Quiz Entry - updated: 2026.07.05
What are the main security weaknesses of the COMP128/GSM authentication architecture?
COMP128 relied on security-by-obscurity (partly leaked 1994, fully reverse-engineered 1999 by Marc Briceno), poorly diffuses input changes enabling a collision attack that extracts Ki in 7–12 hours, supports only one-sided authentication (enabling IMSI catchers), and allows easy downgrade attacks.
The catalogue of weaknesses:
- Security-by-obscurity: the originally confidential COMP128 was partly leaked in 1994 and fully revealed in 1999 (reverse-engineered by Marc Briceno) — secrecy was its only protection
- Weak diffusion → collision attack: small input changes aren't sufficiently spread, enabling a collision attack that recovers the secret Ki. In 1998 this took 7–12 hours — slow only because the SIM answers ~6.5 queries/second, and ~165,000 queries are needed
- NSA capability: per published internal documents, the NSA can routinely decrypt A5/1 traffic
- One-sided authentication: only the phone authenticates, not the base station → enables the IMSI catcher (a device to locate and eavesdrop on subscribers)
- Downgrade attacks: trivially possible — instruct the phone to use weak (or no) encryption
The recurring theme: GSM security was designed in the 1980s with secrecy as a crutch, weak key sizes, and asymmetric (one-sided) trust. Almost every later attack traces back to one of these original sins.
Go deeper:
COMP128 (Wikipedia) — the security-by-obscurity hash function itself: the diffusion weakness behind the collision attack that recovers Ki from the SIM, and the intentional 54-bit key.
GSM: SRSLY? — Karsten Nohl & Chris Paget (26C3, 2009) — how the cumulative "original sins" (weak keys, obscurity, one-sided trust) translate into a working, low-cost intercept.