Open Source Attempt To Crack GSM Encryption

Lexta writes with an interesting tidbit from IEEE Spectrum: "'Karsten Nohl, chief research scientist with H4RDW4RE, a Sunnyvale, Calif.-based security research firm, is mounting what could be the most ambitious attempt yet to compromise the GSM phone system.' The intended approach is to create an open source project to spread the computation of a giant look-up table across more than 80 machines. Interestingly, they've openly stated that nVidia's CUDA technology will be used to execute parallel elements of the problem on GPUs as well."

Wheew

[DaHat]

Makes me glad I use CDMA ;)

Hackers Sell Out

[SuperKendall]

Interestingly, they've openly stated that nVidia's CUDA technology will be used to execute parallel elements of the problem on GPUs as well.

Wow, even hacking is branded these days.

I look forward to the Pepsi Challenge being revised to an RSA cracking contest.

Re:Hackers Sell Out

Saying they are anti-opensource is a bit much don't you think? They are a corporation who just haven't figured out how being open source would be more beneficial to them and their share-holders than remaining closed.

I believe if they were "anti-opensopurce" most people wouldn't have that nice nvidia wrapper for the driver on linux systems. Why waste time making it at all if they are "anti-opensource"?

Just because they haven't opened their code to the universe doesn't mean they are against open-source; just that they haven't found a means to leverage it to their advantage which companies like to do.

Businesses are about the bottom line, money, and how to make more and keep what they got. Opensource is about sharing and giving up control; it is a hard thing for a lot of companies to fit into their business plan and sell to investors.

Re:Hackers Sell Out

[roguetrick]

If they're not with us, they're against us!

Re:Hackers Sell Out

[Thinboy00]

Didn't Reagan originate that (feel free to tell me to get off your lawn)?

Re:Hackers Sell Out

[PitaBred]

Nvidia is a graphics card company. That IS their advantage. If they allowed people to actually use their hardware, they would sell a lot more of it. The problem is that they want to control everything with the drivers, and rather than go to work and actually make good hardware that's differentiated by more than the bits they allow to be twiddled with the drivers.

Re:Hackers Sell Out

[FatdogHaiku]

Wow, even hacking is branded these days.

I look forward to the Pepsi Challenge being revised to an RSA cracking contest.

I prefer algorithm "B"
Mmmm, algorithm... {drool sound}

Re:Hackers Sell Out

It appears a couple of times in the gospels as something Jesus said.

Bush said after 9/11 "Either you are with us, or you are with the terrorists." The definition of "with us" changed according to convenience but included things as diverse as an import ban on Canadian Lipitor, not criticizing the director of FEMA, and not asking what reason we had for occupying Iraq.

It's usually a clear sign that the person talking should be slowly backed away from until it's safe to break into a run.

Re:Hackers Sell Out

[johanatan]

Actually, no, it was Jesus of Nazareth.

Re:Hackers Sell Out

[KillShill]

It's very anti-competitive you mean.

Take a good hard look at what they do and have done and that is an inescapable conclusion.

Re:Hackers Sell Out

[shentino]

Jesus said that because evil is a pervasive influence that will not rest until it succeeds in getting as many people damned as possible.

Apparently all the devil needs is just one loophole.

Personally I think misappropriating it to apply it to terrorism is just plain wrong.

1. Forces people into a false dichotomy, which sorta becomes true when everyone else goes lemming and takes offense (or worse) if you don't fall in line.
2. Who are they to judge what is or is not equal to evil?

Big deal

[Rob+Kaper]

Big deal. No one still uses their cellphone to make calls anyway.

Re:Big deal

[LordVader717]

He was talking about voice calls.

The thing about GSM is that it's easy for authorities to access, so anybody with more knowledge and something to hide is going to use more secure options which have become possible with mobile internet access.

Re:Big deal

[sTeF]

afaik you can DOS the UMTS layer, in which case the phone reverts to GSM encryption.

Re:Big deal

[skine]

I still use a Zach Morris phone, you insensitive clod!

The only way I can receive texts is through Morris code.

