29 December 2009. GSM A5 Files Published on Cryptome
28 October 1998
To: cypherpunks@algebra.com From: Anonymous Date: Thu, 08 Oct 1998 10:14:34 PDT Have spent the last few weeks going through various web pages describing GSM cloning. Some contradicting views, but overall the point is well made (and quite correctly) - cloning and/interception/monitering is both viable and achieveable. I recently was commissioned to look into this subject on behalf of a client who wished to moniter a GSM phone. Putting aside the rights and wrongs of the issue, we realised the objective. In summary it is possible to moniter/intercept a GSM phone using 2 pieces of commercially avaliable RACAL equipment, linked via a custom made preselector/combiner. The overall setup is easily portable and is controlled via a pc. It goes without saying that RACAL do not market the hardware for the above purpose - it has legitimate engineering needs, and is marketed under that legimate need. RACAL do not make the precombiner/selector (we had to make that) and they do not market the software AT ALL. I suspect that they are aware that the hardware in conjunction with the software (and access to a combiner/spliter)would give access to interception. So you must be thinking what sim parameters (or other parameters) had to be programmed into the pc software programme to allow selective interception of a GSM phone? Very little - in fact all that had to be programmed in was the phone number of the GSM handset to be targeted - and absolutely nothing else! It's food for thought. *This is not for general distribution on the web, but is shared with you on the basis of what appears to be a serious discussion on the subject on your side. please respect that aspect of confidentuality and feel free to get back to me with any comments you may have. One important aspect of the exercise has been deliberatly left out, it has little effect on sizing or costing but none-the-less is a requirement. Most engineers who understand what is involved in running 2 pieces of rf equipment in parrallel (both in TX and RX functions)at the same time will understand what is left out.
Date: Wed, 21 Oct 1998 07:06:49 -0400 To: ukcrypto@maillist.ox.ac.uk,cypherpunks@toad.com,cryptography@c2.net From: John Young <jya@pipeline.com> Subject: Status of GSM Crypto Attacks Forward from anonymous: Wed, 21 Oct 98 An engineer at a US wireless telecom and a contributor to Cryptologia--has asked me to look into the present status of attacks on the GSM encryption schemes: comp128 (a3a8 authentication, etc.) and, more importantly, the A5.1 and A5.2 voice/data encryption algorithms. After searching the web, I see that you have similar interests in this matter. I've already sent off inquiries to some of the researchers in this area--Ross Anderson, Simon Shepherd and the two Berkeley students (Goldberg and Wagner). So far, I've only heard back from Wagner. Do you have anything interesting to say about this matter--has anything happened since the Spring? Has a consensus been reached on some of the issues discussed in the <http://jya.com/crack-a5.htm> document? I'm trying to get a handle on the present state-of-the art: Where do things presently stand--who is doing the work and what, if anything, has been verified/demonstrated? Has A5 been cracked? What can be said about the possibility of intercepting and decoding an on-air conversation?
From: Paul Leyland <pleyland@microsoft.com> To: "'ukcrypto@maillist.ox.ac.uk'" <ukcrypto@maillist.ox.ac.uk> Subject: RE: Status of GSM Crypto Attacks Date: Wed, 21 Oct 1998 06:09:57 -0700 John Young forwarded: [Message above snipped] Phillipe Golle was an intern working with Dieter Gollman here at Microsoft Research over the summer. His project was to implement an attack on alleged-A5. The attack is described in "Cryptanalysis of Alleged A5 Stream Cipher" by Jovan Dj. Golic, to be found at http://jya.com/a5-hack.htm The full details will be published within the next few months, but I can say that the implementation we have successfully found the session key from the key stream, and that the computation took about two weeks on a 32-node cluster of PII-300 machines. It seems unlikely that this is a cost-effective way of eavesdropping on GSM transmissions Paul
Date: Thu, 22 Oct 1998 10:41:21 -0400 From: DG Sweiger <dsweig@jgvandyke.com> To: ukcrypto@maillist.ox.ac.uk Subject: Re: Status of GSM Crypto Attacks Does anyone have any news on how European banks are using GSM devices for end-to-end line encryption. dgs
From: "Lucky Green" <shamrock@netcom.com> To: <ukcrypto@maillist.ox.ac.uk> Subject: RE: Status of GSM Crypto Attacks Date: Mon, 26 Oct 1998 23:46:00 -0800 Greg Rose wrote on A5/1: > The key is not loaded directly into the initial registers; > instead, funny clocking is disabled, and the key bits are XORed into the > bottom bits of the registers as they are clocked. (Note that this means > that the 10 bits of key which were zeroed by COMP-128 help a brute-force > attack, but I am unable to find a way in which they help a > state-recovery attack.) Just for clarification, since I keep noticing some confusion on this issue both in the press and amongst crypto academics, the 10 bit keyspace reduction discovered in our work on A3/A8 (usually, though not always, implemented by means of COMP128), appears universal amongst all GSM MOU members. It is not COMP128 that reduces the A8 keyspace from the advertised 64 bits to an effective 54 bits. In fact, COMP128 itself has plenty of bits to spare and could have been used (ignoring for a moment the design flaws in COMP128 itself) to provide for a keyspace significantly larger than 64 bits. Instead, it was the GSM MOU and its members that decided, for non-technical reasons they refuse to disclose and one therefore can only speculate on, to deliberately reduce the upper bounds of GSM voice privacy features by a factor of over 1000. Curiously enough, this reduction of voice privacy solely benefits mobile call interceptors lacking a court authorized wire tap, since wiretaps conduced under court order can be performed at the base station or further upstream the telephony network. Thanks, --Lucky, who is busy working on extracting A5[1,2] from mobile firmware :-)
From: "christian masson" <interception1001@hotmail.com> To: jya@pipeline.com Subject: CELLULAR & VIRTUAL PROPAGATION URL Date: Mon, 26 Oct 1998 04:52:04 PST http://sawww.epfl.ch/SIC/SA/publications/SCR97/scr9-page4.html
To: jy@jya.com From: "Peter Tennenbaum" <ptdelray@worldnet.att.net> Subject: Suggestion from Marc Briceno Date: Wed, 28 Oct 98 03:50:59 PST Marc Briceno suggested that I contact you about a recent post to Cypherpunks. I wrote to him about my GSM inquiries and here is part of his reply: >> I am also extremely interested in the message that you sent to John >> Young that now appears at http://jya.com/crack-a5.htm. >> Do you still stand by this assessment? >Marc Briceno: I stand by this assessment. It becomes rather clear >that it must hold true once you look at the way GSM operates. >> If not, could you please bring me up to date on any >> errors/omisisons and/or assumptions that were not fully stated? If >> your assessment is correct, then I must ask: Has there been an >> actual demonstration of an on-air interception and decoding? Where >> do things presently stand--in theory and in practice? >MB: A recent anonymous post to the Cypherpunks mailing list from a >person claiming to have built an MIM attack device for use by law >enforcement gave some further details how one would go about building >such a device. (I do not have the post handy, but jya.com probably >has it archived on the web. If not, just ask him to do so). I don't see the post on your site. Could you please sent it to me or place it on your site. If possible, let me know where it is. I hope to have some interesting stuff for you soon. Peter Tennenbaum