Revision as of 21:07, 15 May 2012 by Bomazi (previous revision: 19:48, 15 May 2012, same editor)
COMP128 is an implementation of the A3 and A8 algorithms defined in the GSM standard.
A3 is used to authenticate the mobile station to the network. A8 is used to generate the session key used by the A5 algorithm to encrypt the data exchanged between the mobile station and the base transceiver station (BTS).
The algorithm was originally confidential. A partial description was leaked in 1997 and completed via reverse engineering.
Introduction
For details on the way A3 and A8 are used see Authentication Center.
A3 and A8 both take a 128-bit key (Ki) and a 128-bit challenge (RAND) as inputs. A3 produces a 32-bit response (SRES) and A8 produces a 64-bit session key (Kc).
COMP128 combines the functionality of A3 and A8: it is built around a single hash function with a 256-bit input and a 128-bit output.
Ki and RAND together form the 256-bit input. Bits 0-31 of the output are used as SRES. Bits 74-127 of the output (54 bits) are zero-padded to 64 bits to form Kc.
The hash function iterates a compression function with a butterfly structure eight times, with a bit permutation of the intermediate result between iterations.
Security
The COMP128 hash function is considered weak because of poor diffusion: small changes in the input are not spread sufficiently across the output.
Practical attacks have been demonstrated that recover the subscriber key Ki from the SIM. Replacement algorithms have since been developed.
In addition, because ten of the 64 bits of Kc are fixed at zero, the session key produced by COMP128 has only 54 bits of entropy. This significantly weakens the A5 encryption that uses it.
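As an added illustration (not code from this article, nor from any GSM reference implementation), the following Python splits a 128-bit COMP128 output into SRES and Kc using the bit layout given in the Introduction, and checks a Kc for the ten fixed zero bits that leave it with 54 bits of entropy. The handling of the output as 16 bytes, the MSB-first bit numbering and the placement of the padding at the low-order end are assumptions not stated on this page, and the sample output value is constructed rather than produced by COMP128.

```python
# Added example: derive SRES and Kc from a 128-bit COMP128 hash output
# according to the bit layout described in the article, then check Kc for
# the ten padding bits that limit it to 54 bits of entropy.
#
# Assumptions (not stated on the page): the output is handled as 16 bytes,
# bit 0 is the most significant bit of the first byte, and the zero
# padding of Kc sits at the low-order end.

SRES_BITS = range(0, 32)          # bits 0-31 of the hash output
KC_BITS = range(74, 128)          # bits 74-127 of the hash output (54 bits)
KC_PAD_BITS = 64 - len(KC_BITS)   # ten zero bits appended to reach 64


def output_bit(h: bytes, i: int) -> int:
    """Return bit i of the 128-bit output, numbering bits MSB-first (assumption)."""
    if not 0 <= i < 128:
        raise ValueError("bit index out of range")
    return (h[i // 8] >> (7 - i % 8)) & 1


def bits_to_int(h: bytes, bit_range: range) -> int:
    """Concatenate the selected output bits into an integer, first bit most significant."""
    value = 0
    for i in bit_range:
        value = (value << 1) | output_bit(h, i)
    return value


def split_output(h: bytes) -> tuple:
    """Derive (SRES, Kc) from a 16-byte COMP128 output as the article describes."""
    if len(h) != 16:
        raise ValueError("COMP128 output must be 128 bits")
    sres = bits_to_int(h, SRES_BITS).to_bytes(4, "big")
    # 54 output bits followed by ten zero bits give the 64-bit Kc.
    kc = (bits_to_int(h, KC_BITS) << KC_PAD_BITS).to_bytes(8, "big")
    return sres, kc


def kc_padding_ok(kc: bytes) -> bool:
    """True if Kc carries the ten low-order zero bits this layout produces."""
    if len(kc) != 8:
        return False
    return int.from_bytes(kc, "big") & ((1 << KC_PAD_BITS) - 1) == 0


def kc_entropy_bits(kc: bytes) -> int:
    """Upper bound on the entropy of Kc: its width minus the fixed padding bits."""
    if not kc_padding_ok(kc):
        raise ValueError("Kc does not have the expected padding")
    return 64 - KC_PAD_BITS


if __name__ == "__main__":
    # Constructed sample output, not a real COMP128 result.
    sample = bytes.fromhex("00112233445566778899aabbccddeeff")
    sres, kc = split_output(sample)
    print("SRES:", sres.hex())
    print("Kc:  ", kc.hex())
    print("Kc entropy bits:", kc_entropy_bits(kc))
```

A Kc read back from a SIM that fails `kc_padding_ok` was not produced by the output layout described here; one that passes gives an attacker brute-forcing the A5 session key a 2^54 keyspace rather than 2^64.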
References
- Brumley, Billy (2004), A3/A8 & COMP128 (PDF), http://www.tcs.hut.fi/Studies/T-79.514/slides/S5.Brumley-comp128.pdf
External links
- "Sicherheit Mobiler Systeme" (Security of Mobile Systems), Prof. Dr. Hannes Federrath, Chair of Information Security Management, University of Regensburg (PDF file; 8.17 MB)
- The attack by Briceno, Goldberg and Wagner
- HP00: Reducing the Collision Probability of Alleged Comp128, H. Handschuh and P. Paillier, Springer-Verlag 2000 (PDF file; 82 kB)
- Chaos Computer Club on the attack possibility