David Wagner wrote:
> > Vin McLellan wrote:
> > A5/2 was the equivalent of 40-bit DES, presumed to be relatively weak and
> > developed as an export standard.
>
> Yeah. Except it would be more accurate to place A5/2's strength as
> roughly equivalent to 17-bit DES. A5/1's strength is roughly equivalent
> to that of 40-bit DES.
>
> Of course, the GSM folks didn't exactly do a great job of disclosing
> these facts. They did disclose that A5/2 was the exportable version.
> However, when A5/2 was first designed, SAGE put out a report that claimed
> years of security analysis on A5/2 had been done and no mathematical
> weaknesses had been found. Now that we've seen A5/2, that report suffers
> from a certain credibility gap, to put it mildly...
Within the context of their threat model, it is quite instructive to consider how successful these algorithms are. AFAIK, the phone threat model includes these two attackers:

* johnny phone thief, who steals billing identities and sells cheap spoofed phones, and
* janie paparazzi, who records the famous and foolish revealing themselves over the phone, and then publishes in the media.

Empirically, the GSM system defeated these threats. GSM first hit the market about 10 years ago, and since then, the victims of the above have enjoyed peace and prosperity, with no risk of spoofed (GSM) phones and no risk of (GSM) eavesdroppers. Yet, they did it with 17-bit crypto.

(Well, that's not quite the whole story. We can probably guess that they were encouraged to do it with very weak crypto. In fact, there is sufficient anecdotal evidence to conclude that there were strange and unrelated people involved who diverted the security equations from strength into weakness.)

By doing it with such superficial crypto, GSM was now faced with a third threat:

* the researcher who reveals the way to the other attackers.

To cover this threat, GSM instigated security-by-secrecy, and wrapped it up in a marketing campaign that claimed the crypto was unbreakable. Basically, a lie. I recall being told by the salesman of my first phone that the crypto was unbreakable, and I had to kick myself for buying it when, a year later, I realised that it could not be encrypted beyond the base station, and therefore, strong crypto was pointless.

And, it worked. Eli Biham said "I told him (Barkan) that it was impossible." Everyone in the community bought it. Even post-Lucky Green, there was no real thought that there was a bigger, better hack hiding in there. "The 450 participants, many of whom are leaders in encryption research, 'were shocked and astounded' by their revelation that most cellphones are susceptible to misuse." The crack finally occurred a decade after deployment.
GSM security even survived the infamous Lucky Green crack that Dave Wagner and Ian Goldberg helped with; there was no practical fallout from that other than embarrassment, that I ever heard of, due to the difficulty of exploitation. Lucky tells the story of how the one GSM security expert brazenly said, "hey, it worked for 8 years!" (Words from my memory, perhaps Lucky can retell the story.) It worked for longer...

What's even better, or worse, depending on your pov, is that the timing couldn't be better: there is still time to beef up the G3 security, and it's close enough to rollout of that technology that this crack will *help* takeup. Nothing more desirable could happen to the GSM group than the first hand-built or grey-import GSM-2 phone crackers starting to appear just as GSM3 is starting to roll out. Perfect! It's the huge win for GSM. You simply can't purchase help like that (not that I'm suggesting they did, of course).

What can we learn from this? I guess:

* institutional crypto systems will always be perverted,
* believe no claims of invulnerability,
* large crypto systems need only a modicum of strength to do a sufficient job against their direct threats,
* the independent researcher is part of the threat model, as an indirect threat, and
* security-by-secrecy / obscurity can work, and can work exceedingly well.

What's not clear is whether the GSM group can pull this trick off next time. They may have to put real security into the G3, to counter the third threat. Or, maybe not, as now there is the additional weapon of the law on their side, which might be enough to keep the third threat at bay.

iang

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]