Misplaced Pages

COMP128: Difference between revisions

Article snapshot taken from Wikipedia with creative commons attribution-sharealike license. Give it a read and then ask your questions in the chat. We can research this topic together.
Browse history interactively← Previous editContent deleted Content addedVisualWikitext
Revision as of 10:43, 15 May 2012 editStfg (talk | contribs)Extended confirmed users19,656 edits tagged as {{Rough translation}}; one can only copy edit material that makes basic sense; this doesn't← Previous edit Latest revision as of 17:51, 19 February 2021 edit undoComp.arch (talk | contribs)Extended confirmed users40,318 editsmNo edit summaryTag: 2017 wikitext editor 
(48 intermediate revisions by 22 users not shown)
Line 1: Line 1:
{{short description|Implementations of the A3 and A8 functions of the GSM standard}}
{{Rough translation|German|Deutsch}}
{{multiple issues|
'''COMP128''' is an implementation of ] network-specified algorithms A3 and A8. A3 is the ] of the mobile station on the network or AuC (Authentication Center). A8 is used a ] for the ] transmission between the mobile station and the ].
{{more citations needed|date=April 2019}}
{{unreliable sources|date=April 2019}}
{{external links|date=April 2019}}
}}
The '''COMP128''' algorithms are implementations of the A3 and A8 functions defined in the ] standard. A3 is used to ] the mobile station to the network. A8 is used to generate the ] used by A5 to encrypt the data transmitted between the mobile station and the ].


There are three versions of COMP128. They were originally confidential. A partial description of the first version was leaked in 1997 and completed via ]. This led to a full publication in 1998.<ref name="code" /> The second and third versions were obtained via reverse engineering of software which verifies SIM cards compliance.<ref name="comp128v3" />
Technical details of the originally confidential algorithm arrived in 1998 by implementing ] to the public.


==Introduction==
COMP128 works with nine rounds. The central core of the ] is a ]. This hash function provides a 128-bit hash value for 256-bit input. It is based on a butterfly structure. The output of the algorithm contains the authentication used for the response and the session key for the A5 stream cipher, which is used to encrypt the language transfer.
For details on the way A3 and A8 are used see ].


A3 and A8 both take a 128-bit key (''K<sub>i</sub>'') and a 128-bit ] (''RAND'') as inputs. A3 produces a 32-bit response (''SRES'') and A8 produces a 64-bit session key (''K<sub>c</sub>''). A3/A8 is the combined function with ''K<sub>i</sub>'' and ''RAND'' as inputs and ''SRES'' and ''K<sub>c</sub>'' as outputs.
==Pseudocode==
Let X, the 32-byte entry of the hash function, with K: = X the key goal of the SIM card and X sent by the station Challenge. are still , the tables T0, T1, T2 , T3 and T4 the secret permuted. Then passes through the first input 8 times the following compression (according to , see Related links):
For i=0 to 4 do:
For j=0 to 2<sup>i</sup>-1 do:
For k=0 to 2<sup>4-i</sup>-1 do:
s = k + j*2<sup>5-i</sup>
t = s + 2<sup>4-i</sup>
x = (X + 2X) mod 2<sup>9-i</sup>)
y = (2X + X) mod 2<sup>9-i</sup>)
X = Ti
X = Ti


As A3 and A8 are not further specified, operators can freely choose the concrete algorithms used for A3 and A8.
After each permutation, the 16 bytes of output in X and K are stored in X.


==COMP128 algorithms==
==Security==
The COMP128 algorithms implement the A3/A8 function. There are three of them:
COMP128 is considered unsafe because small changes in the hash input are not sufficiently dispersed. Due to the ], the system can be exploited to, for example, extract the ] card's key.


* COMP128-1 – original algorithm with known weaknesses
== External links ==
* COMP128-2 – stronger algorithm which still clears the 10 rightmost bits of ''K<sub>c</sub>''
* (PDF-Datei; 8,17 MB)
* COMP128-3 – same algorithm as COMP128-2 with all 64 bits of ''K<sub>c</sub>'' generated
*
* ''Reducing the Collision Probability of Alleged Comp128'' von H.Handschuh, P.Paillier, Springer-Verlag 2000 (PDF-Datei; 82 kB)
*


All of them are built around a ] with two 128 bits inputs and one 128 bits output, hence their names. ''K<sub>i</sub>'' and ''RAND'' are used as the inputs of the compression function. Bits from its output are then used to fill ''SRES'' and ''K<sub>c</sub>''.


==COMP128-1 description==
COMP128-1 uses a compression function with eight rounds which is based on a butterfly structure with five stages. ''SRES'' is filled with the first 32 bits of the output. ''K<sub>c</sub>'' is filled with the last 54 bits of the output followed by ten zeroes.


For a full description of the algorithm, the reader can view the .


==COMP128-2/3 description==
The implementation of COMP128-2 and COMP128-3 is noticeably more complex than COMP128-1. For a full description of the algorithm, the reader can view the or , both based on the ] from the Secrets of Sim<ref name="comp128v3" /> article. COMP128-2 is identical to COMP128-3 except for the fact that at the end, it clears the 10 rightmost bits of ''K<sub>c</sub>''.


