Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Crypto :: gsma3a8.txt

On A3 and A8 algorithms(sic) in GSM

Article: 3273 of mail.cypherpunks
Xref: mail.cypherpunks:3273
From: (Rishab Aiyer Ghosh)
Newsgroups: mail.cypherpunks
Subject: More GSM crypto/auth details
Message-ID: <>
Date: 21 Apr 95 15:42:40 GMT
References: <>
Distribution: mail
Organization: Deus X Machina
Lines: 137

Bhaktha finally responded to my GSM enquiries. So A3 and A8 are placeholders,
not defined crypto algorithms...
-Rishab (Bhaktha Keshavachar) writes:
> First the phones and the network per se have nothing to do with 
> authentication
> in GSM. The key is the SIM in the MS and the HLR and VLR databases in the
> network. Further A3 (the authentication algorithm) and A8 (for generating 
> the
> ciphering key) are NOT speced in the GSM docs. The A5 (the actual
> encryption algorithm) is the same all over the world (to guarantee 
> interoperability) and is available from ETSI under strict copyright 
> conditions.
> Now when an operator decides to start a GSM network he buys equipment
> from the telecom companies with the databases empty and the A3/A8 
> unspecified
> still. Now the operator decides on algorithms A3 and A8 and programs it in 
> all
> the SIM's (which he will distribute to end customers) and in the network 
> database.
> When a customer wants GSM service he buys an off-the-shelf GSM compatible
> phone and goes to the service provider for getting his SIM card. A GSM phone
> without the SIM is not capable of making any calls except the 112 emergency 
> call.
> The customer gets a new phone number (MSISDN), the directory entry with the
> SIM. In addition the operator programs another number called Ki and updates
> the customer database on the network with the Ki. Note that the Ki is never 
> transmitted by air or otherwise. The SIM is designed in such a way that
> the customer cannot read the Ki from the SIM under any condition.
> The SIM has just an interface for running the A3 and A8 algorithms and 
> getting
> the response back. So now when the mobile needs service from the network
> (like a location update or a call) he identifies himself with his number. 
> The network
> challenges it with a 128 challenge (RAND). This RAND is given to the SIM. 
> The SIM
> runs the A3 and A8 algorithm and gives back SRES (a 32-bit response) and Kc
> (the 64-bit ciphering key). The SRES is returned to the network over the air 
> to the network.
> 		 RAND			 Ki
> 		  |				 |
> 		  |				 |
> 		-------------------
> 		|				   	|
> 		|					|
> 		|		A3			|
> 		|					|
> 		-------------------
> 					|
> 					|
> 				  SRES
> 		RAND			Ki
> 		  |				 |
> 		  |				 |
> 		-------------------
> 		|				   	|
> 		|					|
> 		|		A8			|
> 		|					|
> 		-------------------
> 					|
> 					|
> 					Kc
> The network performs the same calculation and compares the SRES from
> the mobile and its own value.If both are the same the mobile is
> who it claims and is successfully authenticated. This is fairly 
> foolproof as the A3 and A8 is not known to anyone as also the Ki 
> (the cornerstone of all security in GSM). Hope that makes that it
> clear the authentication procs in GSM.
> In addition when the mobile is in a foriegn operator region, the
> visited network gets in advance a challenge response pair from the
> customer's home network and uses it to authenticate the user. Thus
> even other networks do not have a knowledge of the home A3/A8/Ki
> of the visiting customer.
> The Kc generated in the authentication process (by A8) is used for
> encryption. After successful authentication both the network and
> the MS have the same Kc and encryption can thus be started immediately.
> In GSM each burst of transmission has 114 bits. The Kc and the present
> TDMA frame number is used to generate a 114 bit enciphering sequence
> (A5) which is added to each burst of transmission and thus securely
> enciphered. Thus we see that the ciphering key never goes on the
> air and A5 as such is not public domain. But maybe, just maybe
> the code for A5 will be known more freely than now ! Imagine the
> A5 on the net ! Just kidding :-) BTW I do not have access to A5
> and probably will not have in future too as I work on the protocol
> stack and not layer 1 mechanisms where the A5 should be embedded.
> 				Kc				TDMA frame number
> 				 |						|
> 				 |						|
> 			---------------------------------
> 			|									|
> 			|				A5					|
> 			|									|
> 			|									|
> 			---------------------------------
> 							|
> 							|
> 				114 bit enciphering sequence
> Now I am not sure whether a new Kc is generated for every call. This
> is an option left to the discretion of the operator. There are other
> security mechanisms in GSM defined like allocating TMSI (a 32 bit
> secret temporary number to customer on his first authentication)
> and using it thereafter. More about that later in a later mail if
> you are still interested. On the test equipment where we have
> detailed I have seen authentication for each call even after
> a successful location update.
> Hope the explanation helps.
> Regards,
> -Bhaktha

Rishab Aiyer Ghosh                   For Electric Dreams subscriptions                    and back issues, send a mail to                  with
Vox +91 11 6853410 Voxmail 3760335       'help' in lower case, without
H 34C Saket, New Delhi 110017, INDIA       the quotes, as the Subject.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH