
5. MESSAGE ENCRYPTION ALGORITHMS


This section identifies the message encryption algorithms and modes that shall be used to encrypt messages and, when asymmetric key management is employed in an encrypted message, to encrypt message signatures. It also defines how character string identifiers are assigned and any other parameters required by the message encryption algorithms.

5.1 Algorithm Basics


A ciphering system for these algorithms has to meet two requirements:

1. The relation between the ciphering algorithms has to be nonlinear.
2. The algorithm parameters have to be changeable during the exchange.

The first requirement excludes the possibility of satisfying the identification code IC without knowing the identification key. The second excludes system malfunction caused by an unauthorized user who tries to extract a message from the system's memory and profit from it. The most thorough way to provide these properties is synchronous signaling, which requires the system to possess frame and symbol synchronization; in most cases this is undesirable. The more convenient way is to include symbols in the information sequence that are correlated with the encryption data.

Encryption algorithms are divided into two groups:

1. Classical (secret key) algorithms
2. Open key (public key) algorithms

The first group uses a single key for both ciphering and deciphering. The second uses two keys: one for the transition from plain message to encrypted message, and another for the transition from encrypted message back to plain message. The main feature of such an algorithm is that knowing only one of the keys does not allow anyone to find out the other. Open key algorithms are attractive for cellular systems: the key used for ciphering can be the same for all subscribers and published openly, while the key used for decryption is kept secret. This limits the complexity of the protocol and eases the integration of the ciphering structure into cellular networks.


An open key ciphering algorithm is based on a one-way function f: the value y = f(x) is easy to compute for any argument x in its domain, but the inverse, recovering x from y, is not. In other words, f(x) can be computed on a computer in an acceptably short time, while the time needed to compute the inverse function is unacceptably long with the present state of computing and mathematics.

The first open key ciphering algorithm is called RSA (after the first letters of its inventors' names: Rivest, Shamir and Adleman). The algorithm is based on two functions E and D, related by

D(E(M)) = E(D(M)) = M

One of them is used for the encryption of messages and the other for decryption, and knowing E does not allow one to compute D easily (or vice versa). Two subscribers A and B can use RSA to exchange encrypted messages. If subscriber A wants to send the message M to subscriber B, he can do it in three ways:

1. Cipher the message M;
2. Sign the message M;
3. Cipher and sign the message M.

In the first case subscriber A converts M into C = EB(M) using B's open key EB and sends C to B. B, after receiving C, computes DB(C) = DB(EB(M)) = M with his secret key DB. In the second case subscriber A signs M by computing F = DA(M) and sends it to B (this is possible only because A knows the secret key DA). B receives F and determines EA(F) = EA(DA(M)) = M. In this case, however, secrecy is not guaranteed, because any subscriber can perform the same operation using the common key EA. In the third case A computes F = DA(M) and C = EB(F) = EB(DA(M)), then sends C to B. After receiving C, B computes DB(C) = DB(EB(F)) = DA(M), and then EA(DA(M)) = M.
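The three RSA usage cases just described (cipher, sign, cipher and sign), as an added textbook-RSA example in Python that is not part of this text. The primes, the public exponent e = 17 and the message 1234 are constructed for illustration; real deployments use moduli of at least 2048 bits and a padding scheme, which this example omits.

```python
# Textbook RSA: E(x) = x^e mod n is the open function, D(x) = x^d mod n the
# secret one, and D(E(x)) = E(D(x)) = x for every x < n.
from math import gcd


def make_keypair(p: int, q: int, e: int = 17):
    """Return (open_key, secret_key) as (e, n) and (d, n). Constructed
    small primes only; no real key is this small."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def rsa_apply(key, x: int) -> int:
    """Apply E or D: raise x to the key exponent modulo n."""
    exp, n = key
    if not 0 <= x < n:
        raise ValueError("value does not fit under the modulus")
    return pow(x, exp, n)


# Keys for subscribers A and B. n_A < n_B so that a signature F = D_A(M),
# a residue modulo n_A, always fits under n_B in the third case.
E_A, D_A = make_keypair(61, 53)    # n_A = 3233, d_A = 2753
E_B, D_B = make_keypair(101, 113)  # n_B = 11413


def cipher(m: int) -> int:
    """Case 1: A sends C = E_B(M). Only B, holding D_B, can recover M."""
    return rsa_apply(E_B, m)


def decipher(c: int) -> int:
    return rsa_apply(D_B, c)


def sign(m: int) -> int:
    """Case 2: A sends F = D_A(M). Anyone holding the common key E_A
    recovers M, so the signature gives authenticity but no secrecy."""
    return rsa_apply(D_A, m)


def verify(f: int) -> int:
    return rsa_apply(E_A, f)


def cipher_and_sign(m: int) -> int:
    """Case 3: C = E_B(D_A(M))."""
    return rsa_apply(E_B, rsa_apply(D_A, m))


def decipher_and_verify(c: int) -> int:
    """B computes D_B(C) = D_A(M), then E_A(D_A(M)) = M."""
    return rsa_apply(E_A, rsa_apply(D_B, c))


if __name__ == "__main__":
    M = 1234
    print("case 1:", decipher(cipher(M)) == M)
    print("case 2:", verify(sign(M)) == M)
    print("case 3:", decipher_and_verify(cipher_and_sign(M)) == M)
```

Because E_A is a permutation of the residues modulo n_A, any change to F (even a single added unit) makes verify() return something other than M, which is how B detects tampering; and because the same E_A is public, verify() provides no secrecy, which is the point the text makes about the second case.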
The RSA algorithm provides excellent protection of voice and data and is recommended for use in digital systems for mobile communications, including second-generation cellular systems. In these systems the terms "security" and "protection" mean shutting out unauthorized use of the system resources and ensuring the secrecy of conversations between mobile users. There are several approaches to achieving this protection:

1. Authentication
2. Secrecy of transmitted voice and data
3. Secrecy of the subscriber
4. Secrecy of the equipment
5. Secrecy of connections
6. Secrecy of signals for command and control

The real identity of a GSM mobile and its subscriber is the data stored in the SIM (Subscriber Identity Module). The SIM comes in two physical sizes: credit card type (ISO) and the smaller plug-in SIM. The heart of the SIM card is a microcontroller that includes ROM and additional EEPROM (Electrically Erasable Programmable Read Only Memory). In the European standard for cellular communication, GSM, these approaches are fixed in Recommendations, which are given in table 5.1.

Table 5.1: GSM Recommendations on security

GSM 02.09   Security aspects                     Defines the security features used in GSM networks and recommends their use in mobile stations and systems.
GSM 03.20   Security related network functions   Defines the network functions necessary to provide the security features given in Rec. 02.09.
GSM 03.21   Security algorithms                  Defines the cryptographic algorithms used in the communication system.
GSM 02.17   Subscriber identity module (SIM)     Defines the main features of the SIM.

The security related information used in GSM is listed in table 5.2; most of it is held in the SIM.

Table 5.2: Security information stored in the SIM

RAND   Random number, used for the authentication of a mobile subscriber.
SRES   Signed response from the mobile station to the random number.
Ki     Individual subscriber authentication key, used to compute SRES and the ciphering key.
Kc     Ciphering key, used for encryption/decryption of messages and of the command and control signals transmitted over the radio channel.
A3     Authentication algorithm, used to compute SRES.
A5     Encryption/decryption algorithm.
A8     Algorithm for the calculation of Kc.
CKSN   Ciphering key sequence number, which identifies the Kc currently held so that the network knows which key is in use without retransmitting it.
TMSI   Temporary mobile subscriber identity.
IMSI   International mobile subscriber identity.
IMEI   International mobile equipment identity.
LAI    Location area identification.

The distribution of this security information among the elements of the cellular system is given in table 5.3.

Table 5.3: Security information in different elements of the cellular system

Network element                       Types of security information
1. Mobile station (MS)                A5, IMEI
2. Subscriber identity module (SIM)   A3, A8, IMSI, Ki, TMSI/LAI, Kc/CKSN
3. Authentication center (AUC)        A3, A8, IMSI/Ki
4. Home location register (HLR)       Packet IMSI/RAND/SRES/Kc
5. Visitor location register (VLR)    Packet IMSI/RAND/SRES/Kc, packet IMSI/TMSI/LAI/Kc/CKSN
6. Mobile switching center (MSC)      A5, triplet TMSI/IMSI/Kc
7. Base station controller (BSC)      A5, triplet TMSI/IMSI/Kc

There are four basic security services provided by GSM:

1. Anonymity: TMSI (temporary mobile subscriber identity) assignment. The user has to be protected over the air interface, so GSM temporarily assigns the user an identifier known as the TMSI; it is also used for roaming, so that the IMSI is not sent over the air.
2. Authentication: the authentication procedure is performed after the subscriber identity (IMSI) is known to the network and before the channel is encrypted.
3. Protection of signaling data and voice against eavesdropping: encryption.
   a. A3: used for subscriber authentication
   b. A5: used for ciphering/deciphering (stream cipher)
   c. A8: used to generate Kc
4. User's SIM and equipment identity: for the identification of a stolen identity or SIM.

Figure 5.1 below shows these four services.

Figure 5.1: Call functional Algorithms in GSM

5.2 The GSM Encryption Algorithm


The GSM security model is based on a shared secret between the subscriber's home network's HLR and the subscriber's SIM. The shared secret, called Ki, is a 128-bit key used to generate a 32-bit signed response, called SRES, to a random challenge, called RAND, issued by the MSC, and a 64-bit session key, called Kc, used for the encryption of the over-the-air channel. When an MS first signs on to a network, the HLR provides the MSC with five triplets, each containing a RAND, the SRES to that particular RAND based on Ki, and a Kc based again on the same Ki. Each triplet is used for one authentication of the specific MS. When all triplets have been used, the HLR provides a new set of five triplets to the MSC. Figure 5.2 below explains the procedure.

Figure 5.2: Mobile station authentication

When the MS first comes into the area of a particular MSC, the MSC sends the challenge of the first triplet to the MS. The MS calculates a SRES with the A3 algorithm using the given challenge and the Ki residing in the SIM. The MS then sends the SRES to the MSC, which confirms that the SRES really corresponds to the challenge sent by comparing the SRES from the MS with the SRES in the triplet from the HLR. Thus the MS has authenticated itself to the MSC. The MS then generates the session key Kc with the A8 algorithm, which again takes the challenge from the MSC and the Ki from the SIM as input. The BTS that communicates with the MS receives the same Kc from the MSC, which has received it in the triplet from the HLR. Now the over-the-air channel between the BTS and the MS can be encrypted. Each frame in the over-the-air traffic is encrypted with a different key stream, generated with the A5 algorithm. A5 is initialized with the Kc and the number of the frame to be encrypted, thus generating a different key stream for every frame. This means that a whole call can be decrypted by an attacker who knows the Kc and the frame numbers; the frame numbers are generated implicitly, so anybody can find out the frame number at hand. The same Kc is used as long as the MSC does not authenticate the MS again, in which case a new Kc is generated. In practice, the same Kc may be in use for days. This procedure is shown in figure 5.3.


Figure 5.3: Frame encryption and decryption

MS authentication is an optional procedure at the beginning of a call, but it is usually not performed, so the Kc is not changed from call to call. Only the over-the-air traffic is encrypted in a GSM network: once the frames have been received by the BTS, it decrypts them and sends them in plain form into the operator's backbone network. The most important algorithms used in GSM are given below.

5.2.1 The MS Authentication Algorithm A3

A3 is the authentication algorithm in the GSM security model. Its function is to generate the SRES response to the random challenge RAND, which the MSC has received from the HLR. The A3 algorithm takes the RAND from the MSC and the secret key Ki from the SIM as input and generates a 32-bit output, the SRES response. Both the RAND and the Ki secret are 128 bits long, as shown in figure 5.4.
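The authentication and key derivation flow just described (HLR triplets, MSC challenge, SIM computing SRES and Kc with A3 and A8), as an added Python simulation that is not part of this text. COMP128 is not reproduced here: the A3 and A8 stand-ins are HMAC-SHA256 keyed with Ki, an assumption chosen only to give functions with the input and output sizes the text states, and Kc has its last ten bits zeroed as section 5.2.2 below describes. The IMSI and Ki values are constructed.

```python
import hashlib
import hmac
import secrets


def a3(ki: bytes, rand: bytes) -> bytes:
    """Stand-in A3 (assumption: HMAC-SHA256, not COMP128).
    128-bit Ki and 128-bit RAND in, 32-bit SRES out."""
    assert len(ki) == 16 and len(rand) == 16
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8(ki: bytes, rand: bytes) -> bytes:
    """Stand-in A8 (same assumption). 64-bit Kc whose last ten bits are
    forced to zero, as in every A8 implementation, so 54 bits are secret."""
    assert len(ki) == 16 and len(rand) == 16
    full = hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]
    return full[:6] + bytes([full[6] & 0xFC, 0x00])


class HLR:
    """Home network: holds Ki per IMSI and produces RAND/SRES/Kc triplets."""

    def __init__(self):
        self._ki = {}

    def register(self, imsi: str, ki: bytes) -> None:
        self._ki[imsi] = ki

    def triplets(self, imsi: str, count: int = 5) -> list:
        ki = self._ki[imsi]
        out = []
        for _ in range(count):
            rand = secrets.token_bytes(16)
            out.append((rand, a3(ki, rand), a8(ki, rand)))
        return out


class SIM:
    """Subscriber side. Ki never leaves the card; only SRES and Kc come out."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki

    def respond(self, rand: bytes) -> tuple:
        return a3(self._ki, rand), a8(self._ki, rand)


class MSC:
    """Visited network. Spends one triplet per authentication and never sees
    Ki, A3 or A8, which is why roaming works with a foreign operator's
    algorithms."""

    def __init__(self, hlr: HLR):
        self._hlr = hlr
        self._triplets = {}
        self.last_rand = None

    def authenticate(self, sim: SIM):
        queue = self._triplets.setdefault(sim.imsi, [])
        if not queue:                          # all five used: ask the HLR again
            queue.extend(self._hlr.triplets(sim.imsi))
        rand, expected_sres, kc = queue.pop(0)
        self.last_rand = rand                  # MSC -> MS: RAND
        sres, _ = sim.respond(rand)            # MS -> MSC: SRES only
        if not hmac.compare_digest(sres, expected_sres):
            return None                        # reject: no Kc reaches the BTS
        return kc                              # handed to the BTS for A5

    def pending(self, imsi: str) -> int:
        return len(self._triplets.get(imsi, []))


# Constructed subscriber data (test PLMN 001-01; this Ki is not a real key).
IMSI = "001010123456789"
KI = bytes(range(16))


def demo():
    """Genuine SIM authenticates and derives the same Kc the network holds;
    a clone with the wrong Ki is rejected."""
    hlr = HLR()
    hlr.register(IMSI, KI)
    msc = MSC(hlr)
    genuine, clone = SIM(IMSI, KI), SIM(IMSI, bytes(16))
    kc_network = msc.authenticate(genuine)
    kc_mobile = genuine.respond(msc.last_rand)[1]
    rejected = msc.authenticate(clone)
    return kc_network, kc_mobile, rejected, msc.pending(IMSI)


if __name__ == "__main__":
    kc_network, kc_mobile, rejected, left = demo()
    print(kc_network.hex(), kc_network == kc_mobile, rejected, left)
```

The MSC never learns Ki and only compares a 32-bit SRES, so it can serve a roaming subscriber without knowing the home operator's A3/A8; the cost is that the five triplets, including the Kc values, are cached in the visited network and reused until exhausted.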

Figure 5.4: Signed response (SRES) calculation

Nearly every GSM operator in the world uses an algorithm called COMP128 for both the A3 and A8 algorithms. COMP128 is the reference algorithm for these tasks published by the GSM consortium. Other algorithms have been named as well, but almost every operator uses COMP128. COMP128 is shown in figure 5.5.


Figure 5.5: COMP128 calculation

COMP128 takes the RAND and the Ki as input, but it generates 128 bits of output instead of the 32-bit SRES. The first 32 bits of the 128 bits form the SRES response.

5.2.2 The Voice-Privacy Key Generation Algorithm A8

A8 is the key generation algorithm in the GSM security model. It generates the session key, Kc, from two inputs: the random challenge RAND received from the MSC and the secret key Ki stored in the SIM. The A8 algorithm takes these two 128-bit inputs and generates a 64-bit output, the session key Kc. The BTS receives the same Kc from the MSC, as shown in figure 5.6.

Figure 5.6: Session key (Kc) calculation

The HLR is also able to generate the Kc, because the HLR knows both the RAND (the HLR generated it) and the secret key Ki, which it holds for all the GSM subscribers of this network operator. One session key, Kc, is used until the MSC decides to authenticate the MS again, which may take days. As stated in the previous section, COMP128 is used for both the A3 and A8 algorithms in most GSM networks. COMP128 generates both the SRES response and the session key Kc in one run (figure 5.5 above): the first 32 bits of the output form the SRES, and 54 further bits of the output form the session key Kc, which is used until the MS is authenticated again.

Note that the key length at this point is 54 bits instead of 64 bits, which is the length of the key given as input to the A5 algorithm. Ten zero bits are appended to the key generated by COMP128, so the result is a 64-bit key with the last ten bits zeroed out. This effectively reduces the key space from 64 bits to 54 bits. This is done in all A8 implementations, including those that do not use COMP128 for key generation, and seems to be a deliberate feature of the A8 algorithm implementations.

Both A3 and A8 are stored in the SIM in order to prevent tampering with them. This means that the operator can decide which algorithms to use independently of hardware manufacturers and other network operators. Authentication works in other countries as well, because the local network asks the HLR of the subscriber's home network for the five triplets; the local network therefore does not need to know anything about the A3 and A8 algorithms used.

5.2.3 The Strong Over-the-Air Voice-Privacy Algorithm A5

The over-the-air privacy of GSM telephone conversations is protected by the A5 stream cipher. This algorithm has two main variants: the stronger A5/1 version is used by about 130 million customers in Europe, while the weaker A5/2 version is used by another 100 million customers in other markets. The approximate design of A5 was leaked in 1994, and the exact design of both A5/1 and A5/2 was established in 1999. A5 is the stream cipher used to encrypt over-the-air transmissions. It is initialized afresh for every frame sent, with the session key Kc and the number of the frame being encrypted or decrypted. The same Kc is used throughout the call, but the 22-bit frame number changes during the call, thus generating a unique key stream for every frame. This procedure is shown in figure 5.7.

Figure 5.7: Key stream generation


A5/1 is a stream cipher whose key stream is the XOR of the outputs of three clock-controlled registers. Each register is clocked according to its own middle bit, compared with a threshold (majority) function of the middle bits of all three registers, as shown in figure 5.8 below.

Figure 5.8: XOR of registers

The A5 algorithm used in European countries (A5/1) consists of three linear feedback shift registers (LFSRs) of different lengths. The combined length of the three LFSRs is 64 bits. The outputs of the three registers are XORed together, and the result is one key stream bit. The LFSRs are 19, 22 and 23 bits long, with sparse feedback polynomials, as figure 5.9 shows.

Figure 5.9: A5 LFSR construction

All three registers are clocked based on their middle bits. A register is clocked if its middle bit agrees with the majority value of the three middle bits. For example, if the middle bits of the three registers are 1, 1 and 0, the first two registers are clocked; if they are 0, 1 and 0, the first and third registers are clocked. Since at least two of the three bits always agree, at least two registers are clocked on every round. The procedure is shown in figure 5.10.

Figure 5.10: An example LFSR with feedback

The three LFSRs are initialized with the session key, Kc, and the frame number. The 64-bit Kc is first loaded into the registers bit by bit: starting with the LSB of the key, each key bit is XORed into the least significant bit of each of the three LFSRs, and all three registers are then clocked (regularly, without the majority rule, during loading). All 64 bits of the key are loaded in this way. The 22-bit frame number is then loaded into the registers in the same way, as figure 5.11 shows.

Figure 5.11: XOR of A5 between MS and BTS

After the registers have been initialized with the Kc and the current frame number, they are clocked one hundred times and the generated key stream bits are discarded. This is done in order to mix the frame number and the keying material together. Then 228 bits of key stream are generated: the first 114 bits are used to encrypt the frame from the MS to the BTS, and the next 114 bits to encrypt the frame from the BTS to the MS. After this, the A5 algorithm is initialized again with the same Kc and the number of the next frame.

A common type of key stream generator for additive stream cipher applications consists of a number of possibly irregularly clocked linear feedback shift registers (LFSRs) combined by a function with or without memory. Standard cryptographic criteria such as a large period, a high linear complexity and good statistical properties are thus relatively easily satisfied. For resynchronization purposes, the internal state of a key stream generator is reinitialized once in a while by combining the same secret session key with different randomizing keys into secret message keys that define different initial internal states; in A5 the frame number plays this role.

The A5 stream cipher is allegedly used to encrypt the links between individual cellular mobile telephone users and the base station in the GSM system. Therefore, if two users want to communicate with each other via their base stations, the same messages get encrypted twice.
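The register construction, majority clocking, key and frame loading, 100 discarded clocks and 228-bit output described in section 5.2.3, as an added Python port of A5/1 that is not part of this text. The register layout, tap positions and the test vector are those of the Briceno, Goldberg and Wagner a5.c reference implementation; the data frame XORed at the end is constructed.

```python
# A5/1 key stream generator. Bit 0 of each register is the low end that new
# bits enter at; masks keep the registers at 19, 22 and 23 bits.
R1MASK, R2MASK, R3MASK = 0x07FFFF, 0x3FFFFF, 0x7FFFFF   # 19, 22, 23 bits
R1MID, R2MID, R3MID = 1 << 8, 1 << 10, 1 << 10           # "middle" clocking bits
R1TAPS, R2TAPS, R3TAPS = 0x072000, 0x300000, 0x700080     # sparse feedback taps
R1OUT, R2OUT, R3OUT = 1 << 18, 1 << 21, 1 << 22           # output: each high bit


def _parity(x: int) -> int:
    return bin(x).count("1") & 1


def _step(reg: int, mask: int, taps: int) -> int:
    """Clock one LFSR: shift left, feed the XOR of the tap bits into bit 0."""
    return ((reg << 1) & mask) | _parity(reg & taps)


class A51:
    """Key stream for one frame, given the 64-bit Kc and 22-bit frame number."""

    def __init__(self, kc: bytes, frame: int):
        if len(kc) != 8 or not 0 <= frame < (1 << 22):
            raise ValueError("Kc must be 64 bits and the frame number 22 bits")
        self.r1 = self.r2 = self.r3 = 0
        # Key loading: regular clocking, then each Kc bit (LSB of byte 0
        # first) XORed into the low bit of all three registers.
        for i in range(64):
            self._clock_all()
            self._xor_in((kc[i // 8] >> (i & 7)) & 1)
        # The 22-bit frame number is loaded the same way.
        for i in range(22):
            self._clock_all()
            self._xor_in((frame >> i) & 1)
        # 100 majority-clocked mixing steps whose output is discarded.
        for _ in range(100):
            self._clock_majority()

    def _xor_in(self, bit: int) -> None:
        self.r1 ^= bit
        self.r2 ^= bit
        self.r3 ^= bit

    def _clock_all(self) -> None:
        self.r1 = _step(self.r1, R1MASK, R1TAPS)
        self.r2 = _step(self.r2, R2MASK, R2TAPS)
        self.r3 = _step(self.r3, R3MASK, R3TAPS)

    def _clock_majority(self) -> None:
        """Clock only the registers whose middle bit equals the majority."""
        b1 = (self.r1 & R1MID) != 0
        b2 = (self.r2 & R2MID) != 0
        b3 = (self.r3 & R3MID) != 0
        maj = (b1 + b2 + b3) >= 2
        if b1 == maj:
            self.r1 = _step(self.r1, R1MASK, R1TAPS)
        if b2 == maj:
            self.r2 = _step(self.r2, R2MASK, R2TAPS)
        if b3 == maj:
            self.r3 = _step(self.r3, R3MASK, R3TAPS)

    def _output_bit(self) -> int:
        return (_parity(self.r1 & R1OUT) ^ _parity(self.r2 & R2OUT)
                ^ _parity(self.r3 & R3OUT))

    def keystream_bits(self, n: int = 228) -> list:
        bits = []
        for _ in range(n):
            self._clock_majority()
            bits.append(self._output_bit())
        return bits


def _pack(bits) -> bytes:
    """Pack bits MSB-first; 114 bits become 15 bytes with 6 padding zeros."""
    out = bytearray((len(bits) + 7) // 8)
    for i, b in enumerate(bits):
        out[i // 8] |= b << (7 - (i & 7))
    return bytes(out)


def frame_keystreams(kc: bytes, frame: int) -> tuple:
    """(MS->BTS, BTS->MS) key streams for one frame, 114 bits each."""
    bits = A51(kc, frame).keystream_bits(228)
    return _pack(bits[:114]), _pack(bits[114:])


def xor_frame(data: bytes, ks: bytes) -> bytes:
    """Encryption and decryption are the same XOR; both ends must use the
    same Kc and the same frame number."""
    return bytes(a ^ b for a, b in zip(data, ks))


# Published test vector from the a5.c reference implementation.
REF_KC = bytes([0x12, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF])
REF_FRAME = 0x134
REF_MS_TO_BTS = bytes([0x53, 0x4E, 0xAA, 0x58, 0x2F, 0xE8, 0x15, 0x1A,
                       0xB6, 0xE1, 0x85, 0x5A, 0x72, 0x8C, 0x00])
REF_BTS_TO_MS = bytes([0x24, 0xFD, 0x35, 0xA3, 0x5D, 0x5F, 0xB6, 0x52,
                       0x6D, 0x32, 0xF9, 0x06, 0xDF, 0x1A, 0xC0])


def self_test() -> bool:
    return frame_keystreams(REF_KC, REF_FRAME) == (REF_MS_TO_BTS, REF_BTS_TO_MS)


if __name__ == "__main__":
    print("reference vector:", "ok" if self_test() else "MISMATCH")
```

Because the whole state is a deterministic function of Kc and the public frame number, anyone holding Kc can regenerate every frame's key stream, which is the weakness the text points out; and since the same Kc serves both directions, the two 114-bit halves are the only thing separating uplink from downlink.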

5.2.4 Public-Key Algorithms

Public key cryptosystems were invented in the late 1970s, with some help from the development of complexity theory around that time. A cryptosystem was developed which has two keys, a secret key and a public key. With the public key one can encrypt messages, and decrypt them with the private key. Thus the owner of the private key is the only one who can decrypt the messages, but anyone knowing the public key can send them in privacy. Suppose a sender wants to send an encrypted message to a receiver. The sender obtains the receiver's public key and encrypts the message with that key; the receiver is the only one who can decrypt it. The sender can obtain the receiver's public key either by asking the receiver personally or by accessing a public-key server.

Another idea that emerged was that of key exchange. In a two-party communication it is useful to generate a common secret key for bulk encryption using a secret key cryptosystem (e.g. some block cipher). With symmetric keys, both sender and receiver must have the same key, so the key must be distributed from sender to receiver or from receiver to sender.

As mentioned above, public key cryptography uses two keys, one for encryption and another for decryption. The public key is known to everybody and is usually published in some public database. The private key is kept secret and is known only to the owner of that key. The security of the scheme therefore depends on the owner not compromising his secret key.

