Cryptography used in GSM

Design decisions for GSM

The major cryptographic design decisions for GSM were:

• A fully symmetric cryptographic architecture: While it is obvious that the need for fast real-time encryption of the radio link requires the use of symmetric cryptography, it might still be beneficial to deploy public-key cryptography to enable key establishment. However, GSM is an entirely closed system. All key material can be loaded onto the necessary equipment before it is issued to users, so there is no need to use public-key cryptography for this purpose.

• Stream ciphers for data encryption: The requirement for fast real-time encryption over a potentially noisy communication channel means that a stream cipher is the most appropriate primitive.

• Fixing the encryption algorithms: The mobile operators must agree on which encryption algorithms to use so that the devices they operate can be made compatible with one another. However, other cryptographic algorithms, such as those used in GSM authentication, do not have to be fixed. In the case of authentication, an individual mobile operator is free to choose the cryptographic algorithm it deploys to authenticate its users (since users of another mobile operator are not directly impacted by this decision).

• Proprietary cryptographic algorithms: The designers of GSM chose to develop some proprietary cryptographic algorithms rather than use open standards. We have discussed the pros and cons of this choice. While the use of proprietary algorithms is not wise in many application environments, in the case of GSM, three factors called for the consideration of this option:

  1. GSM is a closed system, so deploying proprietary algorithms is feasible.

  2. ETSIEuropean Telecommunications Standards Institute has a degree of cryptographic expertise and maintains links with the open research community.

  3. The need for fast real-time encryption means that an algorithm designed explicitly to run on the hardware of a mobile phone will probably perform better than an ‘off-the-shelf’ algorithm.

The fundamental component involved in GSM security is the Subscriber Identification Module (SIM) card, which is a smart card inserted into the mobile phone of the user. This SIM card contains all the information distinguishing one user account from another. As a result, a user can potentially change phone equipment simply by removing the SIM and inserting it into a new phone. The SIM contains two particularly important pieces of information:

1. The International Mobile Subscriber Identity (IMSI), which is a unique number mapping a user to a particular phone number.

2. A unique 128-bit cryptographic key $K_i$, which is randomly generated by the mobile operator.

These two pieces of data are inserted onto the SIM card by the mobile operator before the SIM card is issued to the user. The key $K_i$ forms the basis for all the cryptographic services relating to the user. The SIM card also contains implementations of some of the cryptographic algorithms required to deliver these services.

GSM authentication

Entity authentication of the user in GSM is provided using a challenge-response protocol similar to the dynamic password schemes. This is implemented as part of an AKE protocol, which also generates a key $K_C$ for subsequent data encryption. GSM does not dictate which cryptographic algorithms should be used as part of this AKE protocol, but it does suggest one candidate algorithm and defines the way in which algorithms should be used.

As indicated in the illustration below, an algorithm A3 is used in the challenge-response protocol, and an algorithm A8 is used to generate the encryption key $K_C$. Both of these algorithms can be individually selected by the mobile operator and are implemented on the SIM and in the operator’s network. Both A3 and A8 can be loosely considered types of key derivation functions, since their main purpose is to use $K_i$ to generate pseudorandom values.