COMP128
   HOME

TheInfoList



Click Here for Items Related To - COMP128
OR:
COMP128 on:   [Wikipedia]   [Google]   [Amazon]

The COMP128 algorithms are implementations of the A3 and A8 functions defined in the GSM standard. A3 is used to authenticate the mobile station to the network. A8 is used to generate the session key used by A5 to encrypt the data transmitted between the mobile station and the
BTS BTS (), also known as the Bangtan Boys, is a South Korean boy band formed in 2010 and debuting in 2013 under Big Hit Entertainment. The septet—consisting of members Jin, Suga, J-Hope, RM, Jimin, V, and Jungkook—co-writes and co-produ ...
. There are three versions of COMP128. They were originally confidential. A partial description of the first version was leaked in 1997 and completed via
reverse engineering Reverse engineering (also known as backwards engineering or back engineering) is a process or method through which one attempts to understand through deductive reasoning how a previously made device, process, system, or piece of software accompli ...
. This led to a full publication in 1998. The second and third versions were obtained via reverse engineering of software which verifies SIM cards compliance.


Introduction

For details on the way A3 and A8 are used see
Authentication Center Network switching subsystem (NSS) (or GSM core network) is the component of a GSM system that carries out call out and mobility management functions for mobile phones roaming on the network of base stations. It is owned and deployed by mobile ...
. A3 and A8 both take a 128-bit key (''Ki'') and a 128-bit
challenge Challenge may refer to: * Voter challenging or caging, a method of challenging the registration status of voters * Euphemism for disability * Peremptory challenge, a dismissal of potential jurors from jury duty Places Geography *Challenge, C ...
(''RAND'') as inputs. A3 produces a 32-bit response (''SRES'') and A8 produces a 64-bit session key (''Kc''). A3/A8 is the combined function with ''Ki'' and ''RAND'' as inputs and ''SRES'' and ''Kc'' as outputs. As A3 and A8 are not further specified, operators can freely choose the concrete algorithms used for A3 and A8.


COMP128 algorithms

The COMP128 algorithms implement the A3/A8 function. There are three of them: * COMP128-1 – original algorithm with known weaknesses * COMP128-2 – stronger algorithm which still clears the 10 rightmost bits of ''Kc'' * COMP128-3 – same algorithm as COMP128-2 with all 64 bits of ''Kc'' generated All of them are built around a compression function with two 128 bits inputs and one 128 bits output, hence their names. ''Ki'' and ''RAND'' are used as the inputs of the compression function. Bits from its output are then used to fill ''SRES'' and ''Kc''.


COMP128-1 description

COMP128-1 uses a compression function with eight rounds which is based on a butterfly structure with five stages. ''SRES'' is filled with the first 32 bits of the output. ''Kc'' is filled with the last 54 bits of the output followed by ten zeroes. For a full description of the algorithm, the reader can view th
OsmocomBB implementation


COMP128-2/3 description

The implementation of COMP128-2 and COMP128-3 is noticeably more complex than COMP128-1. For a full description of the algorithm, the reader can view th
OsmocomBB implementation
o
FreeRADIUS implementation
both based on the Python code from the Secrets of Sim article. COMP128-2 is identical to COMP128-3 except for the fact that at the end, it clears the 10 rightmost bits of ''Kc''.


Security

The COMP128-1 hash function is considered weak because there is insufficient
diffusion Diffusion is the net movement of anything (for example, atoms, ions, molecules, energy) generally from a region of higher concentration to a region of lower concentration. Diffusion is driven by a gradient in Gibbs free energy or chemical p ...
of small changes in the input. Practical attacks have been demonstrated that can recover the subscriber key from the SIM. The session keys produced by COMP128-1 and COMP128-2 intentionally have only 54 bits of entropy. This significantly weakens the A5 or A6 encryption.


References


External links

* * {{Citation , last1=Handschuh , first1=Helena , last2=Paillier , first2=Pascal , year=2000 , title=Reducing the Collision Probability of Alleged Comp128 , citeseerx=10.1.1.141.1033 GSM standard