Cracking GSM
security base of GSM
Karsten Nohl, Sascha Krißler
@ HAR 2009
Phone with end-to-end encryption - soon needed?
GSM encryption has been broken over and over again
Academic breaks of A5/1 cipher: EC1997, FSE2000, Crypto 2003, SAC2005, …
A5/1 crackers widespread among intelligence agencies
Cracking tables computed in 2008 but never released
After 15 years, still no public A5/1 exploit!!
We’ll change this over the next months
GSM is global, omnipresent and insecure
80% of mobile phone market
GSM security introduced in 1987 …
… then disclosed and shown insecure in 1994
200+ countries
3 billion users!
GSM must not be used for security systems, especially not for new ones
Recent adoptions of GSM despite weak security:
Home banking
Payment
Authentication
GSM apparently seen as secure enough for payment & access. Falsely so!
We need a public GSM decrypt PoC
A5/1 shown academically broken
A5/1 shown more …
… and more …
… and more broken.
Broken with massive computation
Rainbow table computation
Timeline labels: '97, '00, '03, '05, '06, '03/'08
Tables never released
Too expensive
Not enough known data in GSM packets
Groundwork for table generation is complete and open sourced
High-speed A5/1 engine
Table Parameterization
Status
Table Generation
GSM decrypt PoC
Your help* needed!
Source and doc available: reflextor.com/trac/a51
* CUDA graphic cards or Xilinx Virtex FPGAs needed
A5/1 is vulnerable to generic precomputation attacks
For ciphers with small keys, code books allow decryption
Code book provides a mapping from known output to secret state
Secret state    Output
A52F8C02        52E91001
62B9320A        52E91002
C309ED0A        52E91003
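The code-book idea on this slide, as an added example that is not from the original slides or the project's code: a toy cipher with only 15 bits of secret state is enumerated once, and known output is then looked up to recover the candidate states. The cipher is constructed for illustration and is not A5/1; its register sizes, taps, clock bits and all function names are assumptions.

```python
from collections import defaultdict
from itertools import product

# Toy cipher constructed for this example (NOT A5/1): three short LFSRs with
# majority-rule clocking. Register sizes, taps and clock bits are assumptions.
SIZES = (4, 5, 6)                    # 15 bits of secret state in total
TAPS = ((3, 0), (4, 1), (5, 0))      # feedback taps per register
CLOCK = (1, 2, 3)                    # clocking-bit position per register
OUT_BITS = 20                        # known keystream bits used as the lookup key

def keystream(state, nbits=OUT_BITS):
    """Run the toy cipher from `state` (3 register values); return nbits as an int."""
    regs, out = list(state), 0
    for _ in range(nbits):
        cbits = [(r >> c) & 1 for r, c in zip(regs, CLOCK)]
        majority = int(sum(cbits) >= 2)
        for i, size in enumerate(SIZES):
            if cbits[i] == majority:             # registers in the minority stall
                fb = 0
                for t in TAPS[i]:
                    fb ^= (regs[i] >> t) & 1
                regs[i] = ((regs[i] << 1) | fb) & ((1 << size) - 1)
        bit = 0
        for r, size in zip(regs, SIZES):
            bit ^= (r >> (size - 1)) & 1         # XOR of the top bit of each register
        out = (out << 1) | bit
    return out

def build_code_book():
    """Enumerate every secret state once and index it by the output it produces."""
    book = defaultdict(list)
    for state in product(*(range(1 << n) for n in SIZES)):
        book[keystream(state)].append(state)
    return book

def lookup(book, observed):
    """Return all secret states that generate the observed keystream prefix."""
    return book.get(observed, [])

if __name__ == "__main__":
    book = build_code_book()                     # cost paid once: 2**15 cipher runs
    secret = (0b1011, 0b00110, 0b110001)         # constructed sample state
    candidates = lookup(book, keystream(secret))
    print(f"{len(book)} distinct outputs for {1 << sum(SIZES)} states")
    print("secret state among candidates:", secret in candidates)
```

Each extra bit of secret state doubles the size of the book, so a cipher's resistance to this attack rests on its state and key size. Several states can map to one output because stalled registers make the state update non-injective, which is why the lookup returns a list.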
An A5/1 code book is...