The A5 Cracking Project

NEWS: We have created a PRIVATE A5 mailinglist. If you feel you have something to contribute to the project please contact steve [at] segfault.net. The reason for this has been explained on the public mailinglist a5 [at] lists.segfault.net.

NEW: The CCC Camp07 GSM Software Project and A5 Cracking Talk video is available. There is also one video from Blackhat Washington. The final attack and a live demonstration will be given at a selected security conference in March 2008.

Powered by EFF.

2008-02-22: Our project received some media. Some people had questions and I decided to answer them here:

1) The 30-60 minutes cracker cost 1.000 USD. You need 2x1TB harddrives and a LX50 FPGA.
2) The 1.000 USD cracker can crack any A5/1 communication regardless how long. E.g. 10 seconds or 10 minutes does not make a difference. It still requires 30-60 minutes to crack. The intercepted ciphertext is passed to the cracker which returns the plaintext after 30-60 minutes.
3) SMS/Text messages can be cracked as well.

1. LICENSE

              GSM Software Project License
                 Version  1, January 2007

All code, information or data [from now on "data"] available from the GSM Software Project or any other project linked from this or other pages is owned by the creator who created the data. The copyright, license right, distribution right and any other rights lies with the creator.

It is prohibitied to use the data without the written agreement of the creator. This included using ideas in other projects (commercial or not commercial).

Where data was created by more than 1 creator a written agreement from each of the creators has to be obtained.

Please contact steve [at] segfault.net for any questions.

2. About

We are security enthusiasts. Our goal is to implement a system that can crack A5/1. Our results will be used with the GSM Software Project to demonstrate weaknesses in GSM. The A5 algorithm has been broken (in theory) in 1998 but it's still widely used. The mobile operators still insist that the GSM customers (that's you and me!) are protected and that our data is safe.

We want to bring together all the folks who worked on the theory of cracking A5/1.

Subscribe to our mailinglist by sending an email to a5-subscribe [at] lists.segfault.net

3. How you can help

1. Add links and information to this page or send them to steve at segfault.net
2. Sponsor us! We need hardware, books and coffee!
3. Come up with smart ideas.

4. TODO

1. Come up with example data (e.g. first encrypted burst from BTS to MS and first burst from MS to BTS).
2. Enhance the attack on A5/1
3. Implement a A5/2 crack.

5. Requirements

The project comes in stages.

1. Understand current state of A5/1 cracking (THAT'S WHERE WE ARE IN NOW!)
2. Implement A5/2 crack (the weaker of both algorithms)
3. Implement one of the many A5/1 cracks from the academic papers
4. Research and Implement new ways to crack A5/1

Our ultimate goal is to crack A5/1:

1. by only intercepting data (passiv)
2. require less than 4Terabyte HD.
3. able to decrypt short encrypted bursts (like SMS, last less than 0.1 seconds).
4. Cracking time less than 1 day.

6. The A5 Buster

We are working on putting the hardware together. Here are some pictures of how the system looks like for cracking A51 in 30 seconds.

First picture of our server with hdd's mounted:

First picture of our 16 FPGA cluster card:

7. A5 weakness

A5 is weak. That's A5/1 and A5/2. When you look at the algorithm it just gives you a bad feeling.

1. The registers are to small
2. The trap registers are all on one side
3. The 3 LSFRs do not mix results amoung each other
4. Protocol implementation is faulty: An attacker can record all encrypted traffic. If the attacker gains access to the sim at any point in the future he can decrypt all traffic sniffed in the past. This works by putting the sim card into a sim reader and running the gsm_runalgorithm() function on the sim. The sim will decode any traffic without us knowing the Ki. This attack requires access to the sim for 30 seconds and can decode any GSM converstation that happened in the past.
5. etc etc etc

7.1. Entropy check

I did a quick example to visualize the entroypy. Crypto people love entropy. An easy way to visualize the entropy is to generate a picture of the relationship between two, three or four successive numbers generated by the algorithm. Ideally we should not see any structure. All pixels should be distributed randomly. lcamtufs ISN analyzsis explains more details about this method.

