A5/1- ENCRYPTION ALGORITHM

A PROJECT REPORT

Submitted by:

ABHINAV KR SINGH
NITIN KUMAR

in partial fulfillment for the award of the degree

of

BACHELOR OF TECHNOLOGY

in

ELECTRONICS AND COMMUNICATION ENGINEERING

SHOBHIT UNIVERSITY::MEERUT 250 001

DEC 2010

1
 BONAFIDE CERTIFICATE

Certified that this project report “A5/1-ENCRYPTION ALGORITHM” is the bonafide

work of “ABHINAV KU SINGH & NITIN KUMAR” who carried out the project work

under my supervision.

SIGNATURE SIGNATURE

Mr. SANJAY SHARMA Mr. NEERAJ KUMAR

(Head of the department) SUPERWISER

(Senior Lecturer)

Electronics Department Electronics Department

School of Electronics Engineering School of Electronics Engineering

2
 ABSTRACT

Security requirements and services of a mobile communication system differ, due to the

radio communication between the user and the base station, extensively from those of a

fixed

network. There is no physical link in the form of a (fixed) telephone line between the user

and the local exchange, which could serve to "identify" the user for routing and charging

purposes.

Authentication by means of cryptographic procedures is thus required to stop impostors

from taking on the identity of somebody else and "transferring" calls and charges.

Eavesdropping on the radio path, intercepting data or tracing the whereabouts of a user

by listening to signaling data are other serious threats.

3
 TABLE OF CONTENTS

CHAPTER NO. TITLE PAGE NO.

Abstract....................................................................................................3

1.0

Introduction .......................................................................................................8

1.1 History and uses.....................................................................................9

1.2

Encryption.................................................................................................9

2 Overview of

GSM..............................................................................................12

2.1 GSM radio channel.....................................................................................

13

2.2 TDMA frame

structure........................................................................... .... 14

4
 3.0 Overview of

cryptography.......................................................................................16

3.1 Symmetric

algorithm.......................................................................................16

4.0 Description of GSM

security.......................................................................................19

4.1

Authentication .........................................................................................................20

4.2 Signal and Data

confidentiality ..............................................................................21

4.3 Identity

confidentiality ............................................................................................24

5.0 Encryption

algorithms...........................................................................................25

5.1 key

length............................................................................ ..............................25

5.2 The A5

Algorithm ...................................................................................... .......26

5.3

Weaknesses..........................................................................................................28

6.0 A5\1 Encryption

code....................................................................................................32
5
 7.0 Application of

project........................................................................................................37

8.0 Acronyms...............................................................................

……...................................38

9.0

Refrences............................................................................ ................................................40

6
 LIST OF TABLES

Name of table page no.

Specification of registers…………………………………………….10

Key length………………………………………….…………………25

Key length search time………………………………………………26

7
 LIST OF FIGUIRES

Name of figure page no.

1. LFSRs with clock control…………………………………………………………...11

2. GSM network……………………………………………………………………… 13

3. TDMA frame structures………………………………………………………….. 14

4. Four stage LFSRs………………………………………………………………….. 18

5. Distribution of security features in GSM network……………………………….. 20

6. GSM authentication mechanism…………………………………………………... 21

7. Ciphering key generation mechanism………………………………………………22

8. GSM security architecture…………………………………………………………..22

9. Ciphering mode initiaqtion…………………………………………………………..23

10. Key stream generation (MS to BTS & BTS to MS)……………………………….. 28

11. A5\1 cipher stream cipher…………………………………………………………… 29

8
1.0 INTRODUCTION

The motivations for security in cellular telecommunications systems are to secure conversations and
signaling data from interception as well as to prevent cellular telephone fraud. With the older analog-
based cellular telephone systems such as the Advanced Mobile Phone System (AMPS) and the Total
Access Communication System (TACS), it is a relatively simple matter for the radio hobbyist to
intercept cellular telephone conversations with a police scanner. A well-publicized case involved a
potentially embarrassing cellular telephone conversation with a member of the British royal family
being recorded and released to the media. Another security consideration with cellular
telecommunications systems involves identification credentials such as the Electronic Serial Number
(ESN), which are transmitted "in the clear" in analog systems. With more complicated equipment, it is
possible to receive the ESN and use it to commit cellular telephone fraud by "cloning" another cellular
phone and placing calls with it. Estimates for cellular fraud in the U.S. in 1993 are as high as $500
million. The procedure wherein the Mobile Station (MS) r

The security and authentication mechanisms incorporated in GSM make it the most secure mobile
communication standard cur egisters its location with the system is also vulnerable to interception and
permits the subscriber’s location to be monitored even when a call is not in progress, as evidenced by
the recent highly-publicized police pursuit of a famous U.S. athlete. rently available, particularly in
comparison to the analog systems described above. Part of the enhanced security of GSM is due to the
fact that it is a digital system utilizing a speech coding algorithm, Gaussian Minimum Shift Keying
(GMSK) digital modulation, slow frequency hopping, and Time Division Multiple Access (TDMA) time
slot architecture. To intercept and reconstruct this signal would require more highly specialized and
expensive equipment than a police scanner to perform the reception, synchronization, and decoding of
the signal. In addition, the authentication and encryption capabilities discussed in this paper ensure the

9
security of GSM cellular telephone conversations and subscriber identification credentials against even
the determined eavesdropper.

