorithm has been broken (in theory) in 1998 but it's still widely used. The mobile operators still insist that the GSM customers (that's you and me!) are protected and that our data is safe. We want to bring together all the folks who worked on the theory of cracking A5/1. Subscribe to our mailinglist by sending an email to a5-subscribe [at] lists.segfault.net
01/01/2008 11.12
cracking a5 - THC Wiki
3 di 19
http://wiki.thc.org/cracking_a5
3. How you can help 1. Add links and information to this page or send them to steve at segfault.net 2. Sponsor us! We need hardware, books and coffee! 3. Come up with smart ideas.
4. TODO 1. Come up with example data (e.g. first encrypted burst from BTS to MS and first burst from MS to BTS). 2. Enhance the attack on A5/1 3. Implement a A5/2 crack.
5. Requirements The project comes in stages. 1. 2. 3. 4.
Understand current state of A5/1 cracking (THAT'S WHERE WE ARE IN NOW!) Implement A5/2 crack (the weaker of both algorithms) Implement one of the many A5/1 cracks from the academic papers Research and Implement new ways to crack A5/1
Our ultimate goal is to crack A5/1: 1. 2. 3. 4.
by only intercepting data (passiv) require less than 4Terabyte HD. able to decrypt short encrypted bursts (like SMS, last less than 0.1 seconds). Cracking time less than 1 day.
6. A5 weakness A5 is weak. That's A5/1 and A5/2. When you look at the algorithm it just gives you a bad feeling. 1. 2. 3. 4.
The registers are to small The trap registers are all on one side The 3 LSFRs do not mix results amoung each other Protocol implementation is faulty: An attacker can record all encrypted traffic. If the attacker gains access to the sim at any point in the future he can decrypt all traffic sniffed in the past. This works by putting the sim card into a sim reader and running the gsm_runalgorithm() function on the sim. The sim will decode any traffic without us knowing the Ki. This attack requires access to the sim for 30 seconds and can decode any GSM converstation that happened in the past. 5. etc etc etc I did a quick example to visualize the entroypy. Crypto people love entropy. An easy way to visualize the entropy is to generate a picture of the relationship between two, three or four successive numbers generated by the algorithm. Ideally we should not see any structure. All pixels should be distributed randomly. lcamtufs ISN analyzsis explains more details about this method. I use a matlab script to generate the graphics. x.txt contains the output of the a5/1 key
01/01/2008 11.12
cracking a5 - THC Wiki
4 di 19
http://wiki.thc.org/cracking_a5
initialization algorithm. a = 0; b = 0; c = 0; d = 0; XD = 256; YD = 256; ZD = 256; M = dlmread('x.txt', ' '); V = M(2,2) I(1:((XD - 1) * 2), 1:((YD - 1) * 2)) = 0; for i=1:25600 x = b - a; % -255 .. 255 y = c - b; % -255 .. 255 z = d - c; % -255 .. 255 I(x + XD, y + YD) = cast(z + (ZD - 1), 'double') / ((ZD-1) * 2); a = b; b = c; c = d; d = cast(mod(M(i, 1),256), 'int16'); % val between 0..255 %d = cast(rand(1,1) * XD, 'int16'); % val between 0..255 end imshow(I);
Figure 1: Key set to 0. FrameNumber runs from 0-25600. We can see a structure. There is a relationship between the key state with FrameNumber N and the key state with FrameNumber N - 1.
TODO: add more.
01/01/2008 11.12
cracking a5 - THC Wiki
5 di 19
http://wiki.thc.org/cracking_a5
7. A5/GSM encryption example TODO: write down how a5 works and how the data looks that is encrypted and what the first encrypted message from/to basestation is and which bits are static/known/guessable. The Frame Number (FN) wrapps around every 3h 28min 53 sec and 750ms. A layer 1 GSM message is 23 octet long. It is padded with 0x2b if less than 23 octet content data are to be send. How to encode 1 GSM message (after padding): 1. 23 * 8 = 184 bit content data per GSM message. [Output: 184 bit] 2. Add 40 bit fire code (crc) and 4 bit tail (0x00). [Output: 228 bit] 3. Convolutional encode the 228 bit. This duplicates the number of (known) bits. [Output: 456 bit] 4. Interleave the 456 bit. [Output: 456 bit] 5. Chop the 456 bit into 8 packs, each 57 bit long. Take the first two 57 bit chunks and send them in the first GSM burst. The 3rd and 4th are send in the second GSM burst and so on and so on.[Output: 4x114 bit] 6. The frame number is known and incremented for each GSM burst. A5 is reinitialized for _each_ burst. This means each burst is encoded under the same Kc but under a different frame number. The A5 state is thus different for each GSM burst. First encrypted message send from MS to BTS is 'Ciphering Mode Complete': 000: ?? ?? ?? 06 32 2b 2b 2b
- 2b 2b 2b 2b 2b 2b 2b 2b
001: 2b 2b 2b 2b 2b 2b 2b 0: ?? -------1 Extended Address: 1 octet long 0: ?? ------0- C/R: Response 0: ?? ---000-- SAPI: RR, MM and CC 0: ?? -00----- Link Protocol Disciminator: GSM (not Cell Broadcasting) 1: ??
------01 Supvervisory Frame
1: ?? ----00-- RR Frame (Receive ready) 1: ?? ---0---- Poll/Final bit (P/F) 1: ?? 000----- N(R), Retransmission counter: 0 2: ?? -------0 EL, Extended Length: n 2: ?? ------0- M, segmentation: N 2: ?? 000010-- Length: 2 3: 06 0------- Direction: From originating site 3: 06 -000---- 0 TransactionID 3: 06 ----0110 Radio Resouce Management 4: 32 00110010 RR Cipher Mode Complete
This message tells the BTS to start ciphering. The first encrypted message send from the BTS to the MS is either a MMIdentityRequest followed by a empty GSM message or a empty GSM message. Both of them contain plenty known plaintext: The 0x2b GSM 01/01/2008 11.12
cracking a5 - THC Wiki
6 di 19
http://wiki.thc.org/cracking_a5
message padding octet. 000: 03 42 0d 05 18 03 2b 2b
- 2b 2b 2b 2b 2b 2b 2b 2b
001: 2b 2b 2b 2b 2b 2b 2b 0: 03 -------1 Extended Address: 1 octet long 0: 03 ------1- C/R: Command 0: 03 ---000-- SAPI: RR, MM and CC 0: 03 -00----- Link Protocol Disciminator: GSM (not Cell Broadcasting) 1: 42 -------0 Information Frame 1: 42 ----001- N(S), Sequence counter: 1 1: 42 ---0---- P 1: 42 010----- N(R), Retransmission counter: 2 2: 0d -------1 EL, Extended Length: y 2: 0d ------0- M, segmentation: N 2: 0d 000011-- Length: 3 3: 05 0------- Direction: From originating site 3: 05 -000---- 0 TransactionID 3: 05 ----0101 Mobile Management Message (non GPRS) 4: 18 00------ SendSequenceNumber: 0 4: 18 --011000 MMIdentidyRequest 5: 03 -----011 IMEISV
or 000: 03 03 01 2b 2b 2b 2b 2b
- 2b 2b 2b 2b 2b 2b 2b 2b
001: 2b 2b 2b 2b 2b 2b 2b 0: 03 -------1 Extended Address: 1 octet long 0: 03 ------1- C/R: Command 0: 03 ---000-- SAPI: RR, MM and CC 0: 03 -00----- Link Protocol Disciminator: GSM (not Cell Broadcasting) 1: 03 ------11 Unnumbered Frame 1: 03 ---0---- P 1: 03 000-00-- UI frame (Unnumbered information) 2: 01 -------1 EL, Extended Length: y 2: 01 ------0- M, segmentation: N 2: 01 000000-- Length: 0