I use a matlab script to generate the graphics. x.txt contains the output of the a5/1 key initialization algorithm.

a = 0;
b = 0;
c = 0;
d = 0;

XD = 256;
YD = 256;
ZD = 256;

M = dlmread('x.txt', ' ');
V = M(2,2)
I(1:((XD - 1) * 2), 1:((YD - 1) * 2)) = 0;
for i=1:25600
        x = b - a; % -255 .. 255
        y = c - b; % -255 .. 255
        z = d - c; % -255 .. 255
        I(x + XD, y + YD) = cast(z + (ZD - 1), 'double') / ((ZD-1) * 2);
        a = b;
        b = c;
        c = d;
        d = cast(mod(M(i, 1),256), 'int16'); % val between 0..255
        %d = cast(rand(1,1) * XD, 'int16'); % val between 0..255
end

imshow(I);

Figure 1: Key set to 0. FrameNumber runs from 0-25600. We can see a structure. There is a relationship between the key state with FrameNumber N and the key state with FrameNumber N - 1.

TODO: add more.

7.2. Symmetry

Let A51 operator on a keystate to generate an output. Let A51 operate on the inverse of the keystate. Observe that the first few bits of both outputs are the same.

Question: Can this be exploited? Might be able to exploit this for TMTO. This might half our time. In addition of processing 'keystate' in the online phase attack also process keystate[63..10](+)^keystate[9..0].

8. A5/GSM encryption example

TODO: write down how a5 works and how the data looks that is encrypted and what the first encrypted message from/to basestation is and which bits are static/known/guessable.

The Frame Number (FN) wrapps around every 3h 28min 53 sec and 750ms.

A layer 1 GSM message is 23 octet long.

How to encode 1 GSM message (after padding):

1. 23 * 8 = 184 bit content data per GSM message. [Output: 184 bit]

2. Add 40 bit fire code (crc) and 4 bit tail (0x00). [Output: 228 bit]

3. Convolutional encode the 228 bit. This duplicates the number of (known) bits. [Output: 456 bit]

4. Interleave the 456 bit. [Output: 456 bit]

5. Chop the 456 bit into 8 packs, each 57 bit long. Take the first two 57 bit chunks and send them in the first GSM burst. The 3rd and 4th are send in the second GSM burst and so on and so on.[Output: 4x114 bit]

6. The frame number is known and incremented for each GSM burst. A5 is reinitialized for _each_ burst. This means each burst is encoded under the same Kc but under a different frame number. The A5 state is thus different for each GSM burst.

9. Misc Ideas

1. Shall we do a brute force with FPGA or do a smart attack as outlined in the 2001 paper?
2. Can we use the weakness in A8/A3 to calculate Kc for A5/1?
3. What happened to the cypherpunks mailinglist? The LNE links seem to be down! Anyone?
4. I'm not concerned if we need 50 FPGA's or 4TB or harddrives. Some people say that it's not practical to carry 4TB of harddrives in a rucksack. We can always host the solution and when on a cracking mission the challenge can be send (via sms?) to the hosted Cracking Server which sends the results back after a couple of seconds.
5. Can we devide the A5/1 cracking problems into smaller problems and solve each on its own? This means finding a new attack against A5/1.

9.1. FPGA Ideas

9.1.1. Brute Force

Some initial thoughts on A5/1 and FPGA. All this needs to be calculated more precisely.

Each clock cycle the A5 implementation should output 64 bit of streamcipher. We can put multiple A5 implementations on the same FPGA chip. The calculation is based on a pipelined implementation of A5.

The three LSFR registers are in total 19 + 22 + 23 = 64bit long. The first LSFR requires 5 Logical Units (LU's, e.g xor). The second requires 3 LU's and the last one requires 5 LU's. All together 13 LU's and 64 bit. The Trap register add's 1 LU per LSFR. Makes 16 LU's and 64bit.

