A5/1 A GSM stream cipher algorithm - PowerPoint PPT Presentation

1 / 20
About This Presentation
Title:

A5/1 A GSM stream cipher algorithm

Description:

A5/1 A GSM stream cipher algorithm brahim Yakut * * Havada korumal . ebekede korumas z olarak payla l yor. * * * What is primitive polynomial? – PowerPoint PPT presentation

Number of Views:1971
Avg rating:3.0/5.0
Slides: 21
Provided by: Ibrahi59
Category:
Tags: gsm | algorithm | cipher | stream

less

Transcript and Presenter's Notes

Title: A5/1 A GSM stream cipher algorithm


1
A5/1 A GSM stream cipher algorithm
  • Ibrahim Yakut

2
Outline
  • Introduction
  • History
  • A5/1 ciphering
  • Overall
  • LFSRs
  • How it works
  • Evaluation
  • Security and Computation
  • Attacks
  • Future Variants
  • Final Words

3
Introduction
  • A5/1
  • A stream cipher providing over-the air
    communication privacy in GSM
  • Released with A5/2 and one of them is mandatory
    in GSM standarts
  • A5/2 is delibrately weakened due to export
    restrictions on encryption technology during Cold
    War.
  • A5/1 is used in US and Europe, while A5/2 in
    other countries.
  • Implemented very efficiently on hardware

4
History
  • Developed in 1987, method is initally kept secret
  • The general design was leaked in 1994
  • The algorithms entirely reverse engineered by
    Briceno in 1999 from a mobile phone.
  • In 2000, around 130 million of GSM users
  • Nowadays, 3.5 billion of the worlds 4.3 billion
    wireless connections use G.S.M( A5/1A5/2).

5
A5/1 Algorithm
  • Frames in GSM
  • Keys in A5/1
  • Linear Feedback Shift Registers
  • How it works

6
A5/1 and frames
  • GSM phone conversations sequences of frames.
  • One 228 bit frame is sent in 4.6 milliseconds
    114 bits for the communication in each direction.
  • A5/1 produces 228 bits to XOR with the plaintext
    in each frame

7
Keys in A5/1
  • Initialized using a 64-bit key (Kc ) combined
    with a publicly-known 22-bit frame number(Fn).
  • In some GSM implementations, 10 key bits are
    fixed at zero - effective key length is 54 bits.

RAND (128 bit)
A8
Ki (128 bit)
KC (64 bit)
8
(No Transcript)
9
LFSR structure
b1 b2 b3 b4 ... bn-1 bn
output
new value
Feedback Function XOR
  • A5/1 based on Linear Feedback Shift Registers
    LFSRs
  • Purpose - to produce pseudo random bit sequence
  • Consists of two parts
  • shift register bit sequence
  • feedback function
  • Tap Sequence
  • bits that are input to the feedback function

10
LFSR Features
  • LFSR Period the length of the output sequence
    before it starts repeating itself.
  • n-bit LFSR can be in 2n-1 internal states
  • ? the maximal period is also 2n-1
  • the tap sequence determines the period
  • the polynomial formed by a tap sequence plus 1
    must be a primitive polynomial (mod 2)

11
LFSR Example
  • Example
  • x12x6x4x1 corresponds to LFSR of length 12

b1 b2 b3 b4 b5 b6 b7 b8 b9 b10 b11 b12
12
A5/1 LFSRs
  • Consists of 3 LFSRs of different lengths
  • 19 bits
  • x18 x17 x16 x13 1
  • clock bit 8
  • tapped bits 13, 16, 17, 18
  • 22 bits
  • x21 x20 1
  • clock bit 10
  • tapped bits 20, 21
  • 23 bits
  • x22 x21 x20 x7 1
  • clock bit 10
  • tapped bits 7, 20, 21, 22

13
A5/1 Operation
  • All 3 registers are zeroed
  • 64 cycles (without the stop/go clock)
  • Each bit of Kc(lsb to msb) is XOR'ed in parallel
    into the lsb's of the registers
  • 22 cycles (without the stop/go clock)
  • Each bit of Fn (lsb to msb) is XOR'ed in parallel
    into the lsb's of the registers
  • 100 cycles with the stop/go clock control,
    discarding the output
  • 228 cycles with the stop/go clock control which
    produce the output bit sequence.

14

A5/1 working example
0
0 1 1 1 1 0 1 1 0 1 0 1 1 0 1 0 1 0
1 0 1 1 1 1 0 1 1 0 1 0 1 1 0 1 0 1 0
1
1 1 1 1 0 1 1 0 1 0 1 1 0 1 0 1 0 1
0
R1
C1
clock control
21
20
0
1
1 0 1 1 1 0 0 1 0 0 1 0 1 0 1 0 1 1 1 0 0 1
0 1 1 1 0 0 1 0 0 1 0 1 0 1 0 1 1 1 0 0 1
1
1
R2
C2
0
1 0 1 0 1 0 1 0 0 1 1 0 1 1 1 0 1 1 0 0 1 0 1
0 1 0 1 0 1 0 0 1 1 0 1 1 1 0 1 1 0 0 1 0 1
0
R3
C3
15
Security of A5/1
  • As leakage from the algorithm many cryptanalysis
    works are performed.
  • Known-plaintext attacks
  • Directly to the GSM networks

16
Known-plaintext Attacks
Who Year Attack Type Pre-Proc. Steps Available Data Storage Attack Time
Golic 1997 Solving Linear Eqns. 240.16 To solve eqns.
Biryukov et al. 2000 Time-memory trade off 248 2 mins. 300 GB 1 second
Biryukov et al. 2000 Random Subgraph 248 2 secs. 300 GB Several Mins.
Biham et al. 2000 238 220.8 bits 32 GB 239.91 clckings
Ekdahl et al. 2003 No initialization No 2-5 mins. Few mins.
Maximov et al. 2004 Improved Ekdahl et al. No A few secs. Less than 1 min
17
Attacks A5/1 as in GSM
  • Barkan et al. 2003 Break A5/2, and A5/1 is
    outlined due to a large amount of precomputation.
  • 2007, Copacobana project, parallel FPGA-based
    crypto accelerator. 1st commercially available
    soln.
  • 2008, The Hackers Choice, 3 TB lookup tables(not
    released), 3-5 minutes of cracking
  • 2009, A5/1 cracking project, GPGPUs via P2P
    manner,(40 nodes), in 3-month the tables are
    constructed and published in Dec. 2009

18
Future variants
  • 3GPP project
  • A5/3 Kasumi
  • Stronger version of A5, for use in 3G networks.
  • Block cipher (not stream cipher, like other A5
    versions)
  • The design is public.
  • key-length increased
  • Broken before start to be used
  • 226 plaintext/ciphertext
  • 1 GB storage
  • 232 time complexity

19
Final words
  • A5/1 and its variants fall in security
  • To modify GSM in security, need great
    investments, GSM association is not willing to
    this.
  • Security community greatly advocates the proper
    secure algorithm.

20
Thanks
  • Questions?
Write a Comment
User Comments (0)
About PowerShow.com