Practically speaking, you get a 2x8-bit additive checksum of the answer, which is 48 bits compressed into 16. So there are 2^32 RESULT values which would give the same SRES.
I'll leave it as an exercise to someone with better cryptography and maths skills than me to figure out how many challenge/response pairs you'd have to grab off the air to break the SAK.
And after that, you have to derive the number dialling key (K4,K5,K6). #NMT450 #Osmocom
Answer is ... yes, if we knew the value of RESULT for a given AUTH challenge. But RESULT isn't transmitted over the air. The mobile transmits the value SRES instead:
SR1 = (R1+R2+R3) mod 256
SR2 = (R4+R5+R6) mod 256
SRES = (R1 || R2)
So the problem boils down to: you have to brute-force a 96-bit key with 3 known bits. On a GPU, this might be feasible, each operation is a pair of big-integer exponentiations and a modulo. #NMT450 #Osmocom
This is useful because the algorithm imposes some constraints:
- MSBit of K1, K2 and K3 must be set (reduces keyspace to 16+32+48 - 3 = 93 bits (down from 96)
- K4, K5 and K6 are used to encrypt the dialled number (not authentication)
- K3 must be greater than or equal to RESULT
So we can break NMT SIS really easily, right? #NMT450 #Osmocom
Well then, that's a good find. Been staring at #Osmocom Analog and the #NMT450 code, did a deep dive... and found what may be the NMT SIS authentication algorithm: https://groups.google.com/g/fido7.ru.phreaks/c/mC7BuLIpK1s/m/RmSeSo5d8jYJ
Looks like the "120 bit" SAK (subscriber auth key) is really six subkeys: K1 (16 bits). K2 (32 bits). K3 (48 bits). K4,5,6 (8 bits each).
The BS generates a random number RAND, which consists of two parts: RD1 (16 bits), RD2 (12 bits).
RESULT = ((RD1**K1) + (K2**RD2)) mod K3
oh dear I've bought yet another silly thing. a Benefon TDP40/Delta #NMT450 phone, with charger. Hopefully it'll work with #Osmocom NMT. Either way, the service pod (Localbox) turns out to be a programmed 24LC16 EEPROM soldered into a charge/handsfree/car-kit connector, so programming the IDs and frequencies should be possible. http://web.archive.org/web/20040611171005/http://nmt.btv.ru/index.php?page=adap