[Help] Is anyone familiar with the vulnerabilities in GSM's A5.1 or A5.2 algorithms? Please leave a message, I have something to discuss...
2009-12-18 15:05 16818

Latest replies (17)
rockinuk 8 2009-12-18 17:51
2
0
Are GSM Mobile Phones Insecure?
Researchers claim to decrypt messages from the world's most popular mobile phones.
Ann Harrison, Computerworld online

source from http://www.pcworld.com/article/14318/are_gsm_mobile_phones_insecure.html
rockinuk 8 2009-12-18 17:56
3
0
HAR2009 - Cracking A5 GSM Encryption

Lecture explaining the weaknesses in A5 GSM encryption and methods for exploitation of those weaknesses.

source from http://www.scribd.com/doc/18668509/HAR2009-Cracking-A5-GSM-Encryption
rockinuk 8 2009-12-18 18:09
4
0
Creating A5/1 Rainbow Tables
The Time/Memory Trade-off framework is still in its early stage of development. It was started in early 2009 and it has now reached its basic architectural stability.

The attack on A5/1 is a reimplementation of the THC work, which was done in early 2008.

For more detail, please see source at http://reflextor.com/trac/a51
rockinuk 8 2009-12-18 18:17
5
0
This talk titled "Cracking A5 GSM encryption" was given by Karsten at Hacking at Random (HAR) 2009.

The A5/1 algorithm is one of the ciphers used in GSM networks. It is used to encrypt both voice and signaling data. In the GSM network, A5/1 is applied both in the handset and the BTS on the corner of the network. The first phase of communication including radio resource allocation and authentication is unencrypted. Dialing and voice is encrypted. The attack on the A5/1 demoed at HAR 2009 is a reimplementation of the attack by THC, which was done in early 2008. Their approach differs slightly, as they use more common hardware to generate the tables, namely graphics cards with GPGPU capability and attempt to build a distributed infrastructure of nodes where each node donates both a small portion of diskspace for a part of the table and some kind of fast hardware for the generation of and lookup in its own table. They also took this project as a motivation to design and code a general purpose TMTO library. The attack itself is still the same and we owe THC much for their pioneering work. Also take a look at http://airprobe.org for information and software on the sniffing of GSM data. You can download the presentation here. The project page can be visited here.

Speaker Bio: Karsten is a security researcher and hardware hacker. Karsten's academic research deals with privacy protection, while his hacking projects focus on cryptographic hardware. In the past year, Karsten presented on smart-card security and embedded cryptography at 25C3, USENIX Security, BlackHat, CanSecWest, Toorcon, and the HOPE conference.

source from http://securitytube.net/Cracking-A5-GSM-encryption-(HAR-2009)-video.aspx
Uploaded attachments:
greycat 2009-12-28 09:28
6
0
Thanks to moderator rockinuk for the quick response.
Let me digest this first...
rockinuk 8 2009-12-30 10:22
7
0
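German engineer: GSM encryption cracked, code book already released
Posted by blue on Tuesday, 12/29/2009 - 11:22:

According to foreign media reports, a German computer engineer announced on Monday that he has cracked the GSM encryption algorithm.

The 28-year-old German engineer, Karsten Nohl, did this in order to uncover security vulnerabilities in the Global System for Mobile Communications. The GSM algorithm is 21 years old and is used in 80% of the world's mobile phones.

28-year-old German engineer Karsten Nohl

Nohl announced the result at the Chaos Communication Congress in Berlin, Germany. He said that the 24 people who took part in the project worked independently to reconstruct the code book for the GSM encryption algorithm, which amounts to 2 TB of data. Nohl first announced his intention to crack the GSM algorithm in August of this year.

The GSM Association said that Nohl's actions are illegal in both the United States and the United Kingdom. It also considers it unlikely that Nohl has really cracked the GSM algorithm.

Nohl said that the code book can already be downloaded via BitTorrent.

The GSM algorithm is an A5/1 algorithm, which uses a 64-bit binary code; compared with the 128-bit binary code used in 3G networks, it is somewhat outdated. A replacement for A5/1, A5/3, has already been developed, but most network operators have not yet adopted it. To speed up the search for vulnerabilities, Nohl also used the free A5/1 rainbow table tool he had developed earlier.

Nohl holds a PhD in computer engineering from the University of Virginia in the United States. Earlier this year, he discovered a security flaw in the encryption algorithm for cordless phones, which prompted the standards body DECT Forum to improve the algorithm. Nohl has previously also researched the security of RFID systems.

There are currently about 4.3 billion wireless devices worldwide, of which 3.5 billion use GSM. In North America, about 299 million users use this technology.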

Source from http://www.itis.tw/node/3475
greycat 2009-12-31 10:41
8
0
I'm fainting, 2 TB for starters
madsys 2009-12-31 12:35
9
0
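Nohl does not seem to have found a new vulnerability in A5/1; he is just using rainbow tables to speed up the cracking. In 2008 someone had already produced complete A5/1 rainbow tables, but did not publish them. Before that I had seen some articles on breaking this algorithm, but there was never any actual code.

The 2 TB follows from the parameters they chose, because they require the actual cracking to reach a certain speed. If you want to reduce the space used, you set the creation parameters according to your needs, but with longer chains the cracking speed also drops; these parameters constrain one another.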
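The coupling between stored table size, chain length and lookup speed described in the post above can be seen at toy scale. This is an added example, not code from the thread or from the A5/1 table project; the 16-bit state space and the truncated SHA-256 stand-in for the cipher are assumptions chosen so that it runs in seconds.

```python
import hashlib

N = 1 << 16   # toy state space (assumption); A5/1 in the thread has a 64-bit key

def f(x):
    """Toy one-way function standing in for the cipher (assumption, not A5/1)."""
    return int.from_bytes(hashlib.sha256(x.to_bytes(2, "big")).digest()[:2], "big")

def step(x, col):
    return (f(x) + col) % N   # chain link: one-way function + per-column reduction

def build_table(n_chains, chain_len):
    """Keep only endpoint -> start; interior points are recomputed at lookup."""
    table = {}
    for start in range(n_chains):
        x = start
        for col in range(chain_len):
            x = step(x, col)
        table[x] = start
    return table

def lookup(table, chain_len, y):
    """Search for x with f(x) == y; return (x or None, f evaluations spent)."""
    work = 0
    for col in range(chain_len - 1, -1, -1):   # guess the column y came from
        x = (y + col) % N
        for c in range(col + 1, chain_len):    # walk on to the chain end
            x = step(x, c)
            work += 1
        if x not in table:
            continue
        x = table[x]                           # rebuild the chain from its start
        for c in range(col):
            x = step(x, c)
            work += 1
        work += 1
        if f(x) == y:                          # rejects false alarms from merges
            return x, work
    return None, work

def measure(n_chains, chain_len):
    """Return (stored entries, hit rate, mean f evaluations per lookup)."""
    table = build_table(n_chains, chain_len)
    results = [lookup(table, chain_len, f(x)) for x in range(0, N, 1024)]
    hits = sum(r[0] is not None for r in results)
    return len(table), hits / len(results), sum(r[1] for r in results) / len(results)

if __name__ == "__main__":
    print(measure(4096, 16), measure(512, 128))   # same m*t, longer chains
```

Both configurations compute the same number of chain links when the table is built, but the one with longer chains stores far fewer endpoints and spends many more evaluations per lookup.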
rockinuk 8 2010-1-4 18:46
10
0
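Author: 吳依恂, 01/04/2010
In the last few days of 2009, news broke that the Global System for Mobile Communications (GSM) had been cracked. German engineer Karsten Nohl presented the GSM cracking material at the Chaos Communication Congress, and about 80% of the world's mobile phones use this encryption algorithm.
A mobile phone security expert pointed out that the GSM algorithm A5/1 had in fact already been cracked some years ago, but the method required simulating a base station, similar to "overriding" a broadcast signal. He noted that this approach requires purchasing high-cost equipment to make the phone mistake the simulated base station for a real one, so that calls can be intercepted; alternatively, when the user's phone is in 3G mode, the attacker can emit a signal that interferes with 3G reception, and the phone will automatically switch to 2G mode and connect to the fake base station. In the past this method was rarely used because of its higher cost. The significance of what Nohl has now published is that cracking can from now on be done at low cost, without a man-in-the-middle attack. In fact, in order to keep supporting users of 2G phones, telecom operators cannot abolish the old 2G system; they have to consider the needs of the large base of existing users, and 2G also has the advantage of low power consumption, able to sustain calls for many days. And sometimes, in response to emergencies such as a kidnapping, prosecutors and investigators may need to monitor the perpetrators' calls, and will also use similar GSM cracking techniques.

To protect phone privacy, the mobile security expert suggests that users set their phones to "3G only" mode; most 3G phones support this setting, so that the phone will not automatically switch to 2G mode when 3G reception is poor. However, he also cautions that the currently very popular iPhone 3G(S) does not offer this by default; to give the iPhone this capability, one has to jailbreak (JB) it and then install software, and ordinary users who install it mostly do so because they want a stable system frequency. However, once you do this, in places where the 3G signal is weak or only 2G is available, the iPhone instantly turns into an iPod. Security and convenience usually cannot both be had, and users can only weigh for themselves how to use it!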

Source from http://www.informationsecurity.com.tw/article/article_detail.aspx?aid=5542
Rinrin 1 2010-1-9 18:48
11
0
26C3 documents
Uploaded attachments:
madsys 2010-1-11 16:41
12
0
This post was deleted by its author.
rockinuk 8 2010-1-28 23:54
13
0
29 December 2009. GSM A5 Files Published on Cryptome

27 April 2000. Thanks to Adi Shamir.

--------------------------------------------------------------------------------

This paper was presented at the Fast Software Encryption Workshop 2000, April 10-12, 2000, New York City. It supersedes an earlier version, "Real Time Cryptanalysis of the Alleged A5/1 on a PC (preliminary draft)," by Alex Biryukov and Adi Shamir, dated December 9, 1999.

Original 18-page paper: http://cryptome.org/a5.ps (Postscript, 297K)

Zipped Postscript: http://cryptome.org/a5.zip (104K)

Real Time Cryptanalysis of A5/1 on a PC

Alex Biryukov * Adi Shamir ** David Wagner ***

Abstract. A5/1 is the strong version of the encryption algorithm used by about 130 million GSM customers in Europe to protect the over-the-air privacy of their cellular voice and data communication. The best published attacks against it require between 2^40 and 2^45 steps. This level of security makes it vulnerable to hardware-based attacks by large organizations, but not to software-based attacks on multiple targets by hackers.
In this paper we describe new attacks on A5/1, which are based on subtle flaws in the tap structure of the registers, their noninvertible clocking mechanism, and their frequent resets. After a 2^48 parallelizable data preparation stage (which has to be carried out only once), the actual attacks can be carried out in real time on a single PC.

The first attack requires the output of the A5/1 algorithm during the first two minutes of the conversation, and computes the key in about one second. The second attack requires the output of the A5/1 algorithm during about two seconds of the conversation, and computes the key in several minutes. The two attacks are related, but use different types of time-memory tradeoff. The attacks were verified with actual implementations, except for the preprocessing stage which was extensively sampled rather than completely executed.

REMARK: We based our attack on the version of the algorithm which was derived by reverse engineering an actual GSM telephone and published at http://www.scard.org. We would like to thank the GSM organization for graciously confirming to us the correctness of this unofficial description. In addition, we would like to stress that this paper considers the narrow issue of the cryptographic strength of A5/1, and not the broader issue of the practical security of fielded GSM systems, about which we make no claims.

* Computer Science department, The Weizmann Institute, Rehovot 76100, Israel.
** Computer Science department, The Weizmann Institute, Rehovot 76100, Israel.
*** Computer Science department, University of California, Berkeley CA 94720, USA.

--------------------------------------------------------------------------------

1 Introduction
The over-the-air privacy of GSM telephone conversations is protected by the A5 stream cipher. This algorithm has two main variants: The stronger A5/1 version is used by about 130 million customers in Europe, while the weaker A5/2 version is used by another 100 million customers in other markets. The approximate design of A5/1 was leaked in 1994, and the exact design of both A5/1 and A5/2 was reverse engineered by Briceno from an actual GSM telephone in 1999 (see [3]).

In this paper we develop two new cryptanalytic attacks on A5/1, in which a single PC can extract the conversation key in real time from a small amount of generated output. The attacks are related, but each one of them optimizes a different parameter: The first attack (called the biased birthday attack) requires two minutes of data and one second of processing time, whereas the second attack (called the random subgraph attack) requires two seconds of data and several minutes of processing time. There are many possible choices of tradeoff parameters in these attacks, and three of them are summarized in Table 1.

Source from http://cryptome.org/a51-bsw.htm
greycat 2010-4-15 09:33
14
0
It's too hard to get started with :(
madsys 2010-4-15 15:31
15
0
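For historical reasons, the GSM algorithms used in different cities in China are not the same. For example, Beijing uses A5/0, i.e. no encryption.
Other cities use A5/2 or A5/1 (very rare).
Few people in China research this: first, the research is not made public; second, those who want to eavesdrop do not need to do such complicated decryption work in order to eavesdrop.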
madsys 2010-4-15 15:36
16
0
Does anyone know which algorithm GSM in Taiwan uses?
shinechou 2010-4-15 16:39
17
0
I really didn't know A5/1 was used anywhere in China!
stinby 2013-8-7 09:39
18
0
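For this you'd have to buy an expensive set of USRP hardware transceiver equipment, right??? Is there any possibility of using an ordinary mobile phone directly as the hardware platform???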