GSM Decryption Published 299
Hugh Pickens writes "The NY Times reports that German encryption expert Karsten Nohl says that he has deciphered and published the 21-year-old GSM algorithm, the secret code used to encrypt most of the world's digital mobile phone calls, in what he called an attempt to expose weaknesses in the security system used by about 3.5 billion of the 4.3 billion wireless connections across the globe. Others have cracked the A5/1 encryption technology used in GSM before, but their results have remained secret. 'This shows that existing GSM security is inadequate,' Nohl told about 600 people attending the Chaos Communication Congress. 'We are trying to push operators to adopt better security measures for mobile phone calls.' The GSM Association, the industry group based in London that devised the algorithm and represents wireless operators, called Mr. Nohl's efforts illegal and said they overstated the security threat to wireless calls. 'This is theoretically possible but practically unlikely,' says Claire Cranton, a GSM spokeswoman, noting that no one else had broken the code since its adoption. 'What he is doing would be illegal in Britain and the United States. To do this while supposedly being concerned about privacy is beyond me.' Simon Bransfield-Garth, the chief executive of Cellcrypt, says Nohl's efforts could put sophisticated mobile interception technology — limited to governments and intelligence agencies — within the reach of any reasonable well-funded criminal organization. 'This will reduce the time to break a GSM call from weeks to hours,' Bransfield-Garth says. 'We expect as this further develops it will be reduced to minutes.'"
Re:Ha Ha (Score:2, Informative)
Is the newest version deployed everywhere? (Score:5, Informative)
The weaknesses of this algorithm are well-known and a new version that fixes those issues has been available for a long time. Now, does anyone knows whether this new version has been deployed everywhere? Who is still relying on the older version?
BTW, the algorithm used by 3G networks is different. It is based on AES and the design is publically available.
GSM Talk Video (Score:5, Informative)
The NY Times article is missing quite a lot detail. Slashdot users might appreciate the raw video from the talk (torrent): part 1 [dvrdns.org], 2 [dvrdns.org], 3 [dvrdns.org].
Re:Is the newest version deployed everywhere? (Score:5, Informative)
No it's not. The cipher used for 3G service is KASUMI [wikipedia.org], which is already vulnerable to a better-than-brute-force attack. (Even if it weren't, a 64-bit block is too small.)
When will people learn? Never roll your own damn cryptography. No matter how clever or paranoid you are, you're not clever and paranoid enough. Just use AES.
Re:And this is a nearly unsolveable problem. (Score:5, Informative)
That's a strawman. You're using "obscurity" with two subtly different meanings. The OP's point is that the secret of a system should not depend on the algorithm; that is, a restatement of Kerckhoff's principle [wikipedia.org], which says that a system's security should reside in the key. When someone invokes the phrase "security through obscurity", what we mean is a system that violates Kerckhoff's principle and places essential details in the cryptosystem itself, which is far more difficult to keep secret than a key.
"Obscurity" of the key and "obscurity" of the cryptosystem are distinct concepts that shouldn't be conflated, but you did just that. Perhaps it is you who should refrain from commenting on security.
back haul is in the clear (Score:1, Informative)
What the operators really want is something secure enough so you can't practically listen to a politician's conversations, but open enough so the state can listen to any citizen's conversation. All in the same of National Security. We will only be secure when the reverse is true.
Things are only encrypted over the air. Once it hits the tower and starts bouncing around SSPs and STPs the signals are in the clear and can be tapped easily. There's no point having a weak cipher for the radio component as any lawful (!) tapping will occur over the back haul.
Re:Ha Ha (Score:5, Informative)
As another poster mentioned, the government can already get a wiretap easily enough without having to break the cipher.
I am sick and tired of conspiracy theories. Remember the sage advice to never attribute to malice what can be adequately explained by incompetence.
Re:And this is a nearly unsolveable problem. (Score:5, Informative)
When someone who understands cryptographic security says "security through obscurity isn't security at all," they typically mean that knowledge of the algorithm shouldn't provide any significant benefit to an attacker. In other words, the exchange should be computationally secure even if attackers know the mechanism of encryption/decryption. In cases of public/private key encryption, the exchange should be computationally secure even if attackers know the public key.
The "obscurity" of a private key, for instance, isn't the obscurity that we're talking about. You either don't know that, or you're just out to rag on me (didn't get what you wanted for chanuquanchristmasolstice?). Whatever. My initial point, that A5/1 is naturally insecure (subject to known-plaintext attacks and hit by relatively-easily-generated rainbow tables) and this project highlights that, still stands.
I have no need to get into a credentials-off with someone on Slashdot, but I'll happily discuss the more technical aspects of cryptography with anyone interested/interesting, yourself included.
Honestly, I suspect that a few things are in play here:
- A5/1 is relatively easy to implement in limited hardware.
- Much of the existing infrastructure hardware has code that either sits in ASICs (this seems unlikely at this point) or bolted-into-a-box firmware that would require costly re-flashing.
- Companies aren't forced by consumers to provide genuine security.
- Most phone calls are *really* boring, and most of us honestly have nothing that we feel is worth hiding (I'm not saying that this sentiment is a good one in general).
I would like to think that the public will eventually get wise and call, globally, for the use of cryptographic algorithms that are more genuinely secure, even against government intrusion, but I know that this is next to impossible. Phone companies did a cost/benefit analysis on this one long ago and decided that the encryption that they were using was sufficient. With public awareness, the costs/benefits of modernization have changed (fractionally). In general, this is good news.
Re:Ha Ha (Score:3, Informative)
Of course it is trivial to turn a block cipher like AES into a stream cipher, but its performance cannot compete with a "native" stream cipher.
Re:Ha Ha (Score:4, Informative)
You can streamcipher with AES. http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation [wikipedia.org]
Security through repetition (Score:3, Informative)
Are you practicing security through repetition?
http://it.slashdot.org/comments.pl?sid=1491648&cid=30579990 [slashdot.org]
http://it.slashdot.org/comments.pl?sid=1491648&cid=30579998 [slashdot.org]
http://it.slashdot.org/comments.pl?sid=1491648&cid=30580026 [slashdot.org]
http://it.slashdot.org/comments.pl?sid=1491648&cid=30580012 [slashdot.org]
Please tell us all about "When a PHB hears..." and "Security, through hidden algorithm..." again. I don't think saying it four times is enough.
Re:TFA is incomplete/incorrect. (Score:3, Informative)
Re:Ha Ha (Score:3, Informative)
GSM encryption is quite a mess apparently: http://wiki.twit.tv/wiki/Security_Now_213 [wiki.twit.tv]
As for the OPs talk about "open enough so the state can listen to any citizen's conversation", the government can already listen in - they don't need to crack stuff since GSM stuff is already decrypted at the towers.
AFAIK, GSM encryption is only used between the phone and the tower. After that the conversations or messages travel unencrypted through the rest of the network.