GSM SECURITY: SECURE COMMUNICATION.
Vyacheslav Sergeevich UKOV, PhD in Engineering
GSM SECURITY: REAL OR VIRTUAL?
According to world statistics, the level of losses of mobile operators from various types of fraud and sabotage is 2-6% of the total volume of traffic, and according to the companies themselves, it can reach 25%.
Moreover, fraudsters' attacks are directed against both operators and subscribers.
The solution to the problem of ensuring security in Russian communication networks is complicated by the widespread use of foreign-made technical equipment, which creates the possibility of implementing capabilities not declared by suppliers.
It is estimated that due to fraud, the mobile communications industry worldwide loses about 25 billion dollars annually; according to information from MGTS (Moscow City Telephone Network), the damage in Moscow alone is estimated at 3-5 million rubles per month. The annual losses of mobile operators in Great Britain, Spain, and Germany amount to millions of euros. Unfortunately, Russian operators do not publish such statistics.
But the scale of the figures for payments not received by operators in Europe and the world is impressive.
Therefore, the issues of ensuring information security in GSM (Groupe Speciale Mobile) networks are currently very relevant and require constant attention and analysis.
It must be recognized that the security of the first analog mobile networks was at a very low level. As the transition from analog to digital GSM and DAMPS systems progressed, the information security mechanism improved, which allowed developers to declare the impossibility of intercepting information and cloning modern mobile phones.
This article attempts to analyze potential (virtual) security declared by developers and real security determined by the modern capabilities of the “enemy”.
Potential (virtual) information security mechanisms
Authentication algorithms
First of all, let's consider the use of a PIN code password — one of the simplest authentication methods. It provides a very low level of protection in radio communication conditions. It is enough to hear this personal code just once to bypass the security measures. In reality, GSM uses a PIN code in combination with SIM (Subscriber Identity Module): this PIN code is checked on the spot by the SIM itself without being transmitted over the air.
In addition to it, GSM uses a more complex method, which consists of using a random number (from 0 to 2^128 - 1), which only the corresponding subscriber equipment (in this case, the SIM) can respond to.
The idea behind this method is that there are so many such numbers that any given one is unlikely to be used twice. The answer, called SRES (Signed RESult), is the result of a calculation that includes a secret parameter belonging to the user, called Ki (Fig. 1).
The secrecy of Ki is the cornerstone of all security mechanisms – even the subscriber cannot know his own Ki. The algorithm that describes the calculation procedure is called the A3 algorithm. As a rule, such an algorithm is kept secret (extra precautions never hurt!).
In order to achieve the required level of security, the A3 algorithm must be a one-way function, as cryptographic experts call it.
This means that calculating SRES with known Ki and RAND must be simple, and the reverse action – calculating Ki with known RAND and SRES – must be as difficult as possible.
Of course, this is what ultimately determines the level of security.
The value calculated using the A3 algorithm must be 32 bits long.
Ki can have any format and length.
Fig. 1. Block diagram of authentication calculation
Encryption
Cryptographic methods make it possible to achieve a high level of security using relatively simple means.
GSM uses uniform methods to protect all data, whether it is user information: the transmission of signals associated with the user (for example, messages containing the numbers of the telephones being called), or even the transmission of system signals (for example, messages containing the results of radio measurements in preparation for transmission).
It is necessary to distinguish only two cases: either the communication is secure (then all information can be sent in encrypted form), or the communication is unsecured (then all information is sent as an unencrypted digital sequence).
Both encryption and decryption are performed using the exclusive or operation on the 114 “coded” bits of the radio packet and the 114-bit encryption sequence generated by a special algorithm called A5.
In order to obtain the encryption sequence for each packet, the A5 algorithm performs a calculation using two inputs: one is the frame number, and the other is a key called Kc, known only to the mobile station and the network (Figure 2).
Two different sequences are used in both directions of the connection: in each packet, one sequence is used for encryption in the mobile station and for decryption at the base station (BTS), while the other sequence is used for encryption at the BTS and decryption at the mobile station.
Fig. 2. Block diagram of encryption and decryption processes using the A5 algorithm
The frame number changes from packet to packet for all types of radio channels.
The Kc key is managed through signaling and, as a rule, changes with each message. This key is not made public, but since it changes often, it does not need such strong means of protection as, for example, the Ki key. Kc can be freely read from the SIM.
The A5 algorithm must be standardized at the international level, since it must be implemented in each base station (as well as in any mobile equipment) to ensure MS roaming.
The A5 algorithm derives a 114-bit encryption sequence for each packet separately, taking into account the frame number and the Kc encryption key.
At the moment, only one A5 algorithm is specified for use in all countries.
Currently, base stations can support three main variants of the A5 algorithm:
- A5/1 – the most secure algorithm, used in most countries;
- A5/2 – a less secure algorithm, implemented in countries where the use of strong cryptography is undesirable;
- A5/0 – no encryption.
In Russia, the A5/1 algorithm is used. For security reasons, its description is not published. This algorithm is the property of the GSM MoU. However, its external specifications are made public and it can be thought of as a “black box” that accepts a 22-bit parameter and a 64-bit parameter in order to create 114-bit sequences.
As with the A3 authentication algorithm, the level of protection offered by the A5 algorithm is determined by the complexity of the inverse calculation, i.e., the calculation of Kc with two known 114-bit encryption sequences and a frame number.
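The "black box" described above, written out for the A5/1 variant as an added example that is not part of the original article: a 64-bit Kc and a 22-bit frame number go in, two 114-bit keystream blocks (one per direction) come out, and a burst is encrypted or decrypted by XOR. The feedback taps, clocking bit positions and loading order follow the publicly circulated description of A5/1 and are not given in this article; the key, frame number and burst are sample inputs.

```python
"""A5/1 keystream generator: 64-bit Kc + 22-bit frame number -> 2 x 114 bits."""

# Per register: (mask, feedback taps, clocking bit, output bit)
REGISTERS = (
    (0x07FFFF, 0x072000, 0x000100, 0x040000),  # R1, 19 bits
    (0x3FFFFF, 0x300000, 0x000400, 0x200000),  # R2, 22 bits
    (0x7FFFFF, 0x700080, 0x000400, 0x400000),  # R3, 23 bits
)


def _parity(x):
    return bin(x).count("1") & 1


def _shift(reg, mask, taps):
    """Shift one LFSR left by one position and feed back the tap parity."""
    return ((reg << 1) & mask) | _parity(reg & taps)


def _clock_all(state):
    """Regular clocking, used only while loading Kc and the frame number."""
    return [_shift(r, m, t) for r, (m, t, _, _) in zip(state, REGISTERS)]


def _clock_majority(state):
    """Irregular clocking: only registers agreeing with the majority bit move."""
    clk = [1 if r & c else 0 for r, (_, _, c, _) in zip(state, REGISTERS)]
    maj = 1 if sum(clk) >= 2 else 0
    return [_shift(r, m, t) if b == maj else r
            for r, b, (m, t, _, _) in zip(state, clk, REGISTERS)]


def _output(state):
    """Keystream bit: XOR of the top bit of each register."""
    bit = 0
    for r, (_, _, _, out) in zip(state, REGISTERS):
        bit ^= 1 if r & out else 0
    return bit


def a5_1_blocks(kc, frame):
    """Return the two 114-bit keystream blocks for one frame as bit lists."""
    if len(kc) != 8 or not 0 <= frame < 1 << 22:
        raise ValueError("Kc must be 8 bytes and the frame number 22 bits")
    state = [0, 0, 0]
    for i in range(64):                       # load Kc, one bit per clock
        bit = (kc[i // 8] >> (i & 7)) & 1
        state = [r ^ bit for r in _clock_all(state)]
    for i in range(22):                       # load the frame number
        bit = (frame >> i) & 1
        state = [r ^ bit for r in _clock_all(state)]
    for _ in range(100):                      # mixing clocks, output discarded
        state = _clock_majority(state)
    bits = []
    for _ in range(228):                      # 114 bits for each direction
        state = _clock_majority(state)
        bits.append(_output(state))
    return bits[:114], bits[114:]


def xor_burst(burst_bits, block):
    """Encrypt or decrypt the 114 coded bits of one radio burst."""
    if len(burst_bits) != 114 or len(block) != 114:
        raise ValueError("a burst carries exactly 114 coded bits")
    return [b ^ k for b, k in zip(burst_bits, block)]


def pack(bits):
    """Pack bits MSB-first into bytes, zero-padding the last byte."""
    padded = bits + [0] * (-len(bits) % 8)
    return bytes(
        sum(b << (7 - j) for j, b in enumerate(padded[i:i + 8]))
        for i in range(0, len(padded), 8)
    )


if __name__ == "__main__":
    kc = bytes.fromhex("1223456789abcdef")    # sample key, not from the article
    block1, block2 = a5_1_blocks(kc, 0x134)   # sample frame number
    burst = [i % 2 for i in range(114)]       # constructed 114-bit payload
    sent = xor_burst(burst, block1)
    print(pack(block1).hex(), pack(block2).hex())
    print("round trip ok:", xor_burst(sent, block1) == burst)
```

Because the keystream depends only on Kc and the frame number, the same function serves sender and receiver, and a new frame number yields a new block for every burst.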
Key Management
The Kc key must be agreed upon by the mobile station and the network before encryption begins. The peculiarity of the GSM standard is that the Kc key is calculated before encryption begins during the authentication process. Then the Kc is entered into non-volatile memory inside the SIM so that it is stored there even after the end of the communication session. This key is also stored in the network and is used for encryption.
Fig. 3. Block diagram for calculating Kc
Algorithm A8 is used to calculate Kc from RAND and Ki (Fig. 3).
In fact, algorithms A3 and A8 could be implemented as a single computation. For example, as a single algorithm whose output consists of 96 bits: 32 bits to form SRES and 64 bits to form Kc. It should be noted that the length of the significant part of the key Kc produced by algorithm A8 is set by the GSM MoU signature group and may be less than 64 bits.
In this case, the significant bits are padded with zeros to ensure that all 64 bits are always used in this format.
Whenever a mobile station goes through the authentication process, the mobile station and the network also compute the encryption key Kc using algorithm A8 with the same inputs RAND and Ki that are used to compute SRES using algorithm A3.
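The challenge-response and key agreement described in the sections above, as an added example that is not from the original article. The operator's secret A3/A8 is replaced here by HMAC-SHA256 truncated to 96 bits (an assumption made only so the flow can run); the class names, the IMSI and the choice to zero the low-order bits of Kc are likewise hypothetical.

```python
import hashlib
import hmac
import secrets


def a3a8(ki, rand, kc_significant_bits=64):
    """Stand-in for a combined A3/A8: 96 one-way bits -> (SRES, Kc).

    HMAC-SHA256 is NOT the real operator algorithm; it only plays the role
    of the one-way function keyed with Ki.
    """
    if len(rand) != 16:
        raise ValueError("RAND must be 128 bits")
    if not 0 < kc_significant_bits <= 64:
        raise ValueError("Kc has between 1 and 64 significant bits")
    out = hmac.new(ki, rand, hashlib.sha256).digest()[:12]    # 96 bits
    sres = out[:4]                                            # 32-bit SRES
    kc = int.from_bytes(out[4:], "big")                       # 64-bit Kc
    pad = 64 - kc_significant_bits
    kc = (kc >> pad) << pad       # zero-fill unused bits (position assumed)
    return sres, kc.to_bytes(8, "big")


class Sim:
    """Holds Ki, answers challenges, keeps the dormant Kc."""

    def __init__(self, imsi, ki, kc_bits=64):
        self.imsi = imsi
        self._ki = ki             # never leaves the card
        self._kc_bits = kc_bits
        self.kc = None

    def run_gsm_algorithm(self, rand):
        sres, self.kc = a3a8(self._ki, rand, self._kc_bits)
        return sres


class AuthCentre:
    """Network-side store of Ki; hands out (RAND, SRES, Kc) triplets."""

    def __init__(self, kc_bits=64):
        self._ki_by_imsi = {}
        self._kc_bits = kc_bits

    def provision(self, imsi):
        ki = secrets.token_bytes(16)
        self._ki_by_imsi[imsi] = ki
        return Sim(imsi, ki, self._kc_bits)

    def triplet(self, imsi):
        rand = secrets.token_bytes(16)        # fresh challenge every time
        sres, kc = a3a8(self._ki_by_imsi[imsi], rand, self._kc_bits)
        return rand, sres, kc


def authenticate(auc, sim):
    """Challenge the SIM; return the agreed Kc, or None if SRES is wrong."""
    rand, expected, kc = auc.triplet(sim.imsi)
    answer = sim.run_gsm_algorithm(rand)      # only RAND and SRES cross the air
    if not hmac.compare_digest(answer, expected):
        return None
    return kc


if __name__ == "__main__":
    imsi = "001010000000001"                  # constructed test identity
    auc = AuthCentre(kc_bits=54)              # 54 significant bits, 10 zeroed
    sim = auc.provision(imsi)
    kc = authenticate(auc, sim)
    print("genuine SIM accepted, Kc =", kc.hex())
    print("low 10 bits of Kc:", int.from_bytes(kc, "big") & 0x3FF)
    impostor = Sim(imsi, bytes(16), 54)       # right IMSI, wrong Ki
    print("impostor accepted:", authenticate(auc, impostor) is not None)
```

With `kc_bits=54` every session key ends in ten zero bits, so the key space that an exhaustive search must cover is 2^54 rather than 2^64.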
User Identity Protection
Encryption is very effective in protecting privacy, but cannot be used to protect every single radio communication. Encryption using Kc is only used when the network knows the identity of the subscriber with whom the conversation is taking place.
It is clear that encryption cannot be used for common channels that are received simultaneously by all mobile stations in a given cell and in neighboring cells (more precisely, it could be used only with a key known to all mobile stations, which completely defeats its purpose as a security mechanism).
When a mobile station moves to a special channel, there is a “bootstrap” period during which the network does not yet know the identity of the subscriber and, therefore, encryption of his message is impossible.
Therefore, all signaling messages that carry information about the identity of an unspecified subscriber must be unencrypted.
A third party may eavesdrop on the information at this stage. This is considered to be an infringement of the rights of the individual, so GSM has a special function that allows for this type of confidentiality.
Security is also provided by the use of a pseudonym or TMSI (Temporary Mobile Subscriber Identity), which is used instead of the IMSI (International Mobile Subscriber Identity) subscriber identity where possible. This pseudonym must be agreed upon in advance between the mobile station and the network.
Architecture and Protocols
The actors and protocols involved in security are essentially the same as those involved in location security, which justifies their inclusion in a similar functional area. However, the leading roles in security are reversed and should be assigned to the SIM on the mobile side, as well as to the Authentication Center (AuC), which can be considered part of the network side of security.
The SIM and AuC are the storage facilities for the subscriber's Ki key. They do not transmit these keys, but perform the A3 and A8 calculations themselves. In terms of authentication and installation of the Kc key, all other types of equipment play an intermediate role. The AuC does not participate in other functions and is a means of creating an additional layer of security around the Ki keys.
The SIM is responsible for most of the security functions on the part of the mobile stations. It stores Ki, calculates the operator-dependent A3/A8 algorithms, and stores the “dormant” key Kc. The existence of the SIM as a physical unit separate from the mobile equipment is one of the elements that allows flexibility in the choice of A3/A8.
Mobile equipment manufacturers do not need to know the specifications of these algorithms for operators. On the other hand, SIM manufacturers are obliged to implement potentially different algorithms for each of their operator customers, but the problems of competition, mass production and distribution are fundamentally different from those of the mobile equipment market.
SIM completely protects Ki from being read. Chip card technology, introduced some time before GSM started producing these miniature electronic safes, was ideal for this purpose. The only access to Ki occurs during the initial SIM personalization phase.
The harsh reality: cracking cryptographic protection and cloning GSM phones
As is known, second-generation digital cellular communication standards are very well protected from eavesdropping.
But over time, the power of computing devices increases, so developers have to implement new standards to ensure information security.
Thus, recently the GSM Association approved a new algorithm for encryption of information, which received the index A5/3.
Its implementation will raise the security of GSM standard cellular communications to a higher level.
Naturally, the new standard was developed taking into account all the changes that the GSM standard has undergone in recent years.
It supports encryption of voice and data in GPRS and EDGE networks (third generation cellular communications standard).
It is assumed that the A5/3 standard will be immediately implemented. The adoption of the new A5/3 standard has raised the issue of the current security of GSM networks even more acutely. Officially, there is no equipment in the world that allows real-time interception and decoding of GSM conversations.
However, available information gives reason to doubt this claim. In the English-speaking segment of the Internet, a number of companies offer equipment for intercepting GSM network voice traffic.
Their advertising is quite open, but access to their sites is restricted for ordinary users. In the Russian segment, there are often posts on electronic bulletin boards about the sale of the corresponding equipment, and for a very small amount. All this suggests that the security of GSM networks is somewhat exaggerated.
Recall that the cryptographic protection of GSM cellular communications is provided by three secret algorithms:
- A3 is the algorithm used for user authentication; it also protects against cloning;
- A5 is the voice traffic encryption algorithm that ensures the protection of telephone conversations; until recently, there were two versions of it in the world: A5/1 is a strengthened algorithm used in some countries, and A5/2 is its weakened analogue;
- A8 is the key generation algorithm that takes the result of A3 and turns it into an A5 session key.
The A5 algorithm, responsible for protecting conversations from interception, is implemented at the hardware level in mobile phones and base stations. In real time, the information is coded, then the signal is transmitted. After that, the reverse process is performed in the phone or base station and the subscriber hears the voice of the interlocutor. The other two algorithms are embedded in the SIM card.
This architecture of cryptographic protection allows us to state that GSM communication is reliably protected not only from eavesdropping, but also from subscriber number cloning. The most important link in this chain of protection is the A5 algorithm. Until a certain time, a very limited number of people knew the principles of its operation. The GSM Association did not allow information leaks on this issue, but any secrets sooner or later cease to be such. Thus, the main details of the A5 algorithm became known in 1994.
In addition, British Telecom handed over the documentation on it to Bradford University, forgetting to conclude a non-disclosure agreement on this information. And finally, a description of the A5 algorithm was published at a conference in China.
Thus, the available information was enough to create a fairly complete picture of its functioning, and Cambridge scientists M. Roe and R. Anderson published an approximate cryptographic scheme back in 1994.
After the disclosure of the basic data of the A5 algorithm, many scientists and hackers began to look for an opportunity to break the cipher itself. And soon information was received that the protection of GSM communications is actually not so strong.
The fact is that the A5 algorithm implements a stream cipher based on three linear shift registers with non-uniform movement.
This scheme provides a fairly high degree of protection when choosing optimal parameters. Thus, in GSM networks a 64-bit key is used, which is provided by three registers of 19, 22 and 23 bits (which gives the required 64 bits in total).
A brute force attack using a specific algorithm that captures the relationship between the first two and third registers already gives a complexity of about 2^40. In addition, the A5 algorithm has been subjected to correlation analysis, which allows one to find out the key using information about the filling of the registers.
In 1994, Dr. Simon Shepherd was going to present his method of attack to all listeners at the IEE colloquium, but at the last moment his speech was banned by the British Government Communications Headquarters.
As a result, this report was published only in a classified collection. A couple of years later, other cryptography specialists distinguished themselves in the matter of cracking the A5 algorithm. For example, in addition to improving the brute-force attack system, an interesting mechanism based on the “time-memory trade-off” method was soon described. Thanks to precomputation carried out before the key search, it was possible to reduce the search to 2^22, but this required 64 terabytes of disk memory. Although even now this value looks very large, a trend towards rapid practical implementation of the task began to be observed.
Indeed, soon information about the system being hacked in real time appeared on the Internet. In early 1999, the SDA (Smartcard Developer Association) laboratory restored and tested the A5/1 and A5/2 algorithms. It was proven that the A5/2 variant uses a special 17-bit register that controls the flow of information in the first three registers.
At the same time, a simple enumeration allowed this cipher to be cracked in 15 ms of PC operation (complexity 2^16). The A5/1 algorithm was not left aside either, and it was soon announced that using a special method allowed the cipher to be discovered in a second on a computer with 128 MB of RAM and two 73 MB hard drives, though on condition that the conversation lasted at least two minutes.
These methods are currently being carefully studied by various cryptographers, and conclusions will be made a little later.
As for cloning, the first results of the possibility of cloning a SIM card were demonstrated in 1998.
This result was achieved by a group of computer experts from California.
Naturally, representatives of the GSM Association immediately declared these attempts to be laboratory ones and not posing a threat to the GSM community of the world, however, after some time, in other countries of the world with more liberal legislation, reports began to appear about demonstrations of SIM card cloning.
Of course, Russia could not remain on the sidelines, and information about such attempts and even about the implementation of illegal business on this basis can be found on the Internet. Thus, the approval of the A5/3 algorithm could not have come at a better time. It will allow information protection to be raised by several orders of magnitude. Unlike previous years, the developers promise to put the A5/3 operating methods on public display in order to protect against the “gaps” that were identified in previous algorithms.
Until now, it was believed that GSM phones have such reliable protection that they cannot be eavesdropped on, or even duplicated, that is, that several devices cannot be made that simultaneously use the same number.
SDA and two researchers from the University of California, Berkeley, have reported that they have succeeded in cloning GSM cell phones.
The GSM standard, developed by the European Telecommunications Standards Institute, is currently the most widely used in the world, with 79 million cell phones used, primarily in Europe and Asia. The ability to hack GSM security is further evidence that the only guarantee of reliability of cryptographic algorithms is their absolute openness. Secret systems used in GSM and elsewhere are almost inevitably vulnerable. Everything secret sooner or later becomes clear.
Let us recall that the encrypted data of the GSM subscriber is stored on a small smart card that is inserted into the phone. Without the card, also called the SIM user identification module, the device is a useless shell. The card identifying the owner can be used with any standard phone. The discovered “hole” in security allows you to extract secret information from one SIM and rewrite it to another, creating an exact copy of the first phone. It is not yet possible to clone a phone by intercepting information on the air, but SDA does not rule out such a possibility in the future.
Having established which cryptographic methods were used in GSM, SDA brought in two researchers from the University of California, Berkeley, David Wagner and Ian Goldberg, to study them. In less than a day (!) they found a “hole” in the COMP128 algorithm, which is used to protect information in SIM cards. According to Wagner, the “hole” would have been found and fixed long ago if the algorithms had been published.
What conclusions can be drawn from the high-profile hack of yet another protection? First of all, cell phone owners should not worry too much for now.
Without physical access for at least a few hours, no one can clone their device today, but there are no guarantees for the future. This puts mobile operators in a very unpleasant situation.
Although there are several alternatives to COMP128, this protocol is currently supported by all GSM networks. Moreover, confidence in protection against cloning was so high that, according to SDA, most operators do not even check for the simultaneous activation of identical phones.
One of the reasons why GSM developers kept the algorithms secret is probably their cooperation with the control services.
Researchers from the same SDA discovered a deliberate weakening of another cipher A5, which is used to protect conversations from eavesdropping.
This cipher has a 64-bit key, but in reality it uses only 54 bits, and 10 are simply replaced with zeros.
“The only party interested in weakening the protection is the national surveillance services,” said SDA Director Mark Briceno. “Buyers want confidentiality of negotiations, and operators do not bear additional costs from using a full-size key.”
Subscriber encryption — real guaranteed information protection
It is known that one of the police modes embedded in GSM by developers is the ability to remove encryption in the network if necessary.
In such cases, information circulates in open form and can be accessed by anyone who has the appropriate means.
In addition, as has recently become known, security problems also exist in the most common protocol for GSM mobile communications, discussed above.
The fact is that GSM uses cryptographic algorithms to protect information, which are prohibited from export to countries subject to international sanctions, such as Iraq.
At the same time, these countries also have GSM cellular communications, which are also covered by global roaming, but the base stations here do not use cryptosystems.
However, without the specified algorithms, a GSM device is not protected from the appearance of a false base station, which opens up a lot of scope for those who like to intercept other people's conversations.
American information security experts conducted a study showing the possibility of creating a false base station that sends a message to a mobile phone that it is in Iraq or a similar country, which disables cryptographic protection.
After this, the phone connects to the false station and can be controlled by intruders.
Until recently, the encryption algorithms that existed in the West, which could guarantee the security of cell phone conversations, did not have FAPSI certificates (now the Communications Security Center of the FSB of Russia) and therefore were not legally used in Russia.
A breakthrough in the current situation was the product of the Federal State Unitary Enterprise “STC “Atlas” and its partner, the “Goodwin” concern – a special mobile phone (SMP).
Currently, Russian GSM networks have the ability to further increase the level of cryptographic protection — to additionally use subscriber encryption. The special cell phone SMP-Atlas (M-539) has become the first legally protected device in Russia, which is designed to transmit data in encrypted form.
When the crypto module is disabled, the handset operates as a regular GSM phone, which has a dust-, moisture- and shock-proof case.
The GSM 900/1800 standard phone in open mode provides all the standard functions of a GSM terminal, and in protected mode — guaranteed protection of voice information.
This is confirmed by a number of European and Russian certificates, including a special FSB certificate for information protection, as well as a patent for the invention of information protection in GSM networks.
The dimensions of the device are 140x48x25 mm, weight 180 g (photo 1). In addition, there is a graphic display and a battery that is enough for 3.5 hours of protected conversations.
Photo 1. General view of the special SMP-Atlas (M-539) cell phone
The crypto smartphone, which is capable of providing encryption with guaranteed strength not only for speech, but also for SMS, MMS, computer data and e-mail, is already on sale in Moscow cell phone stores and costs $2,500.
The encryption key is symmetrical, 256 bits. A special processor performs hardware encryption.
Unfortunately, the proposed cryptographic services are currently only available to Megafon subscribers.
Similar functions are performed by the dual-processor Crypto Smart Phone (as the developers called it), created by ZAO ANKORT (photo 2). It can work with analog, digital and IP crypto phones developed by ZAO ANKORT in any standard GSM networks that provide data transfer.
A public key is used to distribute keys. A common key is generated for each communication session.
The user can independently generate and enter keys.
The main features of the Crypto Smart Phone are given in Table 1.
Photo 2. Dual-processor Crypto Smart Phone
Table 1. Main features of the Crypto Smart Phone
Category | Parameters and composition | Features and capabilities |
Main characteristics | Transmission principle | 900/1800 MHz radio modem |
Main characteristics | Operating modes | |
Main characteristics | Processors | Motorola MX21 266 M; TMS 320 VC 5416 |
Interface | Connector for data exchange (18-pin) | USB 2.0 host; sync. (via USB); charging |
Keyboard/Switching | Keyboard | Russian/Latin alphabet |
Keyboard/Switching | Encryption button | Separate button |
LCD | LCD type | TFT, 260K, color |
LCD | Screen resolution | 240×320 RGB pixels |
LCD | Active screen size | .2 (33.84×45.12 mm) |
LCD | Dimensions | 53x115x24 mm |
LCD | Weight | 150 g |
LCD | Antenna | built-in |
LCD | Battery | Li-polymer |
LCD | Battery capacity | 1300 mAh (1000 mAh) |
Cryptographic characteristics | Cryptographic algorithm | symmetric, 256 bits (developed by ZAO ANKORT) |
Cryptographic characteristics | Key distribution method | public key + common key (generated for each session) |
Cryptographic characteristics | Key power | 10^77 |
Among foreign GSM cryptophones, the TopSec GSM phone (Germany) can be noted, which is outwardly no different from a regular mobile phone. It costs about 2 thousand dollars, works with any SIM card of any operator.
Its cryptographic strength meets the security requirements for use in German and NATO government departments (Diffie-Hellman encryption algorithm, combination of one-time generated keys: 10^38).
The Australian company SecureGSM has announced new software for smartphones and communicators, which will allow achieving 256-bit encryption of conversations.
Reliable encryption algorithms AES, Twofish and Serpent are used.
The entire process of cryptographic transformations occurs “on the fly.” The program requires Windows Mobile OS and a processor with a clock frequency of at least 200 MHz.
Acoustic noise suppression – protection against covert activation of a mobile phone
It is known that the possibility of covert activation of a mobile phone is included by developers to solve some police control tasks and is one of the undeclared capabilities.
However, unfortunately, this opportunity can be used not only by special services, but also by many interested parties.
A striking confirmation of this was the appearance on the security market of a mobile phone (MT), developed by one of the Israeli firms, which can remotely turn on other mobile phones and activate, without authorization, their acoustic information transmission mode using their standard microphones (i.e. using the MT as a radio bug).
The problem of unauthorized activation of a mobile phone or use of its undeclared capabilities is currently extremely relevant, since the phone is a constant companion of its owner and information leakage can occur at any time while the MT is in the reception area.
To protect against this type of information leakage, perhaps the most effective is acoustic jamming of the microphone of the protected mobile phone upon detection of the fact of its unauthorized activation.
In particular, today the security market offers a whole series of so-called acoustic safes “Cocoon”, “Ladya” and “Svirel”, which provide an acoustic noise level of more than 100 dB at the point where the MT microphone is located.
The “Cocoon” product is a regular MT case, in which a miniature device for determining the moment the transmitter is turned on and an acoustic noise generator are built in.
The “Ladya” product (Fig. 4) has similar electrical characteristics and differs in that it has a desktop design in the form of a stand for office supplies.
Fig. 4. Acoustic safes «Ladya»: general appearance and operating principle
More complex is the acoustic safe with threat selection “Svirel”, which is designed for active protection against unauthorized activation of the phone listening mode by a cellular operator, registration and logging of information exchange via a radio channel.
This device provides:
- the ability to read the observation protocol or a specified part of it from the device;
- archiving the observation protocol;
- graphical display of the observation protocol for detailed analysis in the form of time diagrams with comments;
- sorting the protocol by selected parameters (event type, event time, etc.);
- processing information to compile a report file in graphic or text format;
- archiving and printing the report file.
Thus, the analysis showed that at present, mainly through the use of complex protection, the dynamic equilibrium in the “armor versus projectile” problem has been restored for cellular mobile radio communications: the actual protection of information in GSM networks can be brought closer to the potential declared by the developers.
But time goes by, technologies are improving, and the confrontation continues.