LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

UMTS

UMTS

Posted Jan 8, 2010 12:31 UTC (Fri) by jonth (subscriber, #4008)
In reply to: UMTS by quotemstr
Parent article: GSM encryption crack made public

This is pretty unfair. The selection process for KASUMI (unlike the A5/1 and 2 algorithms) was actually done reasonably well. There was an open call for proposals, and then a beauty contest between the various candidates. Unlike A5/1 and A5/2, there was no attempt to implement security by obscurity. Just for information A5/3, _is_ KASUMI, and it is used by default on all UMTS networks (although it's called UEA-1 and UIA-1 in it's various guiese there), as far as I know.

As for "going with AES and other time-tested algorithms", history is littered with cryptographic algorithms that were considered secure, but now are not. (SHA-1 springs to mind). KASUMI was selected in the mid to late nineties, and the standard algorithms weren't used either because of licensing or implementation difficulties (on networks going live this year, KASUMI will be live on battery operated hardware at bitrates of 40Mb/s or so). I seem to recall that the selection process also occured at around the time the US considered 128bit encryption as "weapons grade," so US generated algorithms weren't exportable. At that time, MKSUMI was considered to be pretty good, and the algorithm itself is still considered secure to practical attacks.

Comparing it to modern ciphers is not a fair comparison. If you want to do that, then look at SNOW 3G (the cipher selected for LTE), and then complain.

(Log in to post comments)

UMTS

Posted Jan 12, 2010 16:26 UTC (Tue) by quotemstr (subscriber, #45331) [Link]

The full-round version of KASUMI was just broken with a related-key attack:
In this paper we describe a new type of attack called a sandwich attack, and use it to construct a simple distinguisher for 7 of the 8 rounds of KASUMI with an amazingly high probability of 2^-14. By using this distinguisher and analyzing the single remaining round, we can derive the complete 128 bit key of the full KASUMI by using only 4 related keys, 2^26 data, 2^30 bytes of memory, and 2^32 time. These complexities are so small that we have actually simulated the attack in less than two hours on a single PC, and experimentally verified its correctness and complexity. Interestingly, neither our technique nor any other published attack can break MISTY in less than the 2^128 complexity of exhaustive search, which indicates that the changes made by the GSM Association in moving from MISTY to KASUMI resulted in a much weaker cryptosystem.
Now, like I said saying, for the love of all that's good and right, just use AES.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds