David Wagner wrote:
> Vin McLellan wrote:
> >A5/2 was the equivalent of 40-bit DES, presumed to be relatively weak and
> >developed as an export standard.
> Yeah.  Except it would be more accurate to place A5/2's strength as
> roughly equivalent to 17-bit DES.  A5/1's strength is roughly equivalent
> to that of 40-bit DES.
> Of course, the GSM folks didn't exactly do a great job of disclosing
> these facts.  They did disclose that A5/2 was the exportable version.
> However, when A5/2 was first designed, SAGE put out a report that claimed
> years of security analysis on A5/2 had been done and no mathematical
> weaknesses had been found.  Now that we've seen A5/2, that report suffers
> from a certain credibility gap, to put it mildly...

Within the context of their threat model, it is quite instructive
to consider how successful these algorithms are.

AFAIK, the phone threat model includes these two attackers:

  * johnny phone thief who steals billing identities and sells
    cheap spoofed phones, and
  * janie paparazzi that records the famous and foolish revealing
    themselves over the phone, and then publishes in the media

Empirically, the GSM system defeated these threats.  GSM first
hit the market about 10 years ago, and since then, the victims
of the above have enjoyed peace and prosperity, with no risk
of spoofed (GSM) phones and no risk of (GSM) eavesdroppers.

Yet, they did it with 17 bit crypto.

(Well, that's not quite the whole story.  We can probably guess
that they were encouraged to do it with very weak crypto.  In
fact, there is sufficient anecdotal evidence to conclude that
there were strange and unrelated people involved who diverted
the security equations from strength into weakness.)

By doing it with such superficial crypto, GSM was now faced
with a third threat:

  * the researcher who reveals the way to the other attackers.

To cover this threat, GSM instigated security-by-secrecy,
and wrapped it up in a marketing campaign that claimed the
crypto was unbreakable.  Basically, a lie.  I recall being
told by the salesman of my first phone that the crypto was
unbreakable, and I had to kick myself for buying it, when,
a year later, I realised that it could not be encrypted
beyond the basestation, and therefore, strong crypto was

And, it worked.  Eli Biham said 

   "I told him (Barkan) that it was impossible,"

Everyone in the community bought it.  Even post-Lucky Green,
there was no real thought that there was a bigger better
hack hiding in there.

   "The 450 participants, many of whom are leaders
   in encryption research, 'were shocked and astounded'
   by their revelation that most cellphones are
   susceptible to misuse."

The crack finally occurred a decade after deployment.  GSM
security even survived the infamous Lucky Green crack that
Dave Wagner and Ian Goldberg helped with;  there was no
practical fallout to that other than embarrassment, that
I ever heard of, due to the difficulty of exploitation.

Lucky tells the story of how the one GSM security expert
brazenly said, "hey, it worked for 8 years!"  (Words from
my memory, perhaps Lucky can retell the story.)  It worked
for longer...

What's even better, or worse, depending on your pov, is
that the timing couldn't be better:  there is still
time to beef up the G3 security, and it's close enough to
rollout of that technology such that this crack will
*help* takeup.

Nothing more desirable could happen to the GSM group than
the first hand-built or grey-import GSM-2 phone crackers
start appearing, just as GSM3 is starting to roll out.

Perfect!  It's the huge win for GSM.  You simply can't
purchase help like that (not that I'm suggesting they
did, of course).

What can we learn from this?  I guess:

   * institutional crypto systems will always be perverted,

   * believe no claims of invulnerability,

   * large crypto systems need only a modicum of strength
     to do a sufficient job against their direct threats,

   * the independent researcher is part of the threat
     model, as an indirect threat, and

   * security-by-secrecy / obscurity can work, and can
     work exceedingly well.

What's not clear is whether the GSM group can pull this
trick off next time.  They may have to put in real security
into the G3, to counter the third threat.  Or, maybe not,
as now, there is the additional weapon of the law on their
side, which might be enough to keep the third threat at


The Cryptography Mailing List