A5/2

GSM Encryption Algorithm A5/2

Security
Introduced in Rel-5
A5/2 is a deliberately weakened stream cipher encryption algorithm used in early GSM networks for voice and data confidentiality. It was designed with export restrictions in mind, providing minimal security that could be easily broken by intelligence agencies. Its inclusion in GSM standards represents a historical compromise between security requirements and political export controls.

Description

A5/2 is a synchronous stream cipher algorithm specifically designed for GSM networks, operating as part of the A5 family of encryption algorithms. The algorithm uses a 64-bit secret key (Kc) derived from the authentication process and a 22-bit frame number (FN) as inputs to generate a 114-bit keystream for each direction of communication (228 bits total per frame). This keystream is then XORed with the plaintext to produce ciphertext for transmission over the air interface.

The algorithm's architecture consists of three linear feedback shift registers (LFSRs) of lengths 19, 22, and 23 bits, which are irregularly clocked based on a majority function of specific tap positions. The irregular clocking mechanism was intended to provide cryptographic strength, but the design intentionally included weaknesses. The registers are initialized with the session key and frame number, then undergo a warm-up phase before producing the output keystream. The output is generated by combining the contents of specific register positions through a nonlinear combining function.

In the GSM security architecture, A5/2 operates at the physical layer between the mobile station and base transceiver station. When a call is established, the network selects an encryption algorithm from available options (A5/1, A5/2, or no encryption) based on capabilities negotiated during authentication. The mobile station and network must support the same algorithm for encrypted communication to proceed. The algorithm provides confidentiality for both voice traffic (using Full Rate, Half Rate, or Enhanced Full Rate codecs) and circuit-switched data services.

The cryptographic weaknesses of A5/2 are fundamental to its design. The algorithm uses a relatively short key (effectively 54 bits due to design constraints), and the initialization process leaves the internal state vulnerable to cryptanalysis. Most significantly, the design includes deliberate backdoors and weaknesses that allow the cipher to be broken with minimal computational resources—typically requiring only a few seconds of known plaintext and modest computing power. These weaknesses were documented in academic literature as early as 1999, leading to its eventual deprecation.

Purpose & Motivation

A5/2 was created to address political and regulatory constraints rather than technical security requirements. During the development of GSM in the late 1980s and early 1990s, many countries imposed strict export controls on strong cryptography, classifying it as munitions. European telecommunications manufacturers needed to export GSM equipment globally, including to countries with restrictive import policies on strong encryption technologies.

The algorithm served as a compromise solution that allowed GSM networks to technically implement encryption while remaining compliant with export regulations. By providing a deliberately weak algorithm, manufacturers could claim their systems supported encryption for marketing purposes while ensuring that intelligence agencies could easily intercept communications when necessary. This approach reflected the political realities of the Cold War era and the concerns of national security agencies about losing surveillance capabilities.

From a technical perspective, A5/2 provided minimal protection against casual eavesdropping while being completely inadequate against determined attackers or state-level adversaries. Its existence allowed network operators to deploy a uniform security architecture across different regulatory environments, with the stronger A5/1 algorithm reserved for markets with less restrictive export controls. This dual-algorithm approach represented a pragmatic, if ethically questionable, solution to the conflict between user privacy expectations and government surveillance requirements.

Key Features

  • Stream cipher architecture using three irregularly-clocked LFSRs
  • 64-bit secret key input derived from GSM authentication process
  • 22-bit frame number synchronization for each transmission frame
  • Deliberately weakened design with known cryptographic vulnerabilities
  • Support for both voice and circuit-switched data encryption
  • Compatibility with export control regulations of the 1990s

Evolution Across Releases

Rel-5 Initial

A5/2 was introduced as part of the original GSM security framework with deliberately weakened cryptographic properties. The initial specification defined the algorithm's structure using three linear feedback shift registers with irregular clocking controlled by a majority function. The design included specific weaknesses to facilitate easy decryption by authorized entities while providing minimal protection against casual eavesdropping.

TS 21.905

Defining Specifications

SpecificationTitle
TS 21.905 3GPP TS 21.905