Menu
Home
People
Places
Arts
History
Plants & Animals
Science
Life & Culture
Technology
Reference.org
COMP128
open-in-new
<h2 id="introduction">Introduction</h2> <p>For details on the way A3 and A8 are used see <a href="/facts/Network_switching_subsystem/WbP6KDbh">Authentication Center</a>. </p><p>A3 and A8 both take a 128-bit key (<i>Ki</i>) and a 128-bit <a href="/facts/Challenge%E2%80%93response_authentication/QTMRmhpM">challenge</a> (<i>RAND</i>) as inputs. A3 produces a 32-bit response (<i>SRES</i>) and A8 produces a 64-bit session key (<i>Kc</i>). A3/A8 is the combined function with <i>Ki</i> and <i>RAND</i> as inputs and <i>SRES</i> and <i>Kc</i> as outputs. </p><p>As A3 and A8 are not further specified, operators can freely choose the concrete algorithms used for A3 and A8. </p> <h2 id="comp128-algorithms">COMP128 algorithms</h2> <p>The COMP128 algorithms implement the A3/A8 function. There are three of them: </p> <ul><li>COMP128-1 – original algorithm with known weaknesses</li> <li>COMP128-2 – stronger algorithm which still clears the 10 rightmost bits of <i>Kc</i></li> <li>COMP128-3 – same algorithm as COMP128-2 with all 64 bits of <i>Kc</i> generated</li></ul> <p>All of them are built around a <a href="/facts/One-way_compression_function/Rog6N1KR">compression function</a> with two 128 bits inputs and one 128 bits output, hence their names. <i>Ki</i> and <i>RAND</i> are used as the inputs of the compression function. Bits from its output are then used to fill <i>SRES</i> and <i>Kc</i>. </p> <h2 id="comp128-1-description">COMP128-1 description</h2> <p>COMP128-1 uses a compression function with eight rounds which is based on a butterfly structure with five stages. <i>SRES</i> is filled with the first 32 bits of the output. <i>Kc</i> is filled with the last 54 bits of the output followed by ten zeroes. </p><p>For a full description of the algorithm, the reader can view the <a href="http://git.osmocom.org/libosmocore/tree/src/gsm/comp128.c">OsmocomBB implementation</a>. </p> <h2 id="comp128-23-description">COMP128-2/3 description</h2> <p>The implementation of COMP128-2 and COMP128-3 is noticeably more complex than COMP128-1. For a full description of the algorithm, the reader can view the <a href="http://git.osmocom.org/libosmocore/tree/src/gsm/comp128v23.c">OsmocomBB implementation</a> or <a href="https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/src/modules/rlm_eap/libeap/comp128.c">FreeRADIUS implementation</a>, both based on the <a href="/facts/Python_(programming_language)/YbuGqofa">Python code</a> from the Secrets of Sim<a class="footnote-ref" id="fnref:3" href="#fn:3"><sup>3</sup></a> article. COMP128-2 is identical to COMP128-3 except for the fact that at the end, it clears the 10 rightmost bits of <i>Kc</i>. </p> <h2 id="security">Security</h2> <p>The COMP128-1 hash function is considered weak because there is insufficient <a href="/facts/Confusion_and_diffusion/PKqvzyKY">diffusion</a> of small changes in the input. Practical attacks have been demonstrated that can recover the subscriber key from the SIM.<a class="footnote-ref" id="fnref:4" href="#fn:4"><sup>4</sup></a> </p><p>The session keys produced by COMP128-1 and COMP128-2 intentionally have only 54 bits of entropy. This significantly weakens the A5 or A6 encryption. </p> <h2 id="external-links">External links</h2> <ul><li>Briceno, Marc; Goldberg, Ian (1998), <a href="http://www.isaac.cs.berkeley.edu/isaac/gsm-faq.html"><i>GSM Cloning</i></a></li> <li>Handschuh, Helena; Paillier, Pascal (2000), <i>Reducing the Collision Probability of Alleged Comp128</i>, <a href="/facts/CiteSeerX_(identifier)/SceDmd3c">CiteSeerX</a> <a href="https://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.141.1033">10.1.1.141.1033</a></li></ul> <h2 id="references">References</h2> <ol> <li id="fn:1"><p>Briceno, Marc; Goldberg, Ian; Wagner, David (1998), Implementation of COMP128, archived from the original on 2009-03-18 <a href="https://web.archive.org/web/20090318143444/http://www.scard.org/gsm/a3a8.txt" target="_blank">https://web.archive.org/web/20090318143444/http://www.scard.org/gsm/a3a8.txt</a> <a href="#fnref:1" class="footnote-back-ref">↩</a></p></li> <li id="fn:2"><p>Tamas, Jos (2013), Secrets of the SIM, archived from the original on 2014-12-24, retrieved 2014-12-24 <a href="https://web.archive.org/web/20141224034734/http://www.hackingprojects.net/2013/04/secrets-of-sim.html#" target="_blank">https://web.archive.org/web/20141224034734/http://www.hackingprojects.net/2013/04/secrets-of-sim.html#</a> <a href="#fnref:2" class="footnote-back-ref">↩</a></p></li> <li id="fn:3"><p>Tamas, Jos (2013), Secrets of the SIM, archived from the original on 2014-12-24, retrieved 2014-12-24 <a href="https://web.archive.org/web/20141224034734/http://www.hackingprojects.net/2013/04/secrets-of-sim.html#" target="_blank">https://web.archive.org/web/20141224034734/http://www.hackingprojects.net/2013/04/secrets-of-sim.html#</a> <a href="#fnref:3" class="footnote-back-ref">↩</a></p></li> <li id="fn:4"><p>Brumley, Billy (2004), A3/A8 & COMP128 (PDF) <a href="http://www.tcs.hut.fi/Studies/T-79.514/slides/S5.Brumley-comp128.pdf" target="_blank">http://www.tcs.hut.fi/Studies/T-79.514/slides/S5.Brumley-comp128.pdf</a> <a href="#fnref:4" class="footnote-back-ref">↩</a></p></li> </ol>