Saturday, May 23, 2009
Best Free GSM Books
Will be available shortly.
Thanks
Thursday, May 21, 2009
GSM Physical and Logical Channels
A physical channel is specified by a specific time slot in a specific channel
carrier frequency
logical channels:
run over a physical channel, but not necessarily in all its time slots
are classified into traffic channels and control channels
have to be managed: set up, maintenance, tear down
Control channels:
Control channels are interspersed with traffic channels in well-specified
ways (e.g. every 26 TDMA frames a logical channel gets bandwidth in a
physical channel)
Wednesday, May 20, 2009
Best PDF Documents to Understand the Encryption Algorithms
http://www.etsi.org/website/document/algorithms/ts_135202v070000p.pdf
http://cryptome.org/gsm-crack-bbk.pdf
http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/2006/CS/CS-2006-07.pdf
A5/3 or KASUMI Encryption
In cryptography, KASUMI, also termed A5/3, is a block cipher used in the confidentiality (f8) and integrity algorithms (f9) for 3GPP mobile communications. A number of serious weaknesses in the cipher have been identified.
KASUMI was designed by the Security Algorithms Group of Experts (SAGE), part of the European standards body ETSI. Rather than invent a cipher from scratch, SAGE selected an existing algorithm, MISTY1, and optimised it slightly for implementation in hardware. Hence, MISTY1 and KASUMI are very similar — kasumi (霞) is the Japanese word for "mist" — and the cryptanalysis of one is likely to be readily adaptable to the other. KASUMI maintains an efficient implementation in software.
KASUMI has a block size of 64 bits and a key size of 128 bits. It is a Feistel cipher with eight rounds, and like MISTY1 and MISTY2, it has a recursive structure, with subcomponents also having a Feistel-like form.
In 2001, an impossible differential attack on six rounds of KASUMI was presented by Kühn (2001).
In 2003 Elad Barkan, Eli Biham and Nathan Keller demonstrated attacks against A5/1 and A5/2, that allow attackers to tap GSM mobile phone conversations and decrypt them either in real-time, or at any later time. Protocol weaknesses allow recovery of the key, but the KASUMI algorithm is unaffected in itself.
In 2005, Israeli researchers Eli Biham, Orr Dunkelman and Nathan Keller published a related-key rectangle (boomerang) attack on KASUMI that can break all 8 rounds faster than exhaustive search. The attack requires 254.6 chosen plaintexts, each of which has been encrypted under one of four related keys, and has a time complexity equivalent to 276.1 KASUMI encryptions. While this is not a practical attack, it invalidates some proofs about the security of the 3GPP protocols that had relied on the presumed strength of KASUMI.
In 2006, Elad Barkan, Eli Biham, Nathan Keller published the full version of their 2003 paper, with attacks against A5/X Ciphers. [1]
Tuesday, May 19, 2009
What are A5/1 & A5/2 Encryptions
A5/1 is used in Europe and the United States. A5/2 was a deliberate weakening of the algorithm for certain export regions.[1] A5/1 was developed in 1987, when GSM was not yet considered for use outside Europe, and A5/2 was developed in 1989. Both were initially kept secret. However, the general design was leaked in 1994, and the algorithms were entirely reverse engineered in 1999 by Marc Briceno from a GSM telephone. In 2000, around 130 million GSM customers relied on A5/1 to protect the confidentiality of their voice communications.
Security researcher Ross Anderson reported in 1994 that "there was a terrific row between the NATO signal intelligence agencies in the mid 1980s over whether GSM encryption should be strong or not. The Germans said it should be, as they shared a long border with the Warsaw Pact; but the other countries didn't feel this way, and the algorithm as now fielded is a French design."[2]
GSM Encryption Algorithms
A5 is a stream cipher consisting of three clock-controlled LFSRs of degree 19, 22, and 23.
The clock control is a threshold function of the middle bits of each of the three shift registers.
The sum of the degrees of the three shift registers is 64. The 64-bit session key is used to initialize the contents of the shift registers.
The 22-bit TDMA frame number is fed into the shift registers.
Two 114-bit keystreams are produced for each TDMA frame, which are XOR-ed with the uplink and downlink traffic channels.
It is rumored that the A5 algorithm has an "effective" key length of 40 bits.
How to hack network security cameras?
1. Go to Google.com
2. Type
intitle:"Live View /-AXIS"
and click search
3. Go to the searched links and control the security cameras working in the world
ENJOY IT