119 GSM.A51.Cracking - Nohl

Download as pdf or txt
Download as pdf or txt
You are on page 1of 17

Karsten Nohl

Sascha Kriler
@ HAR2009
Phone with
end-to-end
encryption--
soon needed?
Subverting the
security base
of GSM
2 Karsten Nohl A5/1 Cracking
Academic breaks of A5/1
cipher: EC1997, FSE2000,
Crypto 2003, SAC2005,
A5/1 crackers widespread
among intelligence
agencies
Cracking tables computed
in 2008 but never
released
After 15
years, still no
public A5/1
exploit !!
Well change
this over the
next months
GSM encryption has been broken over and over
again
3 Karsten Nohl A5/1 Cracking
GSM is global, omnipresent and
insecure
80% of
mobile
phone
market
200+
countries
3 billion
users!
GSM
security
introduced
in 1987
then
disclosed
and shown
insecure in
1994
4 Karsten Nohl A5/1 Cracking
GSM must not be used for security
systems, especially not for new ones
Recent adoptions of GSM despite weak security:
Home banking
Payment
Authentication
GSM apparently seen as secure enough
for payment & access. Falsely so!
5 Karsten Nohl A5/1 Cracking
We need a public GSM decrypt PoC
'97 '00 '03 '05
A5/1 shown academically broken
A5/1 shown more
and more
and more broken.
'06
Broken with massive computation
'03/'08
Rainbow table computation
Not enough known data in GSM packets
Too expensive
Tables never released
6 Karsten Nohl A5/1 Cracking
Groundwork for table generation is
complete and open sourced
High-speed
A5/1 engine
GSM
decrypt
PoC
Status
Table Para-
meterization
Table
Generation
Your help*
needed!
* CUDA graphic cards or Xilinx Virtex FPGAs needed
Source and doc available:
reflextor.com/trac/a51
7 Karsten Nohl A5/1 Cracking
A5/1 is vulnerable to generic pre-
computation attacks
For ciphers with small keys, code books allow
decryption
Code book provides a
mapping from known
output to secret state
An A5/1 code book is 128 Petabyte and takes
100,000+ years to be computed on a PC
Secret state Output
A52F8C02 52E91001
62B9320A 52E91002
C309ED0A 52E91003
This talk revisits techniques for computing the
code book faster and for storing it compressed
8 Karsten Nohl A5/1 Cracking
Key to code book generation is a fast
A5/1 engine
Time on single threaded CPU:
100,000+ years
3 months on 80 CUDA nodes
Parallelization
CUDA: hundreds of threads
FPGA: thousands of engines
Algorithmic tweaks
CUDA: compute 4 bits at once
FPGA: minimize critical path
9 Karsten Nohl A5/1 Cracking
Algorithmic tweaks accelerate CUDA
A5/1 engine significantly
Shift registers are
expensive in software,
while memory is
cheap
Only a few state
bits determine
round function
Trade table lookups
for shifts; optimal for
CUDA: 4 shifts at once
10 Karsten Nohl A5/1 Cracking
Balancing memory lookups and
computation maximizes throughput
Look-up tables
(16kByte SRAM)
enable parallelization
of shifts
The tables are shared
across 8 CUDA cores
each
11 Karsten Nohl A5/1 Cracking
Longer chains := less storage := longer attack time
colli-
sion
Pre-computation tables store the
code book condensed
12 Karsten Nohl A5/1 Cracking
colli-
sion
Distinguished point tables save
hard disk lookups
Hard disk access only needed at distinguished points
13 Karsten Nohl
Rainbow tables mitigate collisions
A5/1 Cracking
Rainbow tables have no mergers, but an exponentially
higher attack time
14 Karsten Nohl A5/1 Cracking
The combination of both table
optimizations is optimal
The most resource
efficient table for
A5/1 is:
32 DP segments of
length 2
15
Merged into one
rainbow
725 such tables with
height 2
28.5
needed
15 Karsten Nohl A5/1 Cracking
Tables must be computed and stored
distributed
For efficiency, tables distributed over many nodes are preferred
More importantly, no single point of failure should exist on the
critical path to the GSM decode PoC
Suggested table generation process:
1. Download
tools today
2. Generate
table*
3. Publish table
on Bittorrent*
Coordinate through mailing list if necessary (use TOR!)
*use random ID and advance parameter; publish as A51_<ID>_<parameter>.table
16 Karsten Nohl
A5/1 cracking is just the first step
Pre-computation framework build to be generic
Any cipher (key size up to 64 bits)
Various backends: CPU, CUDA, FPGA
Open source
A5/1 Cracking
Please get involved
Compute tables and provide feedback
Extend the table generator to your projects
17 Karsten Nohl A5/1 Cracking
Questions?
Karsten Nohl <nohl@virginia.edu>
Slides, source, reflextor.com/trac/a51
documentation
Mailing list tinyurl.com/a51list
ct article tinyurl.com/ct-rainbows
Many thanks to Sascha Kriler and
Sbastien Bourdeauducq!

You might also like