
I would like to have general info about crypto and the common SIM card in mobile phones (I know there may be different implementations and technologies according to the operator...).

  • Is crypto used only for authentication?
  • Is crypto used also for encryption? Symmetric encryption?

I heard about a private key embedded in it for authentication, but what about encryption, which seems as important.

crypto-learner
  • Have you read [this question](http://security.stackexchange.com/questions/31041/is-there-cryptographic-material-in-a-phones-sim-card-that-can-be-used-with-rsa?rq=1)? – Michael Foukarakis Feb 20 '15 at 13:37

1 Answer


It's been a while since I researched this topic; however, several algorithms exist. At the time of my research (3 years ago), the A5 algorithm was the most used algorithm in Europe for phone and SMS conversations (GPRS used a different algorithm). Several variations exist:

  • A5/0
  • A5/1: most widely used (deemed the most secure of the three), but cracked by Karsten Nohl in 2009-2010
  • A5/2

I am not sure if these algorithms are still in use, but I assume the encryption/authentication is still done in a similar manner. Update: 3G and 4G are probably a lot safer. However, operators often fall back to 2G for normal calls/SMSes. The A5/3 algorithm (aka KASUMI) is said to be used in 3G communications. KASUMI is much harder to crack, and thus it is simpler for the NSA to go and steal the keys. Update 2: by operating a jamming device, agencies have reportedly disrupted 3G/4G communications, causing nearby phones to fall back to crackable 2G.

**Authentication** To decide whether or not the SIM may access the network, the SIM needs to be authenticated. A random number is generated by the operator, and is sent to the mobile device. Together with the secret key Ki, this random number runs through the A3 algorithm (it is this Ki that recently has been compromised). The output of this calculation is sent back to the operator, where the output is compared with the calculation that the operator has executed himself (the operator possesses the secret keys for all SIM cards the operator has distributed).

**Encryption** This part is the part that has been cracked. In short, the operator generates a random number (again), and sends it to the mobile phone. Together with the secret key Ki, this random number runs through the A8 algorithm, and generates a session key Kc. This Kc is used, in combination with the A5 algorithm, to encrypt/decrypt the data.

[Figure: SIM encryption]

Note: the figure is from a paper by the SANS Institute, and the explanation of the A5 algorithm crack is based on the presentation of Karsten Nohl. I cannot seem to find a valid link to either of these papers at the moment.

John Deters
Michael
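The challenge-response flow described in the answer (RAND from the operator, SRES = A3(Ki, RAND) sent back, Kc = A8(Ki, RAND) derived on both sides but never transmitted), modelled as an added example that is not part of the original post. A3 and A8 are operator-specific, so both are stand-ins built on HMAC-SHA256 here; the IMSI and Ki values are constructed.

```python
"""GSM-style SIM authentication and session-key derivation (constructed model).

The text only describes A3 as "Ki + RAND -> SRES" and A8 as "Ki + RAND -> Kc";
the real algorithms are operator-specific, so HMAC-SHA256 stands in for both.
Sizes follow GSM: Ki 128 bits, RAND 128 bits, SRES 32 bits, Kc 64 bits.
"""
import hashlib
import hmac
import secrets


def a3(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A3: the 32-bit signed response to the challenge."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A8: the 64-bit session key Kc (never sent over the air)."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


class Operator:
    """Holds the Ki of every SIM it issued, keyed by IMSI (constructed values)."""
    def __init__(self, sims: dict):
        self.sims = sims

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)  # a fresh RAND for every authentication

    def verify(self, imsi: str, rand: bytes, sres: bytes):
        """Return Kc if SRES matches the operator's own A3 result, else None."""
        ki = self.sims.get(imsi)
        if ki is None or not hmac.compare_digest(a3(ki, rand), sres):
            return None
        return a8(ki, rand)


class Sim:
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self.ki = imsi, ki

    def respond(self, rand: bytes):
        """Compute SRES and Kc from the challenge; only SRES goes back over the air."""
        return a3(self.ki, rand), a8(self.ki, rand)


def run_auth(op: Operator, sim: Sim):
    """One authentication round: (Kc held by the SIM, Kc held by the network)."""
    rand = op.challenge()
    sres, sim_kc = sim.respond(rand)
    net_kc = op.verify(sim.imsi, rand, sres)
    return sim_kc, net_kc
```

Because RAND is fresh each round, a captured SRES is useless against the next challenge, and the two sides agree on Kc without it ever crossing the air interface.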
  • Better answer than mine! I would like to get a review about those algorithms too in a mathematical sense. Are there any implementations without private keys? – Léo Léopold Hertz 준영 Feb 20 '15 at 13:59
  • The A5 algorithm is based on symmetric encryption. I suppose a public-private key (asymmetric encryption) setup (same as is used in HTTPS connections) could be used. However, asymmetric encryption was introduced because of the key-distribution problem. As the operator is able to control the SIM card, I don't think that asymmetric encryption is a better solution. A secret will always exist somewhere. – Michael Feb 20 '15 at 14:01
  • @Michael Maybe symmetric crypto is also used because it is cheaper to implement and for performance reasons (phone conversation needs real-time processing), am I right? – crypto-learner Feb 20 '15 at 14:40
  • @crypto-learner Communication based on asymmetric encryption typically also makes use of symmetric keys. Only the symmetric key is exchanged using asymmetric encryption. The symmetric key is then used during the lifetime of the session. – Michael Feb 20 '15 at 14:47
  • @Michael yes you are right... but could there be a performance issue because of negotiations involving asymmetric first exchanges?! – crypto-learner Feb 20 '15 at 15:04
  • @Michael I read that A/2 is no longer considered secure; do you know which algo is the "official" substitute? – crypto-learner Feb 20 '15 at 15:07
  • A5/3 seems to be used in 3G communications: http://en.wikipedia.org/wiki/KASUMI & http://blog.cryptographyengineering.com/2013/05/a-few-thoughts-on-cellular-encryption.html . It is much harder to crack, which is why the NSA will more likely go steal the keys at the operator: https://www.schneier.com/essays/archives/2014/12/nsa_hacking_of_cell_.html – Michael Feb 20 '15 at 15:14
  • Do you have any trustworthy sources about the Mathematics? Any publications? I have read about these implementations in some Numerical Theory books, but would like to see rigorous approaches in some publications for your claims. – Léo Léopold Hertz 준영 Feb 20 '15 at 16:18
  • @Masi Which mathematics are you referring to? I have made no claims whatsoever about the time it takes to crack. I only mentioned that the A5/1 standard has been cracked, and that A5/3 is considered to be secure. Those claims are backed up by the documents I am referring to, but I haven't taken the time to find a valid link; I have them on my hard drive if you want me to send them to you. – Michael Feb 20 '15 at 16:28
  • Where do the session key generation and encryption processes happen? In the SIM or in the handset? Are all the communications encrypted? (Voice calls, SMSs and USSDs) – Ebrahim Ghasemi Dec 28 '16 at 13:22