8 Mar
2011
8 Mar
'11
3:28 p.m.
Actually comp128-2 has a 54bit Kc it seems.
246tnt(a)gmail.comschreef:
On a related
note, does anyone have any SIMs for sale, implementing
A3/A8 with COMP128-2, still to be provisioned with its Ki or already
provisioned with a known Ki?
Comp128v2 ?
I don't think so ...
All the cards we have use COMP128 v1, the spec for v2 have not been leaked
(yet ?).
For those, you best bet is ebay, search for "super sim" / 16-in-1 / "magic
sim" things like that.
Dealextreme also has some.
If you need more quantity, you can often contact those vendor directly and
they'll be happy to send you a bunch.
I myself bought a lot directly emailing the guys at magicsim.com
Cheers,
Sylvain 
8 Mar
8 Mar
4:31 p.m.
New subject: SIM-Max Tech's Super-SIM
On Tue, Mar 8, 2011 at 3:28 PM, Henk <henk.vergonet(a)gmail.com> wrote:
Actually comp128-2 has a 54bit Kc it seems.
Have you observed a COMP128-2 implementation returning a 54bit long
Kc?, or have you heard about this from somebody else?
Can you please disclose more about the SIM model and the operator
running this A3/A8 implementation?
One more weakened key derivation function (after the first version)
would be interesting per se. Still, it would be even more interesting
to give a closer look at this obscure cipher we carry in our
pockets...
A programmable SIM with COMP128v2 would be valuable for a project I'd
like to contribute.
Cheers,
alfonso
246tnt(a)gmail.comschreef:
--
On a
related note, does anyone have any SIMs for sale, implementing
A3/A8 with COMP128-2, still to be provisioned with its Ki or already
provisioned with a known Ki?
Comp128v2 ?
I don't think so ...
All the cards we have use COMP128 v1, the spec for v2 have not been leaked
(yet ?).
For those, you best bet is ebay, search for "super sim" / 16-in-1 / "magic
sim" things like that.
Dealextreme also has some.
If you need more quantity, you can often contact those vendor directly and
they'll be happy to send you a bunch.
I myself bought a lot directly emailing the guys at magicsim.com
Cheers,
Sylvain 
6:01 p.m.
New subject: SIM-Max Tech's Super-SIM
On Tue, 8 Mar 2011 16:31:47 +0100, Alfonso De Gregorio wrote:
Interesting question, how do we know if it's comp128-2 what is being
used by a specific operator?
They can use whatever algo they want - or their equipment vendor
provides
- in their sims and auth infrastructure producing deliberately weakened
Kcs.
Actually
comp128-2 has a 54bit Kc it seems.
Have you observed a COMP128-2 implementation returning a 54bit long
Kc?, or have you heard about this from somebody else?
Can you please disclose more about the SIM model and the operator
running this A3/A8 implementation?
One more weakened key derivation function (after the first version)
would be interesting per se. Still, it would be even more interesting
to give a closer look at this obscure cipher we carry in our
pockets...
No question, there still are given out sims weakening the anyway broken
a5/1.
Interestingly I observed that operators have mixed occurrence of weak
for
one and non-weak Kcs for another sim.
Another possibility is that they are able to determine that for all
sims
by choice of the RAND the network sends. So some people, contract-wise,
phone-wise or regions could be easier tapped than others.
But it's just speculation...
The most promising approach after (really) good cryptologists looking
at
in- and output is to open up and grinding down a sim chip and taking
pictures to reconstruct its logic, as it has been done with mifare etc.
Aren't there people reading this who are experienced in the latter?
Regards,
Mad
8:09 p.m.
New subject: SIM-Max Tech's Super-SIM
On Tue, Mar 8, 2011 at 6:01 PM, Mad <mad(a)auth.se> wrote:
Some alternatives exist to the approaches outlined above. But we would
need a programmable smart card with support for COMP128-v2.
I've found online some resellers and integrators I'd love to inquire.
I'll do it, when I have time.
