Cryptography Reference
In-Depth Information
6.1.3 Key Management and Authentication in GSM Networks
Another example of encrypted data communication that uses session keys, but
doesn't use an asymmetric method, are the cell phone networks based on the
GSM standard (D1, D2, and E-Plus in Germany) mentioned in Section 5.7.2.
You already know the A5 ciphering method — but how are keys agreed upon?
Each GSM handset uses a SIM card that contains a chip. This chip stores
a fixed serial number and a secret number,
Ki
. This number can presumably
not be read, but remember what was said in Section 4.4.5, and consider the
remarkable article by Anderson and Kuhn [AndKuhn.tamp] on the security of
tamperproof chips.
Furthermore, the chip implements two algorithms, A3 and A8. The GSM
standard does not specify these algorithms. The network providers keep them
secret, and they build them into their chips and into the computers of their net-
works themselves. A3 serves for authentication, A8 serves for key distribution.
The method works as follows.
Secret number
Ki
is also stored in the network provider's computers. When a
subscriber initiates a call, the chip on the SIM card sends its serial number.
This identifies the subscriber. The network looks up the corresponding secret
number,
Ki
, and sends a random number,
SRAND
, to the subscriber. The chip
on the SIM card uses A3 to compute a 32-bit response,
SRES
, from
SRAND
and
Ki
, and returns it to the base station. Since the base station also knows
Ki
, A3, and
SRAND
, it can compute
SRES
itself. The computer in the base
station compares the value computed with the value received. If the two values
match, then the call is admitted. This prevents unauthorized use of the network
at somebody else's cost.
Furthermore, both the SIM chip in the handset and the computer in the base
station compute a 64-bit session key,
Kc
, from the
Ki
and
SRAND
values,
using the A8 algorithm. However, this key
Kc
is used by both parties for A5
encryption and decryption only; it is
not
transmitted. Thanks to the previous
authentication by means of
SRES
, the two parties can be sure to be using the
same key,
Kc
.
GSM networks in other countries could use different A3 and A8 algorithms,
while subscribers can still use their cell phones. The reason is that the other
country's GSM network recognizes that a phone is not registered with it, and