What are the A5 cipher variants (A5/0 through A5/4), and which are broken?
A5/0 is no encryption; A5/1 is the standard (broken — rainbow tables since 2009); A5/2 is a deliberately weakened export version (banned by 3GPP in 2007); A5/3 uses the KASUMI block cipher with a 64-bit key; A5/4 is A5/3 with a 128-bit key.
* A5/1: three LFSRs with majority clocking., Public domain, via Wikimedia Commons. *
The variant table:
| Variant | Description | Status |
|---|---|---|
| A5/0 | No encryption at all | — |
| A5/1 | Stream cipher, developed 1987 to protect GSM voice | Attacks known since 2000; practical since 2003; rainbow tables published 2009 |
| A5/2 | Weaker version (1989) for certain export regions | 3GPP forbade it in new phones (July 2007) |
| A5/3 | Based on the KASUMI block cipher, effective Kc = 64 bit | also used toward UMTS |
| A5/4 | A5/3 with a longer 128-bit Kc | stronger |
About that "64-bit" key — it's really only 54 bits in classic GSM. A5/1, A5/2 and A5/3 are all keyed by the session key Kc, and when Kc comes from COMP128, it carries only 54 bits of entropy padded with ten zero bits to fill the nominal 64-bit slot. So A5/3's "effective Kc = 64 bit" inherits the same ten-zero weakness — the cipher (KASUMI) is strong, but the GSM key feeding it is not. A5/4 is what actually fixes this, by using a full 128-bit Kc. (See the COMP128 / "64 but really 54" card for the padding detail.)
Notable history:
- British computer scientist Ross Anderson (1994) argued A5/1 was deliberately weakened to let NATO intelligence services eavesdrop — later confirmed
- Barkan, Biham, Keller (2006) demonstrated attacks against A5/1, A5/3, even GPRS, enabling real-time or after-the-fact decryption of GSM calls
- Cracking tools exist: Kraken (Frank A. Stevenson) for A5
- Effective break complexity: O(2⁴⁰) for A5/1 (real-time breakable), O(2⁶⁴) for A5/3
Memory anchor: A5/1 = "the broken standard one," A5/2 = "the even-weaker banned one," A5/3 = "KASUMI."
Go deeper:
GSM: SRSLY? — Karsten Nohl & Chris Paget (26C3, 2009) — the talk that turned the A5/1 rainbow-table break from theory into a published, practical attack.
A5/1 (Wikipedia) — the standard GSM cipher and the rainbow-table / Barkan–Biham–Keller attacks against it.
A5/2 (Wikipedia) — the deliberately-weakened export variant that 3GPP later banned.
KASUMI (Wikipedia) — the 64-bit block cipher (derived from MISTY1) underlying A5/3 and the UMTS f8/f9 functions.