==Security==
The COMP128-1 hash function is considered weak because there is insufficient ] of small changes in the input. Practical attacks have been demonstrated that can recover the subscriber key from the SIM.<ref name="brumley" />


The session keys produced by COMP128-1 and COMP128-2 intentionally have only 54 bits of entropy. This significantly weakens the A5 or A6 encryption.
]


==References==
]
<references>
]
<ref name="brumley">{{Citation |last=Brumley |first=Billy |year=2004 |title=A3/A8 & COMP128 |url=http://www.tcs.hut.fi/Studies/T-79.514/slides/S5.Brumley-comp128.pdf}}</ref>
<ref name="code">{{Citation |last1=Briceno |first1=Marc |last2=Goldberg |first2=Ian |last3=Wagner |first3=David |year=1998 |title=Implementation of COMP128 |archivedate=2009-03-18|archiveurl=https://web.archive.org/web/20090318143444/http://www.scard.org/gsm/a3a8.txt|url=http://www.scard.org/gsm/a3a8.txt}}</ref>
<ref name="comp128v3">{{Citation |last=Tamas |first=Jos |year=2013 |title=Secrets of the SIM |url=http://www.hackingprojects.net/2013/04/secrets-of-sim.html |access-date=2014-12-24 |archive-url=https://web.archive.org/web/20141224034734/http://www.hackingprojects.net/2013/04/secrets-of-sim.html# |archive-date=2014-12-24 |url-status=dead }}</ref>
</references>

==External links==
* {{Citation |last1=Briceno |first1=Marc |last2=Goldberg |first2=Ian |year=1998 |title=GSM Cloning |url=http://www.isaac.cs.berkeley.edu/isaac/gsm-faq.html}}
* {{Citation |last1=Handschuh |first1=Helena |last2=Paillier |first2=Pascal |year=2000 |title=Reducing the Collision Probability of Alleged Comp128 |citeseerx=10.1.1.141.1033}}

]

Latest revision as of 17:51, 19 February 2021

Implementations of the A3 and A8 functions of the GSM standard
This article has multiple issues. Please help improve it or discuss these issues on the talk page. (Learn how and when to remove these messages)
This article needs additional citations for verification. Please help improve this article by adding citations to reliable sources. Unsourced material may be challenged and removed.
Find sources: "COMP128" – news · newspapers · books · scholar · JSTOR (April 2019) (Learn how and when to remove this message)
Some of this article's listed sources may not be reliable. Please help improve this article by looking for better, more reliable sources. Unreliable citations may be challenged and removed. (April 2019) (Learn how and when to remove this message)
This article's use of external links may not follow Misplaced Pages's policies or guidelines. Please improve this article by removing excessive or inappropriate external links, and converting useful links where appropriate into footnote references. (April 2019) (Learn how and when to remove this message)
(Learn how and when to remove this message)

The COMP128 algorithms are implementations of the A3 and A8 functions defined in the GSM standard. A3 is used to authenticate the mobile station to the network. A8 is used to generate the session key used by A5 to encrypt the data transmitted between the mobile station and the BTS.

There are three versions of COMP128. They were originally confidential. A partial description of the first version was leaked in 1997 and completed via reverse engineering. This led to a full publication in 1998. The second and third versions were obtained via reverse engineering of software which verifies SIM cards compliance.

Introduction

For details on the way A3 and A8 are used see Authentication Center.

A3 and A8 both take a 128-bit key (Ki) and a 128-bit challenge (RAND) as inputs. A3 produces a 32-bit response (SRES) and A8 produces a 64-bit session key (Kc). A3/A8 is the combined function with Ki and RAND as inputs and SRES and Kc as outputs.

As A3 and A8 are not further specified, operators can freely choose the concrete algorithms used for A3 and A8.

COMP128 algorithms

The COMP128 algorithms implement the A3/A8 function. There are three of them:

  • COMP128-1 – original algorithm with known weaknesses
  • COMP128-2 – stronger algorithm which still clears the 10 rightmost bits of Kc
  • COMP128-3 – same algorithm as COMP128-2 with all 64 bits of Kc generated

All of them are built around a compression function with two 128 bits inputs and one 128 bits output, hence their names. Ki and RAND are used as the inputs of the compression function. Bits from its output are then used to fill SRES and Kc.

COMP128-1 description

COMP128-1 uses a compression function with eight rounds which is based on a butterfly structure with five stages. SRES is filled with the first 32 bits of the output. Kc is filled with the last 54 bits of the output followed by ten zeroes.

For a full description of the algorithm, the reader can view the OsmocomBB implementation.

COMP128-2/3 description

The implementation of COMP128-2 and COMP128-3 is noticeably more complex than COMP128-1. For a full description of the algorithm, the reader can view the OsmocomBB implementation or FreeRADIUS implementation, both based on the Python code from the Secrets of Sim article. COMP128-2 is identical to COMP128-3 except for the fact that at the end, it clears the 10 rightmost bits of Kc.

Security

The COMP128-1 hash function is considered weak because there is insufficient diffusion of small changes in the input. Practical attacks have been demonstrated that can recover the subscriber key from the SIM.

The session keys produced by COMP128-1 and COMP128-2 intentionally have only 54 bits of entropy. This significantly weakens the A5 or A6 encryption.

References

  1. Briceno, Marc; Goldberg, Ian; Wagner, David (1998), Implementation of COMP128, archived from the original on 2009-03-18
  2. ^ Tamas, Jos (2013), Secrets of the SIM, archived from the original on 2014-12-24, retrieved 2014-12-24
  3. Brumley, Billy (2004), A3/A8 & COMP128 (PDF)

External links

Category: