Security enhancement for A5/1 without losing hardware efficiency in future mobile systems

A5/1 is the strong encryption algorithm which protects the air interface of the GSM cellular network. However, in the Fast Software Encryption Workshop 2000 two attacks, the biased birthday attack and the random subgraph attack against A5/1 were presented [1]. In this paper, we propose new security enhancements to improve A5/1 encryption algorithm from the biased birthday attack [1] and random subgraph attack [3] [4] in order to be used in future mobile communication systems. The improvements that make both attacks impractical are based on the clocking mechanism of the registers, and their key setup routine. Furthermore, we have increased the linear complexity of A5/1 to make the solution of the linear equations [2] impractical in real time systems. Finally, both original and modified versions of A5/1 were implemented easily in a CPLD device for 3rd generation mobile systems

A New Guess-and-Determine Attack on the A5/1 Stream Cipher

In Europe and North America, the most widely used stream cipher to ensure privacy and confidentiality of conversations in GSM mobile phones is the A5/1. In this paper, we present a new attack on the A5/1 stream cipher with an average time complexity of 2^(48.5), which is much less than the brute-force attack with a complexity of 2^(64). The attack has a 100% success rate and requires about 5.65GB storage. We provide a detailed description of our new attack along with its implementation and results.Comment: 14 pages, 4 figures, 3 table

Eavesdropping on GSM: state-of-affairs

In the almost 20 years since GSM was deployed several security problems have been found, both in the protocols and in the - originally secret - cryptography. However, practical exploits of these weaknesses are complicated because of all the signal processing involved and have not been seen much outside of their use by law enforcement agencies. This could change due to recently developed open-source equipment and software that can capture and digitize signals from the GSM frequencies. This might make practical attacks against GSM much simpler to perform. Indeed, several claims have recently appeared in the media on successfully eavesdropping on GSM. When looking at these claims in depth the conclusion is often that more is claimed than what they are actually capable of. However, it is undeniable that these claims herald the possibilities to eavesdrop on GSM using publicly available equipment. This paper evaluates the claims and practical possibilities when it comes to eavesdropping on GSM, using relatively cheap hardware and open source initiatives which have generated many headlines over the past year. The basis of the paper is extensive experiments with the USRP (Universal Software Radio Peripheral) and software projects for this hardware.Comment: 5th Benelux Workshop on Information and System Security (WISSec 2010), November 201

Some Words on Cryptanalysis of Stream Ciphers

In the world of cryptography, stream ciphers are known as primitives used to ensure privacy over a communication channel. One common way to build a stream cipher is to use a keystream generator to produce a pseudo-random sequence of symbols. In such algorithms, the ciphertext is the sum of the keystream and the plaintext, resembling the one-time pad principal. Although the idea behind stream ciphers is simple, serious investigation of these primitives has started only in the late 20th century. Therefore, cryptanalysis and design of stream ciphers are important. In recent years, many designs of stream ciphers have been proposed in an effort to find a proper candidate to be chosen as a world standard for data encryption. That potential candidate should be proven good by time and by the results of cryptanalysis. Different methods of analysis, in fact, explain how a stream cipher should be constructed. Thus, techniques for cryptanalysis are also important. This thesis starts with an overview of cryptography in general, and introduces the reader to modern cryptography. Later, we focus on basic principles of design and analysis of stream ciphers. Since statistical methods are the most important cryptanalysis techniques, they will be described in detail. The practice of statistical methods reveals several bottlenecks when implementing various analysis algorithms. For example, a common property of a cipher to produce n-bit words instead of just bits makes it more natural to perform a multidimensional analysis of such a design. However, in practice, one often has to truncate the words simply because the tools needed for analysis are missing. We propose a set of algorithms and data structures for multidimensional cryptanalysis when distributions over a large probability space have to be constructed. This thesis also includes results of cryptanalysis for various cryptographic primitives, such as A5/1, Grain, SNOW 2.0, Scream, Dragon, VMPC, RC4, and RC4A. Most of these results were achieved with the help of intensive use of the proposed tools for cryptanalysis

State Transition Analysis of GSM Encryption Algorithm A5/1

A5/1 stream cipher is used in Global System for Mobile Communication(GSM) phones for secure communication. A5/1 encrypts the message transferred from a mobile user. In this paper, we present the implementation of cryptanalytic on A5/1 techniques such as minimized state recovery for recovering the session key. The number of state transitions/updations needed for a state S to reoccur is maintained in the lookup table. This table can be used to recover the initial state from which the keystream was produced. Experiments are carried out for reduced version, full A5/1 cipher on 3.20 GHz machine, and cluster computing facility

A structural analysis of the A5/1 state transition graph

We describe efficient algorithms to analyze the cycle structure of the graph induced by the state transition function of the A5/1 stream cipher used in GSM mobile phones and report on the results of the implementation. The analysis is performed in five steps utilizing HPC clusters, GPGPU and external memory computation. A great reduction of this huge state transition graph of 2^64 nodes is achieved by focusing on special nodes in the first step and removing leaf nodes that can be detected with limited effort in the second step. This step does not break the overall structure of the graph and keeps at least one node on every cycle. In the third step the nodes of the reduced graph are connected by weighted edges. Since the number of nodes is still huge an efficient bitslice approach is presented that is implemented with NVIDIA's CUDA framework and executed on several GPUs concurrently. An external memory algorithm based on the STXXL library and its parallel pipelining feature further reduces the graph in the fourth step. The result is a graph containing only cycles that can be further analyzed in internal memory to count the number and size of the cycles. This full analysis which previously would take months can now be completed within a few days and allows to present structural results for the full graph for the first time. The structure of the A5/1 graph deviates notably from the theoretical results for random mappings.Comment: In Proceedings GRAPHITE 2012, arXiv:1210.611