It is predicted that mobile applications and devices will become an integral part of communication and
personal management in our lives by the turn of the new decade. The present generation of mobiles is
not equipped with sufficient security features for use in sensitive communications such as mobile
payment and private data transfers. Commerce and mobile banking in a secure and efficient manner. It
proposes the security protocols. The resulting application is utilized to ensure secure transfer of sensitive
and confidential data in applications like mobile payment, secure message broadcast and secure data
storage in mobile communications. The same technique can also be incorporated into future generations
of mobile devices as a parallel mode of secure data transfer. It is envisaged that the success of such a
project would radically change the arena of mobile banking and mobile commerce.

1.1 History and usage

A5/1 is used in Europe and the United States. A5/2 was a deliberate weakening of the algorithm for
certain export regions. A5/1 was developed in 1987, when GSM was not yet considered for use outside
Europe, and A5/2 was developed in 1989. Both were initially kept secret. However, the general design
was leaked in 1994, and the algorithms were entirely reverse engineered in 1999 by Marc Briceno from
a GSM telephone. In 2000, around 130 million GSM customers relied on A5/1 to protect the
confidentiality of their voice communications.

Security researcher Ross Anderson reported in 1994 that "there was a terrific row between the NATO
signal intelligence agencies in the mid 1980s over whether GSM encryption should be strong or not. The
Germans said it should be, as they shared a long border with the Warsaw Pact; but the other countries
didn't feel this way, and the algorithm as now fielded is a French design."

1.2 Encryption

Encryption is said to occur when data is passed through a series of mathematical operations that
generate an alternate form of that data; the sequence of these operations is called an algorithm. To help

10
distinguish between the two forms of data, the unencrypted data is referred to as the plaintext and the
encrypted data as ciphertext. The security of encryption lies in the ability of an algorithm to generate
ciphertext that is not easily reverted to the original plaintext.

In a very simple example, encryption of the word "secret" could result in "terces." Reversing the order
of the letters in the plaintext generates the ciphertext. This is a very simple encryption - it is quite easy
for an attacker to retrieve the original data. A better method of encrypting this message might be to
create an alternate alphabet by shifting each letter by some arbitrary number. This is known as a
substitution cipher, a form of encryption that is still used in puzzle books today. For example, encrypting
the word "secret" with an alphabet shifted by 3 letters to the right (Figure 1.) produces "vhfuhw." A
substitution cipher simply exchanges one letter or word with another. This particular algorithm is called
the "Caesar Cipher"

Normal alphabet:      A b c d e f g h i j k l m n o p q r s t u v w x y z

Alphabet shifted by 3:      D e f g h i J k l m n o p q r s t u v w x y z a b c

A5/1 is based around a combination of three linear feedback shift registers (LFSRs) with irregular
clocking. The three shift registers are specified as follows:

LFSR Length in Characteristic Clocking Tapped

number bits polynomial bit bits

18 17 16 13

1 19 x +x +x +x +1 8 13, 16, 17, 18

21 20

2 22 x +x +1 10 20, 21
22 21 20 7

3 23 x +x +x +x +1 10 7, 20, 21, 22

Table 1.0 specification of register

The bits are indexed with the least significant bit (LSB) as 0.
11
The registers are clocked in a stop/go fashion using a majority rule. Each register has an associated
clocking bit. At each cycle, the clocking bit of all three registers is examined and the majority bit is
determined. A register is clocked if the clocking bit agrees with the majority bit. Hence at each step two
or three registers are clocked, and each register steps with probability 3/4.

Initially, the registers are set to zero. Then for 64 cycles, the 64-bit secret key is mixed in according to
the following scheme: in cycle , the ith key bit is added to the least significant bit of each
register using XOR —

Each register is then clocked.

Similarly, the 22-bits of the frame number are added in 22 cycles. Then the entire system is clocked
using the normal majority clocking mechanism for 100 cycles, with the output discarded. After this is
completed, the cipher is ready to produce two 114 bit sequences of output keystream, first 114 for
downlink, last 114 for uplink.

