A5/1

A5/1 is a stream cipher used to provide over-the-air communication privacy in the GSM cellular telephone standard. It was initially kept secret, but became public knowledge through leaks and reverse engineering. A number of serious weaknesses in the cipher have been identified.

History and usage

A5/1 is used in Europe and the United States. A5/2 was a deliberate weakening of the algorithm for certain export regions. [cite web
first = Jeremy | last = Quirke | archivedate = 2004-07-12
title = Security in the GSM system | publisher = AusMobile
] A5/1 was developed in 1987, when GSM was not yet considered for use outside Europe, and A5/2 was developed in 1989. Both were initially kept secret. However, the general design was leaked in 1994, and the algorithms were entirely reverse engineered in 1999 by Marc Briceno from a GSM telephone. In 2000, around 130 million GSM customers relied on A5/1 to protect the confidentiality of their voice communications.

Security researcher Ross Anderson reported in 1994 that "there was a terrific row between the NATO signals agencies in the mid 1980s over whether GSM encryption should be strong or not. The Germans said it should be, as they shared a long border with the Warsaw Pact; but the other countries didn't feel this way, and the algorithm as now fielded is a French design." [cite newsgroup
title = A5 (Was: HACKING DIGITAL PHONES)
author = Ross Anderson
date = 1994-06-17
newsgroup = uk.telecom
id = 2ts9a0\$95r@lyra.csx.cam.ac.uk
]

Description

In GSM transmission is organised as sequences of "bursts". In a typical channel and in one direction, one burst is sent every 4.615 milliseconds and contains 114 bits available for information. A5/1 is used to produce for each burst a 114 bit sequence of keystream which is XORed with the 114 bits prior to modulation. A5/1 is initialised using a 64-bit key together with a publicly-known 22-bit frame number. In fielded GSM implementations 10 of the key bits are fixed at zero, resulting in an effective key length of 54 bits.

A5/1 is based around a combination of three linear feedback shift registers (LFSRs) with irregular clocking. The three shift registers are specified as follows:The bits are indexed with the least significant bit (LSB) as 0.

The registers are clocked in a stop/go fashion using a majority rule. Each register has an associated clocking bit. At each cycle, the clocking bit of all three registers is examined and the majority bit is determined. A register is clocked if the clocking bit agrees with the majority bit. Hence at each step two or three registers are clocked, and each register steps with probability 3/4.

Initially, the registers are set to zero. Then for 64 cycles, the 64-bit secret key is mixed in according to the following scheme: in cycle $0leq\left\{i\right\}<64$, the "i"th key bit is added to the least significant bit of each register using XOR &mdash;:$R \left[0\right] = R \left[0\right] oplus K \left[i\right] .$Each register is then clocked.

Similarly, the 22-bits of the frame number are added in 22 cycles. Then the entire system is clocked using the normal majority clocking mechanism for 100 cycles, with the output discarded. After this is completed, the cipher is ready to produce two 114 bit sequences of output keystream, one for each direction.

ecurity

A number of attacks on A5/1 have been published. Some require an expensive preprocessing stage after which the cipher can be attacked in minutes or seconds. Until recently, the weaknesses have been passive attacks using the known plaintext assumption. In 2003, more serious weaknesses were identified which can be exploited in the ciphertext-only scenario, or by an active attacker. In 2006 Elad Barkan, Eli Biham and Nathan Keller demonstrated attacks against A5/1, A5/3, or even GPRS that allow attackers to tap GSM mobile phone conversations and decrypt them either in real-time, or at any later time.

Known-plaintext attacks

In 1997, Golic presented an attack based on solving sets of linear equations which has a time complexity of 240.16 (the units are in terms of number of solutions of a system of linear equations which are required).

In 2000, Alex Biryukov, Adi Shamir and David Wagner showed that A5/1 can be cryptanalysed in real time using a time-memory tradeoff attack, [ cite journal
authorlink = Alex Biryukov | first = Alex | last = Biryukov | coauthors = Adi Shamir; David Wagner
title = Real Time Cryptanalysis of A5/1 on a PC
journal = Fast Software Encryption—FSE 2000 | pages = 1–18 | url = http://cryptome.org/a51-bsw.htm
] based on earlier work by Jovan Golic. [cite journal
first = Jovan Dj. | last = Golic | title = Cryptanalysis of Alleged A5 Stream Cipher
work = EUROCRYPT 1997 | year = 1997 | pages = 239–55 | url = http://jya.com/a5-hack.htm
] One tradeoff allows an attacker to reconstruct the key in one second from two minutes of known plaintext or in several minutes from two seconds of known plain text, but he must first complete an expensive preprocessing stage which requires 248 steps to compute around 300 GB of data. Several tradeoffs between preprocessing, data requirements, attack time and memory complexity are possible.