Re:Big deal

[balbeir]

Woosh

Re:Big deal

[AHuxley]

With the history of terrorist groups in Europe and bank crime in the UK, GCHQ and its former employees would have known the correct security mix. Safe from basement efforts and underfunded press, trivial with federal agency funding.

Re:Big deal

[Joebert]

Morris, youve got an appointment with fate, and fates got curly hair.

Oh my gosh

[exsequor]

I sure hope they aren't able to listen to my phone sex...

Re:Oh my gosh

[RichardJenkins]

That's not the way you use a phone.

Re:Oh my gosh

[royallthefourth]

Not even when it's set to vibrate?

Re:Oh my gosh

[palegray.net]

Can you undress me now?

Re:Oh my gosh

[shentino]

Hey, if it helps us poor nerds out, let's have at it.

Better than staring at a screen all day.

Re:Oh my gosh

[AmiMoJo]

That's not the way you use a phone.

(Score:4, Insightful)

Whoosh

A big book

[StreetStealth]

TFA:

The A5/1 cracking project aims to compress the 128-petabyte A5/1 codebook -- which would require more than 100 000 years of computing by a single PC to crack--to around 2 or 3 terabytes of data, and a computing time of around three months, with the help of about 80 computers.

Any crypto experts want to take a stab at explaining, in lay geek terms, how this is even remotely possible? That's a ~50,000:1 compression ratio.

Re:A big book

[Manip]

Lookup table?

Re:A big book

[0123456]

Any crypto experts want to take a stab at explaining, in lay geek terms, how this is even remotely possible? That's a ~50,000:1 compression ratio.

I think what they're saying is that instead of building a table which will allow you to simply look up the relevant key from some known encrypted data, they'd build a smaller table which would allow you to substantially reduce decryption time.

Re:A big book

TFA:

The A5/1 cracking project aims to compress the 128-petabyte A5/1 codebook -- which would require more than 100 000 years of computing by a single PC to crack--to around 2 or 3 terabytes of data, and a computing time of around three months, with the help of about 80 computers.

Any crypto experts want to take a stab at explaining, in lay geek terms, how this is even remotely possible? That's a ~50,000:1 compression ratio.

Trading space for time.

128 petabytes would enable instant lookup of collisions. Cutting size in half, and you'd need 2 operations to find a collision. Cut size in half again would need to double the time again. Repeat until you reach the desired space/time trade-off.

P.C. van Oorschot, M.J. Wiener. Improving meet-in-the-middle attacks by orders of magnitude, Crypto'96, Springer LNCS vol.1109, pp.229-236, 1996. ps, pdf. A more complete treatment is given in the 1999 Journal of Cryptology paper.

P.C. van Oorschot, M.J. Wiener. Parallel collision search with applications to hash functions and discrete logarithms. pp.210-218, proceedings, 2nd ACM Conference on Computer and Communications Security, Nov. 1994, Fairfax, Virginia. ps, pdf. The Crypto'96 paper builds on this, and a more complete treatment is in the 1999 Journal of Cryptology paper.

P.C. van Oorschot, M.J. Wiener. Parallel collision search with cryptanalytic applications. Journal of Cryptology, vol.12 no.1 (Jan. 1999) pp.1-28. pdf.

Re:A big book

[jimicus]

TFA:

The A5/1 cracking project aims to compress the 128-petabyte A5/1 codebook -- which would require more than 100 000 years of computing by a single PC to crack--to around 2 or 3 terabytes of data, and a computing time of around three months, with the help of about 80 computers.

Any crypto experts want to take a stab at explaining, in lay geek terms, how this is even remotely possible? That's a ~50,000:1 compression ratio.

IIRC it was found some years ago that while GSM security in principle was OK, most of the bits of the encryption key are always set to zero.

I don't think this is true of 3G GSM though...

Re:A big book

[bhima]

The key phrases you are looking for are "rainbow tables"; "time / memory trade-off"; "distributed computing"; "embarrassingly parallel"; "GPGPU Computing" and probably "More's Law".

So now computers are faster than when they cooked that "100,000 years" phrase. They are employing many different computers with multiple cores. GPUs are much faster at this calculation that X86 processors. Rainbow tables are ingenious methods to store precomputed results, so the actual cracking is simple comparisons between encrypted text with known values and the data you are attacking.

