Page 63 - From GSM to LTE
Global System for Mobile Communications (GSM) 49
● A5/1 passive attacks. Researchers have practically demonstrated that passive attacks on A5/1 are possible under the following conditions:
– A correctly received data stream can be recorded.
– Empty bits in GSM signaling frames (fillbits) are sent with a repeating bit pattern.
– A precomputed decryption table with a size of around 4 TB is available.
While computing and storing the decryption table posed an insurmountable challenge even for specialized equipment at the time A5/1 was conceived, it has now become possible to compute the table in a reasonable amount of time and to store the result. The required hardware and open-source software are now easily available at low cost, and a practical real-time exploit has been demonstrated during the 28th CCC Congress in December 2011 [28].
This threat can be countered by using the A5/3 encryption algorithm for communication, which at the time of writing is considered to be secure. Today, A5/3 is supported by most new devices appearing in the market but only by a few networks. Further, the mobile device must not support A5/2, to deny an attacker the possibility of calculating the key later on as described above. Another method to protect communication against a passive A5/1 attack is to randomize the fillbits in GSM signaling frames in both the uplink and the downlink directions. This was standardized a number of years ago in 3GPP TS 44.008, Section 5.2. In practice, it can be observed that some devices and networks randomize the fillbits today, but widespread acceptance has still not been reached.
At this point, it is worth noting that the efforts described above were targeted at the ciphering key Kc. No practical methods are known for breaking the authentication and key-generation algorithms A3 and A8 to obtain the shared secret key Ki without physical access to the SIM card. This means that should an attacker get the ciphering key Kc of a user, they would still not be able to authenticate during the next network challenge. Consequently, if the network requires authentication and ciphering for each communication session, it is not possible for an attacker to impersonate another subscriber to receive calls or SMS messages in their place or to make outgoing calls.
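The key hierarchy described in the two paragraphs above can be exercised in a small simulation. The following is an added example, not code from the book: A3, A8 and the A5 keystream generator are replaced by HMAC-SHA256 stand-ins (the real A3/A8 are operator-specific and A5/1 is a stream cipher; only their interfaces and key lengths are reproduced here), and Ki, the RANDs and the frame numbers are constructed values. The eavesdropper is simply handed Kc of the first session, standing in for the table attack the page describes, and the simulation shows what that key does and does not give: the recorded session can be read, the next challenge cannot be answered, and a re-keyed session cannot be read unless the network skips re-authentication and keeps using the old Kc.

```python
import hmac
import hashlib

# Stand-ins for the SIM/AuC algorithms (assumption: the real A3/A8 are operator-specific,
# e.g. COMP128 variants, and are not shown on the page). Lengths follow GSM: SRES is 32 bits,
# Kc is 64 bits. Both depend on Ki, which only the SIM and the authentication centre hold.
def a3_sres(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, b"A3|" + rand, hashlib.sha256).digest()[:4]

def a8_kc(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, b"A8|" + rand, hashlib.sha256).digest()[:8]

def a5_keystream(kc: bytes, frame_number: int, length: int) -> bytes:
    """Placeholder for the A5 keystream generator: like A5/1 it is a function of Kc and the
    TDMA frame number only, so whoever holds Kc can regenerate the keystream."""
    out, block = b"", 0
    while len(out) < length:
        msg = frame_number.to_bytes(4, "big") + block.to_bytes(4, "big")
        out += hmac.new(kc, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class AuthenticationCentre:
    """Network side: holds Ki and checks the SRES returned for a RAND it issued."""
    def __init__(self, ki: bytes):
        self._ki = ki

    def verify(self, rand: bytes, sres: bytes) -> bool:
        return hmac.compare_digest(sres, a3_sres(self._ki, rand))

class Sim:
    """Subscriber side: RUN GSM ALGORITHM returns (SRES, Kc) for the network's RAND."""
    def __init__(self, ki: bytes):
        self._ki = ki

    def run_gsm_algorithm(self, rand: bytes):
        return a3_sres(self._ki, rand), a8_kc(self._ki, rand)

def encrypt(kc: bytes, frame_number: int, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, a5_keystream(kc, frame_number, len(plaintext)))

def demo(reauthenticate: bool = True) -> dict:
    """Two sessions. With reauthenticate=True the network issues a fresh RAND for session 2
    (new Kc); with False it keeps ciphering session 2 with the Kc of session 1."""
    ki = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")     # constructed 128-bit Ki
    rand1 = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed RANDs
    rand2 = bytes.fromhex("ffeeddccbbaa99887766554433221100")
    frame1, frame2 = 1234, 5678                                  # constructed frame numbers
    plaintext = b"SMS text for subscriber A"
    auc, sim = AuthenticationCentre(ki), Sim(ki)

    # Session 1: regular challenge/response, then ciphering with Kc1.
    sres1, kc1 = sim.run_gsm_algorithm(rand1)
    legitimate_auth_ok = auc.verify(rand1, sres1)
    cipher1 = encrypt(kc1, frame1, plaintext)

    # Eavesdropper: the A5/1 table attack from the page yields Kc1 from recorded frames.
    # The recovery itself is not modelled; the attacker is simply given Kc1 and nothing else.
    attacker_kc = kc1
    attacker_reads_session1 = (
        xor_bytes(cipher1, a5_keystream(attacker_kc, frame1, len(cipher1))) == plaintext)

    # Session 2: the network challenges again. The attacker has no Ki to feed into A3;
    # using the stolen Kc in its place is the only input available and does not help.
    sres2, kc2 = sim.run_gsm_algorithm(rand2)
    subscriber_auth_ok = auc.verify(rand2, sres2)
    attacker_auth_ok = auc.verify(rand2, a3_sres(attacker_kc, rand2))

    session2_kc = kc2 if reauthenticate else kc1
    cipher2 = encrypt(session2_kc, frame2, plaintext)
    attacker_reads_session2 = (
        xor_bytes(cipher2, a5_keystream(attacker_kc, frame2, len(cipher2))) == plaintext)

    return {
        "legitimate_auth_ok": legitimate_auth_ok,
        "subscriber_auth_ok_session2": subscriber_auth_ok,
        "attacker_reads_session1": attacker_reads_session1,
        "attacker_auth_ok": attacker_auth_ok,
        "attacker_reads_session2": attacker_reads_session2,
    }

if __name__ == "__main__":
    print("fresh RAND per session:", demo(True))
    print("Kc reused by network:  ", demo(False))
```

The second call shows the condition the text attaches to its conclusion: the protection only holds if the network actually re-authenticates and re-keys each session, since a reused Kc extends the exposure of the recorded session to every later one.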
1.7.8 Modulation
At the end of the transmission chain, the modulator maps the digital data onto an analog carrier, which uses a bandwidth of 200 kHz. This mapping is done by encoding the bits into changes of the carrier frequency. As the frequency change takes a finite amount of time, a method called Gaussian minimum shift keying (GMSK) is used, which smooths the flanks created by the frequency changes. GMSK has been selected for GSM as its modulation and demodulation properties are easy to handle and to implement in hardware, and as it interferes only slightly with neighboring channels.
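To make the smoothing concrete, here is an added GMSK baseband modulator in pure Python; it is not code from the book. It follows the textbook construction: NRZ frequency pulses are filtered with a Gaussian impulse response (GSM's BT = 0.3 is assumed as the default), the filtered frequency is integrated into carrier phase with modulation index 0.5 so that every bit contributes exactly ±π/2, and the phase is mapped to I/Q samples. Passing `bt=None` skips the filter and yields plain MSK, so the two can be compared: the filter leaves the per-bit phase change untouched but removes the abrupt frequency steps that would spread energy into neighboring channels. The bit patterns and the 8 samples per bit are constructed values.

```python
import math

def gaussian_taps(bt: float, samples_per_bit: int, span_bits: int = 4) -> list:
    """Impulse response of the Gaussian pre-modulation filter, truncated to span_bits bit
    periods and normalised to unit sum, so the filter only spreads a bit's frequency
    deviation in time without changing its total (and hence its total phase)."""
    sigma = math.sqrt(math.log(2)) / (2 * math.pi * bt) * samples_per_bit  # in samples
    n = span_bits * samples_per_bit
    centre = (n - 1) / 2
    taps = [math.exp(-((k - centre) ** 2) / (2 * sigma * sigma)) for k in range(n)]
    total = sum(taps)
    return [t / total for t in taps]

def convolve(x: list, h: list) -> list:
    """Full linear convolution (length len(x) + len(h) - 1), no numpy needed."""
    y = [0.0] * (len(x) + len(h) - 1)
    for i, xi in enumerate(x):
        for j, hj in enumerate(h):
            y[i + j] += xi * hj
    return y

def frequency_pulses(bits, bt, samples_per_bit: int) -> list:
    """Normalised instantaneous frequency per sample (+1/-1 = full deviation).
    bt=None gives plain MSK: rectangular pulses with abrupt flanks at bit boundaries."""
    nrz = [1.0 if b else -1.0 for b in bits for _ in range(samples_per_bit)]
    if bt is None:
        return nrz
    return convolve(nrz, gaussian_taps(bt, samples_per_bit))

def gmsk_phase(bits, bt, samples_per_bit: int) -> list:
    """Integrate frequency into carrier phase. With modulation index h = 0.5 each bit adds
    +/- pi/2 in total; filtering changes only how that phase accrues within the bit."""
    step = (math.pi / 2) / samples_per_bit
    phase, out = 0.0, []
    for f in frequency_pulses(bits, bt, samples_per_bit):
        phase += step * f
        out.append(phase)
    return out

def gmsk_modulate(bits, bt=0.3, samples_per_bit: int = 8) -> list:
    """Baseband I/Q samples on the unit circle (constant envelope)."""
    return [(math.cos(p), math.sin(p)) for p in gmsk_phase(bits, bt, samples_per_bit)]

def peak_frequency_step(bits, bt, samples_per_bit: int = 8) -> float:
    """Largest sample-to-sample frequency jump: the 'flank' the Gaussian filter smooths."""
    f = frequency_pulses(bits, bt, samples_per_bit)
    return max(abs(a - b) for a, b in zip(f[1:], f))

def max_envelope_error(iq: list) -> float:
    """How far the signal magnitude strays from 1 (should be floating-point noise only)."""
    return max(abs(math.hypot(i, q) - 1.0) for i, q in iq)

if __name__ == "__main__":
    pattern = [1, 0] * 8  # constructed alternating bit pattern, worst case for flanks
    print("MSK  peak frequency step:", peak_frequency_step(pattern, None))
    print("GMSK peak frequency step:", peak_frequency_step(pattern, 0.3))
    print("phase after eight 1-bits:", gmsk_phase([1] * 8, 0.3, 8)[-1], "(4*pi expected)")
    print("envelope error:", max_envelope_error(gmsk_modulate(pattern)))
```

The unit-sum normalisation of the taps is what makes the comparison fair: the filtered and unfiltered versions reach the same phase at the end of a bit sequence, and the only difference is the size of the frequency steps along the way.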
1.7.9 Voice Activity Detection
To reduce the interference on the air interface and to increase the operating time of the
mobile device, data bursts are only sent if a speech signal is detected. This method is
called discontinuous transmission (DTX) and can be activated independently in
the uplink and downlink directions (Figure 1.40). Since only one person speaks at a time
during a conversation, one of the two speech channels can usually be deactivated. In the