Actually comp128-2 has a 54bit Kc it seems.
246tnt@gmail.comschreef:
On a related note, does anyone have any SIMs for sale, implementing A3/A8 with COMP128-2, still to be provisioned with its Ki or already provisioned with a known Ki?
Comp128v2 ? I don't think so ...
All the cards we have use COMP128 v1, the spec for v2 have not been leaked (yet ?).
For those, you best bet is ebay, search for "super sim" / 16-in-1 / "magic sim" things like that. Dealextreme also has some.
If you need more quantity, you can often contact those vendor directly and they'll be happy to send you a bunch. I myself bought a lot directly emailing the guys at magicsim.com
Cheers,
Sylvain
On Tue, Mar 8, 2011 at 3:28 PM, Henk henk.vergonet@gmail.com wrote:
Actually comp128-2 has a 54bit Kc it seems.
Have you observed a COMP128-2 implementation returning a 54bit long Kc?, or have you heard about this from somebody else? Can you please disclose more about the SIM model and the operator running this A3/A8 implementation?
One more weakened key derivation function (after the first version) would be interesting per se. Still, it would be even more interesting to give a closer look at this obscure cipher we carry in our pockets...
A programmable SIM with COMP128v2 would be valuable for a project I'd like to contribute.
Cheers,
alfonso
246tnt@gmail.comschreef:
On a related note, does anyone have any SIMs for sale, implementing A3/A8 with COMP128-2, still to be provisioned with its Ki or already provisioned with a known Ki?
Comp128v2 ? I don't think so ...
All the cards we have use COMP128 v1, the spec for v2 have not been leaked (yet ?).
For those, you best bet is ebay, search for "super sim" / 16-in-1 / "magic sim" things like that. Dealextreme also has some.
If you need more quantity, you can often contact those vendor directly and they'll be happy to send you a bunch. I myself bought a lot directly emailing the guys at magicsim.com
Cheers,
Sylvain
--
On Tue, 8 Mar 2011 16:31:47 +0100, Alfonso De Gregorio wrote:
Actually comp128-2 has a 54bit Kc it seems.
Have you observed a COMP128-2 implementation returning a 54bit long Kc?, or have you heard about this from somebody else? Can you please disclose more about the SIM model and the operator running this A3/A8 implementation?
Interesting question, how do we know if it's comp128-2 what is being used by a specific operator? They can use whatever algo they want - or their equipment vendor provides - in their sims and auth infrastructure producing deliberately weakened Kcs.
One more weakened key derivation function (after the first version) would be interesting per se. Still, it would be even more interesting to give a closer look at this obscure cipher we carry in our pockets...
No question, there still are given out sims weakening the anyway broken a5/1. Interestingly I observed that operators have mixed occurrence of weak for one and non-weak Kcs for another sim. Another possibility is that they are able to determine that for all sims by choice of the RAND the network sends. So some people, contract-wise, phone-wise or regions could be easier tapped than others. But it's just speculation...
The most promising approach after (really) good cryptologists looking at in- and output is to open up and grinding down a sim chip and taking pictures to reconstruct its logic, as it has been done with mifare etc. Aren't there people reading this who are experienced in the latter?
Regards, Mad
On Tue, Mar 8, 2011 at 6:01 PM, Mad mad@auth.se wrote:
On Tue, 8 Mar 2011 16:31:47 +0100, Alfonso De Gregorio wrote:
Actually comp128-2 has a 54bit Kc it seems.
Have you observed a COMP128-2 implementation returning a 54bit long Kc?, or have you heard about this from somebody else? Can you please disclose more about the SIM model and the operator running this A3/A8 implementation?
Interesting question, how do we know if it's comp128-2 what is being used by a specific operator?
You need to gain access to EFkey. In theory access to this file should be forbidden. Yet, it already happened in the past to observe failures in the way the access control mechanism have been engineered - I'd love to have with me a link to a research about this, but I'm on the move and can't find it at the moment.
With the card provisioning, operators store in EFkey: the authentication algorithm identifier, the key value, a key mask, and an integrity checksum.
The file format is defined by the manufacturer and varies from model to model.
Looking to the GemXplore 3G reference manual is possible to know that Gemalto assigns the following algorithm identifiers:
COMP128_V1 0x0040 COMP128_V2 0x00F8 COMP128_V3 0x0044
and stores the EFKey quantities according to the following format:
byte# description 1-2 Algo ID of the algorithm to use 3-18 Key value 19-34 Key mask value 35-36 Integrity checksum =( SUM(byte 1… byte 34) XOR FF)(*)
Access to Ki, via other means, would not be sufficient to distinguish (by keying a reference implementation) between v2 and v3 of COMP128, unless the SIM card support only one of them. All other authentication algorithm in use on second generation networks are public or leaked in the past, namely: COMP128, Milenage 2G, CAVE, DES, 3DES, XOR.
They can use whatever algo they want - or their equipment vendor provides
- in their sims and auth infrastructure producing deliberately weakened
Kcs.
Yes, they can use whatever key derivation they want and deploy in their SIM cards and core network, indeed. As a matter of fact, COMP128-v1 itself was not intended to be prescriptive. Telcos were expected to select their A3/A8 algorithm of choice. Of course they didn't, as incentives were no incentives to select anything different from the algorithm considered during the standardization efforts.
