This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/baseband-devel@lists.osmocom.org/.
Alfonso De Gregorio adg at crypto.lo.gyOn Wed, Mar 9, 2011 at 9:38 PM, Henk <henk.vergonet at gmail.com> wrote: > On Tue, Mar 8, 2011 at 4:31 PM, Alfonso De Gregorio wrote: >> On Tue, Mar 8, 2011 at 3:28 PM, Henk wrote: >>> Actually comp128-2 has a 54bit Kc it seems. >> >> Have you observed a COMP128-2 implementation returning a 54bit long >> Kc?, or have you heard about this from somebody else? >> Can you please disclose more about the SIM model and the operator >> running this A3/A8 implementation? >> > > I found it in a some vendor related 3G spec some while ago, can't > remember which one. > > After some googling I found the reference below, which also confirm a > Kc of 54 bits, unfortunately I don't have access to the algorithm. > This seems to indicate a completely new algorithm, some others suggest > its a "patched" version of comp128. > > - henk Thanks for the reference below. I didn't figured out before 10bits are stuck at zero also with the v2 of COMP128. Cheers, alfonso > "Quirke (2004). Security in the GSM system." > ... > Implementations of A3, A8 > > Although the design of the GSM system allows an operator to choose any > algorithm they > like for A3 & A8, many decided on the one that was developed in secret > by the GSM > association, COMP128. > > COMP128 eventually ended up in public knowledge due to a combination > of reverse engineering and leaked documents, and serious flaws were > discovered (as discussed below). > > Some GSM operators have moved to a newer A3/A8 implementation, COMP128-2, a > completely new algorithm which was also developed in secret. This > algorithm for now > seems to have addressed the faults of the COMP128 algorithm, although > since it has yet > to come under public scrutiny it may potentially be discovered via > reverse-engineering > and any possible flaws could be learned. > > Finally, the COMP128-3 algorithm can also be used, it is simply the COMP128-2 > algorithm, however all 64-bits of the Kc are generated, allowing > maximal possible > strength from the A5 ciphering algorithm (COMP128-2 still sets the 10 > rightmost bits of > the Kc to 0), deliberately weakening the A5 ciphering. > … -- Alfonso De Gregorio BeeWise - Security Event Futures - http://beewise.org/