Cracked in less than 2 hours

Jan 16, 2010 10:09 GMT  ·  By

The mobile industry has been moving to newer standards to limit the risk of attacks on wireless networks, and 3G, already widely deployed around the world, was seen as the more secure alternative to GSM. After GSM's A5/1 cipher was shown to be quite vulnerable in December last year, 3G looked like the safer choice, until a few days ago.

A group of researchers has just shown that the encryption used in 3G communications can be cracked in only a couple of hours on an ordinary personal computer. The report concerns the 3G KASUMI block cipher (the core of the A5/3 algorithm), and its weakness was demonstrated only a few weeks after the A5/1 cipher used in GSM was broken.

The cipher at the base of KASUMI is MISTY, one of a wider family of constructions known as Feistel ciphers, in which each round applies a keyed function to one half of the block, mixes the result into the other half and swaps the halves. According to Ars Technica, all of these are fairly complex, “with multiple keys being combined, and a recursive, multiround encryption process that alternates the order of different functions.” Those who would like to get an idea of their complexity can find more here.

The news site also notes, “Unfortunately, a full MISTY encryption is apparently computationally expensive, making it less than ideal for an application where time and processing power are in short supply. The KASUMI algorithm was developed specifically to simplify the MISTY system, and make it ‘faster and more hardware-friendly,’ in the words of the new study's authors. Supposedly, the simplifications didn't reduce the security of the protocol, but the new research suggests otherwise.”

The attack on 3G is itself based on a fairly involved algorithm, but it boils down to sending many inputs that differ by known values through the cipher and looking for matching pairs of pairs (quartets) in the output. These let the attacker detect when related keys, keys that differ by a known value, are in use, and from there to identify some of the bits of those keys. According to the researchers, the complete 128-bit key was recovered less than two hours after starting the process. A related-key attack of this kind does require ciphertexts produced under two keys with a known difference, something the 3G protocols do not simply hand to an attacker, so the result should be read as a break of the cipher itself rather than of live 3G calls.
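The Feistel structure described above and the known-difference, related-key pairing the attack relies on are easier to see on a toy. The Python below is an added example written for this page, not code from the article or from the KASUMI researchers: a 4-round Feistel cipher on 32-bit blocks with a 64-bit key, whose S-box, rotation, key schedule and chosen differences are all assumptions of the demo (real KASUMI has eight rounds, 64-bit blocks and a 128-bit key, and the published attack is considerably more involved). It shows the three things the paragraphs above describe: encryption and decryption share the round function and differ only in key order; a key difference placed where a chosen plaintext difference reaches the round function cancels it, so the pair's difference is fully predictable through three rounds; and the remaining difference in the last round leaks most of that round's key bits, nibble by nibble.

```python
"""Toy 4-round Feistel cipher plus a related-key differential against it.

Added illustration for this page; not code from the article or from the
KASUMI researchers.  Block size, S-box, rotation, key schedule and the
chosen differences are all assumptions of the demo.
"""
import os
import struct

# PRESENT's 4-bit S-box, used only as a convenient non-linear map.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
MASK16 = 0xFFFF


def sbox_layer(x):
    """Apply SBOX to each of the four nibbles of a 16-bit word."""
    return sum(SBOX[(x >> (4 * j)) & 0xF] << (4 * j) for j in range(4))


def rol16(x, n):
    return ((x << n) | (x >> (16 - n))) & MASK16


def round_function(x, k):
    """F(x, k): key XOR, nibble S-boxes, rotation.  F itself is never
    inverted: the Feistel structure is what makes the cipher invertible."""
    return rol16(sbox_layer(x ^ k), 5)


def round_keys(key):
    """Round i uses 16-bit key word i of the 64-bit key (a linear schedule,
    as KASUMI's is; that linearity is what lets key differences cancel)."""
    return list(struct.unpack(">4H", key))


def encrypt(block, key):
    l, r = block >> 16, block & MASK16
    for k in round_keys(key):
        l, r = r, l ^ round_function(r, k)   # swap halves, mix F(R) into L
    return (l << 16) | r


def decrypt(block, key):
    l, r = block >> 16, block & MASK16
    for k in reversed(round_keys(key)):      # same F, round keys reversed
        l, r = r ^ round_function(l, k), l
    return (l << 16) | r


def related_key(key, delta, word=1):
    """Second key that differs from `key` by `delta` in one key word."""
    words = round_keys(key)
    words[word] ^= delta
    return struct.pack(">4H", *words)


def ciphertext_pairs(key, delta, count, rng=os.urandom):
    """Encrypt P under `key` and P ^ (delta << 16) under the related key.

    The plaintext difference reaches round 2's F input exactly where the
    key difference cancels it, so F has zero output difference in rounds
    1-3 with probability 1; only round 4 is active.  Hence every pair
    satisfies dL4 = delta and dR4 = F(L4, k4) ^ F(L4 ^ delta, k4).
    """
    key2 = related_key(key, delta)
    pairs = []
    for _ in range(count):
        p = int.from_bytes(rng(4), "big")   # random plaintext (constructed)
        pairs.append((encrypt(p, key), encrypt(p ^ (delta << 16), key2)))
    return pairs


def recover_last_round_key(pairs, delta):
    """Return, for each nibble of round key 4, the candidates consistent
    with every pair.  dR4 depends only on L4 (known), delta (chosen) and
    k4, nibble by nibble, so each nibble is tested independently.  Since
    c and c ^ d give the same S-box difference, at least two candidates
    per nibble survive (in practice exactly two): 3 of every 4 key bits
    are identified, not all 4."""
    cands = [set(range(16)) for _ in range(4)]
    for c1, c2 in pairs:
        l4, r4 = c1 >> 16, c1 & MASK16
        assert (c2 >> 16) == (l4 ^ delta)        # deterministic part of path
        out = rol16(r4 ^ (c2 & MASK16), 11)      # undo the rotation by 5
        for j in range(4):
            x = (l4 >> (4 * j)) & 0xF
            d = (delta >> (4 * j)) & 0xF
            o = (out >> (4 * j)) & 0xF
            cands[j] = {c for c in cands[j] if SBOX[x ^ c] ^ SBOX[x ^ d ^ c] == o}
    return cands


if __name__ == "__main__":
    key = os.urandom(8)
    delta = 0x1111                     # a non-zero difference in every nibble
    assert decrypt(encrypt(0xDEADBEEF, key), key) == 0xDEADBEEF
    pairs = ciphertext_pairs(key, delta, 64)
    k4 = round_keys(key)[3]
    for j, c in enumerate(recover_last_round_key(pairs, delta)):
        print(f"k4 nibble {j}: true {(k4 >> (4 * j)) & 0xF:x}, "
              f"candidates {sorted(c)}")
```

Running it prints, for each nibble of the last round key, the true value and the candidates that survived all 64 pairs; the true nibble and its XOR with the corresponding difference nibble are always among them, which is the toy's version of "identifying some of the bits in the keys". Without the related key (encrypt both plaintexts under the same key) the round-2 cancellation disappears, the difference spreads through every round and the nibble test no longer isolates anything.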