Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication

Abstract In this paper we present a very practical ciphertext-only cryptanalysis of GSM (Global System for Mobile communications) encrypted communication, and various active attacks on the GSM protocols. These attacks can even break into GSM networks that use “unbreakable” ciphers. We first describe a ciphertext-only attack on A5/2 that requires a few dozen milliseconds of encrypted off-the-air cellular conversation and finds the correct key in less than a second on a personal computer. We extend this attack to a (more complex) ciphertext-only attack on A5/1. We then describe new (active) attacks on the protocols of networks that use A5/1, A5/3, or even GPRS (General Packet Radio Service). These attacks exploit flaws in the GSM protocols, and they work whenever the mobile phone supports a weak cipher such as A5/2. We emphasize that these attacks are on the protocols, and are thus applicable whenever the cellular phone supports a weak cipher, for example, they are also applicable for attacking A5/3 networks using the cryptanalysis of A5/1. Unlike previous attacks on GSM that require unrealistic information, like long known-plaintext periods, our attacks are very practical and do not require any knowledge of the content of the conversation. Furthermore, we describe how to fortify the attacks to withstand reception errors. As a result, our attacks allow attackers to tap conversations and decrypt them either in real-time, or at any later time. We present several attack scenarios such as call hijacking, altering of data messages and call theft.

[1]  Thomas Johansson,et al.  Another attack on A5/1 , 2003, IEEE Trans. Inf. Theory.

[2]  Josef Pieprzyk,et al.  Cryptanalysis of Block Ciphers with Overdefined Systems of Equations , 2002, ASIACRYPT.

[3]  Nicolas Courtois,et al.  Higher Order Correlation Attacks, XL Algorithm and Cryptanalysis of Toyocrypt , 2002, ICISC.

[4]  Global System For Digital cellular telecommunications system (Phase 2+); Multiplexing and multiple access on the radio path (3GPP TS 05.02 version 7.7.0 Release 1998) , 2001 .

[5]  Eli Biham,et al.  Cryptanalysis of the A5/1 GSM Stream Cipher , 2000, INDOCRYPT.

[6]  Alex Biryukov,et al.  Cryptanalytic Time/Memory/Data Tradeoffs for Stream Ciphers , 2000, ASIACRYPT.

[7]  Kamel Barkaoui,et al.  Theoretical Aspects of Computing - ICTAC 2006, Third International Colloquium, Tunis, Tunisia, November 20-24, 2006, Proceedings , 2006, ICTAC.

[8]  Eli Biham,et al.  Conditional Estimators: An Effective Attack on A5/1 , 2005, Selected Areas in Cryptography.

[9]  Amparo Fúster-Sabater,et al.  Cryptanalysis of the A5/2 Algorithm , 2000, IACR Cryptol. ePrint Arch..

[10]  Adi Shamir,et al.  Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations , 2000, EUROCRYPT.

[11]  Alex Biryukov,et al.  Real Time Cryptanalysis of A5/1 on a PC , 2000, FSE.

[12]  Adi Shamir,et al.  Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization , 1999, CRYPTO.

[13]  Jovan Dj. Golic,et al.  Cryptanalysis of Alleged A5 Stream Cipher , 1997, EUROCRYPT.

[14]  Eli Biham,et al.  Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication , 2003, CRYPTO.

[15]  Alexander Maximov,et al.  An Improved Correlation Attack on A5/1 , 2004, Selected Areas in Cryptography.

[16]  N. P. Andersen,et al.  The Third Generation Partnership Project (3GPP) , 2002 .