A52 Withdrawal » History » Version 7

admin, 02/19/2016 10:52 PM
add link to 2003 paper

1 7 admin
2 1 admin
3 7 admin
h1. Withdrawal of A5/2 algorithim support
6 1 admin
After several attacks have been published on breaking the A5/2 encryption algorithm, the specification bodies (ETSI, 3GPP)
7 5 admin
and the operator industry (GSMA) have started to phase out A5/2.  This has been a lengthy process, taking some four years
from attack publication to all GSM operators having fixed their networks.
9 1 admin
10 5 admin
Four years for incident response is completely unacceptable and a ridiculous time to mitigate such a severe threat against
the confidentiality of personal communication.
13 1 admin
As there seems no public document describing this lengthy procedure in detail, the page in this wiki was created. It also
14 5 admin
touches aspects that are not strictly A5/2 related but related to introducing the A5/3 and A5/4 algorithms.
16 7 admin
Most of the information has been recovered from the published "3GPP SA3 WG meeting reports":
17 5 admin
18 1 admin
As can be seen from the records below, the security working groups in the 3GPP and to a less extent in the GSMA are doing
19 5 admin
what they can.  But the operator and manufacturer industry simply has no intention to provide timely incident response
20 1 admin
and to pro-actively improve security of their mobile networks.
23 7 admin
h2. Timeline
24 1 admin
25 7 admin
h3. August 2003: Crypto 2003: E. Barkan, E. Biham, and N. Keller: Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication
30 1 admin
33 7 admin
h3. November 2004: 3GPP SA3 Meeting 36
34 1 admin
35 7 admin
From the official "report":
_TD S3-041028 Vodafone comments to S3-040955: Proposed CR to 43.020: Clarifying the support of algorithms
39 1 admin
within mobile stations (Rel-6). This was introduced by Vodafone and comprised an update to TD S3-040955. It was
reported that phasing out A5/2 was acceptable for the GSMA Board. The effect on other operators who implement
only A5/2 (if any) was unknown, as they do not participate in the GSM/3GPP standardisation bodies). The CR was
42 7 admin
revised in TD S3-041075, which was approved._
43 1 admin
44 2 admin
45 7 admin
h3. April 2006: GSMA Industry Initiative to Withdraw A5/2 Briefing Paper
46 1 admin
47 2 admin
48 7 admin
The paper can be found "here":
49 1 admin
51 7 admin
h3. July 2006: 3GPP SA3 Meeting 44
From the official "report":
58 2 admin
Charles Brookson gave a review of GSMA Security Group activities. Progress was being made on the 2006 work items:
-	Withdrawal of A5/2 from GSM handsets and networks
60 7 admin
61 1 admin
62 7 admin
_It was noted that some manufacturers are reluctant to remove A5/2 from their mobiles as some operators were still using it. The answer was that work is still ongoing to convince operators, mainly from North America, that A5/2 should be removed._
63 1 admin
This means that even by mid-2006, 3 years after the attack was published, A5/2 was still actively used by operators even in the 1st world!
67 7 admin
h3. September 2006: Withdrawal of A5/2 from Handsets deadline
70 1 admin
The GSMA SG statement regarding the deadline for withdrawal of A5/2 from handsets can be found the 3GPP TSG SA WG3 meeting 45:
71 7 admin
"Withdrawal of A5/2 from Handsets Deadline":
72 1 admin
In this document, the GSMA SG 
75 7 admin
_The successful withdrawal of A5/2 requires terminal manufacturers to remove it from, or disable it in, emerging GSM enabled devices._
76 1 admin
77 7 admin
_The risk of operators continuing to demand A5/2 device support stems from the possibility that some operators may not upgrade their networks to support stronger algorithms in a timely manner. The emergence of devices without A5/2 support will mean that encryption will not be possible on networks that have not upgraded their BSS infrastructure to support A5/1 and/or A5/3. However, because of the nature of the attack, and the fact that A5/2 does not offer a higher level of protection than A5/0, it is deemed preferable that these networks run with no encryption rather than use the compromised A5/2 protocol. Therefore, there is no valid reason why operators would continue to insist on A5/2 support in devices - even those that use the algorithm - and that is the key message that GSMA is promoting to its network operator members._
78 1 admin
This is very interesting, as it explicitly states no encryption is not considered as a problem in case operators did not yet upgrade to A5/1, but new non-A5/2 capable devices are used on their network.
