Slashdot Mirror

← Back to Stories (view on slashdot.org)

Open Source Attempt To Crack GSM Encryption

Posted by timothy on from the phone-you-break-could-be-your-own dept.

Lexta writes with an interesting tidbit from IEEE Spectrum: "'Karsten Nohl, chief research scientist with H4RDW4RE, a Sunnyvale, Calif.-based security research firm, is mounting what could be the most ambitious attempt yet to compromise the GSM phone system.' The intended approach is to create an open source project to spread the computation of a giant look-up table across more than 80 machines. Interestingly, they've openly stated that nVidia's CUDA technology will be used to execute parallel elements of the problem on GPUs as well."

13 of 78 comments (clear)

  1. Big deal by Rob+Kaper · · Score: 3, Funny

    Big deal. No one still uses their cellphone to make calls anyway.

    1. Re:Big deal by balbeir · · Score: 3, Insightful

      Woosh

  2. Re:Oh my gosh by RichardJenkins · · Score: 3, Insightful

    That's not the way you use a phone.

  3. Two points.. by da_matta · · Score: 4, Informative

    1) Only applies to 2G/GSM, not 3G/UMTS
    2) This has been known pretty much from the beginning, and updating has been started years ago. As said in TFA, only news of this is the plan to make it publicly available.

  4. Re:A big book by Anonymous Coward · · Score: 5, Informative

    TFA:

    The A5/1 cracking project aims to compress the 128-petabyte A5/1 codebook -- which would require more than 100 000 years of computing by a single PC to crack--to around 2 or 3 terabytes of data, and a computing time of around three months, with the help of about 80 computers.

    Any crypto experts want to take a stab at explaining, in lay geek terms, how this is even remotely possible? That's a ~50,000:1 compression ratio.

    Trading space for time.

    128 petabytes would enable instant lookup of collisions. Cutting size in half, and you'd need 2 operations to find a collision. Cut size in half again would need to double the time again. Repeat until you reach the desired space/time trade-off.

    P.C. van Oorschot, M.J. Wiener. Improving meet-in-the-middle attacks by orders of magnitude, Crypto'96, Springer LNCS vol.1109, pp.229-236, 1996. ps, pdf. A more complete treatment is given in the 1999 Journal of Cryptology paper.

    P.C. van Oorschot, M.J. Wiener. Parallel collision search with applications to hash functions and discrete logarithms. pp.210-218, proceedings, 2nd ACM Conference on Computer and Communications Security, Nov. 1994, Fairfax, Virginia. ps, pdf. The Crypto'96 paper builds on this, and a more complete treatment is in the 1999 Journal of Cryptology paper.

    P.C. van Oorschot, M.J. Wiener. Parallel collision search with cryptanalytic applications. Journal of Cryptology, vol.12 no.1 (Jan. 1999) pp.1-28. pdf.

  5. Re:Hackers Sell Out by Anonymous Coward · · Score: 4, Insightful

    Saying they are anti-opensource is a bit much don't you think? They are a corporation who just haven't figured out how being open source would be more beneficial to them and their share-holders than remaining closed.

    I believe if they were "anti-opensopurce" most people wouldn't have that nice nvidia wrapper for the driver on linux systems. Why waste time making it at all if they are "anti-opensource"?

    Just because they haven't opened their code to the universe doesn't mean they are against open-source; just that they haven't found a means to leverage it to their advantage which companies like to do.

    Businesses are about the bottom line, money, and how to make more and keep what they got. Opensource is about sharing and giving up control; it is a hard thing for a lot of companies to fit into their business plan and sell to investors.

  6. Re:Incorrect time estimate? BOINC? by baffler86 · · Score: 3, Funny

    This should definitely be done on public school computers. Free computing to the user and a tried and true method of distributed computing.

  7. Re:A big book by bhima · · Score: 4, Insightful

    The key phrases you are looking for are "rainbow tables"; "time / memory trade-off"; "distributed computing"; "embarrassingly parallel"; "GPGPU Computing" and probably "More's Law".

    So now computers are faster than when they cooked that "100,000 years" phrase. They are employing many different computers with multiple cores. GPUs are much faster at this calculation that X86 processors. Rainbow tables are ingenious methods to store precomputed results, so the actual cracking is simple comparisons between encrypted text with known values and the data you are attacking.

