Confidentiality in GSM


Confidentiality in the GSM system generally concerns the secure transmission of the voice and text services the system offers. For this the system relies heavily on the encryption and decryption algorithm designed for it. The A5 algorithm is responsible for encrypting and decrypting voice and text services. A5 is a cipher that has undergone radical alterations from time to time, i.e. A5/1, A5/2 and A5/3. More specifically, the most widely used algorithm for secure transmission of voice and text is A5/1 [1]. However, eavesdropping is still an existing threat. Eavesdropping includes listening to voice and text over the air interface in order to carry out active and passive attacks. Eavesdropping on the confidentiality algorithm is generally accomplished by collecting the ciphertext stream along with the associated plaintext stream over the air interface. In order to do this the attacker first needs to make a call to the victim MS. The next step the attacker follows is to record the RAND (one of the entities used in the challenge-response protocol of the authentication algorithm), which is used to set up the cipher key Kc. The attacker also records the other parameters, i.e. the ciphertext stream exchanged between MS and BTS and the corresponding frame numbers on uplink and downlink [2]. Recording is generally accomplished by performing traffic analysis. Since the legitimate call was made by the attacker to the victim MS, it is easy for the attacker to record the unencrypted plaintext. After collecting the ciphertext the attacker recovers the pseudorandom bits of the corresponding frame and eventually recovers the full BLOCK stream associated with that RAND [2]

Where CFN is the ciphertext block produced in the uplink and MFN is the message associated with the corresponding frame number


Consequences of eavesdropping

1. Alteration of text messages sent over the radio link:

After collecting the unencrypted plaintext, the ciphertext exchanged between MS and BTS and the corresponding frame numbers, it is easy for an eavesdropper to recover the BLOCK associated with the RAND as described above. It is true that whenever the user sends an SMS it is encrypted with the corresponding cipher key Kc. However, in this case an eavesdropper is able to decrypt the message sent over the air interface with the help of the parameters he has collected [2]. By then an attacker can modify the message. Moreover, the system does not offer any provision for a MAC value or hash function that would let the user be sure that the message has not been tampered with in the middle by an intruder. Hence alteration or modification of messages is still an existing threat for the system

2. Spoofing of messages

With a general idea of a captured BLOCK value an eavesdropper can modify any SMS arriving from any address and then send it on to any MS. The MS then decrypts the message and trusts that it arrived from a legitimate source [2]
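The two points above both rest on one property: A5/1 is a stream cipher, so a frame is encrypted by XORing it with a keystream block, and without a MAC the receiver cannot tell a modified ciphertext from a genuine one. The following Python example is added here for illustration and is not code from the essay or from any GSM specification; it uses a hash-based stand-in keystream in place of A5/1 (an assumption, labelled in the code), shows the keystream-recovery identity the essay describes (BLOCK = ciphertext XOR known plaintext), shows that flipping bits of the ciphertext flips the same bits of the decrypted SMS without any error, and then shows that an encrypt-then-MAC construction (HMAC-SHA256 over frame number and ciphertext, again an assumption) lets the receiver reject the same modification.

```python
import hashlib
import hmac
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (the stream-cipher operation)."""
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(kc: bytes, frame_number: int, length: int) -> bytes:
    """Constructed stand-in for A5/1 keystream generation (NOT the real algorithm):
    derives a pseudorandom block for one frame from the cipher key Kc and the frame number."""
    out = b""
    counter = 0
    while len(out) < length:
        block = kc + frame_number.to_bytes(4, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


def encrypt_frame(kc: bytes, frame_number: int, data: bytes) -> bytes:
    """Encrypt (or decrypt: XOR is its own inverse) one frame of data."""
    return xor_bytes(data, keystream(kc, frame_number, len(data)))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """The identity the essay relies on: BLOCK = CFN XOR MFN for a frame whose plaintext is known."""
    return xor_bytes(ciphertext, known_plaintext)


def protect(kc: bytes, mac_key: bytes, frame_number: int, plaintext: bytes):
    """Encrypt-then-MAC: the tag binds the ciphertext to its frame number (an addition GSM lacks)."""
    ciphertext = encrypt_frame(kc, frame_number, plaintext)
    tag = hmac.new(mac_key, frame_number.to_bytes(4, "big") + ciphertext, hashlib.sha256).digest()
    return ciphertext, tag


def verify_and_decrypt(kc: bytes, mac_key: bytes, frame_number: int, ciphertext: bytes, tag: bytes):
    """Return the plaintext only if the tag verifies; None signals tampering."""
    expected = hmac.new(mac_key, frame_number.to_bytes(4, "big") + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return encrypt_frame(kc, frame_number, ciphertext)


def tamper_demo():
    """Compare how an unprotected and a MAC-protected frame react to the same bit flips."""
    kc = os.urandom(8)        # Kc is 64 bits in GSM; the value here is constructed at random
    mac_key = os.urandom(32)  # integrity key for the hardened variant (constructed)
    frame = 0x2A5F            # constructed frame number
    original = b"TRANSFER 100 TO ALICE"
    modified = b"TRANSFER 999 TO ALICE"   # same length: a stream cipher preserves length

    ct = encrypt_frame(kc, frame, original)
    # Knowing the plaintext of this frame gives back the keystream block exactly.
    keystream_matches = recover_keystream(ct, original) == keystream(kc, frame, len(original))

    # Malleability: XORing a difference into the ciphertext XORs it into the plaintext.
    delta = xor_bytes(original, modified)
    tampered_ct = xor_bytes(ct, delta)
    received_unprotected = encrypt_frame(kc, frame, tampered_ct)   # accepted silently

    # With a MAC the same modification is rejected before any plaintext is released.
    ct2, tag = protect(kc, mac_key, frame, original)
    received_protected = verify_and_decrypt(kc, mac_key, frame, xor_bytes(ct2, delta), tag)
    untouched = verify_and_decrypt(kc, mac_key, frame, ct2, tag)
    return keystream_matches, received_unprotected, received_protected, untouched


if __name__ == "__main__":
    print(tamper_demo())
```

The point for a defender is the last two return values: integrity protection is what separates "the receiver got garbage" from "the receiver got a message the sender never wrote", and it must cover the frame number as well as the ciphertext, otherwise a valid frame could be replayed in a different position.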


This type of threat generally occurs when an intruder jams the network traffic and prevents the user or the network from accessing any data [13]. The malicious user may request a channel and the system accepts the channel request; the malicious user may then repeat this step over and over, thereby hogging channels from legitimate users, since the number of channels available in the system is limited. This is generally the case associated with a DoS attack

Blocking resources

This is generally done by overloading the service, whereby the attacker prevents users from accessing the services offered by the system [13]. Overloading is generally done by excessive use of resources, for example excessive channel requests or excessive use of services like SMS, voice etc. Furthermore, an attacker can send null data on the same frequency as the BTS, which as a result can cause resource blocking for the user. Again, an attacker may send a fake IMSI detach request to the network [12]. The net result is that the user does not receive any network paging requests [12].

Levity in profession:

Levity in profession refers to a lack of seriousness in the profession, thereby violating the legal obligations of an organisation. Sometimes a GSM service provider or mobile operator may go beyond their limits in order to obtain unauthorised access to data, thereby causing a possible violation of security services [13]. For example an operator can track, block and identify the location of a user without the user's knowledge, thereby violating the user's privacy policy

Threats to authentication


Authentication as performed in the GSM system is one-sided. The network presents a challenge-response protocol in order to authenticate the user; however, there is no provision for the user to authenticate the network [4]. This gives an attacker the opportunity to impersonate a network, thereby eavesdropping on the information sent by the victim MS over the air interface. More precisely, the possibility of a false BTS helps an eavesdropper to extract the secret key Ki on which the authentication algorithm depends. This is generally done by supplying a challenge to the victim MS, then recording the response and finally applying a cryptanalytic attack [3]. After capturing the secret key Ki the eavesdropper is as good as having physical access to the SIM, and can thereby impersonate a legitimate user to the network


Again, due to the lack of mutual authentication there is a chance for an attacker to impersonate a legitimate network to the user. Furthermore, after capturing the victim's secret key Ki used for authentication, the attacker can impersonate a legitimate user to the network. Therefore two cases of impersonation are generally found in the system

Impersonating a legitimate network to the user

This kind of threat exists in the system due to a flaw in the design of the authentication algorithm, i.e. one-way authentication. In order to exploit it the attacker first captures the victim MS. In the next step the attacker forces the user onto the fake BTS's BCCH by supplying a higher power level than that of the original BTS
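The root cause named in the preceding paragraphs is that the MS answers any RAND it is given, so a false BTS needs no knowledge of Ki to be accepted as "the network" and to collect challenge-response pairs. The Python example below is added to illustrate that design flaw and one way to close it; it is not code from the essay and the A3/A8 functions are replaced by an HMAC-based stand-in (an assumption, labelled in the code). The one-sided variant models the GSM exchange described above. The mutual variant adds a network token (a MAC over RAND and a sequence number, here called AUTN as a hypothetical name; the idea resembles the approach later standardised in 3G AKA, which the essay does not discuss) that the MS verifies before it responds, so a challenger without Ki, or a replay of an old challenge, gets no answer.

```python
import hashlib
import hmac
import os


def a3_a8(ki: bytes, rand: bytes):
    """Constructed stand-in for the SIM's A3/A8 functions (NOT the real algorithms).
    Returns (SRES, Kc): a 32-bit response and a 64-bit cipher key derived from Ki and RAND."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


def network_token(ki: bytes, rand: bytes, sqn: int) -> bytes:
    """Hypothetical AUTN: proof that the challenger knows Ki, bound to RAND and a sequence number."""
    msg = b"AUTN" + rand + sqn.to_bytes(6, "big")
    return hmac.new(ki, msg, hashlib.sha256).digest()[:8]


class MobileStation:
    def __init__(self, ki: bytes):
        self.ki = ki
        self.last_sqn = -1   # highest sequence number accepted so far (replay protection)

    def respond_one_sided(self, rand: bytes) -> bytes:
        """GSM-style: answer any challenge; the MS has no way to tell who sent it."""
        sres, _kc = a3_a8(self.ki, rand)
        return sres

    def respond_mutual(self, rand: bytes, sqn: int, autn: bytes):
        """Answer only challenges that carry a valid and fresh network token; None otherwise."""
        expected = network_token(self.ki, rand, sqn)
        if not hmac.compare_digest(expected, autn) or sqn <= self.last_sqn:
            return None
        self.last_sqn = sqn
        sres, _kc = a3_a8(self.ki, rand)
        return sres


class HomeNetwork:
    """Holds the subscriber's Ki (as the AuC does) and issues challenges."""

    def __init__(self, ki: bytes):
        self.ki = ki
        self.sqn = 0

    def challenge(self):
        self.sqn += 1
        rand = os.urandom(16)   # 128-bit RAND, constructed at random
        return rand, self.sqn, network_token(self.ki, rand, self.sqn)

    def check(self, rand: bytes, sres) -> bool:
        return sres is not None and hmac.compare_digest(a3_a8(self.ki, rand)[0], sres)


def run_scenarios() -> dict:
    """Run a genuine network, a false BTS without Ki, and a replayed challenge against both variants."""
    ki = os.urandom(16)              # subscriber key, constructed; never leaves SIM/AuC
    ms = MobileStation(ki)
    home = HomeNetwork(ki)

    rand, sqn, autn = home.challenge()
    result = {
        "legit_one_sided": home.check(rand, ms.respond_one_sided(rand)),
        "legit_mutual": home.check(rand, ms.respond_mutual(rand, sqn, autn)),
    }

    # A false BTS knows no Ki, so it can only pick a RAND and guess a token.
    fake_rand = os.urandom(16)
    fake_autn = os.urandom(8)
    result["false_bts_answered_one_sided"] = ms.respond_one_sided(fake_rand) is not None
    result["false_bts_answered_mutual"] = ms.respond_mutual(fake_rand, sqn + 1, fake_autn) is not None

    # Replaying a genuine earlier challenge is refused by the sequence-number check.
    result["replay_answered_mutual"] = ms.respond_mutual(rand, sqn, autn) is not None
    return result


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The one-sided variant still works for the genuine network, which is exactly why the flaw is easy to miss in functional testing: nothing fails until the challenger is not who the MS assumes it is.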

Consequences of impersonating a network to the user

Hijacking of incoming and outgoing calls

With sufficient base station functionality, and after capturing the victim MS, it is easy for an attacker to hijack both incoming and outgoing calls. Hijacking of incoming and outgoing calls can be done either with encryption enabled or by disabling the encryption. In the former case the attacker makes an attempt to suppress the encryption by modifying the message in which the MS informs the legitimate network about its ciphering mode [12]. In the latter case

References

[1] http://url=http://&authDecision=-203

[2] Sarvar Patel (Lucent Technologies Inc), "Eavesdropping without breaking the GSM encryption algorithm", 3GPP TSG SA WG3 Security, SA3 #33, S3-040360, Beijing, China, 10-14 May 2004