The same year, Eli Biham and Orr Dunkelman also published an attack on A5/1 with a total work complexity of 239.91 A5/1 clockings given 220.8 bits of known plaintext. The attack requires 32 GB of data storage after a precomputation stage of 238. [cite journal
first = Eli | last = Biham | coauthors = Orr Dunkelman
title = Cryptanalysis of the A5/1 GSM Stream Cipher | year = 2000
journal = Indocrypt 2000 | pages =43–51
]

Ekdahl and Johannson published an attack on the initialisation procedure which breaks A5/1 in a few minutes using two to five minutes of conversation plaintext. [cite journal
first = Patrik | last = Ekdahl | coauthors = Thomas Johansson
title = Another attack on A5/1
journal = IEEE Transactions on Information Theory | volume = 49 | issue = 1
pages = 284–89 | year = 2003 | url = http://www.it.lth.se/patrik/papers/a5full.pdf (
doi = 10.1109/TIT.2002.806129
] This attack does not require a preprocessing stage. In 2004, Maximov et al improved this result to an attack requiring "less than one minute of computations, and a few seconds of known conversation". The attack was further improved by Elad Barkan and Eli Biham in 2005. [cite journal
first = Elad | last = Barkan | coauthors = Eli Biham
title = Conditional Estimators: An Effective Attack on A5/1
journal = Selected Areas in Cryptography 2005 | year = 2005 | pages = 1–19
]

Attacks on A5/1 as used in GSM

In 2003, Barkan et al published several attacks on GSM encryption. [cite journal
first = Elad | last = Barkan | coauthors = Eli Biham; Nathan Keller
title = Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication | year = 2003
journal = Crypto 2003 | pages = 600–16 | url = http://cryptome.org/gsm-crack-bbk.pdf
] The first is an active attack. GSM phones can be convinced to use the much weaker A5/2 cipher briefly. A5/2 can be broken easily, and the phone uses the same key as for the stronger A5/1 algorithm. A second attack on A5/1 is outlined, a ciphertext-only time-memory tradeoff attack which requires a large amount of precomputation.

In 2006, Elad Barkan, Eli Biham, Nathan Keller published the full version of their 2003 paper, with attacks against A5/X Ciphers. The authors claim: [cite web
url = http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/2006/CS/CS-2006-07.pdf
title = Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication by Barkan and Biham of Technion (Full Version)
first = Elad | last = Barkan | coauthors = Eli Biham; Nathan Keller
] quotation|We present a very practical ciphertext-only cryptanalysis of GSM encrypted communication, and various active attacks on the GSM protocols. These attacks can even break into GSM networks that use "unbreakable" ciphers. We first describe a ciphertext-only attack on A5/2 that requires a few dozen milliseconds of encrypted off-the-air cellular conversation and finds the correct key in less than a second on a personal computer. We extend this attack to a (more complex) ciphertext-only attack on A5/1. We then describe new (active) attacks on the protocols of networks that use A5/1, A5/3, or even GPRS. These attacks exploit flaws in the GSM protocols, and they work whenever the mobile phone supports a weak cipher such as A5/2. We emphasize that these attacks are on the protocols, and are thus applicable whenever the cellular phone supports a weak cipher, for example, they are also applicable for attacking A5/3 networks using the cryptanalysis of A5/1. Unlike previous attacks on GSM that require unrealistic information, like long known plaintext periods, our attacks are very practical and do not require any knowledge of the content of the conversation. Furthermore, we describe how to fortify the attacks to withstand reception errors. As a result, our attacks allow attackers to tap conversations and decrypt them either in real-time, or at any later time.

In 2008, the group The Hackers Choice launched a project to develop a practical attack on A5/1. The attack requires the construction of a large look-up table of approximately 3 Terabytes. Constructing this table has proved too big a task for anyone to complete it until now, but the group are in the process of building this table and it expected that it will be completed within the year. As of June 2008 it is not reported complete.

Once the table is built, and together with the scanning capabilities developed as part of the sister project, the group expect to be able to record any GSM call or SMS encrypted with A5/1, and within about 3-5 minutes derive the encryption key and hence listen to the call / read the SMS in clear.