8. Misc Ideas 1. Shall we do a brute force with FPGA or do a smart attack as outlined in the 2001 paper? 2. Can we use the weakness in A8/A3 to calculate Kc for A5/1? 3. What happened to the cypherpunks mailinglist? The LNE links seem to be down! Anyone? 4. I'm not concerned if we need 50 FPGA's or 4TB or harddrives. Some people say that it's not practical to carry 4TB of harddrives in a rucksack. We can always host the solution and when on a cracking mission the challenge can be send (via sms?) to the
01/01/2008 11.12
cracking a5 - THC Wiki
7 di 19
http://wiki.thc.org/cracking_a5
hosted Cracking Server which sends the results back after a couple of seconds. 5. Can we devide the A5/1 cracking problems into smaller problems and solve each on its own? This means finding a new attack against A5/1. 8.1. FPGA Ideas 8.1.1. Brute Force Some initial thoughts on A5/1 and FPGA. All this needs to be calculated more precisely. Each clock cycle the A5 implementation should output 64 bit of streamcipher. We can put multiple A5 implementations on the same FPGA chip. The calculation is based on a pipelined implementation of A5. The three LSFR registers are in total 19 + 22 + 23 = 64bit long. The first LSFR requires 5 Logical Units (LU's, e.g xor). The second requires 3 LU's and the last one requires 5 LU's. All together 13 LU's and 64 bit. The Trap register add's 1 LU per LSFR. Makes 16 LU's and 64bit. Generating the state (with key and FrameNumber (FN)) requires 64 + 22 = 88 steps. This is followed by another 100 cycles. Each of the 100 cycles requires 1 LU less per LSFR. After these 100 cycles we want to generate about 64 bit of output (e.g. enother 64 cycles). 1. LU's: 16 * 88 + 13 * 100 + 13 * 64 = 3540 2. Registers: 64 * 88 + 64 * 100 + 64 * 64 = 16128 After 88 + 100 + 64 cycles we will start seeing 64 bit of stream cipher output for each cycle. This is all not optimized. We do not need the first 9 steps because the Tap register only start at bit 8. we also do not need all the LU's or registers for the first 18 steps because the first LSFR is not fully used until step 18. Same for the last 64 steps. For each of the last 64 steps we only need 2 LU's and 1 register less for each step. We decided to use Xilinx. Altera is a good choice as well but at the moment most of us worked with xilinx before. The Virtex-5 from Xilinx LX330 has 330.000 LU's and runs at 500 Mhz. That brings us down to 4 days per development board?! But the boards and chips are to expensive. Better to stick with LX50. 8.1.2. Brute Force II Some more precise calculation by David Hulton:[[BR]] The LX50 can run at 200-300Mhz and cost $300 each (just the chip, without dev board). I pipelined my version of A5/1 and came up with some rough numbers on the Virtex-5 LX50. This is purely just computing the 186 clock cycles for setup and only computing a single bit of output from the pipeline on each clock cycle. I'm sure we could optimize it a little bit but once we factor in the overhead of doing the key compares and other bridge code it probably won't be much less than the numbers here..
01/01/2008 11.12
cracking a5 - THC Wiki
8 di 19
http://wiki.thc.org/cracking_a5
With this design, we will probably only be able to fit 4 fully pipelined instances of A5/1 on here unless we can hand-optimize the placement better than the Xilinx tools and code in some of the shortcuts that you mentioned on the a5 cracking page. I'll work on this a bit more and see if I can reduce the logic down. Slice Logic Utilization: Number of Slice Registers: 28,800
7,289 out of
25%
Number used as Flip Flops:
7,289
Number of Slice LUTs: 28,800
6,968 out of
24%
Number used as logic: 28,800
6,566 out of
22% Number using O6 output only:
Number used as Memory: 7,680
6,566 402 out of
5% Number used as Shift Register:
402
Number using O6 output only:
402
Slice Logic Distribution: Number of occupied Slices: 7,200
2,670 out of
37%
Number of LUT Flip Flop pairs used: Number with an unused Flip Flop: 7,292
7,292 3 out of
1%
Number with an unused LUT: 7,292
324 out of
4%
Number of fully used LUT-FF pairs: 7,292
6,965 out of
95%
Number of unique control sets:
2
A LUT Flip Flop pair for this architecture represents one LUT paired with one Flip Flop within a slice.
A control set is a unique
combination of clock, reset, set, and enable signals for a registered element. The Slice Logic Distribution report is not meaningful if the design is over-mapped for a non-slice resource or if Placement fails. IO Utilization: Number of bonded IOBs: 220
88 out of
40%
Specific Feature Utilization: Number of BUFG/BUFGCTRLs:
1 out of
01/01/2008 11.12
cracking a5 - THC Wiki
9 di 19
http://wiki.thc.org/cracking_a5
32
3% Number used as BUFGs:
1
Total equivalent gate count for design: Additional JTAG gate count for IOBs:
155,730
4,224
8.1.3. possible boards ML501 Xlinix LX50 ($955) PicoComputing E-16 LX50 ($2.000) The LX330 boards cost $5.000. Because we can put 4x more a5/1 implementations on them and they run 6.6x faster it might be worth it. 8.2. Rainbow Table Traditional rainbow tables take the key as input. Our key is 88 bit (of which the last 22 bit are the known Frame Number). We can not generate a rainbox table for 2^88 key combinations.
8.2.1. Idea I The state table of all 3 LSFR's combined is just 64 bit. The A5 initialization process (e.g. seeding in key + FN and mixing it 100 cycles) is reverseable. Thus once we know the key state we can compute the key easily. Generating rainbow tables for 64 bit keys is difficult (TODO: calculate how difficult and how many FPGA's required). This attack would work regardless of the frame number and regardless of the key length (54, 64 or 128 bit). It also uses less LU's than the normal key brute force implementation. All 3 LSFR can be stuck together to get one 64bit register: | R1 19bit | R2 22bit | R3 23bit | Rought idea of generating rainbow table with 2^36 tables: 1. Start with key state bit 35..0 is set to 0000..001. Bit 63..36 is set to 0. 2. RainbowtableNumber++; Entries = 0; 3. Calculate 64bit output from this keystate. Entries++; 4. If output's bit 63..36 are all 0 then stop this rainbow table. Otherwise take 64 bit usefull output and use this output as state. Repeat 3. 5. Increment value in bit 35..0 by 1 (e.g. start next rainbow table). Repeast 2. Problems: 1. What happens if we never hit a state that has bit 63..36 to all 0s (e.g. if we are stuck in a loop)? Break loop after a maximum number of iterations and call it an 'unlucky' rainbow table which is handles specially? 2. Using bit 63..36 is just an example. In fact any number of bits (in sequence or not in sequence) can be used.