80 2 admin
81 7 admin
_GSMA and device manufacturer representatives at a meeting in London on 25th July at which support was pledged for the withdrawal of A5/2 by end of this year_
82 1 admin
83 7 admin
_In GSM Phase 1, terminals were only mandated to support A5/1 and A5/0 (unciphered mode). Therefore in order to support GSM Phase 1 mobiles, A5/2 networks have always had to allow terminals to connect using unciphered mode (A5/0)._
84 2 admin
85 1 admin
As we can see, some GSMA members apparently prefer to show their customers that their call is not encrypted while they are too lazy to upgrade their networks:
86 7 admin
_There were also concerns that non-encrypted calls could give rise to customers being shown non-ciphering indicators on some terminals, causing them alarm. However, operators can turn off this feature using a configuration bit on the SIM/USIM._
87 1 admin
89 7 admin
h4. Include testing for A5/2 removal in certification
90 1 admin
92 7 admin
_The GSM Association’s Security Group (GSMA SG) fully supports and endorses the work item proposed within GCF to develop test cases to verify the removal of A5/2._
93 1 admin
95 7 admin
h3. October 2006: 3GPP SA WG3 Meeting 45
96 1 admin
98 7 admin
"Change Requests (S3-060790, S3-060791, S3060792) regarding the removal of A5/2 from the specification have been agreed and send to SA.
99 2 admin
100 1 admin
101 7 admin
h3. February 2007: 3GPP SA WG3 Meeting 46
102 1 admin
104 7 admin
From the [":]:
_5.4 GSMA [...] There is still workin ongoing on the removal of A5/2 from mobiles and, indeed, from the networks. First it would appear to convince operators to remove it first._
h3. May 2007: 3GPP SA WG3 Meeting 47
"_A5/3 Support ([ S3‑070437":] Liaison Statement (from GSMA SG): BSS vendor support for A5/3): The level of support for A5/3, (or the lack of it), was discussed and we approved the attached LS for input to SA WG3. The concern is that A5/3 is not widely supported by BSS vendors and the LS asks SA WG3 to review and update the specifications to ensure a clear deadline for A5/3 support in infrastructure is identified and it also asks SA WG3 represented BSS suppliers to respond to GSMA regarding their current/planned support for A5/3._
114 1 admin
While A5/3 is not required to phase out A5/2, this shows the lack of interest in the industry to improve the system security.
116 7 admin
h4. GSMA SG Liaison Statement about vendor support for A5/3
119 1 admin
From that Liaison statement:
121 7 admin
_SA3 will be aware that the A5/3 specification was first published in May 2002 and initial targets were that the algorithm should be supported in handsets and network infrastructure by end October 2004._
122 1 admin
123 7 admin
_The GSM Association’s Security Group (GSMA SG) discussed the level of support for A5/3 at its meeting on 14th and 15th May and we are gravely concerned that there is virtually no support for A5/3 5 years after the algorithm was published. This is despite the fact that an absolute deadline was agreed within 3GPP that Rel-6 compliant handsets are mandated to support A5/3._
124 1 admin
125 7 admin
_GSMA SG is seriously concerned that if A5/1 was to succumb to sustained attack no backup algorithm has been widely deployed in handsets and infrastructure and this would have the effect of leaving the industry and mobile users exposed to security threats for an extended period._
126 1 admin
128 7 admin
h3. July 2007: 3GPP SA WG3 Meeting 48
129 3 admin
131 7 admin
"From the GSMA Liaison report:
_A5/2 removal has now been issued with closure report within the GSMA. Very good progress is being made with operators changing over to A5/1 in their networks. Similarly, mobiles without A5/2 are emerging and the testing regimes have been modified to support this. An internal closure report is available to GSMA members._
133 1 admin
134 7 admin
So it seems, in July 2007, _only_ four years after a serious attack has been disclosed, the problem was fixed ;)
135 1 admin
136 7 admin
_[ S3-070540":]: GERAN access security review update ... Concerning A5/1 it was suggested that it is not breakable for the moment_
137 1 admin
138 7 admin
A number of change requests regarding _Prohibiting A5/2 in mobile stations and other clarifications regarding A5 algorithm support_ were made and approved.