Generating the state (with key and FrameNumber (FN)) requires 64 + 22 = 88 steps. This is followed by another 100 cycles. Each of the 100 cycles requires 1 LU less per LSFR. After these 100 cycles we want to generate about 64 bit of output (e.g. enother 64 cycles).

1. LU's: 16 * 88 + 13 * 100 + 13 * 64 = 3540
2. Registers: 64 * 88 + 64 * 100 + 64 * 64 = 16128

After 88 + 100 + 64 cycles we will start seeing 64 bit of stream cipher output for each cycle.

This is all not optimized. We do not need the first 9 steps because the Tap register only start at bit 8. we also do not need all the LU's or registers for the first 18 steps because the first LSFR is not fully used until step 18. Same for the last 64 steps. For each of the last 64 steps we only need 2 LU's and 1 register less for each step.

We decided to use Xilinx. Altera is a good choice as well but at the moment most of us worked with xilinx before.

The Virtex-5 from Xilinx LX330 has 330.000 LU's and runs at 500 Mhz. That brings us down to 4 days per development board?! But the boards and chips are to expensive. Better to stick with LX50.

9.1.2. Brute Force II

Some more precise calculation by David Hulton:[[BR]] The LX50 can run at 200-300Mhz and cost $300 each (just the chip, without dev board). I pipelined my version of A5/1 and came up with some rough numbers on the Virtex-5 LX50. This is purely just computing the 186 clock cycles for setup and only computing a single bit of output from the pipeline on each clock cycle. I'm sure we could optimize it a little bit but once we factor in the overhead of doing the key compares and other bridge code it probably won't be much less than the numbers here..

With this design, we will probably only be able to fit 4 fully pipelined instances of A5/1 on here unless we can hand-optimize the placement better than the Xilinx tools and code in some of the shortcuts that you mentioned on the a5 cracking page. I'll work on this a bit more and see if I can reduce the logic down.

Slice Logic Utilization:
  Number of Slice Registers:                 7,289 out of  28,800   25%
    Number used as Flip Flops:               7,289
  Number of Slice LUTs:                      6,968 out of  28,800   24%
    Number used as logic:                    6,566 out of  28,800   22%
      Number using O6 output only:           6,566
    Number used as Memory:                     402 out of   7,680    5%
      Number used as Shift Register:           402
        Number using O6 output only:           402

Slice Logic Distribution:
  Number of occupied Slices:                 2,670 out of   7,200   37%
  Number of LUT Flip Flop pairs used:        7,292
    Number with an unused Flip Flop:             3 out of   7,292    1%
    Number with an unused LUT:                 324 out of   7,292    4%
    Number of fully used LUT-FF pairs:       6,965 out of   7,292   95%
    Number of unique control sets:               2

  A LUT Flip Flop pair for this architecture represents one LUT paired with
  one Flip Flop within a slice.  A control set is a unique combination of
  clock, reset, set, and enable signals for a registered element.
  The Slice Logic Distribution report is not meaningful if the design is
  over-mapped for a non-slice resource or if Placement fails.

IO Utilization:
  Number of bonded IOBs:                        88 out of     220   40%

Specific Feature Utilization:
  Number of BUFG/BUFGCTRLs:                      1 out of      32    3%
    Number used as BUFGs:                        1

Total equivalent gate count for design:  155,730
Additional JTAG gate count for IOBs:  4,224

9.1.3. possible boards

• ML501 Xlinix LX50 ($955)

• PicoComputing E-16 LX50 ($2.000)

The LX330 boards cost $5.000. Because we can put 4x more a5/1 implementations on them and they run 6.6x faster it might be worth it.

9.2. Rainbow Table

Traditional rainbow tables take the key as input. Our key is 88 bit (of which the last 22 bit are the known Frame Number). We can not generate a rainbox table for 2^88 key combinations.

