Hi everyone,
this is my first post here. I’m working on a student research project concering 2G encryption, especially A5/1,A5/3,A5/4 and their usage in German networks and I came across a few questions that I wasn’t able to answer so far or find resources for.
Let me shortly summarize what I know so far concerning the real-time encryption:
-
The secret key K_i is saved on the smartcard with SIM-app and the session keys K_c are completely generated on the SIM card itself
-
For real-time encryption the K_c needs to be shared with the mobile device, i.e. transfered via the T=0 protocol to the baseband processor, which takes care of the real-time encryption
-
Newer Android versions allow for complete disabling of GSM connections except for emergencies (for some smart phones like Google Pixel etc.)
-
From the standards 3GPP TS 43.020 and 3GPP TS 03.20:
When an MS wishes to establish a connection with the network, the MS shall indicate to the network which of the seven versions of the A5 algorithm it supports. The network shall not provide service to an MS which indicates that it does not support the ciphering algorithm A5/1.
Here are my questions:
-
Is the transmission of the K_c between SIM card and baseband processor encrypted in any way or transmitted in plain text?
-
How exactly are the different A5/* algorithms implemented in the baseband? Directly in hardware or with software solution? Is it dependent on the age of the device, say e.g. older phones / baseband processors might only do the older versions (like A5/1) in hardware, but newer ones might offer the software implementations / the possibily of updates?
The sources I found here are 3GPP TS 03.20 version 8.6.0 Release 1999 / ETSI TS 100 929 V8.6.0, where 4.9 says:It is mandatory for A5/1 and non encrypted mode to be implemented in mobile stations
or the more recent version 3GPP TS 43.020 version 18.0.0 Release 18, 4.9:
It is mandatory for A5/1, A5/3, A5/4 and non encrypted mode to be implemented in mobile stations. It is prohibited to implement A5/2 in mobile stations. Only A5 algorithms that are included in 3GPP specifications shall be implemented in mobile stations
-
What are the preventing factors, that optional deactivation of 2G for all end users with sufficiently modern OS versions (e.g. Android > 12) is not generally possible / done? Is this mainly an issue of device manufacturers? Or of baseband manufactures to pass through the existing solutions in Android OS to the baseband?
-
In 3GPP TS 43.020 and 3GPP TS 03.20, section 4.8 respectively, it is described what a “Negotiation of A5 algorithm” should is supposed to achieve. I frequently see in my test monitoring that A5/1 still occurs quite often, but I cannot categorize which tpyes of devices exactly use the A571 (different devices or individual old devices?).
Since I do not know exactly how the negotiation proceeds - apart from the key points in the standards - I wonder if it is also possible that more modern devices use A5/1 or if it is exclusively either old devices or old SIM cards in newer devices (where the newer devices would support A5/3 and A5/4 at the baseband processor level, but not on the SIM side, e.g., because the smart card only has a SIM application or because A5/3, A5/4 are listed in EF ‘Disabled Algorithms’?)
Can anyone shed light on that? -
Lastly, who is responsible for ensuring that A5/1 is no longer used in a specific network? The network operators? If so, at what level? Does it start with the personalization of the SIMs, or can it be managed afterwards through adjustments in the network, e.g., that BSS no longer supports A5/1 or through updates of EF ‘Disabled Algorithms’ (where possible)? Does this need to be implemented by the MS / BP manufacturers?
I know these are a lot of detailed questions and I’d be happy if someone was able to shed some light on any of them. I’m also open to splitting up these questions into several subquestions for better overview if wished for.
Best regards,
Matt