Unlock the full potential of your projects.
Show full map
Copy and edit map Copy

Rainbow Tables for A5/1

Luke O'Connor
Get Started. It's Free
or sign up with your email address
Similar Mind Maps Mind Map Outline
Rainbow Tables for A5/1 by Mind Map: Rainbow Tables for A5/1

1. Author Info

1.1. Map completed Sept 14, 2009 by Luke O'Connor

1.2. Link to my blog post based on this map

2. Main Source

2.1. HAR2009

2.1.1. At the recent Hacking at Random (HAR) conference, held from 13-16 August, Karsten Nohl detailed plans for cracking standard GSM cell phone encryption, known as A5/1, and making the results available for anyone to use. You can see a PDF of his presentation here.

2.1.2. announcement of a new project to attack the A5/1 GSM encryption

2.1.3. initiated by cryptography specialist Karsten Nohl

2.2. project page

3. Summary

3.1. Result

3.1.1. What

3.1.1.1. Security researcher Karsten Nohl is launching an open-source, distributed computing project designed to crack the encryption used on GSM phones and compile it into a code book that can be used to decode conversations and any data that gets sent to and from the phone.

3.1.2. How

3.1.2.1. With community assistance, he plans to pre-compute the secret keys and save them in a code book.

3.1.2.2. He estimates that the project will need 80 people dedicating their hardware and processing resources for about three months before the PoC is ready. However, with 160 people, the time can drop to about six weeks.

3.1.2.3. Each node will donate small portions of disk space, which will house part of the Rainbow Table that will be created and used to crack A5/1, and the fast GPUs will be used for the generation of, and lookup of, the nodes own table.

3.1.3. When

3.1.3.1. At the recent Hacking at Random (HAR) conference, held from 13-16 August, Karsten Nohl detailed plans for cracking standard GSM cell phone encryption

3.1.3.2. Nohl told The Tech Herald in an interview that the project expects to have a working proof-of-concept attack on A5/1, “…by the end of the year.”

3.1.4. Why

3.1.4.1. He hopes that by doing this it will spur cellular providers into improving the security of their services and fix a weakness that has been around for 15 years and affects about 3 billion mobile users.

3.1.4.2. "Clearly we are making the attack more practical and much cheaper, and of course there's a moral question of whether we should do that," he said. "But more importantly, we are informing (people) about a longstanding vulnerability and hopefully preventing more systems from adopting this."

3.2. Sound bites

3.2.1. Security researcher Karsten Nohl is launching an open-source, distributed computing project designed to crack the encryption used on GSM phones and compile it into a code book that can be used to decode conversations and any data that gets sent to and from the phone.

3.2.2. Now Mobile Europe has been contacted by Cellcrypt, whose CEO Simon Bransfield-Garth, said, "Everybody has known for quite some time that a theoretical hack of GSM existed. This news means that the theoretical risk will become a very real one within the next six months. Governments have taken steps to manage the threat for years and now this is a very worrying prospect for anyone that discusses valuable or confidential information over their mobile phone.”

3.2.3. “In our soon to be published research, undertaken amongst corporate users in the USA, 79% of people discuss confidential issues by phone every few days with 64% making such calls daily.”

3.2.4. Theoretical compromise presented at the Black Hat conference “…requires the construction of a large look-up table of approximately 2 Terabytes – this is equivalent to the amount of data contained in a 20 kilometre high pile of books.”

3.3. Impact

3.3.1. As well as normal telephone conversations, this would also allow text messages to be read, not just by state agencies with specialist equipment (for whom it is already a matter of course), but by anyone with the right equipment, costing just 1,000 euros.

3.3.2. His project, which if successful, will allow anyone with some RF equipment, patience, and a $500 USD laptop, the ability to decode GSM-based conversations and data transmissions.

3.3.3. This would undermine the whole basis of the mobile banking security structure, which uses GSM to transfer mobile TANs for validating online transfers.

3.4. Reactions

3.4.1. The encryption problem is particularly serious for people doing online banking, where banks are using text messages as authentication tokens. Banks should instead offer RSA SecurID tokens or send one-time pass phrases through regular mail, Nohl said.

3.4.2. Assuming the project is a rousing success, isn’t he worried that the criminals will take advantage of the proof-of-concept?

3.4.2.1. Whenever there is Full Disclosure, the information disclosed will usually, “…put some users at risk, but make things better for everybody in the long run.”