Re:A big book

[kasperd]

Any crypto experts want to take a stab at explaining

The article doesn't contain enough information about A5/1 or the details of the attack for a crypto expert to explain exactly what he plan to do. However it does mention that he intend to create a rainbow table, so I can at least explain what a rainbow table is, and what the 128PB might mean. The article say it is a 64 bit encryption, but 128PB doesn't sound like the right size given a 64 bit encryption, the 128PB sounds more like a 54 bit encryption. And though it doesn't sound like a huge difference those 10 bits does mean a factor of 1024 times less work to brute force, and these days the difference between 54 and 64 bits may very well be the difference between feasible and not feasible to break. Of course in a few years 64 bits may be feasible to brute force as well.

Compressing 128PB down to 2-3TB doesn't sound realistic at first, but then consider that those 128PB are not just 128PB of random data, they are generated by a very simple algorithm. The entire code to generate those 128PB would probably fit in less than 1MB. But the time it would take to actually run the code for long enough to generate the 128PB is prohibitive. Also notice, that what is going to happen is not really a compression of the 128PB of data. The output of the algorithm is going to be a few TB of data, but that data can't actually be used to reproduce the original 128PB of data, which wouldn't be very interesting anyway. What you really want is a function that given some input can output the encryption key, and that can happen through a very simple table lookup, which would be very fast, but infeasible since very few people have the resources to store the complete 128PB lookup table. Instead you use a more complicated algorithm, which use 50.000 times less stored data, but OTOH may run 100.000 times (or even more) slower than the simple table lookup. But 100.000 table lookups would still only take a fraction of a second on a modern CPU.

Back to the rainbow tables. It is a tool to speed up the task of reversing a one way function. A one way function is a function that maps from one set of values to another set of values. The function is fast to compute in one direction, but there is no simple way to compute in the other direction. One example of a one way function is a hash function, which maps from strings of arbitrary lengths to the much smaller set of strings of one fixed length.

Let's assume our one way function is called f and maps from the set S to the set T. Then we can define a different function g, which maps from T to some interesting subset of S. For example it has been used in the past with a function that maps from 128 bit strings (outputs from MD5) to the set of passwords consisting of 7 alphanumeric characters (which is a subset of the possible inputs to MD5). If you combine g and f, you get a function mapping from T to T. If you start with a value in T and keep applying this combination, you will keep getting values in T.

Now you decide how many times in a row you will apply this combination, let's call that number n. A small n will produce very large rainbow tables, that may be faster to use. OTOH a large n will produce smaller rainbow tables that will be slower to use. This choice is the compromise mentioned in the article. He is probably going to use a value of n around 65536 or so.

Now you start producing chains (this is the large amount of work that this project will aim to distribute). You take some input in T, then you apply the combination of the two functions n times and get an output in T. You repeat that with a few hundred billion different values in T. The output will be a lot of pairs of values, from those pairs you create a lookup table.

Now assume you have a value x, which is the output of the one way function f, and you want to find out what the input may have been. Then you can apply the combination of functions n times and get n different values in T, look

Re:A big book

[marcansoft]

From Wikipedia:

A5/1 is initialised using a 64-bit key together with a publicly-known 22-bit frame number. In fielded GSM implementations 10 of the key bits are fixed at zero, resulting in an effective key length of 54 bits.

Way to make an already weak cipher even weaker.

Re:A big book

As far as I can remember, the original GSM spec included a reference implementation of the A5 algorithm where the last 10 bits of the key were nulled.
I don't think the reference made it into any production systems though and this problem was rectified in later revisions.

A5 itself is sound afik.

Re:A big book

[Arthur+Grumbine]

All right, Mr. van Oorschot, we get it. You want us all to read your work and accept the fact that your associate was a dick.

Re:A big book

[KZigurs]

Wasn't. It is what is running out there.

Two points..

[da_matta]

1) Only applies to 2G/GSM, not 3G/UMTS
2) This has been known pretty much from the beginning, and updating has been started years ago. As said in TFA, only news of this is the plan to make it publicly available.

