A Second GSM Cipher Falls

A group of cryptographers has developed a new attack that has broken Kasumi, the encryption algorithm used to secure traffic on 3G GSM wireless networks. The technique enables them to recover a full key by using a tactic known as a related-key attack, but experts say it is not the end of the world for Kasumi.

Kasumi, also known as A5/3, is the standard cipher used to encrypt communications on 3G GSM networks, and it’s a modified version of an older algorithm called Misty. The paper describing the new attack is not yet public, but the Emergent Chaos blog has a good description of the attack, including an excerpt from the abstract:

In this paper we describe a new type of attack called a sandwich attack, and use it to construct a simple distinguisher for 7 of the 8 rounds of KASUMI with an amazingly high probability of 2^-14. By using this distinguisher and analyzing the single remaining round, we can derive the complete 128 bit key of the full KASUMI by using only 4 related keys, 2^26 data, 2^30 bytes of memory, and 2^32 time. These complexities are so small that we have actually simulated the attack in less than two hours on a single PC, and experimentally verified its correctness and complexity. Interestingly, neither our technique nor any other published attack can break MISTY in less than the 2^128 complexity of exhaustive search, which indicates that the changes made by the GSM Association in moving from MISTY to KASUMI resulted in a much weaker cryptosystem.

“This is a nice piece of work. This is breaking the math, not just an implementation,” said cryptographer Bruce Schneier. “They found a practical, related key attack. It’s not clear whether it can break actual traffic or whether it’s useful operationally. Related-key attacks are a form of cryptanalysis that showed up about 10 years ago, but they’re rare in the real world because you need the related keys.”

As Emergent Chaos points out, this is not necessarily a sky-is-falling moment, but it’s not good news either.

“There’s never such an attack when you need to throw your stuff in the ocean,” Schneier said. “We’ve had practical attacks on SSL, we’ve had all of these things. I believe it should be fixed, but this shows the process of crypto. And it shows that you don’t dink around with crypto. Instead of using the existing cipher they decided to modify it, and by modifying it, they broke it pretty badly. Why not use the existing cipher?”

The group of researchers who developed the new attack includes Orr Dunkelman, Nathan Keller and Adi Shamir, one of the creators of the RSA algorithm.

The news of the Kasumi crack comes just a couple of weeks after researchers published a method for attacking the older A5/1 GSM algorithm.

Discussion

  • Anonymous on

    What? The Captcha says leave Weimar? But I'm not even there!

  • Anonymous on

    This is great news.

    It is what the government always wanted, to allow simple eavesdropping :-)

    There goes mobile internet banking too... It is too risky.

  • Anonymous on

    Good thing we can encrypt all our data via VPN - And there will be creative voice crypto soon as there are some coming into the industry now. Just have to have one on each end of call today! So it will be software based in smartphones or over VoIP so all calls will be data calls anyways and encrypted via a VPN or IPSec-like method.

  • phil on

    Oh, I just know all those things now. Thanks for this info. It really helps