01/01/2008 11.12
cracking a5 - THC Wiki
10 di 19
http://wiki.thc.org/cracking_a5
8.2.2. Idea II (This Idea is now obsolete) Maybe it's enough to generate a rainbow table for FrameNumber 0. Calculating all 2**54 keys with an FPGA and generating a rainbow tables is a matter of days (e.g. possible). Can a rainbow table generated with FrameNumber == 0 be used to decrypt packets that do not have Frame Number set to 0? 8.2.3. Idea III Is it possible to reduce a LSFR register? By this i mean exist there a shorter LSFR register that would produce the same output (for a certain class of keys)? 8.2.4. Idea IV We do not need to generate rainbow tables for all possible keystates. Let's assume we generate rainbow tables for 1/4 of all keystates (e.g 62bit). If we sniff 64 bit known plaintext our chances that we can crack it with the rainbow table is 25%. A5 is reversable: Let N be the index of current working bit of the A5 algorithm (e.g. after N bits of output have been produced and N bit of plaintext have been encrypted). Let keystate(N) be the state of the keystate after N bits have been produced. Let plaintext(N) be the N-th bit of the plaintext. It is possible to calculate keystate(N-1) if keystate(N) and plaintext(0..N) is known. Let's assume we know 65 bit of plaintext. We first try to find a match in the rainbow table for bit 0..63 and then we try to find a match for bit 1..64. The probability for 65 bit known plaintext it is already 1 - (3/4)**(65 - 64 + 1) = 43.75%. For 80 bit known plaintext it is 1 (3/4)**(80 - 64 + 1) = 98.997%. Let's get this further down: Generate 1/64 of all rainbow tables (which makes it a 58bit problem): If we get 128 bit of known plaintext our chances of decoding it are 1 (63/64)**(128 - 64 + 1) == 64% or 95% if 256 bit of plaintext are known. The maximum number of bits that are encrypted under the same keystate is 114. There are 4 bursts of 114 bit and the plaintext of each of the bursts is known. For each burst the propability of cracking it with only 1/64th of the rainbow table is: 1-(63/64)^(114 - 64 + 1) = 55.2% Considering that we have a 55.2% chance for each of the 4 burst: 1 - (1 - 0.552)**4 = 95.97% Limitation: It is obivous that this is working if we are dealing with successive bits of plaintext. It is less obvious that this also works as long as the 65 bit plaintext as distributed equaly (FIXME: can we optimize this?). 1. Does NOT work: bit 0..63 in one sequence followed by some unknown plaintext followed by bit 64 of known plaintext. 2. DOES work: plaintext bit 0 followed by 1 unknown plaintext bit followed by known plaintext bit 1, followed by unknown plaintext bit followed by known plaintext bit 2,
01/01/2008 11.12
cracking a5 - THC Wiki
11 di 19
http://wiki.thc.org/cracking_a5
... until 64. Further optimization: 1. Do this over multiple messages (e.g. if we know 128 bit in the first packet and another 128 bit in the second message it dramaticaly increases our chances of finding the key state in one of our rainbow tables). 2. Remember that for each message the BTS sends the MS also sends a message. Again, increasing our chances. 8.2.5. Idea V We have known plaintext. The first encrypted message send from the BTS to the MS is amost all 0x2b (except for the first three octets). This means we can implement the attack by Anderson and Roe: Guessing the 41 bit in the shorter R1 and R2 registers, and deriving the 23bit of the longer R3 register from the output. Anderson and Roe's attack is further described in A5/1 FPGA cracking. Calculating Rainbow tables for this is the next challenge. Combing this with Idea IV makes it a 41-6 = 35 bit problem. 8.2.6. Idea VI Are there 'useless' bits in R2? It only has two trap registers. Does this help us calculating the value of others? 8.3. TMTO modified for A5/1 FPGA developers WANTED. Please contact steve at segfault.net if you can turn the following pseudocode into the lasted FPGA implementation (and decide for a FPGA of your choice). We are currently using Xilinx LX50. Is there a better/cheaper option? 8.3.1. Verbal Description Generating tables for a A5 TMTO attack: 1) The total number of tables is $max_tables. Each table is generated in the same way except that a different reduction function is used. One table contains many chains. Each chain starts with a different $StarPoint. A chain is represented by the $StartPoint, $EndPoint and number of links between $StartPoint and $EndPoint. The
01/01/2008 11.12
cracking a5 - THC Wiki
12 di 19
http://wiki.thc.org/cracking_a5
number of links is also called the 'chain length'. 2) A chain starts with a $StartPoint and ends in a Distinguished Point $EndPoint. A chain ends when the last x bits of the $output are all 0. 3) A link in a is chain is generated by: - Set A5 state to $state - Generate 64 bit of A5 output by clocking the $state 64 times. - Generate new $state by applying reduction function to $output. Summary: Many links make up a chain. Many chains make up a table. Many tables make up a A5 TMTO attack. Notes: - One core generates one table - Multiple cores fit onto 1 FPGA - A chain is considered looping if the chain length gets longer than 10 times the expected chain length and still no $EndPoint was found. - Each table is sorted by $EndPoint and then compressed.
8.3.2. C Reference Implementation The reference implementation computes 1 table. This version is around 6000 times slower than the FPGA implementation. Download: A5DemoBusterTableGen.c Compile: gcc -Wall -O3 -march=pentium4 -o A5DemoBusterTableGen A5DemoBusterTableGen.c
8.3.3. Pseudocode /* All variables are 64 bit */ /* Parameter */ $EndPoint_Bit = 19
01/01/2008 11.12
cracking a5 - THC Wiki
13 di 19
http://wiki.thc.org/cracking_a5
$max_tables = 7956 $max_number_chains = 2^26 /* Global Variables & Initialization */ GLOBAL $g_EndPoint_Mask = (1 << $EndPointBit) - 1 GLOBAL $g_ReductionFunction
FOR $table==0 TO $max_tables DO /* At the moment the reduction function is XOR with the table number */ $g_ReductionFunction = $table; table_gen() DONE
/* * A Table contains multiple chains. Each chains consists of * 1 Start Point and 1 End Point. */ FUNCTION table_gen() { FOR $number_chain==0 TO $max_number_chains - 1 DO /* At the moment the Start Point for each chain is the * current chain number. */ $StartPoint = $number_chain $looping = a5_until_endpoint($StartPoint, &$EndPoint, &$Len) IF $looping == FALSE OUTPUT($StartPoint $EndPoint, $Len); DONE }
FUNCTION table_start_point($number_chain) { /* At the moment the start point of each chain is the Chain Number */ RETURN $number_chain } /* * INPUT: * - $StartPoint * RETURN:
01/01/2008 11.12
cracking a5 - THC Wiki
14 di 19
http://wiki.thc.org/cracking_a5
* - $EndPoint contains the EndPoint * - $Len contains the number of links in this chain * - Return value is boolean. True if EndPoint could not be found. False *
otherwise.