Re:Two points..

[sznupi]

Most importantly, handsets use less power when on GSM.

I don't see GSM being killed for a long, long time. It's like DVD, an example of "good enough" for majority of population, especially those who basically just call and text. 3G benefits are either not used or manifest themselves in very specific scenarios, "modem" function mostly.

Security also is good enough. As this attempt shows, it's non-trivial to crack. And "lawful wiretapping" bypasses it anyway also for UMTS.

Incorrect time estimate? BOINC?

[tagno25]

TFA:

The A5/1 cracking project aims to compress the 128-petabyte A5/1 codebook -- which would require more than 100 000 years of computing by a single PC to crack--to around 2 or 3 terabytes of data, and a computing time of around three months, with the help of about 80 computers.

Wouldn't they need about 100,000 computers for it to take one year? And why don't they just use BOINC and enlist random computers and attempt to get more computing power?

Re:Incorrect time estimate? BOINC?

[royallthefourth]

Wouldn't they need about 100,000 computers for it to take one year? And why don't they just use BOINC and enlist random computers and attempt to get more computing power?

Not if they're using CUDA. I did some fairly simple experiments in college and cut compute time on large datasets by 95% using a GeForce (don't remember which one) instead of a Core2 Duo. That was over almost two years ago, so I imagine the modern graphics boards are even better.

Re:Incorrect time estimate? BOINC?

[baffler86]

This should definitely be done on public school computers. Free computing to the user and a tried and true method of distributed computing.

Re:Incorrect time estimate? BOINC?

[KZigurs]

it isn't 128PB to start with. Actual key length is 2^48 if I remember correctly - there are some rather huge issues with the A5/1.

Good thing they're going to use open source

[ClosedSource]

Nobody wants GSM Encryption broken if it's done using proprietary code. And if the general public is told this is illegal, just think of the free publicity for open source!

Re:Good thing they're going to use open source

[shmlco]

Who wants it cracked in the first place? The only interests served are those of crooks and spys.

Re:Good thing they're going to use open source

Who wants it cracked?

I do, because people I bank with and trust with my data are even now happily using GSM devices to shuffle my data around, and your data, and everybody's data, and as of now, it's wide open and vulnerable.

Then there's the corporate IT security side of it. Let's take Apple as an example: Apple's mandated iPhones as their corporate device much the way some companies have gone to BlackBerries. Ok fine. This is not about OS wars or which device is better. There are GSM Blackberries too. But it's rare for a company to have a single mobile device as their flagship, so to speak. Apple is well known for being nuts about the iPhone. Most if not all of the employees carry one. The thing is, if GSM is as weak as it seems to be, then by standing behind a GSM device, Apple has effectively deployed thousands of completely insecure devices which they are using to handle and manage Apple's business and corporate secrets. Even their retail store payment devices run on iPhone.

They have put their corporate faith in GSM. Which is now full of holes like a swiss cheese. Do you see where this is going?

All a Microsoft or a Google or a Motorola needs to do is setup a van or rent an office near Apple HQ and run a very low key listening program. Probably do the whole thing from a briefcase or even a car in the parking lot. You'd never see it. They'd have probably most of Apple's secrets in a day or two, and a lot more after a few months or years. Legal? No. Is somebody going to do it? You betcha. If not Microsoft or Google, then any of the dozens of handset makers or laptop makers or software companies. Can you imagine just for Apple how many people would want all that inside info? Now expand to Boeing, Cisco, IBM, HP, Dell, you name the company, some subset of workers will be carrying GSM.

Apple shareholders ought to care about that. Steve Jobs ought to care about that. ANY CEO or IT person in any company with any GSM devices ought to be scared to death about this. If you are using GSM, you are dead. It's that simple.

And even if they cannot crack the encryption NOW, the data can still be recorded and stored away. Storage is cheap. Decrypting Apple's calls a year from now will still be valuable. I guarantee you someone is doing that right this second outside 1 Infinite Loop. The data can happily wait for the lookup table to be completed at which time the whole set of recorded data will be opened like Diet Coke with a Mentos dropped in. There are a LOT of people would want that info, and not just for Apple of course. They're just a notable example of the targets.

