[2611] in cryptography@c2.net mail archive

Re: TIME Magazine on GSM cell phone crack

daemon@ATHENA.MIT.EDU (Harald Hanche-Olsen)
Thu Apr 30 11:00:33 1998

To: cryptography@c2.net
In-Reply-To: Your message of "Mon, 13 Apr 1998 17:55:49 -0700 (PDT)"
	<199804140055.RAA01864@servo.qualcomm.com>
Date: Thu, 30 Apr 1998 11:17:09 +0200
From: Harald Hanche-Olsen <hanche@math.ntnu.no>

- Phil Karn <karn@qualcomm.com>:

| >> The SDA cautions that no practical over-the-air attack is known
| >> yet but that one should not be ruled out.
| 
| 
| >Ok, so which is it?
| 
| The latter. I am not intimately familiar with the details of GSM
| over-the-air authentication, but I suspect it is indeed possible to
| conduct this attack over the air. The bottleneck is apparently the
| SIM card, so it wouldn't take much longer to do it over the air. But
| I'll defer to the experts who actually worked on the problem.

One problem with over-the-air attacks on a GSM phone suddenly occurred
to me:  Remember that the output of COMP128 is 96 bits, 32 of which
are called SRES (output of A3 algorithm) and 54 of which are called Kc
(output of A8 algorithm, after 10 zero bits are appended) and 10 of
which are thrown away (to make an attack on A5 easier?)

Now, only SRES is transmitted over the air back to the base station.
Kc, being the key used for A5 to encrypt the communication channel, is
obviously not transmitted.

Presumably, only getting 32 bits of the COMP128 output per round must
increase the difficulty of the cracking attempt, thereby requiring
more challenge-response pairs to make up for this.

Does anybody in the know care to comment?

- Harald
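The split of the 96-bit COMP128 output that the message describes (32 bits of SRES sent over the air, 54 bits of Kc kept on the SIM and padded with 10 zero bits to a 64-bit A5 key, 10 bits discarded), written out as a small Python helper. This is an added illustration, not code from the message or from any GSM implementation; the bit ordering (SRES first, then Kc, then the discarded bits) is an assumption for illustration, and the sample output bytes are constructed, not produced by the real algorithm.

```python
# Added example: bit layout of a COMP128-style 96-bit output as described in the
# message above. The ordering SRES | Kc | discarded is an assumption made for
# illustration; the real SIM code derives these fields by nibble interleaving.

SRES_BITS = 32       # sent back to the base station in the clear
KC_BITS = 54         # effective A5 key material, never transmitted
KC_PAD_BITS = 10     # zero bits appended to Kc to reach 64 bits
DISCARD_BITS = 10    # output bits that are simply thrown away
OUTPUT_BITS = SRES_BITS + KC_BITS + DISCARD_BITS  # 96


def split_output(output: bytes) -> dict:
    """Split a 12-byte (96-bit) value into SRES, the padded 64-bit Kc, and the discarded bits."""
    if len(output) * 8 != OUTPUT_BITS:
        raise ValueError(f"expected {OUTPUT_BITS // 8} bytes, got {len(output)}")
    v = int.from_bytes(output, "big")
    sres = v >> (KC_BITS + DISCARD_BITS)
    kc54 = (v >> DISCARD_BITS) & ((1 << KC_BITS) - 1)
    discarded = v & ((1 << DISCARD_BITS) - 1)
    # Kc as used by A5: 54 real bits followed by 10 zero bits -> 64 bits
    kc64 = kc54 << KC_PAD_BITS
    return {
        "sres": sres.to_bytes(SRES_BITS // 8, "big"),
        "kc": kc64.to_bytes((KC_BITS + KC_PAD_BITS) // 8, "big"),
        "discarded": discarded,
    }


def observable_bits_per_challenge() -> int:
    """Bits of COMP128 output an over-the-air observer sees per challenge (SRES only)."""
    return SRES_BITS


def hidden_bits_per_challenge() -> int:
    """Output bits that stay inside the SIM or are dropped, per challenge."""
    return OUTPUT_BITS - SRES_BITS


def effective_kc_bits() -> int:
    """Entropy actually available to A5 once the 10 padding zeros are accounted for."""
    return KC_BITS


if __name__ == "__main__":
    # Constructed sample: 12 arbitrary bytes standing in for a COMP128 output.
    sample = bytes.fromhex("0123456789abcdef00112233")
    parts = split_output(sample)
    print("SRES (over the air):", parts["sres"].hex())
    print("Kc (64-bit, low 10 bits zero):", parts["kc"].hex())
    print("discarded bits:", parts["discarded"])
    print("observable per challenge:", observable_bits_per_challenge(), "of", OUTPUT_BITS)
```

The point the helper makes concrete is the one raised in the message: of the 96 output bits produced per challenge, only the 32 SRES bits are visible on the air interface, so an over-the-air observer learns a third of what a direct SIM query returns, and the A5 key itself carries 54 bits of entropy rather than 64.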