Bastien Baranoff wrote:
> Hello all, the attack : you generate the rainbow tables for each possibles ki
> with a given rand set, send this rand (which is not random ;) the phone
> respond with sres you make the operation for 3 or 4 rand and meaningly
> decrease the possibility of ki. Do you think it is realisable ?
Someone please correct me if I'm wrong on this detail, but it is my
understanding that no mainstream commercial operator today (outside of
personal enthusiast tinkerers in Osmocom and similar communities)
issues native 2G SIM cards any more - instead all of their current SIM
cards are actually USIM/ISIM, and if GSM 11.11 SIM operation is
supported at all, it is only provided as a backward compatibility
mode. I reason that these "modern" SIMs must be using Milenage in
their native 3G/4G mode, thus their secret key material is not classic
Ki, but K/Ki (128 bits) plus OPc (another 128 bits), for a total of
256 bits of secret key material.
What happens when these "modern" SIMs are accessed via GSM 11.11 SIM
protocol, or when 2G authentication is requested in a USIM session?
I find it doubtful that they switch to COMP128 (any version) in this
mode, instead I reason that they use 2G mode of Milenage, which still
uses both K/Ki and OPc - thus the secret key material used even for 2G
Kc and SRES generation from RAND is still 256 bits rather than 128.
Again, someone please correct me if my reasoning is wrong here.
M~