= Withdrawal of A5/2 algorithm support =
After several attacks have been published on breaking the A5/2 encryption algorithm, the specification bodies (ETSI, 3GPP)
and the operator industry (GSMA) have started to phase out A5/2.
As there seems to be no public document describing this procedure in detail, this wiki page was created.
Most of the information has been recovered from the published [http://www.3gpp.org/ftp/Specs/html-info/Meetings-S3.htm 3GPP SA3 WG meeting reports].
== Timeline ==
=== November 2004: 3GPP SA3 Meeting 36 ===
From the official [http://www.3gpp.org/ftp/tsg_sa/WG3_Security/TSGS3_36_Shenzhen/Report/Draft_Rep_v004_SA3_36.pdf report]:
''TD S3-041028 Vodafone comments to S3-040955: Proposed CR to 43.020: Clarifying the support of algorithms
within mobile stations (Rel-6). This was introduced by Vodafone and comprised an update to TD S3-040955. It was
reported that phasing out A5/2 was acceptable for the GSMA Board. The effect on other operators who implement
only A5/2 (if any) was unknown, as they do not participate in the GSM/3GPP standardisation bodies). The CR was
revised in TD S3-041075, which was approved.''
=== April 2006: GSMA Industry Initiative to Withdraw A5/2 Briefing Paper ===
The paper can be found [http://www.3gpp.org/ftp/tsg_sa/WG3_Security/TSGS3_44_Tallinn/Docs/S3-060541.zip here]
=== July 2006: 3GPP SA3 Meeting 44 ===
From the official [http://www.3gpp.org/ftp/tsg_sa/WG3_Security/TSGS3_44_Tallinn/Report/S3-060772.zip report]:
Charles Brookson gave a review of GSMA Security Group activities. Progress was being made on the 2006 work items:
- Withdrawal of A5/2 from GSM handsets and networks
''It was noted that some manufacturers are reluctant to remove A5/2 from their mobiles as some operators were still using it. The answer was that work is still ongoing to convince operators, mainly from North America, that A5/2 should be removed.''
This means that even by mid-2006, 3 years after the attack was published, A5/2 was still actively used by operators even in the 1st world!
=== September 2006: Withdrawal of A5/2 from Handsets deadline ===
The GSMA SG statement regarding the deadline for withdrawal of A5/2 from handsets can be found among the documents of 3GPP TSG SA WG3 meeting 45:
[http://www.3gpp.org/ftp/tsg_sa/wg3_security/TSGS3_45_Ashburn/Docs/S3-060751.zip Withdrawal of A5/2 from Handsets Deadline]
In this document, the GSMA SG
''The successful withdrawal of A5/2 requires terminal manufacturers to remove it from, or disable it in, emerging GSM enabled devices.''
''The risk of operators continuing to demand A5/2 device support stems from the possibility that some operators may not upgrade their networks to support stronger algorithms in a timely manner. The emergence of devices without A5/2 support will mean that encryption will not be possible on networks that have not upgraded their BSS infrastructure to support A5/1 and/or A5/3. However, because of the nature of the attack, and the fact that A5/2 does not offer a higher level of protection than A5/0, it is deemed preferable that these networks run with no encryption rather than use the compromised A5/2 protocol. Therefore, there is no valid reason why operators would continue to insist on A5/2 support in devices - even those that use the algorithm - and that is the key message that GSMA is promoting to its network operator members.''
This is very interesting, as it explicitly states that running without encryption is not considered a problem when operators have not yet upgraded to A5/1 but new devices without A5/2 support are used on their network.
''GSMA and device manufacturer representatives at a meeting in London on 25th July at which support was pledged for the withdrawal of A5/2 by end of this year''
''In GSM Phase 1, terminals were only mandated to support A5/1 and A5/0 (unciphered mode). Therefore in order to support GSM Phase 1 mobiles, A5/2 networks have always had to allow terminals to connect using unciphered mode (A5/0).''
As we can see, some GSMA members apparently prefer to show their customers that their call is not encrypted while they are too lazy to upgrade their networks:
''There were also concerns that non-encrypted calls could give rise to customers being shown non-ciphering indicators on some terminals, causing them alarm. However, operators can turn off this feature using a configuration bit on the SIM/USIM.''
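The fallback described in the GSMA SG statement above can be modelled as a selection over the algorithms a handset advertises and a network supports. The sketch below is an added example, not part of the original page or of any 3GPP specification; the strongest-first preference order and the handset and network profiles are constructed assumptions.

```python
# Added illustration: a simplified model of cipher selection, not spec text.
STRENGTH = ["A5/3", "A5/1", "A5/2"]  # assumed network preference, strongest first

def select_cipher(ms_algos, net_algos, net_allows_unciphered=True):
    """Return the algorithm chosen for one handset on one network.

    ms_algos:  ciphering algorithms the handset advertises
    net_algos: ciphering algorithms the BSS supports and permits
    """
    for algo in STRENGTH:
        if algo in ms_algos and algo in net_algos:
            return algo
    # No common ciphering algorithm: unciphered mode (A5/0) or no service.
    return "A5/0" if net_allows_unciphered else None

# Constructed handset profiles (before and after A5/2 withdrawal).
HANDSETS = {
    "legacy (A5/1 + A5/2)": {"A5/1", "A5/2"},
    "post-withdrawal (A5/1 only)": {"A5/1"},
    "Rel-6 without A5/2 (A5/1 + A5/3)": {"A5/1", "A5/3"},
}
# Constructed network profiles.
NETWORKS = {
    "A5/2-only BSS": {"A5/2"},
    "A5/1 + A5/2 BSS": {"A5/1", "A5/2"},
    "A5/1 + A5/3 BSS": {"A5/1", "A5/3"},
}

def outcome_matrix():
    """Selected algorithm for every handset/network combination."""
    return {(h, n): select_cipher(ms, net)
            for h, ms in HANDSETS.items()
            for n, net in NETWORKS.items()}

def weak_pairs(matrix):
    """Combinations an audit should flag: compromised or absent ciphering."""
    return sorted(k for k, v in matrix.items() if v in ("A5/2", "A5/0"))

if __name__ == "__main__":
    for (h, n), algo in outcome_matrix().items():
        print(f"{h:34} on {n:16} -> {algo}")
```

In this model every flagged combination involves the network that has not upgraded beyond A5/2, which matches the statement's point that the remaining exposure sits with the BSS infrastructure rather than with the new handsets.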
==== Include testing for A5/2 removal in certification ====
''The GSM Association’s Security Group (GSMA SG) fully supports and endorses the work item proposed within GCF to develop test cases to verify the removal of A5/2.''
=== October 2006: 3GPP SA WG3 Meeting 45 ===
Change Requests (S3-060790, S3-060791, S3-060792) regarding the removal of A5/2 from the specification were agreed and sent to SA.
=== February 2007: 3GPP SA WG3 Meeting 46 ===
''5.4 GSMA [...] There is still work ongoing on the removal of A5/2 from mobiles and, indeed, from the networks. First it would appear to convince operators to remove it first.''
=== May 2007: 3GPP SA WG3 Meeting 47 ===
''A5/3 Support ([http://www.3gpp.org/ftp/tsg_sa/WG3_Security/TSGS3_47_Tallinn/Docs/S3-070437.zip S3‑070437] Liaison Statement (from GSMA SG): BSS vendor support for A5/3): The level of support for A5/3, (or the lack of it), was discussed and we approved the attached LS for input to SA WG3. The concern is that A5/3 is not widely supported by BSS vendors and the LS asks SA WG3 to review and update the specifications to ensure a clear deadline for A5/3 support in infrastructure is identified and it also asks SA WG3 represented BSS suppliers to respond to GSMA regarding their current/planned support for A5/3.''
While A5/3 is not required to phase out A5/2, this shows the industry's lack of interest in improving system security.
==== GSMA SG Liaison Statement about vendor support for A5/3 ====
From that Liaison statement:
''SA3 will be aware that the A5/3 specification was first published in May 2002 and initial targets were that the algorithm should be supported in handsets and network infrastructure by end October 2004.''
''The GSM Association’s Security Group (GSMA SG) discussed the level of support for A5/3 at its meeting on 14th and 15th May and we are gravely concerned that there is virtually no support for A5/3 5 years after the algorithm was published. This is despite the fact that an absolute deadline was agreed within 3GPP that Rel-6 compliant handsets are mandated to support A5/3.''
''GSMA SG is seriously concerned that if A5/1 was to succumb to sustained attack no backup algorithm has been widely deployed in handsets and infrastructure and this would have the effect of leaving the industry and mobile users exposed to security threats for an extended period.''
=== July 2007: 3GPP SA WG3 Meeting 48 ===
From the GSMA Liaison report:
''A5/2 removal has now been issued with closure report within the GSMA. Very good progress is being made with operators changing over to A5/1 in their networks. Similarly, mobiles without A5/2 are emerging and the testing regimes have been modified to support this. An internal closure report is available to GSMA members.''
So it seems that in July 2007, ''only'' four years after a serious attack was disclosed, the problem was fixed ;)
== Miscellaneous ==
=== The GSMA IR.21 roaming database ===
The GSMA is maintaining a database of GSM roaming operators called IR.21. It contains information about
the various GSM operators world wide.
The structure of the information is described in
[http://www.algerietelecom.dz/veilletech/bulletin67/pdf/mobile7.pdf GSM Association Roaming Database, Structure and Updating Procedures].
Interesting bits of information are:
 * Which ciphering algorithms are in use (this should tell us where A5/2 is still in use!)
 * Whether or not ''Authentication performed for roaming subscribers at the commencement of GSM Service''
 * Whether or not ''Authentication performed for roaming subscribers in case of GPRS''
Having access to this database (which is available to all 700+ full GSMA members) would give real insight into
the reality of GSM network security!
=== GSMA PRD SG.15 ===
The [GSMA_Security_Group] has a document called SG.15 which describes best common practises regarding the use
of GSM security features.
Unfortunately we don't have access to that document.
=== Operators reluctant to phase out A5/2 ===
[http://www.3gpp.org/ftp/tsg_sa/WG3_Security/TSGS3_44_Tallinn/Report/S3-060772.zip 3GPP SA3 Meeting Report 44] (July 2006) states:
''It was noted that some manufacturers are reluctant to remove A5/2 from their mobiles as some operators were still using it. The answer was that work is still ongoing to convince operators, mainly from North America, that A5/2 should be removed. ''
Interestingly, it was not the 3rd world countries that were reluctant to switch to A5/1, but American operators ;)