To succeed, the attack on the Kasumi block (which is part of A5/3) requires almost complete control over the inputs and outputs of this block.
Last Wednesday, we published an article about an attack allegedly breaking the A5/3 GSM encryption algorithm. Hervé Sibert contacted us to bring some more details: "In order to succeed in attacking Kasumi, which is a building block of A5/3, one needs to have almost full control over the block inputs and outputs". According to him, even though the attack remains valid, a deeper analysis is required to evaluate the impact on the A5/3 algorithm used in 2G, as well as on the other GSM algorithms built upon Kasumi: UEA1 in 3G (UMTS), and GEA3 in GPRS. Hervé Sibert has come to the conclusion that the attack does not apply in practice. "Even better, in the case of A5/3 and GEA3, the assumptions made by the attacker about the keys that are used are precisely never satisfied."
01netPro: Can we say that Kasumi is a synonym for A5/3?
Hervé Sibert: No. Kasumi is a building block used in the A5/3 (2G), UEA1 (3G) and GEA3 (GPRS) GSM confidentiality algorithms (refer to the diagram below).
How is Kasumi used in A5/3, UEA1 and GEA3?
A session confidentiality key CK is derived pseudo-randomly within the SIM card from the 128-bit subscriber key, Ki, and from a 128-bit value provided by the network. Kasumi is applied to known public data using a key derived from CK in order to generate a pseudo-random seed (step not represented on the diagram). A sequence of masking blocks S ("keystream") is generated iteratively using Kasumi with key CK: each new masking block is generated by encrypting the XOR of the previous masking block with a counter value incremented at each block and with the pseudo-random seed. Finally, the masking blocks S are used to mask (using XOR) the data blocks M, such as encoded voice, before radio link transmission.
What is the goal of the attack?
The goal of the attack is to retrieve 4 session keys CK used to generate masking blocks - as once these keys are known, it is possible to generate more masking blocks and unmask eavesdropped data.
How relevant is this attack?
This attack has three main requirements:
1. being able to choose several megabytes of data to be encrypted with Kasumi. This is not possible as the data input to Kasumi are well-defined and out of the control of an attacker.
2. obtaining the corresponding millions of masking blocks S; this amounts to knowing the full plain message blocks M, which is not possible in practice, unless one can get inside the mobile to retrieve them - but then why would we try to break the encryption when we have access to the plain data with a trojan?
3. that the four session keys CK to be retrieved, used by Kasumi to encrypt the above data, are mathematically linked: they must be deduced from one another by flipping their 33rd and/or their 97th bit. Session keys are pseudo-randomly generated and out of the attacker's control, thus expecting to obtain such keys is of the same complexity as running a brute force attack.
This attack is thus not practical with respect to the way Kasumi is used in GSM. Note that in A5/3 and GEA3, the detailed specification forces the 33rd and 97th bits of session keys to be equal. Therefore, a set of keys suitable for the attack will never be used.
What is the status of GSM algorithms after this attack?
The A5/2 and A5/1 algorithms are broken, and this has been the case for quite a few years (well before the December news on A5/1). This new attack does not threaten A5/3, UEA1 or GEA3 more than a brute force attack - moreover, it has an absolute zero success probability with A5/3 and GEA3. It is worth noting that several encryption algorithms are vulnerable to "related-key attacks" without yielding real-life vulnerabilities.
Algorithms with enhanced security are continuously introduced in new standards (4G/LTE) and existing ones (2G, 3G). For instance, the SNOW 3G algorithm - the basis for LTE security - is being introduced in the 3G UMTS standard as UEA2 and it is likely that a 2G version will be specified in the near future. LTE will also allow the use of the well-known AES standard. Finally, 2G will soon use 128-bit keys starting with the A5/4 algorithm, instead of the current 64-bit keys. GSM is thus getting ready to counter future, really practical attacks against A5/3, UEA1 and GEA3.
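Added example, not part of the original interview: a Python sketch of the keystream construction described in the answer on how Kasumi is used, together with the related-key requirement and the bit-33/bit-97 constraint from the answer on the attack's relevance. Assumptions: Kasumi is replaced by a SHA-256-based stand-in, and the key-modifier constant, the bit numbering (1-indexed from the most significant bit) and all sample values are constructed for illustration.

```python
import hashlib

BLOCK = 8                          # Kasumi works on 64-bit blocks
KEY_MODIFIER = bytes([0x55]) * 16  # assumed constant used to derive the seed key from CK

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """STAND-IN for Kasumi (not the real cipher): keyed 64-bit function from SHA-256."""
    return hashlib.sha256(key + block).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input

def keystream(ck: bytes, public_data: bytes, nblocks: int) -> bytes:
    """Masking blocks S: S_i = E_CK(S_{i-1} XOR counter XOR seed)."""
    seed = block_encrypt(xor(ck, KEY_MODIFIER), public_data)  # key derived from CK
    prev, out = bytes(BLOCK), []
    for counter in range(nblocks):
        ctr = counter.to_bytes(BLOCK, "big")
        prev = block_encrypt(ck, xor(xor(prev, ctr), seed))
        out.append(prev)
    return b"".join(out)

def mask(ck: bytes, public_data: bytes, data: bytes) -> bytes:
    """XOR the data blocks M with the keystream; applying it twice unmasks."""
    return xor(data, keystream(ck, public_data, -(-len(data) // BLOCK)))

def bit(key: bytes, n: int) -> int:
    """n-th key bit, 1-indexed from the most significant bit (assumed numbering)."""
    return (key[(n - 1) // 8] >> (7 - (n - 1) % 8)) & 1

def flip(key: bytes, n: int) -> bytes:
    k = bytearray(key)
    k[(n - 1) // 8] ^= 0x80 >> ((n - 1) % 8)
    return bytes(k)

def related_quartet(ck: bytes) -> list:
    """The four linked keys the attack needs: CK with bit 33 and/or bit 97 flipped."""
    return [ck, flip(ck, 33), flip(ck, 97), flip(flip(ck, 33), 97)]

def allowed(ck: bytes) -> bool:
    """Constraint stated for A5/3 and GEA3: bits 33 and 97 of the key are equal."""
    return bit(ck, 33) == bit(ck, 97)

if __name__ == "__main__":
    ck = bytes(range(16))               # constructed sample session key
    frame = b"constructed voice frame"  # constructed sample data M
    sent = mask(ck, b"PUBLICIV", frame)
    print(sent.hex(), mask(ck, b"PUBLICIV", sent))
    print([allowed(k) for k in related_quartet(ck)])
```

Whatever key the quartet starts from, exactly two of its four members satisfy the equal-bits constraint, so no complete set of four related keys can occur under A5/3 or GEA3.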