*/ FUNCTION a5_until_endpoint($StartPoint, &$EndPoint, &$Len) { $state = $StartPoint; $chain_links = 0 WHILE TRUE DO $output = a5_clock($state); IF is_endpoint($output) THEN &$EndPoint = $output &$Len = $chain_links RETURN FALSE /* Check if we are looping */ $chain_links = $chain_links + 1 IF ($chain_links > $g_ChainLinks_Max * 10) RETURN TRUE /* If not looping apply reduction function and generate * new state. */ $state = $output XOR $g_ReductionFunction DONE } FUNCTION a5_clock($state) { /* Clock state for 64 clocks */ /* Store output in $output and return $output */ RETURN $output } /* * Return true if the last $g_EndPoint_Bit of $EndPoint are * all 0 */ FUCTION is_endpoint($EndPoint) { IF $EndPoint & $g_EndPoint_Mask == 0 RETURN TRUE RETURN FALSE }
9. Resources 01/01/2008 11.12
cracking a5 - THC Wiki
15 di 19
http://wiki.thc.org/cracking_a5
1. CS-2006-07-cracking-a5.pdf Barkan, Biham and Keller. Most recent research paper about cracking A5/1. 2. PHD-2006-04.pdf Elad Pinhas Barkan, Cryptoanalyzis of Ciphers (A5, Rainbow tables) 3. GsmSecurity.pdf 15 Dec 2006, Stausholm, Dahl. Explaining A5 and different attack vectors. 4. 2000, Biryukov, Shamir, Wagner (WWW). (PDF) Real Time Cryptanalysis of A5/1 on a PC. 5. Time/Memory/Data Trade-off Attacks 6. A5/1 FPGA crack 7. ekdahl-03-a51a.pdf Different Attack. Requires 2-5 mins of data. Not practical but good A5 explanation. 8. Ross Anderson original email posting. 9. a5-1-2.c Most recent A5/1 and A5/2 implementation by Marc Briceno. 10. a3a8.txt A3 and A8 implementation by Briceno, Goldberg and Wagner. 11. A5/3 and 3G algorithm. 9.1. List of used encryption around the World Known GSM Netowrk Encryption usage Version 1.12 8th December 2005 gsm_network_encryption_list.csv If you have updates (what about France??) please send an email to steve at segfault.net. MCC Country
MNC Network
Crypto
204
Netherlands
4
Vodafone
A5/1
204
Netherlands
8
KPN
A5/1
204
Netherlands
16
T-Mobile
A5/1
204
Netherlands
12
O2
A5/1
204
Netherlands
20
Orange
A5/1
206
Belgium
1
Proximus
A5/1
206
Belgium
10
Mobilstar
A5/1
206
Belgium
20
Base
A5/1
208
France
10F
SFR
A5/1, A5/0
214
Spain
1
Vodafone
A5/1
214
Spain
3
Amena
A5/1
214
Spain
7
Movistar
A5/1
222
Italy
1
TIM
A5/1
Date & City
Comments
2007-05-25 Grenoble
A5/1 for TCH, A5/0 for SMS
01/01/2008 11.12
cracking a5 - THC Wiki
16 di 19
http://wiki.thc.org/cracking_a5
222
Italy
10
Vodafone
A5/1
234
United Kingdom
10
O2
A5/1
234
United Kingdom
15
Vodafone
A5/1
234
United Kingdom
30
T-Mobile
A5/1
234
United Kingdom
33
Orange
A5/1
238
Denmark
1
TDC
A5/1
242
Norway
1
Telenor Mobil
A5/1
242
Norway
2
Netcom
A5/1
250
Russia
1
MTS
A5/1
250
Russia
2
Megafon
A5/1
250
Russia
99
Beeline
A5/1
262
Germany
2
Vodafone
A5/1
262
Germany
3
Eplus
A5/1
262
Germany
7
O2
A5/1
272
Ireland
2
O2
A5/1
x
Serbia
x
x
A5/2
293
Slovenia
40
SI Mobil Vodafone
A5/2
293
Slovenia
41
SI Mobitel GSM
A5/1
293
Slovenia
70
Vega
A5/1
404
India
4
IDEA
A5/0
404
India
10
AirTel
A5/0
404
India
11
Essar
A5/0
404
India
20
Orange
A5/0
404
India
68
Dolphin
A5/0
424
United Arab Emirates
1
Etisalat
A5/1
2007-08-11 Modena
A5/1 for TCH and SMS (thnx Andrea)
2007-12-25
Abu Dhabi
01/01/2008 11.12
cracking a5 - THC Wiki
17 di 19
http://wiki.thc.org/cracking_a5
424
United Arab Emirates
2
Du
A5/1
505
Australia
1
Telstra
A5/1
505
Australia
2
Optus
A5/1
505
Australia
3
Vodafone
A5/1
515
Philippines
2
Globe
A5/1
515
Philippines
3
Smart
A5/1
515
Philippines
5
Sun
A5/1
639
Kenya
2
Safaricom
A5/2
639
Kenya
3
Celtel
A5/2
Dubai
Converting the CSV to wiki table: cat gsm_network_encryption_list.csv | sed 's/"//g' | while read x; do echo "||`echo "$x" | sed 's/,/||/g'`||"; done
History: When A5/1 came out mostly germany (as the bordering country to the soviet block) wanted to implement strong encryption. Other Nato members (led by france) were worried that the middle east would use strong encryption. Thus they cut a deal to come up with a weaker version, A5/2. These days both (A5/1 and A5/2) have been broken. A5/3 has not been seen in the wild yet. Other comments: 1. 2. 3. 4. 5.
No encryption in Russia/Ukraine, during emergencies (which can last weeks!) No encryption if BTS is under load (can somebody confirm??) No encryption in germany during HLR/VLR outages In some arab countries without reason some areas without encryption. SMS are sometimes unencrypted even when TCH is encrypted.
9.2. How to check if A5/1 is used There are two ways. You can either use Nokia's Netmonitor (aka Field Tester) or you can use any dct3 mobile (like the nokia 3310) and gammu + PC to find out. The netmonitor is the easier way because you do not need a PC. The netmonitor software runs on many famous mobiles phones (nokia 6630, 6680, n70, sony erricson, ..) 1. Make sure your phone is using GSM (and not 3G/UMTS or DUAL). Go to Menu -> Tools -> Settings -> Network -> Network mode and switch to GSM. 2. Install the netmonitor by connecting your phone to the PC (via usb cable). 3. Launch netmonitor 4. Go to screen 1.10. Send a SMS to the phone. See if the 'Ciphering val' changes from OFF to something else. 5. Go to screen 1.10. Call the mobile phone. See if the 'Ciphering val' changes from
01/01/2008 11.12
cracking a5 - THC Wiki
18 di 19
http://wiki.thc.org/cracking_a5
OFF to something else. 6. Send an email to steve [at] segfault dot net including the country, mobile operator and cipher used (See example results below). Example how it looks like:
Results of this example: Date: 2007/05/25 09:32 Country Code: 234 Network Code: 10F Location area: 12124 (central london) A51 when receiving SMS A51 when receiving voice call Hopping: On The other method is by using gammu and a dct3 trace mobile (like the nokia 3310) connected to the PC. Start a trace, make a phonecall and send in the out.xml file that gammu produces. See our main project page on how to use gammu and dct3 trace mobiles. Check the GSMSP Project for more infos on how to use gammu. 9.3. HD Random Access Time The cracking of A5/1 requires very fast random access to the harddrive. We are currently looking for the most performing harddrives and raids. If you have access to a raid with at least 8 disks please run this test for us. Download: random_access.c ; The example assumes that the raid is available at /dev/sda and has 8 harddrives. # gcc -Wall -O2 -o random_acccess random_access.c # for x in `seq 1 8`; do ./random_access /dev/sda >log${x}.txt &; done # cat log*.txt >results.txt
Send results.txt, the type of raid and the number of harddrives in the raid to steve [at] segfault.net.
01/01/2008 11.12
cracking a5 - THC Wiki
19 di 19
http://wiki.thc.org/cracking_a5
== News Links === 1. Wired: FBI GSM interception capabilities.
10. Links 1. http://www.dia.unisa.it/professori/ads/corso-security/www/CORSO-9900/a5/Netsec/netsec.htm 2. http://jya.com/crack-a5.htm local mirror 3. http://cryptome.org/a51-crack.htm 4. http://www.copacobana.org/ 5. Program to benchmark Harddrive Random Access time: random_access.c
01/01/2008 11.12
1 di 19
http://wiki.thc.org/cracking_a5
cracking a5
The A5 Cracking Project
NEWS: We have created a PRIVATE A5 mailinglist. If you feel you have something to contribute to the project please contact steve [at] segfault.net. The reason for this has been explained on the public mailinglist a5 [at] lists.segfault.net. NEW: The CCC Camp07 GSM Software Project and A5 Cracking Talk video is available. The final attack and a live demonstration will be given at a selected security conference in March 2008.
Powered by EFF. Contenuti 1. 2. 3. 4. 5. 6. 7. 8.
