Miscellaneous Projects » Mobile (in)Security

[[PageOutline]]

= Withdrawal of A5/2 algorithim support =

After several attacks have been published on breaking the A5/2 encryption algorithm, the specification bodies (ETSI, 3GPP)

and the operator industry (GSMA) have started to phase out A5/2.

As there seems no public document describing this procedure in detail, the page in this wiki was created.

Most of the information has been recovered from the published [http://www.3gpp.org/ftp/Specs/html-info/Meetings-S3.htm 3GPP SA3 WG meeting reports]

== Timeline ==

=== November 2004: 3GPP SA3 Meeting 36 ===

From the official [http://www.3gpp.org/ftp/tsg_sa/WG3_Security/TSGS3_36_Shenzhen/Report/Draft_Rep_v004_SA3_36.pdf report]:

''TD S3-041028 Vodafone comments to S3-040955: Proposed CR to 43.020: Clarifying the support of algorithms

within mobile stations (Rel-6). This was introduced by Vodafone and comprised an update to TD S3-040955. It was

reported that phasing out A5/2 was acceptable for the GSMA Board. The effect on other operators who implement

only A5/2 (if any) was unknown, as they do not participate in the GSM/3GPP standardisation bodies). The CR was

revised in TD S3-041075, which was approved.''

=== July 2007: 3GPP SA3 Meeting 44 ===

From the official [http://www.3gpp.org/ftp/tsg_sa/WG3_Security/TSGS3_44_Tallinn/Report/S3-060772.zip report]:

{{{

Charles Brookson gave a review of GSMA Security Group activities. Progress was being made on the 2006 work items:

-	Withdrawal of A5/2 from GSM handsets and networks

}}}

''It was noted that some manufacturers are reluctant to remove A5/2 from their mobiles as some operators were still using it. The answer was that work is still ongoing to convince operators, mainly from North America, that A5/2 should be removed.''

This means that even by mid-2007, A5/2 was still actively used by operators even in the 1st world!

== Miscellaneous ==

=== The GSMA IR.21 roaming database ===

The GSMA is maintaining a database of GSM roaming operators called IR.21.  It contains information about

the various GSM operators world wide.

The structure of the information is described in 

[http://www.algerietelecom.dz/veilletech/bulletin67/pdf/mobile7.pdf GSM Association Roaming Database, Structure and Updating Procedures].

Interesting bits of information are:

 * Which ciphering algorithms are in use (this should tell us where A5/2 is still in use!)

 * Whether or not ''Authentication performed for roaming subscribers at the commencement of GSM Service''

 * Whether or not ''Authentication performed for roaming subscribers in case of GPRS''

Having access to this database (which is available to all 700+ full GSMA members) would give real insight in

the reality of GSM network security!

=== GSMA PRD SG.15 ===

the [GSMA_Security_Group] has a document called SG.15 which describes best common practises regarding the use

of GSM security features.

Unfortunately we don't have access to that document..

=== Operators reluctant to phase out A5/2 ===

[http://www.3gpp.org/ftp/tsg_sa/WG3_Security/TSGS3_44_Tallinn/Report/S3-060772.zip 3GPP SA3 Meeting Report 44] (July 2006) states:

''It was noted that some manufacturers are reluctant to remove A5/2 from their mobiles as some operators were still using it. The answer was that work is still ongoing to convince operators, mainly from North America, that A5/2 should be removed. ''

Interestingly, not the 3rd world countries were reluctant to switch to A5/1, but American operators ;)