3.4.3. “Some criminals already have this ability,” he explained. He gave is an example of code books available now for about $100,000 to $250,000 USD. “If you’re in the business of industrial espionage, then a quarter of a million dollars doesn’t sound like too high of a price,” he added.

3.4.4. GSM Alliance said that the research is a long way from being a practical attack on GSM.

3.5. Mitigation

3.5.1. In the meantime, people can use separate encryption products on the phone, like Cellcrypt, or handsets with their own encryption, Nohl said. Amnesty International and Greenpeace are using phones with stronger encryption, for example, but it only works if both parties to a conversation are using the same technology, he said.

3.5.2. 3G is more secure

3.5.2.1. “AT&T has the ability to switch the iPhone to 3G on voice and data,” Nohl explained, but only for the iPhone 3G handsets. As things stand now, the iPhone 3G uses A5/3 (3G) for data transmission and A5/1 (GSM or 2G) for voice.

3.5.2.2. The problem is that, before AT&T moves customers over to 3G to avoid the weakness in A5/1, they would need to admit that there is a problem on their 2G voice network, something Nohl notes is highly unlikely.

3.6. Lessons and Issues

3.6.1. This weakness in the encryption used on the phones, A5/1, has been known about for years. There are at least four commercial tools that allow for decrypting GSM communications that range in price from $100,000 to $250,000 depending on how fast you want the software to work

4. General Sources

4.1. cnet

4.1.1. their summary

4.1.1.1. Security researcher Karsten Nohl is launching an open-source, distributed computing project designed to crack the encryption used on GSM phones and compile it into a code book that can be used to decode conversations and any data that gets sent to and from the phone.

4.1.2. why he's doing it

4.1.2.1. "We're not creating a vulnerability but publicizing a flaw that's already being exploited very widely," he said in a phone interview Monday.

4.1.2.2. "Clearly we are making the attack more practical and much cheaper, and of course there's a moral question of whether we should do that," he said. "But more importantly, we are informing (people) about a longstanding vulnerability and hopefully preventing more systems from adopting this."

4.1.3. what it means

4.1.3.1. Using the code book, anyone could get the encryption key for any GSM call, SMS message, or other communication encrypted with A5/1 and listen to the call or read the data in the clear.

4.1.3.2. Once the look-up table is created it would be available for anyone to use.

4.1.3.3. Carriers should upgrade the encryption or move voice services to 3G, which has much stronger encryption, Nohl said.

4.1.3.4. The encryption problem is particularly serious for people doing online banking, where banks are using text messages as authentication tokens. Banks should instead offer RSA SecurID tokens or send one-time pass phrases through regular mail, Nohl said.

4.1.3.5. In the meantime, people can use separate encryption products on the phone, like Cellcrypt, or handsets with their own encryption, Nohl said. Amnesty International and Greenpeace are using phones with stronger encryption, for example, but it only works if both parties to a conversation are using the same technology, he said.

4.1.4. how

4.1.4.1. If 160 people donate their computing resources to the project, it should only take one and a half months to complete, he said.

4.1.4.2. Participants download the software and three months later they share the files created with others, via BitTorrent, for instance, Nohl said. "We have no connection to them," he added.

4.1.4.3. By distributing the effort among participants and not having it centralized, the new effort will be less vulnerable to outside interference, he said.

4.1.5. legality

4.1.5.1. Nohl wasn't certain of the legal ramifications of the project but said it's likely that using such a look-up table is illegal but possession is legal because of the companies that openly advertise their tables for sale.

4.1.6. other efforts

4.1.6.1. This weakness in the encryption used on the phones, A5/1, has been known about for years. There are at least four commercial tools that allow for decrypting GSM communications that range in price from $100,000 to $250,000 depending on how fast you want the software to work

4.1.6.2. A few years ago a similar GSM cracking project was embarked upon but was halted before it was completed after researchers were intimidated, possibly by a cellular provider, Nohl said.

4.2. mobile europe

4.2.1. from theory to practice

4.2.1.1. Now Mobile Europe has been contacted by Cellcrypt, whose CEO Simon Bransfield-Garth, said, "Everybody has known for quite some time that a theoretical hack of GSM existed. This news means that the theoretical risk will become a very real one within the next six months. Governments have taken steps to manage the threat for years and now this is a very worrying prospect for anyone that discusses valuable or confidential information over their mobile phone.”