Cheers,
alfonso
--
Alfonso De Gregorio
BeeWise - Security Event Futures - http://beewise.org/
On Tue, 8 Mar 2011 16:31:47 +0100, Alfonso De Gregorio
wrote:
Interesting question, how do we know if it's comp128-2 what is being
used by a specific operator?
You need to gain access to EFkey. In theory access to this file should
be forbidden. Yet, it already happened in the past to observe failures
in the way the access control mechanism have been engineered - I'd
love to have with me a link to a research about this, but I'm on the
move and can't find it at the moment.
With the card provisioning, operators store in EFkey: the
authentication algorithm identifier, the key value, a key mask, and an
integrity checksum.
The file format is defined by the manufacturer and varies from model to model.
Looking to the GemXplore 3G reference manual is possible to know that
Gemalto assigns the following algorithm identifiers:
COMP128_V1 0x0040
COMP128_V2 0x00F8
COMP128_V3 0x0044
and stores the EFKey quantities according to the following format:
byte# description
1-2 Algo ID of the algorithm to use
3-18 Key value
19-34 Key mask value
35-36 Integrity checksum =( SUM(byte 1… byte 34) XOR FF)(*)
Access to Ki, via other means, would not be sufficient to distinguish
(by keying a reference implementation) between v2 and v3 of COMP128,
unless the SIM card support only one of them. All other authentication
algorithm in use on second generation networks are public or leaked in
the past, namely: COMP128, Milenage 2G, CAVE, DES, 3DES, XOR.
Actually comp128-2 has a 54bit Kc it seems.
Have you observed a COMP128-2 implementation returning a 54bit long
Kc?, or have you heard about this from somebody else?
Can you please disclose more about the SIM model and the operator
running this A3/A8 implementation? They can use whatever algo they want - or their
equipment vendor provides
- in their sims and auth infrastructure producing deliberately weakened
Kcs.
Yes, they can use whatever key derivation they want and deploy in
their SIM cards and core network, indeed. As a matter of fact,
COMP128-v1 itself was not intended to be prescriptive. Telcos were
expected to select their A3/A8 algorithm of choice. Of course they
didn't, as incentives were no incentives to select anything different
from the algorithm considered during the standardization efforts.
One more
weakened key derivation function (after the first version)
would be interesting per se. Still, it would be even more interesting
to give a closer look at this obscure cipher we carry in our
pockets...
No question, there still are given out sims weakening the anyway broken
a5/1.
Interestingly I observed that operators have mixed occurrence of weak for
one and non-weak Kcs for another sim.
Another possibility is that they are able to determine that for all sims
by choice of the RAND the network sends. So some people, contract-wise,
phone-wise or regions could be easier tapped than others.
But it's just speculation...
The most promising approach after (really) good cryptologists looking at
in- and output is to open up and grinding down a sim chip and taking
pictures to reconstruct its logic, as it has been done with mifare etc.
Aren't there people reading this who are experienced in the latter? Regards,
Mad
15 Mar
15 Mar
4:22 p.m.
New subject: SIM-Max Tech's Super-SIM
On Tue, 8 Mar 2011 20:09:55 +0100, Alfonso De Gregorio wrote:
You need to gain access to EFkey. In theory access to this file
should
be forbidden. Yet, it already happened in the past to observe
failures
in the way the access control mechanism have been engineered - I'd
love to have with me a link to a research about this, but I'm on the
move and can't find it at the moment.
That's quite interesting, because from what I knew by now is that you
have
to do a - proprietary but known for some cards - ADM code verify to
read or
write to that file.
Would be nice if you could post this if you get hold of it again or if
you remember some keywords like author or organization etc., so we have
a
chance finding it.
Regards,
Mad
9 Mar
9 Mar
9:38 p.m.
New subject: SIM-Max Tech's Super-SIM
On Tue, Mar 8, 2011 at 4:31 PM, Alfonso De Gregorio wrote:
On Tue, Mar 8, 2011 at 3:28 PM, Henk wrote:
I found it in a some vendor related 3G spec some while ago, can't
remember which one.