9.2.1. Idea I

The state table of all 3 LSFR's combined is just 64 bit. The A5 initialization process (e.g. seeding in key + FN and mixing it 100 cycles) is reverseable. Thus once we know the key state we can compute the key easily. Generating rainbow tables for 64 bit keys is difficult (TODO: calculate how difficult and how many FPGA's required).

This attack would work regardless of the frame number and regardless of the key length (54, 64 or 128 bit). It also uses less LU's than the normal key brute force implementation.

All 3 LSFR can be stuck together to get one 64bit register: | R1 19bit | R2 22bit | R3 23bit |

Rought idea of generating rainbow table with 2^36 tables:

1. Start with key state bit 35..0 is set to 0000..001. Bit 63..36 is set to 0.

2. RainbowtableNumber++; Entries = 0;

3. Calculate 64bit output from this keystate. Entries++;
4. If output's bit 63..36 are all 0 then stop this rainbow table. Otherwise take 64 bit usefull output and use this output as state. Repeat 3.
5. Increment value in bit 35..0 by 1 (e.g. start next rainbow table). Repeast 2.

Problems:

1. What happens if we never hit a state that has bit 63..36 to all 0s (e.g. if we are stuck in a loop)? Break loop after a maximum number of iterations and call it an 'unlucky' rainbow table which is handles specially?
2. Using bit 63..36 is just an example. In fact any number of bits (in sequence or not in sequence) can be used.

9.2.2. Idea II

(This Idea is now obsolete)
Maybe it's enough to generate a rainbow table for FrameNumber 0. Calculating all 2**54 keys with an FPGA and generating a rainbow tables is a matter of days (e.g. possible). Can a rainbow table generated with FrameNumber == 0 be used to decrypt packets that do not have Frame Number set to 0?

9.2.3. Idea III

Is it possible to reduce a LSFR register? By this i mean exist there a shorter LSFR register that would produce the same output (for a certain class of keys)?

9.2.4. Idea IV

We do not need to generate rainbow tables for all possible keystates. Let's assume we generate rainbow tables for 1/4 of all keystates (e.g 62bit). If we sniff 64 bit known plaintext our chances that we can crack it with the rainbow table is 25%.

A5 is reversable: Let N be the index of current working bit of the A5 algorithm (e.g. after N bits of output have been produced and N bit of plaintext have been encrypted). Let keystate(N) be the state of the keystate after N bits have been produced. Let plaintext(N) be the N-th bit of the plaintext. It is possible to calculate keystate(N-1) if keystate(N) and plaintext(0..N) is known.

Let's assume we know 65 bit of plaintext. We first try to find a match in the rainbow table for bit 0..63 and then we try to find a match for bit 1..64. The probability for 65 bit known plaintext it is already 1 - (3/4)**(65 - 64 + 1) = 43.75%. For 80 bit known plaintext it is 1 - (3/4)**(80 - 64 + 1) = 98.997%.

Let's get this further down: Generate 1/64 of all rainbow tables (which makes it a 58bit problem): If we get 128 bit of known plaintext our chances of decoding it are 1 - (63/64)**(128 - 64 + 1) == 64% or 95% if 256 bit of plaintext are known.

The maximum number of bits that are encrypted under the same keystate is 114. There are 4 bursts of 114 bit and the plaintext of each of the bursts is known. For each burst the propability of cracking it with only 1/64th of the rainbow table is:
1-(63/64)^(114 - 64 + 1) = 55.2%
Considering that we have a 55.2% chance for each of the 4 burst:
1 - (1 - 0.552)**4 = 95.97%

Limitation: It is obivous that this is working if we are dealing with successive bits of plaintext. It is less obvious that this also works as long as the 65 bit plaintext as distributed equaly (FIXME: can we optimize this?).

1. Does NOT work: bit 0..63 in one sequence followed by some unknown plaintext followed by bit 64 of known plaintext.
2. DOES work: plaintext bit 0 followed by 1 unknown plaintext bit followed by known plaintext bit 1, followed by unknown plaintext bit followed by known plaintext bit 2, ... until 64.

