Once we have recovered the internal state of A5/1 at some point in the keystream, the information gained will only make it possible to decrypt what immediately follows in the particular frame (114 bits) where the key was found. To decode the full conversation A5/1 has to be clocked backwards up to around 200 bits, and then the frame number has to be "unmixed" (trivial), at witch the Key Unmixing method described in my previous post will recover the "master key" Kc for the entire session.
But clocking A5/1 backwards is a bit tricky since each state doesn't always have a unique predecessor. Various methods have been suggested to solve this problem, most of which center around methods for tree traversal. I have come up with a simple and fast solution, a step-backwards <-> step-forwards approach, where you step back a small number of steps (ex 20-30) try every possible combination of lfsr reverse stepping, run forwards and compare the result. When the result matches, the function recurses and does another 20-30 steps. Stepping back 100-200 clocks in this way can be done in a fraction of a second, and will give a few possible candidates. Finding the correct state should be easy, since the Kc is rumoured to have 10 bits set to 0 - it should stick out like a sore thumb. I have dumped some code fragments here http://traxme.net/a5/backwards.zip I guess I should try to gather all my bits and pieces of code in a single library (practical GSM decryption functions) Frank _______________________________________________ A51 mailing list [email protected] http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51
