[2516] in cryptography@c2.net mail archive
Re: TIME Magazine on GSM cell phone crack
daemon@ATHENA.MIT.EDU (Phil Karn)
Wed Apr 15 17:10:21 1998
Date: Wed, 15 Apr 1998 12:16:48 -0700 (PDT)
From: Phil Karn <karn@qualcomm.com>
To: cryptech@mcs.net
Cc: cryptography@c2.net
In-reply-to: <Pine.BSF.3.95.980415091058.2701A-100000@Jupiter.Mcs.Net>
(message from Mike Rosing on Wed, 15 Apr 1998 09:24:17 -0500 (CDT))
>making. It sounds like the GSM base stations are more "intellegent", so
>they can make connections without first getting an ok from the central
>switch (which connects the cell phones to POTS). The advantage to the
As I understand GSM, the serving system obtains a list of
challenge/response pairs from the home system, which is the only
entity (besides the phone itself) in possession of the authentication
key Ki. When this list is used up, the serving system goes back and
gets another list. Think of them as one-time passwords. One purported
advantage of this scheme is that the home system doesn't have to have
the same authentication algorithm as the serving system. (But as we've
seen, they all seem to use COMP128 anyway.)
The North American digital systems (CDMA and TDMA) share common
algorithms. The protocol differs from GSM by having a two-level key
hierarchy. The long-term A-key (analogous to the GSM Ki) is again
known only to the mobile and the home system, but a temporary
second-level key ("SSD", for Shared Secret Data) is established
between the mobile and serving system when the mobile roams. The SSD
keys the hash function CAVE to authenticate actual calls.
The two-level scheme avoids the need for the serving system to go back
to the home system for new challenge/response pairs, but there is an
optional provision to regenerate a new SSD that does require
communication with the home system.
Phil