Notes

ee also

* Cellular Message Encryption Algorithm
* KASUMI, also known as A5/3

References

* cite web
first = Greg | last = Rose
title = A precis of the new attacks on GSM encryption | publisher = QUALCOMM Australia | date = 2003-09-10
url = http://www.qualcomm.com.au/PublicationsDocs/GSM_Attacks.pdf

* cite journal
first = Alexander | last = Maximov | coauthors = Thomas Johansson; Steve Babbage
title = An Improved Correlation Attack on A5/1
journal = Selected Areas in Cryptography 2004 | year = 2004 | pages = 1–18

* cite web
first = Marc | last = Briceno | coauthors = Ian Goldberg; David Wagner | date = 1999-10-23
url = http://www.mirrors.wiretapped.net/security/cryptography/algorithms/gsm/a5-1-2.c
title = A pedagogical implementation of the GSM A5/1 and A5/2 "voice privacy" encryption algorithms

* cite news
url = http://www.cs.technion.ac.il/%7Ebarkan/GSM-Media/HaaretzInternetEnglish.pdf
title = Technion team cracks GSM cellular phone encryption | work = Haaretz
first = Hadar | last = Horesh | date = 2003-09-03

* cite web
url = http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-info.cgi?2006/CS/CS-2006-07
title = Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication (Technical Report CS-2006-07)
first = Elad | last = Barkan | coauthors = Eli Biham; Nathan Keller | month = July | year = 2006

* cite web
url = http://www.ma.huji.ac.il/~nkeller
title = Nathan Keller's Homepage

Wikimedia Foundation. 2010.

### Look at other dictionaries:

• A5/1 — es un algoritmo cifrador de flujo usado para proporcionar privacidad en la comunicación al aire libre en el estándar GSM, es decir, el algoritmo que cifra la conversación entre 2 terminales GSM cuando el mensaje viaja por el aire. Inicialmente… …   Wikipedia Español

• A5/1 — Pour les articles homonymes, voir A5. Schéma du A5/1 et ses trois registres à décalage. Un registre est décalé si le bit en orange correspond à la majorité des trois bits orange. On insère alors un bit corresponda …   Wikipédia en Français

• A5 (Algorithmus) — A5 ist ein Satz von Chiffren zur Sicherung der Kommunikation in Mobilfunknetzen nach dem GSM Standard. Der Standard definiert drei Chiffren. Inhaltsverzeichnis 1 A5/1 2 A5/2 3 A5/3 4 Weblinks …   Deutsch Wikipedia

• A5 — is commonly used to refer to an ISO 216 international standard paper size, measuring (148×210 mm).A5, A05, A 5, A V or A 5 may refer to: * A5, a German rocket design in World War II * A5 band (Apple 5), a Chinese band of 5 boys born in 1980s: Qu… …   Wikipedia

• A5 — steht für: A5 (Algorithmus) (Stromchiffre A5/1 bzw. A5/2, Blockchiffre A5/3), Verschlüsselungsstandard in GSM Mobilfunknetzen A5 (Rakete), Raketenprojekt im nationalsozialistischen Deutschland Airlinair, französische Fluggesellschaft (IATA Code)… …   Deutsch Wikipedia

• A5/2 — is a stream cipher used to provide voice privacy in the GSM cellular telephone protocol.The cipher is based around a combination of four linear feedback shift registers with irregular clocking and a non linear combiner.In 1999, Ian Goldberg and… …   Wikipedia

• A5/2 — est un algorithme de chiffrement par flot utilisé dans le cadre des communications GSM en dehors de l Europe. Il crée une suite pseudo aléatoire avec laquelle on effectue un XOR avec les données. En 1999, Ian Goldberg et David Wagner l ont… …   Wikipédia en Français

• A5 — puede referirse a: A5 (cohete), cohetes alemanes de 1938. Autostrada A5, una autopista italiana que conecta Turín con el Túnel del Mont Blanc. Línea A5, un servicio regoinal de ferrocarril convencional entre Algeciras y Granada. Audi A5, un… …   Wikipedia Español

• A5 — У этого термина существуют и другие значения, см. A5 (значения). Предупреждение на экране сотового телефона об отсутствии шифрования на сети …   Википедия

• A5 — Cette page d’homonymie répertorie les différents sujets et articles partageant un même nom.   Sigles d’une seule lettre > Sigles de deux lettres   Sigles de trois lettres   Sigles de quatre lettres …   Wikipédia en Français