12
 Figure no. 1 LFSRs with clock control

2.0 OVERVIEW OF GSM

GSM (group special mobile or general system for mobile communications) is the Pan-European
standard for digital cellular communications. The Group Special Mobile was established in 1982 within
the European Conference of Post and Telecommunication Administrations (CEPT). A Further important
step in the history of GSM as a standard for a digital mobile cellular communications was the signing of
a GSM Memorandum of Understanding (MoU) in 1987 in which 18 nations committed themselves to
implement cellular networks based on the GSM specifications. In 1991 the first GSM based networks

13
commenced operations. GSM provides enhanced features over older analog-based systems, which are
summarized below:

 Total Mobility: The subscriber has the advantage of a Pan-European system allowing him to
communicate from everywhere and to be called in any area served by a GSM cellular network
using the same assigned telephone number, even outside his home location. The calling party
does not need to be informed about the called person's location because the GSM networks are
responsible for the location tasks. With his personal chipcard he can use a telephone in a rental
car, for example, even outside his home location. This mobility feature is preferred by many
business people who constantly need to be in touch with their headquarters.
 High Capacity and Optimal Spectrum Allocation: The former analog-based cellular networks
had to combat capacity problems, particularly in metropolitan areas. Through a more efficient
utilization of the assigned frequency bandwidth and smaller cell sizes, the GSM System is
capable of serving a greater number of subscribers. The optimal use of the available spectrum is
achieved through the application Frequency Division Multiple Access (FDMA), Time Division
Multiple Access (TDMA), efficient half-rate and full-rate speech coding, and the Gaussian
Minimum Shift Keying (GMSK) modulation scheme.
 Security: The security methods standardized for the GSM System make it the most secure
cellular telecommunications standard currently available. Although the confidentiality of a call
and anonymity of the GSM subscriber is only guaranteed on the radio channel, this is a major
step in achieving end-to- end security. The subscriber’s anonymity is ensured through the use of
temporary identification numbers. The confidentiality of the communication itself on the radio
link is performed by the application of encryption algorithms and frequency hopping which
could only be realized using digital systems and signaling.
 Services: The list of services available to GSM subscribers typically includes the following:
voice communication, facsimile, voice mail, short message transmission, data transmission and
supplemental services such as call forwarding.

14
 Figure2 GSM network

2.1 GSM Radio Channel

The GSM standard specifies the frequency bands of 890 to 915 MHz for the uplink band, and 935 to
960 MHz for the downlink band, with each band divided up into 200 kHz channels. Other features of
the radio channel interface include adaptive time alignment, GMSK modulation, discontinuous
transmission and reception, and slow frequency hopping. Adaptive time alignment enables the MS to
correct its transmit timeslot for propagation delay. GMSK modulation provides the spectral efficiency
and low out-of-band interference required in the GSM system. Discontinuous transmission and
reception refers to the MS powering down during idle periods and serves the dual purpose of reducing
co-channel interference and extending the portable unit's battery life. Slow frequency hopping is an
additional feature of the GSM radio channel interface which helps to counter the effects of Rayleigh
fading and co-channel interference.

2.2 TDMA Frame Structures, Channel Types, and Burst Types

The 200 kHz channels in each band are further subdivided into 577 ms timeslots, with 8 timeslots
comprising a TDMA frame of 4.6 ms. Either 26 or 51 TDMA frames are grouped into multiframes
(120 or 235 ms), depending on whether the channel is for traffic or control data. Either 51 or 26 of the
multiframes (again depending on the channel type) make up one superframe (6.12 s). A hyperframe is
composed of 2048 superframes, for a total duration of 3 hours, 28 minutes, 53 seconds, and 760 ms.
The TDMA frame structure has an associated 22-bit sequence number which uniquely identifies a
15
 TDMA frame within a given hyperframe. Figure 1 illustrates the various TDMA

fr
ame structures.

Figure 3 TDMA Frame Structures

various logical channels which are mapped onto the TDMA frame structure may be grouped into
traffic channels (TCHs) used to carry voice or user data, and control channels (CCHs) used to carry
signaling and synchronization data. Control channels are further divided into broadcast control
channels, common control channels, and dedicated control channels.

Each timeslot within a TDMA frame contains modulated data referred to as a "burst". There are
five burst types (normal, frequency correction, synchronization, dummy, and access bursts), with the
normal burst being discussed in detail here. The bit rate of the radio channel is 270.833 kbit/sec,
16
 which corresponds to a timeslot duration of 156.25 bits. The normal burst is composed of a 3-bit
start sequence, 116 bits of payload, a 26-bit training sequence used to help counter the effects of
multipath interference, a 3-bit stop sequence required by the channel coder, and a guard period (8.25
bit durations) which is a "cushion" to allow for different arrival times of bursts in adjacent timeslots
from geographically disperse MSs. Two bits from the 116-bit payload are used by the Fast
Associated Control Channel (FACCH) to signal that a given burst has been borrowed, leaving a total
of 114 bits of payload. Figure 2 illustrates the structure of the normal burst.