Further optimization:

1. Do this over multiple messages (e.g. if we know 128 bit in the first packet and another 128 bit in the second message it dramaticaly increases our chances of finding the key state in one of our rainbow tables).
2. Remember that for each message the BTS sends the MS also sends a message. Again, increasing our chances.

9.2.5. Idea V

Anderson and Roe's attack is further described in A5/1 FPGA cracking.
We calculated in Nov07 that roe&anderson would take 7h on our cluster.

Calculating Rainbow tables for this is the next challenge. Combing this with Idea IV makes it a 41-6 = 35 bit problem.

9.2.6. Idea VI

Are there 'useless' bits in R2? It only has two trap registers. Does this help us calculating the value of others?

9.3. TMTO modified for A5/1

FPGA developers WANTED. Please contact steve at segfault.net if you can turn the following pseudocode into the lasted FPGA implementation (and decide for a FPGA of your choice). We are currently using Xilinx LX50. Is there a better/cheaper option?

9.3.1. Verbal Description

Generating tables for a A5 TMTO attack:

1) The total number of tables is $max_tables. Each table
   is generated in the same way except that a different reduction function
   is used.

   One table contains many chains. Each chain starts with a different
   $StarPoint.

   A chain is represented by the $StartPoint, $EndPoint and
   number of links between $StartPoint and $EndPoint. The number of
   links is also called the 'chain length'.

2) A chain starts with a $StartPoint and ends in a Distinguished
   Point $EndPoint. A chain ends when the last x bits of the $output are
   all 0.

3) A link in a is chain is generated by:
   - Set A5 state to $state
   - Generate 64 bit of A5 output by clocking the $state 64 times.
   - Generate new $state by applying reduction function to $output.

Summary:
Many links make up a chain. Many chains make up a table. Many tables make up
a A5 TMTO attack.

Notes:
- One core generates one table
- Multiple cores fit onto 1 FPGA
- A chain is considered looping if the chain length gets longer than 10 times
  the expected chain length and still no $EndPoint was found.
- Each table is sorted by $EndPoint and then compressed.

9.3.2. C Reference Implementation

The reference implementation computes 1 table. This version is around 6000 times slower than the FPGA implementation.

Download: A5DemoBusterTableGen.c

Compile:

gcc -Wall -O3 -march=pentium4 -o A5DemoBusterTableGen A5DemoBusterTableGen.c

9.3.3. Pseudocode

/* All variables are 64 bit */

/* Parameter */
$EndPoint_Bit = 27
$max_tables = 156
$max_number_chains = 2^36

/* Global Variables & Initialization */
GLOBAL $g_EndPoint_Mask = (1 << $EndPointBit) - 1
GLOBAL $g_ReductionFunction


FOR $table==0 TO $max_tables DO
        /* At the moment the reduction function is XOR with the table number */
        $g_ReductionFunction = $table;
        table_gen()
DONE


/*
 * A Table contains multiple chains. Each chains consists of
 * 1 Start Point and 1 End Point.
 */
FUNCTION table_gen()
{
        FOR $number_chain==0 TO $max_number_chains - 1 DO
                /* At the moment the Start Point for each chain is the
                 * current chain number.
                 */
                $StartPoint = $number_chain
                $looping = a5_until_endpoint($StartPoint, &$EndPoint, &$Len)
                IF $looping == FALSE
                        OUTPUT($StartPoint $EndPoint, $Len);
        DONE
}


FUNCTION table_start_point($number_chain)
{
        /* At the moment the start point of each chain is the Chain Number */
        RETURN $number_chain
}

/*
 * INPUT:
 * - $StartPoint
 * RETURN:
 * - $EndPoint contains the EndPoint
 * - $Len contains the number of links in this chain
 * - Return value is boolean. True if EndPoint could not be found. False
 *   otherwise.
 */
FUNCTION a5_until_endpoint($StartPoint, &$EndPoint, &$Len)
{
        $state = $StartPoint;
        $chain_links = 0

