Bastien Baranoff wrote:
Hello all, the attack : you generate the rainbow tables for each possibles ki with a given rand set, send this rand (which is not random ;) the phone respond with sres you make the operation for 3 or 4 rand and meaningly decrease the possibility of ki. Do you think it is realisable ?
Someone please correct me if I'm wrong on this detail, but it is my understanding that no mainstream commercial operator today (outside of personal enthusiast tinkerers in Osmocom and similar communities) issues native 2G SIM cards any more - instead all of their current SIM cards are actually USIM/ISIM, and if GSM 11.11 SIM operation is supported at all, it is only provided as a backward compatibility mode. I reason that these "modern" SIMs must be using Milenage in their native 3G/4G mode, thus their secret key material is not classic Ki, but K/Ki (128 bits) plus OPc (another 128 bits), for a total of 256 bits of secret key material.
What happens when these "modern" SIMs are accessed via GSM 11.11 SIM protocol, or when 2G authentication is requested in a USIM session? I find it doubtful that they switch to COMP128 (any version) in this mode, instead I reason that they use 2G mode of Milenage, which still uses both K/Ki and OPc - thus the secret key material used even for 2G Kc and SRES generation from RAND is still 256 bits rather than 128.
Again, someone please correct me if my reasoning is wrong here.
M~