Article: 3273 of mail.cypherpunks Xref: news.gw.com mail.cypherpunks:3273 Path: news.gw.com!ngw.gw.com!not-for-mail From: rishab@dxm.ernet.in (Rishab Aiyer Ghosh) Newsgroups: mail.cypherpunks Subject: More GSM crypto/auth details Message-ID: Date: 21 Apr 95 15:42:40 GMT References: <9504192330.AA05883@sharpwa.com> Sender: owner-cypherpunks@toad.com Distribution: mail Organization: Deus X Machina Lines: 137 Bhaktha finally responded to my GSM enquiries. So A3 and A8 are placeholders, not defined crypto algorithms... -Rishab KESHAVAC.SMTMHS@smtmhs.sharpwa.com (Bhaktha Keshavachar) writes: [...] > First the phones and the network per se have nothing to do with > authentication > in GSM. The key is the SIM in the MS and the HLR and VLR databases in the > network. Further A3 (the authentication algorithm) and A8 (for generating > the > ciphering key) are NOT speced in the GSM docs. The A5 (the actual > encryption algorithm) is the same all over the world (to guarantee > interoperability) and is available from ETSI under strict copyright > conditions. > > Now when an operator decides to start a GSM network he buys equipment > from the telecom companies with the databases empty and the A3/A8 > unspecified > still. Now the operator decides on algorithms A3 and A8 and programs it in > all > the SIM's (which he will distribute to end customers) and in the network > database. > > When a customer wants GSM service he buys an off-the-shelf GSM compatible > phone and goes to the service provider for getting his SIM card. A GSM phone > without the SIM is not capable of making any calls except the 112 emergency > call. > The customer gets a new phone number (MSISDN), the directory entry with the > SIM. In addition the operator programs another number called Ki and updates > the customer database on the network with the Ki. Note that the Ki is never > transmitted by air or otherwise. The SIM is designed in such a way that > the customer cannot read the Ki from the SIM under any condition. > > The SIM has just an interface for running the A3 and A8 algorithms and > getting > the response back. So now when the mobile needs service from the network > (like a location update or a call) he identifies himself with his number. > The network > challenges it with a 128 challenge (RAND). This RAND is given to the SIM. > The SIM > runs the A3 and A8 algorithm and gives back SRES (a 32-bit response) and Kc > (the 64-bit ciphering key). The SRES is returned to the network over the air > to the network. > > RAND Ki > | | > | | > ------------------- > | | > | | > | A3 | > | | > ------------------- > | > | > SRES > > > > RAND Ki > | | > | | > ------------------- > | | > | | > | A8 | > | | > ------------------- > | > | > Kc > > The network performs the same calculation and compares the SRES from > the mobile and its own value.If both are the same the mobile is > who it claims and is successfully authenticated. This is fairly > foolproof as the A3 and A8 is not known to anyone as also the Ki > (the cornerstone of all security in GSM). Hope that makes that it > clear the authentication procs in GSM. > > In addition when the mobile is in a foriegn operator region, the > visited network gets in advance a challenge response pair from the > customer's home network and uses it to authenticate the user. Thus > even other networks do not have a knowledge of the home A3/A8/Ki > of the visiting customer. > > The Kc generated in the authentication process (by A8) is used for > encryption. After successful authentication both the network and > the MS have the same Kc and encryption can thus be started immediately. > In GSM each burst of transmission has 114 bits. The Kc and the present > TDMA frame number is used to generate a 114 bit enciphering sequence > (A5) which is added to each burst of transmission and thus securely > enciphered. Thus we see that the ciphering key never goes on the > air and A5 as such is not public domain. But maybe, just maybe > the code for A5 will be known more freely than now ! Imagine the > A5 on the net ! Just kidding :-) BTW I do not have access to A5 > and probably will not have in future too as I work on the protocol > stack and not layer 1 mechanisms where the A5 should be embedded. > > > Kc TDMA frame number > | | > | | > --------------------------------- > | | > | A5 | > | | > | | > --------------------------------- > | > | > 114 bit enciphering sequence > > Now I am not sure whether a new Kc is generated for every call. This > is an option left to the discretion of the operator. There are other > security mechanisms in GSM defined like allocating TMSI (a 32 bit > secret temporary number to customer on his first authentication) > and using it thereafter. More about that later in a later mail if > you are still interested. On the test equipment where we have > detailed I have seen authentication for each call even after > a successful location update. > > Hope the explanation helps. > > Regards, > -Bhaktha > ---------------------------------------------------------------------- Rishab Aiyer Ghosh For Electric Dreams subscriptions rishab@dxm.ernet.in and back issues, send a mail to rishab@arbornet.org rishab@arbornet.org with Vox +91 11 6853410 Voxmail 3760335 'help' in lower case, without H 34C Saket, New Delhi 110017, INDIA the quotes, as the Subject.