A5/2
A5/2 is a stream cipher used to provide voice privacy in the GSM cellular telephone protocol. It was designed in 1992-1993 (finished March 1993) as a replacement for the relatively stronger (but still weak) A5/1, to allow the GSM standard to be exported to countries "with restrictions on the import of products with cryptographic security features".[1]
The cipher is based on a combination of four linear-feedback shift registers with irregular clocking and a non-linear combiner.
In 1999, Ian Goldberg and David A. Wagner cryptanalyzed A5/2 in the same month it was reverse engineered, and showed that it was extremely weak – so much so that low end equipment can probably break it in real time.[2]
In 2003, Elad Barkan, Eli Biham and Nathan Keller presented a ciphertext-only attack based on the error correcting codes used in GSM communication. They also demonstrated a vulnerability in the GSM protocols that allows a man-in-the-middle attack to work whenever the mobile phone supports A5/2, regardless of whether it was actually being used.[3]
Since July 1, 2006, the GSMA (GSM Association) mandated that GSM Mobile Phones will not support the A5/2 Cipher any longer, due to its weakness, and the fact that A5/1 is deemed mandatory by the 3GPP association. In July 2007, the 3GPP has approved a change request to prohibit the implementation of A5/2 in any new mobile phones, stating: "It is mandatory for A5/1 and non encrypted mode to be implemented in mobile stations. It is prohibited to implement A5/2 in mobile stations."[4] If the network does not support A5/1 then an unencrypted connection can be used.
See also
References
- ^ Security Algorithms Group of Experts (SAGE) (March 1996). "ETR 278 - Report on the specification and evaluation of the GSM cipher algorithm A5/2" (PDF). European Telecommunications Standards Institute (ETSI). Archived (PDF) from the original on December 4, 2013.
- ^ Goldberg, Ian; Wagner, David; Green, Lucky (August 26, 1999). "The (Real-Time) Cryptanalysis of A5/2". David Wagner's page at UC Berkeley Department of Electrical Engineering and Computer Sciences. Archived from the original on April 21, 2021.
- ^ Barkan, Elad; Biham, Eli; Keller, Nathan (2003). Boneh, Dan (ed.). "Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication". Advances in Cryptology - CRYPTO 2003. Lecture Notes in Computer Science. 2729. Berlin, Heidelberg: Springer: 600–616. doi:10.1007/978-3-540-45146-4_35. ISBN 978-3-540-45146-4.
- ^ 3GPP TSG-SA WG3 (Security) Meeting #48 (September 18, 2007). "SP-070671 - Prohibiting A5/2 in mobile stations and other clarifications regarding A5 algorithm support". 3GPP Change Requests Portal. Archived from the original on April 21, 2021.
{{cite web}}
: CS1 maint: numeric names: authors list (link)
External links
- A5/2 at CryptoDox
- A5/2 withdrawal at security.osmocom.org
- Ian Goldberg, David Wagner, Lucky Green. The (Real-Time) Cryptanalysis of A5/2. Rump session of Crypto'99, 1999.
- Barkam, Elad; Biham, Eli; Keller, Nathan (2008), "Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication" (PDF), Journal of Cryptology, 21 (3): 392–429, doi:10.1007/s00145-007-9001-y, S2CID 459117
- Tool for cracking the GSM A5/2 cipher, written by Nicolas Paglieri and Olivier Benjamin: A52HackTool (with full source code – C language – GNU GPL)