Slashdot Mirror

← Back to Stories (view on slashdot.org)

Second 3G GSM Cipher Cracked

Posted by Soulskill on from the dropping-like-encrypted-flies dept.

Trailrunner7 writes "A group of cryptographers has developed a new attack that has broken Kasumi, the encryption algorithm used to secure traffic on 3G GSM wireless networks. The technique enables them to recover a full key by using a tactic known as a related-key attack, but experts say it is not the end of the world for Kasumi. Kasumi, also known as A5/3, is the standard cipher used to encrypt communications on 3G GSM networks, and it's a modified version of an older algorithm called Misty. In the abstract of their paper, the cryptographers say the attack can be implemented easily on one standard PC. 'In this paper we describe a new type of attack called a sandwich attack, and use it to construct a simple distinguisher for 7 of the 8 rounds of KASUMI with an amazingly high probability of 214. By using this distinguisher and analyzing the single remaining round, we can derive the complete 128 bit key of the full KASUMI by using only 4 related keys, 226 data, 230 bytes of memory, and 232 time. These complexities are so small that we have actually simulated the attack in less than two hours on a single PC, and experimentally verified its correctness and complexity.'"

16 of 57 comments (clear)

  1. Related-Key and Original Paper by eldavojohn · · Score: 5, Informative

    The technique enables them to recover a full key by using a tactic known as a related-hey attack ...

    Certainly you meant related-key attack since the paper by and large discusses related key attacks before explaining their sandwich attack.

    These complexities are so small that we have actually simulated the attack in less than two hours on a single PC, and experimentally verified its correctness and complexity.

    To give you more specific numbers from the conclusion of the paper:

    By using this distinguisher and analyzing the single remaining round, we can derive the complete 128 bit key of the full KASUMI by using only 4 related keys, 226 data, 230 bytes of memory, and 232 time.

    Er, I believe you meant to say 4 related keys, 2^26 data, 2^30 bytes of memory and 2^32 time. As you will see in the conclusion of the paper:

    In this paper we develop a new sandwich attack on iterated block ciphers, and use it to reduce the time complexity of the best known attack on the full KASUMI from an impractical 2^76 to the very practical 2^32.

    After all a time complexity of 232 should take any computer at most a few seconds while 2^32 approaches the two hour-ish mark.

    --
    My work here is dung.
    1. Re:Related-Key and Original Paper by blee37 · · Score: 4, Interesting

      Note that Adi Shamir is the "S" in RSA. The other two authors are from the Weizmann Institute and Hebrew University. Though the paper is not public yet, these guys seem like genuine crypto all stars. http://www.emergentchaos.com/archives/2010/01/another_week_another_gsm.html

    2. Re: Related-Key and Original Paper by eldavojohn · · Score: 5, Informative

      That makes a lot more sense. Doesn't explain how you can have a probability of 214, though. And a probability of 2^14 would just be worse.

      Uh yeah, that's the funniest error of them all. If you read the summary on the paper that I linked it's two raised to the power of negative fourteen which copy pastes to 214 but should be something like 2^(-14).

      --
      My work here is dung.
    3. Re: Related-Key and Original Paper by error_frey · · Score: 2, Informative

      It should be 2^(-14)

    4. Re:Related-Key and Original Paper by Jurily · · Score: 5, Funny

      Mr. eldavojohn, you're under arrest for violating the Slashdot Anti-Proofreading Act.

  2. 3G GSM ? by BorgDrone · · Score: 4, Informative

    Kasumi, also known as A5/3, is the standard cipher used to encrypt communications on 3G GSM networks

    What is 3G GSM ? As far as I know GSM is a 2G standard.

    This encryption is also used in UMTS, which is the successor of GSM and a 3G standard.

    1. Re:3G GSM ? by sznupi · · Score: 2, Informative

      Hm, technically EDGE falls under 3G speeds, just. But generally 3G networks built on top of existing GSM infrastructure are still often taken under "GSM" umbrella.

      --
      One that hath name thou can not otter
    2. Re:3G GSM ? by LucidBeast · · Score: 3, Interesting
      UMTS allows operator to choose chiphers as long as it confirms to the 3GPP specification see: http://www.3gpp.org/ftp/Specs/html-info/33105.htm .