3.0 Overview of Cryptography

This section provides a brief overview of cryptography, with an emphasis on the features that
appear in the GSM system.

17
 The history of cryptography dates back thousands of years, and for the most part, it has been the
history of classical cryptography; that is, methods of encryption which can be performed using pen
and paper (or perhaps with simple mechanical aids). In the early 1900s, the invention of several
complex mechanical and electromechanical machines, such as the Enigma rotor machine, allowed the
use of more sophisticated and efficient methods of encryption, and the introduction of electronics and
computing allowed elaborate schemes of even greater complexity.

There has also been a parallel history of cryptanalysis, that is, the breaking of codes and ciphers. From
the early discovery of frequency analysis, the consequences of reading an adversary's communications
has often proved to be profound. For example, the Zimmermann Telegram triggered the entrance of
the United States into World War I, and the Allied breaking of Nazi Germany's ciphers may have
shortened World War II by as much as two years.

Until the 1970s, secure cryptography was the sole preserve of governments. Two events brought
cryptography into the public domain: the creation of a public encryption standard (DES); and the
invention of public-key cryptograph

3.1 Symmetric Algorithms

Symmetric algorithms are algorithms in which the encryption and decryption use the same key.
For example, if the plaintext is denoted by the variable P, the ciphertext by C, the encryption with
key x by the function Ex( ), and the decryption with key x by Dx( ), then the symmetric algorithms
are functionally described as follows:

C=Ex(P)
P=Dx(C)
P=Dx(Ex(P))

For a good encryption algorithm, the security of the data rests with the security of the key, which
introduces the problem of key management for symmetric algorithms. The most widely-known
example of a symmetric algorithm is the Data Encryption Standard (DES). Symmetric encryption
algorithms may be further divided into block ciphers and stream ciphers.

18
3.1.1 Block Ciphers

As the name suggests, block ciphers encrypt or decrypt data in blocks or groups of bits. DES uses a
56-bit key and processes data in 64- bit blocks, producing 64-bits of encrypted data for 64-bits of
input, and vice-versa. Block algorithms are further characterized by their mode of operation, such as
electronic code book (ECB), cipher block chaining (CBC) and cipher feedback (CFB). CBC and CFB
are examples of modes of operation where the encryption of successive blocks is dependent on the
output of one or more previous encryptions. These modes are desirable because they break up the one-
to-one correspondence between ciphertext blocks and plaintext blocks (as in ECB mode). Block
ciphers may even be implemented as a component of a stream cipher.

3.1.2 Stream Ciphers

Stream ciphers operate on a bit-by-bit basis, producing a single encrypted bit for a single plaintext
bit. Stream ciphers are commonly implemented as the exclusive-or (XOR) of the data stream with
the keystream. The security of a stream cipher is determined by the properties of the keystream. A
completely random keystream would effectively implement an unbreakable one-time pad
encryption, and a deterministic keystream with a short period would provide very little security.

Linear Feedback Shift Registers (LFSRs) are a key component of many stream ciphers. LFSRs are
implemented as a shift register where the vacant bit created by the shifting is a function of the
previous states. With the correct choice of feedback taps, LFSRs can function as pseudo-random
number generators. The statistical properties of LFSRs, such as the autocorrelation function and
power spectral density, make them useful for other applications such as pseudo-noise (PN) sequence
generators in direct sequence spread spectrum communications, and for distance measurement in
systems such as the Global Positioning System (GPS). LFSRs have the additional advantage of
being easily implemented in hardware.

The maximal length sequence (or m-sequence) is equal to 2n-1 where n is the degree of the shift
register. An example of a maximal length LFSR is shown below in Figure 3. This LFSR will generate
the periodic m-sequence consisting of the following states (1111, 0111, 1011, 0101, 1010, 1101, 0110,
0011, 1001, 0100, 0010, 0001, 1000, 1100, 1110).

19
 Figure 4 Four-Stage Linear Feedback Shift Register

In order to form an m-sequence, the feedback taps of an LFSR must correspond to a primitive
polynomial modulo 2 of degree n. A number of stream cipher designs consist of multiple LFSRs with
various interconnections and clocking schemes. The GSM A5 algorithm, used to encrypt voice and
signaling data in GSM is a stream cipher based on three clock-controlled LFSRs.

