On Wed, 2010-01-06 at 16:04 +0100, M vd S wrote: > > The A5/1 state gets initialized with Kc and the frame number at the start > > of every burst. Since Kc is constant for the duration of a connection and > > you can easily compute Kc from the A5/1 state, you can decrypt every burst > > of that connection after having brute forced a single A5/1 internal state. > > > > > Is it that easy? You have to reverse step between 100 and 150 rounds, > where in every step there are 4 possible shift-permutations (the > majority rule thing, combinations 1+2, 2+3, 1+3 and 1+2+3). > > Has this been verified? Considering the clock bits, and the 3 bits left > of them (that's 1<<6=64 combinations), based on some back of the > envelope coding: > - in 24 of 64 cases there is no valid prior state (example: clock bits = > 010 and left to them = 101) > - in 26 of 64 cases there is exactly one valid prior state > - in 6 of 64 cases there are two valid prior states > - in 6 of 64 cases there are three valid prior states > - in 2 of 64 cases there are four valid prior states (these are: clock > bits = 111 and left to them = 000, or vice versa) > > On average there is one state that leads to the state you observe, so it > shouldn't explode. But still you would get about 57 to 86 possible > states on average at the point where majority clocking is not performed > anymore and it turns deterministic. (after 100 to 150 rounds of reverse > clocking respectively) > > So you'd get 70 Kc candidates on average for every single A5/1 internal > state you'd brute force. Which is a number small enough to just try on > other bursts and assess validity by simply "listening" to the decoded > audio or by some other means to assess validity of decoded data. > > Right? If so, I would be happy to update the wiki on > http://reflextor.com/trac/a51/wiki/A5/1Basics - but how? I registered > but can't seem to edit anything there. > > Kind regards, > M.
We have working code for reverse stepping and unmixing. In practice, you get 1- max 10 Kc candidates, and the wrong one is easy to eliminate, due to the peculiar choice of applying encryption _after_ error correction codes. Some initial versions of this code can be found here http://traxme.net/a5/ if you wish to play with it. I am hoping to make some sort of unified commit to svn later, where this code is integrated into the "table lookup" code. F _______________________________________________ A51 mailing list [email protected] http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51
