Now that the tables are pretty much a done deal (except for faster lookup), we need to turn our attention to finding known plaintext in the stream of GSM TDMA frames. So I am reading up on the 04.0x GSM standards, but without access to proper airprobe equipment, it is all a bit theoretical.

A number of likely targets have been proposed, but they are all at layer 3 in the GSM stack. These messages will be packed in layer 2 LAPDm frames, bits will be stuffed, checksums and frame numbers will be added, before they are expanded with convolution codes, chipped into little pieces that are interleaved with each other, and then A5/1 is finally applied just before the data is transmitted over the air. Needless to say, we need to get a much better understanding of this process (in the airprobe / OsmocomBB way.)

So reading this stuff, as a layer123 n00b, I could not fail to notice that there is some known plaintext in the establishment of the layer 2 link (LAPDm SABM message). But I have no idea if it is encrypted or not. Even if it is just a handful of bytes there, and the key recoverability is low, it is the kind of opening we should look for in a "scatter shot attack" - where you listen to all the IMMEDIATE ASSIGNMENT messages, tune in and capture the first TDMA frame(s) and crack for whatever part of the SABM message you know may be there. Even with a 1% chance of recovery, over time a number of Kcs / sessions can be found and decoded (hence the name scatter shot, as opposed to targeted).

Any thoughts on the matter?

F

_______________________________________________
A51 mailing list
[email protected]
http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51
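The post asks how much of a LAPDm SABM frame is fixed by the specification rather than by the layer-3 payload. The following is an added example, not code from the list or from airprobe/OsmocomBB: it builds and parses a GSM 04.06 B-format (23-octet) LAPDm frame and reports which octets are determined by the frame type and payload length alone. The three-octet payload is a constructed dummy, not a real layer-3 message; the function names are my own.

```python
"""Build/parse a GSM 04.06 LAPDm B-format frame (23 octets on SDCCH/FACCH)
and list the octets that are fixed once the frame type and payload length
are known. Layout per 04.06: address, control, length, info, fill."""

FRAME_LEN = 23      # B format: 23 octets (184 bits) before channel coding
FILL_OCTET = 0x2B   # 04.06 fill pattern 0b00101011 padding the frame
CTRL_SABM = 0x2F    # U frame SABM with P bit clear: 0b001P1111
P_BIT = 0x10        # poll/final bit inside the control octet


def address_octet(sapi, cr, lpd=0):
    # bit8 spare=0, bits7-6 LPD, bits5-3 SAPI, bit2 C/R, bit1 EA=1 (one octet)
    return ((lpd & 3) << 5) | ((sapi & 7) << 2) | ((cr & 1) << 1) | 1


def length_octet(n, more=0):
    # bits8-3 length of the info field, bit2 M (more data), bit1 EL=1
    return ((n & 0x3F) << 2) | ((more & 1) << 1) | 1


def build_sabm(l3_payload, sapi=0, cr=0, poll=True):
    """SABM (set asynchronous balanced mode) carrying l3_payload in info."""
    if len(l3_payload) > FRAME_LEN - 3:
        raise ValueError("payload does not fit a single B-format frame")
    ctrl = CTRL_SABM | (P_BIT if poll else 0)
    hdr = bytes([address_octet(sapi, cr), ctrl, length_octet(len(l3_payload))])
    body = hdr + bytes(l3_payload)
    return body + bytes([FILL_OCTET]) * (FRAME_LEN - len(body))


def parse_frame(frame):
    """Split a 23-octet LAPDm frame into its header fields, info and fill."""
    if len(frame) != FRAME_LEN:
        raise ValueError("expected a 23-octet B-format frame")
    addr, ctrl, length = frame[0], frame[1], frame[2]
    n = length >> 2
    return {
        "sapi": (addr >> 2) & 7,
        "cr": (addr >> 1) & 1,
        "sabm": (ctrl & ~P_BIT & 0xFF) == CTRL_SABM,
        "poll": bool(ctrl & P_BIT),
        "info": frame[3:3 + n],
        "fill": frame[3 + n:],
    }


def spec_fixed_octets(frame):
    """Indices of octets whose value follows from the spec alone: the three
    header octets and the fill octets (everything outside the info field)."""
    n = frame[2] >> 2
    return [i for i in range(FRAME_LEN) if i < 3 or i >= 3 + n]


if __name__ == "__main__":
    f = build_sabm(b"\xAA\xBB\xCC")  # constructed dummy layer-3 payload
    print(f.hex(), len(spec_fixed_octets(f)), "spec-fixed octets")
```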
