| Abstract: |
In this chapter we present a very practical ciphertext-only
cryptanalysis of GSM encrypted communication, and various active
attacks on the GSM protocols. These attacks can even break into GSM
networks that use "unbreakable" ciphers. We first describe a
ciphertext-only attack on A5/2 that requires a few dozen
milliseconds of encrypted off-the-air cellular conversation and
finds the correct key in less than a second on a personal computer.
We extend this attack to a (more complex) ciphertext-only attack on
A5/1. We then describe new (active) attacks on the protocols of
networks that use A5/1, A5/3, or even GPRS. These attacks exploit
flaws in the GSM protocols, and they work whenever the mobile phone
supports a weak cipher such as A5/2. We emphasize that these attacks are on the protocols,
and are thus applicable whenever the cellular phone supports a weak
cipher, for example, they are also applicable for attacking A5/3
networks using the cryptanalysis of A5/1. Unlike previous attacks on
GSM that require unrealistic information, like long known plaintext
periods, our attacks are very practical and do not require any
knowledge of the content of the conversation. Furthermore, we
describe how to fortify the attacks to withstand reception errors.
As a result, our attacks allow attackers to tap conversations and
decrypt them either in real-time, or at any later time. We present
several attack scenarios such as call hijacking, altering of data
messages and call theft.
|