LICENSE About How you can help TODO Requirements A5 weakness A5/GSM encryption example Misc Ideas 1. FPGA Ideas 1. Brute Force 2. Brute Force II 3. possible boards
01/01/2008 11.12
cracking a5 - THC Wiki
2 di 19
http://wiki.thc.org/cracking_a5
2. Rainbow Table 1. Idea I 2. Idea II 3. Idea III 4. Idea IV 5. Idea V 6. Idea VI 3. TMTO modified for A5/1 1. Verbal Description 2. C Reference Implementation 3. Pseudocode 9. Resources 1. List of used encryption around the World 2. How to check if A5/1 is used 3. HD Random Access Time 10. Links
1. LICENSE GSM Software Project License Version
1, January 2007
All code, information or data [from now on "data"] available from the GSM Software Project or any other project linked from this or other pages is owned by the creator who created the data. The copyright, license right, distribution right and any other rights lies with the creator. It is prohibitied to use the data without the written agreement of the creator. This included using ideas in other projects (commercial or not commercial). Where data was created by more than 1 creator a written agreement from each of the creators has to be obtained. Please contact steve [at] segfault.net for any questions.
2. About We are security enthusiasts. Our goal is to implement a system that can crack A5/1. Our results will be used with the GSM Software Project to demonstrate weaknesses in GSM. The A5 algorithm has been broken (in theory) in 1998 but it's still widely used. The mobile operators still insist that the GSM customers (that's you and me!) are protected and that our data is safe. We want to bring together all the folks who worked on the theory of cracking A5/1. Subscribe to our mailinglist by sending an email to a5-subscribe [at] lists.segfault.net
01/01/2008 11.12
cracking a5 - THC Wiki
3 di 19
http://wiki.thc.org/cracking_a5
3. How you can help 1. Add links and information to this page or send them to steve at segfault.net 2. Sponsor us! We need hardware, books and coffee! 3. Come up with smart ideas.
4. TODO 1. Come up with example data (e.g. first encrypted burst from BTS to MS and first burst from MS to BTS). 2. Enhance the attack on A5/1 3. Implement a A5/2 crack.
5. Requirements The project comes in stages. 1. 2. 3. 4.
Understand current state of A5/1 cracking (THAT'S WHERE WE ARE IN NOW!) Implement A5/2 crack (the weaker of both algorithms) Implement one of the many A5/1 cracks from the academic papers Research and Implement new ways to crack A5/1
Our ultimate goal is to crack A5/1: 1. 2. 3. 4.
by only intercepting data (passiv) require less than 4Terabyte HD. able to decrypt short encrypted bursts (like SMS, last less than 0.1 seconds). Cracking time less than 1 day.
6. A5 weakness A5 is weak. That's A5/1 and A5/2. When you look at the algorithm it just gives you a bad feeling. 1. 2. 3. 4.
The registers are to small The trap registers are all on one side The 3 LSFRs do not mix results amoung each other Protocol implementation is faulty: An attacker can record all encrypted traffic. If the attacker gains access to the sim at any point in the future he can decrypt all traffic sniffed in the past. This works by putting the sim card into a sim reader and running the gsm_runalgorithm() function on the sim. The sim will decode any traffic without us knowing the Ki. This attack requires access to the sim for 30 seconds and can decode any GSM converstation that happened in the past. 5. etc etc etc I did a quick example to visualize the entroypy. Crypto people love entropy. An easy way to visualize the entropy is to generate a picture of the relationship between two, three or four successive numbers generated by the algorithm. Ideally we should not see any structure. All pixels should be distributed randomly. lcamtufs ISN analyzsis explains more details about this method. I use a matlab script to generate the graphics. x.txt contains the output of the a5/1 key
01/01/2008 11.12
cracking a5 - THC Wiki
4 di 19
http://wiki.thc.org/cracking_a5
initialization algorithm. a = 0; b = 0; c = 0; d = 0; XD = 256; YD = 256; ZD = 256; M = dlmread('x.txt', ' '); V = M(2,2) I(1:((XD - 1) * 2), 1:((YD - 1) * 2)) = 0; for i=1:25600 x = b - a; % -255 .. 255 y = c - b; % -255 .. 255 z = d - c; % -255 .. 255 I(x + XD, y + YD) = cast(z + (ZD - 1), 'double') / ((ZD-1) * 2); a = b; b = c; c = d; d = cast(mod(M(i, 1),256), 'int16'); % val between 0..255 %d = cast(rand(1,1) * XD, 'int16'); % val between 0..255 end imshow(I);
Figure 1: Key set to 0. FrameNumber runs from 0-25600. We can see a structure. There is a relationship between the key state with FrameNumber N and the key state with FrameNumber N - 1.
TODO: add more.
01/01/2008 11.12
cracking a5 - THC Wiki
5 di 19
http://wiki.thc.org/cracking_a5
7. A5/GSM encryption example TODO: write down how a5 works and how the data looks that is encrypted and what the first encrypted message from/to basestation is and which bits are static/known/guessable. The Frame Number (FN) wrapps around every 3h 28min 53 sec and 750ms. A layer 1 GSM message is 23 octet long. It is padded with 0x2b if less than 23 octet content data are to be send. How to encode 1 GSM message (after padding): 1. 23 * 8 = 184 bit content data per GSM message. [Output: 184 bit] 2. Add 40 bit fire code (crc) and 4 bit tail (0x00). [Output: 228 bit] 3. Convolutional encode the 228 bit. This duplicates the number of (known) bits. [Output: 456 bit] 4. Interleave the 456 bit. [Output: 456 bit] 5. Chop the 456 bit into 8 packs, each 57 bit long. Take the first two 57 bit chunks and send them in the first GSM burst. The 3rd and 4th are send in the second GSM burst and so on and so on.[Output: 4x114 bit] 6. The frame number is known and incremented for each GSM burst. A5 is reinitialized for _each_ burst. This means each burst is encoded under the same Kc but under a different frame number. The A5 state is thus different for each GSM burst. First encrypted message send from MS to BTS is 'Ciphering Mode Complete': 000: ?? ?? ?? 06 32 2b 2b 2b
- 2b 2b 2b 2b 2b 2b 2b 2b
001: 2b 2b 2b 2b 2b 2b 2b 0: ?? -------1 Extended Address: 1 octet long 0: ?? ------0- C/R: Response 0: ?? ---000-- SAPI: RR, MM and CC 0: ?? -00----- Link Protocol Disciminator: GSM (not Cell Broadcasting) 1: ??