      All 3G cards I've seen have used rijndael (AES).

    3. Re:3G GSM ? by lobsterturd · · Score: 3, Informative

      This isn't necessarily true. Operators can use ciphers of their choice for functions that occur within the SIM card (such as authentication and key derivation), but data sent over the air can only be encrypted with Kasumi or (since UMTS Rel-7) Snow 3G. http://www.3gpp.org/ftp/Specs/html-info/33102.htm

    4. Re:3G GSM ? by Verdatum · · Score: 2, Informative

      I think it's more of a common innacuracy than anything. The GSM standard is now maintained by 3GPP, and 3GPP developed the UMTS standard, based to some extent on the GSM architecture. So people presume 3G GSM is a valid way to distinguish the technology as separate from the CDMA2000 3G technology. I don't know about other countries, but in the US, "UMTS" and "3GPP" are not well known terms to consumers, but "GSM" and "3G" are.

  3. And the first decryption yielded this.... by SpurtyBurger · · Score: 2, Funny

    "I'm on the train..."

  4. Shamir and his techniques by dachshund · · Score: 5, Insightful

    First of all, the amazingly high probability should be 2^14 (or 1/2^14 = 1 / 16,384), not "214". This is the danger with cutting and pasting mathematics. In a slightly simplified explanation, distinguishing attacks work by looking at encrypted data and trying to distinguish it from random bits. This means that the distinguisher succeeds with the probability above, which may not seem very high, but believe me --- it's much higher than what it should be for a cipher like this. And as they show, efficient distinguishing attacks can lead to nastier things like key recovery.

    I saw Adi Shamir stand up in front of a crowd at Crypto 2008 and introduce a new set of techniques he and his colleagues had developed for simplifying complex algebraic equations. People jokingly asked him if he thought it might work against AES (yes, it did). I haven't seen this paper, but my guess is that they're running around applying their techniques to everything they can find. And so Kasumi bites the dust. (Meaning that I must update my course slides, agh.)

    More to the point, this is unlikely to be a practical issue right now because it's a related key attack. You have to encrypt something with multiple keys that are closely related (similar in many respects) before the attack applies. This usually doesn't happen unless the implementers are idiots. But the point is that it's bad news --- related key attacks are the camel's nose under the tent for much worse things to come. I'd say they should upgrade to AES, but I'm not even sure if that's a great idea :)

    Oh, and I'm doing the thing I hate the most: giving the senior person all the credit. No doubt an equal or greater share of the credit goes to Orr Dunkelman and Nathan Keller, his hungry PhD student and post-doc who probably spent the last zillion hours of their lives working this out in their lab only to see people like me attribute all of their work to Shamir. Good job, guys.

  5. Ha, correction by dachshund · · Score: 2, Interesting

    First of all, the amazingly high probability should be 2^14 (or 1/2^14 = 1 / 16,384), not "214". This is the danger with cutting and pasting mathematics.

    That is, it should be 2^{-14} -- this is the danger with posting in the morning before finishing my coffee...

  6. Re:Language lesson first... by Anonymous Coward · · Score: 2, Interesting

    That's okay, it works as a review. People like me learn all our grammar from Slashdot.

  7. Re:The probability is not 214 by marcansoft · · Score: 2, Insightful

    a p value of 214 would be an amazingly impossible probability. Probability goes from 0 to 1, and 1 is the highest (most likely). 2^-14 = (1 in 16384) is "low" by human standards but amazingly high by crypto standards (most importantly, because computers can try something 16384 times in a split second).

  8. Re:Like it was private to begin with by horza · · Score: 2, Insightful

    First you are missing the point. If you have access to the exchange of course you can listen. This either requires a warrant, or some good social engineering skills. However intercepting between mobile and base station is untraceable and can be done by anybody. By tabloid journalists, criminals, jealous spouses, or somebody that just wants to cause mischief.

    Second it is A5/3 which has been broken. A5/1 is used in Europe and A5/2 outside (the US probably uses a modified A5/1 with reduced key length to allow real-time NSA intercepts) for standard GSM voice calls. A5/1 is still secure as far as we know.

    Phillip.

    --
    Property for sale in Nice, France