Breaking GSM with rainbow Tables
GSM security has been academically broken since 1998, but no real attack was carried out until 2008, when two engineers at Pico Computing (an FPGA manufacturer) revealed that they could break GSM encryption in 30 seconds with $200,000 of hardware and precomputed rainbow tables. Since then the hardware has either been available only to the rich or been confiscated by government agencies. Chris Paget and Karsten Nohl therefore decided to react and do the same thing in a distributed, open-source form (via torrent). This way everybody could “enjoy” breaking GSM security, and operators would be forced to upgrade the GSM protocol, which is more than 20 years old and is used by more than 4 billion users.
💡 Research Summary
The paper presents a practical attack on the GSM A5/1 stream cipher by leveraging pre‑computed rainbow tables and distributing them openly via torrent. It begins with a concise overview of GSM authentication: the SIM stores the IMSI and a 128‑bit secret key (K). During the authentication handshake the network issues a challenge, the SIM computes a response and a session key (Ks) using K, and subsequent traffic is encrypted with Ks. The authors explain that A5/1 consists of three linear feedback shift registers (LFSRs) of lengths 19, 22 and 23 bits, clocked irregularly, and that a small set of known plaintexts (approximately 204) are transmitted regularly in GSM traffic. Because these plaintexts are XOR‑ed with the keystream generated by the LFSRs, an eavesdropper can recover the keystream directly from captured ciphertexts.
Recovering the secret key by brute‑force enumeration of all 2⁶⁴ possible LFSR states is infeasible due to memory constraints. To overcome this, the authors adopt the time‑memory trade‑off technique known as rainbow tables. Table generation proceeds as follows: a random start value (the initial LFSR state) is selected, the A5/1 encryption function is applied, then a reduction function (a simple XOR with a constant) is applied. This pair of operations is repeated m times, forming a chain. Only the first and last values of each chain are stored. During an attack, the captured keystream is iteratively reduced and encrypted until a value matches a chain’s endpoint; the corresponding chain is then recomputed from its start value to retrieve the original LFSR state, and thus the secret key.
The paper devotes considerable attention to collision handling and table efficiency. Collisions occur when two chains converge on the same intermediate value within the same column, leading to merged chains and loss of information. To mitigate this, the authors mask the last 12 bits of the final column, reducing disk look‑ups and limiting the collision probability. Moreover, each column uses a distinct reduction function, which prevents collisions across columns—a core idea of rainbow tables that allows a single large table to replace many smaller ones. The authors claim that this design halves the average number of hash‑like operations compared with the classic multiple‑table approach and gives a roughly 50 % chance of finding the key in the first half of a chain.
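The chain construction and lookup described in the two paragraphs above can be seen end to end on a toy scale. This is an added example, not code from the paper or its authors: the one-way function `f` is a truncated SHA-256 standing in for the state-to-keystream mapping (it is not A5/1), and the 16-bit state space, the chain length, the per-column constant and all function names are assumptions chosen so that it runs in well under a second.

```python
import hashlib

BITS = 16                  # toy state space of 2**16; A5/1's is 2**64
MASK = (1 << BITS) - 1
CHAIN_LEN = 64             # m, the number of columns in each chain

def f(state):
    """Stand-in one-way map 'state -> keystream' (truncated SHA-256, not A5/1)."""
    digest = hashlib.sha256(state.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big") & MASK

def reduction(value, col):
    """Column-specific reduction: XOR with a constant that depends on the column."""
    return (value ^ (col * 0x9E37)) & MASK

def step(state, col):
    return reduction(f(state), col)

def walk(state, first_col, last_col):
    """Apply columns first_col .. last_col-1 to a state."""
    for col in range(first_col, last_col):
        state = step(state, col)
    return state

def build_table(starts):
    """Store only endpoint -> start values; merged chains share an endpoint."""
    table = {}
    for start in starts:
        table.setdefault(walk(start, 0, CHAIN_LEN), []).append(start)
    return table

def lookup(table, target):
    """Return a state with f(state) == target, or None if no chain covers it."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        # Hypothesis: target was produced in column `col`; finish the chain.
        endpoint = walk(reduction(target, col), col + 1, CHAIN_LEN)
        for start in table.get(endpoint, []):
            candidate = walk(start, 0, col)   # recompute from the stored start
            if f(candidate) == target:        # discard false alarms from merges
                return candidate
    return None

def coverage(table, states):
    """Fraction of the given states whose output the table can invert."""
    hits = sum(lookup(table, f(s)) is not None for s in states)
    return hits / len(states)

TABLE = build_table(range(0, 2048))           # constructed start values
```

The number of distinct endpoints in `TABLE` is lower than the number of start values whenever chains have merged, and `coverage` shows that only part of the state space can be inverted, which is the effect behind the partial coverage figure quoted in the summary.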
Implementation is carried out on consumer GPUs (both NVIDIA and ATI), achieving about 500 chain generations per second per GPU. The generated tables cover roughly 80 % of the key space, given the 204 known plaintexts, which the authors deem sufficient for a proof‑of‑concept. They also discuss extending the attack to A5/3 (the newer KASUMI‑based cipher) by replaying captured A5/3 challenges on a fake base station that forces the handset to use A5/1, thereby reusing the same session key.
The authors acknowledge that the GSM Association promotes frequency hopping (changing carrier frequency every 4.17 ms) as a defensive measure, but argue that hopping is primarily a mitigation against interference, not a cryptographic protection, and does not thwart the rainbow‑table attack. They conclude by emphasizing the political motive of the project: by releasing the tables openly, they aim to force operators to retire the insecure A5/1/A5/2 algorithms and migrate to stronger encryption (e.g., A5/3, LTE). The paper, however, lacks empirical validation on live networks, does not present concrete success rates beyond the theoretical 80 % coverage, and suffers from numerous typographical errors and informal language, which diminish its academic rigor. Nonetheless, it effectively demonstrates that GSM encryption, despite protecting billions of users, can be compromised with relatively inexpensive hardware and publicly available pre‑computed data, underscoring the urgent need for modernized mobile security.