On Tue, 8 Mar 2011 16:31:47 +0100, Alfonso De Gregorio wrote:
Actually COMP128-2 has a 54-bit Kc, it seems.
Have you observed a COMP128-2 implementation returning a 54-bit long Kc, or have you heard about this from somebody else? Can you please disclose more about the SIM model and the operator running this A3/A8 implementation?
Interesting question, how do we know if it's COMP128-2 that is being used by a specific operator? They can use whatever algo they want - or their equipment vendor provides - in their SIMs and auth infrastructure, producing deliberately weakened Kcs.
One more weakened key derivation function (after the first version) would be interesting per se. Still, it would be even more interesting to give a closer look at this obscure cipher we carry in our pockets...
No question, there are still SIMs given out weakening the anyway broken A5/1. Interestingly, I observed that operators have mixed occurrence of weak Kcs for one SIM and non-weak Kcs for another. Another possibility is that they are able to determine that for all SIMs by choice of the RAND the network sends. So some people, contract-wise, phone-wise or regions could be more easily tapped than others. But it's just speculation...
The most promising approach, after (really) good cryptologists looking at in- and output, is to open up and grind down a SIM chip and take pictures to reconstruct its logic, as has been done with MIFARE etc. Aren't there people reading this who are experienced in the latter?
Regards, Mad
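Added example, not part of the original messages: one way to test a SIM for the weak/non-weak Kc difference discussed above is to collect several Kc values from that SIM and count the low-order bits that are zero in every one of them. It assumes the weakening shows up as the 10 least significant bits of the 64-bit Kc being forced to zero (as publicly described for COMP128-1/-2, not stated in this thread); the hex samples and function names are constructed for illustration.

```python
KC_BITS = 64

def parse_kc(hex_kc):
    """Parse one Kc given as 16 hex digits into an integer."""
    raw = bytes.fromhex(hex_kc)
    if len(raw) * 8 != KC_BITS:
        raise ValueError("Kc must be exactly 64 bits")
    return int.from_bytes(raw, "big")

def common_trailing_zero_bits(samples):
    """Number of low-order bits that are zero in every sample."""
    seen = 0
    for kc in samples:
        seen |= kc                      # a bit stays 0 only if no sample sets it
    if seen == 0:
        return KC_BITS
    return (seen & -seen).bit_length() - 1

def assess_sim(hex_samples, min_samples=4):
    """Estimate the effective Kc length from Kc values of one SIM.

    chance_log2 is log2 of the probability that a SIM producing full
    64-bit keys would show this many common zero bits by accident.
    """
    if len(hex_samples) < min_samples:
        raise ValueError("too few samples to tell padding from chance")
    samples = [parse_kc(h) for h in hex_samples]
    zeros = common_trailing_zero_bits(samples)
    return {
        "samples": len(samples),
        "zero_low_bits": zeros,
        "effective_bits": KC_BITS - zeros,
        "chance_log2": -zeros * len(samples),
    }

# Constructed sample data (not real keys): two hypothetical SIMs.
SIM_A = ["4F2A9C17E03B5400", "91D0337AB6C2E800",
         "0B7E55A1C4F90C00", "D3186F02997A4400"]
SIM_B = ["4F2A9C17E03B54A7", "91D0337AB6C2E81D",
         "0B7E55A1C4F90C62", "D3186F02997A44F0"]

if __name__ == "__main__":
    for name, data in (("SIM_A", SIM_A), ("SIM_B", SIM_B)):
        print(name, assess_sim(data))
```

Several samples per SIM are needed because a single full-strength Kc ends in 10 zero bits with probability 2^-10; with four samples the same coincidence drops to 2^-40.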