A5/1 is used in Europe and the United States. A5/2 was a deliberate weakening of the algorithm for certain export regions.[1] A5/1 was developed in 1987, when GSM was not yet considered for use outside Europe, and A5/2 was developed in 1989. Both were initially kept secret. However, the general design was leaked in 1994, and the algorithms were entirely reverse engineered in 1999 by Marc Briceno from a GSM telephone. In 2000, around 130 million GSM customers relied on A5/1 to protect the confidentiality of their voice communications.
Security researcher Ross Anderson reported in 1994 that "there was a terrific row between the NATO signal intelligence agencies in the mid 1980s over whether GSM encryption should be strong or not. The Germans said it should be, as they shared a long border with the Warsaw Pact; but the other countries didn't feel this way, and the algorithm as now fielded is a French design."[2]
A number of attacks on A5/1 have been published. Some require an expensive preprocessing stage after which the cipher can be attacked in minutes or seconds. Until recently, the weaknesses have been passive attacks using the
known plaintext assumption. In 2003, more serious weaknesses were identified which can be exploited in the
ciphertext-only scenario, or by an active attacker. In 2006 Elad Barkan,
Eli Biham and Nathan Keller demonstrated attacks against A5/1,
A5/3, or even GPRS that allow attackers to tap GSM mobile phone conversations and decrypt them either in real-time, or at any later time.In 2003, Barkan
et al. published several attacks on GSM encryption.
[8] The first is an active attack. GSM phones can be convinced to use the much weaker
A5/2 cipher briefly. A5/2 can be broken easily, and the phone uses the same key as for the stronger A5/1 algorithm. A second attack on A5/1 is outlined, a
ciphertext-only time-memory tradeoff attack which requires a large amount of precomputation.
No comments:
Post a Comment