5

The KASUMI is a block cipher used to encrypt UMTS, GPRS, and GSM SMS messages. The references section in Wikipedia says that a related key attack is possible in 3G systems.

Q: Has it been proven that the related key attack may (or may not) apply to a given mobile provider? If so which ones are (not)affected?

makerofthings7
  • 50,090
  • 54
  • 250
  • 536

1 Answers1

5

To the best of my knowledge, the related-key attack on KASUMI is not relevant to the security of 3G, UMTS, GPRS, GSM, or any other cellular system I am familiar with. To the best of knowledge, it poses no danger to the security of those systems.

Related-key attacks on a block cipher are only a problem if the block cipher is used in a way that allows an attacker to gain partial control over the key to the block cipher (in a certain very specific way). Normally, well-designed protocols and systems do not use block ciphers in a way that would allow related-key attacks. As far as I can tell, cellular systems do not seem to use KASUMI in a way that would allow an attacker to mount a related-key attack on KASUMI. Therefore, the existence of related-key attacks on KASUMI seems to be irrelevant to the security of 3G, GSM, or other cellular systems.

The authors of the related-key attack on KASUMI (Dunkelman, Keller, and Shamir) make no claim that their attack poses any danger to deployed cellular systems.

Unfortunately, the media got this all wrong, as far as I can tell. I remember seeing a bunch of stories in the press saying that this was an embarrassment for the cellular industry and means you shouldn't trust 3G systems. Neither of those conclusions was warranted, as far as I can tell.

See also sniffing/recording GSM 3G signals.

Disclaimer: I have not analyzed the 3G, UMTS, GPRS, GSM, or other cellular standards in depth and cannot guarantee that they are free of security risks. I can only say that I am not aware of any way that the related-key attack on KASUMI might endanger deployed cellular systems. I don't mean to disparage the research of Dunkelman, Keller, and Shamir in any way. It is good research; I just want to help folks understand its practical implications.

D.W.
  • 98,420
  • 30
  • 267
  • 572