This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/OpenBSC@lists.osmocom.org/.
Dieter Spaar spaar at mirider.augusta.de

Hello,

I did a few tests with Authentication and Encryption. It's just a quick hack and nothing which can be integrated into OpenBSC in a clean way, but the process was rather straightforward:

- For my tests I used the location update request.
- I sent the AUTHENTICATION REQUEST to the MS.
- When I received the AUTHENTICATION RESPONSE from the MS, I compared SRES with the expected value. If the expected value was received, I send the ENCRYPTION COMMAND with Kc to the BTS. If the wrong SRES was received, I send an AUTHENTICATION REJECT to the MS.
- The BTS will now send the CIPHERING MODE COMMAND to the MS and activate encryption.
- The CIPHERING MODE COMPLETE command from the MS will already be received encrypted.

I have not recorded the RF traffic to check if encryption is really enabled. But the Nokia Netmonitor indicated encryption; additionally, if I send the wrong Kc in the ENCRYPTION COMMAND, the location update does not complete.

I have not tested speech traffic yet, but it most certainly works the same way.

One thing which might be interesting is how to get SRES and Kc, because the A3/A8 algorithm on the SIM is usually not known. There are a few ways to do it:

- One could record a few results from a SIM and only send RAND values where the pre-recorded results are known.
- The SIM communication could be intercepted (for example with a device like the "Turbo Lite" from www.bladox.com) and if the APDU for authentication is sent, one can run its own A3/A8 algorithm instead of the one from the card.
- If one has a SIM with the broken and known COMP128, it's possible to find Ki so that the authentication response from the card can be calculated.
- Test SIMs (for GSM Test Equipment) have implemented a known A3/A8 algorithm (XOR) and so the authentication response can be calculated.
- One can buy one of those SIM clone cards (they are called Super-SIM, Magic-SIM, 16in1 SIM or similar). They are of not much use for official networks because only a few (if any) providers use COMP128 any more, and this is the algorithm those cards implement (and expect it to be in the card which should be cloned). You can buy such SIM cards rather cheap (around 5 Euro). They usually come with software (Windows) which allows to set the IMSI and Ki for COMP128. So you have a card with a known A3/A8 algorithm (COMP128) and a known Ki.

I used one of those SIM clone cards for my experiments; the SIM worked fine in an older Nokia 3310 (at least for this test). I don't know how well it will work in other phones, but for this rather low price it's probably worth a try.

Best regards,

Dieter

--
Dieter Spaar, Germany
spaar at mirider.augusta.de
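The network-side decision described in the post above (send AUTHENTICATION REQUEST, compare SRES, then either ENCRYPTION COMMAND with Kc to the BTS or AUTHENTICATION REJECT to the MS), modelled in Python as an added example. This is not OpenBSC code and not Dieter's hack; it assumes the first of the approaches he lists, a pool of pre-recorded (RAND, SRES, Kc) triplets per subscriber, and it never challenges with a RAND whose answer it does not hold. The triplet values, the IMSI and the sim_answer() stand-in for the phone are constructed placeholders, not data recorded from any SIM. It also shows two checks a practitioner would want on the MSC side: the SRES comparison is constant-time, and every triplet is consumed once, so a challenge is never replayed.

```python
"""Model of the MSC-side GSM authentication / ciphering decision.

Added example; not OpenBSC code. All key material below is constructed.
"""
import hmac
from dataclasses import dataclass
from typing import Optional

RAND_LEN, SRES_LEN, KC_LEN = 16, 4, 8


@dataclass(frozen=True)
class Triplet:
    """One pre-recorded (RAND, SRES, Kc) result for a subscriber's SIM."""
    rand: bytes   # 16-byte challenge sent in AUTHENTICATION REQUEST
    sres: bytes   # 4-byte A3 output expected in AUTHENTICATION RESPONSE
    kc: bytes     # 8-byte A8 output handed to the BTS in ENCRYPTION COMMAND

    def __post_init__(self):
        if (len(self.rand), len(self.sres), len(self.kc)) != (RAND_LEN, SRES_LEN, KC_LEN):
            raise ValueError("malformed triplet")


@dataclass
class Subscriber:
    imsi: str
    triplets: list                       # unused pre-recorded triplets, oldest first
    pending: Optional[Triplet] = None    # challenge currently outstanding
    ciphering: bool = False


def authentication_request(sub):
    """Pick an unused triplet and build the AUTHENTICATION REQUEST.

    Returns None when no recorded triplet is left, so the MSC never sends a
    RAND whose SRES/Kc it does not know and cannot verify."""
    if sub.pending is not None:
        raise RuntimeError("authentication already in progress")
    if not sub.triplets:
        return None
    sub.pending = sub.triplets.pop(0)    # consumed: this RAND is never replayed
    return {"msg": "AUTHENTICATION REQUEST", "rand": sub.pending.rand}


def authentication_response(sub, sres):
    """Check the SRES returned by the MS.

    On a match the Kc goes to the BTS in an ENCRYPTION COMMAND (the BTS then
    issues CIPHERING MODE COMMAND to the MS); on a mismatch the MS gets an
    AUTHENTICATION REJECT. The outstanding challenge is cleared either way."""
    if sub.pending is None:
        return {"msg": "AUTHENTICATION REJECT", "reason": "no challenge outstanding"}
    expected, sub.pending = sub.pending, None
    # constant-time compare so timing does not leak how many SRES bytes matched
    if len(sres) == SRES_LEN and hmac.compare_digest(sres, expected.sres):
        sub.ciphering = True
        return {"msg": "ENCRYPTION COMMAND", "kc": expected.kc}
    return {"msg": "AUTHENTICATION REJECT"}


# Constructed placeholder triplets (not values recorded from a real SIM).
RECORDED = [
    Triplet(bytes.fromhex("00112233445566778899aabbccddeeff"),
            bytes.fromhex("11223344"), bytes.fromhex("0102030405060708")),
    Triplet(bytes.fromhex("ffeeddccbbaa99887766554433221100"),
            bytes.fromhex("aabbccdd"), bytes.fromhex("0807060504030201")),
]


def sim_answer(rand):
    """Stand-in for the MS/SIM so the exchange runs offline.

    A real SIM runs A3 on its Ki; this stub just looks the challenge up in
    the same recorded table and answers zeros for an unknown RAND."""
    for t in RECORDED:
        if t.rand == rand:
            return t.sres
    return bytes(SRES_LEN)


def run_location_update(sub, ms_answer=sim_answer):
    """Drive one location-update authentication and return the transcript."""
    req = authentication_request(sub)
    if req is None:
        return [{"msg": "NO TRIPLET AVAILABLE"}]
    sres = ms_answer(req["rand"])
    return [req,
            {"msg": "AUTHENTICATION RESPONSE", "sres": sres},
            authentication_response(sub, sres)]


if __name__ == "__main__":
    sub = Subscriber("001010000000001", list(RECORDED))   # constructed test IMSI
    for step in run_location_update(sub):
        print(step["msg"], {k: v.hex() for k, v in step.items() if isinstance(v, bytes)})
```

Running the block prints the three-message exchange for the good case. The second subscriber in the test below answers with a wrong SRES and is rejected without ever enabling ciphering, which is the behaviour the post describes for a wrong response; the wrong-Kc case (ciphering enabled but the location update failing) happens on the radio side and is not modelled here.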