Prediction of Plaintext in GSM Network using SDCCH Logical Channel

Document Type : Original Article

Author

Associate Professor, University of Tehran, Tehran, Iran

Abstract

The GSM cellular standard is still widely used worldwide. In this standard, the A5 ciphering algorithms are employed to protect user data. A5/1 and A5/3 are two variants of the A5 ciphering algorithms that are proven to be very powerful. Most known attacks on these ciphering algorithms assume some known plaintext data. In this paper, for the first time, a method of plaintext prediction is proposed for the SDCCH logical channel. Four possible downlink SDCCH packets are considered: RR, UA, SABM, and UI Fill frames. The matrices of the occurrence positions and probabilities of these packets are learned by observing the network traffic. Four matrices are considered, corresponding to four different types of sessions. Experiments on a real-world network show that we can correctly predict, on average, 2.94 plaintexts for each session. Moreover, the average position of the first correct plaintext among all predicted plaintexts is 1.24. So, the time required for cipher cracking is around 25% more than the time required by an ideal plaintext prediction system.

Volume 9, Issue 3 - Serial Number 35
Serial No. 35, Autumn Quarterly
December 2021
Pages 39-47
  • Receive Date: 20 October 2020
  • Revise Date: 07 February 2021
  • Accept Date: 29 January 2021
  • Publish Date: 22 November 2021