Cryptography Reference
Somebody with the requisite knowledge and lack of morals can still get hold
of the super-PIN as things stand currently, but I am convinced that this way
will have been barred by the time this topic goes to print. (As a sideline, some
cell phones in rental cars have no PIN — for how much longer?)
Finally, I should mention that Mannesmann was the only D2 provider who
used the COMP128 algorithm unchanged; D1 and E-Plus used variants. But
we know that this won't be a security edge for long, because these variants
will also be compromised one day.
Incomparably more dangerous would be an 'air raid' on the SIM card. This
attack forces an unsuspecting user's cell phone to constantly authenticate itself
while it is switched on. Network providers have denied this vulnerability, and
meanwhile people are careful about such allegations.
Another way to reveal the secret, Ki, is to compromise the computer in a base
station. However, this would probably not remain unnoticed. Network providers
surely have taken appropriate precautions.
Together with the considerable technical problems involved in eavesdropping
on GSM mobile communications, the system is still moderately secure, based
on current knowledge. Nevertheless, network providers have underestimated
and obviously even ignored the threats described above. Only very few of
them have responded to the attacks discovered so far. There were more details
at www.research.att.com/ janos/3gpp.html, but this Web site is no
longer accessible. This is why I put the text version in txt/gsm/3gpp.txt on the
Web site to this topic.
Conclusions and One 'Side Effect'
Let's briefly return to the attack described above. It exploited an obvious and
presumably unintended vulnerability of the COMP128 algorithm. A public study
of the method would have found this vulnerability immediately — it took
Goldberg and Wagner only one day! With a uniform, but cleanly designed and
thoroughly analyzed algorithm, we could probably still make secure phone calls.
Unfortunately, all GSM users, currently more than one billion worldwide, are
potentially at risk (though there is currently little reason to worry). Modifying
the algorithms would be extremely expensive. There is probably no better way to
show you how little mystery-mongering in designing algorithms helps security.
The real sting got lost in the media hype. It 'incidentally' turned out that the
64-bit A5 key, Kc, is only 54 bits long; the ten remaining bits are always zero.
This means that a brute-force attack would be faster by a factor of 1000. In
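The shortened Kc described above is the kind of defect a simple audit of derived keys exposes. The following is an added example, not code from the original text: it finds bit positions that never change across a set of session keys and reports the effective key length and the resulting brute-force speedup (2^10 = 1024, which the text rounds to 1000). The sample keys are constructed, and placing the ten zero bits at the low end is an assumption, since the text does not say which bits are zero.

```python
import hashlib

KEY_BITS = 64  # nominal length of the A5 session key Kc, as given in the text


def constant_bits(keys, width=KEY_BITS):
    """Return (zero_mask, one_mask): positions that are 0 (or 1) in every key."""
    if not keys:
        raise ValueError("need at least one key sample")
    full = (1 << width) - 1
    seen_one, always_one = 0, full
    for k in keys:
        seen_one |= k      # a bit set here was 1 in at least one key
        always_one &= k    # a bit still set here was 1 in every key
    return full & ~seen_one, always_one


def audit(keys, width=KEY_BITS):
    """Report fixed bits, effective key length and brute-force speedup."""
    zero_mask, one_mask = constant_bits(keys, width)
    fixed = bin(zero_mask | one_mask).count("1")
    return {
        "fixed_bits": fixed,
        "effective_bits": width - fixed,
        "speedup": 2 ** fixed,
        "zero_mask": zero_mask,
        # Bits of a truly random key expected to look constant by chance
        # over this many samples; should be far below 1 before trusting
        # the result.
        "expected_chance_fixed_bits": width * 2.0 ** (1 - len(keys)),
    }


def constructed_samples(n, zeroed=10):
    """Constructed test data, not captured keys: pseudo-random 64-bit values
    with the low `zeroed` bits cleared (bit positions are an assumption)."""
    keys = []
    for i in range(n):
        digest = hashlib.sha256(b"sample-%d" % i).digest()
        keys.append(int.from_bytes(digest[:8], "big") & ~((1 << zeroed) - 1))
    return keys


if __name__ == "__main__":
    print(audit(constructed_samples(32)))
```

With a single sample every bit looks fixed, so expected_chance_fixed_bits should be checked before reading anything into the result.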