A5/2 Explained
A5/2 is a stream cipher used to provide voice privacy in the GSM cellular telephone protocol. It was designed in 1992-1993 (finished March 1993) as a replacement for the relatively stronger (but still weak) A5/1, to allow the GSM standard to be exported to countries "with restrictions on the import of products with cryptographic security features".[1]
The cipher is based on a combination of four linear-feedback shift registers with irregular clocking and a non-linear combiner.
In 1999, Ian Goldberg and David A. Wagner cryptanalyzed A5/2 in the same month it was reverse engineered, and showed that it was extremely weak – so much so that low-end equipment can probably break it in real time.[2]
In 2003, Elad Barkan, Eli Biham and Nathan Keller presented a ciphertext-only attack based on the error correcting codes used in GSM communication. They also demonstrated a vulnerability in the GSM protocols that allows a man-in-the-middle attack to work whenever the mobile phone supports A5/2, regardless of whether it was actually being used.[3]
Since July 1, 2006, the GSMA (GSM Association) has mandated that GSM mobile phones no longer support the A5/2 cipher, due to its weakness and the fact that A5/1 is deemed mandatory by the 3GPP association. In July 2007, the 3GPP approved a change request to prohibit the implementation of A5/2 in any new mobile phones, stating: "It is mandatory for A5/1 and non encrypted mode to be implemented in mobile stations. It is prohibited to implement A5/2 in mobile stations."[4] If the network does not support A5/1, then an unencrypted connection can be used.
External links
- A5/2 at CryptoDox
- A5/2 withdrawal at security.osmocom.org
- Ian Goldberg, David Wagner, Lucky Green. The (Real-Time) Cryptanalysis of A5/2. Rump session of Crypto'99, 1999.
- Tool for cracking the GSM A5/2 cipher, written by Nicolas Paglieri and Olivier Benjamin: A52HackTool (with full source code – C language – GNU GPL)
Notes and References
- Security Algorithms Group of Experts (SAGE). "ETR 278 - Report on the specification and evaluation of the GSM cipher algorithm A5/2". European Telecommunications Standards Institute (ETSI), March 1996. Archived December 4, 2013: https://web.archive.org/web/20131204061251/http://www.etsi.org/deliver/etsi_etr/200_299/278/01_60/etr_278e01p.pdf
- Goldberg, Ian; Wagner, David; Green, Lucky. "The (Real-Time) Cryptanalysis of A5/2". August 26, 1999. David Wagner's page at UC Berkeley Department of Electrical Engineering and Computer Sciences. Archived April 21, 2021: https://web.archive.org/web/20210421131010/https://people.eecs.berkeley.edu/~daw/tmp/a52-slides.ps
- Barkan, Elad; Biham, Eli; Keller, Nathan. "Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication". In Boneh, Dan (ed.), Advances in Cryptology - CRYPTO 2003. Lecture Notes in Computer Science, vol. 2729. Berlin, Heidelberg: Springer, 2003, pp. 600–616. doi:10.1007/978-3-540-45146-4_35. ISBN 978-3-540-45146-4.
- 3GPP TSG-SA WG3 (Security) Meeting #48. "SP-070671 - Prohibiting A5/2 in mobile stations and other clarifications regarding A5 algorithm support". 3GPP Change Requests Portal, 18 September 2007. Archived April 21, 2021: https://web.archive.org/web/20210421125343/https://portal.3gpp.org/ngppapp/CreateTdoc.aspx?mode=view&contributionUid=SP-070671