A5 (algorithm)

from Wikipedia, the free encyclopedia

A5 is a family of symmetric encryption algorithms used in cellular networks based on the GSM standard. The standard defines several ciphers to protect calls and data traffic over the radio link. The A5 algorithms are implemented both in the mobile devices and in the network operator's base stations. For example, if a call is to be secured with A5/3, both the network operator and the respective terminal must have implemented the A5/3 algorithm. If the A5/3 algorithm is missing from a base station or a mobile device, only a connection using A5/0, A5/1 or A5/4 can be established.

A5/1

A5/1 is a stream cipher that was developed in 1987 to protect GSM voice communications. The first attacks have been known since 2000, and practical attacks have existed since 2003. In 2008, precomputed rainbow tables for breaking the encryption were created for the first time, but they were not published. In 2009 a two-terabyte rainbow table was published. With the help of this table, the encryption can be broken in real time (“Near real-time decryption with distributed cracking network”).

The British computer scientist Ross Anderson was of the opinion in 1994 that a weak cipher was deliberately chosen to enable NATO intelligence services to eavesdrop on conversations. This was later confirmed.

A5/2

A5/2, also a stream cipher, is a weaker version of A5/1 developed in 1989 for use in certain export regions. Since 2003, A5/2 ciphertexts can be broken in less than a second on an average PC. In July 2007 the 3GPP banned the implementation of A5/2 in new cell phones. Encryption is therefore not available to new cell phones in networks that only use A5/2.

A5/3

A5/3 is based on the KASUMI block cipher in counter mode with an effective key length of 64 bits for the key Kc, since the 64 least significant bits of the KASUMI key are a copy of the 64 most significant. A5/3 is specified for GSM and for the EDGE variant Enhanced Circuit Switched Data (ECSD). The equivalent of A5/3 for GPRS is called GEA3. In contrast to GSM and ECSD, KASUMI-based encryption of the radio link is activated by default in UMTS.

In 2010, Orr Dunkelman, Nathan Keller and Adi Shamir presented a more practical attack against the KASUMI-based A5/3 encryption method. The "sandwich" attack enables an attacker to extract the entire 128-bit key. Since then, KASUMI has been considered theoretically broken. However, no statement can be made about the effectiveness of the attacks against the implementation of KASUMI in the A5/3 algorithm for GSM networks. More details can be found in the article KASUMI.

In December 2013, Deutsche Telekom announced that the A5/3 encryption standard would be implemented nationwide in its GSM mobile network by the end of 2013. 30,000 base stations and central network points had to be converted for this. At that time, Telekom estimated that around 50,000 devices were not compatible with A5/3. The A5/1 algorithm is still used for these models. Devices from the manufacturer Apple are compatible with A5/3 as of iOS 7. See also the list of devices with A5/3 support in the Web links section. The algorithm was also implemented in Macedonia, Montenegro, Poland and the Czech Republic. The competitors Vodafone, O2 and E-Plus do not intend to use A5/3 in their GSM cellular networks for another few years.

In the Web links section, the GSM Security Map provides a visual overview of GSM security in different countries.

Due to the short key length of 64 bits, according to Karsten Nohl, A5/3 can be attacked with manageable effort using the brute force method.

A5/4

A5/4 is the A5/3 algorithm with a longer key Kc (128-bit). For GPRS, the name of the encryption algorithm is GEA4.
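
The key-length difference between A5/3 and A5/4 described in the two sections above, as an added example (not part of the original article and not 3GPP reference code): it builds the 128-bit KASUMI key from Kc and measures how many of its bits are actually independent. The function names and the sample keys are assumptions constructed for illustration.

```python
KASUMI_KEY_BITS = 128


def expand_kc(kc: bytes) -> bytes:
    """Build the 128-bit KASUMI key from the GSM session key Kc.

    A5/3: a 64-bit Kc is copied into both halves of the KASUMI key.
    A5/4: a 128-bit Kc is used unchanged.
    """
    bits = len(kc) * 8
    if bits == 64:
        return kc + kc
    if bits == KASUMI_KEY_BITS:
        return kc
    raise ValueError("Kc must be 64 bits (A5/3) or 128 bits (A5/4)")


def effective_key_bits(ck: bytes) -> int:
    """Upper bound on the independent key bits of a KASUMI key.

    Returns the shortest byte period of the key, in bits: a key made of
    two identical halves cannot hold more than 64 bits of secret material.
    """
    if len(ck) * 8 != KASUMI_KEY_BITS:
        raise ValueError("KASUMI key must be 128 bits")
    for period in (1, 2, 4, 8, 16):
        if ck == ck[:period] * (len(ck) // period):
            return period * 8
    return KASUMI_KEY_BITS  # not reached: period 16 always matches


def search_space_gap(weaker: bytes, stronger: bytes) -> int:
    """How many times larger the exhaustive-search space of `stronger` is."""
    return 2 ** (effective_key_bits(stronger) - effective_key_bits(weaker))


# Constructed sample keys, not taken from any network or test vector.
SAMPLE_KC_A53 = bytes.fromhex("0123456789abcdef")                   # 64-bit Kc
SAMPLE_KC_A54 = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # 128-bit Kc

if __name__ == "__main__":
    for name, kc in (("A5/3", SAMPLE_KC_A53), ("A5/4", SAMPLE_KC_A54)):
        ck = expand_kc(kc)
        print(name, ck.hex(), effective_key_bits(ck), "effective bits")
    gap = search_space_gap(expand_kc(SAMPLE_KC_A53), expand_kc(SAMPLE_KC_A54))
    print("A5/4 search space is 2^%d times larger" % (gap.bit_length() - 1))
```
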

Web links

References

  1. Present and future Standards for mobile internet and smart phone information security. (PPT; 2,342 kB) September 2012, accessed January 9, 2014.
  2. Alex Biryukov, Adi Shamir, David Wagner: Real Time Cryptanalysis of A5/1 on a PC. In: Fast Software Encryption 2001 (= Lecture Notes in Computer Science, vol. 1978). Springer, 2001, pp. 1-18 (cryptome.org).
  3. Elad Barkan, Eli Biham and Nathan Keller: Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication. In: Crypto 2003. 2003, pp. 600-616 (cs.technion.ac.il [PDF]).
  4. Chris Paget, Karsten Nohl: GSM. (PDF; 664 kB) SRSLY? December 27, 2009, accessed February 7, 2014.
  5. Ross Anderson: A5 (Was: HACKING DIGITAL PHONES), June 17, 1994.
  6. Arild Færaas: Sources: We were pressured to weaken the mobile security in the 80's. Aftenposten, January 9, 2014, accessed March 2, 2017.
  7. security.osmocom.org: A52_Withdrawal - Mobile (in)security, accessed January 29, 2011.
  8. Prohibiting A5/2 in mobile stations and other clarifications regarding A5 algorithm support. (ZIP; 62 kB) Accessed February 14, 2011.
  9. Specification of the A5/4 Encryption Algorithms for GSM and ECSD, and the GEA4 Encryption Algorithm for GPRS (Memento from January 10, 2014 in the Internet Archive).
  10. 3rd Generation Partnership Project (Ed.): 3GPP TS 55.216 V6.2.0. 2003, Section 4.3 Function Definition, p. 10 (gsma.com [PDF; accessed January 23, 2014]; Memento from September 3, 2013 in the Internet Archive).
  11. Orr Dunkelman, Nathan Keller, Adi Shamir: A Practical-Time Attack on the A5/3 Cryptosystem Used in Third Generation GSM Telephony. (PDF; 243 kB) January 10, 2010, accessed February 5, 2014.
  12. Deutsche Telekom: Telekom increases eavesdropping protection in mobile communications. In: telekom.de. December 9, 2013, accessed February 3, 2014.
  13. Data protection. Telekom introduces new encryption technology for cell phone calls. In: WirtschaftsWoche Online. December 7, 2013, accessed February 3, 2014.
  14. Karsten Nohl: Mobile self-defense [31c3] (SnoopSnitch). In: youtube.com. December 28, 2014, accessed January 7, 2015.
  15. European Telecommunications Standards Institute: ETSI TS 155 226 V9.0.0. 2011, Introduction (etsi.org [PDF]).