        WHILE TRUE DO
                $output = a5_clock($state);
                IF is_endpoint($output) THEN
                        &$EndPoint = $output
                        &$Len = $chain_links
                        RETURN FALSE
                /* Check if we are looping */
                $chain_links = $chain_links + 1
                IF ($chain_links > $g_ChainLinks_Max * 10)
                        RETURN TRUE
                /* If not looping apply reduction function and generate
                 * new state.
                 */
                $state = $output XOR $g_ReductionFunction
        DONE
}

FUNCTION a5_clock($state)
{
        /* Clock state for 64 clocks */
        /* Store output in $output and return $output */
        RETURN $output
}

/*
 * Return true if the last $g_EndPoint_Bit of $EndPoint are
 * all 0
 */
FUCTION is_endpoint($EndPoint)
{
        IF $EndPoint & $g_EndPoint_Mask == 0
                RETURN TRUE
        RETURN FALSE
}

10. Resources

1. CS-2006-07-cracking-a5.pdf Barkan, Biham and Keller. Most recent research paper about cracking A5/1.

2. PHD-2006-04.pdf Elad Pinhas Barkan, Cryptoanalyzis of Ciphers (A5, Rainbow tables)

3. GsmSecurity.pdf 15 Dec 2006, Stausholm, Dahl. Explaining A5 and different attack vectors.

4. 2000, Biryukov, Shamir, Wagner (WWW). (PDF) Real Time Cryptanalysis of A5/1 on a PC.

5. Time/Memory/Data Trade-off Attacks

6. A5/1 FPGA crack

7. ekdahl-03-a51a.pdf Different Attack. Requires 2-5 mins of data. Not practical but good A5 explanation.

8. Ross Anderson original email posting.

9. a5-1-2.c Most recent A5/1 and A5/2 implementation by Marc Briceno.

10. a3a8.txt A3 and A8 implementation by Briceno, Goldberg and Wagner.

11. A5/3 and 3G algorithm.

10.1. List of used encryption around the World

Known GSM Netowrk Encryption usage
Version 1.12 8th December 2005
gsm_network_encryption_list.csv
If you have updates (what about France??) please send an email to steve at segfault.net.

Converting the CSV to wiki table:

cat gsm_network_encryption_list.csv | sed 's/"//g' | while read x; do echo "||`echo "$x" | sed 's/,/||/g'`||"; done

History: When A5/1 came out mostly germany (as the bordering country to the soviet block) wanted to implement strong encryption. Other Nato members (led by france) were worried that the middle east would use strong encryption. Thus they cut a deal to come up with a weaker version, A5/2. These days both (A5/1 and A5/2) have been broken. A5/3 has not been seen in the wild yet.

Other comments:

1. No encryption in Russia/Ukraine, during emergencies (which can last weeks!)
2. No encryption if BTS is under load (can somebody confirm??)
3. No encryption in germany during HLR/VLR outages
4. In some arab countries without reason some areas without encryption.
5. SMS are sometimes unencrypted even when TCH is encrypted.

10.2. How to check if A5/1 is used

There are two ways. You can either use Nokia's Netmonitor (aka Field Tester) or you can use any dct3 mobile (like the nokia 3310) and gammu + PC to find out. The netmonitor is the easier way because you do not need a PC. The netmonitor software runs on many famous mobiles phones (nokia 6630, 6680, n70, sony erricson, ..)

1. Make sure your phone is using GSM (and not 3G/UMTS or DUAL). Go to Menu -> Tools -> Settings -> Network -> Network mode and switch to GSM.

2. Install the netmonitor by connecting your phone to the PC (via usb cable).
3. Launch netmonitor
4. Go to screen 1.10. Send a SMS to the phone. See if the 'Ciphering val' changes from OFF to something else.
5. Go to screen 1.10. Call the mobile phone. See if the 'Ciphering val' changes from OFF to something else.
6. Send an email to steve [at] segfault dot net including the country, mobile operator and cipher used (See example results below).

