GSM Security
3.4 GSM Cryptographic Algorithms
As explained in this chapter, the SIM runs an authentication protocol based on the per-manent key Ki and also derives a 64-bit temporary key Kc. This latter key is used in the radio interface encryption between the mobile terminal and the base station. The associated cryptographic algorithms are called A3 (subscriber authentication), A8 (key generation) and A5 (radio encryption).
The GSM system is modular in the sense that it is possible to replace any algorithm by another, probably more modern, algorithm without affecting the rest of the security system, as long as the algorithms share the same input–output structure. Therefore, the symbols A3, A8 and A5 rather refer to families of algorithms than to individual algorithms. The internal structures of the algorithms in a family may be totally different.
For the radio interface encryption, three different stream ciphers A5/1, A5/2 and A5/3 have been standardized so far for 64-bit keys. In addition, the term A5/0 is used for the case where no encryption is applied. In Release 9 of the 3GPP specifications, there is also a variant A5/4 that uses 128-bit keys [TS55.226]. The introduction of A5/4 into the system is more cumbersome than the introduction of a new 64-bit key variant because changing the length of temporary keys affects all the interfaces in the system that carry these keys. Additionally, there is an impact on storing these keys. In the roaming case, the key travels from the home network AuC first to the visited network, then inside the visited network from the core network to the radio access network and, finally, inside the radio access network, into the base station. Thus, a large number of interfaces and network elements are affected by a change of the key length.
There exists a very efficient attack against the A5/2 algorithm [Barkanet al. 2003]. This attack also constitutes a threat to the other algorithms because the key generation in GSM is agnostic to the algorithm. This means an active attacker could try to fool the user to start
GSM Security 35
A5/2 ciphering with the same key that is valid with another A5 algorithm from the point of view of the genuine network. As a countermeasure, 3GPP and the GSM Association (GSMA) launched a process that removed A5/2 completely from mobile terminals.
The situation is even more fragmented for the algorithms A3 and A8. This is a consequence of the fact that these algorithms need not be standardized. The algorithms A3 and A8 are executed in two places, in the SIM card on the user side, and in the AuC on the network side. Because the same operator controls both the SIM and the AuC, it is possible for mobile network operators to use their own proprietary algorithms. On the other hand, 3GPP has created, as an example, public algorithm specifications for A3 and A8 [TS55.205].
The history behind the A5 algorithms reflects general developments of mass-market use of cryptography. At the time when GSM was created, there were strict controls on the export of any products that contained cryptography. These types of restriction were in use for most countries, including the European countries that were heavily involved in the specification work of GSM inside the European Telecommunications Standards Institute (ETSI). Cryptography was included in the list of dual-use goods and was basically com-parable to items like guns. Similar to many other technologies, cryptographic protocols can also be useful for somebody with malicious intentions.
When the algorithm A5/1 was designed, one obvious requirement was that it had to comply with the export restrictions to the countries in the target market. At that time the target market was mainly seen as Europe, at least in the early phases of the technology.
As the success of GSM soon became obvious, it turned out that another weaker algo-rithm was needed in order to get global export licences for GSM terminals and network equipment. The algorithm A5/2 was designed for that purpose. At the end of the 1990s, export restrictions were harmonized between many countries and a multilateral export control regime was created under the name of ‘Wassenaar arrangement’ [Wassenaar]. At the end of 2011, 41 countries had endorsed the arrangement, including Australia, Rus-sia, Korea, Japan, the United States and many European countries. In many ways, the creation of the Wassenaar arrangement also meant less strict controls. For example, mass-market products like mobile phones were essentially exempted from obtaining export licences.
The Universal Mobile Telecommunications System (UMTS) cryptographic algorithms were designed after liberalization of export control restrictions. Therefore, it was possi-ble to introduce the 128-bit key encryption algorithm UEA1 based on the block cipher KASUMI [TS35.202]. The algorithm A5/3 was created as a 64-bit key adaptation of UEA1 [TS55.216]. Please note that the 3GPP Release 11 version of this specification essentially contains only a pointer to an ETSI web site where the full specification is available under the same specification number but a different version number. This kind of arrangement is quite common for cryptographic algorithms in the cellular domain and not only restricted to GSM. Some algorithms are available at a GSMA site, whereas 3GPP provides just a pointer. These indirect arrangements are needed because export control restrictions apply also to specifications, and it may take time to get the export licence.
The specifications of A5/1 and A5/2 are kept confidential and are provided only to parties who need to know them for implementation or deployment purposes. However, both algorithms need to be implemented in all GSM terminals (although not anymore for A5/2) and therefore reverse engineering of the algorithms was naturally feasible. There
are many cryptanalytic results also against A5/1, and certain time–memory trade-offs are possible. A successful campaign has been run to collect the vast amount of data that is needed for breaking A5/1; see [Nohl and Paget 2011] for the principles of the attack.
When the auxiliary data is in use, it is possible to run the full break of A5/1 in a stand-alone PC. This is a known plaintext attack and, as is often the case, the signalling provides the best source for known plaintext.
While the longer-term strategy of 3GPP is to move from A5/1 to A5/3 and A5/4, also a shorter-term protection against acquiring known plaintext has been introduced. This is done by randomizing bits in signalling messages in such places where the randomization does not significantly complicate handling of these messages.
The KASUMI algorithm and UEA1 have been publicly available from the beginning of 3G and there are also cryptanalytic results against them. An efficient attack on stand-alone KASUMI has been found in a ‘related key’ and ‘chosen plaintext’ setting [Dunkelmann et al. 2010] (see Section 2.3.6 for a discussion of cryptanalytic attack scenarios). This theoretical attack gives valuable cryptanalytic information about KASUMI, but the related key scenario does not apply to A5/3 as used in the GSM.
As explained in Section 3.3.3, the most notable difference between GPRS security and the original GSM security is the following: the A5 encryption algorithm that resides in the physical layer is replaced by the GEA and encryption is moved to the LLC layer of the radio network. So far, three different stream ciphers, GEA1, GEA2 and GEA3, have been standardized for 64-bit keys, the last one being the only one with specifications publicly available [TS55.216]. The GEA3 algorithm uses the same KASUMI-based key stream generator as UEA1, and is therefore very similar to A5/3. Similarly to A5/4, starting from Release 9 there is also the GEA4 algorithm that uses 128-bit keys [TS55.226].
Reverse engineering efforts have occurred for GEA1 and GEA2 algorithms, similarly as for A5 algorithms. Based on these efforts, cryptanalysis has been possible and progress has been made, as reported in [Nohl and Menette 2011]. This has led 3GPP to consider removing GEA1 completely from the system, in a manner similar to what was done for A5/2. The longer-term strategy of 3GPP is to move towards GEA3 and GEA4.