Tuesday, December 29, 2009

BBC: Secret mobile phone codes cracked

By Jonathan Fildes, Technology reporter, BBC News

Encryption is used on mobiles to stop eavesdropping

A German computer scientist has published details of the secret code used to protect the conversations of more than 4bn mobile phone users.

Karsten Nohl, working with other experts, has spent the past five months cracking the algorithm used to encrypt calls using GSM technology.

GSM is the most popular standard for mobile networks around the world.

The work could allow anyone - including criminals - to eavesdrop on private phone conversations.

Mr Nohl told the Chaos Communication Congress in Berlin that the work showed that GSM security was "inadequate".

"We are trying to inform people about this widespread vulnerability," he told BBC News.

"We hope to create some additional pressure and demand from customers for better encryption."

The GSM Association (GSMA), which devised the algorithm and oversees development of the standard, said Mr Nohl's work would be "highly illegal" in the UK and many other countries.

"This isn't something that we take lightly at all," a spokeswoman said.

Mr Nohl told the BBC that he had consulted with lawyers before publication and believed the work was "legal".

'Secret key'

GSM encryption was first introduced in 1987

Mr Nohl, working with a "few dozen" other people, claims to have published material that would crack the A5/1 algorithm, a 22-year-old code used by many carriers.

The code is designed to prevent phone calls from being intercepted by forcing mobile phones and base stations to rapidly change radio frequencies over a spectrum of 80 channels.

It is known to have a series of weaknesses with the first serious flaw exposed in 1994.

Mr Nohl, who describes himself as an "offensive security researcher", announced his intention to crack the code at the Hacking at Random (HAR) conference in The Netherlands in August this year.

"Any cryptographic function is a one way street," he told BBC News. "You should not be able to decrypt without the secret key."

To get around this problem, Mr Nohl, working with other members of the encryption community, used networks of computers to crunch through "every possible combination" of inputs and outputs for the encryption code. Mr Nohl said there were "trillions" of possibilities.

All of the outputs are now detailed in a vast table, which can be used to determine the encryption key used to secure the conversation or text message.

"It's like a telephone book - if someone tells you a name you can look up their number," he said.

Using the codebook, a "beefy gaming computer and $3,000 worth of radio equipment" would allow anyone to decrypt signals from the billions of GSM users around the world, he said.

Signals could be decrypted in "real time" with $30,000 worth of equipment, Mr Nohl added.

'Not practical'

It has previously been possible to decrypt GSM signals to listen in on conversations, but the equipment cost "hundreds of thousands of dollars," experts said.

According to Ian Meakin, of mobile encryption firm Cellcrypt, only government agencies and "well funded" criminals had access to the necessary technology.

He described Mr Nohl's work as a "massive worry".

"It lowers the bar for people and organisations to crack GSM calls," he told BBC News.

"It inadvertently puts these tools and techniques in the hands of criminals."

However, the GSMA dismissed the worries, saying that "reports of an imminent GSM eavesdropping capability" were "common".

It said that there had been "a number" of academic papers outlining how A5/1 could be compromised but "none to date have led to a practical attack".

The association said that it had already outlined a proposal to upgrade A5/1 to a new standard known as A5/3 which was currently being "phased in".

"All in all, we consider this research, which appears to be motivated in part by commercial considerations, to be a long way from being a practical attack on GSM," the spokeswoman said.


A5/1 is a stream cipher used to provide over-the-air communication privacy in the GSM cellular telephone standard. It was initially kept secret, but became public knowledge through leaks and reverse engineering. A number of serious weaknesses in the cipher have been identified.

In December 2009, the completion of 2 terabyte time-memory tradeoff attack tables for breaking A5/1 was announced by cryptographer Karsten Nohl during the course of the Chaos Communication Congress in Berlin, Germany.

A5/1 is used in Europe and the United States. A5/2 was a deliberate weakening of the algorithm for certain export regions.[4] A5/1 was developed in 1987, when GSM was not yet considered for use outside Europe, and A5/2 was developed in 1989. Both were initially kept secret. However, the general design was leaked in 1994, and the algorithms were entirely reverse engineered in 1999 by Marc Briceno from a GSM telephone. In 2000, around 130 million GSM customers relied on A5/1 to protect the confidentiality of their voice communications.

Security researcher Ross Anderson reported in 1994 that "there was a terrific row between the NATO signal intelligence agencies in the mid 1980s over whether GSM encryption should be strong or not. The Germans said it should be, as they shared a long border with the Warsaw Pact; but the other countries didn't feel this way, and the algorithm as now fielded is a French design."

A GSM transmission is organised as sequences of bursts. In a typical channel and in one direction, one burst is sent every 4.615 milliseconds and contains 114 bits available for information. A5/1 is used to produce for each burst a 114-bit sequence of keystream which is XORed with the 114 bits prior to modulation. A5/1 is initialised using a 64-bit key together with a publicly known 22-bit frame number. In fielded GSM implementations 10 of the key bits are fixed at zero, resulting in an effective key length of 54 bits. A5/1 can also be used for data encryption in EDGE, in which case up to eight bursts are sent every 4.615 milliseconds, each containing 348 data bits.

A5/1 is built from three linear feedback shift registers (LFSRs) of 19, 22 and 23 bits. The registers are clocked in a stop/go fashion using a majority rule. Each register has an associated clocking bit. At each cycle, the clocking bit of all three registers is examined and the majority bit is determined. A register is clocked if its clocking bit agrees with the majority bit. Hence at each step two or three registers are clocked, and each register steps with probability 3/4.

The registers are first set to zero. The 64 key bits are then mixed in one per cycle over 64 cycles, with all three registers clocked regardless of the majority rule, and the 22 bits of the frame number are added in the same way over 22 cycles. Then the entire system is clocked using the normal majority clocking mechanism for 100 cycles, with the output discarded. After this is completed, the cipher is ready to produce two 114-bit sequences of output keystream: the first 114 bits for the downlink, the last 114 for the uplink.

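As an added example (not code from the BBC article, the Wikipedia text or any project named on this page), the following Python implements the A5/1 keystream generator exactly as described above: three LFSRs of 19, 22 and 23 bits, majority clocking on bits 8, 10 and 10, 64 key cycles and 22 frame cycles with all registers clocked, 100 discarded cycles, then 114 bits each for downlink and uplink. Tap positions and the least-significant-bit-first key ordering follow the publicly documented reverse-engineered design; the key and frame number in the demo are sample values.

```python
# Added example: A5/1 keystream generator (not the page's own code).
# Register layout follows the publicly documented, reverse-engineered design:
# three LFSRs of 19, 22 and 23 bits; clocking bits 8, 10 and 10; the output
# bit is the XOR of each register's most significant bit.
R1_LEN, R2_LEN, R3_LEN = 19, 22, 23
R1_MASK, R2_MASK, R3_MASK = (1 << R1_LEN) - 1, (1 << R2_LEN) - 1, (1 << R3_LEN) - 1
R1_TAPS, R2_TAPS, R3_TAPS = 0x072000, 0x300000, 0x700080   # feedback taps
R1_MID, R2_MID, R3_MID = 1 << 8, 1 << 10, 1 << 10          # clocking bits


def _parity(x: int) -> int:
    return bin(x).count("1") & 1


def _step(reg: int, taps: int, mask: int) -> int:
    """Shift the register left one bit, feeding back the XOR of its tapped bits."""
    return ((reg << 1) & mask) | _parity(reg & taps)


class A51:
    def __init__(self, key: bytes, frame: int) -> None:
        if len(key) != 8 or not 0 <= frame < (1 << 22):
            raise ValueError("A5/1 needs a 64-bit key and a 22-bit frame number")
        self.r1 = self.r2 = self.r3 = 0
        # Key loading: 64 cycles, all registers clocked, each key bit XORed into
        # bit 0 of every register (least significant bit of each key byte first).
        for i in range(64):
            self._clock_all((key[i // 8] >> (i & 7)) & 1)
        # Frame number loading: 22 cycles of the same kind.
        for i in range(22):
            self._clock_all((frame >> i) & 1)
        # 100 cycles of majority clocking with the output discarded.
        for _ in range(100):
            self._clock_majority()

    def _clock_all(self, bit: int) -> None:
        self.r1 = _step(self.r1, R1_TAPS, R1_MASK) ^ bit
        self.r2 = _step(self.r2, R2_TAPS, R2_MASK) ^ bit
        self.r3 = _step(self.r3, R3_TAPS, R3_MASK) ^ bit

    def _clock_majority(self) -> None:
        """Stop/go clocking: a register steps only if its clocking bit matches the majority."""
        b1 = bool(self.r1 & R1_MID)
        b2 = bool(self.r2 & R2_MID)
        b3 = bool(self.r3 & R3_MID)
        maj = (b1 + b2 + b3) >= 2
        if b1 == maj:
            self.r1 = _step(self.r1, R1_TAPS, R1_MASK)
        if b2 == maj:
            self.r2 = _step(self.r2, R2_TAPS, R2_MASK)
        if b3 == maj:
            self.r3 = _step(self.r3, R3_TAPS, R3_MASK)

    def keystream_bit(self) -> int:
        self._clock_majority()
        return (self.r1 >> (R1_LEN - 1)) ^ (self.r2 >> (R2_LEN - 1)) ^ (self.r3 >> (R3_LEN - 1))

    def burst(self, nbits: int = 114) -> bytes:
        """Return nbits of keystream packed MSB-first; the last byte is zero-padded."""
        out = bytearray((nbits + 7) // 8)
        for i in range(nbits):
            out[i // 8] |= self.keystream_bit() << (7 - (i & 7))
        return bytes(out)


def gsm_burst_keystreams(key: bytes, frame: int):
    """Downlink (first 114 bits) and uplink (next 114 bits) keystream for one frame."""
    gen = A51(key, frame)
    return gen.burst(114), gen.burst(114)


def xor_burst(data: bytes, keystream: bytes) -> bytes:
    """GSM applies the keystream by plain XOR, so the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream))


if __name__ == "__main__":
    # Sample key and frame number (constructed demo values, not a real session key).
    down, up = gsm_burst_keystreams(bytes.fromhex("1223456789ABCDEF"), 0x134)
    print("downlink", down.hex(), "uplink", up.hex())
```

Because the keystream is applied by plain XOR, anyone holding a burst of known plaintext recovers the corresponding keystream bits directly, which is the "known plaintext assumption" the attacks listed below depend on.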
A number of attacks on A5/1 have been published. Some require an expensive preprocessing stage after which the cipher can be attacked in minutes or seconds. Until recently, the weaknesses have been passive attacks using the known plaintext assumption. In 2003, more serious weaknesses were identified which can be exploited in the ciphertext-only scenario, or by an active attacker. In 2006 Elad Barkan, Eli Biham and Nathan Keller demonstrated attacks against A5/1, A5/3, or even GPRS that allow attackers to tap GSM mobile phone conversations and decrypt them either in real-time, or at any later time.

In 1997, Golic presented an attack based on solving sets of linear equations which has a time complexity of 2^40.16 (the units are in terms of the number of solutions of a system of linear equations which are required).

In 2000, Alex Biryukov, Adi Shamir and David Wagner showed that A5/1 can be cryptanalysed in real time using a time-memory tradeoff attack,[6] based on earlier work by Jovan Golic.[7] One tradeoff allows an attacker to reconstruct the key in one second from two minutes of known plaintext or in several minutes from two seconds of known plaintext, but he must first complete an expensive preprocessing stage which requires 2^48 steps to compute around 300 GB of data. Several tradeoffs between preprocessing, data requirements, attack time and memory complexity are possible.

The same year, Eli Biham and Orr Dunkelman also published an attack on A5/1 with a total work complexity of 2^39.91 A5/1 clockings given 2^20.8 bits of known plaintext. The attack requires 32 GB of data storage after a precomputation stage of 2^38.[8]

Ekdahl and Johansson published an attack on the initialisation procedure which breaks A5/1 in a few minutes using two to five minutes of conversation plaintext.[9] This attack does not require a preprocessing stage. In 2004, Maximov et al. improved this result to an attack requiring "less than one minute of computations, and a few seconds of known conversation". The attack was further improved by Elad Barkan and Eli Biham in 2005.[10]

In 2003, Barkan et al. published several attacks on GSM encryption.[11] The first is an active attack. GSM phones can be convinced to use the much weaker A5/2 cipher briefly. A5/2 can be broken easily, and the phone uses the same key as for the stronger A5/1 algorithm. A second attack on A5/1 is outlined, a ciphertext-only time-memory tradeoff attack which requires a large amount of precomputation.

In 2006, Elad Barkan, Eli Biham and Nathan Keller published the full version of their 2003 paper, with attacks against the A5/X ciphers. The authors claim:[12]

We present a very practical ciphertext-only cryptanalysis of GSM encrypted communication, and various active attacks on the GSM protocols. These attacks can even break into GSM networks that use "unbreakable" ciphers. We first describe a ciphertext-only attack on A5/2 that requires a few dozen milliseconds of encrypted off-the-air cellular conversation and finds the correct key in less than a second on a personal computer. We extend this attack to a (more complex) ciphertext-only attack on A5/1. We then describe new (active) attacks on the protocols of networks that use A5/1, A5/3, or even GPRS. These attacks exploit flaws in the GSM protocols, and they work whenever the mobile phone supports a weak cipher such as A5/2. We emphasize that these attacks are on the protocols, and are thus applicable whenever the cellular phone supports a weak cipher, for example, they are also applicable for attacking A5/3 networks using the cryptanalysis of A5/1. Unlike previous attacks on GSM that require unrealistic information, like long known plaintext periods, our attacks are very practical and do not require any knowledge of the content of the conversation. Furthermore, we describe how to fortify the attacks to withstand reception errors. As a result, our attacks allow attackers to tap conversations and decrypt them either in real-time, or at any later time.

In 2007 the Universities of Bochum and Kiel started a research project to create a massively parallel FPGA-based crypto accelerator, COPACOBANA. COPACOBANA is known[13] to be the first commercially available solution capable of accelerating time-memory trade-off techniques that can be used for attacking the popular A5/1 and A5/2 algorithms used in GSM voice encryption and the Data Encryption Standard (DES). It also enables brute force attacks against GSM, eliminating the need for large precomputed lookup tables.

In 2008, the group The Hackers Choice launched a project to develop a practical attack on A5/1. The attack requires the construction of a large look-up table of approximately 3 terabytes. Constructing this table has proved too big a task for anyone to complete until now, but the group is in the process of building it and it is expected to be completed within the year. As of June 2008 it is not reported complete.

Once the table is built, and together with the scanning capabilities developed as part of the sister project, the group expect to be able to record any GSM call or SMS encrypted with A5/1, and within about 3.5 minutes derive the encryption key and hence listen to the call and read the SMS in clear.

The GSM rainbow table project was announced at the 2009 Black Hat security conference and aims to create the look-up table using Nvidia GPGPUs in a peer-to-peer distributed computing architecture. Since the middle of September 2009 the project has run on the equivalent of 12 Nvidia GeForce GTX 260 cards, and at that unchanged effort it is expected to need 650 days before the 137000 million chains have been completed. As more people join the effort, this time can be significantly shortened. These timescales are much shorter than the time it will take for all GSM phones to be updated.


1. O'Brien, Kevin (2009-12-28). "Cellphone Encryption Code Is Divulged". New York Times. http://www.nytimes.com/2009/12/29/technology/29hack.html. Retrieved 2009-12-29.
2. Nohl, Karsten; Sascha Krißler. "Subverting the security base of GSM". https://har2009.org/program/attachments/119_GSM.A51.Cracking.Nohl.pdf.
3. McMillan, Robert. "Hackers Show It's Easy to Snoop on a GSM Call". IDG News Service. http://www.pcworld.com/article/185542/hackers_show_its_easy_to_snoop_on_a_gsm_call.html.
4. Quirke, Jeremy (2004-05-01). "Security in the GSM system". AusMobile. Archived from the original on 2004-07-12. http://web.archive.org/web/20040712061808/www.ausmobile.com/downloads/technical/Security+in+the+GSM+system+01052004.pdf.
5. Anderson, Ross (1994-06-17). "A5 (Was: HACKING DIGITAL PHONES)". uk.telecom.
6. Biryukov, Alex; Adi Shamir; David Wagner (2000). "Real Time Cryptanalysis of A5/1 on a PC". Fast Software Encryption, FSE 2000: 1–18. http://cryptome.info/0001/a51-bsw/a51-bsw.htm.
7. Golic, Jovan Dj. (1997). "Cryptanalysis of Alleged A5 Stream Cipher". EUROCRYPT 1997: 239–255. http://jya.com/a5-hack.htm.
8. Biham, Eli; Orr Dunkelman (2000). "Cryptanalysis of the A5/1 GSM Stream Cipher". Indocrypt 2000: 43–51.
9. Ekdahl, Patrik; Thomas Johansson (2003). "Another attack on A5/1". IEEE Transactions on Information Theory 49 (1): 284–289. doi:10.1109/TIT.2002.806129. http://www.it.lth.se/patrik/papers/a5full.pdf.
10. Barkan, Elad; Eli Biham (2005). "Conditional Estimators: An Effective Attack on A5/1". Selected Areas in Cryptography 2005: 1–19.
11. Barkan, Elad; Eli Biham; Nathan Keller (2003). "Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication". Crypto 2003: 600–616. http://cryptome.org/gsm-crack-bbk.pdf.
12. Barkan, Elad; Eli Biham; Nathan Keller (2006). "Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication (Full Version)". Technion technical report CS-2006-07. http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/2006/CS/CS-2006-07.pdf.
13. Gueneysu, Tim; Timo Kasper; Martin Novotný; Christof Paar; Andy Rupp (2008). "Cryptanalysis with COPACOBANA". IEEE Transactions on Computers, Nov. 2008: 1498–1513. http://www.copacobana.org/paper/TC_COPACOBANA.pdf.

posted by u2r2h at Tuesday, December 29, 2009

Wednesday, December 23, 2009

HACKED Kindle .. Microsoft Word Stuffed

An Israeli hacker claims to have broken the copyright protection on Amazon's Kindle e-reader, reports say. The hack will allow the ebooks stored on the reader to be transferred as PDF files to any other device. The hacker, known as Labba, responded to a challenge posted on the Israeli hacking forum hacking.org. It is the latest in a series of Digital Rights Management hacks, the most famous being the reverse engineering of iTunes (Apple).

The Kindle e-book reader has been very successful since it was launched in the US in 2007. Amazon hopes to have sold a million devices by the end of the year.

It leaves it to individual publishers whether they want to apply DRM, but books in its main proprietary format, .azw, cannot be transferred to other devices. It did not immediately respond to the news but it is likely it will attempt to patch its DRM software.

DRM has long divided opinion. While rights holders regard it as a crucial tool to protect copyright, consumers tend to hate it because it limits what can be done with content.

"DRM is not an effective way of preventing copying nor is it a good way of making sales. There isn't a customer out there saying 'what I need is an electronic book that does less'," novelist and co-editor of the Boing Boing blog Cory Doctorow told the BBC when the Kindle was launched.

As soon as a new DRM system is active, hackers begin to try and break it. Most famously Jon Lech Johansen, known as DVD Jon, cracked the copy protection on DVDs in 1999. He went on to break the copyright protection on iTunes, leading Apple to offer DRM-free music. DVD Jon now runs a company with an application to take the pain out of moving different types of content between devices.

Ban on sales of Microsoft Word upheld

Microsoft has failed in its attempt to dismiss a court case that would stop it selling Word. The software giant appealed against a ruling which found it infringed a patent owned by Canadian company i4i. With the failure of the appeal Microsoft must now pay i4i damages of $290m (£182m) and comply with an injunction ending the sales of some versions of Word. The injunction is scheduled to go into effect on 11 January.

Microsoft said the ban would prohibit the sale of all available versions of Microsoft Word and Microsoft Office software from the date that the injunction comes into force. Versions of the software sold before that date, including Word 2003 and Word 2007, will not be hit by the ruling.

"We have been preparing for this possibility since the District Court issued its injunction in August 2009 and have put the wheels in motion to remove this little-used feature from these products," Microsoft said. "Therefore, we expect to have copies of Microsoft Word 2007 and Office 2007, with this feature removed, available for US sale and distribution by the injunction date," it said. "Beta versions of Microsoft Word 2010 and Microsoft Office 2010, which are available now for downloading, do not contain the technology covered by the injunction," Microsoft added.

Microsoft was accused by i4i of infringing on a 1998 XML patent in its Word 2003 and Word 2007 programs. Word uses XML, or the Extensible Markup Language, to open .XML, .DOCX, and .DOCM files.

The initial ruling in the court dispute between i4i and Microsoft was made in August. At that time Microsoft was found to have infringed the i4i patent and the Canadian firm was awarded damages. The injunction on sales was imposed at the same time but a Microsoft appeal initially overturned that ban on US sales. The stay on the injunction has now run out and, as a result, Microsoft must stop selling infringing versions of Word.

Microsoft said it might file further appeals, but that it was keen to comply with the injunction. "While we are moving quickly to address the injunction issue, we are also considering our legal options," it said.

posted by u2r2h at Wednesday, December 23, 2009

Monday, December 14, 2009

My favourite artist..

Neo Rauch (born 18 April 1960, in Leipzig, East Germany) is a German artist whose paintings mine the intersection of his personal history with the politics of industrial alienation. His work reflects the influence of socialist realism, and owes a debt to Surrealists Giorgio de Chirico and René Magritte, although Rauch hesitates to align himself with surrealism. He studied at the Hochschule für Grafik und Buchkunst in Leipzig, and he lives in Markkleeberg near Leipzig, Germany and works as the principal artist of the New Leipzig School.

Rauch's paintings suggest a narrative intent but, as art historian Charlotte Mullins explains, closer scrutiny immediately presents the viewer with enigmas: "Architectural elements peter out; men in uniform from throughout history intimidate men and women from other centuries; great struggles occur but their reason is never apparent; styles change at a whim

Rauch's parents died in a train accident when he was four weeks old. He grew up with his grandparents in Aschersleben and passed his exam at the Thomas-Müntzer-Oberschule (now Gymnasium Stephaneum). Rauch studied painting at the Leipziger Hochschule für Grafik und Buchkunst (Academy of Graphic and Book Art). He was then a master student under Professor Arno Rink (1981–1986) and Professor Bernhard Heisig (1986–1990). After the fall of the GDR Rauch worked from 1993 to 1998 as an assistant to Arno Rink and Sighard Gille at the Leipziger Akademie.

Rauch works with his spouse and artist Rosa Loy at a former cotton-mill, Leipziger Baumwollspinnerei, about which he says: "It is the location of concentration and inspiration. Here the best ideas come to me."

Rauch is considered to be part of the New Leipzig School and his works are characterized by a style that draws on the Social Realism of communism. American critics in particular prefer to recognize in his contemporary style a post-communist Surrealism. But more than anything Rauch is recognized as an East-West painter. Rauch merges the modern myths of both the Warsaw Pact and the Western world. His figures are portrayed in a landscape in which an American comic aesthetic meets the Social Realism of communism. In the art publication Texte zur Kunst (Texts about Art, number 55) he was defined as an example of a new German neo-conservatism.

One of his promoters, Roberta Smith (journalist for the New York Times), caused great enthusiasm in the US for Rauch's works with an article about the "painter, who came from the cold." Rauch's works are in the Museum of Modern Art in New York City and have been shown in numerous solo exhibitions, including one at the Wiener Albertina.

Rauch won the Vincent Award in 2002. His work was featured at the 2005 Carnegie International in Pittsburgh Pennsylvania, and he had his first solo North American museum exhibition at the Saint Louis Art Museum in St. Louis, Missouri in 2003-2004.[6] His first Canadian exhibit was held at the Musee d'art contemporain de Montreal in 2006.

In 2007 Rauch painted a series of works especially for a solo exhibition in the mezzanine of the modern art wing at the Metropolitan Museum in New York City. This special exhibition was called "Para." Rauch explains that he enjoys the associations the word "para" evokes in his own mind, and says that his works at "Para" have no particular intention, but that they could signify anything to anyone.
"When I first agreed to do the Met exhibition, I thought about a way of working that would be about the nature of a museum. But straight away I realized that I was much more interested in those "visions from the Witches Circle" in my studio than I was in coming up with things in a purely thematic way. Calling them "visions" reflects my personality: they precede inspiration and spring from the moment when internal images appear at the prompting of intellectual decisions. I have no choice but to accept everything that I discover in this way."[1]

'Paranoia', oil on canvas painting by Neo Rauch, 2007

Works for "Para":

* Jagdzimmer (Hunter's room), 2007
* Vater (Father), 2007
* Die Fuge (The Fugue/The Gap), 2007
* Warten auf die Barbaren (Waiting for the Barbarians), 2007
* Para, 2007
* Paranoia, 2007
* Goldgrube (Gold Mine), 2007
* Vorort (Suburb), 2007
* Der nächste Zug (The Next Move/The Next Draw), 2007
* Die Flamme (The Flame), 2007

The works created for "Para" are characterized by three elements: a pre-communist civic-mindedness, communist Social Realism and an idealized countryside. On the other hand it's a prefix which evokes associations like para-normal, para-dox or para-noia.
The works can also be read as a connected system: a picture such as Paranoia, for example, reflects a theory of cognition inside a hermetically sealed room.

Leipzig, Rauch's city of birth, is known historically as a city of trade through its association with the Leipzig Trade Fair. This civic-mindedness of a trader's city also expressed itself under communism where Leipzig was the center of popular resistance that led to Die Wende. Rauch uses characters and images of life of pre-communist civil society that was oppressed by communism in the GDR. The oppression of communism and the total control of civic life under the rule of communist ideology is one of the elements of Rauch's work. The destructive powers of ideologies is perhaps the reason why Rauch refuses to interpret his own work as a powerful statement in favor of a cultural relativism that characterized the civic bourgeois thought that was destroyed.

In 2007, the Galerie Rudolfinum in Prague held a retrospective entitled "Neue Rollen," organized by the Kunstmuseum, Wolfsburg, of Rauch's works covering 13 years.



posted by u2r2h at Monday, December 14, 2009