A group of cryptographers has developed a new attack that has broken Kasumi, the encryption algorithm used to secure traffic on 3G GSM wireless networks. The technique enables them to recover a full key by using a tactic known as a related-key attack, but experts say it is not the end of the world for Kasumi.
[See: Four Questions for Bruce Schneier on the GSM Cipher Crack]
Kasumi, also known as A5/3, is the standard cipher used to encrypt communications on 3G GSM networks, and it’s a modified version of an older algorithm called Misty. The paper describing the new attack is not yet public, but the Emergent Chaos blog has a good description of the attack, including an excerpt from the abstract:
In this paper we describe a new type of attack called a sandwich attack, and use it to construct a simple distinguisher for 7 of the 8 rounds of KASUMI with an amazingly high probability of 2−14. By using this distinguisher and analyzing the single remaining round, we can derive the complete 128 bit key of the full KASUMI by using only 4 related keys, 226 data, 230 bytes of memory, and 232 time. These complexities are so small that we have actually simulated the attack in less than two hours on a single PC, and experimentally verified its correctness and complexity. Interestingly, neither our technique nor any other published attack can break MISTY in less than the 2128 complexity of exhaustive search, which indicates that the changes made by the GSM Association in moving from MISTY to KASUMI resulted in a much weaker cryptosystem.
“This is a nice piece of work. This is breaking the math, not just an implementation,” said cryptographer Bruce Schneier. “They found a practical, related key attack. It’s not clear whether it can break actual traffic or whether it’s useful operationally. Related-key attacks are a form of cryptanalysis that showed up about 10 years ago, but they’re rare in the real world because you need the related keys.”
As Emergent Chaos points out, this is not necessarily a sky-is-falling moment, but it’s not good news either.
“There’s never such an attack when you need to throw your stuff in the ocean,” Schneier said. We’ve had practical attacks on SSL, we’ve had all of these things. I believe it should be fixed, but this shows the process of crypto. And it shows that you don’t dink around with crypto. Instead of using the existing cipher they decided to modify it, and by modifying it, they broke it pretty badly. Why not use the existing cipher?”
The group of researchers who developed the new attack includes Orr Dunkelman, Nathan Keller and Adi Shamir, one of the creators of the RSA algorithm.
The news of the Kasumi crack comes just a couple of weeks after researchers published a method for attacking the older A5/1 GSM algorithm.