Re: Cell Phone Encryption/Security in The USA
Posted: 07-10-2003, 04:57 PM
In <bbft4u$67s@qualcomm.com>, ggr@qualcomm.com (Gregory G Rose) wrote:
>(snipped fairly heavily)
>
>In article <fdbae11.0306012050.fbd4fca@posting.google.com>,
>Roger Fleming <roger_for_nntp@hotmail.com> wrote:
>Plug: There's a paper accepted for Crypto 2003 (of
>which I'm the general chair this year):
> - Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication
> Elad Barkan (Technion),
> Eli Biham (Technion),
> Nathan Keller (Technion)
>See http://www.iacr.org/conferences/crypto2003/content.html
>for more program details.
>... end Plug.
See <http://www.everything2.com/index.pl?node=GSM>:
A5 is the family of ciphers used for ensuring privacy between the
base station and the mobile. There is generally no security from the
base station to the rest of the phone network. This is where law
enforcement taps take place. End-to-end privacy (encryption between
one phone and another) was not implemented at the system level.
There are two versions of the A5 cipher. When the GSM standard was
being created, there were worries from law enforcement and national
security interests that the encryption would be too strong. Countries
such as France wanted a weak cipher that was easy to break; countries
with strong privacy laws such as Germany wanted a strong cipher that
was difficult to break. NATO was worried about countries like Iraq
gaining access to strong cryptography.
The end result was that two versions were created: A5/1 and A5/2.
A5/1 was the full version, and was used within Europe and the USA.
A5/2 was export strength - i.e. it was a weak cipher. There was a
minor scuffle when it was discovered that Australia had been sold
A5/2.
On April 10, 2000, Alex Biryukov, Adi Shamir, and David Wagner
published a paper entitled "Real Time Cryptanalysis of A5/1 on a PC".
In it, they detailed weaknesses in the algorithm and in its
implementation that allowed the retrieval of a key for an
A5/1-encrypted conversation within one second, using a normal
personal computer. A5/1 has been exposed as being totally pathetic.
Furthermore, it was revealed that the cipher was fairly simple - it
only used three linear feedback shift registers (basic cipher
components), and the last ten bits of the key were always zero.
The inescapable conclusion was that all versions of A5 - including
A5/1 - had been deliberately weakened.
See also "GSM Interception"
<http://www.dia.unisa.it/ads.dir/corso-security/www/CORSO-9900/a5/Netsec/netsec.html>
(or <http://makeashorterlink.com/?O26B12835>). Abstract:
The GSM standard was designed to be a secure mobile phone system with
strong subscriber authentication and over-the-air transmission
encryption. The security model and algorithms were developed in
secrecy and were never published. Eventually some of the algorithms
and specifications have leaked out. The algorithms have been studied
since and critical errors have been found. Thus, after a closer look
at the GSM standard, one can see that the security model is not all
that good. An attacker can go through the security model or even
around it, and attack other parts of a GSM network, instead of the
actual phone call. Although the GSM standard was supposed to prevent
phone cloning and over-the-air eavesdropping, both of these are
possible with little additional work compared to the analog mobile
phone systems and can be implemented through various attacks. One
should not send anything confidential over a GSM network without
additional encryption if the data is supposed to stay confidential.
--
Best regards,
John Navas <http://navasgrp.home.att.net/>
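
Added example (not part of the original post or of the sources it quotes): a minimal A5/1 keystream generator showing the three-register structure mentioned above, and how two distinct keys collapse to one keystream once the last ten key bits are zeroed. The register parameters are the publicly documented ones; the sample keys, the frame number 0x134, and the reading of "last ten bits" as the low 10 bits of the key taken as a big-endian integer are assumptions.

```python
# Added example, not from the original post. A5/1 as publicly documented:
# three LFSRs (19, 22, 23 bits) with majority-controlled stop/go clocking.
REGS = (  # mask, feedback taps, clocking bit, output bit
    dict(mask=0x07FFFF, taps=0x072000, mid=0x000100, out=0x040000),
    dict(mask=0x3FFFFF, taps=0x300000, mid=0x000400, out=0x200000),
    dict(mask=0x7FFFFF, taps=0x700080, mid=0x000400, out=0x400000),
)

def parity(x):
    return bin(x).count("1") & 1

def step(state, reg):
    """Shift one LFSR left; the new low bit is the XOR of its tap bits."""
    return ((state << 1) & reg["mask"]) | parity(state & reg["taps"])

def clock_majority(s):
    """A register steps only when its clocking bit agrees with the majority."""
    bits = [int(bool(x & r["mid"])) for x, r in zip(s, REGS)]
    maj = int(sum(bits) >= 2)
    return [step(x, r) if b == maj else x for x, r, b in zip(s, REGS, bits)]

def a51_keystream(kc, frame, nbits=114):
    """Return nbits of keystream for 8-byte session key kc and a 22-bit frame number."""
    s = [0, 0, 0]
    load = [(kc[i // 8] >> (i & 7)) & 1 for i in range(64)]
    load += [(frame >> i) & 1 for i in range(22)]
    for bit in load:                      # all three registers clock during loading
        s = [step(x, r) ^ bit for x, r in zip(s, REGS)]
    for _ in range(100):                  # mixing clocks, output discarded
        s = clock_majority(s)
    out = []
    for _ in range(nbits):
        s = clock_majority(s)
        out.append(sum(parity(x & r["out"]) for x, r in zip(s, REGS)) & 1)
    return out

def zero_last_ten_bits(kc):
    """Assumption: 'last ten bits' = low 10 bits of kc read as a big-endian integer."""
    return ((int.from_bytes(kc, "big") >> 10) << 10).to_bytes(8, "big")

if __name__ == "__main__":
    k1 = bytes.fromhex("0123456789abcdef")   # constructed sample keys that differ
    k2 = bytes.fromhex("0123456789abcea5")   # only in the ten bits that get zeroed
    z1, z2 = zero_last_ten_bits(k1), zero_last_ten_bits(k2)
    same = a51_keystream(z1, 0x134) == a51_keystream(z2, 0x134)
    print("keystreams identical after zeroing:", same)
```

With ten of the 64 key bits fixed, only 54 bits remain for the cipher to protect, whatever the strength of the registers themselves.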