4.2.2. private conversations

4.2.2.1. “In our soon to be published research, undertaken amongst corporate users in the USA, 79% of people discuss confidential issues by phone every few days with 64% making such calls daily.”

4.2.2.2. cellcrypt

4.2.3. bit silly

4.2.3.1. And Stuart Quick, risk management specialist at Henderson Risk Limited, commented, “The recent attention given to the hacking A5/1 is no surprise. It remains a Holy Grail amongst the hacking community and is intriguing because of the associated conspiracy theories. It is believed that the cipher has had weaknesses engineered in to it in order to make it easier for the security services to snoop on calls and that mobile communications providers are therefore misleading or incorrectly advertising their product’s level of security.”

4.3. heise sec

4.3.1. impact

4.3.1.1. As well as normal telephone conversations, this would also allow text messages to be read, not just by state agencies with specialist equipment (for whom it is already a matter of course), but by anyone with the right equipment, costing just 1,000 euros.

4.3.1.2. This would undermine the whole basis of the mobile banking security structure, which uses GSM to transfer mobile TANs for validating online transfers.

4.3.1.3. Should the project prove successful and the tables be distributed via, for example, BitTorrent, mobile phone operators will probably find themselves forced to move to more secure encryption standards.

4.3.1.4. This would, however, require that all mobile phones support the new standard, something which usually necessitates a firmware update, and is therefore likely to be a big issue for many users.

4.3.2. why

4.3.2.1. intended to make the wider public aware of the vulnerabilities in A5/1, which are already old hat in specialist circles.

4.3.3. how

4.3.3.1. With community assistance, he plans to pre-compute the secret keys and save them in a code book.

4.3.3.2. Since, even with the relatively non-secure A5/1 standard, this would take 100,000 years on a normal PC and would require 128 petabytes of storage capacity, Nohl’s software uses a number of tricks.

4.3.3.3. Nohl is calling on the community to participate in the project in order to compute the tables in the shortest possible time.

4.3.3.4. A little under 200 PCs should be enough to achieve this within a few months.

4.3.3.5. Nohl's idea is nothing new – hacker group THC started to pre-compute key tables for A5/1 back in 2008, and is reported to have completed the task with the aid of FPGAs.

4.3.3.6. However, apparently due to legal issues, the tables have never been published. Nohl's project is largely based on the earlier work carried out by THC, but adds a number of enhancements.

4.3.4. what

4.3.4.1. It uses the latest graphics cards with CUDA support to carry out the computation,

4.3.4.2. distributes the task over large numbers of computers connected over the web

4.3.4.3. compresses the code book/tables using specific procedures so that they take up less space.

4.4. tech herald

4.4.1. summary

4.4.2. how

4.4.2.1. Namely, his project uses graphics cards with GPU capability, and seeks to build a distributed infrastructure of nodes.

4.4.2.2. Namely, his project uses graphics cards with GPU capability, and seeks to build a distributed infrastructure of nodes.

4.4.2.3. Each node will donate small portions of disk space, which will house part of the Rainbow Table that will be created and used to crack A5/1, and the fast GPUs will be used for the generation of, and lookup of, the nodes own table.

4.4.2.4. Nohl told The Tech Herald in an interview that the project expects to have a working proof-of-concept attack on A5/1, “…by the end of the year.”

4.4.2.5. He estimates that the project will need 80 people dedicating their hardware and processing resources for about three months before the PoC is ready. However, with 160 people, the time can drop to about six weeks.

4.4.2.6. anonymous

4.4.2.6.1. The project is anonymous, and the hope is that as users finish their part of the process, they will upload their completed tables to anonymous repositories and share them with BitTorrent.

4.4.3. impact

4.4.3.1. After the work is complete, the code book produced will be given out freely, and can be used to listen in on GSM-based phone conversations, capture SMS messages sent over the GSM network, or both at the same time.

4.4.3.2. Wouldn’t this mean the criminals could get access to GSM networks and compromise subscriber privacy and security? Why would Nohl even consider this?

4.4.3.3. 3G is more secure

4.4.3.3.1. “AT&T has the ability to switch the iPhone to 3G on voice and data,” Nohl explained, but only for the iPhone 3G handsets. As things stand now, the iPhone 3G uses A5/3 (3G) for data transmission and A5/1 (GSM or 2G) for voice.

4.4.3.3.2. The problem is that, before AT&T moves customers over to 3G to avoid the weakness in A5/1, they would need to admit that there is a problem on their 2G voice network, something Nohl notes is highly unlikely.

