COMP128

from Wikipedia, the free encyclopedia

COMP128 is an implementation of the algorithms A3 and A8 specified for the GSM network. A3 is used to authenticate the mobile station to the network or AuC (Authentication Center), while A8 is used to generate a session key for encrypted transmission between the mobile station (mobile phone) and the BTS (for voice connections) or the SGSN (with GPRS).

Technical details of the originally confidential implementation were made public in 1998 through reverse engineering.

COMP128 works with 9 rounds; the core of the algorithm is a hash function. This hash function produces a 128-bit hash value from a 256-bit input. It is based on a butterfly structure. The output of the algorithm contains the response used for authentication and the session key for the A5 stream cipher, which is used to encrypt the voice transmission.

Let X[0..31] be the 32-byte input of the hash function, with K := X[0..15] the key of the target SIM card and X[16..31] the challenge sent by the station. Let the tables T0[0..511], T1[0..255], T2[0..127], T3[0..63] and T4[0..31] be the secret permutation tables. The input then passes through the following compression 8 times (according to [HP00], see web links):

For i = 0 to 4 do:
  For j = 0 to 2^i - 1 do:
    For k = 0 to 2^(4-i) - 1 do:
      s = k + j * 2^(5-i)
      t = s + 2^(4-i)
      x = (X[s] + 2*X[t]) mod 2^(9-i)
      y = (2*X[s] + X[t]) mod 2^(9-i)
      X[s] = Ti[x]
      X[t] = Ti[y]

After each permutation, the 16 bytes of output are stored in X[16..31] and K is stored again in X[0..15].

COMP128 is considered insecure because the hash does not adequately scatter small changes in the input. Due to the birthday paradox, this can be exploited in a collision attack in such a way that the entire key can be extracted within the SIM card queries.
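The weak diffusion can be measured directly on the butterfly loop above. The following is an added example, not part of the original article: it runs a single compression pass (not the full algorithm) and records which state bytes differ after each level when one challenge bit is flipped. The tables are constructed random stand-ins, not the real COMP128 tables, and all function names are hypothetical.

```python
import random

def make_tables(seed=1):
    """Constructed stand-in tables, NOT the real COMP128 tables.
    T_i has 2^(9-i) entries as in the article; keeping values below
    2^(8-i) is an assumption of this sketch."""
    rng = random.Random(seed)
    return [[rng.randrange(1 << (8 - i)) for _ in range(1 << (9 - i))]
            for i in range(5)]

def compress_trace(X, T):
    """Run the five butterfly levels once; return the state after each level."""
    X, states = list(X), []
    for i in range(5):
        for j in range(1 << i):
            for k in range(1 << (4 - i)):
                s = k + j * (1 << (5 - i))
                t = s + (1 << (4 - i))
                x = (X[s] + 2 * X[t]) % (1 << (9 - i))
                y = (2 * X[s] + X[t]) % (1 << (9 - i))
                X[s], X[t] = T[i][x], T[i][y]
        states.append(list(X))
    return states

def diffusion(key, chal_a, chal_b, T):
    """Per level, the positions where the states of the two inputs differ."""
    a = compress_trace(key + chal_a, T)
    b = compress_trace(key + chal_b, T)
    return [[p for p in range(32) if sa[p] != sb[p]] for sa, sb in zip(a, b)]

def reachable(pos, level):
    """Positions a change at `pos` can influence after `level` (0-based)."""
    step = 1 << (4 - level)
    return [p for p in range(32) if p % step == pos % step]

if __name__ == "__main__":
    T, rng = make_tables(), random.Random(2)
    key = [rng.randrange(256) for _ in range(16)]    # constructed key
    chal = [rng.randrange(256) for _ in range(16)]   # constructed challenge
    chal2 = list(chal)
    chal2[3] ^= 0x01                                 # flip one bit of X[19]
    for lvl, diff in enumerate(diffusion(key, chal, chal2, T)):
        bound = len(reachable(19, lvl))
        print(f"level {lvl}: {len(diff):2d} bytes differ (at most {bound}): {diff}")
```

After the first level a change in one challenge byte can reach only 2 of the 32 state bytes, after the second only 4; the whole state is covered only at the last level.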

Web links