GSM is possibly the biggest threat to information security currently in play. Bigger than Chinese hackers. Bigger than Windows worms or Facebook hacks. Why? GSM devices are widely deployed around the world, totally trusted by their users, and relatively easy to crack thanks to a poor encryption implementation, and those who are doing the illegal (non-law enforcement) signal intercepts are able to do it from a distance without being detected or noticed. Somebody could be in the house or office or dorm next to you monitoring GSM right this second, and you would not know. You could not stop it even if you did know, except by not using the devices.

So, the fact that there is now an opensource effort will bring light to the scale of the problem (it's very bad) and hopefully get it fixed immediately, even if that means a whole lot of GSM handsets are going to have to go obsolete at once. In the worst case, it MAY change behavior so confidential stuff is no longer handled on GSM devices or encourage wholesale change in behavior for all wireless devices (please!), or at least get people to consider security as one vital aspect when they choose a provider of phone services or data or anything else.

DECT cordless home phones run on a variation of the GSM protocol, most likely with the same encryption issues. So that's yet another area worth looking at.

Re:Good thing they're going to use open source

[shmlco]

First, "And even if they cannot crack the encryption NOW..." Then, "... and relatively easy to crack thanks to a poor encryption implementation..."

So which is it? Cracked or not?

And if not, a successful open-source method to do so simply let's EVERYONE into the playpen.

Re:Good thing they're going to use open source

[digitalchinky]

In most parts of the world the telco's tend to microwave all their cell towers back to the exchange. It's cheaper to do it this way.

With a small investment (a couple of hundred $USD) on Ebay for some receive gear, modems, and data capture cards, your average enthusiast has absolutely no need for decryption of GSM. The only point encryption takes place is between the phone and the tower. The microwave links are not encrypted and are virtually always conveyed using E1 / T1 transmissions - maybe sometimes replace the 1 with a bigger number in congested areas.

The only hard part is picking out your target, but this is hard anyway, even if you can manage decryption while the call is still in progress. (Frequency hopping and sheer number of users) Also at the trunk level, the out of band signaling (SS7) doesn't tell you where the phone call actually is (which timeslot), so you'll have to either record everything and go through it manually, or use some kind of fudged analysis to guess based on activity in the SS7 and what you see in the trunk. Or... You might just be voyeuristic, in it just for the gossip / phone sex / ambulance chasing / whatever, so none of the above matters.

Re:Good thing they're going to use open source

[Rich0]

So which is it? Cracked or not?

I dunno - maybe if we interrogated everybody with a supercomputer we might find out. For that matter, if we interrogated everybody we might figure out who has supercomputers.

If these guys are talking about this being something that a bunch of people can do with donated CPU/GPU time, then there is a good chance that somebody has a bunch of ASICs and a rainbow table already. They probably have had it for a number of years.

Keep in mind that the cracking of Enigma wasn't publicly disclosed until the 1970s I believe. At the time some people were actually still using the cipher - after all, why not since as far as anybody knew it was unbreakable? If you secretly spend millions or tens-hundreds of millions of dollars to crack a cipher, the last thing you do is tell the world about it so that people stop using the cipher that you can now read.

Re:Good thing they're going to use open source

[KZigurs]

Well, I haven't done it myself, but have researched the topic quite a lot (with a background on mobile applications and security):
One - if you have anything that is actually sensitive to discuss, don't do it over your phone. Ever. It is trivial to pretend to be your base station (van in the alley scenario) and you'll be none the wiser. But phone will be talking via A5/0 (no encryption) and you'll be experiencing very nice and good battery life.
Two - brute force attack on A5/1 is feasible, if enough incentive exists. If anything you discuss might cost more than 50K usd in three months time, don't do it ether. Wideband recording of anything where you might be and filtering out your phone conversations later is practical. Costs about 3K usd in equipment (outlay) + whatever you want to throw at key search.
Three - as mentioned above in the comments - backbones are usually unencrypted. Not much can be done about it, and MITM or backlink eavesdropping is a project that would be practical (it still is) only for really determined subjects. Oh, and your local/office base station is probably on the roof of some semi-public building where gaining access again is not beyond practical attack. Or, if a tower with equipment container - trivial.
---
Good (ish) things:
GPRS and 3G security isn't broken (publicly, afaik) yet. OTOH - isn't peer reviewed ether (worked well for a5, didn't it?). Therefore what you browse around or talk via your _UMTS_ handset is perhaps still safe. Just make sure the handset is really in 3g mode. Don't have much know-how about pretending to be UMTS base station thou - still can be fully feasible. Perhaps a feasible attack will show up tomorrow, perhaps won't. Radio hopping pattern intercept and packet capture is feasible cheaply today thou.