------01 Supvervisory Frame
1: ?? ----00-- RR Frame (Receive ready) 1: ?? ---0---- Poll/Final bit (P/F) 1: ?? 000----- N(R), Retransmission counter: 0 2: ?? -------0 EL, Extended Length: n 2: ?? ------0- M, segmentation: N 2: ?? 000010-- Length: 2 3: 06 0------- Direction: From originating site 3: 06 -000---- 0 TransactionID 3: 06 ----0110 Radio Resouce Management 4: 32 00110010 RR Cipher Mode Complete
This message tells the BTS to start ciphering. The first encrypted message send from the BTS to the MS is either a MMIdentityRequest followed by a empty GSM message or a empty GSM message. Both of them contain plenty known plaintext: The 0x2b GSM 01/01/2008 11.12
cracking a5 - THC Wiki
6 di 19
http://wiki.thc.org/cracking_a5
message padding octet. 000: 03 42 0d 05 18 03 2b 2b
- 2b 2b 2b 2b 2b 2b 2b 2b
001: 2b 2b 2b 2b 2b 2b 2b 0: 03 -------1 Extended Address: 1 octet long 0: 03 ------1- C/R: Command 0: 03 ---000-- SAPI: RR, MM and CC 0: 03 -00----- Link Protocol Disciminator: GSM (not Cell Broadcasting) 1: 42 -------0 Information Frame 1: 42 ----001- N(S), Sequence counter: 1 1: 42 ---0---- P 1: 42 010----- N(R), Retransmission counter: 2 2: 0d -------1 EL, Extended Length: y 2: 0d ------0- M, segmentation: N 2: 0d 000011-- Length: 3 3: 05 0------- Direction: From originating site 3: 05 -000---- 0 TransactionID 3: 05 ----0101 Mobile Management Message (non GPRS) 4: 18 00------ SendSequenceNumber: 0 4: 18 --011000 MMIdentidyRequest 5: 03 -----011 IMEISV
or 000: 03 03 01 2b 2b 2b 2b 2b
- 2b 2b 2b 2b 2b 2b 2b 2b
001: 2b 2b 2b 2b 2b 2b 2b 0: 03 -------1 Extended Address: 1 octet long 0: 03 ------1- C/R: Command 0: 03 ---000-- SAPI: RR, MM and CC 0: 03 -00----- Link Protocol Disciminator: GSM (not Cell Broadcasting) 1: 03 ------11 Unnumbered Frame 1: 03 ---0---- P 1: 03 000-00-- UI frame (Unnumbered information) 2: 01 -------1 EL, Extended Length: y 2: 01 ------0- M, segmentation: N 2: 01 000000-- Length: 0
8. Misc Ideas 1. Shall we do a brute force with FPGA or do a smart attack as outlined in the 2001 paper? 2. Can we use the weakness in A8/A3 to calculate Kc for A5/1? 3. What happened to the cypherpunks mailinglist? The LNE links seem to be down! Anyone? 4. I'm not concerned if we need 50 FPGA's or 4TB or harddrives. Some people say that it's not practical to carry 4TB of harddrives in a rucksack. We can always host the solution and when on a cracking mission the challenge can be send (via sms?) to the
01/01/2008 11.12
cracking a5 - THC Wiki
7 di 19
http://wiki.thc.org/cracking_a5
hosted Cracking Server which sends the results back after a couple of seconds. 5. Can we devide the A5/1 cracking problems into smaller problems and solve each on its own? This means finding a new attack against A5/1. 8.1. FPGA Ideas 8.1.1. Brute Force Some initial thoughts on A5/1 and FPGA. All this needs to be calculated more precisely. Each clock cycle the A5 implementation should output 64 bit of streamcipher. We can put multiple A5 implementations on the same FPGA chip. The calculation is based on a pipelined implementation of A5. The three LSFR registers are in total 19 + 22 + 23 = 64bit long. The first LSFR requires 5 Logical Units (LU's, e.g xor). The second requires 3 LU's and the last one requires 5 LU's. All together 13 LU's and 64 bit. The Trap register add's 1 LU per LSFR. Makes 16 LU's and 64bit. Generating the state (with key and FrameNumber (FN)) requires 64 + 22 = 88 steps. This is followed by another 100 cycles. Each of the 100 cycles requires 1 LU less per LSFR. After these 100 cycles we want to generate about 64 bit of output (e.g. enother 64 cycles). 1. LU's: 16 * 88 + 13 * 100 + 13 * 64 = 3540 2. Registers: 64 * 88 + 64 * 100 + 64 * 64 = 16128 After 88 + 100 + 64 cycles we will start seeing 64 bit of stream cipher output for each cycle. This is all not optimized. We do not need the first 9 steps because the Tap register only start at bit 8. we also do not need all the LU's or registers for the first 18 steps because the first LSFR is not fully used until step 18. Same for the last 64 steps. For each of the last 64 steps we only need 2 LU's and 1 register less for each step. We decided to use Xilinx. Altera is a good choice as well but at the moment most of us worked with xilinx before. The Virtex-5 from Xilinx LX330 has 330.000 LU's and runs at 500 Mhz. That brings us down to 4 days per development board?! But the boards and chips are to expensive. Better to stick with LX50. 8.1.2. Brute Force II Some more precise calculation by David Hulton:[[BR]] The LX50 can run at 200-300Mhz and cost $300 each (just the chip, without dev board). I pipelined my version of A5/1 and came up with some rough numbers on the Virtex-5 LX50. This is purely just computing the 186 clock cycles for setup and only computing a single bit of output from the pipeline on each clock cycle. I'm sure we could optimize it a little bit but once we factor in the overhead of doing the key compares and other bridge code it probably won't be much less than the numbers here..
01/01/2008 11.12
cracking a5 - THC Wiki
8 di 19
http://wiki.thc.org/cracking_a5
With this design, we will probably only be able to fit 4 fully pipelined instances of A5/1 on here unless we can hand-optimize the placement better than the Xilinx tools and code in some of the shortcuts that you mentioned on the a5 cracking page. I'll work on this a bit more and see if I can reduce the logic down. Slice Logic Utilization: Number of Slice Registers: 28,800
7,289 out of
25%
Number used as Flip Flops:
7,289
Number of Slice LUTs: 28,800
6,968 out of
24%
Number used as logic: 28,800
6,566 out of
22% Number using O6 output only:
Number used as Memory: 7,680
6,566 402 out of
5% Number used as Shift Register:
402
Number using O6 output only:
402
Slice Logic Distribution: Number of occupied Slices: 7,200
2,670 out of
37%
Number of LUT Flip Flop pairs used: Number with an unused Flip Flop: 7,292
7,292 3 out of
1%
Number with an unused LUT: 7,292
324 out of
4%
Number of fully used LUT-FF pairs: 7,292
6,965 out of
95%
Number of unique control sets:
2
A LUT Flip Flop pair for this architecture represents one LUT paired with one Flip Flop within a slice.
A control set is a unique
combination of clock, reset, set, and enable signals for a registered element. The Slice Logic Distribution report is not meaningful if the design is over-mapped for a non-slice resource or if Placement fails. IO Utilization: Number of bonded IOBs: 220
88 out of
40%
Specific Feature Utilization: Number of BUFG/BUFGCTRLs:
1 out of
01/01/2008 11.12
cracking a5 - THC Wiki
9 di 19
http://wiki.thc.org/cracking_a5
32
3% Number used as BUFGs:
1
Total equivalent gate count for design: Additional JTAG gate count for IOBs:
155,730
4,224
8.1.3. possible boards ML501 Xlinix LX50 ($955) PicoComputing E-16 LX50 ($2.000) The LX330 boards cost $5.000. Because we can put 4x more a5/1 implementations on them and they run 6.6x faster it might be worth it. 8.2. Rainbow Table Traditional rainbow tables take the key as input. Our key is 88 bit (of which the last 22 bit are the known Frame Number). We can not generate a rainbox table for 2^88 key combinations.
8.2.1. Idea I The state table of all 3 LSFR's combined is just 64 bit. The A5 initialization process (e.g. seeding in key + FN and mixing it 100 cycles) is reverseable. Thus once we know the key state we can compute the key easily. Generating rainbow tables for 64 bit keys is difficult (TODO: calculate how difficult and how many FPGA's required). This attack would work regardless of the frame number and regardless of the key length (54, 64 or 128 bit). It also uses less LU's than the normal key brute force implementation. All 3 LSFR can be stuck together to get one 64bit register: | R1 19bit | R2 22bit | R3 23bit | Rought idea of generating rainbow table with 2^36 tables: 1. Start with key state bit 35..0 is set to 0000..001. Bit 63..36 is set to 0. 2. RainbowtableNumber++; Entries = 0; 3. Calculate 64bit output from this keystate. Entries++; 4. If output's bit 63..36 are all 0 then stop this rainbow table. Otherwise take 64 bit usefull output and use this output as state. Repeat 3. 5. Increment value in bit 35..0 by 1 (e.g. start next rainbow table). Repeast 2. Problems: 1. What happens if we never hit a state that has bit 63..36 to all 0s (e.g. if we are stuck in a loop)? Break loop after a maximum number of iterations and call it an 'unlucky' rainbow table which is handles specially? 2. Using bit 63..36 is just an example. In fact any number of bits (in sequence or not in sequence) can be used.
