HOME

TheInfoList



Click Here for Items Related To - COMP128
OR:
COMP128 on:   [Wikipedia]   [Google]   [Amazon]

The COMP128 algorithms are implementations of the A3 and A8 functions defined in the
GSM The Global System for Mobile Communications (GSM) is a family of standards to describe the protocols for second-generation (2G) digital cellular networks, as used by mobile devices such as mobile phones and Mobile broadband modem, mobile broadba ...
standard. A3 is used to
authenticate Authentication (from ''authentikos'', "real, genuine", from αὐθέντης ''authentes'', "author") is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicating ...
the mobile station to the network. A8 is used to generate the
session key A session key is a single-use symmetric key used for encrypting all messages in one communication session. A closely related term is content encryption key (CEK), traffic encryption key (TEK), or multicast key which refers to any key used for ...
used by A5 to encrypt the data transmitted between the mobile station and the
BTS BTS (), also known as the Bangtan Boys, is a South Korean boy band formed in 2010. The band consists of Jin, Suga, J-Hope, RM, Jimin, V, and Jung Kook, who co-write or co-produce much of their material. Originally a hip hop group, they ...
. There are three versions of COMP128. They were originally confidential. A partial description of the first version was leaked in 1997 and completed via
reverse engineering Reverse engineering (also known as backwards engineering or back engineering) is a process or method through which one attempts to understand through deductive reasoning how a previously made device, process, system, or piece of software accompl ...
. This led to a full publication in 1998. The second and third versions were obtained via reverse engineering of software which verifies SIM cards compliance.


Introduction

For details on the way A3 and A8 are used see
Authentication Center Network switching subsystem (NSS) (or GSM core network) is the component of a GSM system that carries out telephone exchange, call out and mobility management functions for mobile phones roaming on the Base Station subsystem, network of base sta ...
. A3 and A8 both take a 128-bit key (''Ki'') and a 128-bit challenge (''RAND'') as inputs. A3 produces a 32-bit response (''SRES'') and A8 produces a 64-bit session key (''Kc''). A3/A8 is the combined function with ''Ki'' and ''RAND'' as inputs and ''SRES'' and ''Kc'' as outputs. As A3 and A8 are not further specified, operators can freely choose the concrete algorithms used for A3 and A8.


COMP128 algorithms

The COMP128 algorithms implement the A3/A8 function. There are three of them: * COMP128-1 – original algorithm with known weaknesses * COMP128-2 – stronger algorithm which still clears the 10 rightmost bits of ''Kc'' * COMP128-3 – same algorithm as COMP128-2 with all 64 bits of ''Kc'' generated All of them are built around a compression function with two 128 bits inputs and one 128 bits output, hence their names. ''Ki'' and ''RAND'' are used as the inputs of the compression function. Bits from its output are then used to fill ''SRES'' and ''Kc''.


COMP128-1 description

COMP128-1 uses a compression function with eight rounds which is based on a butterfly structure with five stages. ''SRES'' is filled with the first 32 bits of the output. ''Kc'' is filled with the last 54 bits of the output followed by ten zeroes. For a full description of the algorithm, the reader can view th
OsmocomBB implementation


COMP128-2/3 description

The implementation of COMP128-2 and COMP128-3 is noticeably more complex than COMP128-1. For a full description of the algorithm, the reader can view th
OsmocomBB implementation
o
FreeRADIUS implementation
both based on the Python code from the Secrets of Sim article. COMP128-2 is identical to COMP128-3 except for the fact that at the end, it clears the 10 rightmost bits of ''Kc''.


Security

The COMP128-1 hash function is considered weak because there is insufficient
diffusion Diffusion is the net movement of anything (for example, atoms, ions, molecules, energy) generally from a region of higher concentration to a region of lower concentration. Diffusion is driven by a gradient in Gibbs free energy or chemical p ...
of small changes in the input. Practical attacks have been demonstrated that can recover the subscriber key from the SIM. The session keys produced by COMP128-1 and COMP128-2 intentionally have only 54 bits of entropy. This significantly weakens the A5 or A6 encryption.


References


External links

* * {{Citation , last1=Handschuh , first1=Helena , last2=Paillier , first2=Pascal , year=2000 , title=Reducing the Collision Probability of Alleged Comp128 , citeseerx=10.1.1.141.1033 GSM standard