One more weakened key derivation function (after the first version) would be interesting per se. Still, it would be even more interesting to give a closer look at this obscure cipher we carry in our pockets...
No question, there still are given out sims weakening the anyway broken a5/1. Interestingly I observed that operators have mixed occurrence of weak for one and non-weak Kcs for another sim. Another possibility is that they are able to determine that for all sims by choice of the RAND the network sends. So some people, contract-wise, phone-wise or regions could be easier tapped than others. But it's just speculation...
The most promising approach after (really) good cryptologists looking at in- and output is to open up and grinding down a sim chip and taking pictures to reconstruct its logic, as it has been done with mifare etc. Aren't there people reading this who are experienced in the latter?
Some alternatives exist to the approaches outlined above. But we would need a programmable smart card with support for COMP128-v2. I've found online some resellers and integrators I'd love to inquire. I'll do it, when I have time.
Regards,
Mad
Cheers,
alfonso
On Tue, 8 Mar 2011 20:09:55 +0100, Alfonso De Gregorio wrote:
You need to gain access to EFkey. In theory access to this file should be forbidden. Yet, it already happened in the past to observe failures in the way the access control mechanism have been engineered - I'd love to have with me a link to a research about this, but I'm on the move and can't find it at the moment.
That's quite interesting, because from what I knew by now is that you have to do a - proprietary but known for some cards - ADM code verify to read or write to that file.
Would be nice if you could post this if you get hold of it again or if you remember some keywords like author or organization etc., so we have a chance finding it.
Regards, Mad
On Tue, Mar 8, 2011 at 4:31 PM, Alfonso De Gregorio wrote:
On Tue, Mar 8, 2011 at 3:28 PM, Henk wrote:
Actually comp128-2 has a 54bit Kc it seems.
Have you observed a COMP128-2 implementation returning a 54bit long Kc?, or have you heard about this from somebody else? Can you please disclose more about the SIM model and the operator running this A3/A8 implementation?
I found it in a some vendor related 3G spec some while ago, can't remember which one.
After some googling I found the reference below, which also confirm a Kc of 54 bits, unfortunately I don't have access to the algorithm. This seems to indicate a completely new algorithm, some others suggest its a "patched" version of comp128.
- henk
"Quirke (2004). Security in the GSM system." ... Implementations of A3, A8
Although the design of the GSM system allows an operator to choose any algorithm they like for A3 & A8, many decided on the one that was developed in secret by the GSM association, COMP128.
COMP128 eventually ended up in public knowledge due to a combination of reverse engineering and leaked documents, and serious flaws were discovered (as discussed below).
Some GSM operators have moved to a newer A3/A8 implementation, COMP128-2, a completely new algorithm which was also developed in secret. This algorithm for now seems to have addressed the faults of the COMP128 algorithm, although since it has yet to come under public scrutiny it may potentially be discovered via reverse-engineering and any possible flaws could be learned.
Finally, the COMP128-3 algorithm can also be used, it is simply the COMP128-2 algorithm, however all 64-bits of the Kc are generated, allowing maximal possible strength from the A5 ciphering algorithm (COMP128-2 still sets the 10 rightmost bits of the Kc to 0), deliberately weakening the A5 ciphering. …
On Wed, Mar 9, 2011 at 9:38 PM, Henk henk.vergonet@gmail.com wrote:
On Tue, Mar 8, 2011 at 4:31 PM, Alfonso De Gregorio wrote:
On Tue, Mar 8, 2011 at 3:28 PM, Henk wrote:
Actually comp128-2 has a 54bit Kc it seems.
Have you observed a COMP128-2 implementation returning a 54bit long Kc?, or have you heard about this from somebody else? Can you please disclose more about the SIM model and the operator running this A3/A8 implementation?
I found it in a some vendor related 3G spec some while ago, can't remember which one.
After some googling I found the reference below, which also confirm a Kc of 54 bits, unfortunately I don't have access to the algorithm. This seems to indicate a completely new algorithm, some others suggest its a "patched" version of comp128.
- henk
Thanks for the reference below. I didn't figured out before 10bits are stuck at zero also with the v2 of COMP128.
Cheers,
alfonso
"Quirke (2004). Security in the GSM system." ... Implementations of A3, A8
Although the design of the GSM system allows an operator to choose any algorithm they like for A3 & A8, many decided on the one that was developed in secret by the GSM association, COMP128.
COMP128 eventually ended up in public knowledge due to a combination of reverse engineering and leaked documents, and serious flaws were discovered (as discussed below).
Some GSM operators have moved to a newer A3/A8 implementation, COMP128-2, a completely new algorithm which was also developed in secret. This algorithm for now seems to have addressed the faults of the COMP128 algorithm, although since it has yet to come under public scrutiny it may potentially be discovered via reverse-engineering and any possible flaws could be learned.
Finally, the COMP128-3 algorithm can also be used, it is simply the COMP128-2 algorithm, however all 64-bits of the Kc are generated, allowing maximal possible strength from the A5 ciphering algorithm (COMP128-2 still sets the 10 rightmost bits of the Kc to 0), deliberately weakening the A5 ciphering. …
baseband-devel@lists.osmocom.org
-
Alfonso De Gregorio -
Henk -
Mad