Just a few questions about plaintext. Assume that the attacker has enough time to find Kc in the initial attempt.

1) The attacker sends a known SMS content to the target phone, like "big discount for you", which will be the plaintext. Also the sender phone number and the SMS-C center are candidates for plaintext. Can we find Kc from this plaintext? The attacker has hours to resolve it.

2) When the attacker resolves Kc of this known SMS, the hacker decodes the "Cipher Complete Message", which contains the IMEISV. It is known that Kc is determined by the A8 algorithm when A3 is executed. Normally, this is during authentication and when the network issues the "RUN GSM ALGORITHM" command. I don't know the frequency of Kc change in normal network operation. The attacker can use the Kc found before until it is changed. In the worst case, the "Cipher Complete Message" is completely known to him and he can use this message for the next decryption operations.

What do you think?

Sakin

_______________________________________________
A51 mailing list
[email protected]
http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51
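The known-plaintext steps the post describes, as an added example that is not part of the original message or of any project the list discusses. The A5/1 register layout, clocking rule and key/frame loading order follow the public reference implementation (Briceno, Goldberg, Wagner, 1999) and are checked against its published test vector; everything else is constructed for illustration: the Kc value, the two frame numbers, the burst contents, and the small candidate list that stands in for a rainbow-table lookup. Channel coding is not modelled, so the 114 "known" bits are assumed to be the coded burst bits the attacker already knows.

```python
"""A5/1 keystream generation plus the known-plaintext steps from the post:
recover a burst's keystream, test candidate Kc values against it, then reuse
the recovered Kc on a later burst with a different frame number.
Added example; register layout per the public A5/1 reference implementation,
all key/frame/burst values below are constructed."""

# Register widths 19/22/23 bits, majority-clocking bits, feedback taps, output bits.
R1_MASK, R2_MASK, R3_MASK = 0x07FFFF, 0x3FFFFF, 0x7FFFFF
R1_MID, R2_MID, R3_MID = 1 << 8, 1 << 10, 1 << 10
R1_TAPS, R2_TAPS, R3_TAPS = 0x072000, 0x300000, 0x700080  # 18,17,16,13 / 21,20 / 22,21,20,7
R1_OUT, R2_OUT, R3_OUT = 1 << 18, 1 << 21, 1 << 22


def _parity(x: int) -> int:
    return bin(x).count("1") & 1


def _step(reg: int, mask: int, taps: int) -> int:
    """Clock one LFSR: shift left, feed the parity of the tapped bits into bit 0."""
    return ((reg << 1) & mask) | _parity(reg & taps)


class A51:
    """A5/1 keyed with a 64-bit Kc and a 22-bit frame number (COUNT)."""

    def __init__(self, kc: bytes, frame: int):
        if len(kc) != 8 or not 0 <= frame < (1 << 22):
            raise ValueError("Kc must be 8 bytes, frame number 22 bits")
        self.r1 = self.r2 = self.r3 = 0
        # Kc bits (LSB of each byte first), then frame bits (LSB first); all three
        # registers are clocked regularly while loading, majority rule disabled.
        for i in range(64):
            self._clock_all()
            self._xor_in((kc[i // 8] >> (i % 8)) & 1)
        for i in range(22):
            self._clock_all()
            self._xor_in((frame >> i) & 1)
        for _ in range(100):  # warm-up under majority clocking, output discarded
            self._clock_majority()

    def _xor_in(self, bit: int) -> None:
        self.r1 ^= bit
        self.r2 ^= bit
        self.r3 ^= bit

    def _clock_all(self) -> None:
        self.r1 = _step(self.r1, R1_MASK, R1_TAPS)
        self.r2 = _step(self.r2, R2_MASK, R2_TAPS)
        self.r3 = _step(self.r3, R3_MASK, R3_TAPS)

    def _clock_majority(self) -> None:
        b1, b2, b3 = bool(self.r1 & R1_MID), bool(self.r2 & R2_MID), bool(self.r3 & R3_MID)
        maj = (b1 + b2 + b3) >= 2
        if b1 == maj:
            self.r1 = _step(self.r1, R1_MASK, R1_TAPS)
        if b2 == maj:
            self.r2 = _step(self.r2, R2_MASK, R2_TAPS)
        if b3 == maj:
            self.r3 = _step(self.r3, R3_MASK, R3_TAPS)

    def keystream(self, nbits: int = 228) -> list:
        """228 bits per frame: first 114 for the downlink burst, next 114 for uplink."""
        out = []
        for _ in range(nbits):
            self._clock_majority()
            out.append(_parity(self.r1 & R1_OUT) ^ _parity(self.r2 & R2_OUT) ^ _parity(self.r3 & R3_OUT))
        return out


def bits_to_bytes(bits) -> bytes:
    out = bytearray((len(bits) + 7) // 8)
    for i, b in enumerate(bits):
        out[i // 8] |= b << (7 - i % 8)
    return bytes(out)


def bytes_to_bits(data: bytes) -> list:
    return [(byte >> (7 - j)) & 1 for byte in data for j in range(8)]


def reference_vector_ok() -> bool:
    """Check the generator against the reference implementation's published test vector."""
    ks = A51(bytes.fromhex("1223456789ABCDEF"), 0x134).keystream()
    return (bits_to_bytes(ks[:114]) == bytes.fromhex("534EAA582FE8151AB6E1855A728C00")
            and bits_to_bytes(ks[114:]) == bytes.fromhex("24FD35A35D5FB6526D32F906DF1AC0"))


def burst_keystream(kc: bytes, frame: int, downlink: bool = True) -> list:
    ks = A51(kc, frame).keystream()
    return ks[:114] if downlink else ks[114:]


def xor_bits(a, b) -> list:
    return [x ^ y for x, y in zip(a, b)]


def candidate_kc_matches(kc_candidate: bytes, frame: int, observed_ks, downlink=True) -> bool:
    """Final check of a table hit or brute-force guess: does this Kc reproduce the observed keystream?"""
    return burst_keystream(kc_candidate, frame, downlink)[:len(observed_ks)] == observed_ks


def known_plaintext_demo() -> dict:
    kc = bytes.fromhex("0123456789ABCDEF")      # constructed; in GSM Kc comes from A8 at authentication
    fn_sms, fn_later = 0x0A1B2C, 0x0A1F40        # constructed frame numbers of two captured bursts
    known_plain = bytes_to_bits(b"big discount for you")[:114]   # burst bits the attacker knows
    later_plain = bytes_to_bits(b"IMEISV placeholder!!")[:114]   # later burst, unknown to attacker
    # Step 1: known plaintext XOR ciphertext yields that burst's 114 keystream bits.
    cipher_sms = xor_bits(known_plain, burst_keystream(kc, fn_sms))
    observed_ks = xor_bits(known_plain, cipher_sms)
    # Step 2: test candidates against the observed keystream (stand-in for the table lookup).
    candidates = [bytes(8), bytes.fromhex("FFFFFFFFFFFFFFFF"), bytes.fromhex("DEADBEEF00000000"), kc]
    found = next((k for k in candidates if candidate_kc_matches(k, fn_sms, observed_ks)), None)
    # Step 3: the recovered Kc decrypts a later burst at another frame number; the raw
    # keystream bits alone do not, because the frame number changes the keystream.
    cipher_later = xor_bits(later_plain, burst_keystream(kc, fn_later))
    with_kc = xor_bits(cipher_later, burst_keystream(found, fn_later)) if found else None
    with_ks = xor_bits(cipher_later, observed_ks)
    return {"found_kc": found,
            "kc_decrypts_later_burst": with_kc == later_plain,
            "keystream_decrypts_later_burst": with_ks == later_plain}
```

`reference_vector_ok()` confirms the generator before trusting any result from it; `known_plaintext_demo()` walks the three steps and returns which of the two recovered artefacts (Kc versus one burst's keystream) still works on a later burst. The candidate list is the only part that is not how it is done in practice: there the 114 observed keystream bits feed a precomputed table lookup, and this function is the verification step that follows a hit.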