After some googling I found the reference below, which also confirm a
Kc of 54 bits, unfortunately I don't have access to the algorithm.
This seems to indicate a completely new algorithm, some others suggest
its a "patched" version of comp128.
- henk
"Quirke (2004). Security in the GSM system."
...
Implementations of A3, A8
Although the design of the GSM system allows an operator to choose any
algorithm they
like for A3 & A8, many decided on the one that was developed in secret
by the GSM
association, COMP128.
COMP128 eventually ended up in public knowledge due to a combination
of reverse engineering and leaked documents, and serious flaws were
discovered (as discussed below).
Some GSM operators have moved to a newer A3/A8 implementation, COMP128-2, a
completely new algorithm which was also developed in secret. This
algorithm for now
seems to have addressed the faults of the COMP128 algorithm, although
since it has yet
to come under public scrutiny it may potentially be discovered via
reverse-engineering
and any possible flaws could be learned.
Finally, the COMP128-3 algorithm can also be used, it is simply the COMP128-2
algorithm, however all 64-bits of the Kc are generated, allowing
maximal possible
strength from the A5 ciphering algorithm (COMP128-2 still sets the 10
rightmost bits of
the Kc to 0), deliberately weakening the A5 ciphering.
…
Actually comp128-2 has a 54bit Kc it seems.
Have you observed a COMP128-2 implementation returning a 54bit long
Kc?, or have you heard about this from somebody else?
Can you please disclose more about the SIM model and the operator
running this A3/A8 implementation?
9:53 p.m.
New subject: SIM-Max Tech's Super-SIM
On Wed, Mar 9, 2011 at 9:38 PM, Henk <henk.vergonet(a)gmail.com> wrote:
On Tue, Mar 8, 2011 at 4:31 PM, Alfonso De Gregorio
wrote:
Thanks for the reference below. I didn't figured out before 10bits are
stuck at zero also with the v2 of COMP128.
Cheers,
alfonso
On Tue, Mar 8, 2011 at 3:28 PM, Henk wrote:
I found it in a some vendor related 3G spec some while ago, can't
remember which one.
After some googling I found the reference below, which also confirm a
Kc of 54 bits, unfortunately I don't have access to the algorithm.
This seems to indicate a completely new algorithm, some others suggest
its a "patched" version of comp128.
- henk Actually comp128-2 has a 54bit Kc it seems.
Have you observed a COMP128-2 implementation returning a 54bit long
Kc?, or have you heard about this from somebody else?
Can you please disclose more about the SIM model and the operator
running this A3/A8 implementation?
"Quirke (2004). Security in the GSM
system."
...
Implementations of A3, A8
Although the design of the GSM system allows an operator to choose any
algorithm they
like for A3 & A8, many decided on the one that was developed in secret
by the GSM
association, COMP128.
COMP128 eventually ended up in public knowledge due to a combination
of reverse engineering and leaked documents, and serious flaws were
discovered (as discussed below).
Some GSM operators have moved to a newer A3/A8 implementation, COMP128-2, a
completely new algorithm which was also developed in secret. This
algorithm for now
seems to have addressed the faults of the COMP128 algorithm, although
since it has yet
to come under public scrutiny it may potentially be discovered via
reverse-engineering
and any possible flaws could be learned.
Finally, the COMP128-3 algorithm can also be used, it is simply the COMP128-2
algorithm, however all 64-bits of the Kc are generated, allowing
maximal possible
strength from the A5 ciphering algorithm (COMP128-2 still sets the 10
rightmost bits of
the Kc to 0), deliberately weakening the A5 ciphering.
…
--
Alfonso De Gregorio
BeeWise - Security Event Futures - http://beewise.org/
5230
days inactive
5231
days old
baseband-devel@lists.osmocom.org
6 comments
3 participants
participants (3)
-
Alfonso De Gregorio -
Henk -
Mad