139 1 admin
141 7 admin
h3. 3GPP SA WG3 Meeting 49
142 3 admin
144 7 admin
"From the GSMA SG Liaison:
_In January 2007 a group of self styled “security enthusiasts” established the “A5 Cracking Project”, with the goal of designing and building affordable equipment that can crack A5/1. The project seeks to build on previously announced theoretical attacks against A5/1, and also aims to exploit the academic attack against A5/2 that was published in 2003 and that led to the industry decision to withdraw the algorithm._
146 1 admin
147 7 admin
_The backers of the project have publicly called for volunteers to contribute to the work by contributing expertise, information and money. The project is described in more detail at, and consists of a number of phases. The first is to understand the status of various A5 hacking initiatives, the second is to crack A5/2 on a practical level, the third is to launch a practical attack against A5/1 using previously published academic papers, and the final phase will seek to identify new ways of attacking A5/1. _
148 3 admin
149 7 admin
_A second, related initiative called the GSM Software Project has also been launched.  The goal of this project is to develop a GSM scanner for under US$1,000.  The introduction and use of femtocells has made this a more likely possibility._
150 3 admin
151 7 admin
_Both projects are supported by The Hackers Choice, which in its own words is “a non-commercial group of computer experts focusing on practical and theoretical computer security … the group fosters independent research not driven by commercial interests and paradigms”._
152 1 admin
153 7 admin
_GSMA has carried out an analysis of the claims, and will be producing internal briefing documents. We have received favourable replies on upgrading to A5/3 both in the infrastructure and mobiles, and are following up the details_
154 1 admin
155 7 admin
h3. February 2008: 3GPP TSG SA WG3 Meeting 50
161 1 admin
From the GSMA SG:
162 7 admin
_A demonstrated attack on A5/1 is awaited perhaps in March at some hacker conference. GSMA has produced guiding papers for operators if need should be._
163 1 admin
164 7 admin
_SS7 protection is going to be discussed in the fore coming meeting of the GSMA group on roaming and interworking (IREG). TCAPsec and TCAP Handshake are the two candidate solutions, if they choose to do something._
165 3 admin
167 7 admin
h3. January 2009: 3GPP TSG SA WG3 Meeting 54
168 3 admin
169 7 admin
"_Recent joint meetings with the Mobile Manufacturers (EICTA) had discussed forthcoming tests to check A5/3 functions_
170 3 admin
171 7 admin
So in 2009 they are _discussing_ how to test A5/3 which was first specified in 2002 ?
172 3 admin
174 7 admin
h3. May 2009: 3GPP TSG SA3 WG Meeting 55
175 3 admin
176 7 admin
A new series of work items had been started for the next period. If anyone was interested in working on these topics then they would be welcome: Software Only Infrastructure Algorithm Updates - Mandate capability to support security algorithms without need to replace hardware._
Mh, in 2009 they _start to think_ about mandating the software-updateability of ciphering algorithms in network equipment ;)
183 4 admin
S3-091123 and S3-090829 are discussed, regarding 128bit encryption on GSM + GPRS as well as A5/4 key management
185 5 admin
186 4 admin
187 7 admin
h3. July 2009: 3GPP TSG SA3 WG Meeting 56
188 4 admin
190 7 admin
"More discussion of Kc128 derivation from UMTS AKA (S3-091520, S3-091521) as well as the A5/4 and GEA4 specification (S3-091312)
191 4 admin
192 7 admin
h3. November 2009: 3GPP TSG SA3 WG Meeting 57
196 4 admin
From the GSMA Liaison report:
198 7 admin
_SG is looking at work items including the withdrawal of COMP128-1, something which is still causing issues for many operators after 12 years since it was broken._
199 4 admin
12 years after it has been broken, the GSMA still has not officially withdrawn it?
Seven years after A5/3 has been specified:
203 7 admin
_Successful tests were made on A5/3 enabled BTS equipment in Switzerland, with 10 handsets from 7 manufacturers being tested on a live network._
204 4 admin
205 7 admin
_We also discussed the need for a CERT-like warning scheme for the mobile industry_
206 4 admin
207 7 admin
_The meeting considered the need to ensure that future infrastructure algorithm updates will be exclusively software based_
208 4 admin
211 7 admin
h2. Miscellaneous
212 3 admin
213 7 admin
h3. The GSMA IR.21 roaming database
218 1 admin
The GSMA is maintaining a database of GSM roaming operators called IR.21.  It contains information about
the various GSM operators world wide.
The structure of the information is described in 
222 7 admin
[ GSM Association Roaming Database, Structure and Updating Procedures":].
223 1 admin
Interesting bits of information are:
225 7 admin
* Which ciphering algorithms are in use (this should tell us where A5/2 is still in use!)
* Whether or not _Authentication performed for roaming subscribers at the commencement of GSM Service_
* Whether or not _Authentication performed for roaming subscribers in case of GPRS_
228 1 admin
Having access to this database (which is available to all 700+ full GSMA members) would give real insight in
the reality of GSM network security!
233 7 admin
h3. GSMA PRD SG.15
236 1 admin
the [GSMA_Security_Group] has a document called SG.15 which describes best common practises regarding the use
of GSM security features.
Unfortunately we don't have access to that document..
242 7 admin
h3. Operators reluctant to phase out A5/2
243 1 admin
244 7 admin
"3GPP SA3 Meeting Report 44": (July 2006) states:
_It was noted that some manufacturers are reluctant to remove A5/2 from their mobiles as some operators were still using it. The answer was that work is still ongoing to convince operators, mainly from North America, that A5/2 should be removed. _
248 1 admin
Interestingly, not the 3rd world countries were reluctant to switch to A5/1, but American operators ;)
Add picture from clipboard (Maximum size: 48.8 MB)