01/01/2008 11.12
cracking a5 - THC Wiki
10 di 19
http://wiki.thc.org/cracking_a5
8.2.2. Idea II (This Idea is now obsolete) Maybe it's enough to generate a rainbow table for FrameNumber 0. Calculating all 2**54 keys with an FPGA and generating a rainbow tables is a matter of days (e.g. possible). Can a rainbow table generated with FrameNumber == 0 be used to decrypt packets that do not have Frame Number set to 0? 8.2.3. Idea III Is it possible to reduce a LSFR register? By this i mean exist there a shorter LSFR register that would produce the same output (for a certain class of keys)? 8.2.4. Idea IV We do not need to generate rainbow tables for all possible keystates. Let's assume we generate rainbow tables for 1/4 of all keystates (e.g 62bit). If we sniff 64 bit known plaintext our chances that we can crack it with the rainbow table is 25%. A5 is reversable: Let N be the index of current working bit of the A5 algorithm (e.g. after N bits of output have been produced and N bit of plaintext have been encrypted). Let keystate(N) be the state of the keystate after N bits have been produced. Let plaintext(N) be the N-th bit of the plaintext. It is possible to calculate keystate(N-1) if keystate(N) and plaintext(0..N) is known. Let's assume we know 65 bit of plaintext. We first try to find a match in the rainbow table for bit 0..63 and then we try to find a match for bit 1..64. The probability for 65 bit known plaintext it is already 1 - (3/4)**(65 - 64 + 1) = 43.75%. For 80 bit known plaintext it is 1 (3/4)**(80 - 64 + 1) = 98.997%. Let's get this further down: Generate 1/64 of all rainbow tables (which makes it a 58bit problem): If we get 128 bit of known plaintext our chances of decoding it are 1 (63/64)**(128 - 64 + 1) == 64% or 95% if 256 bit of plaintext are known. The maximum number of bits that are encrypted under the same keystate is 114. There are 4 bursts of 114 bit and the plaintext of each of the bursts is known. For each burst the propability of cracking it with only 1/64th of the rainbow table is: 1-(63/64)^(114 - 64 + 1) = 55.2% Considering that we have a 55.2% chance for each of the 4 burst: 1 - (1 - 0.552)**4 = 95.97% Limitation: It is obivous that this is working if we are dealing with successive bits of plaintext. It is less obvious that this also works as long as the 65 bit plaintext as distributed equaly (FIXME: can we optimize this?). 1. Does NOT work: bit 0..63 in one sequence followed by some unknown plaintext followed by bit 64 of known plaintext. 2. DOES work: plaintext bit 0 followed by 1 unknown plaintext bit followed by known plaintext bit 1, followed by unknown plaintext bit followed by known plaintext bit 2,
01/01/2008 11.12
cracking a5 - THC Wiki
11 di 19
http://wiki.thc.org/cracking_a5
... until 64. Further optimization: 1. Do this over multiple messages (e.g. if we know 128 bit in the first packet and another 128 bit in the second message it dramaticaly increases our chances of finding the key state in one of our rainbow tables). 2. Remember that for each message the BTS sends the MS also sends a message. Again, increasing our chances. 8.2.5. Idea V We have known plaintext. The first encrypted message send from the BTS to the MS is amost all 0x2b (except for the first three octets). This means we can implement the attack by Anderson and Roe: Guessing the 41 bit in the shorter R1 and R2 registers, and deriving the 23bit of the longer R3 register from the output. Anderson and Roe's attack is further described in A5/1 FPGA cracking. Calculating Rainbow tables for this is the next challenge. Combing this with Idea IV makes it a 41-6 = 35 bit problem. 8.2.6. Idea VI Are there 'useless' bits in R2? It only has two trap registers. Does this help us calculating the value of others? 8.3. TMTO modified for A5/1 FPGA developers WANTED. Please contact steve at segfault.net if you can turn the following pseudocode into the lasted FPGA implementation (and decide for a FPGA of your choice). We are currently using Xilinx LX50. Is there a better/cheaper option? 8.3.1. Verbal Description Generating tables for a A5 TMTO attack: 1) The total number of tables is $max_tables. Each table is generated in the same way except that a different reduction function is used. One table contains many chains. Each chain starts with a different $StarPoint. A chain is represented by the $StartPoint, $EndPoint and number of links between $StartPoint and $EndPoint. The
01/01/2008 11.12
cracking a5 - THC Wiki
12 di 19
http://wiki.thc.org/cracking_a5
number of links is also called the 'chain length'. 2) A chain starts with a $StartPoint and ends in a Distinguished Point $EndPoint. A chain ends when the last x bits of the $output are all 0. 3) A link in a is chain is generated by: - Set A5 state to $state - Generate 64 bit of A5 output by clocking the $state 64 times. - Generate new $state by applying reduction function to $output. Summary: Many links make up a chain. Many chains make up a table. Many tables make up a A5 TMTO attack. Notes: - One core generates one table - Multiple cores fit onto 1 FPGA - A chain is considered looping if the chain length gets longer than 10 times the expected chain length and still no $EndPoint was found. - Each table is sorted by $EndPoint and then compressed.
8.3.2. C Reference Implementation The reference implementation computes 1 table. This version is around 6000 times slower than the FPGA implementation. Download: A5DemoBusterTableGen.c Compile: gcc -Wall -O3 -march=pentium4 -o A5DemoBusterTableGen A5DemoBusterTableGen.c
8.3.3. Pseudocode /* All variables are 64 bit */ /* Parameter */ $EndPoint_Bit = 19
01/01/2008 11.12
cracking a5 - THC Wiki
13 di 19
http://wiki.thc.org/cracking_a5
$max_tables = 7956 $max_number_chains = 2^26 /* Global Variables & Initialization */ GLOBAL $g_EndPoint_Mask = (1 << $EndPointBit) - 1 GLOBAL $g_ReductionFunction
FOR $table==0 TO $max_tables DO /* At the moment the reduction function is XOR with the table number */ $g_ReductionFunction = $table; table_gen() DONE
/* * A Table contains multiple chains. Each chains consists of * 1 Start Point and 1 End Point. */ FUNCTION table_gen() { FOR $number_chain==0 TO $max_number_chains - 1 DO /* At the moment the Start Point for each chain is the * current chain number. */ $StartPoint = $number_chain $looping = a5_until_endpoint($StartPoint, &$EndPoint, &$Len) IF $looping == FALSE OUTPUT($StartPoint $EndPoint, $Len); DONE }
FUNCTION table_start_point($number_chain) { /* At the moment the start point of each chain is the Chain Number */ RETURN $number_chain } /* * INPUT: * - $StartPoint * RETURN:
01/01/2008 11.12
cracking a5 - THC Wiki
14 di 19
http://wiki.thc.org/cracking_a5
* - $EndPoint contains the EndPoint * - $Len contains the number of links in this chain * - Return value is boolean. True if EndPoint could not be found. False *
otherwise.
