LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

How do A3 and A8 work via COMP128, and how is the 64-bit Kc actually built?

COMP128 takes RAND and Ki as input and outputs a 128-bit result split into SRES (32 bits) and Kc (54 bits, plus 42 unused bits); the 54-bit Kc is then padded with ten zero bits to form the nominal 64-bit session key.

COMP128 output split: SRES 32 bit, Kc 54 bit, 42 discarded, ten zero pad.

* COMP128 output split, and the padding that makes Kc only 54-bit entropy. *

The formal relationship:

(SRES, Kc) = COMP128(RAND, Ki)

The output bit-split:

Field Bits Use
SRES 32 Signed response (sent to the network for authentication)
Kc 54 The actual session key material
unused 42 discarded

The critical detail — the "64-bit" key isn't really 64 bits: COMP128 only produces 54 bits of key, which is then extended to 64 bits by appending ten zero bits. So the nominal 64-bit Kc has only 54 bits of entropy — a deliberately (or carelessly) weakened key. This is one of the most important GSM security findings: the effective key is far smaller than advertised.

A5 key stream: the symmetric A5 key is regenerated for every frame — A5 works with Kc and a 22-bit frame number, producing a 114-bit key stream per frame.

Memory anchor: "64 but really 54" captures the key issue: the ten zero bits are padding, not entropy.

Go deeper:

  • doc COMP128 (Wikipedia) — confirms COMP128-1/-2 produce a session key with only 54 bits of entropy, the exact source of the "64 but really 54" weakness.

From Quiz: MOBINFSEC / GSM & LTE Security Infrastructure | Updated: Jul 14, 2026