[2625] in cryptography@c2.net mail archive
Re: TIME Magazine on GSM cell phone crack
daemon@ATHENA.MIT.EDU (Ian Goldberg)
Sat May 2 18:56:28 1998
To: cryptography@c2.net
From: iang@cs.berkeley.edu (Ian Goldberg)
Date: 2 May 1998 20:48:25 GMT
In article <19980430111709D.hanche@math.ntnu.no>,
Harald Hanche-Olsen <hanche@math.ntnu.no> wrote:
>- Phil Karn <karn@qualcomm.com>:
>
>| >> The SDA cautions that no practical over-the-air attack is known
>| >> yet but that one should not be ruled out.
>|
>|
>| >Ok, so which is it?
>|
>| The latter. I am not intimately familiar with the details of GSM
>| over-the-air authentication, but I suspect it is indeed possible to
>| conduct this attack over the air. The bottleneck is apparently the
>| SIM card, so it wouldn't take much longer to do it over the air. But
>| I'll defer to the experts who actually worked on the problem.
>
>One problem with over-the-air attacks on a GSM phone suddenly occurred
>to me: Remember that the output of COMP128 is 96 bits, 32 of which
>are called SRES (output of A3 algorithm) and 54 of which are called Kc
>(output of A8 algorithm, after 10 zero bits are appended) and 10 of
>which are thrown away (to make an attack on A5 easier?)
>
>Now, only SRES is transmitted over the air back to the base station.
>Kc, being the key used for A5 to encrypt the communication channel, is
>obviously not transmitted.
>
>Presumably, only getting 32 bits of the COMP128 output per round must
>increase the difficulty of the cracking attempt, thereby requiring
>more challenge-response pairs to make up for this.
Nope. In fact, we took this into account when designing the attack.
It is extremely rare that the first 32 bits of the COMP128 output
of two different inputs will match, but the whole output will not.
- Ian
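
The relationship between 32-bit SRES matches and full-output matches, shown on a toy model. This is an added example, not part of the original message and not COMP128. It assumes that collisions come from a narrow internal state that the whole 96-bit output is derived from; `toy_auth`, `PIPE_BITS`, the key and the challenges are all constructed for illustration.

```python
import hashlib
from collections import defaultdict
from itertools import combinations

PIPE_BITS = 12                 # assumed width of the toy bottleneck, not a COMP128 parameter
KEY = bytes(range(16))         # constructed 128-bit key
CHALLENGES = [i.to_bytes(16, "big") for i in range(600)]  # constructed RAND values


def toy_auth(key: bytes, rand: bytes, pipe_bits: int) -> bytes:
    """Toy keyed function: 96-bit output computed from an internal state of pipe_bits bits."""
    inner = int.from_bytes(hashlib.sha256(b"in" + key + rand).digest(), "big")
    state = inner & ((1 << pipe_bits) - 1)          # the internal bottleneck
    outer = hashlib.sha256(b"out" + key + state.to_bytes(32, "big")).digest()
    return outer[:12]                               # 96 bits; the first 32 play the role of SRES


def count_collisions(key: bytes, challenges, pipe_bits: int):
    """Return (full, sres_only): pairs whose whole output matches, and pairs
    whose first 32 bits match while the remaining 64 bits differ."""
    groups = defaultdict(list)
    for rand in challenges:
        out = toy_auth(key, rand, pipe_bits)
        groups[out[:4]].append(out)                 # bucket by the 32 bits an observer sees
    full = sres_only = 0
    for outs in groups.values():
        for a, b in combinations(outs, 2):
            if a == b:
                full += 1
            else:
                sres_only += 1
    return full, sres_only


if __name__ == "__main__":
    # Narrow state: many SRES matches, every one of them a match of the whole output.
    print("narrow pipe:", count_collisions(KEY, CHALLENGES, PIPE_BITS))
    # No bottleneck: 600 challenges are far too few for a chance 32-bit match.
    print("wide state: ", count_collisions(KEY, CHALLENGES, 256))
```

In this model, truncating the response to 32 bits hides nothing about internal collisions: a chance match on 32 bits alone needs on the order of 2^32 pairs, while the 600 challenges here give fewer than 2^18.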