    --
    Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
  8. Re:A big book by kasperd · · Score: 4, Informative

    Any crypto experts want to take a stab at explaining

    The article doesn't contain enough information about A5/1 or the details of the attack for a crypto expert to explain exactly what he plan to do. However it does mention that he intend to create a rainbow table, so I can at least explain what a rainbow table is, and what the 128PB might mean. The article say it is a 64 bit encryption, but 128PB doesn't sound like the right size given a 64 bit encryption, the 128PB sounds more like a 54 bit encryption. And though it doesn't sound like a huge difference those 10 bits does mean a factor of 1024 times less work to brute force, and these days the difference between 54 and 64 bits may very well be the difference between feasible and not feasible to break. Of course in a few years 64 bits may be feasible to brute force as well.

    Compressing 128PB down to 2-3TB doesn't sound realistic at first, but then consider that those 128PB are not just 128PB of random data, they are generated by a very simple algorithm. The entire code to generate those 128PB would probably fit in less than 1MB. But the time it would take to actually run the code for long enough to generate the 128PB is prohibitive. Also notice, that what is going to happen is not really a compression of the 128PB of data. The output of the algorithm is going to be a few TB of data, but that data can't actually be used to reproduce the original 128PB of data, which wouldn't be very interesting anyway. What you really want is a function that given some input can output the encryption key, and that can happen through a very simple table lookup, which would be very fast, but infeasible since very few people have the resources to store the complete 128PB lookup table. Instead you use a more complicated algorithm, which use 50.000 times less stored data, but OTOH may run 100.000 times (or even more) slower than the simple table lookup. But 100.000 table lookups would still only take a fraction of a second on a modern CPU.

    Back to the rainbow tables. It is a tool to speed up the task of reversing a one way function. A one way function is a function that maps from one set of values to another set of values. The function is fast to compute in one direction, but there is no simple way to compute in the other direction. One example of a one way function is a hash function, which maps from strings of arbitrary lengths to the much smaller set of strings of one fixed length.

    Let's assume our one way function is called f and maps from the set S to the set T. Then we can define a different function g, which maps from T to some interesting subset of S. For example it has been used in the past with a function that maps from 128 bit strings (outputs from MD5) to the set of passwords consisting of 7 alphanumeric characters (which is a subset of the possible inputs to MD5). If you combine g and f, you get a function mapping from T to T. If you start with a value in T and keep applying this combination, you will keep getting values in T.

    Now you decide how many times in a row you will apply this combination, let's call that number n. A small n will produce very large rainbow tables, that may be faster to use. OTOH a large n will produce smaller rainbow tables that will be slower to use. This choice is the compromise mentioned in the article. He is probably going to use a value of n around 65536 or so.

    Now you start producing chains (this is the large amount of work that this project will aim to distribute). You take some input in T, then you apply the combination of the two functions n times and get an output in T. You repeat that with a few hundred billion different values in T. The output will be a lot of pairs of values, from those pairs you create a lookup table.

    Now assume you have a value x, which is the output of the one way function f, and you want to find out what the input may have been. Then you can apply the combination of functions n times and get n different values in T, look

    --

    Do you care about the security of your wireless mouse?
  9. Re:A big book by marcansoft · · Score: 3, Informative

    From Wikipedia:

    A5/1 is initialised using a 64-bit key together with a publicly-known 22-bit frame number. In fielded GSM implementations 10 of the key bits are fixed at zero, resulting in an effective key length of 54 bits.

    Way to make an already weak cipher even weaker.

  10. Re:Good thing they're going to use open source by shmlco · · Score: 3, Insightful

    Who wants it cracked in the first place? The only interests served are those of crooks and spys.

    --
    Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
  11. Re:donate by Arthur+Grumbine · · Score: 4, Funny

    Link to the project web-site: http://wiki.thc.org/gsm

    Inexplicably, that link makes me think of weed and sex. I expect a high turnout of volunteers at the college level.

    --
    Now that I think about it, I'm pretty sure everything I just said is completely wrong.
  12. Sp3ll1ng by dangitman · · Score: 3, Insightful

    H4RDW4RE?

    Are we really supposed to take a company seriously, when its own name substitutes numerals for letters?

    --
    ... and then they built the supercollider.