4

Why does cellular communication protocols use A5 or KASUMI and not AES or 3DES or RSA?

I have read that A5 is not that secure, is this the case?

Are A5 or KASUMI used anywhere else? Why only in cellular?

forest
  • 64,616
  • 20
  • 206
  • 257
stng
  • 41
  • 2
  • Note that KASUMI is A5/3. A5 is the name of keystream generator protocols, not the cipher itself. At least originally (with A5/1), it was chosen in part because all existing ciphers were too heavy. A newer, lighter one was developed using three LFSRs (which are very light on the hardware). – forest Apr 05 '18 at 05:42
  • So are these implemented on SIM ? cant an applet on SIM perform heavy ones as well , since I have seen all the algorithms being implemented on a smart card applet. – stng Apr 05 '18 at 05:45
  • They are implemented in the mobile device's baseband processor. The SIM does not actively perform any action activity for the device (i.e. it is not a coprocessor). It just functions for authenticating to the network and, for some older or more limited devices, storing SMS messages. – forest Apr 05 '18 at 05:46
  • So where does the key that encrypts the voice call exists ? in the baseband processor? – stng Apr 05 '18 at 05:53
  • from one of the blog on that ques you pointed to "Call encryption is facilitated by a long-term secret key (call it K) that’s stored within the tamper-resistant SIM card in your GSM phone. Your carrier also has a copy of this key. " So i was talking about this key. Later session keys are indeed actually used but this key should be present before hand. – stng Apr 05 '18 at 06:13
  • I have not gone through the whole cryptographic protocol in use here but from my experience i believe authentication must be happening by validating a cryptogram generated using the session keys (Which in turn in a step before, were generated by encrypting (using K) a key derivation data containing a random value as the input data) and later call data confidentiality by encryption is also obtained by these session keys as well. – stng Apr 05 '18 at 06:19
  • My point was that the key that is directly used to create the A5 keystream is a temporary session key and is not stored in the SIM, even if data used (in combination with a random nonce) to derive it are. – forest Apr 05 '18 at 06:23
  • Ok, i got your point. – stng Apr 05 '18 at 06:24
  • 1) limited power 2) compatible hardware – again Apr 05 '18 at 06:06

1 Answers1

1

It seems to me this is for historical and technical reasons. A5/1 and A5/2 seem to be rather old designs from late 1980s. They do not appear to be in use any more. There was no AES at that time and 3DES is block cipher and GSM networks vendors apparently wanted stream ciphers back then. KASUMI seems to have been accepted also around the the time or before AES was announced, so they couldn't have made AES the standard cipher either. Also, AES is USA standard while these GSM network standards are international, and politics is a thing.

wilx
  • 191
  • 1
  • 7
  • A5/1 is still very widely in use, used by many billions of people. Either way, this seems to be more of an opinion (though it seems reasonable). Do you have any authoritative sources to back it up? – forest Apr 05 '18 at 05:53
  • Only Wikipedia, but I do not have a reason to disbelieve the dates they mention. – wilx Apr 05 '18 at 05:55
  • @forest: Block to stream cipher requires more memory. If you look at A5/1, it seems rather trivial to implement with few registers and logic circuits. Also, I think you can resynchronize with stream cipher encrypted data stream if bytes get lost but with block ciphers you are lost. I think that is what you might want if you are implement reliable communication technology. But you are right, it is unauthoritative opinion of mine. – wilx Apr 05 '18 at 06:09
  • Yeah that's true, and A5/1 was particularly trivial to implement (just a few LFSRs). – forest Apr 05 '18 at 06:11
  • But an interesting thing I am reading here:https://blog.cryptographyengineering.com/2013/05/14/a-few-thoughts-on-cellular-encryption/ is : "The GSM ciphers were developed using the ‘make stuff up and pray nobody sees it‘ school of cryptographic algorithm design" – stng Apr 05 '18 at 06:29
  • Indeed. Especially the early ones relied on security through obscurity. Cryptographic weaknesses were found quickly after their design leaked. – forest Apr 05 '18 at 06:32
  • But what is the situation today, has A5 got any better or not? – stng Apr 05 '18 at 06:36
  • Well billions of people still use the horribly-broken A5/1, but a new protocol used for LTE exists called SNOW, which seems to be about as good as KASUMI (theoretical breaks, but not horrible in practice). However the security of authentication and generating the session key are still as horrible as ever, so even modern mobile connections can be spied on due to weaknesses in the protocol. – forest Apr 05 '18 at 06:38
  • 1
    Some possible additional information: https://www.aftenposten.no/verden/i/Olkl/Sources-We-were-pressured-to-weaken-the-mobile-security-in-the-80s – forest May 06 '18 at 02:13