gsm.txt
da1e76511d49951d1ddcae0c23de4d4be9ebe9ff61c3b205668649cabcec539e
Article: 3273 of mail.cypherpunks
Xref: news.gw.com mail.cypherpunks:3273
Path: news.gw.com!ngw.gw.com!not-for-mail
From: rishab@dxm.ernet.in (Rishab Aiyer Ghosh)
Newsgroups: mail.cypherpunks
Subject: More GSM crypto/auth details
Message-ID: <TX225c10w165w@dxm.ernet.in>
Date: 21 Apr 95 15:42:40 GMT
References: <9504192330.AA05883@sharpwa.com>
Sender: owner-cypherpunks@toad.com
Distribution: mail
Organization: Deus X Machina
Lines: 137
Bhaktha finally responded to my GSM enquiries. So A3 and A8 are placeholders,
not defined crypto algorithms...
-Rishab
KESHAVAC.SMTMHS@smtmhs.sharpwa.com (Bhaktha Keshavachar) writes:
[...]
> First the phones and the network per se have nothing to do with
> authentication
> in GSM. The key is the SIM in the MS and the HLR and VLR databases in the
> network. Further A3 (the authentication algorithm) and A8 (for generating
> the
> ciphering key) are NOT speced in the GSM docs. The A5 (the actual
> encryption algorithm) is the same all over the world (to guarantee
> interoperability) and is available from ETSI under strict copyright
> conditions.
>
> Now when an operator decides to start a GSM network he buys equipment
> from the telecom companies with the databases empty and the A3/A8
> unspecified
> still. Now the operator decides on algorithms A3 and A8 and programs it in
> all
> the SIM's (which he will distribute to end customers) and in the network
> database.
>
> When a customer wants GSM service he buys an off-the-shelf GSM compatible
> phone and goes to the service provider for getting his SIM card. A GSM phone
> without the SIM is not capable of making any calls except the 112 emergency
> call.
> The customer gets a new phone number (MSISDN), the directory entry with the
> SIM. In addition the operator programs another number called Ki and updates
> the customer database on the network with the Ki. Note that the Ki is never
> transmitted by air or otherwise. The SIM is designed in such a way that
> the customer cannot read the Ki from the SIM under any condition.
>
> The SIM has just an interface for running the A3 and A8 algorithms and
> getting
> the response back. So now when the mobile needs service from the network
> (like a location update or a call) he identifies himself with his number.
> The network
> challenges it with a 128 challenge (RAND). This RAND is given to the SIM.
> The SIM
> runs the A3 and A8 algorithm and gives back SRES (a 32-bit response) and Kc
> (the 64-bit ciphering key). The SRES is returned to the network over the air
> to the network.
>
> RAND Ki
> | |
> | |
> -------------------
> | |
> | |
> | A3 |
> | |
> -------------------
> |
> |
> SRES
>
>
>
> RAND Ki
> | |
> | |
> -------------------
> | |
> | |
> | A8 |
> | |
> -------------------
> |
> |
> Kc
>
> The network performs the same calculation and compares the SRES from
> the mobile and its own value.If both are the same the mobile is
> who it claims and is successfully authenticated. This is fairly
> foolproof as the A3 and A8 is not known to anyone as also the Ki
> (the cornerstone of all security in GSM). Hope that makes that it
> clear the authentication procs in GSM.
>
> In addition when the mobile is in a foriegn operator region, the
> visited network gets in advance a challenge response pair from the
> customer's home network and uses it to authenticate the user. Thus
> even other networks do not have a knowledge of the home A3/A8/Ki
> of the visiting customer.
>
> The Kc generated in the authentication process (by A8) is used for
> encryption. After successful authentication both the network and
> the MS have the same Kc and encryption can thus be started immediately.
> In GSM each burst of transmission has 114 bits. The Kc and the present
> TDMA frame number is used to generate a 114 bit enciphering sequence
> (A5) which is added to each burst of transmission and thus securely
> enciphered. Thus we see that the ciphering key never goes on the
> air and A5 as such is not public domain. But maybe, just maybe
> the code for A5 will be known more freely than now ! Imagine the
> A5 on the net ! Just kidding :-) BTW I do not have access to A5
> and probably will not have in future too as I work on the protocol
> stack and not layer 1 mechanisms where the A5 should be embedded.
>
>
> Kc TDMA frame number
> | |
> | |
> ---------------------------------
> | |
> | A5 |
> | |
> | |
> ---------------------------------
> |
> |
> 114 bit enciphering sequence
>
> Now I am not sure whether a new Kc is generated for every call. This
> is an option left to the discretion of the operator. There are other
> security mechanisms in GSM defined like allocating TMSI (a 32 bit
> secret temporary number to customer on his first authentication)
> and using it thereafter. More about that later in a later mail if
> you are still interested. On the test equipment where we have
> detailed I have seen authentication for each call even after
> a successful location update.
>
> Hope the explanation helps.
>
> Regards,
> -Bhaktha
>
----------------------------------------------------------------------
Rishab Aiyer Ghosh For Electric Dreams subscriptions
rishab@dxm.ernet.in and back issues, send a mail to
rishab@arbornet.org rishab@arbornet.org with
Vox +91 11 6853410 Voxmail 3760335 'help' in lower case, without
H 34C Saket, New Delhi 110017, INDIA the quotes, as the Subject.