Fast, FPGA-based Rainbow Table creation for attacking encrypted mobile communications

Encryption algorithms utilized in mobile communication systems have been under attack since their introduction, and many of these attacks have been successful in practical settings. One such example, A5/1 used in GSM, was attacked using “Rainbow Tables”, i.e. pre-computed tables that trade long offline computation and large storage for runtime efficiency when cracking the code. Traditionally, Rainbow Tables were used to reverse password hashes. Their application against A5/1 opened up a new domain of exploitation. In this paper, we present an FPGA-based architecture for the efficient creation of Rainbow Tables for the A5/3 block cipher that is used in 2^nd and 3^rd generation mobile communication systems. The overall goal is to extract the encryption key, provided we have a ciphertext block under a known plaintext attack. The presented architecture exploits the parallelism in the Rainbow Table creation process, and using a Virtext5 LX330T achieves speedups around 9x and 550x for one and 64 compute engines respectively. We show that due to the limited available memory in our experimental setup, our approach achieves high success rates for a key space reduced to 2⁴². We then demonstrate how we can seamlessly extend the proposed architecture to efficiently create much larger Rainbow Tables for the full key-space.