4.4.4. why

4.4.4.1. “We thought that everyone that is using cell phones should be aware of the security risks,” Nohl explained to us. “Our most sincere and primary goal was to raise awareness about this problem.”

4.4.4.2. Adding to this he said that the projects aim is to raise awareness about the widespread use of GSM, and by proxy A5/1, which amounts for just over 80-percent of the mobile phone market, used in 200 countries the world over by almost 3 billion people

4.4.4.3. starting a public debate over the present insecurity and how to make GSM more secure to a “…level where people are comfortable using cellular phones.”

4.4.5. moral

4.4.5.1. full disclosure

4.4.5.2. What about the risks? Full Disclosure, which is exactly what he has done with the project's announcement, means that end users are being placed in the line of fire.

4.4.5.3. Assuming the project is a rousing success, isn’t he worried that the criminals will take advantage of the proof-of-concept?

4.4.5.4. “Some criminals already have this ability,” he explained. He gave is an example of code books available now for about $100,000 to $250,000 USD. “If you’re in the business of industrial espionage, then a quarter of a million dollars doesn’t sound like too high of a price,” he added.

4.4.5.5. Whenever there is Full Disclosure, the information disclosed will usually, “…put some users at risk, but make things better for everybody in the long run.”

4.5. GSMA

4.5.1. summary

4.5.1.1. GSM Alliance said that the research is a long way from being a practical attack on GSM.

4.5.1.2. Moreover, the GSMA feels that there were commercial considerations behind the projects goals

4.5.2. unlikely

4.5.2.1. storage

4.5.2.1.1. heoretical compromise presented at the Black Hat conference “…requires the construction of a large look-up table of approximately 2 Terabytes – this is equivalent to the amount of data contained in a 20 kilometre high pile of books.”

4.5.2.2. interception

4.5.2.2.1. “However, before a practical attack could be attempted, the GSM call has to be identified and recorded from the radio interface.

4.5.2.2.2. So far, this aspect of the methodology has not been explained in any detail and we strongly suspect the team developing the intercept approach has underestimated its practical complexity,” the GSMA statement says.

4.5.2.2.3. “The GSMA should take the hacker community and its current interest in GSM technology more serious.”

4.5.2.3. hinted that the team developing the A5/1 intercept approach underestimated its practical complexity

4.5.3. how

4.5.3.1. As the project members finish their part of the process, the hope is that they will upload their completed tables to anonymous repositories and share them with BitTorrent.

4.5.4. better encryption

4.5.4.1. At the same time, there is work to improve the security of GSM-based networks. “The GSMA has been working to further enhance privacy protection on GSM networks and has developed a new high-strength algorithm, A5/3… This new privacy algorithm is being phased in to replace A5/1.”

4.5.4.2. The use of A5/3 is already spreading across the mobile footprint here in the US.

4.5.4.3. A5/3 is used predominately in 3G networks, but in the case of carriers like AT&T, 3G is only partially implemented.

4.5.4.4. AT&T carries the voice side of their network on GSM, and the data side of things is 3G. This means they are using both A5/1 and A5/3.

4.6. HAR2009

4.6.1. Subverting the security base of GSM

4.6.1.1. not a friendly title

4.6.2. repeatedly broken but no public exploit

4.6.3. GSM is global, omnipresent and insecure

4.6.3.1. 80% of mobile phone market 200+ countries 3 billion users!

4.6.3.2. since 1987

4.6.4. should not be used for new apps as insecure

4.6.5. need public decrypt PoC

4.6.5.1. nice timechart slide 5

4.6.6. groundwork done and open

4.6.6.1. fast A5/1 implementation

4.6.6.2. table paremeterization

4.6.6.3. just generation remains

4.6.7. direct lookup table

4.6.7.1. An A5/1 code book is 128 Petabyte and takes 100,000+ years to be computed on a PC

4.6.7.2. he calls it a code book

4.6.8. need to be smarter

4.6.8.1. Time on single threaded CPU: 100,000+ years

4.6.8.2. 3 months on 80 CUDA nodes

4.6.8.2.1. parallel

4.6.8.2.2. alg tweaks

4.6.9. tables

4.6.9.1. rainbow + DP

4.6.9.2. don't follow size discussion

4.6.10. distributed

4.6.10.1. For efficiency, tables distributed over many nodes are preferred

4.6.10.2. More importantly, no single point of failure should exist on the critical path to the GSM decode PoC