4.0 Description of GSM Security Features

The security aspects of GSM are detailed in GSM Recommendations 02.09, "Security Aspects,"
02.17, "Subscriber Identity Modules," 03.20, "Security Related Network Functions," and 03.21,
"Security Related Algorithms". Security in GSM consists of the following aspects: subscriber identity
authentication, subscriber identity confidentiality, signaling data confidentiality, and user data
confidentiality. The subscriber is uniquely identified by the International Mobile Subscriber Identity
(IMSI). This information, along with the individual subscriber authentication key (Ki), constitutes
20
sensitive identification credentials analogous to the Electronic Serial Number (ESN) in analog systems
such as AMPS and TACS. The design of the GSM authentication and encryption schemes is such that
this sensitive information is never transmitted over the radio channel. Rather, a challenge-response
mechanism is used to perform authentication. The actual conversations are encrypted using a
temporary, randomly generated ciphering key (Kc). The MS identifies itself by means of the
Temporary Mobile Subscriber Identity (TMSI), which is issued by the network and may be changed
periodically (i.e. during hand-offs) for additional security.

The security mechanisms of GSM are implemented in three different system elements; the
Subscriber Identity Module (SIM), the GSM handset or MS, and the GSM network. The SIM contains
the IMSI, the individual subscriber authentication key (Ki), the ciphering key generating algorithm
(A8), the authentication algorithm (A3), as well as a Personal Identification Number (PIN). The GSM
handset contains the ciphering algorithm (A5). The encryption algorithms (A3, A5, A8) are present in
the GSM network as well. The Authentication Center (AUC), part of the Operation and Maintenance
Subsystem (OMS) of the GSM network, consists of a database of identification and authentication
information for subscribers. This information consists of the IMSI, the TMSI, the Location Area
Identity (LAI), and the individual subscriber authentication key (Ki) for each user. In order for the
authentication and security mechanisms to function, all three elements (SIM, handset, and GSM
network) are required. This distribution of security credentials and encryption algorithms provides an
additional measure of security both in ensuring the privacy of cellular telephone conversations and in
the prevention of cellular telephone fraud.

Figure 4 demonstrates the distribution of security information among the three system elements, the
SIM, the MS, and the GSM network. Within the GSM network, the security information is further
distributed among the authentication center (AUC), the home location register (HLR) and the visitor
location register (VLR). The AUC is responsible for generating the sets of RAND, SRES, and Kc
which are stored in the HLR and VLR for subsequent use in the authentication and encryption
processes.

21
 Figure 5 Distribution of Security Features in the GSM Network

4.1 Authentication

The GSM network authenticates the identity of the subscriber through the use of a challenge-
response mechanism. A 128-bit random number (RAND) is sent to the MS. The MS computes the 32-
bit signed response (SRES) based on the encryption of the random number (RAND) with the
authentication algorithm (A3) using the individual subscriber authentication key (Ki). Upon receiving
the signed response (SRES) from the subscriber, the GSM network repeats the calculation to verify the
identity of the subscriber. Note that the individual subscriber authentication key (Ki) is never
transmitted over the radio channel. It is present in the subscriber's SIM, as well as the AUC, HLR, and
VLR databases as previously described. If the received SRES agrees with the calculated value, the MS
has been successfully authenticated and may continue. If the values do not match, the connection is
terminated and an authentication failure indicated to the MS. Figure 5 shown below illustrates the
authentication mechanism.

22
 Figure 6 GSM Authentication Mechanism

4.2 Signaling and Data Confidentiality

The SIM contains the ciphering key generating algorithm (A8) which is used to produce the 64-bit
ciphering key (Kc). The ciphering key is computed by applying the same random number (RAND) used
in the authentication process to the ciphering key generating algorithm (A8) with the individual
subscriber authentication key (Ki). As will be shown in later sections, the ciphering key (Kc) is used to
encrypt and decrypt the data between the MS and BS. An additional level of security is provided by
having the means to change the ciphering key, making the system more resistant to eavesdropping. The
ciphering key may be changed at regular intervals as required by network design and security
considerations. Figure 6 below shows the calculation of the ciphering key (Kc).

23
 Figure 7 Ciphering Key Generation Mechanism

In a similar manner to the authentication process, the computation of the ciphering key (Kc) takes place
internally within the SIM. Therefore sensitive information such as the individual subscriber
authentication key (Ki) is never revealed by the SIM.

24
 Figure 8: GSM Security Architecture

Encrypted voice and data communications between the MS and the network is accomplished through
use of the ciphering algorithm A5. Encrypted communication is initiated by a ciphering mode request
command from the GSM network. Upon receipt of this command, the mobile station begins encryption
and decryption of data using the ciphering algorithm (A5) and the ciphering key (Kc). Figure 7 below
demonstrates the encryption mechanism.

25
 Figure 9 Ciphering Mode Initiation Mechanism

4.3 Subscriber Identity Confidentiality

To ensure subscriber identity confidentiality, the Temporary Mobile Subscriber Identity (TMSI)
is used. The TMSI is sent to the mobile station after the authentication and encryption procedures
have taken place. The mobile station responds by confirming reception of the TMSI. The TMSI is
valid in the location area in which it was issued. For communications outside the location area, the
Location Area Identification (LAI) is necessary in addition to the TMSI. The TMSI

26
allocation/reallocation process is shown in Figure 8 below.

27
5.0 GSM Encryption Algorithms

A partial source code implementation of the GSM A5 algorithm was leaked to the Internet in June,
1994. More recently there have been rumors that this implementation was an early design and bears little
resemblance to the A5 algorithm currently deployed. Nevertheless, insight into the underlying design
theory can be gained by analyzing the available information. The details of this implementation, as well
as some documented facts about A5, are summarized below:

 A5 is a stream cipher consisting of three clock-controlled LFSRs of degree 19, 22, and 23.
 The clock control is a threshold function of the middle bits of each of the three shift registers.
 The sum of the degrees of the three shift registers is 64. The 64-bit session key is used to
initialize the contents of the shift registers.
 The 22-bit TDMA frame number is fed into the shift registers.
 Two 114-bit keystreams are produced for each TDMA frame, which are XOR-ed with the uplink
and downlink traffic channels.

It is rumored that the A5 algorithm has an "effective" key length of 40 bits.

5.1 Key Length

This section focuses on key length as a figure of merit of an encryption algorithm. Assuming a brute-
force search of every possible key is the most efficient method of cracking an encrypted message (a big
assumption), Table 1 shown below summarizes how long it would take to decrypt a message with a
given key length, assuming a cracking machine capable of one million encryptions per second.

Table 1 Brute-force key search times for various key sizes

Key length in bits 32 40 56 64 128
Time required to test all possible 10.8 x 10^24
1.19 hours 12.7 days 2,291 years 584,542 years
keys years
Table 5.0

The time required for a 128-bit key is extremely large; as a basis for comparison the age of the Universe
is believed1.6x10^10 years. An example of an algorithm with a 128-bit key is the International Data
Encryption Algorithm (IDE to be A). The key length may alternately be examined by determining the
number of hypothetical cracking machines required to decrypt a message in a given period of time.

28
 Table 2 Number of machines required to search a key space in a given time
Key length in bits 1 day 1 week 1 year
40 13 2 -
56 836,788 119,132 2,291
64 2.14x10^8 3.04x10^6 584,542
128 3.9x10^27 5.6x10^26 10.8x10^24

Table 5.1 no of machines required to search a key

A machine capable of testing one million keys per second is possible by today’s standards. In
considering the strength of an encryption algorithm, the value of the information being protected
should be taken into account. It is generally accepted that DES with its 56-bit key will have reached
the end of its useful lifetime by the turn of the century for protecting data such as banking transactions.
Assuming that the A5 algorithm has an effective key length of 40 bits (instead of 64), it currently
provides adequate protection for information with a short lifetime. A common observation is that the
"tactical lifetime" of cellular telephone conversations is on the order of weeks.

5.2. The A5 Algorithm

There exists several implementations of this algorithm though the most commonly used ones are: -
A5/0 used by countries under UN Sanctions, comes with no encryption.
• A5/1 is the strongest version and is used in Western Europe and America.
• A5/2 is a weaker version used mainly in Asia.
As with A8 and A3, this algorithm was secretly developed but some unofficial descriptions of the
algorithms can be found in the internet. The A5 structure is shown in Figure 5

29
Figure 10: Keystream generation for MS to BTS and BTS to MS

The stream cipher is initialized all over again for every frame sent. The stream cipher is
initialized with the session key, Kc, and the number of the frame being de/encrypted. The same Kc
is used throughout the call, but the frame number ( a22-bit number) frame number changes during
the call, thus generating a unique keystream for every frame.
3.2.1 The A5/1 Algorithm description
The A5 algorithm used in European countries consists of three LSFRs of different lengths.
The LSFRs are initialized with Kc, and the frame number. The Kc (64-bit) is first loaded into the
register bit by bit. The LSB of the key is XORred into each of the LSFRs. The registers are then all
clocked (the majority clocking rule is disabled). All 64 bits of the key are loaded into the registers the
same way. The 22-bit frame number is also loaded into the register in the same way except that the
majority clocking rule applies from now on. After the registers have been initialized with the Kc and
the current frame number, they are clocked one hundred times and the generated keystream bits are
discarded. This is done in order to mix the frame number and keying material together. Now 228 bits
of keystream output are generated. The first 114 bits are used to encrypt the frame from MS to BTS
and the next 114 bits are used to encrypt the frame from BTS to MS. After this, the A5 algorithm is
initialized again with the same Kc and the number of the next frame.

30
5.3. A5/1 Weaknesses

A5 /1 is a very strong encryption algorithm, the best published attacks to it require 2 ^40 and 2^45
steps which makes it vulnerable to hardware-based attacks of organizations but not to software based
attacks. Its main weakness is that its key is the output of the A8 algorithm which has already been
cracked. The actual size of its key is not 64 but 54, because the last 10 bits are set to 0, which makes
it much weaker.

Figure 6:

Figure 11: A5/1 Cipher stream cipher

31
A. A5/1 stream cipher key generator for secure GSM
conversations
Note. A GSM conversation is sent as a sequence of frames
per 4.6 millisecond, and each frame contains 228 bits.

Construction of A5/1 Generator:

Parameters:

(a) Three LSFRs which generate m-sequences with periods 219 - 1,

222 - 1, 223 - 1, respectively.

1. LFSR 1: ( ) 1 9 5 2 1 generates a = {a(t)}.

1fx=x+x+x+x+

2. LFSR 2: ( ) 2 2 1 generates b = {b(t)}.

2fx=x+x+

( ) 23 16 2 1

3fx=x+x+x+x+

4. Tap positions: d1 = 11, d2 = 12 and d3 = 13.

(b) Majority function f(x1, x2, x3) = (y1, y2, y3) is defined by
Output:
The output sequence u = {u(t)} which performs at time t,
u(t) = a(i1) + b(i2) + c(i3), t = 0, 1, ...
where i1, i2, and i3 are determined in a stop-and-go clock controlled
model by the majority function f.

0125

32
… … 18
0 1 2 21
…
11
…
12
0 1 2 22
……
13
…
16
f: Majority function
Stop/go control
y1
Stop/go control
y3
y2
5.4 A5/1 Key Stream Generator

Stop/go control
Output
For example, at time t, if
f(a(t+11), b(t+12), c(t+13)) = (1, 1, 0)
i.e., (y1, y2, y3) = (1, 1, 0), then LFSR 1 and LFSR 2 are
clocked and LFSR 3 has no clock pulse.
Session key or seed: initial states for three LFSRs, a
total of 64 bits.

Note 2. The first 'original' A5 algorithm was renamed A5/1. Other algorithms include A5/0, which means no
encryption at all, and A5/2, a weaker over-the-air privacy algorithm. Generally, the A5 algorithms after
A5/1 have been named A5/x. Most of the A5/x algorithms are considerably weakerthan the A5/1, which
has the time complexity of 254 at mostas, shown above. The estimated time complexity of A5/2 isas low
as 216. A5/3 is available in the work group ofwireless communications.
33
What does A5/1 suffer ?

• It can be broken with few hours by a PC.

• Short period problem: Without stop/go operation, the
period of sum of the three LFSRs is given by
(219-1)( 222-1)(223-1).
However, the experiement shows that the period of A5/1 is
arround
(4/3)(223-1).
• Collision problem: different seeds (i.e., different initial
states of three LFSRs) may result in the same key stream
(our new results shows that only 70% seeds produce
different key streams.)
• The maority function is the worst function in terms of
correlation with all affine functions.

Possible Attacks on A5/1

Brute-Force Attack against A5

If we have a Pentium III class chip with approximately 20 million
transistors and the implementation of one set of LSFRs (A5/1)
would require about 2000 transistors, we would have a set of 10,000
parallel A5/1 implementations on one chip. If the chip was clocked
to 600 MHz, we could try approximately 2M keys per second per
A5/1 implementation. A key space of 254 keys would thus require
about 900,000 seconds, 250 hours, with one chip.
Alex Biryukov and Adi Shamir (co-inventor of the RSA) claim to be
able to penetrate the security of a A5/1 ciphered GSM call in less
than one second using a PC with 128 MB RAM and large hard
drives.

34
6.0 A5\1 ENCRYPTION CODE

% a5\1 encryption code

% date of submission 01 Dec 2010

% the below program is for the random binary number generation

% the program asks for the length of the sequence to be generated

% then the generated sequence is stored in the file sequence.txt

clc;

clear all;

close all;

RA = zeros(19,1,'uint8');

RB = ones(22,1,'uint8');

RC = zeros(23,1,'uint8');

RA(19,1) = 0;

RA(11,1) = 1;

RB(5,1) = 1;

RB(15,1) = 1;

RC(1,1) = 1;

RC(10,1) = 1;

count = input('Enter the length of the sequence to be generated = ');

index = 0;

35
while(index ~= count )

index = index + 1 ;

RA19 = RA(19,1);

RA18 = RA(18,1);

RA17 = RA(17,1);

RA14 = RA(14,1);

RB22 = RB(22,1);

RB21 = RB(21,1);

RC23 = RC(23,1);

RC22 = RC(22,1);

RC21 = RC(21,1);

RC8 = RC(8,1);

RA9 = RA(9,1);

RB11 = RB(11,1);

RC11 = RC(11,1);

Max0 = 0;

