1130

SIM-PIC клонирование это не вредно

GSM CloningHere is some information on our GSM cloning results, starting at a very high level, and moving on eventually to detailed technical information, with data for the cryptographers and mathematicians at the end. Please feel free to contact me with any questions.This is joint work with Ian Goldberg (also of the ISAAC security research lab) and Marc Briceno (of the Smartcard Developers Association).Executive summary: We''ve shown how parties with physical access to a victim''s GSM cellphone can ``clone'''' the phone and fraudulently place calls billed to the victim''s account. This shows that the GSM fraud-prevention framework fails to live up to expectations, and casts doubt on its foundation (as well as the design process). However, we should be clear that this is only a partial flaw, not a total failure of the authentication framework: our experiments have been limited to showing that GSM phones can be cloned if the attacker has physical access to the target phone. (In US analog cellphones, one can clone the cellphones with only some radio reception equipment, which is a much more serious flaw; as a consequence, US providers lose over $500 million yearly to fraud.)One potential threat is that the salesman who sells you a cellphone may have made ``a spare copy of the keys'''' for his own use; he may later make fraudulent calls billed to you. Because most providers today apparently rely purely on the authentication codes, with no fallback position if those codes are cracked, such fraud might go undetected until long after the money has been lost.BackgroundThe GSM fraud-prevention framework relies on special cryptographic codes to authenticate customers and bill them appropriately. A personalized smartcard (called a SIM) in the cellphone stores a secret key which is used to authenticate the customer; knowledge of the key is sufficient to make calls billed to that customer. The tamper-resistant smartcard is supposed to protect the key from disclosure (even against adversaries which may have physical access to the SIM); authentication is done with a cryptographic protocol which allows the SIM to "prove" knowledge of the key to the service provider, thus authorizing a call.As a result of our mathematical analysis, we have discovered that the cryptographic codes used for authentication are not strong enough to resist attack. To exploit this vulnerability, an individual would interact with the SIM repeatedly; with enough queries, the attacker can use some mathematical techniques to learn the supposedly-secret key. Once the key is compromised, it is possible to make fraudulent calls which will be billed to the victim.Clarification: not a total break of the authentication frameworkWe wish to emphasize that we have only demonstrated how to clone a phone if given physical access to the phone (or its SIM chip). Many will probably be interested in the question of whether these attacks can be performed ``over the air'''' (i.e. by accessing the target cellphone remotely with specialized radio equipment). While we cannot rule out the possibility that someone may learn how to perform ``over the air'''' cloning, we have not demonstrated such an attack in our work.What went wrong?This vulnerability can be attributed to a serious failing of the GSM security design process: it was conducted in secrecy. Experts have learned over the years that the only way to assure security is to follow an open design process, encouraging public review to identify flaws while they can still be fixed. There''s no way that we would have been able to break the cryptography so quickly if the design had been subjected to public scrutiny; nobody is that much better than the rest of the research community.In the telecommunications security field, openness is critical to good design. Codemaking is so hard to get right the first time that it is crucial to have others double-check one''s ideas. Instead, the GSM design committee kept all security specifications secret -- which made the information just secret enough to prevent others from identifying flaws in time to fix them, but not secret enough to protect the system against eventual scrutiny. With 80 million GSM users, fixing flaws in such a widely-fielded system is likely to be quite costly.We expect that fixing the flaw may potentially be expensive. A new authentication algorithm would have to be selected. Then new SIMs would have to be programmed with the new algorithm, and distributed to the 80 million end users. Finally, a software upgrade may be required for all authentication centers.Technical details of the attackWe showed how to break the COMP128 authentication algorithm, an instantiation of A3/A8 widely used by providers. Our attack is a chosen-challenge attack. We form a number of specially-chosen challenges and query the SIM for each one; the SIM applies COMP128 to its secret key and our chosen challenge, returning a response to us. By analyzin
0