'''COMP128''' is an implementation of the A3 and A8 algorithms defined in the [[GSM]] standard.

A3 is used to [[authentication|authenticate]] the mobile station to the network. A8 is used to generate the [[session key]] used by the A5 algorithm to encrypt the data transmitted between the mobile station and the [[Base Transceiver Station|BTS]].

The algorithm was originally confidential. A partial description was leaked in 1997 and completed via [[reverse engineering]]. This led to a full publication in 1998.<ref name="code" />

==Introduction==
For details on the way A3 and A8 are used see [[Network_switching_subsystem#Authentication centre (AuC)|Authentication Center]].

A3 and A8 both take a 128-bit key (''K<sub>i</sub>'') and a 128-bit [[Challenge-response authentication|challenge]] (''RAND'') as inputs. A3 produces a 32-bit response (''SRES'') and A8 produces a 64-bit session key (''K<sub>c</sub>'').

COMP128 combines the functionality of A3 and A8. COMP128-1 is built around a compression function with two 128-bit inputs and one 128-bit output. The function has eight rounds and is based on a butterfly structure with five stages.

== COMP128 algorithms ==
Several COMP128 algorithms were designed:

* COMP128-1: first algorithm, with known weaknesses
* COMP128-2: replaced COMP128-1, but still sets the 10 rightmost bits of ''K<sub>c</sub>'' to 0, deliberately weakening the A5 ciphering
* COMP128-3: same as the COMP128-2 algorithm, but all 64 bits of ''K<sub>c</sub>'' are generated
* COMP128-4: based on the [[3GPP]] (3rd Generation Partnership Project) algorithm ("Milenage"), which uses AES

==COMP128-1 Description==
T<sub>0</sub>[512], T<sub>1</sub>[256], T<sub>2</sub>[128], T<sub>3</sub>[64] and T<sub>4</sub>[32] are compression tables.

<code>
 comp128 : ''RAND'', ''K<sub>i</sub>'' -> ''SRES'', ''K<sub>c</sub>''
 {
   x[32]: array of bytes
   bit[128]: array of bits
   m, n, y, z: integers

   x[16..31] := ''RAND''
   for i := 1 to 8
     x[0..15] := ''K<sub>i</sub>''
     for j := 0 to 4
       for k := 0 to 2<sup>j</sup>-1
         for l := 0 to 2<sup>4-j</sup>-1
           m := l + k * 2<sup>5-j</sup>
           n := m + 2<sup>4-j</sup>
           y := (x[m] + 2 * x[n]) mod 2<sup>9-j</sup>
           z := (2 * x[m] + x[n]) mod 2<sup>9-j</sup>
           x[m] := T<sub>j</sub>[y]
           x[n] := T<sub>j</sub>[z]
     for j := 0 to 31
       for k := 0 to 3
         bit[4 * j + k] := x[j]<sup>3-k</sup>
     if i < 8
       for j := 0 to 15
         for k := 0 to 7
           x[j + 16]<sup>7-k</sup> := bit[((8 * j + k) * 17) mod 128]
   ''SRES'' := bit[0..31]
   ''K<sub>c</sub>'' := bit[74..127] <math>\|</math> 0000000000<sub>2</sub>
 }
</code>

==Security==
The COMP128-1 hash function is considered weak because there is insufficient [[Confusion and diffusion|diffusion]] of small changes in the input.

Practical attacks have been demonstrated that can recover the subscriber key from the SIM. Replacement algorithms have since been developed.<ref name="brumley" />

In addition, the session key produced by COMP128 has only 54 bits of entropy. This significantly weakens A5, A6.

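The limited diffusion noted in this section can be read off the butterfly loop of the COMP128-1 pseudocode without knowing the contents of the tables T<sub>0</sub>..T<sub>4</sub>. The following Python analysis is an added example, not part of the original article or of the published reference implementation; the function names are chosen here for illustration. It tracks which of the 32 input bytes (x[0..15] = ''K<sub>i</sub>'', x[16..31] = ''RAND'') can influence each x[] slot after each stage of one round.

```python
# Added example: structural diffusion analysis of the COMP128-1 butterfly.
# Table contents are not needed; only the index pattern (m, n) from the
# pseudocode is used. Inputs 0..15 are key bytes, 16..31 are RAND bytes.

def butterfly_dependencies(levels=5):
    """Per stage j, return for every x[] slot the set of input bytes it depends on."""
    deps = [{i} for i in range(32)]          # before stage 0 each slot is itself
    history = []
    for j in range(levels):
        for k in range(2 ** j):
            for l in range(2 ** (4 - j)):
                m = l + k * 2 ** (5 - j)
                n = m + 2 ** (4 - j)
                # x[m] and x[n] are both replaced by a function of (x[m], x[n])
                merged = deps[m] | deps[n]
                deps[m] = merged
                deps[n] = merged
        history.append([frozenset(d) for d in deps])
    return history

def summarize(history):
    """Per stage: (inputs per slot, key bytes among them, RAND bytes among them)."""
    rows = []
    for stage in history:
        sizes = {len(d) for d in stage}
        assert len(sizes) == 1               # the structure is regular
        d0 = stage[0]
        rows.append((len(d0),
                     sum(i < 16 for i in d0),
                     sum(i >= 16 for i in d0)))
    return rows

if __name__ == "__main__":
    rows = summarize(butterfly_dependencies())
    for j, (total, key_bytes, rand_bytes) in enumerate(rows):
        print(f"after stage j={j}: each byte depends on {total:2d} of 32 inputs "
              f"({key_bytes} key, {rand_bytes} RAND)")
```

Each stage only doubles the number of inputs a byte depends on, so a byte is influenced by all 32 inputs only after the fifth and last stage of a round.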
==References==
<references>
<ref name="brumley">{{Citation |last=Brumley |first=Billy |year=2004 |title=A3/A8 & COMP128 |url=http://www.tcs.hut.fi/Studies/T-79.514/slides/S5.Brumley-comp128.pdf}}</ref>
<ref name="code">{{Citation |last1=Briceno |first1=Marc |last2=Goldberg |first2=Ian |last3=Wagner |first3=David |year=1998 |title=Implementation of COMP128 |archivedate=2009-03-18|archiveurl=http://web.archive.org/web/20090318143444/http://www.scard.org/gsm/a3a8.txt|url=http://www.scard.org/gsm/a3a8.txt}}</ref>
</references>

== External links ==
* {{Citation |last1=Briceno |first1=Marc |last2=Goldberg |first2=Ian |year=1998 |title=GSM Cloning |url=http://www.isaac.cs.berkeley.edu/isaac/gsm-faq.html}}
* {{Citation |last1=Handschuh |first1=Helena |last2=Paillier |first2=Pascal |year=2000 |title=Reducing the Collision Probability of Alleged Comp128 |id={{citeseerx|10.1.1.141.1033}}}}

[[Category:GSM standard]]