Max1 = 0;

if(RA9 == 1)

Max1 = Max1 + 1;

else

MAx0 = Max0 + 1;

end

if(RB11 == 1)

Max1 = Max1 + 1;

36
else

Max0 = Max0 + 1;

end

if(RC11 == 1)

Max1 = Max1 + 1;

else

Max0 = Max0 + 1;

end

if(Max1 > Max0)

CK = 1;

else

CK = 0;

end

tempA = bitxor(RA19, RA18);

tempA = bitxor(RA17, tempA);

tempA = bitxor(RA14, tempA);

tempB = bitxor(RB22, RB21);

tempC = bitxor(RC23, RC22);

tempC = bitxor(RC21, tempC);

tempC = bitxor(RC8, tempC);

if(RA9 == CK)

for ind = 19 :-1: 2

37
 RA(ind,1) = RA(ind-1,1);

end

RA(1,1) = tempA;

end

if(RB11 == CK)

for ind = 22 :-1: 2

RB(ind,1) = RB(ind-1,1);

end

RB(1,1) = tempB;

end

if(RC11 == CK)

for ind = 23 :-1: 2

RC(ind,1) = RC(ind-1,1);

end

RC(1,1) = tempC;

end

outA = bitxor(RA19,RB22);

outA = bitxor(RC23,outA);

seq(index) = outA;

end

fid = fopen('sequence.txt','w');

38
 fprintf(fid,'%d',seq);

fclose(fid);

7.0. Application of project:

39
The applications of an encrypted data transfer enabled in a mobile phone have a large

range of possibilities for applications.

 The foremost is mobile banking, where transactions involving large finances

can be carried out with ease and in a secure method [1].

 Second, the possibilities for mobile merchandise are present. Hence, the scope

of mobile device as a communication tool is enlarged to a very large extent.

 Third, the encryption can be used to transfer private and confidential

information securely over the mobile network.

 The fourth application is to use the device for securing personal information for

security reasons.

 Authentication.

 Signaling and data confidentiality.

40
8.0 Acronyms

A3 Authentication Algorithm

A5 Ciphering Algorithm

A8 Ciphering Key Generating Algorithm

AMPS Advanced Mobile Phone System

AUC Authentication Center

BS Base Station

CBC Cipher Block Chaining

CEPT European Conference of Post and Telecommunication Administrations

CFB Cipher Feedback

CKSN Ciphering Key Sequence Number

DES Data Encryption Standard

DSA Digital Signature Algorithm

ECB Electronic Code Book

ETSI European Telecommunications Standards Institute

GMSK Gaussian Minimum Shift Keying

GSM Group Special Mobile

HLR Home Location Register

IMSI International Mobile Subscriber Identity

Kc Ciphering Key

Ki Individual Subscriber Authentication Key

LAI Location Area Identity

LFSR Linear Feedback Shift Register

MoU Memorandum of Understanding

41
MS Mobile Station

MSC Mobile Switching Center

NIST National Institute of Standards and Technology1

OMS Operation and Maintenance Subsystem

RAND Random Number

RSA Rivest, Shamir, Adleman

SHA Secure Hash Algorithm

SRES Signed Response

TACS Total Access Communications System

TMSI Temporary Mobile Subscriber Identity

VLR Visitor Location Register

REFRENCES

42
1. wireless communication by Theodore S Rappaport.
2. Van der Arend, P. J. C., "Security Aspects and the Implementation in the GSM System,"
Proceedings of the Digital Cellular Radio Conference, Hagen, Westphalia, Germany, October,
1988.
3. Biala, J., "Mobilfunk und Intelligente Netze," Friedr., Vieweg & Sohn Verlagsgesellschaft, 1994.
4. Cooke, J.C.; Brewster, R.L., "Cyptographic Security Techniques for Digital Mobile Telephones,"
Proceedings of the IEEE International Conference on Selected Topics in Wireless
Communications, Vancouver, B.C., Canada, 1992.
5. European Telecommunications Standards Institute, Recommendation GSM 02.09, "Security
Aspects".
6. European Telecommunications Standards Institute, Recommendation GSM 02.17, "Subscriber
Identity Module".
7. European Telecommunications Standards Institute, Recommendation GSM 03.20, "Security
Related Network Functions".
8. Hodges, M.R.L., "The GSM Radio Interface," British Telecom Technology Journal, Vol. 8, No.
1, January 1990, pp. 31-43.
9. Hudson, R.L., "Snooping versus Secrecy," Wall Street Journal, February 11, 1994, p. R14
10. Schneier, B., "Applied Cryptography," J. Wiley & Sons, 1994.
11. Williamson, J., "GSM Bids for Global Recognition in a Crowded Cellular World," Telephony,
vol. 333, no. 14, April 1992, pp. 36-40.

43