Example how it looks like:

Results of this example:

• Date: 2007/05/25 09:32
• Country Code: 234
• Network Code: 10F
• Location area: 12124 (central london)
• A51 when receiving SMS
• A51 when receiving voice call
• Hopping: On

The other method is by using gammu and a dct3 trace mobile (like the nokia 3310) connected to the PC. Start a trace, make a phonecall and send in the out.xml file that gammu produces. See our main project page on how to use gammu and dct3 trace mobiles. Check the GSMSP Project for more infos on how to use gammu.

10.3. How to check if last 10 bit of Kc are set to 0

In 1997 it was discovered the the 10 least significant bit of the Kc are set to 0 by the GSM RUN ALGORITHM on the sim card. Since 2001 some sim cards fixed this flaw with the introduction of Comp128v2 and comp128v3.

It is unknown if the new Comp128 sets it to a different static pattern. The Mobile Operators denied to publish Comp128v3 and the worst has to be assumed.
You Need:

1. A Sim card reader

2. A Sim card Program to send APDU's (Gemplus SmartCard ToolSet PRO v3.3.6 (free trial version))

Commands:

1. Disable PIN1 on the phone

2. Send APDU 'SELECT DFgsm' (A0 A4 00 00 02 xx 7F 20)

3. RUN GSM ALGORITHM function (A0 88 00 00 10 xx FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF)

4. GET RESPONSE (A0 C0 00 00 0C xx)

5. Response format: <4 bytes SRES><8 bytes Kc>

6. Observe that 10 bits of the 64 bit output (last 8 bytes) are 0.

Screenshot:

10.4. Kc is only 44 bit

In 1997 it was discovered that the 10 least significant bit of the Kc were artificially set to 0.Setting 10 bit to zero makes a brute force attack on A5/1 1024 times easier. The crypto community was outraged. In 2001 the first sim cards appeared on the market that fixed this flaw.

Let's take a look of how RUN GSM ALGORITHM works with an old SIM:
GSM 11.11 section 9.2.16 RUN GSM ALORITHM
The algoritm returns 4 bytes of SRES (byte 1-4) followed by 8 byte of Kc (byte 5-12).
Quote: "The most significant bit of Kc is coded on bit 8 of byte 5."

For old sims the 10 _least_ significant bits (bit 1..10) of the Kc are set to 0.

Reading the Texas Instrument Digital Baseband Specification I learned that the Kc is wrongly mapped into the baseband which causes an additional 10 bit beeing set to 0.

The TI specification of the digital baseband describe how the Kc is mapped into the baseband. It shows that the 10 _most_ significant bit (55..64) are discarded.

This means that the SIM sets bit 1..10 to zero and the baseband discards bit 55.64 leaving only 44 bit.

Impact: The Kc is reduced to 54 bit for new sims and to 44 bit for old sims. This makes a brute force attack 1,024 or 1,048,576 times easier.

On the other hand the TI documentation might be wrong and bit 1 is in fact bit 11. This means that 10 bits are still set to 0 even for new sims.

10.5. HD Random Access Time

The cracking of A5/1 requires very fast random access to the harddrive. We are currently looking for the most performing harddrives and raids. If you have access to a raid with at least 8 disks please run this test for us.
Download: random_access.c

; The example assumes that the raid is available at /dev/sda and has 8 harddrives.
# gcc -Wall -O2 -o random_acccess random_access.c
# for x in `seq 1 8`; do ./random_access /dev/sda >log${x}.txt &; done
# cat log*.txt >results.txt

Send results.txt, the type of raid and the number of harddrives in the raid to steve [at] segfault.net.

== News Links ===

1. Wired: FBI GSM interception capabilities.

2. CCCCamp07 / Video A5 Cracking Project

11. Links

1. http://www.dia.unisa.it/professori/ads/corso-security/www/CORSO-9900/a5/Netsec/netsec.html

2. http://jya.com/crack-a5.htm local mirror

3. http://cryptome.org/a51-crack.htm

4. http://www.copacobana.org/

5. Program to benchmark Harddrive Random Access time: random_access.c