GSM Decryption Published
Hugh Pickens writes "The NY Times reports that German encryption expert Karsten Nohl says that he has deciphered and published the 21-year-old GSM algorithm, the secret code used to encrypt most of the world's digital mobile phone calls, in what he called an attempt to expose weaknesses in the security system used by about 3.5 billion of the 4.3 billion wireless connections across the globe. Others have cracked the A5/1 encryption technology used in GSM before, but their results have remained secret. 'This shows that existing GSM security is inadequate,' Nohl told about 600 people attending the Chaos Communication Congress. 'We are trying to push operators to adopt better security measures for mobile phone calls.' The GSM Association, the industry group based in London that devised the algorithm and represents wireless operators, called Mr. Nohl's efforts illegal and said they overstated the security threat to wireless calls. 'This is theoretically possible but practically unlikely,' says Claire Cranton, a GSM spokeswoman, noting that no one else had broken the code since its adoption. 'What he is doing would be illegal in Britain and the United States. To do this while supposedly being concerned about privacy is beyond me.' Simon Bransfield-Garth, the chief executive of Cellcrypt, says Nohl's efforts could put sophisticated mobile interception technology — limited to governments and intelligence agencies — within the reach of any reasonable well-funded criminal organization. 'This will reduce the time to break a GSM call from weeks to hours,' Bransfield-Garth says. 'We expect as this further develops it will be reduced to minutes.'"
Re:Pna lbh urne zr abj? (Score:5, Interesting)
Is this encryption only secure until I tell people that this is ROT-13?
That's it. We should just ROT-13 GSM traffic.
And that, kids, is the point. This should be "+1, Troll rating was idiotic."
Re:Irony (Score:2, Interesting)
I'm more concerned about compromise of the user authentication process.
In the worst case it could result in the ability of an eavesdropper to capture your subscriber ID, and make international roaming calls as you, so they avoid racking up expensive charges themselves.
Why it's unsolvable (Score:5, Interesting)
They're there to allow companies to use inadequate security measures without public shame.
And the politics is really the problem.
Let's classify the world into four types of people: politicians, security experts, telecommunications lobbyists and the regular citizens.
The politicians want to stay in office. The security experts want good security. The telecommunications lobbyists want cheap security. The regular citizens don't know there's a security concern (except from what they hear from Hollywood).
The politicians can stay in office if they can afford a good campaign. The telecommunication lobbyists want to make a deal. The security experts are few, unconnected and don't have much money in comparison. The uneducated masses aren't going to change their voting based on GSM security even if they knew about it and understood the issues.
And so you will have the politicians portraying the security experts as evil people (which the media will dutifully transmit to the public), all while the telecommunications people get to use cheap and poor security.
(replace telecommunications with banking if you want to get really bummed out...)
Or am I wrong? Please, someone tell me I'm wrong.
On the definition of "obscurity" (Score:5, Interesting)
encryption is nothing more than security through calculated obscurity.
I think you can only prosecute an argument for that claim successfully if you engage in semantic shifting.
That is to say, you're right only if you take the word `obscurity' to mean something different from what everybody else takes it to mean.
Security by obscurity generally means you're relying on the adversary to be ill-informed about some aspect of the crypto which wouldn't be a problem for him to know about in a "real" cryptosystem, and/or extremely limited in computational power.
For instance, the Windows 95 screen saver password (at most 14 characters) was stored in the registry, xor'ed with a fixed key of length 14. Probably a const char screen_saver_xor_pad[14] = [...], "safely" hidden away in some undisclosed source code. Security by obscurity.
This is also how DRM works: encrypt a bit string f with key k, then send k and e_k(f) to the recipient, but sneakily, hoping that the recipient will only decrypt and use f in accordance with the rules your piece of software implements. Security by obscurity.
Take on the other hand AES. Go do an exhaustive key search. If you're smart, do a meet-in-the-middle. That's sqrt(2^n), which is still exponential (it's sqrt(2)^n). Okay, n is fixed, but still: the best attack is (essentially) brute force. That's real security.
Then there's of course the gold-plated but impractical security (well, encryption): whenever you want to send a message m that's b bits long, come up with a uniformly random b-bit key k, then transmit m XOR k. Perfectly secure, but good luck sending k to the recipient. You can pre-share it, though, so if you put 4 TB of random key in your submarine, it can send 4 TB back to HQ confidentially. Or you can do quantum key distribution (if you have the required equipment).
I recommend that while your post has a valid point, you try to refrain from commenting on the more technical aspects of security.
I recommend you try to refrain from assessing people's understanding of the technical aspects of security and making recommendations based upon that assessment. I haven't seen anything in your parent's post which suggests they don't understand the subject matter, unless we take your semantic shift to be The Right Way to understand "obscurity."
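The contrast drawn in the comment above between a fixed XOR pad and a one-time pad, as an added example that is not part of the original thread. The pad value, sample passwords and function names are constructed for illustration; the pad is not the real Windows 95 constant.

```python
import secrets

PAD_LEN = 14  # the comment's figure: passwords of at most 14 characters

# Hypothetical fixed pad standing in for a constant compiled into a product.
# Constructed for this example; NOT the real Windows 95 value.
FIXED_PAD = bytes.fromhex("5a17c3880f4be29d31a6740cd9e5")

def xor(a, b):
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))

def obscure(password):
    """Fixed-pad 'protection': the same pad for every user and every password."""
    data = password.encode("ascii")
    if len(data) > PAD_LEN:
        raise ValueError("password longer than pad")
    return xor(data, FIXED_PAD)

def recover_pad(known_password, stored):
    """One known (password, stored value) pair yields the pad bytes it covers."""
    return xor(known_password.encode("ascii"), stored)

def reveal(stored, pad):
    """With the pad known, any stored value is readable."""
    return xor(stored, pad).decode("ascii")

def otp_encrypt(message):
    """One-time pad: a fresh, uniformly random key as long as the message."""
    key = secrets.token_bytes(len(message))
    return key, xor(message, key)

def demo():
    # Fixed pad: an auditor's own full-length test password exposes the whole pad,
    # and that pad then opens every other stored value.
    own = "A" * PAD_LEN
    pad = recover_pad(own, obscure(own))
    other_stored = obscure("hunter2")  # constructed sample entry
    # One-time pad: the key for one message says nothing about the next one.
    k1, c1 = otp_encrypt(b"dive at dawn")
    k2, _ = otp_encrypt(b"dive at dawn")
    return {
        "pad_recovered": pad == FIXED_PAD,
        "other_password": reveal(other_stored, pad),
        "otp_keys_equal": k1 == k2,
        "otp_roundtrip": xor(c1, k1),
    }
```

The fixed-pad scheme fails once a single plaintext is known because its only secret is shared by every stored value; the one-time pad stays secure under the same condition because each key is used once.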
Re:Why it's unsolvable (Score:5, Interesting)
You're wrong. Well, you're right up to a point, but you forgot one thing. Those security people are pissed because this has been buried by those dirty politicians and telecom lobbyists. They have an axe to grind, and now several thousand of them just got the keys to GSM.
Crooked politicians should be scared out of their minds by this. I'd give it six months before we start to see tapped GSM phone calls showing up on YouTube, resulting in high-profile congress critters resigning in disgrace. Six months max. Maybe much sooner.
Re:And this is a nearly unsolvable problem. (Score:5, Interesting)
It's a strange design given that they have unfettered access to the unencrypted backbone transmission. Why not just do the spying there, and use real security between cell and base? It gives you a real feeling of security, and them the same level of spying capability.
Re:Irony (Score:3, Interesting)
The Nth country experiment [wikipedia.org] showed how useful secrecy was in that regard 45 years ago and the vast advances in computer technology since then have not made it any more useful.
Re:GSM Talk Video (Score:2, Interesting)
Code: http://reflextor.com/trac/a51 [reflextor.com]
(SSL cert expired a couple of weeks ago)
Paper: Subverting the security base of GSM [har2009.org]
Re:And this is a nearly unsolvable problem. (Score:1, Interesting)
Again, DES was designed to be implemented in hardware. In the mid-90's DES was very well implemented and fast in hardware. And I'm talking about small hardware, I had chips smaller than a MicroSD card that could do DES at ethernet (10 Mbit) speed.
No excuse other than the people creating the standards were complete idiots or had a bad case of Not Invented Here syndrome (I suspect both were a factor).
kinda not news (Score:5, Interesting)
(Note: I have RTFA, but I'm quoting mainly from the summary here.)
Feh. Steve Gibson explained the flaws in GSM in very precise, technical detail in his podcast with Leo Laporte back in September. See episode 213 of Security Now [grc.com], "Cracking GSM Cellphones". He explained how the algorithm was implemented in hardware, right down to the hardware level.
Oh yes, they'd like us to believe that reverse engineering encryption is illegal. It is not. Eavesdropping on cell phone calls is illegal only because cell phone carriers have always used technology decades behind the state of the art. It's a crappy regulatory patch to a massive technical loophole. It's akin to a law forbidding wifi cards from supporting "monitor mode" because you can use it to eavesdrop on unencrypted wifi traffic. Karsten Nohl is not recommending that anyone eavesdrop on other people's phone calls. He's trying to show the public that their conversations are as good as "in the clear" and gosh darn it, the billion-dollar wireless industry just doesn't like that a bit.
Nope, even better: it puts GSM decryption technology within the reach of anyone with a 2TB hard disk, $1000 of radio equipment, and the time to figure out some software. And, as I pointed out already, this has been known for some time. Until recently, the weaknesses of GSM have been the skeleton in the closet of the wireless industry. It should have seen the light of day years ago.
This is not an easy problem for them to solve, either. A5/3 is much better encryption, but as I understand it, almost every handset in existence can be forced to fall back to A5/1 (or even A5/0, no encryption) relatively easily.
Re:And this is a nearly unsolvable problem. (Score:5, Interesting)
At a guess, they didn't use DES back when because DES is computationally intensive, i.e. slow. This is especially important when you've got a small-for-the-day device that runs on batteries and must provide something approaching real-time performance.
It's more likely that the issue was that the US Government of the day (remember, we are talking mid 80s) would have thrown a total wobbly at the use of DES in technology being installed the world over. Crypto is an area where the effective regulatory landscape has changed rather a lot over the past 25 years.
Re:Is the newest version deployed everywhere? (Score:3, Interesting)
Did you read the EFF published paper on DES? That's not "differential cryptanalysis". It was simple brute force with dedicated hardware. And the issue wasn't the algorithm, it was the key length, which lent itself to brute force attack in a surprisingly reasonable amount of time.
I agree that key management remains an issue. Subversion is the worst popular example, with its habit of storing your passwords in your home directory in plain text, with no expiration and no utility for flushing them.
Re:kinda not news (Score:4, Interesting)
Oh yes, they'd like us to believe that reverse engineering encryption is illegal. It is not.
Right you are. However, what is illegal is publicly stating someone has committed illegal acts. Nohl should sue for slander.
Comparison with CDMA (Score:3, Interesting)
CDMA uses the CMEA [schneier.com] and ORYX [schneier.com] algorithms, which are pretty weak as well, as shown in the linked papers. However, CDMA has somewhat of an advantage, because it's difficult to obtain the encrypted data stream in the first place: the nature of CDMA transmission means you can't pull a signal out of the noise unless you know the codes being used by the base station and handset.
Re:Comparison with CDMA (Score:3, Interesting)
Speaking from experience I know that any/all of these older transmission algorithms are crackable. I was an IT Call Center Manager at a cellular startup company back in 1996. Within the first year after our company launched we had customers in South Florida with their cell phones cloned. We were CDMA-based. And this technology stemmed from the USAF back in the 1970's IIRC.
Figure that GSM has likely been cracked many years ago too. The more sophisticated the hardware that can gain brute-force leverage any of these older algorithms. Who knows, when the vaporware that is currently quantum computing materializes perhaps DES, AES and the like will also be exposed. That's why perhaps the big players in the industry should look to upgrade/overhaul their algorithms every 5 years or so, ya know? Expensive scenario, but necessary if governments, military groups, and tinfoil hatters clamor for it...