All in all, okay, there might be a public attempt to generate open A5/1 rainbow table today, good. From what I recall target size for the table was rather laughable - 500gb or thereabouts? I can surely bet that there are fair few of them out there already. Perhaps inside usd300'000 equipment sold for law enforcement. Perhaps...

Re:Good thing they're going to use open source

[KZigurs]

Oh, forgot to mention - the above applies to gsm. CDMA security is nonexistent + tower coverage is larger (less geo targeting required).

donate

[shata]

Link to the project web-site:
http://wiki.thc.org/gsm

If you're IT admin of school with 5000 idle computers, consider donating some GPU time :-)

Re:donate

[Arthur+Grumbine]

Link to the project web-site: http://wiki.thc.org/gsm

Inexplicably, that link makes me think of weed and sex. I expect a high turnout of volunteers at the college level.

again?

[cfriedt]

GSM was rendered practically insecure a long time ago... I guess this is supposed to be some kind of demonstration of Nvidia's awesome computing power?

Sp3ll1ng

[dangitman]

H4RDW4RE?

Are we really supposed to take a company seriously, when its own name substitutes numerals for letters?

Re:Sp3ll1ng

[ohampersand]

Nohl already has all the respect he'll ever need- he's a leading innovator in the grey-hat cracking scene. The original Mifare Classic (Boston's CharlieCard/ NYC's Metro) cracking was done by him and his team at Virginia a year or two ago. The company could be called L33tH4x0rs and they'd still be taken seriously.

Re:Sp3ll1ng

[dangitman]

he's a leading innovator in the grey-hat cracking scene.

Nobody's taking that seriously, either. Perhaps in your little world of w4nk3rs it's a big deal, but nobody else cares.

So sad, that humor is not with us...

[SuperKendall]

I'm really not sure how this was branded "Troll" as I meant the whole thing in jest. Lighten up, fellow hackers!

A pity ...

[freaker_TuC]

.. You've got to call yourself each two minutes to skip the voicemail during sex!

comments from TFA

[Eil]

The encryption technology used to prevent eavesdropping in GSM (Global System for Mobile communications), the world's most widely used cellphone system, has more security holes than Swiss cheese, according to an expert who plans to poke a big hole of his own.

I hope I am not the first to say: "giggity."

Each GSM phone has its own secret key, which is known by the network. Every time a call is initiated, a new session key for that particular call is derived from the secret key and used to encrypt the call. Nohl aims to crack the session key.

This actually doesn't sound like a bad encryption scheme.

To speed up computing time, the project relies on some components not always found in your standard PC, such as Nvidia Corp.'s CUDA (Compute Unified Device Architecture) graphics cards and Xilinx Virtex field-programmable gate arrays (FPGAs).

So, are those of us without fancy video cards or FPGAs allowed to help? Even if we can't compute keys as quickly?

That's the point Nohl hopes to drive home: The A5/1 algorithm is a broken 64-bit encryption technology, a relic of the Cold War era, when laws prohibited the export of strong encryption technology from the United States. It needs to be replaced--ideally by the much stronger, 128-bit A5/3 system

So GSM itself isn't that insecure, it's that they're using a short key length. This is rather old news then. All they are doing is brute-forcing the whole key space rather than breaking the algorithm. This is basically what brought down RC5-56 and DES (although DES had other flaws as well).

GSM@Home?

[Aizenmyou]

I can see it now...