Mobile Phone Cloning

Every phone has a 128 bit number stored on the SIM card called the Ki. This number is given to us by the telephone operator that provides our mobile phone service, and the same Ki, also called the secret key or password, is stored on the computers of our network provider. When we switch our phone on, the tower needs to identify us as a valid subscriber. Obviously the tower has to be owned by our network operator. The tower authenticates us; the phone never authenticates the tower.

The tower sends us a random number, RAND, that is also 128 bits. The Ki and RAND are used to generate a 32 bit number called SRES using an algorithm called A3. A3 is a one way algorithm like MD5: it takes two inputs and gives us a 32 bit output. The computers controlling the tower send the tower the random number RAND and the expected answer SRES. The tower checks the value of SRES returned by the phone, and if it is the same as the one it received from its computers, it knows that the phone has the same value of Ki as it has. This is how the phone gets authenticated by the tower. Thus if we can figure out the value of Ki, we can get authenticated by the system.

The Ki stored on the SIM card cannot be read by anyone outside of the SIM card; it is stored in such a way that the SIM's microprocessor will not allow us to access it. This security so far has not been broken.

The mobile phone also needs to encrypt the data or voice that is sent across the air. To do this it needs a session key, Kc, which it uses to encrypt the data. Kc is a 64 bit key used with a symmetric algorithm called A5 to encrypt our voice. Both sides need the same value of the session key. Thus the network computer sends the tower three values: RAND, SRES and Kc. The tower uses Kc to encrypt and decrypt the voice data to and from the mobile phone. To generate Kc we use an algorithm called A8. A3 and A8 are implemented together in one program called COMP128, also known as A38.

The A5 algorithm is burned into hardware, as transistors, because we need real time encryption. The mobile phone number is not stored on the phone at all. A5 lives in the phone itself, as everyone uses the same one. Every operator can choose its own A3 and A8 algorithms, and they are placed in the SIM card. When roaming we only send RAND, SRES and Kc over, never the Ki. If the Ki is compromised then we have a problem, as all GSM security depends on it.
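The challenge-response exchange described above, as an added example that is not from the original page: the network side hands the tower a triplet (RAND, SRES, Kc), the SIM answers the challenge, and Ki never crosses the air or the roaming link. HMAC-SHA256 is an assumed stand-in for the operator's A3/A8 (COMP128 is not reproduced here), and the IMSI and Ki values are constructed test data.

```python
import hashlib
import hmac
import secrets

# Assumption: HMAC-SHA256 truncated to GSM output sizes stands in for A3/A8.
# The real algorithms (e.g. COMP128) are operator-specific and not shown.
def a3(ki: bytes, rand: bytes) -> bytes:
    """A3 stand-in: 32 bit SRES from the 128 bit Ki and 128 bit RAND."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8(ki: bytes, rand: bytes) -> bytes:
    """A8 stand-in: 64 bit session key Kc from the same Ki and RAND."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

class AuthCentre:
    """Operator's computers: the only network-side holder of Ki."""
    def __init__(self):
        self._subscribers = {}          # IMSI -> Ki

    def provision(self, imsi: str, ki: bytes):
        assert len(ki) == 16            # Ki is 128 bits
        self._subscribers[imsi] = ki

    def triplet(self, imsi: str):
        """Fresh (RAND, SRES, Kc); this is all a tower or roaming partner gets."""
        ki = self._subscribers[imsi]
        rand = secrets.token_bytes(16)  # 128 bit challenge
        return rand, a3(ki, rand), a8(ki, rand)

class Sim:
    """The SIM card: Ki is held inside and only SRES/Kc ever leave it."""
    def __init__(self, ki: bytes):
        self._ki = ki
        self.kc = None                  # session key kept for A5 ciphering

    def run_gsm(self, rand: bytes) -> bytes:
        self.kc = a8(self._ki, rand)
        return a3(self._ki, rand)       # only SRES is sent back over the air

class Tower:
    """Tower/visited network: compares SRES, never sees Ki."""
    def __init__(self, auc: AuthCentre):
        self.auc = auc

    def authenticate(self, imsi: str, sim: Sim):
        rand, expected_sres, kc = self.auc.triplet(imsi)
        sres = sim.run_gsm(rand)        # challenge goes out, SRES comes back
        if not hmac.compare_digest(sres, expected_sres):
            return None                 # wrong Ki: phone rejected
        return kc                       # same Kc the SIM derived, for A5
```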