Code breakers crack GSM cellphone encryption
Ian Grigg
iang at systemics.com
Tue Sep 9 14:39:37 EDT 2003
David Wagner wrote:
>
> Vin McLellan wrote:
> >A5/2 was the equivalent of 40-bit DES, presumed to be relatively weak and
> >developed as an export standard.
>
> Yeah. Except it would be more accurate to place A5/2's strength as
> roughly equivalent to 17-bit DES. A5/1's strength is roughly equivalent
> to that of 40-bit DES.
>
> Of course, the GSM folks didn't exactly do a great job of disclosing
> these facts. They did disclose that A5/2 was the exportable version.
> However, when A5/2 was first designed, SAGE put out a report that claimed
> years of security analysis on A5/2 had been done and no mathematical
> weaknesses had been found. Now that we've seen A5/2, that report suffers
> from a certain credibility gap, to put it mildly...
Within the context of their threat model, it is quite instructive
to consider how successful these algorithms are.
AFAIK, the phone threat model includes these two attackers:
* johnny phone thief who steals billing identities and sells
cheap spoofed phones, and
* janie paparazzi that records the famous and foolish revealing
themselves over the phone, and then publishes in the media
Empirically, the GSM system defeated these threats. GSM first
hit the market about 10 years ago, and since then, the victims
of the above have enjoyed peace and prosperity, with no risk
of spoofed (GSM) phones and no risk of (GSM) eavesdroppers.
Yet, they did it with 17 bit crypto.
(Well, that's not quite the whole story. We can probably guess
that they were encouraged to do it with very weak crypto. In
fact, there is sufficient anecdotal evidence to conclude that
there were strange and unrelated people involved who diverted
the security equations from strength into weakness.)
By doing it with such superficial crypto, GSM was now faced
with a third threat:
* the researcher who reveals the way to the other attackers.
To cover this threat, GSM instigated security-by-secrecy,
and wrapped it up in a marketing campaign that claimed the
crypto was unbreakable. Basically, a lie. I recall being
told by the salesman of my first phone that the crypto was
unbreakable, and I had to kick myself for buying it, when,
a year later, I realised that it could not be encrypted
beyond the basestation, and therefore, strong crypto was
pointless.
And, it worked. Eli Biham said
"I told him (Barkan) that it was impossible,"
Everyone in the community bought it. Even post-Lucky Green,
there was no real thought that there was a bigger better
hack hiding in there.
"The 450 participants, many of whom are leaders
in encryption research, 'were shocked and astounded'
by their revelation that most cellphones are
susceptible to misuse."
The crack finally occurred a decade after deployment. GSM
security even survived the infamous Lucky Green crack that
Dave Wagner and Ian Goldberg helped with; there was no
practical fallout to that other than embarrassment, that
I ever heard of, due to the difficulty of exploitation.
Lucky tells the story of how the one GSM security expert
brazenly said, "hey, it worked for 8 years!" (Words from
my memory, perhaps Lucky can retell the story.) It worked
for longer...
What's even better, or worse, depending on your pov, is
that the timing couldn't be better: there is still
time to beef up the G3 security, and it's close enough to
rollout of that technology such that this crack will
*help* takeup.
Nothing more desirable could happen to the GSM group than
the first hand-built or grey-import GSM-2 phone crackers
start appearing, just as GSM3 is starting to roll out.
Perfect! It's the huge win for GSM. You simply can't
purchase help like that (not that I'm suggesting they
did, of course).
What can we learn from this? I guess:
* institutional crypto systems will always be perverted,
* believe no claims of invulnerability,
* large crypto systems need only a modicum of strength
to do a sufficient job against their direct threats,
* the independent researcher is part of the threat
model, as an indirect threat, and
* security-by-secrecy / obscurity can work, and can
work exceedingly well.
What's not clear is whether the GSM group can pull this
trick off next time. They may have to put in real security
into the G3, to counter the third threat. Or, maybe not,
as now, there is the additional weapon of the law on their
side, which might be enough to keep the third threat at
bay.
iang
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com