Real Time Cryptanalysis of A5/1 on a PC
Authors
Abstract
A5/1 is the strong version of the encryption algorithm used by about 130 million GSM customers in Europe to protect the over-the-air privacy of their cellular voice and data communication. The best published attacks against it require between $2^{40}$ and $2^{45}$ steps. This level of security makes it vulnerable to hardware-based attacks by large organizations, but not to software-based attacks on multiple targets by hackers. In this paper we describe new attacks on A5/1, which are based on subtle flaws in the tap structure of the registers, their noninvertible clocking mechanism, and their frequent resets. After a $2^{48}$ parallelizable data preparation stage (which has to be carried out only once), the actual attacks can be carried out in real time on a single PC. The first attack requires the output of the A5/1 algorithm during the first two minutes of the conversation, and computes the key in about one second. The second attack requires the output of the A5/1 algorithm during about two seconds of the conversation, and computes the key in several minutes. The two attacks are related, but use different types of time-memory tradeoff. The attacks were verified with actual implementations, except for the preprocessing stage which was extensively sampled rather than completely executed.
REMARK: We based our attack on the version of the algorithm which was derived by reverse engineering an actual GSM telephone and published at http://www.scard.org. We would like to thank the GSM organization for graciously confirming to us the correctness of this unofficial description. In addition, we would like to stress that this paper considers the narrow issue of the cryptographic strength of A5/1, and not the broader issue of the practical security of fielded GSM systems, about which we make no claims.
* Computer Science department, The Weizmann Institute, Rehovot 76100, Israel.
** Computer Science department, The Weizmann Institute, Rehovot 76100, Israel.
*** Computer Science department, University of California, Berkeley CA 94720, USA.
Similar resources
Recent Cryptanalysis of GSM A5/1 Algorithm: What Does it Mean?
This issue of Wireless Security Perspectives focuses on GSM and the December 1999 article titled Real Time Cryptanalysis of the Alleged A5/1 on a PC (preliminary draft) by Alex Biryukov and Adi Shamir. The authors describe an attack on the GSM A5/1 traffic encryption algorithm and claim that by analyzing the output of the algorithm, one can recover the cryptographic key in less than a second us...
Cryptanalysis of GSM encryption algorithm A5/1
The A5/1 algorithm is one of the most famous stream cipher algorithms used for over-the-air communication privacy in GSM. The purpose of this paper is to analyze several weaknesses of A5/1, including an improvement to an attack and investigation of the A5/1 state transition. Biham and Dunkelman proposed an attack on A5/1 with a time and data complexity of $2^{39.91}$ and $2^{21.1}$, ...
Real Time Cryptanalysis of A5/1 on a
A5/1 is the strong version of the encryption algorithm used by about 130 million GSM customers in Europe to protect the over-the-air privacy of their cellular voice and data communication. The best published attacks against it require between $2^{40}$ and $2^{45}$ steps. This level of security makes it vulnerable to hardware-based attacks by large organizations, but not to software-based attacks on mu...
Using Volunteer Computing for Mounting SAT-based Cryptographic Attacks
In this paper we describe the volunteer computing project SAT@home, developed and maintained by us. This project is aimed at solving hard instances of the Boolean satisfiability problem (SAT). We believe that this project can be a useful tool for computational study of inversion problems of some cryptographic functions. In particular we describe a series of experiments performed in SAT@home on ...