*/ FUNCTION a5_until_endpoint($StartPoint, &$EndPoint, &$Len) { $state = $StartPoint; $chain_links = 0 WHILE TRUE DO $output = a5_clock($state); IF is_endpoint($output) THEN &$EndPoint = $output &$Len = $chain_links RETURN FALSE /* Check if we are looping */ $chain_links = $chain_links + 1 IF ($chain_links > $g_ChainLinks_Max * 10) RETURN TRUE /* If not looping apply reduction function and generate * new state. */ $state = $output XOR $g_ReductionFunction DONE } FUNCTION a5_clock($state) { /* Clock state for 64 clocks */ /* Store output in $output and return $output */ RETURN $output } /* * Return true if the last $g_EndPoint_Bit of $EndPoint are * all 0 */ FUCTION is_endpoint($EndPoint) { IF $EndPoint & $g_EndPoint_Mask == 0 RETURN TRUE RETURN FALSE }
9. Resources 01/01/2008 11.12
cracking a5 - THC Wiki
15 di 19
http://wiki.thc.org/cracking_a5
1. CS-2006-07-cracking-a5.pdf Barkan, Biham and Keller. Most recent research paper about cracking A5/1. 2. PHD-2006-04.pdf Elad Pinhas Barkan, Cryptoanalyzis of Ciphers (A5, Rainbow tables) 3. GsmSecurity.pdf 15 Dec 2006, Stausholm, Dahl. Explaining A5 and different attack vectors. 4. 2000, Biryukov, Shamir, Wagner (WWW). (PDF) Real Time Cryptanalysis of A5/1 on a PC. 5. Time/Memory/Data Trade-off Attacks 6. A5/1 FPGA crack 7. ekdahl-03-a51a.pdf Different Attack. Requires 2-5 mins of data. Not practical but good A5 explanation. 8. Ross Anderson original email posting. 9. a5-1-2.c Most recent A5/1 and A5/2 implementation by Marc Briceno. 10. a3a8.txt A3 and A8 implementation by Briceno, Goldberg and Wagner. 11. A5/3 and 3G algorithm. 9.1. List of used encryption around the World Known GSM Netowrk Encryption usage Version 1.12 8th December 2005 gsm_network_encryption_list.csv If you have updates (what about France??) please send an email to steve at segfault.net. MCC Country
MNC Network
Crypto
204
Netherlands
4
Vodafone
A5/1
204
Netherlands
8
KPN
A5/1
204
Netherlands
16
T-Mobile
A5/1
204
Netherlands
12
O2
A5/1
204
Netherlands
20
Orange
A5/1
206
Belgium
1
Proximus
A5/1
206
Belgium
10
Mobilstar
A5/1
206
Belgium
20
Base
A5/1
208
France
10F
SFR
A5/1, A5/0
214
Spain
1
Vodafone
A5/1
214
Spain
3
Amena
A5/1
214
Spain
7
Movistar
A5/1
222
Italy
1
TIM
A5/1
Date & City
Comments
2007-05-25 Grenoble
A5/1 for TCH, A5/0 for SMS
01/01/2008 11.12
cracking a5 - THC Wiki
16 di 19
http://wiki.thc.org/cracking_a5
222
Italy
10
Vodafone
A5/1
234
United Kingdom
10
O2
A5/1
234
United Kingdom
15
Vodafone
A5/1
234
United Kingdom
30
T-Mobile
A5/1
234
United Kingdom
33
Orange
A5/1
238
Denmark
1
TDC
A5/1
242
Norway
1
Telenor Mobil
A5/1
242
Norway
2
Netcom
A5/1
250
Russia
1
MTS
A5/1
250
Russia
2
Megafon
A5/1
250
Russia
99
Beeline
A5/1
262
Germany
2
Vodafone
A5/1
262
Germany
3
Eplus
A5/1
262
Germany
7
O2
A5/1
272
Ireland
2
O2
A5/1
x
Serbia
x
x
A5/2
293
Slovenia
40
SI Mobil Vodafone
A5/2
293
Slovenia
41
SI Mobitel GSM
A5/1
293
Slovenia
70
Vega
A5/1
404
India
4
IDEA
A5/0
404
India
10
AirTel
A5/0
404
India
11
Essar
A5/0
404
India
20
Orange
A5/0
404
India
68
Dolphin
A5/0
424
United Arab Emirates
1
Etisalat
A5/1
2007-08-11 Modena
A5/1 for TCH and SMS (thnx Andrea)
2007-12-25
Abu Dhabi
01/01/2008 11.12
cracking a5 - THC Wiki
17 di 19
http://wiki.thc.org/cracking_a5
424
United Arab Emirates
2
Du
A5/1
505
Australia
1
Telstra
A5/1
505
Australia
2
Optus
A5/1
505
Australia
3
Vodafone
A5/1
515
Philippines
2
Globe
A5/1
515
Philippines
3
Smart
A5/1
515
Philippines
5
Sun
A5/1
639
Kenya
2
Safaricom
A5/2
639
Kenya
3
Celtel
A5/2
Dubai
Converting the CSV to wiki table: cat gsm_network_encryption_list.csv | sed 's/"//g' | while read x; do echo "||`echo "$x" | sed 's/,/||/g'`||"; done
History: When A5/1 came out mostly germany (as the bordering country to the soviet block) wanted to implement strong encryption. Other Nato members (led by france) were worried that the middle east would use strong encryption. Thus they cut a deal to come up with a weaker version, A5/2. These days both (A5/1 and A5/2) have been broken. A5/3 has not been seen in the wild yet. Other comments: 1. 2. 3. 4. 5.
No encryption in Russia/Ukraine, during emergencies (which can last weeks!) No encryption if BTS is under load (can somebody confirm??) No encryption in germany during HLR/VLR outages In some arab countries without reason some areas without encryption. SMS are sometimes unencrypted even when TCH is encrypted.
9.2. How to check if A5/1 is used There are two ways. You can either use Nokia's Netmonitor (aka Field Tester) or you can use any dct3 mobile (like the nokia 3310) and gammu + PC to find out. The netmonitor is the easier way because you do not need a PC. The netmonitor software runs on many famous mobiles phones (nokia 6630, 6680, n70, sony erricson, ..) 1. Make sure your phone is using GSM (and not 3G/UMTS or DUAL). Go to Menu -> Tools -> Settings -> Network -> Network mode and switch to GSM. 2. Install the netmonitor by connecting your phone to the PC (via usb cable). 3. Launch netmonitor 4. Go to screen 1.10. Send a SMS to the phone. See if the 'Ciphering val' changes from OFF to something else. 5. Go to screen 1.10. Call the mobile phone. See if the 'Ciphering val' changes from
01/01/2008 11.12
cracking a5 - THC Wiki
18 di 19
http://wiki.thc.org/cracking_a5
OFF to something else. 6. Send an email to steve [at] segfault dot net including the country, mobile operator and cipher used (See example results below). Example how it looks like:
Results of this example: Date: 2007/05/25 09:32 Country Code: 234 Network Code: 10F Location area: 12124 (central london) A51 when receiving SMS A51 when receiving voice call Hopping: On The other method is by using gammu and a dct3 trace mobile (like the nokia 3310) connected to the PC. Start a trace, make a phonecall and send in the out.xml file that gammu produces. See our main project page on how to use gammu and dct3 trace mobiles. Check the GSMSP Project for more infos on how to use gammu. 9.3. HD Random Access Time The cracking of A5/1 requires very fast random access to the harddrive. We are currently looking for the most performing harddrives and raids. If you have access to a raid with at least 8 disks please run this test for us. Download: random_access.c ; The example assumes that the raid is available at /dev/sda and has 8 harddrives. # gcc -Wall -O2 -o random_acccess random_access.c # for x in `seq 1 8`; do ./random_access /dev/sda >log${x}.txt &; done # cat log*.txt >results.txt
Send results.txt, the type of raid and the number of harddrives in the raid to steve [at] segfault.net.
01/01/2008 11.12
cracking a5 - THC Wiki
19 di 19
http://wiki.thc.org/cracking_a5
== News Links === 1. Wired: FBI GSM interception capabilities.
10. Links 1. http://www.dia.unisa.it/professori/ads/corso-security/www/CORSO-9900/a5/Netsec/netsec.htm 2. http://jya.com/crack-a5.htm local mirror 3. http://cryptome.org/a51-crack.htm 4. http://www.copacobana.org/ 5. Program to benchmark Harddrive Random Access time: random_access.c
01/01/2008 11.12
Related Documents
Cracking A5 - Thc Wiki
November 2019 10
Gsm - Thc Wiki
November 2019 12
Thc
June 2020 17
Cracking
May 2020 10
A5
November 2019 65