Cryptography Reference
• The need for fast real-time encryption means that an algorithm designed
explicitly to run on the hardware of a mobile phone will probably perform
better than an 'off-the-shelf' algorithm.
The fundamental component involved in GSM security is the Subscriber
Identification Module (SIM) card, which is a smart card (see Section 8.3.3) that
is inserted into the mobile phone of the user. This SIM card contains all the
information that distinguishes one user account from another. As a result, a
user can potentially change phone equipment simply by removing the SIM and
inserting it into a new phone. The SIM contains two particularly important pieces
of information:
1. the International Mobile Subscriber Identity (IMSI), which is a unique number
that maps a user to a particular phone number;
2. a unique 128-bit cryptographic key K_i, which is randomly generated by the
mobile operator.
These two pieces of data are inserted onto the SIM card by the mobile operator
before the SIM card is issued to the user. The key K_i forms the basis for all
the cryptographic services relating to the user. The SIM card also contains
implementations of some of the cryptographic algorithms required to deliver
these services.
GSM AUTHENTICATION
Entity authentication of the user in GSM is provided using a challenge-response
protocol, in a similar way to the dynamic password schemes that we discussed
in Section 8.5. This is implemented as part of an AKE protocol, which also
generates a key K_c for subsequent data encryption. GSM does not dictate which
cryptographic algorithms should be used as part of this AKE protocol, but it does
suggest one candidate algorithm and defines the way in which algorithms should
be used.
As indicated in Figure 12.7, an algorithm A3 is used in the challenge-response
protocol and an algorithm A8 is used to generate the encryption key K_c. Both
of these algorithms can be individually selected by the mobile operator and are
implemented on the SIM and in the operator's network. Both A3 and A8 can be
loosely considered as types of key derivation function, since their main purpose
is to use K_i to generate pseudorandom values.
In the following we use the notation A3_K(data) to denote the result of
computing algorithm A3 on the input data using key K (the notation A8_K(data)
should be similarly interpreted). If Alice (a mobile) is able to directly authenticate
to Bob (the authentication centre of a mobile operator) then the GSM AKE
protocol is as follows:
1. Alice sends an authentication request to Bob.
2. Bob generates a random 128-bit challenge number RAND and
sends it to Alice.
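
The roles of A3 and A8 described above, shown from both sides of the exchange, as an added example that is not code from the original text. Assumptions: HMAC-SHA-256 stands in for the operator-chosen A3 and A8, the 32-bit response and 64-bit K_c are the sizes GSM specifies (not stated on this page), and the class names, IMSI and key values are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: GSM lets each operator choose A3 and A8. HMAC-SHA-256 with
# distinct labels is a stand-in here, not an algorithm used on real SIMs.
def a3(k: bytes, rand: bytes) -> bytes:
    """A3_K(RAND): challenge response, truncated to 32 bits."""
    return hmac.new(k, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8(k: bytes, rand: bytes) -> bytes:
    """A8_K(RAND): encryption key K_c, truncated to 64 bits."""
    return hmac.new(k, b"A8" + rand, hashlib.sha256).digest()[:8]

class Sim:
    """Alice: holds the IMSI and K_i. K_i itself is never transmitted."""
    def __init__(self, imsi: str, k_i: bytes):
        self.imsi, self._k_i = imsi, k_i

    def respond(self, rand: bytes):
        # Both values are derived from the same K_i and the same RAND.
        return a3(self._k_i, rand), a8(self._k_i, rand)

class AuthCentre:
    """Bob: the operator's authentication centre, storing K_i per IMSI."""
    def __init__(self, subscribers: dict):
        self._subscribers = subscribers

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)  # fresh 128-bit RAND per attempt

    def verify(self, imsi: str, rand: bytes, response: bytes):
        """Return K_c if the response matches A3_{K_i}(RAND), else None."""
        k_i = self._subscribers.get(imsi)
        if k_i is None:
            return None
        # Constant-time comparison avoids leaking how many bytes matched.
        if not hmac.compare_digest(a3(k_i, rand), response):
            return None
        return a8(k_i, rand)

def run_exchange(sim: Sim, centre: AuthCentre) -> bool:
    """True if the SIM authenticates and both sides hold the same K_c."""
    rand = centre.challenge()
    response, k_c_sim = sim.respond(rand)
    k_c_net = centre.verify(sim.imsi, rand, response)
    return k_c_net is not None and k_c_net == k_c_sim

IMSI = "001010123456789"   # constructed sample value
K_I = bytes(range(16))     # constructed 128-bit sample key
```
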
 