
GSM Security

GSM networks use a number of security algorithms and features to authenticate subscribers and encrypt communications. Key algorithms include A3 for subscriber authentication, A8 for generating encryption keys, and A5 for data encryption. However, weaknesses have been found in some algorithms like A5/2. Operators can improve security by updating to stronger algorithms like A5/3 and encrypting traffic on their backbone networks. The document discusses the history of attacks on GSM security and provides recommendations to strengthen authentication, encryption, and privacy for operators and subscribers.

Uploaded by

Anand Prakash
Copyright
© Attribution Non-Commercial (BY-NC)

GSM Security Overview

By,
Pruthwin. K.G
1PI07EC070
Under the supervision of,
Ms.Soumya Pattar

GSM Architecture

[Figure: GSM architecture block diagram. Column headings: Mobile Stations; Base Station Subsystem; Network Management; Subscriber and terminal equipment databases. Blocks shown: BTS (three), BSC, OMC, Exchange System, MSC, VLR, HLR, AUC, EIR.]

GSM Security Concerns
- Operators
  - Bill the right people
  - Avoid fraud
  - Protect services
- Customers
  - Privacy
  - Anonymity

GSM Security Design Requirements
The security mechanism
- MUST NOT
  - Add significant overhead on call set up
  - Increase bandwidth of the channel
  - Increase error rate
  - Add expensive complexity to the system
- MUST
  - Be a cost-effective scheme
- Define security procedures
  - Generation and distribution of keys
  - Exchange of information between operators
  - Confidentiality of algorithms

GSM Security Features
- Key management is independent of equipment
  - Subscribers can change handsets without compromising security
- Subscriber identity protection
  - It is not easy to identify the user of the system by intercepting user data
- Detection of compromised equipment
  - Mechanism for detecting whether a mobile device was compromised or not
- Subscriber authentication
  - The operator knows, for billing purposes, who is using the system
- Signaling and user data protection
  - Signaling and data channels are protected over the radio path

GSM Mobile Station
Mobile Station
- Mobile Equipment (ME)
  - Physical mobile device
  - Identifiers
    - IMEI – International Mobile Equipment Identity
- Subscriber Identity Module (SIM)
  - Smart card containing keys, identifiers and algorithms
  - Identifiers
    - Ki – Subscriber Authentication Key
    - IMSI – International Mobile Subscriber Identity
    - TMSI – Temporary Mobile Subscriber Identity
    - PIN – Personal Identity Number protecting a SIM
    - LAI – Location Area Identity

Subscriber Identity Protection
TMSI – Temporary Mobile Subscriber Identity
- Goals
  - TMSI is used instead of IMSI as a temporary subscriber identifier
  - TMSI prevents an eavesdropper from identifying the subscriber
- Usage
  - TMSI is assigned when IMSI is transmitted to AuC on the first phone switch on
  - Every time a location update (new MSC) occurs, the network assigns a new TMSI
  - TMSI is used by the MS to report to the network or during call initialization
  - Network uses TMSI to communicate with MS
  - On MS switch off, TMSI is stored on the SIM card to be reused next time
- The Visitor Location Register (VLR) performs assignment, administration and update of the TMSI

Key Management Scheme
Ki – Subscriber Authentication Key
- Shared 128 bit key used for authentication of the subscriber by the operator
- Key storage
  - Subscriber's SIM (owned by operator, i.e. trusted)
  - Operator's Home Location Register (HLR) of the subscriber's home network
  - SIM can be used with different equipment

Detection of Compromised Equipment
- International Mobile Equipment Identifier (IMEI)
  - Identifier that allows mobiles to be identified
  - IMEI is independent of SIM
  - Used to identify stolen or compromised equipment
- Equipment Identity Register (EIR)
  - Black list – stolen or non-type mobiles
  - White list – valid mobiles
  - Gray list – local tracking mobiles
- Central Equipment Identity Register (CEIR)
  - Approved mobile type (type approval authorities)
  - Consolidated black list (posted by operators)

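Authentication and Encryption Scheme

[Figure: message flow in three columns: Mobile Station (SIM), Radio Link, GSM Operator.]
- Challenge RAND is sent over the radio link to the mobile station.
- Both sides hold Ki and run A3 to compute the signed response (SRES); the mobile station's SRES is sent over the radio link.
- Authentication: are the SRES values equal?
- Both sides run A8 to obtain Kc.
- Both sides run A5 with Kc on messages mi; encrypted data crosses the radio link.
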
A3 – MS Authentication Algorithm
- Goal
  - Generation of the SRES response to the MSC's random challenge RAND

[Figure: RAND (128 bit) and Ki (128 bit) -> A3 -> SRES (32 bit)]

A8 – Voice Privacy Key Generation Algorithm
- Goal
  - Generation of session key Kc
- A8 specification was never made public

[Figure: RAND (128 bit) and Ki (128 bit) -> A8 -> Kc (64 bit)]

Logical Implementation of A3 and A8
- Both A3 and A8 algorithms are implemented on the SIM
  - The operator can decide which algorithm to use.
  - The algorithms' implementation is independent of hardware manufacturers and network operators.

Logical Implementation of A3 and A8 (continued)
- COMP128 is used for both A3 and A8 in most GSM networks.
  - COMP128 is a keyed hash function

[Figure: RAND (128 bit) and Ki (128 bit) -> COMP128 -> 128 bit output -> SRES 32 bit and Kc 54 bit]

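The challenge-response exchange and the split of one 128 bit keyed-hash output into SRES and Kc, as an added example that is not part of the original slides. COMP128 itself is not reproduced: HMAC-SHA256 truncated to 128 bits stands in for it, the bit positions taken for SRES and Kc are illustrative, and the names Operator, a3_a8 and authenticate are hypothetical. Kc is returned as a 64 bit value whose low 10 bits are always zero, which is why only 54 bits of it are effective.

```python
import hashlib
import hmac
import secrets

def keyed_hash_128(ki, rand):
    # Stand-in for COMP128 (assumption: HMAC-SHA256 truncated to 128 bits).
    return hmac.new(ki, rand, hashlib.sha256).digest()[:16]

def a3_a8(ki, rand):
    """One keyed-hash call yields both SRES (A3) and Kc (A8)."""
    if len(ki) != 16 or len(rand) != 16:
        raise ValueError("Ki and RAND must both be 128 bits")
    out = int.from_bytes(keyed_hash_128(ki, rand), "big")
    sres = (out >> 96).to_bytes(4, "big")       # 32-bit signed response
    kc54 = out & ((1 << 54) - 1)                # 54 bits of key material
    kc = (kc54 << 10).to_bytes(8, "big")        # 64-bit Kc, low 10 bits zero
    return sres, kc

class Operator:
    """Network side: stores Ki per IMSI, issues RAND, checks SRES."""
    def __init__(self, subscribers):
        self._ki = dict(subscribers)
        self._pending = {}

    def challenge(self, imsi):
        if imsi not in self._ki:
            raise KeyError("unknown subscriber")
        rand = secrets.token_bytes(16)          # fresh 128-bit challenge
        self._pending[imsi] = rand
        return rand

    def verify(self, imsi, sres):
        rand = self._pending.pop(imsi, None)    # a challenge is single use
        if rand is None:
            return None
        expected, kc = a3_a8(self._ki[imsi], rand)
        return kc if hmac.compare_digest(expected, sres) else None

def authenticate(operator, imsi, sim_ki):
    """Run the exchange; return the shared Kc, or None if SRES differs."""
    rand = operator.challenge(imsi)             # operator -> MS: RAND
    sres, kc_ms = a3_a8(sim_ki, rand)           # computed on the SIM
    kc_net = operator.verify(imsi, sres)        # MS -> operator: SRES
    return kc_ms if kc_net == kc_ms else None

if __name__ == "__main__":
    imsi, ki = "001010000000001", bytes(range(16))   # constructed test values
    kc = authenticate(Operator({imsi: ki}), imsi, ki)
    print("Kc:", kc.hex(), "low 10 bits:", int.from_bytes(kc, "big") & 0x3FF)
```

Ki never crosses the radio link in this exchange; only RAND and SRES do, and a SIM holding a different Ki fails the SRES comparison.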
A5 – Encryption Algorithm
- A5 is a stream cipher
  - Implemented very efficiently on hardware
  - Design was never made public
  - Leaked to Ross Anderson and Bruce Schneier
- Variants
  - A5/1 – the strong version
  - A5/2 – the weak version
  - A5/3
    - GSM Association Security Group and 3GPP design
    - Based on Kasumi algorithm used in 3G mobile systems

A5 Encryption

[Figure: the GSM architecture block diagram (Mobile Stations; Base Station Subsystem; Network Management; Subscriber and terminal equipment databases) with the label "A5 Encryption".]

Attack History
- 1991
  - First GSM implementation.
- April 1998
  - The Smartcard Developer Association (SDA), together with U.C. Berkeley researchers, cracked the COMP128 algorithm stored in the SIM and succeeded in getting Ki within several hours. They discovered that Kc uses only 54 bits.
- August 1999
  - The weak A5/2 was cracked using a single PC within seconds.
- December 1999
  - Alex Biryukov, Adi Shamir and David Wagner published a scheme breaking the strong A5/1 algorithm. With two minutes of intercepted call, the attack time was only 1 second.
- May 2002
  - The IBM Research group discovered a new way to quickly extract the COMP128 keys using side channels.

Possible improvements
- Use another cryptographically secure algorithm for A3.
- The operator can employ a new A5 implementation with strong encryption too.
  - A new A5/3 algorithm has also been agreed upon to replace the aging A5/2 algorithm.
- A third solution would be to encrypt the traffic on the operator's backbone network between the network components.

Conclusion
- GSM is the dominant cellular technology today.
- Main reason for GSM to become is that some of the algorithms and specifications were leaked out and studied and some critical errors were found.
- However, the security can be improved in some areas with relatively simple measures.

THANK YOU
