In this paper we present a very practical ciphertext-only cryptanalysis of GSM (Global System for Mobile communications) encrypted communication, and various active attacks on the GSM protocols. These attacks can even break into GSM networks that use “unbreakable” ciphers. We first describe a ciphertext-only attack on A5/2 that requires a few dozen milliseconds of encrypted off-the-air cellular conversation and finds the correct key in less than a second on a personal computer. We extend this attack to a (more complex) ciphertext-only attack on A5/1. We then describe new (active) attacks on the protocols of networks that use A5/1, A5/3, or even GPRS (General Packet Radio Service). These attacks exploit flaws in the GSM protocols, and they work whenever the mobile phone supports a weak cipher such as A5/2. We emphasize that these attacks are on the protocols and are thus applicable whenever the cellular phone supports a weak cipher; for example, they are also applicable for attacking A5/3 networks using the cryptanalysis of A5/1. Unlike previous attacks on GSM that require unrealistic information, like long known-plaintext periods, our attacks are very practical and do not require any knowledge of the content of the conversation. Furthermore, we describe how to fortify the attacks to withstand reception errors. As a result, our attacks allow attackers to tap conversations and decrypt them either in real time or at any later time. We present several attack scenarios such as call hijacking, altering of data messages and call theft.